Page 1
Catalyst 3750 Switch Software Configuration Guide Cisco IOS Release 12.2(20)SE May 2004 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7816180= Text Part Number: 78-16180-02...
Page 2
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE,...
Cisco.com xxxvii Ordering Documentation xxxviii Documentation Feedback xxxviii Obtaining Technical Assistance xxxviii Cisco Technical Support Website xxxix Submitting a Service Request xxxix Definitions of Service Request Severity xxxix Obtaining Additional Publications and Information Overview C H A P T E R...
Page 4
Contents Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features Enabling and Disabling Editing Features Editing Commands through Keystrokes Editing Command Lines that Wrap Searching and Filtering Output of show and more Commands Accessing the CLI Accessing the CLI through a Console Connection or through Telnet Accessing the CLI from a Browser...
Page 5
Contents Assigning the Switch IP Address and Default Gateway C H A P T E R Understanding the Boot Process Assigning Switch Information Default Switch Information Understanding DHCP-Based Autoconfiguration DHCP Client Request Process Configuring DHCP-Based Autoconfiguration DHCP Server Configuration Guidelines Configuring the TFTP Server Configuring the DNS Configuring the Relay Device...
Page 6
Contents Compatibility Recommendations 5-11 Incompatible Software and Stack Member Image Upgrades 5-11 Stack Protocol Version Compatibility 5-11 Switch Stack Configuration Files 5-12 Additional Considerations for System-Wide Configuration on Switch Stacks 5-13 Switch Stack Management Connectivity 5-14 Connectivity to the Switch Stack Through an IP Address 5-14 Connectivity to the Switch Stack Through an SSH Session 5-14...
Page 7
Contents SNMP Community Strings 6-14 Switch Clusters and Switch Stacks 6-14 TACACS+ and RADIUS 6-16 Access Modes in CMS 6-16 LRE Profiles 6-17 Availability of Switch-Specific Features in Switch Clusters 6-17 Creating a Switch Cluster 6-17 Enabling a Cluster Command Switch 6-17 Adding Cluster Member Switches 6-18...
Page 8
Contents Displaying the DNS Configuration 7-18 Creating a Banner 7-18 Default Banner Configuration 7-18 Configuring a Message-of-the-Day Login Banner 7-19 Configuring a Login Banner 7-20 Managing the MAC Address Table 7-20 Building the Address Table 7-21 MAC Addresses and VLANs 7-21 MAC Addresses and Switch Stacks 7-22...
Page 9
Contents Logging into and Exiting a Privilege Level 9-10 Controlling Switch Access with TACACS+ 9-10 Understanding TACACS+ 9-10 TACACS+ Operation 9-12 Configuring TACACS+ 9-13 Default TACACS+ Configuration 9-13 Identifying the TACACS+ Server Host and Setting the Authentication Key 9-13 Configuring TACACS+ Login Authentication 9-14 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 9-16...
Page 10
Contents Setting Up the Switch to Run SSH 9-39 Configuring the SSH Server 9-40 Displaying the SSH Configuration and Status 9-41 Configuring 802.1x Port-Based Authentication 10-1 C H A P T E R Understanding 802.1x Port-Based Authentication 10-1 Device Roles 10-2 Authentication Initiation and Message Exchange 10-3...
Page 12
Contents Configuring VLANs 13-1 C H A P T E R Understanding VLANs 13-1 Supported VLANs 13-3 VLAN Port Membership Modes 13-3 Configuring Normal-Range VLANs 13-5 Token Ring VLANs 13-6 Normal-Range VLAN Configuration Guidelines 13-6 VLAN Configuration Mode Options 13-7 VLAN Configuration in config-vlan Mode 13-7 VLAN Configuration in VLAN Database Configuration Mode...
Page 13
Contents VMPS Configuration Guidelines 13-29 Configuring the VMPS Client 13-30 Entering the IP Address of the VMPS 13-30 Configuring Dynamic-Access Ports on VMPS Clients 13-30 Reconfirming VLAN Memberships 13-31 Changing the Reconfirmation Interval 13-31 Changing the Retry Count 13-32 Monitoring the VMPS 13-32 Troubleshooting Dynamic-Access Port VLAN Membership 13-33...
Page 14
Configuring Voice VLAN 16-3 Default Voice VLAN Configuration 16-3 Voice VLAN Configuration Guidelines 16-3 Configuring a Port Connected to a Cisco 7960 IP Phone 16-4 Configuring IP Phone Voice Traffic 16-4 Configuring the Priority of Incoming Data Frames 16-6 Displaying Voice VLAN...
Page 15
Contents Learning State 17-7 Forwarding State 17-7 Disabled State 17-8 How a Switch or Port Becomes the Root Switch or Root Port 17-8 Spanning Tree and Redundant Connectivity 17-9 Spanning-Tree Address Management 17-9 Accelerated Aging to Retain Connectivity 17-9 Spanning-Tree Modes and Protocols 17-10 Supported Spanning-Tree Instances 17-10...
Page 16
Contents Understanding RSTP 18-6 Port Roles and the Active Topology 18-7 Rapid Convergence 18-8 Synchronization of Port Roles 18-9 Bridge Protocol Data Unit Format and Processing 18-10 Processing Superior BPDU Information 18-11 Processing Inferior BPDU Information 18-11 Topology Changes 18-11 Configuring MSTP Features 18-12 Default MSTP Configuration...
Page 17
21-1 DHCP Server 21-2 DHCP Relay Agent 21-2 DHCP Snooping 21-2 Option-82 Data Insertion 21-3 Cisco IOS DHCP Server Database 21-5 DHCP Snooping Binding Database 21-5 DHCP Snooping and Switch Stacks 21-6 Configuring DHCP Features 21-7 Default DHCP Configuration 21-7...
Page 18
Contents Enabling the Cisco IOS DHCP Server Database 21-12 Enabling the DHCP Snooping Binding Database Agent 21-12 Displaying DHCP Snooping Information 21-14 Displaying the DHCP Snooping Configuration 21-14 Displaying the DHCP Snooping Binding Database 21-14 Understanding IP Source Guard 21-15...
Page 19
Contents Configuring IGMP Snooping 23-6 Default IGMP Snooping Configuration 23-6 Enabling or Disabling IGMP Snooping 23-7 Setting the Snooping Method 23-7 Configuring a Multicast Router Port 23-9 Configuring a Host Statically to Join a Group 23-10 Enabling IGMP Immediate Leave 23-11 Disabling IGMP Report Suppression 23-11...
Page 20
Contents Understanding Port Security 24-7 Secure MAC Addresses 24-7 Security Violations 24-8 Default Port Security Configuration 24-9 Configuration Guidelines 24-10 Enabling and Configuring Port Security 24-10 Enabling and Configuring Port Security Aging 24-14 Port Security and Switch Stacks 24-15 Displaying Port-Based Traffic Control Settings 24-16 Configuring CDP 25-1...
Page 21
Contents Monitored Traffic 27-5 Source Ports 27-6 Source VLANs 27-7 VLAN Filtering 27-7 Destination Port 27-8 RSPAN VLAN 27-9 SPAN and RSPAN Interaction with Other Features 27-9 SPAN and RSPAN and Switch Stacks 27-10 Configuring SPAN and RSPAN 27-10 Default SPAN and RSPAN Configuration 27-11 Configuring Local SPAN 27-11...
Page 22
Contents Setting the Message Display Destination Device 29-5 Synchronizing Log Messages 29-6 Enabling and Disabling Time Stamps on Log Messages 29-7 Enabling and Disabling Sequence Numbers in Log Messages 29-8 Defining the Message Severity Level 29-9 Limiting Syslog Messages Sent to the History Table and to SNMP 29-10 Configuring UNIX Syslog Servers 29-11...
Page 23
Contents ACLs and Switch Stacks 31-6 Configuring IP ACLs 31-6 Creating Standard and Extended IP ACLs 31-7 Access List Numbers 31-7 Creating a Numbered Standard ACL 31-9 Creating a Numbered Extended ACL 31-11 Resequencing ACEs in an ACL 31-15 Creating Named Standard and Extended ACLs 31-15 Using Time Ranges with ACLs 31-17...
Page 24
Contents Configuring QoS 32-1 C H A P T E R Understanding QoS 32-1 Basic QoS Model 32-3 Classification 32-4 Classification Based on QoS ACLs 32-7 Classification Based on Class Maps and Policy Maps 32-7 Policing and Marking 32-8 Mapping Tables 32-10 Queueing and Scheduling Overview 32-11...
Page 25
Contents Configuring DSCP Maps 32-49 Configuring the CoS-to-DSCP Map 32-50 Configuring the IP-Precedence-to-DSCP Map 32-50 Configuring the Policed-DSCP Map 32-51 Configuring the DSCP-to-CoS Map 32-52 Configuring the DSCP-to-DSCP-Mutation Map 32-53 Configuring Ingress Queue Characteristics 32-55 Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds 32-56 Allocating Buffer Space Between the Ingress Queues 32-57...
Page 26
Contents Configuring the Physical Interfaces 33-16 Configuring EtherChannel Load Balancing 33-18 Configuring the PAgP Learn Method and Priority 33-19 Configuring LACP Hot-Standby Ports 33-20 Configuring the LACP System Priority 33-21 Configuring the LACP Port Priority 33-22 Displaying EtherChannel, PAgP, and LACP Status 33-23 Configuring IP Unicast Routing 34-1...
Page 27
Configuring BGP Route Reflectors 34-57 Configuring Route Dampening 34-58 Monitoring and Maintaining BGP 34-59 Configuring Protocol-Independent Features 34-60 Configuring Distributed Cisco Express Forwarding 34-60 Configuring the Number of Equal-Cost Routing Paths 34-62 Configuring Static Unicast Routes 34-62 Specifying Default Routes and Networks 34-63...
Page 28
Configuring HSRP Groups and Clustering 35-11 Displaying HSRP Configurations 35-11 Configuring IP Multicast Routing 36-1 C H A P T E R Understanding Cisco’s Implementation of IP Multicast Routing 36-2 Understanding IGMP 36-2 IGMP Version 1 36-3 IGMP Version 2...
Page 29
Contents PIMv1 and PIMv2 Interoperability 36-9 Auto-RP and BSR Configuration Guidelines 36-10 Configuring Basic Multicast Routing 36-10 Configuring a Rendezvous Point 36-12 Manually Assigning an RP to Multicast Groups 36-12 Configuring Auto-RP 36-14 Configuring PIMv2 BSR 36-18 Using Auto-RP and a BSR 36-22 Monitoring the RP Mapping Information 36-23...
Page 30
Contents Changing the DVMRP Route Threshold 36-46 Configuring a DVMRP Summary Address 36-47 Disabling DVMRP Autosummarization 36-49 Adding a Metric Offset to the DVMRP Route 36-49 Monitoring and Maintaining IP Multicast Routing 36-50 Clearing Caches, Tables, and Databases 36-51 Displaying System and Network Statistics 36-51 Monitoring IP Multicast Routing 36-52...
Page 31
Contents Adjusting Spanning-Tree Parameters 38-6 Changing the VLAN-Bridge Spanning-Tree Priority 38-7 Changing the Interface Priority 38-7 Assigning a Path Cost 38-8 Adjusting BPDU Intervals 38-9 Disabling the Spanning Tree on an Interface 38-11 Monitoring and Maintaining Fallback Bridging 38-11 Troubleshooting 39-1 C H A P T E R Recovering from Corrupted Software By Using the Xmodem Protocol...
Page 32
A P P E N D I X MIB List Using FTP to Access the MIB Files Working with the Cisco IOS File System, Configuration Files, and Software Images A P P E N D I X Working with the Flash File System...
Page 33
Working with Software Images B-20 Image Location on the Switch B-20 tar File Format of Images on a Server or Cisco.com B-21 Copying Image Files By Using TFTP B-22 Preparing to Download or Upload an Image File By Using TFTP...
Page 34
Contents IP Multicast Routing Unsupported Privileged EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands IP Unicast Routing Unsupported Privileged EXEC or User EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands Unsupported BGP Router Configuration Commands Unsupported VPN Configuration Commands Unsupported Route Map Commands MAC Address Commands Unsupported Privileged EXEC Commands...
Page 35
This guide is for the networking professional managing the Catalyst 3750 switch, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
Page 36
Preface Conventions Conventions This publication uses these conventions to convey instructions and information: Command descriptions use these conventions: Commands and keywords are in boldface text. • Arguments for which you supply values are in italic. • Square brackets ([ ]) mean optional elements. •...
For upgrading information, refer to the “Downloading Software” section in the release notes. • You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section on page xxxvii.
Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as • ordering and customer support services. Access the Cisco Product Catalog at this URL: http://cisco.com/univercd/cc/td/doc/pcat/...
Page 41
Some features noted in this chapter are available only on the cryptographic (that is, supports encryption) versions of the SMI and EMI. You must obtain authorization to use this feature and to download the cryptographic version of the software from Cisco.com. For more information, refer to the release notes for this release.
For more information about Express Setup, refer to the hardware installation guide. • User-defined and Cisco-default Smartports macros for creating custom switch configurations for simplified deployment across the network. Cluster Management Suite (CMS) graphical user interface (GUI) for •...
Page 43
Using a single IP address and configuration file to manage the entire switch stack. – – Automatic Cisco IOS version-check of new stack members with the option to automatically load images from the stack master or from a TFTP server. –...
Page 44
For more information about CMS, see Chapter 3, “Getting Started with CMS.” CLI—The Cisco IOS CLI software is enhanced to support desktop- and multilayer-switching • features. You can access the CLI either by connecting your management station directly to the switch console port or by using Telnet from a remote management station.
Page 45
Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external • source Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses • In-band management access through CMS over a Netscape Communicator or Microsoft Internet •...
Page 46
Flex Link Layer 2 interfaces to back up one another as an alternative to STP for basic link redundancy • RPS support through the Cisco RPS 300 and Cisco RPS 675 for enhancing power reliability VLAN Features Support for up to 1005 VLANs for assigning users to VLANs associated with appropriate network •...
Page 47
Chapter 1 Overview Features Protected port option for restricting the forwarding of traffic to designated ports on the same switch • Port security option for limiting and identifying MAC addresses of the stations allowed to access • the port • Port security aging to set the aging time for secure addresses on a port BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs •...
Page 48
Trusted port states (CoS, DSCP, and IP precedence) within a QoS domain and with a port – bordering another QoS domain – Trusted boundary for detecting the presence of a Cisco IP phone, trusting the CoS value received, and ensuring port security • Policing Traffic-policing policies on the switch port for managing how much of the port bandwidth –...
Page 49
Power over Ethernet (PoE) Features • Ability to provide power to connected Cisco pre-standard and IEEE 802.3af-compliant powered devices from all 10/100 Ethernet ports if the switch detects that there is no power on the circuit 24-port PoE switch provides 15.4 W of power on each 10/100 port; 48-port PoE switch provides •...
“Configuring Interface Characteristics.” – Auto-MDIX is enabled. For more information, see Chapter 11, “Configuring Interface Characteristics.” In releases earlier than Cisco IOS Release 12.2(18)SE, the default setting for Note auto-MDIX is disabled. Catalyst 3750 Switch Software Configuration Guide 1-10 78-16180-02...
Chapter 1 Overview Default Settings After Initial Switch Configuration Flow control is off. For more information, see Chapter 11, “Configuring Interface – Characteristics.” PoE is autonegotiate. For more information, see Chapter 11, “Configuring Interface – Characteristics.” No Smartports macros are defined. For more information, see Chapter 12, “Configuring Smartports •...
Chapter 1 Overview Network Configuration Examples CDP is enabled. For more information, see Chapter 25, “Configuring CDP.” • UDLD is disabled. For more information, see Chapter 26, “Configuring UDLD.” • • SPAN and RSPAN are disabled. For more information, see Chapter 27, “Configuring SPAN and RSPAN.”...
Chapter 1 Overview Network Configuration Examples Table 1-1 Increasing Network Performance Network Demands Suggested Design Methods Too many users on a single network Create smaller network segments so that fewer users share the bandwidth, and use • segment and a growing number of VLANs and IP subnets to place the network resources in the same logical network users accessing the Internet as the users who access those resources most.
Page 54
Chapter 1 Overview Network Configuration Examples Table 1-2 Providing Network Services (continued) Network Demands Suggested Design Methods An evolving demand for IP telephony Use QoS to prioritize applications such as IP telephony during congestion and to • help control both delay and jitter within the network. •...
Page 55
Chapter 1 Overview Network Configuration Examples IP forwarding at the distribution layer, connect the switches in the access layer to a Gigabit multilayer switch in the backbone, such as a Catalyst 4500 Gigabit switch or Catalyst 6500 Gigabit switch. Each switch in this configuration provides users with a dedicated 1-Gbps connection to network resources.
Page 56
Chapter 1 Overview Network Configuration Examples QoS and policing on the switches provide preferential treatment for certain data streams, if required. They segment traffic streams into different paths for processing. Security features on the switch ensure rapid handling of packets. Dual homing of servers to dual switch stacks with redundant Gigabit EtherChannel and cross-stack EtherChannel provide fault tolerance from the server racks to the core.
Data and multimedia traffic are configured on the same VLAN. Voice traffic from the Cisco IP Phones are configured on separate VVIDs. If data, multimedia, and voice traffic are assigned to the same VLAN, only one VLAN can be configured per wiring closet.
Cisco CallManager controls call processing, routing, and IP phone features and configuration. Users with workstations running Cisco SoftPhone software can place, receive, and control calls from their PCs. Using Cisco IP Phones, Cisco CallManager software, and Cisco SoftPhone software integrates telephony and IP networks, and the IP network supports both voice and data.
Page 59
Chapter 1 Overview Network Configuration Examples In the wiring closet, each switch stack has IGMP snooping enabled to efficiently forward multimedia and multicast traffic. QoS ACLs that either drop or mark nonconforming traffic based on bandwidth limits are also configured on each switch stack. VLAN maps provide intra-VLAN security and prevent unauthorized users from accessing critical pieces of the network.
Chapter 1 Overview Network Configuration Examples Multidwelling Network Using Catalyst 3750 Switches A growing segment of residential and commercial customers are requiring high-speed access to Ethernet metropolitan-area networks (MANs). Figure 1-8 shows a configuration for a Gigabit Ethernet MAN ring using multilayer switch stacks as aggregation switches in the mini-point-of-presence (POP) location.
Page 62
The CWDM OADM modules on the receiving end separate (or demultiplex) the different wavelengths. For more information about the CWDM SFP modules and CWDM OADM modules, refer to the Cisco CWDM GBIC and CWDM SFP Installation Note. Catalyst 3750 Switch Software Configuration Guide...
Chapter 1 Overview Where to Go Next Figure 1-9 Long-Distance, High-Bandwidth Transport Configuration Access layer Aggregation layer 8 Gbps CWDM CWDM OADM OADM Catalyst 4500 modules modules Eight multilayer 1-Gbps switches connections Catalyst switches Where to Go Next Before configuring the switch, review these sections for startup information: Chapter 2, “Using the Command-Line Interface”...
C H A P T E R Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your Catalyst 3750 switch. It contains these sections: Understanding Command Modes, page 2-1 •...
Chapter 2 Using the Command-Line Interface Understanding Command Modes Table 2-1 Command Mode Summary Mode Access Method Prompt Exit Method About This Mode User EXEC Begin a session with Enter logout or Use this mode to Switch> your switch. quit. Change terminal settings.
Chapter 2 Using the Command-Line Interface Understanding the Help System Understanding the Help System You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 2-2.
Chapter 2 Using the Command-Line Interface Understanding no and default Forms of Commands Understanding no and default Forms of Commands Almost every configuration command also has a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface.
Chapter 2 Using the Command-Line Interface Using Command History Changing the Command History Buffer Size By default, the switch records ten command lines in its history buffer. You can alter this number for a current terminal session or for all sessions on a particular line. These procedures are optional. Beginning in privileged EXEC mode, enter this command to change the number of command lines that the switch records during the current terminal session: Switch# terminal history...
Chapter 2 Using the Command-Line Interface Using Editing Features Using Editing Features This section describes the editing features that can help you manipulate the command line. It contains these sections: • Enabling and Disabling Editing Features, page 2-6 (optional) • Editing Commands through Keystrokes, page 2-6 (optional) Editing Command Lines that Wrap, page 2-8...
Page 71
Chapter 2 Using the Command-Line Interface Using Editing Features Table 2-5 Editing Commands through Keystrokes (continued) Capability Keystroke Purpose Press Esc Y. Recall the next buffer entry. The buffer contains only the last 10 items that you have deleted or cut. If you press Esc Y more than ten times, you cycle to the first buffer entry.
Chapter 2 Using the Command-Line Interface Searching and Filtering Output of show and more Commands Editing Command Lines that Wrap You can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command.
Chapter 2 Using the Command-Line Interface Accessing the CLI Accessing the CLI You can access the CLI through a console connection, through Telnet, or by using the browser. You manage the switch stack and the stack member interfaces through the stack master. You cannot manage stack members on an individual switch basis.
Access page. You can access the CLI by clicking Web Console - HTML access to the command line interface from a cached copy of the Cisco Systems Access page. To prevent unauthorized access to the CLI or to the Cluster Management Suite (CMS), exit your browser to end the browser session.
C H A P T E R Getting Started with CMS This chapter contains these sections that describe the Cluster Management Suite (CMS) on the Catalyst 3750 switch: “Understanding CMS” section on page 3-1 • “Configuring CMS” section on page 3-8 •...
Chapter 3 Getting Started with CMS Understanding CMS Front Panel View The Front Panel view displays the front-panel image of a specific set of switches in a cluster. From this view, you can select multiple ports or multiple switches and configure them with the same settings. For more information, see the “Displaying CMS”...
Page 77
Chapter 3 Getting Started with CMS Understanding CMS The toolbar provides buttons for commonly used switch and cluster configuration options and • information windows such as legends and online help. Table 3-1 lists the toolbar options from left to right on the toolbar. Table 3-1 Toolbar Buttons Toolbar Option...
Page 78
Chapter 3 Getting Started with CMS Understanding CMS The feature bar shows the features available for the devices in your cluster. By default, the feature • bar is in standard mode. In this mode, the feature bar is always visible, and you can reduce or increase the width of the feature bar.
You can send us feedback about the information provided in the online help. Click Feedback to display an online form. After completing the form, click Submit to send your comments to Cisco Systems Inc. We appreciate and value your comments.
Chapter 3 Getting Started with CMS Understanding CMS Figure 3-3 Guide Mode and Wizards Guide mode icon Wizards Guide mode is not available if your switch access level is read-only. For more information about the read-only access mode, see the “Privilege Levels”...
If your cluster has these member switches running earlier software releases and if you have read-only access to these member switches, some configuration windows for those switches display incomplete information: Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 • or earlier Catalyst 2950 member switches running Cisco IOS Release 12.0(5)WC2 or earlier...
Chapter 3 Getting Started with CMS Configuring CMS Configuring CMS This section contains these topics that describe the requirements and configuration information for CMS: • “CMS Requirements” section on page 3-8 “Cross-Platform Considerations” section on page 3-9 • “Launching CMS” section on page 3-11 •...
When managing switch clusters through CMS, remember that clusters can have a mix of switch models using different Cisco IOS releases and that CMS in earlier Cisco IOS releases and on different switch platforms might look and function differently from CMS in this Cisco IOS release.
CMS on the Catalyst 1900 and Catalyst 2820 switches is referred to as Switch Manager. Cluster management options are not available on these switches. This is the earliest version of CMS. Refer to the documentation specific to the switch and its Cisco IOS release for descriptions of the CMS version.
HTTP • server user authentication. • local—Local user database as defined on the Cisco router or access server is used. tacacs—TACACS server is used. • Step 3 Return to privileged EXEC mode.
Page 86
Tools—Accesses diagnostic and monitoring tools, such as Telnet, Extended Ping, and the show • interfaces privileged EXEC command Help Resources—Provides links to the Cisco website, technical documentation, and the Cisco • Technical Assistance Center (TAC) Click Cluster Management Suite to launch the CMS interface. The CMS Startup Report runs and Step 3 verifies that your PC or workstation can correctly run CMS.
Page 87
Chapter 3 Getting Started with CMS Displaying CMS Figure 3-5 CMS Startup Report The CMS Startup Report has links that instruct you how to correctly configure your PC or workstation. If the CMS Startup Report appears, click the links, and follow the instructions to configure your PC or workstation.
Chapter 3 Getting Started with CMS Displaying CMS Front Panel View When CMS is launched from a command switch, you can display the Front Panel view by clicking the Front Panel button on the tool bar, as shown in Figure 3-6.
Chapter 3 Getting Started with CMS Displaying CMS Figure 3-7 shows a cluster with a Catalyst 3550 switch as the command switch. Refer to the release notes Note for a list of switches that can be members of a cluster with a Catalyst 3750 switch as the command switch.
Chapter 3 Getting Started with CMS Where to Go Next The Topology view shows how the devices within a switch cluster are connected and how the switch cluster is connected to other clusters and devices. From this view, you can add and remove cluster members.
For complete syntax and usage information for the commands used in this chapter, refer to the command Note reference for this release and to the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2. This chapter consists of these sections: •...
For more information about the setup program, refer to the release notes on Cisco.com. The switch stack is managed through a single IP address. The IP address is a system-level setting and is not specific to the stack master or to any other stack member.
Chapter 4 Assigning the Switch IP Address and Default Gateway Assigning Switch Information If you are using DHCP, do not respond to any of the questions in the setup program until the switch Note receives the dynamically assigned IP address and reads the configuration file. If you are an experienced user familiar with the switch configuration steps, manually configure the switch.
Chapter 4 Assigning the Switch IP Address and Default Gateway Assigning Switch Information The DHCP server for your switch can be on the same LAN or on a different LAN than the switch. If the DHCP server is running on a different LAN, you should configure a DHCP relay device between your switch and the DHCP server.
Example Configuration, page 4-8 • If your DHCP server is a Cisco device, refer to the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 for additional information about configuring DHCP.
If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
Note see the “Routed Ports” section on page 11-3 and the “Configuring Layer 3 Interfaces” section on page 11-21. Figure 4-2 Relay Device Used in Autoconfiguration Switch Cisco router (DHCP client) (Relay) 10.0.0.2 10.0.0.1 20.0.0.1 20.0.0.2 20.0.0.3 20.0.0.4 DHCP server...
Figure 4-3 DHCP-Based Autoconfiguration Network Example Switch 1 Switch 2 Switch 3 Switch 4 00e0.9f1e.2001 00e0.9f1e.2002 00e0.9f1e.2003 00e0.9f1e.2004 Cisco router 10.0.0.10 10.0.0.1 10.0.0.2 10.0.0.3 DHCP server DNS server TFTP server (tftpserver) Table 4-2 shows the configuration of the reserved leases on the DHCP server.
Page 99
Chapter 4 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Table 4-2 DHCP Server Configuration (continued) Switch A Switch B Switch C Switch D Boot filename (configuration file) switcha-confg switchb-confg switchc-confg switchd-confg (optional) Host name (optional) switcha switchb switchc switchd...
Chapter 4 Assigning the Switch IP Address and Default Gateway Checking and Saving the Running Configuration Manually Assigning IP Information Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs) or ports: Command Purpose Step 1...
EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Modifying the Startup Configuration This section describes how to modify the switch startup configuration.
Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot cycle.
Chapter 4 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Command Purpose Step 4 show boot Verify your entries. The boot config-file global configuration command changes the setting of the CONFIG_FILE environment variable. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
Chapter 4 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration This command only works properly from a standalone switch. Note Beginning in privileged EXEC mode, follow these steps to configure the switch to boot a specific image during the next boot cycle: Command Purpose...
Page 105
Cisco IOS configuration file can be stored as an environment variable. You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
CONFIG_FILE set CONFIG_FILE flash:/file-url boot config-file flash:/file-url Changes the filename that Cisco IOS uses to read Specifies the filename that Cisco IOS uses to read and write a nonvolatile copy of the system and write a nonvolatile copy of the system configuration.
Chapter 4 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image Use the at keyword only if the switch system clock has been set (through Network Time Note Protocol (NTP), the hardware calendar, or manually). The time is relative to the configured time zone on the switch.
Page 108
Chapter 4 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image Catalyst 3750 Switch Software Configuration Guide 4-18 78-16180-02...
One of the switches controls the operation of the stack and is called the stack master. The stack master and the other switches in the stack are stack members. The stack members use the Cisco StackWise technology to behave and work together as a unified system. Layer 2 and Layer 3 protocols present the entire switch stack as a single entity to the network.
Chapter 5 Managing Switch Stacks Understanding Switch Stacks The system-level features supported on the stack master are supported on the entire switch stack. If the switch stack must have switches running both standard multilayer image (SMI) and enhanced multilayer image (EMI) software, we recommend that a switch running the EMI software be the stack master. EMI features are unavailable if the stack master is running the SMI software.
Chapter 5 Managing Switch Stacks Understanding Switch Stacks Switch Stack Membership A switch stack has up to nine stack members connected through their StackWise ports. A switch stack always has one stack master. A standalone switch is a switch stack with one stack member that also operates as the stack master. You can connect one standalone switch to another (Figure 5-1 on page 5-4) to create a switch stack...
The Catalyst 3750 EMI cryptographic image has a higher priority than the Catalyst 3750 SMI image during the master switch election in a stack. However, when two or more switches in the stack use different software images, such as the SMI image for Cisco IOS Release 12.1(11)AX and the Catalyst 3750 Switch Software Configuration Guide...
10 seconds. To avoid this problem, upgrade the switch running the SMI to a software release later than Cisco IOS Release 12.1(11)AX or manually start the master switch and wait at least 8 seconds before starting the new member switch.
Chapter 5 Managing Switch Stacks Understanding Switch Stacks Stack Member Numbers The stack member number (1 to 9) identifies each member in the switch stack. The member number also determines the interface-level configuration that a stack member uses. You can display the stack member number by using the show switch user EXEC command.
You manually create the provisioned configuration through the switch stack-member-number provision type global configuration command. The provisioned configuration also is automatically created when a switch is added to a switch stack that is running Cisco IOS Release 12.2(20)SE or later and when no provisioned configuration exists.
Chapter 5 Managing Switch Stacks Understanding Switch Stacks Effects of Adding a Provisioned Switch to a Switch Stack When you add a provisioned switch to the switch stack, the stack applies either the provisioned configuration or the default configuration to it. Table 5-1 lists the events that occur when the switch stack compares the provisioned configuration with the provisioned switch:...
Page 117
In addition, any configured PoE-related commands that are valid only on PoE-capable interfaces are rejected, even for ports 1 through 24. If the switch stack is running Cisco IOS Release 12.2(20)SE or later and does not contain a provisioned Note configuration for a new switch, the switch joins the stack with the default interface configuration.
Effects of Removing a Provisioned Switch from a Switch Stack If a switch stack is running Cisco IOS Release 12.2(20)SE or later and you remove a provisioned switch from a switch stack, the configuration associated with the removed stack member remains in the running configuration as provisioned information.
“Hardware Compatibility in Switch Stacks” section on page 5-10. Compatibility Recommendations All stack members must run the same Cisco IOS software version to ensure compatibility between stack members. Follow these recommendations: The Cisco IOS software version on all stack members, including the stack master, should be the •...
Note We recommend that all stack members are installed with Cisco IOS Release 12.1(14)EA1 or later to ensure that the interface-specific settings of the stack master are saved, in case the stack master is replaced without saving the running configuration to the startup configuration.
For more information about file systems and configuration files, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Additional Considerations for System-Wide Configuration on Switch Stacks These sections provide additional considerations for configuring system-wide features on switch stacks: •...
Chapter 5 Managing Switch Stacks Understanding Switch Stacks Switch Stack Management Connectivity You manage the switch stack and the stack member interfaces through the stack master. You can use the CMS, the CLI, and SNMP and CiscoWorks network management applications. You cannot manage stack members on an individual switch basis.
Chapter 5 Managing Switch Stacks Understanding Switch Stacks To debug a specific stack member, you can access it from the stack master by using the session stack-member-number privileged EXEC command. The stack member number is appended to the system prompt. For example, is the prompt in privileged EXEC mode for stack member 2, and the Switch-2# system prompt for the stack master is...
Page 124
Chapter 5 Managing Switch Stacks Understanding Switch Stacks Table 5-2 Switch Stack Configuration Scenarios (continued) Scenario Result Stack master election Assuming that all stack members have the The stack member with the noncryptographic EMI specifically determined same priority value: software is elected stack master. by the EMI software Make sure that one stack member has the noncryptographic EMI software...
Chapter 5 Managing Switch Stacks Assigning Stack Member Information Table 5-2 Switch Stack Configuration Scenarios (continued) Scenario Result Stack master failure Remove (or power off) the stack master. Based on the factors described in the “Stack Master Election and Re-Election” section on page 5-4, one of the remaining stack members becomes the new stack master.
Chapter 5 Managing Switch Stacks Assigning Stack Member Information Beginning in privileged EXEC mode, follow these steps to assign a member number to a stack member. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 switch current-stack-member-number Specify the current stack member number and the new stack member...
Chapter 5 Managing Switch Stacks Accessing the CLI of a Specific Stack Member Beginning in privileged EXEC mode, follow these steps to provision a new member for a switch stack. This procedure is optional. Command Purpose Step 1 show switch Display summary information about the switch stack.
Chapter 5 Managing Switch Stacks Displaying Switch Stack Information Displaying Switch Stack Information To display configuration changes that you save after you reset a specific stack member or the switch stack, use the privileged EXEC commands listed in Table 5-4. Table 5-4 Commands for Displaying Switch Stack Information Command...
C H A P T E R Clustering Switches This chapter provides the concepts and procedures to create and manage Catalyst 3750 switch clusters. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. This chapter focuses on Catalyst 3750 switch clusters.
Chapter 6 Clustering Switches Understanding Switch Clusters Understanding Switch Clusters A switch cluster is a set of up to 16 connected, cluster-capable Catalyst switches that are managed as a single entity. The switches in the cluster use the switch clustering technology so that you can configure and troubleshoot a group of different Catalyst desktop switch platforms through a single IP address.
It has an IP address. • • It has Cisco Discovery Protocol (CDP) version 2 enabled (the default). It is not a command or cluster member switch of another cluster. • It is connected to the standby cluster command switches through the management VLAN and to the •...
Chapter 6 Clustering Switches Planning a Switch Cluster Candidate Switch and Cluster Member Switch Characteristics Candidate switches are cluster-capable switches and switch stacks that have not yet been added to a cluster. Cluster member switches are switches and switch stacks that have actually been added to a switch cluster.
Java plug-in configurations. Automatic Discovery of Cluster Candidates and Members The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
Switch 15 Discovery Through Non-CDP-Capable and Noncluster-Capable Devices If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
Chapter 6 Clustering Switches Planning a Switch Cluster Discovery Through Different VLANs If the cluster command switch is a Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 switch, the cluster can have cluster member switches in different VLANs. As cluster member switches, they must be connected through at least one VLAN in common with the cluster command switch.
Chapter 6 Clustering Switches Planning a Switch Cluster If the switch cluster has a Catalyst 3750 switch or switch stack, that switch or switch stack must be the Note cluster command switch. The cluster command switch and standby command switch in Figure 6-4 (assuming they are Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switches) have ports...
Chapter 6 Clustering Switches Planning a Switch Cluster Figure 6-5 Discovery Through Routed Ports Command switch VLAN 9 VLAN 62 VLAN VLAN 62 VLAN 9 Member (management VLAN 62) switch 7 VLAN 4 Discovery of Newly Installed Switches To join a cluster, the new, out-of-the-box switch must be connected to the cluster through one of its access ports.
Chapter 6 Clustering Switches Planning a Switch Cluster HSRP and Standby Cluster Command Switches The switch supports Hot Standby Router Protocol (HSRP) so that you can configure a group of standby cluster command switches. Because a cluster command switch manages the forwarding of all communication and configuration information to all the cluster member switches, we strongly recommend the following: For a cluster command switch stack, a standby cluster command switch is necessary if the entire...
Chapter 6 Clustering Switches Planning a Switch Cluster Virtual IP Addresses You need to assign a unique virtual IP address and group number and name to the cluster standby group. This information must be configured on a specific VLAN or routed port on the active cluster command switch.
Chapter 6 Clustering Switches Planning a Switch Cluster Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL cluster member switches must be connected to the cluster standby group through their management VLANs. For more information about VLANs in switch clusters, see these sections: “Discovery Through Different VLANs”...
Chapter 6 Clustering Switches Planning a Switch Cluster When the previously active cluster command switch resumes its active role, it receives a copy of the latest cluster configuration from the active cluster command switch, including members that were added while it was down. The active cluster command switch sends a copy of the cluster configuration to the cluster standby group.
Chapter 6 Clustering Switches Planning a Switch Cluster Passwords You do not need to assign passwords to an individual switch if it will be a cluster member. When a switch joins a cluster, it inherits the command-switch password and retains it when it leaves the cluster. If no command-switch password is configured, the cluster member switch inherits a null password.
Page 143
Chapter 6 Clustering Switches Planning a Switch Cluster Table 6-1 Basic Comparison of Switch Stacks and Switch Clusters (continued) Switch Stack Switch Cluster Stack master is the single point of complete management for Cluster command switch is the single point of some manage- all stack members in a particular switch stack ment for all cluster members in a particular switch cluster Back-up stack master is automatically determined in case the...
If your cluster has these cluster member switches running earlier software releases and if you have read-only access to these cluster member switches, some configuration windows for those switches display incomplete information: Catalyst 2900 XL or Catalyst 3500 XL cluster member switches running Cisco IOS • Release 12.0(5)WC2 or earlier Catalyst 2950 cluster member switches running Cisco IOS Release 12.0(5)WC2 or earlier...
Chapter 6 Clustering Switches Creating a Switch Cluster LRE Profiles A configuration conflict occurs if a switch cluster has Long-Reach Ethernet (LRE) switches that use both private and public profiles. If one LRE switch in a cluster is assigned a public profile, all LRE switches in that cluster must have that same public profile.
Chapter 6 Clustering Switches Creating a Switch Cluster If you did not enable a cluster command switch during initial switch setup, launch Device Manager from a command-capable switch, and select Cluster > Create Cluster. Enter a cluster number (the default is 0), and use up to 31 characters to name the cluster (Figure 6-8).
Page 147
Chapter 6 Clustering Switches Creating a Switch Cluster Instead of using CMS to add members to the cluster, you can use the cluster member global configuration command from the cluster command switch. Use the password option in this command if the candidate switch has a password.
Chapter 6 Clustering Switches Verifying a Switch Cluster Verifying a Switch Cluster When you finish adding cluster members, follow these steps to verify the cluster: Enter the cluster command switch IP address in the browser Location field (Netscape Communicator) Step 1 or Address field (Microsoft Internet Explorer) to access all switches in the cluster.
Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
Chapter 6 Clustering Switches Using SNMP to Manage Switch Clusters Using SNMP to Manage Switch Clusters When you first power on the switch, SNMP is enabled if you enter the IP information by using the setup program and accept its proposed configuration. If you did not use the setup program to enter the IP information and SNMP was not enabled, you can enable it as described in the “Configuring SNMP”...
You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods. For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Note Configuration Fundamentals Command Reference, Release 12.2.
Chapter 7 Administering the Switch Managing the System Time and Date Understanding the System Clock The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the date and time. The system clock can then be set from these sources: Network Time Protocol •...
Page 155
Managing the System Time and Date Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
Chapter 7 Administering the Switch Managing the System Time and Date Configuring NTP The switch does not have a hardware-supported clock and cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. The switch also has no hardware support for a calendar.
Chapter 7 Administering the Switch Managing the System Time and Date Configuring NTP Authentication This procedure must be coordinated with the administrator of the NTP server; the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server. Beginning in privileged EXEC mode, follow these steps to authenticate the associations (communications between devices running NTP that provide for accurate timekeeping) with other devices for security purposes:...
Chapter 7 Administering the Switch Managing the System Time and Date Configuring NTP Associations An NTP association can be a peer association (this switch can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this switch synchronizes to the other device, and not the other way around).
Chapter 7 Administering the Switch Managing the System Time and Date Configuring NTP Broadcast Service The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association.
Chapter 7 Administering the Switch Managing the System Time and Date Beginning in privileged EXEC mode, follow these steps to configure the switch to receive NTP broadcast packets from connected peers: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to receive NTP broadcast packets, and enter interface...
Page 161
Chapter 7 Administering the Switch Managing the System Time and Date Creating an Access Group and Assigning a Basic IP Access List Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists: Command Purpose Step 1...
Chapter 7 Administering the Switch Managing the System Time and Date To remove access control to the switch NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command. This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99.
• show ntp status • For detailed information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. Configuring Time and Date Manually If no other source of time is available, you can manually configure the time and date after the system is restarted.
Chapter 7 Administering the Switch Managing the System Time and Date This example shows how to manually set the system clock to 1:32 p.m. on July 23, 2001: Switch# clock set 13:32:00 23 July 2001 Displaying the Time and Date Configuration To display the time and date configuration, use the show clock [detail] privileged EXEC command.
Chapter 7 Administering the Switch Managing the System Time and Date Configuring Summer Time (Daylight Saving Time) Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year: Command Purpose Step 1...
Chapter 7 Administering the Switch Configuring a System Name and Prompt Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events): Command Purpose Step 1...
Administering the Switch Configuring a System Name and Prompt For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
Chapter 7 Administering the Switch Configuring a System Name and Prompt Default DNS Configuration Table 7-2 shows the default DNS configuration. Table 7-2 Default DNS Configuration Feature Default Setting DNS enable state Enabled. DNS default domain name None configured. DNS servers No name server addresses are configured.
Chapter 7 Administering the Switch Creating a Banner Configuring a Message-of-the-Day Login Banner You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: Command Purpose Step 1...
Chapter 7 Administering the Switch Managing the MAC Address Table Configuring a Login Banner You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner: Command Purpose Step 1...
Chapter 7 Administering the Switch Managing the MAC Address Table This section contains this configuration information: Building the Address Table, page 7-21 • • MAC Addresses and VLANs, page 7-21 • MAC Addresses and Switch Stacks, page 7-22 Default MAC Address Table Configuration, page 7-22 •...
Chapter 7 Administering the Switch Managing the MAC Address Table For more information about private VLANs, see Chapter 15, “Configuring Private VLANs.” MAC Addresses and Switch Stacks The MAC address tables on all stack members are synchronized. At any given time, each stack member has the same copy of the address tables for each VLAN.
Chapter 7 Administering the Switch Managing the MAC Address Table Command Purpose Step 4 show mac address-table aging-time Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default value, use the no mac address-table aging-time global configuration command. Removing Dynamic Address Entries To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode.
Page 176
Chapter 7 Administering the Switch Managing the MAC Address Table Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address notification traps to an NMS host: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server host host-addr {traps | informs} {version {1 Specify the recipient of the trap message.
Chapter 7 Administering the Switch Managing the MAC Address Table Command Purpose Step 9 show mac address-table notification interface Verify your entries. show running-config Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable the switch from sending MAC address notification traps, use the no snmp-server enable traps mac-notification global configuration command.
Chapter 7 Administering the Switch Managing the MAC Address Table Beginning in privileged EXEC mode, follow these steps to add a static address: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac address-table static mac-addr Add a static address to the MAC address table. vlan vlan-id interface interface-id •...
Page 179
Chapter 7 Administering the Switch Managing the MAC Address Table If you add a unicast MAC address as a static address and configure unicast MAC address filtering, • the switch either adds the MAC address as a static address or drops packets with that MAC address, depending on which command was entered last.
(represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed. For CLI procedures, refer to the Cisco IOS Release 12.2 documentation on Cisco.com. Catalyst 3750 Switch Software Configuration Guide...
C H A P T E R Configuring SDM Templates This chapter describes how to configure the Switch Database Management (SDM) templates on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
Chapter 8 Configuring SDM Templates Understanding the SDM Templates Table 8-1 Approximate Number of Feature Resources Allowed by Each Template Desktop Templates Aggregator Templates Resource Default Routing VLAN Default Routing VLAN Unicast MAC addresses 12 K 12 K IGMP groups and multicast routes Unicast routes 11 K 12 K...
Chapter 8 Configuring SDM Templates Configuring the Switch SDM Template You can use the show switch privileged EXEC command to see if any stack members are in SDM mismatch mode. This example shows the output from the show switch privileged EXEC command when an SDM mismatch exists: Switch# show switch Current...
Chapter 8 Configuring SDM Templates Configuring the Switch SDM Template SDM Template Configuration Guidelines You must reload the switch for the configuration to take effect. Use the sdm prefer vlan [desktop] global configuration command only on switches intended for Layer 2 switching with no routing. When you use the VLAN template, no system resources are reserved for routing entries, and any routing is done through software.
Chapter 8 Configuring SDM Templates Displaying the SDM Templates number of unicast mac addresses: number of igmp groups + multicast routes: number of unicast routes: number of directly connected hosts: number of indirect routes: number of qos aces: number of security aces: On next reload, template will be "aggregate routing"...
Page 186
Chapter 8 Configuring SDM Templates Displaying the SDM Templates This is an example of output from the show sdm prefer routing command entered on an aggregator switch: Switch# show sdm prefer routing "aggregate routing" template: The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
C H A P T E R Configuring Switch-Based Authentication This chapter describes how to configure switch-based authentication on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. This chapter consists of these sections: Preventing Unauthorized Access to Your Switch, page 9-1 •...
Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference, Release 12.2. This section describes how to control access to the configuration file and privileged EXEC commands.
Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Setting or Changing a Static Enable Password The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password: Command Purpose Step 1...
The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined. (Optional) For encryption-type, only type 5, a Cisco • proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password that you...
Disable password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands To re-enable password recovery, use the service password-recovery global configuration command. Note Disabling password recovery will not work if you have set the switch to boot manually by using the boot manual global configuration command.
Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Configuring Username and Password Pairs You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
Protecting Access to Privileged EXEC Commands Configuring Multiple Privilege Levels By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
Chapter 9 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands. For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Note Security Command Reference, Release 12.2.
Page 197
The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers. A network access server provides connections to a single user, to a network or...
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ The TACACS+ protocol provides authentication between the switch and the TACACS+ daemon, and it ensures confidentiality because all protocol exchanges between the switch and the TACACS+ daemon are encrypted. You need a system running the TACACS+ daemon software to use TACACS+ on your switch. TACACS+ Operation When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:...
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Configuring TACACS+ This section describes how to configure your switch to support TACACS+. At a minimum, you must identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+ authentication.
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Beginning in privileged EXEC mode, follow these steps to identify the IP host or host maintaining TACACS+ server and optionally set the encryption key: Command Purpose Step 1 configure terminal Enter global configuration mode.
Page 201
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted.
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Command Purpose Step 5 login authentication {default | Apply the authentication list to a line or set of lines. list-name} If you specify default, use the default list created with the aaa •...
(AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services:...
RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference, Release 12.2. This section contains this configuration information: •...
X.25 PAD connections. Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. • RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication. • Networks using a variety of services. RADIUS generally binds a user to one service model.
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or network authorization. Users must first successfully complete RADIUS authentication before proceeding to RADIUS authorization, if it is enabled. The additional data included with the ACCEPT or REJECT packets includes these items: Telnet, SSH, rlogin, or privileged EXEC services •...
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Identifying the RADIUS Server Host Switch-to-RADIUS-server communication involves several components: Host name or IP address • Authentication destination port • Accounting destination port • Key string • • Timeout period •...
Page 208
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | Specify the IP address or host name of the remote RADIUS server host.
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting: Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1 Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2...
Page 210
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA.
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Command Purpose Step 5 login authentication {default | Apply the authentication list to a line or set of lines. list-name} If you specify default, use the default list created with the aaa •...
Page 212
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | Specify the IP address or host name of the remote RADIUS server host.
(AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
Page 216
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS For example, this AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP IPCP address assignment): cisco-avpair= ”ip:addr-pool=first“ This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands: cisco-avpair= ”shell:priv-lvl=15“...
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
Configuring Kerberos, page 9-36 • For Kerberos configuration examples, refer to the “Kerberos Configuration Examples” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/ For complete syntax and usage information for the commands used in this section, refer to the “Kerberos Note Commands”...
Page 219
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with Kerberos This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs).
Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with Kerberos Table 9-2 Kerberos Terms (continued) Term Definition KEYTAB A password that a network service shares with the KDC. In Kerberos 5 and later Kerberos versions, the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it.
KDC and obtain a TGT from the KDC to access network services. For instructions about how to authenticate to a KDC, refer to the “Obtaining a TGT from a KDC” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfkerb.ht...
• Configure the switch to use the Kerberos protocol. For instructions, refer to the “Kerberos Configuration Task List” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfkerb.ht m#1001027. Configuring the Switch for Local Authentication and...
For complete syntax and usage information for the commands used in this section, refer to the command Note reference for this release and the command reference for Cisco IOS Release 12.2 at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Catalyst 3750 Switch Software Configuration Guide...
You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
Setting Up the Switch to Run SSH Follow these steps to set up your switch to run SSH: Download the cryptographic software image from Cisco.com. This step is required. For more information, refer to the release notes for this release.
Chapter 9 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell Generate an RSA key pair for the switch, which automatically enables SSH. Follow this procedure only if you are configuring the switch as an SSH server. Configure user authentication for local or remote access. This step is required. For more information, see the “Configuring the Switch for Local Authentication and Authorization”...
Shows the status of the SSH server. For more information about these commands, refer to the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fothercr/...
Page 229
Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
Chapter 10 Configuring 802.1x Port-Based Authentication Understanding 802.1x Port-Based Authentication When the switch receives EAPOL frames and relays them to the authentication server, the Ethernet header is stripped and the remaining EAP frame is re-encapsulated in the RADIUS format. The EAP frames are not modified or examined during encapsulation, and the authentication server must support EAP within the native frame format.
Chapter 10 Configuring 802.1x Port-Based Authentication Understanding 802.1x Port-Based Authentication Figure 10-2 Message Exchange Authentication server Client (RADIUS) EAPOL-Start EAP-Request/Identity EAP-Response/Identity RADIUS Access-Request EAP-Request/OTP RADIUS Access-Challenge EAP-Response/OTP RADIUS Access-Request EAP-Success RADIUS Access-Accept Port Authorized EAPOL-Logoff Port Unauthorized Ports in Authorized and Unauthorized States Depending on the switch port state, the switch can grant a client access to the network.
Chapter 10 Configuring 802.1x Port-Based Authentication Understanding 802.1x Port-Based Authentication If the client is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated client are allowed through the port.
Chapter 10 Configuring 802.1x Port-Based Authentication Understanding 802.1x Port-Based Authentication Figure 10-3 Wireless LAN Example Authentication server Access point (RADIUS) Wireless clients Using 802.1x with Port Security You can configure 802.1x port and port security in either single-host or multiple-hosts mode. (You also must configure port security on the port by using the switchport port-security interface configuration command.) When you enable port security and 802.1x on a port, 802.1x authenticates the port, and port security manages network access for all MAC addresses, including that of the client.
When 802.1x is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN. If you enable 802.1x on an access port on which a voice VLAN is configured and to which a Cisco IP Note Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
Chapter 10 Configuring 802.1x Port-Based Authentication Understanding 802.1x Port-Based Authentication When configured on the switch and the RADIUS server, 802.1x with VLAN assignment has these characteristics: If no VLAN is supplied by the RADIUS server or if 802.1x authorization is disabled, the port is •...
If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication The maximum size of the per-user ACL is 4000 ASCII characters. For examples of vendor-specific attributes, see the “Configuring the Switch to Use Vendor-Specific RADIUS Attributes” section on page 9-29. For more information about configuring ACLs, see Chapter 31, “Configuring Network Security with ACLs.”...
EtherChannel as an 802.1x port. If you try to enable 802.1x on an EtherChannel port, an error message appears, and 802.1x is not enabled. In software releases earlier than Cisco IOS Release 12.2(18)SE, if 802.1x is enabled on Note a not-yet active port of an EtherChannel, the port does not join the EtherChannel.
Some global configuration commands became interface configuration commands, and new commands were added. If you have 802.1x configured on the switch and you upgrade to Cisco IOS Release 12.1(14)EA1 or later, the configuration file will not contain the new commands, and 802.1x will not operate. After the upgrade is complete, make sure to globally enable 802.1x by using the dot1x system-auth-control global...
Page 242
Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration. Step 3 The switch sends a start message to an accounting server. Step 4 Step 5 Re-authentication is performed, as necessary. Step 6 The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication.
Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication Configuring the Switch-to-RADIUS-Server Communication RADIUS security servers are identified by their host name or IP address, host name and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address.
Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, refer to the RADIUS server documentation.
Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication Changing the Quiet Period When the switch cannot authenticate the client, the switch remains idle for a set period of time and then tries again. The dot1x timeout quiet-period interface configuration command controls the idle period. A failed authentication of the client might occur because the client provided an invalid password.
Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication Command Purpose Step 4 Return to privileged EXEC mode. Step 5 show dot1xinterface interface-id Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default retransmission time, use the no dot1x timeout tx-period interface configuration command.
Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication You should change the default value of this command only to adjust for unusual circumstances such as Note unreliable links or specific behavioral problems with certain clients and authentication servers. Beginning in privileged EXEC mode, follow these steps to set the re-authentication number. This procedure is optional.
Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication Command Purpose Step 3 dot1x host-mode multi-host Allow multiple hosts (clients) on an 802.1x-authorized port. Make sure that the dot1x port-control interface configuration command set is set to auto for the specified interface. Step 4 Return to privileged EXEC mode.
Chapter 10 Configuring 802.1x Port-Based Authentication Configuring 802.1x Authentication This example shows how to set 3 as the quiet time on the switch, to set 15 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request, and to enable VLAN 2 as an 802.1x guest VLAN when an 802.1x port is connected to a DHCP client: Switch(config-if)# dot1x timeout quiet-period 3...
Chapter 10 Configuring 802.1x Port-Based Authentication Displaying 802.1x Statistics and Status Beginning in privileged EXEC mode, follow these steps to configure 802.1x accounting after AAA is enabled on your switch. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
• For complete syntax and usage information for the commands used in this chapter, refer to the switch Note command reference for this release and the online Cisco IOS Interface Command Reference, Release 12.2. Understanding Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interface types.
Chapter 11 Configuring Interface Characteristics Understanding Interface Types EtherChannel Port Groups, page 11-5 • Connecting Interfaces, page 11-5 • Port-Based VLANs A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 13, “Configuring VLANs.”...
Catalyst 6500 series switch; the Catalyst 3750 switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 16, “Configuring Voice VLAN.”...
Chapter 11 Configuring Interface Characteristics Understanding Interface Types Configure routed ports by putting the interface into Layer 3 mode with the no switchport interface configuration command. Then assign an IP address to the port, enable routing, and assign routing protocol characteristics by using the ip routing and router protocol global configuration commands. Entering a no switchport interface configuration command shuts down the interface and then re-enables Note it, which might generate messages on the device to which the interface is connected.
Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. Exceptions are the DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP), which operate only on physical ports.
Page 256
Chapter 11 Configuring Interface Characteristics Understanding Interface Types Figure 11-1 Connecting VLANs with Layer 2 Switches Cisco router Switch Host A Host B VLAN 20 VLAN 30 By using the switch with routing enabled, when you configure VLAN 20 and VLAN 30 each with an...
Chapter 11 Configuring Interface Characteristics Using Interface Configuration Mode When the EMI is running on the stack master, the switch supports two methods of forwarding traffic between interfaces: routing and fallback bridging. If the SMI is on the stack master, only basic routing (static routing and RIP) is supported.
You can identify physical interfaces by physically checking the interface location on the switch. You can also use the Cisco IOS show privileged EXEC commands to display information about a specific interface or all the interfaces on the switch. The remainder of this chapter primarily provides physical interface configuration procedures.
Chapter 11 Configuring Interface Characteristics Using Interface Configuration Mode You can also configure a range of interfaces by using the interface range or interface range macro global configuration commands. Interfaces configured in a range must be the same type and must be configured with the same feature options.
Chapter 11 Configuring Interface Characteristics Using Interface Configuration Mode port-channel port-channel-number - port-channel-number, where the port-channel-number is – 1 to 12 Note When you use the interface range command with port channels, the first and last port channel number must be active port channels. You must add a space between the first interface number and the hyphen when using the •...
Page 261
Chapter 11 Configuring Interface Characteristics Using Interface Configuration Mode Beginning in privileged EXEC mode, follow these steps to define an interface range macro: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 define interface-range macro_name Define the interface-range macro, and save it in NVRAM. interface-range •...
Chapter 11 Configuring Interface Characteristics Configuring Ethernet Interfaces This example shows how to define an interface-range named enet_list to include ports 1 and 2 on switch 1 and to verify the macro configuration: Switch# configure terminal Switch(config)# define interface-range enet_list gigabitethernet1/0/1 - 2 Switch(config)# end Switch# show running-config | include define define interface-range enet_list GigabitEthernet1/0/1 - 2...
Page 263
Enabled. Note The switch might not support a pre-standard powered device—such as Cisco IP phones and access points that do not fully support IEEE 802.3af—if that powered device is connected to the switch through a crossover cable. This is regardless of whether Auto-MIDX is enabled on the switch port.
The speed and duplex features are not supported. The 10-Gigabit interfaces do not support these QoS features: • – Policing Auto-QoS for VoIP with Cisco IP Phones – Servicing the egress queues by using shaped round robin (SRR) weights – Limiting the bandwidth on an egress interface –...
Chapter 11 Configuring Interface Characteristics Configuring Ethernet Interfaces These sections describe how to configure the interface speed and duplex mode: Configuration Guidelines, page 11-15 • • Setting the Interface Speed and Duplex Parameters, page 11-15 Configuration Guidelines When configuring an interface speed and duplex mode, note these guidelines: If both ends of the line support autonegotiation, we highly recommend the default setting of auto •...
Page 266
Chapter 11 Configuring Interface Characteristics Configuring Ethernet Interfaces Command Purpose Step 3 speed {10 | 100 | 1000 | auto | nonegotiate} Enter the appropriate speed parameter for the interface: Enter 10, 100, or 1000 to set a specific speed for the interface. •...
Chapter 11 Configuring Interface Characteristics Configuring Ethernet Interfaces Configuring IEEE 802.3z Flow Control Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. If one port experiences congestion and cannot receive any more traffic, it notifies the other port to stop sending until the condition clears by sending a pause frame.
Chapter 11 Configuring Interface Characteristics Configuring Ethernet Interfaces Configuring Auto-MDIX on an Interface When automatic medium-dependent interface crossover (Auto-MDIX) is enabled on an interface, the interface automatically detects the required cable connection type (straight through or crossover) and configures the connection appropriately. When connecting switches without the Auto-MDIX feature, you must use straight-through cables to connect to devices such as servers, workstations, or routers and crossover cables to connect to other switches or repeaters.
After power is applied to an interface, the switch uses Cisco Discovery Protocol (CDP) to determine the power requirement of the connected Cisco PoE (standard and pre-standard) devices, and the switch adjusts the power budget accordingly.
39-13. This example shows how to enable automatic PoE on a port and the response from the show power inline command for the interface when a Cisco IEEE-compliant IP Phone is being supplied with power: Switch# configure terminal Switch(config)# interface fastethernet1/0/1...
Chapter 11 Configuring Interface Characteristics Configuring Layer 3 Interfaces Command Purpose Step 4 Return to privileged EXEC mode. Step 5 show interfaces interface-id description Verify your entry. show running-config Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no description interface configuration command to delete the description.
Chapter 11 Configuring Interface Characteristics Configuring the System MTU If the switch is notified by VLAN Trunking Protocol (VTP) of a new VLAN, it sends a message that • there are not enough hardware resources available and shuts down the VLAN. The output of the show vlan user EXEC command shows the VLAN in a suspended state.
Page 273
Chapter 11 Configuring Interface Characteristics Configuring the System MTU support jumbo frames on all Gigabit Ethernet interfaces by using the system mtu jumbo global configuration command. Gigabit Ethernet ports are not affected by the system mtu command; 10/100 ports are not affected by the system jumbo mtu command. You cannot set the MTU size for an individual interface;...
(You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference, Release 12.2. Table 11-3 Show Commands for Interfaces...
Chapter 11 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces Clearing and Resetting Interfaces and Counters Table 11-4 lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces. Table 11-4 Clear Commands for Interfaces Command Purpose clear counters [interface-id]...
Page 276
Chapter 11 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces Catalyst 3750 Switch Software Configuration Guide 11-26 78-16180-02...
When the macro is applied to an interface, the existing interface configurations are not lost. The new commands are added to the interface and are saved in the running configuration file. There are Cisco-default Smartports macros embedded in the switch software (see Table 12-1).
Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
EXEC command. Follow these guidelines when you apply a Cisco-default Smartports macro on an interface: • Display all macros on the switch by using the show parser macro user EXEC command. Display the contents of a specific macro by using the show parser macro macro-name user EXEC command.
Chapter 12 Configuring Smartports Macros Configuring Smartports Macros The Cisco-default macros use the $ character to help identify required keywords. There is no restriction on using the $ character to define keywords when you create a macro. Creating Smartports Macros...
Chapter 12 Configuring Smartports Macros Configuring Smartports Macros Applying Smartports Macros Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 macro global {apply | trace} Apply each individual command defined in the macro to the switch by macro-name [parameter {value}] entering macro global apply macro-name.
Enter global configuration mode. Step 4 macro global {apply | trace} Append the Cisco-default macro with the required values by using the macro-name [parameter {value}] parameter value keywords and apply the macro to the switch. [parameter {value}] [parameter...
Page 283
You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command. This example shows how to display the cisco-desktop macro, how to apply the macro, and to set the access VLAN ID to 25 on an interface:...
Chapter 12 Configuring Smartports Macros Displaying Smartports Macros Displaying Smartports Macros To display the Smartports macros, use one or more of the privileged EXEC commands in Table 12-2. Table 12-2 Commands for Displaying Smartports Macros Command Purpose show parser macro Displays all configured macros.
C H A P T E R Configuring VLANs This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Catalyst 3750 switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS).
Page 286
Figure 13-1 VLANs as Logically Defined Networks Engineering Marketing Accounting VLAN VLAN VLAN Cisco router Floor 3 Gigabit Ethernet Floor 2 Floor 1 VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
Chapter 13 Configuring VLANs Understanding VLANs Supported VLANs The switch supports 1005 VLANs in VTP client, server, and transparent modes. VLANs are identified with a number from 1 to 4094. VLAN IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
Page 288
Dynamic-Access Ports on VMPS Clients” section on page 13-30. Voice VLAN A voice VLAN port is an access port attached to a Cisco VTP is not required; it has no affect on a IP Phone, configured to use one VLAN for voice traffic voice VLAN.
Chapter 13 Configuring VLANs Configuring Normal-Range VLANs Configuring Normal-Range VLANs Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or transparent mode, you can add, modify or remove configurations for VLANs 2 to 1001 in the VLAN database.
Chapter 13 Configuring VLANs Configuring Normal-Range VLANs are several adjacent switches that all have run out of spanning-tree instances. You can prevent this possibility by setting allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances.
Chapter 13 Configuring VLANs Configuring Normal-Range VLANs Saving VLAN Configuration The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database (vlan.dat file). If VTP mode is transparent, they are also saved in the switch running configuration file and you can enter the copy running-config startup-config privileged EXEC command to save the configuration in the startup configuration file.
Chapter 13 Configuring VLANs Configuring Normal-Range VLANs Table 13-2 Ethernet VLAN Defaults and Ranges (continued) Parameter Default Range Translational bridge 1 0–1005 Translational bridge 2 0–1005 VLAN state active active, suspend Remote SPAN disabled enabled, disabled Private VLANs none configured 2 to 1001, 1006 to 4094.
Page 294
Chapter 13 Configuring VLANs Configuring Normal-Range VLANs Command Purpose Step 7 show vlan {name vlan-name | id vlan-id} Verify your entries. Step 8 copy running-config startup config (Optional) If the switch is in VTP transparent mode, the VLAN configuration is saved in the running configuration file as well as in the VLAN database.
Chapter 13 Configuring VLANs Configuring Normal-Range VLANs This example shows how to use VLAN configuration mode to create Ethernet VLAN 20, name it test20, and add it to the VLAN database: Switch# vlan database Switch(vlan)# vlan 20 name test20 Switch(vlan)# exit APPLY completed.
Chapter 13 Configuring VLANs Configuring Extended-Range VLANs Beginning in privileged EXEC mode, follow these steps to assign a port to a VLAN in the VLAN database: Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface-id Enter the interface to be added to the VLAN.
Chapter 13 Configuring VLANs Configuring Extended-Range VLANs Creating an Extended-Range VLAN, page 13-14 • Creating an Extended-Range VLAN with an Internal VLAN ID, page 13-15 • Default VLAN Configuration Table 13-2 on page 13-8 for the default configuration for Ethernet VLANs. You can change only the MTU size and remote SPAN configuration state on extended-range VLANs;...
Chapter 13 Configuring VLANs Configuring Extended-Range VLANs Although the switch stack supports a total of 1005 (normal-range and extended-range) VLANs, the • number of routed ports, SVIs, and other configured features affects the use of the switch hardware. If you try to create an extended-range VLAN and there are not enough hardware resources available, an error message is generated, and the extended-range VLAN is rejected.
Chapter 13 Configuring VLANs Configuring Extended-Range VLANs Command Purpose Step 7 show vlan id vlan-id Verify that the VLAN has been created. Step 8 copy running-config startup config Save your entries in the switch startup configuration file. To save extended-range VLAN configurations, you need to save the VTP transparent mode configuration and the extended-range VLAN configuration in the switch startup configuration file.
Chapter 13 Configuring VLANs Displaying VLANs Command Purpose Step 11 Return to privileged EXEC mode. Step 12 copy running-config startup config Save your entries in the switch startup configuration file. To save an extended-range VLAN configuration, you need to save the VTP transparent mode configuration and the extended-range VLAN configuration in the switch startup configuration file.
Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network. Two trunking encapsulations are available on all Ethernet interfaces: Inter-Switch Link (ISL)—ISL is Cisco-proprietary trunking encapsulation. • 802.1Q—802.1Q is industry-standard trunking encapsulation.
Chapter 13 Configuring VLANs Configuring VLAN Trunks You can also specify on DTP interfaces whether the trunk uses ISL or 802.1Q encapsulation or if the encapsulation type is autonegotiated. The DTP supports autonegotiation of both ISL and 802.1Q trunks. Note DTP is not supported on private-VLAN ports.
VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco 802.1Q switch.
Chapter 13 Configuring VLANs Configuring VLAN Trunks By default, an interface is in Layer 2 mode. The default mode for Layer 2 interfaces is switchport mode Note dynamic auto. If the neighboring interface supports trunking and is configured to allow trunking, the link is a Layer 2 trunk or, if the interface is in Layer 3 mode, it becomes a Layer 2 trunk when you enter the switchport interface configuration command.
VLANs from the allowed list. VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a Note requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning tree advertisements) is sent or received on VLAN 1.
VLAN 1 from the allowed list. When you remove VLAN 1 from a trunk port, the interface continues to sent and receive management traffic, for example, Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), DTP, and VLAN Trunking Protocol (VTP) in VLAN 1.
Chapter 13 Configuring VLANs Configuring VLAN Trunks Beginning in privileged EXEC mode, follow these steps to remove VLANs from the pruning-eligible list on a trunk port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and select the trunk port for which VLANs should be pruned.
Chapter 13 Configuring VLANs Configuring VLAN Trunks Command Purpose Step 3 switchport trunk native vlan vlan-id Configure the VLAN that is sending and receiving untagged traffic on the trunk port. For vlan-id, the range is 1 to 4094. Step 4 Return to privileged EXEC mode.
Chapter 13 Configuring VLANs Configuring VLAN Trunks Command Purpose Step 15 show vlan When the trunk links come up, VTP passes the VTP and VLAN information to Switch B. Verify that Switch B has learned the VLAN configuration. Step 16 configure terminal Enter global configuration mode on Switch A.
Chapter 13 Configuring VLANs Configuring VMPS Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 13-4: Command Purpose Step 1 configure terminal Enter global configuration mode on Switch A. Step 2 interface gigabitethernet1/0/1 Enter interface configuration mode, and define the interface to be configured as a trunk.
Chapter 13 Configuring VLANs Configuring VMPS Multiple hosts (MAC addresses) can be active on a dynamic-access port if they are all in the same VLAN; however, the VMPS shuts down a dynamic-access port if more than 20 hosts are active on the port.
Chapter 13 Configuring VLANs Configuring VMPS The VTP management domain of the VMPS client and the VMPS server must be the same. • The VLAN configured on the VMPS server should not be a voice VLAN. • Configuring the VMPS Client You configure dynamic VLANs by using the VMPS (server).
Chapter 13 Configuring VLANs Configuring VMPS Beginning in privileged EXEC mode, follow these steps to configure a dynamic-access port on a VMPS client switch: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode for the switch port that is connected to the end station.
Chapter 13 Configuring VLANs Configuring VMPS Command Purpose Step 4 show vmps Verify the dynamic VLAN reconfirmation status in the Reconfirm Interval field of the display. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no vmps reconfirm global configuration command. Changing the Retry Count Beginning in privileged EXEC mode, follow these steps to change the number of times that the switch attempts to contact the VMPS before querying the next server:...
Chapter 13 Configuring VLANs Configuring VMPS VMPS domain server: 172.20.128.86 (primary, current) 172.20.128.87 Reconfirmation status --------------------- VMPS Action: other Troubleshooting Dynamic-Access Port VLAN Membership The VMPS shuts down a dynamic-access port under these conditions: • The VMPS is in secure mode, and it does not allow the host to connect to the port. The VMPS shuts down the port to prevent the host from connecting to the network.
Page 318
Chapter 13 Configuring VLANs Configuring VMPS Figure 13-5 Dynamic Port VLAN Membership Configuration TFTP server Catalyst 6000 series switch A Primary VMPS Router Server 1 172.20.26.150 172.20.22.7 Client switch B Dynamic-access port 172.20.26.151 station 1 Trunk port Switch C Catalyst 6000 series 172.20.26.152 Secondary VMPS Server 2...
C H A P T E R Configuring VTP This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack.
Chapter 14 Configuring VTP Understanding VTP The switch supports 1005 VLANs, but the number of routed ports, SVIs, and other configured features affects the usage of the switch hardware. If the switch is notified by VTP of a new VLAN and the switch is already using the maximum available hardware resources, it sends a message that there are not enough hardware resources available and shuts down the VLAN.
Chapter 14 Configuring VTP Understanding VTP If you configure a switch for VTP transparent mode, you can create and modify VLANs, but the changes are not sent to other switches in the domain, and they affect only the individual switch. However, configuration changes made when the switch is in this mode are saved in the switch running configuration and can be saved to the switch startup configuration file.
Chapter 14 Configuring VTP Understanding VTP Because trunk ports send and receive VTP advertisements, you must ensure that at least one trunk port Note is configured on the switch stack and that this trunk port is connected to the trunk port of another switch. Otherwise, the switch cannot receive any VTP advertisements.
Chapter 14 Configuring VTP Understanding VTP VTP Pruning VTP pruning increases network available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to reach the destination devices. Without VTP pruning, a switch floods broadcast, multicast, and unknown unicast traffic across all trunk links within a VTP domain even though receiving switches might discard them.
Chapter 14 Configuring VTP Understanding VTP Figure 14-2 Optimized Flooded Traffic with VTP Pruning Switch D Port 2 Flooded traffic Port is pruned. Switch B VLAN Switch E Flooded traffic Port is pruned. Port 1 Switch F Switch C Switch A Enabling VTP pruning on a VTP server enables pruning for the entire management domain.
Chapter 14 Configuring VTP Configuring VTP configuration file, and you can save it in the switch startup configuration file by entering the copy running-config startup-config privileged EXEC command. You must use this command if you want to save VTP mode as transparent, even if the switch resets. When you save VTP information in the switch startup configuration file and reboot the switch, the switch configuration is selected as follows: If the VTP mode is transparent in the startup configuration and the VLAN database and the VTP...
Chapter 14 Configuring VTP Configuring VTP Passwords You can configure a password for the VTP domain, but it is not required. If you do configure a domain password, all domain switches must share the same password and you must configure the password on each switch in the management domain.
Chapter 14 Configuring VTP Configuring VTP Configuring a VTP Server When a switch is in VTP server mode, you can change the VLAN configuration and have it propagated throughout the network. Note If extended-range VLANs are configured on the switch, you cannot change VTP mode to server. You receive an error message, and the configuration is not allowed.
Chapter 14 Configuring VTP Configuring VTP Command Purpose Step 3 vtp domain domain-name Configure a VTP administrative-domain name. The name can be from 1 to 32 characters. All switches operating in VTP server or client mode under the same administrative responsibility must be configured with the same domain name.
Chapter 14 Configuring VTP Configuring VTP Beginning in privileged EXEC mode, follow these steps to configure the switch as a VTP client: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vtp mode client Configure the switch for VTP client mode. The default setting is VTP server.
Chapter 14 Configuring VTP Configuring VTP Beginning in privileged EXEC mode, follow these steps to configure VTP transparent mode and save the VTP configuration in the switch startup configuration file: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vtp mode transparent Configure the switch for VTP transparent mode (disable VTP).
Chapter 14 Configuring VTP Configuring VTP Beginning in privileged EXEC mode, follow these steps to enable VTP Version 2: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vtp version 2 Enable VTP Version 2 on the switch. VTP Version 2 is disabled by default on VTP Version 2-capable switches.
Chapter 14 Configuring VTP Configuring VTP Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning-eligible on trunk ports. Reserved VLANs and extended-range VLANs cannot be pruned. To change the pruning-eligible VLANs, see the “Changing the Pruning-Eligible List”...
Chapter 14 Configuring VTP Monitoring VTP Monitoring VTP You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 14-3 shows the privileged EXEC commands for monitoring VTP activity.
C H A P T E R Configuring Private VLANs This chapter describes how to configure private VLANs on the Catalyst 3750 switch. To use this feature, the stack master must be running the enhanced multilayer image (EMI). We strongly recommend that the stack members also run the EMI when private VLANs are configured.
Chapter 15 Configuring Private VLANs Understanding Private VLANs Figure 15-1 Private-VLAN Domain Primary VLAN VLAN domain Subdomain Subdomain Subdomain Subdomain Secondary Secondary Secondary Secondary community VLAN community VLAN isolated VLAN isolated VLAN There are two types of secondary VLANs: Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the •...
Chapter 15 Configuring Private VLANs Understanding Private VLANs Primary and secondary VLANs have these characteristics: Primary VLAN—A private VLAN has only one primary VLAN. Every port in a private VLAN is a • member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.
Chapter 15 Configuring Private VLANs Understanding Private VLANs Private VLANs across Multiple Switches As with regular VLANs, private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch. The trunk port treats the private VLAN as any other VLAN.
Chapter 15 Configuring Private VLANs Understanding Private VLANs You should also see the “Secondary and Primary VLAN Configuration” section on page 15-7 under the “Private-VLAN Configuration Guidelines” section. Private VLANs and Unicast, Broadcast, and Multicast Traffic In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but devices connected to interfaces in different VLANs must communicate at the Layer 3 level.
Chapter 15 Configuring Private VLANs Configuring Private VLANs If a stack master stack that contains the only private-VLAN promiscuous port in the stack fails or • leaves the stack and a new stack master is elected, host ports in a private VLAN that had its promiscuous port on the old stack master lose connectivity outside of the private VLAN.
Chapter 15 Configuring Private VLANs Configuring Private VLANs Default Private-VLAN Configuration No private VLANs are configured. Private-VLAN Configuration Guidelines Guidelines for configuring private VLANs fall into these categories: • Secondary and Primary VLAN Configuration, page 15-7 • Private-VLAN Port Configuration, page 15-8 Limitations with Other Features, page 15-9 •...
Chapter 15 Configuring Private VLANs Configuring Private VLANs Connecting a device with a different MAC address but with the same IP address generates a message and the ARP entry is not created. Because the private-VLAN port sticky ARP entries do not age out, you must manually remove private-VLAN port ARP entries if a MAC address changes.
Chapter 15 Configuring Private VLANs Configuring Private VLANs Limitations with Other Features When configuring private VLANs, remember these limitations with other features: In some cases, the configuration is accepted with no error messages, but the commands have no effect. Note Do not configure fallback bridging on switches with private VLANs.
Chapter 15 Configuring Private VLANs Configuring Private VLANs Configuring and Associating VLANs in a Private VLAN Beginning in privileged EXEC mode, follow these steps to configure a private VLAN: Note The private-vlan commands do not take effect until you exit VLAN configuration mode. Command Purpose Step 1...
Chapter 15 Configuring Private VLANs Configuring Private VLANs When you associate secondary VLANs with a primary VLAN, note this syntax information: The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated • items. Each item can be a single private-VLAN ID or a hyphenated range of private-VLAN IDs. •...
Chapter 15 Configuring Private VLANs Configuring Private VLANs Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN promiscuous port and map it to primary and secondary VLANs: Note Isolated and community VLANs are both secondary VLANs.
Chapter 15 Configuring Private VLANs Configuring Private VLANs Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface If the private VLAN will be used for inter-VLAN routing, you configure an SVI for the primary VLAN and map secondary VLANs to the SVI. Note Isolated and community VLANs are both secondary VLANs.
Chapter 15 Configuring Private VLANs Monitoring Private VLANs Monitoring Private VLANs Table 15-1 shows the privileged EXEC commands for monitoring private-VLAN activity. Table 15-1 Private VLAN Monitoring Commands Command Purpose show interfaces status Displays the status of interfaces, including the VLANs to which they belongs.
The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When the switch is connected to a Cisco 7960 IP Phone, the IP Phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS.
Cisco IP Phone Voice Traffic You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports on...
• voice VLAN, the Port Fast feature is not automatically disabled. If the Cisco IP Phone and a device attached to the Cisco IP Phone are in the same VLAN, they must • be in the same IP subnet. These conditions indicate that they are in the same VLAN: They both use 802.1p or untagged frames.
Because a Cisco 7960 IP Phone also supports a connection to a PC or other device, a port connecting the switch to a Cisco IP Phone can carry mixed traffic. You can configure a port to decide how the IP phone carries voice traffic and data traffic.
Page 355
Cisco IP Phone to use 802.1p priority tagging for voice traffic and to use the default native VLAN (VLAN 0) to carry all traffic. By default, the Cisco IP Phone forwards the voice traffic with an 802.1p priority of 5.
Configuring the Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in 802.1Q or 802.1p frames), you can configure the switch to send CDP packets to instruct the IP phone how to send data packets from the device attached to the access port on the Cisco IP Phone.
Catalyst 3750 switch. The switch uses the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or it can use the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard. A switch stack appears as a single spanning-tree node to the rest of the network, and all stack members use the same bridge ID.
The path cost value represents the media speed. In Cisco IOS Release 12.2(18)SE and later releases, the switch sends keepalive messages (to ensure the Note connection is up) only on interfaces that do not have small form-factor pluggable (SFP) modules.
Chapter 17 Configuring STP Understanding Spanning-Tree Features Spanning-Tree Topology and BPDUs The stable, active spanning-tree topology of a switched network is controlled by these elements: • The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch.
Chapter 17 Configuring STP Understanding Spanning-Tree Features Only one outgoing port on the stack root switch is selected as the root port. The remaining switches in the stack become its designated switches (Switch 2 and Switch 3) as shown in Figure 17-1 on page 17-4.
Chapter 17 Configuring STP Understanding Spanning-Tree Features uniqueness of the bridge ID. As shown in Table 17-1, the two bytes previously used for the switch priority are reallocated into a 4-bit priority value and a 12-bit extended system ID value equal to the VLAN ID.
Page 362
Chapter 17 Configuring STP Understanding Spanning-Tree Features Figure 17-2 illustrates how an interface moves through the states. Figure 17-2 Spanning-Tree Interface States Power-on initialization Blocking state Listening Disabled state state Learning state Forwarding state When you power up the switch, spanning tree is enabled by default, and every interface in the switch, VLAN, or network goes through the blocking state and the transitory states of listening and learning.
Chapter 17 Configuring STP Understanding Spanning-Tree Features Blocking State A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each switch interface. A switch initially functions as the root until it exchanges BPDUs with other switches.
Chapter 17 Configuring STP Understanding Spanning-Tree Features Disabled State A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational. A disabled interface performs these functions: Discards frames received on the interface •...
Chapter 17 Configuring STP Understanding Spanning-Tree Features Spanning Tree and Redundant Connectivity You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices, as shown in Figure 17-4. Spanning tree automatically disables one interface but enables it if the other one fails.
Spanning-Tree Modes and Protocols The switch supports these spanning-tree modes and protocols: PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary • extensions. It is the default spanning-tree mode used on all Ethernet, Fast Ethernet, and Gigabit Ethernet port-based VLANs.
VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
Configuring Spanning-Tree Features VLAN-Bridge Spanning Tree Cisco VLAN-bridge spanning tree is used with the fallback bridging feature (bridge groups), which forwards non-IP protocols such as DECnet between two or more VLAN bridge domains or routed ports. The VLAN-bridge spanning tree allows the bridge groups to form a spanning tree on top of the individual VLAN spanning trees to prevent loops from forming if there are multiple connections among VLANs.
Chapter 17 Configuring STP Configuring Spanning-Tree Features If 128 instances of spanning tree are already in use, you can disable spanning tree on one of the VLANs and then enable it on the VLAN where you want it to run. Use the no spanning-tree vlan vlan-id global configuration command to disable spanning tree on a specific VLAN, and use the spanning-tree vlan vlan-id global configuration command to enable spanning tree on the desired VLAN.
Chapter 17 Configuring STP Configuring Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. If you want to enable a mode that is different from the default mode, this procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 17 Configuring STP Configuring Spanning-Tree Features When spanning tree is disabled and loops are present in the topology, excessive traffic and indefinite Caution packet duplication can drastically reduce network performance. Beginning in privileged EXEC mode, follow these steps to disable spanning-tree on a per-VLAN basis. This procedure is optional.
Chapter 17 Configuring STP Configuring Spanning-Tree Features Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network). When you specify the network diameter, the switch automatically sets an optimal hello time, forward-delay time, and maximum-age time for a network of that diameter, which can significantly reduce the convergence time.
Chapter 17 Configuring STP Configuring Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to configure a switch to become the secondary root for the specified VLAN. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree vlan vlan-id root secondary Configure a switch to become the secondary root for the specified...
Page 375
Chapter 17 Configuring STP Configuring Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to configure the port priority of an interface. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify an interface to configure, and enter interface configuration mode.
Chapter 17 Configuring STP Configuring Spanning-Tree Features Configuring Path Cost The spanning-tree path cost default value is derived from the media speed of an interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values that you want selected last.
Chapter 17 Configuring STP Configuring Spanning-Tree Features To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree path costs, see the “Configuring Trunk Ports for Load Sharing”...
Chapter 17 Configuring STP Configuring Spanning-Tree Features Configuring Spanning-Tree Timers Table 17-4 describes the timers that affect the entire spanning-tree performance. Table 17-4 Spanning-Tree Timers Variable Description Hello timer Controls how often the switch broadcasts hello messages to other switches. Forward-delay timer Controls how long each of the listening and learning states last before the interface begins forwarding.
Chapter 17 Configuring STP Configuring Spanning-Tree Features Configuring the Forwarding-Delay Time for a VLAN Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 17 Configuring STP Displaying the Spanning-Tree Status Displaying the Spanning-Tree Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 17-5: Table 17-5 Commands for Displaying Spanning-Tree Status Command Purpose show spanning-tree active Displays spanning-tree information on active interfaces only.
C H A P T E R Configuring MSTP This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Catalyst 3750 switch. The multiple spanning-tree (MST) implementation is a pre-standard implementation. It is based on the Note draft version of the IEEE standard.
Chapter 18 Configuring MSTP Understanding MSTP Configuring MSTP Features, page 18-12 • Displaying the MST Configuration and Status, page 18-24 • Understanding MSTP MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances.
Chapter 18 Configuring MSTP Understanding MSTP IST, CIST, and CST Unlike PVST+ and rapid PVST+ in which all the spanning-tree instances are independent, the MSTP establishes and maintains two types of spanning trees: An internal spanning tree (IST), which is the spanning tree that runs in an MST region. •...
Chapter 18 Configuring MSTP Understanding MSTP Operations Between MST Regions If there are multiple regions or legacy 802.1D switches within the network, MSTP establishes and maintains the CST, which includes all MST regions and all legacy STP switches in the network. The MST instances combine with the IST at the boundary of the region to become the CST.
Chapter 18 Configuring MSTP Understanding MSTP Hop Count The IST and MST instances do not use the message-age and maximum-age information in the configuration BPDU to compute the spanning-tree topology. Instead, they use the path cost to the root and a hop-count mechanism similar to the IP time-to-live (TTL) mechanism. By using the spanning-tree mst max-hops global configuration command, you can configure the maximum hops inside the region and apply it to the IST and all MST instances in that region.
Chapter 18 Configuring MSTP Understanding RSTP MSTP and Switch Stacks A switch stack appears as a single spanning-tree node to the rest of the network, and all stack members use the same bridge ID for a given spanning tree. The bridge ID is derived from the MAC address of the stack master.
Learning Enabled Forwarding Forwarding Disabled Disabled Discarding To be consistent with Cisco STP implementations, this guide documents the port state as blocking instead of discarding. Designated ports start in the listening state. Catalyst 3750 Switch Software Configuration Guide 18-7 78-16180-02...
Chapter 18 Configuring MSTP Understanding RSTP Rapid Convergence The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN. It provides rapid convergence for edge ports, new root ports, and ports connected through point-to-point links as follows: Edge ports—If you configure a port as an edge port on an RSTP switch by using the spanning-tree •...
Chapter 18 Configuring MSTP Understanding RSTP Figure 18-2 Proposal and Agreement Handshaking for Rapid Convergence Switch A Switch B Proposal Designated Root switch Agreement Designated Switch C Root switch Proposal Designated Root switch Agreement DP = designated port RP = root port F = forwarding Synchronization of Port Roles When the switch receives a proposal message on one of its ports and that port is selected as the new root...
Chapter 18 Configuring MSTP Understanding RSTP Figure 18-3 Sequence of Events During Rapid Convergence 4. Agreement 1. Proposal 5. Forward Edge port 2. Block 3. Block 9. Forward 11. Forward 8. Agreement 6. Proposal 7. Proposal 10. Agreement Root port Designated port Bridge Protocol Data Unit Format and Processing The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version...
Chapter 18 Configuring MSTP Understanding RSTP The RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology change (TC) flag to show the topology changes. However, for interoperability with 802.1D switches, the RSTP switch processes and generates TCN BPDUs. The learning and forwarding flags are set according to the state of the sending port.
Chapter 18 Configuring MSTP Configuring MSTP Features Propagation—When an RSTP switch receives a TC message from another switch through a • designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them.
Chapter 18 Configuring MSTP Configuring MSTP Features For load balancing across redundant paths in the network to work, all VLAN-to-instance mapping • assignments must match; otherwise, all traffic flows on a single link. You can achieve load balancing across a switch stack by manually configuring the path cost. All MST boundary ports must be forwarding for load balancing between a PVST+ and an MST •...
Chapter 18 Configuring MSTP Configuring MSTP Features Command Purpose Step 8 spanning-tree mode mst Enable MSTP. RSTP is also enabled. Changing spanning-tree modes can disrupt traffic because all Caution spanning-tree instances are stopped for the previous mode and restarted in the new mode. You cannot run both MSTP and PVST+ or both MSTP and rapid PVST+ at the same time.
Page 396
4-bit switch priority value as shown in Table 17-1 on page 17-5.) Catalyst 3750 switches running software earlier than Cisco IOS Release 12.1(14)EA1 do not support the Note MSTP. If your network consists of switches that both do and do not support the extended system ID, it is unlikely Note that the switch with the extended system ID support will become the root switch.
Chapter 18 Configuring MSTP Configuring MSTP Features Command Purpose Step 4 show spanning-tree mst instance-id Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst instance-id root global configuration command.
Chapter 18 Configuring MSTP Configuring MSTP Features Configuring Port Priority If a loop occurs, the MSTP uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) that you want selected last.
Chapter 18 Configuring MSTP Configuring MSTP Features To return the interface to its default setting, use the no spanning-tree mst instance-id port-priority interface configuration command. Configuring Path Cost The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state.
Chapter 18 Configuring MSTP Configuring MSTP Features Configuring the Switch Priority You can configure the switch priority and make it more likely that a standalone switch or a switch in the stack will be chosen as the root switch. Note Exercise care when using this command.
Chapter 18 Configuring MSTP Configuring MSTP Features Beginning in privileged EXEC mode, follow these steps to configure the hello time for all MST instances. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree mst hello-time seconds Configure the hello time for all MST instances.
Chapter 18 Configuring MSTP Configuring MSTP Features Configuring the Maximum-Aging Time Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for all MST instances. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree mst max-age seconds Configure the maximum-aging time for all MST instances.
Chapter 18 Configuring MSTP Configuring MSTP Features Specifying the Link Type to Ensure Rapid Transitions If you connect a port to another port through a point-to-point link and the local port becomes a designated port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the “Rapid Convergence”...
Chapter 18 Configuring MSTP Displaying the MST Configuration and Status Displaying the MST Configuration and Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 18-4: Table 18-4 Commands for Displaying MST Status Command Purpose show spanning-tree mst configuration...
C H A P T E R Configuring Optional Spanning-Tree Features This chapter describes how to configure optional spanning-tree features on the Catalyst 3750 switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+).
Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding Port Fast Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. You can use Port Fast on interfaces connected to a single workstation or server, as shown in Figure 19-1, to allow those devices to...
Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding BPDU Guard The BPDU guard feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences. At the global level, you enable BPDU guard on Port Fast-enabled interfaces by using the spanning-tree portfast bpduguard default global configuration command.
Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding UplinkFast Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 19-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops. Figure 19-2 Switches in a Hierarchical Network Backbone switches Root bridge...
Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Figure 19-3 UplinkFast Example Before Direct Link Failure Switch A (Root) Switch B Blocked port Switch C If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure...
Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features How CSUF Works CSUF ensures that one link in the stack is elected as the path to the root. As shown in Figure 19-5, the stack-root port on Switch 1 provides the path to the root of the spanning tree. The alternate stack-root ports on Switches 2 and 3 can provide an alternate path to the spanning-tree root if the current stack-root switch fails or if its link to the spanning-tree root fails.
Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Each switch in the stack decides if the sending switch is a better choice than itself to be the stack root of this spanning-tree instance by comparing the root, cost, and bridge ID. If the sending switch is the best choice as the stack root, each switch in the stack returns an acknowledgement;...
Page 412
Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features BackboneFast, which is enabled by using the spanning-tree backbonefast global configuration command, starts when a root port or blocked interface on a switch receives inferior BPDUs from its designated switch. An inferior BPDU identifies a switch that declares itself as both the root bridge and the designated switch.
Page 413
Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features If link L1 fails as shown in Figure 19-7, Switch C cannot detect this failure because it is not connected directly to link L1. However, because Switch B is directly connected to the root switch over L1, it detects the failure, elects itself the root, and begins sending BPDUs to Switch C, identifying itself as the root.
Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding EtherChannel Guard You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel, but the interfaces on the other device are not.
Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Figure 19-9 Root Guard in a Service-Provider Network Customer network Service-provider network Potential spanning-tree root without root guard enabled Desired root switch Enable the root-guard feature on these interfaces to prevent switches in the customer network from becoming the root switch or being...
Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to enable Port Fast. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify an interface to configure, and enter interface configuration mode.
Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features You also can use the spanning-tree bpduguard enable interface configuration command to enable BPDU guard on any interface without also enabling the Port Fast feature. When the interface receives a BPDU, it is put in the error-disabled state.
Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to globally enable the BPDU filtering feature. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree portfast bpdufilter default Globally enable BPDU filtering.
Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Command Purpose Step 3 Return to privileged EXEC mode. Step 4 show spanning-tree summary Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. When UplinkFast is enabled, the switch priority of all VLANs is set to 49152.
Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Command Purpose Step 4 show spanning-tree summary Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable the BackboneFast feature, use the no spanning-tree backbonefast global configuration command.
Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to enable root guard on an interface. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify an interface to configure, and enter interface configuration mode.
Chapter 19 Configuring Optional Spanning-Tree Features Displaying the Spanning-Tree Status Displaying the Spanning-Tree Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 19-2: Table 19-2 Commands for Displaying the Spanning-Tree Status Command Purpose show spanning-tree active Displays spanning-tree information on active interfaces only.
Page 424
Chapter 19 Configuring Optional Spanning-Tree Features Displaying the Spanning-Tree Status Catalyst 3750 Switch Software Configuration Guide 19-20 78-16180-02...
C H A P T E R Configuring Flex Links This chapter describes how to configure Flex Links, a pair of interfaces on the Catalyst 3750 switch that are used to provide a mutual backup. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Chapter 20 Configuring Flex Links Configuring Flex Links Figure 20-1 Flex Links Configuration Example Uplink Uplink switch B switch C Port 1 Port 2 Switch A If a primary (forwarding) link goes down, a trap notifies the network management stations. If the standby link goes down, a trap notifies the users.
For complete syntax and usage information for the commands used in this chapter, refer to the command Note reference for this release, and refer to the “DHCP Commands” section in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.
Understanding DHCP Features For information about the DHCP client, refer to the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. DHCP Server The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them.
Chapter 21 Configuring DHCP Features and IP Source Guard Understanding DHCP Features The switch drops a DHCP packet when one of these situations occurs: A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or • DHCPLEASEQUERY packet, is received from outside the network or firewall. •...
Page 432
Chapter 21 Configuring DHCP Features and IP Source Guard Understanding DHCP Features When you enable the DHCP snooping information option 82 on the switch, this sequence of events occurs: The host (DHCP client) generates a DHCP request and broadcasts it on the network. •...
An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool.
Chapter 21 Configuring DHCP Features and IP Source Guard Understanding DHCP Features When a switch learns of new bindings or when it loses bindings, the switch updates the entries in the database and in the binding file. The frequency at which database and file are updated is based on a configurable delay, and the updates are batched.
Configuring DHCP Features These sections describe how to configure the DHCP server, the DHCP relay agent, DHCP snooping, option 82, the Cisco IOS DHCP server binding database, and the DHCP snooping binding database on your switch: Default DHCP Configuration, page 21-7 •...
NTP. Configuring the DHCP Server The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. These features are not operational.
To disable the DHCP server and relay agent, use the no service dhcp global configuration command. Refer to the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 for these procedures: Checking (validating) the relay agent information •...
Chapter 21 Configuring DHCP Features and IP Source Guard Configuring DHCP Features Beginning in privileged EXEC mode, follow these steps to specify the packet forwarding address: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface vlan vlan-id Enter interface configuration mode, and create a switch virtual interface.
Page 439
Chapter 21 Configuring DHCP Features and IP Source Guard Configuring DHCP Features Command Purpose Step 3 ip dhcp snooping vlan vlan-range Enable DHCP snooping on a VLAN or range of VLANs. The range is 1 to 4094. You can enter a single VLAN ID identified by VLAN ID number, a series of VLAN IDs separated by commas, a range of VLAN IDs separated by hyphens, or a range of VLAN IDs separated by entering the starting and ending VLAN IDs separated by a space.
VLANs, on which DHCP snooping is enabled. Enabling the Cisco IOS DHCP Server Database For procedures to enable and configure the Cisco IOS DHCP server database, refer to the “DHCP Configuration Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
Page 441
Chapter 21 Configuring DHCP Features and IP Source Guard Configuring DHCP Features Command Purpose Step 6 ip dhcp snooping binding mac-address (Optional) Add binding entries to the DHCP snooping binding database. vlan vlan-id ip-address interface The vlan-id range is from 1 to 4904. The seconds range is from 1 to interface-id expiry seconds 4294967295.
Chapter 21 Configuring DHCP Features and IP Source Guard Displaying DHCP Snooping Information Displaying DHCP Snooping Information This section describes how to display configuration information for all interfaces on a switch and the configuration information, status, and statistics for the DHCP snooping binding database, also referred to as a binding table.
Chapter 21 Configuring DHCP Features and IP Source Guard Understanding IP Source Guard Table 21-2 show ip dhcp snooping binding Command Output Field Description MacAddress Client hardware MAC address IpAddress Client IP address assigned from the DHCP server Lease(sec) Remaining lease time for the IP address Type Binding type VLAN...
Chapter 21 Configuring DHCP Features and IP Source Guard Configuring IP Source Guard Source IP Address Filtering When IP source guard is enabled with this option, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.
Chapter 21 Configuring DHCP Features and IP Source Guard Configuring IP Source Guard Configuration Guidelines These are the configuration guides for IP source guard: • You can configure static IP bindings only on nonrouted ports. If you enter the ip source binding ip-address mac-address vlan vlan-id interface interface-id global configuration command on a routed interface, this error message appears: Static IP source binding can only be configured on switch port.
Page 446
Chapter 21 Configuring DHCP Features and IP Source Guard Configuring IP Source Guard Command Purpose Step 8 show ip source binding [ip-address] Display the IP source bindings on the switch, on a specific VLAN, or on [mac-address] [dhcp-snooping | static] a specific interface.
Chapter 21 Configuring DHCP Features and IP Source Guard Displaying IP Source Guard Information Displaying IP Source Guard Information This section describes how to display the IP source guard configuration and the IP source bindings on the switch. This example shows how to display the IP source guard configuration for a switch: Switch# show ip verify source Interface Filter-type...
Page 448
Chapter 21 Configuring DHCP Features and IP Source Guard Displaying IP Source Guard Information Catalyst 3750 Switch Software Configuration Guide 21-20 78-16180-02...
C H A P T E R Configuring Dynamic ARP Inspection This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Catalyst 3750 switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN.
Chapter 22 Configuring Dynamic ARP Inspection Understanding Dynamic ARP Inspection Figure 22-1 ARP Cache Poisoning Host A Host B (IA, MA) (IB, MB) Host C (man-in-the-middle) (IC, MC) Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet.
Chapter 22 Configuring Dynamic ARP Inspection Understanding Dynamic ARP Inspection You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header.
Chapter 22 Configuring Dynamic ARP Inspection Understanding Dynamic ARP Inspection Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the hosts connected to a switch running dynamic ARP inspection.
Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection You use the ip arp inspection log-buffer global configuration command to configure the number of entries in the buffer and the number of entries needed in the specified interval to generate system messages.
Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Dynamic ARP Inspection Configuration Guidelines These are the dynamic ARP inspection configuration guidelines: • Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking. Dynamic ARP inspection is not effective for hosts connected to switches that do not support •...
Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection in DHCP Environments This procedure shows how to configure dynamic ARP inspection when two switches support this feature. Host 1 is connected to Switch A, and Host 2 is connected to Switch B as shown in Figure 22-2 on page 22-3.
Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Command Purpose Step 7 show ip arp inspection interfaces Verify the dynamic ARP inspection configuration. show ip arp inspection vlan vlan-range Step 8 show ip dhcp snooping binding Verify the DHCP bindings. Step 9 show ip arp inspection statistics vlan Check the dynamic ARP inspection statistics.
Page 457
Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Command Purpose Step 3 permit ip host sender-ip mac host sender-mac [log] Permit ARP packets from the specified host (Host 2). For sender-ip, enter the IP address of Host 2. •...
Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Command Purpose Step 7 no ip arp inspection trust Configure the Switch A interface that is connected to Switch B as untrusted. By default, all interfaces are untrusted. For untrusted interfaces, the switch intercepts all ARP requests and responses.
Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the “Dynamic ARP Inspection Configuration Guidelines” section on page 22-6. Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This procedure is optional.
Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP packets. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip arp inspection validate Perform a specific check on incoming ARP packets.
Page 461
Chapter 22 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time.
Chapter 22 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information Command Purpose Step 3 ip arp inspection vlan vlan-range Control the type of packets that are logged per VLAN. By default, all denied logging {acl-match {matchlog | or all dropped packets are logged. The term logged means the entry is placed none} | dhcp-bindings {all | none | in the log buffer and a system message is generated.
Page 463
Chapter 22 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information To clear or display dynamic ARP inspection statistics, use the privileged EXEC commands in Table 22-3: Table 22-3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics Command Description clear ip arp inspection statistics Clears dynamic ARP inspection statistics.
For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and the “IP Multicast Routing Commands” section in the Cisco IOS IP Command Reference, Volume 3 of 3:Multicast, Release 12.2.
Chapter 23 Configuring IGMP Snooping and MVR Understanding IGMP Snooping the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.
An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast (SSM) feature. For more information, refer to the “Configuring IP Multicast Layer 3 Switching” chapter in the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, Cisco IOS Release 12.1(12c)EW at this URL: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_12/config/mcastmls.htm...
Page 468
Chapter 23 Configuring IGMP Snooping and MVR Understanding IGMP Snooping Router A sends a general query to the switch, which forwards the query to ports 2 through 5, all members of the same VLAN. Host 1 wants to join multicast group 224.1.2.3 and multicasts an IGMP membership report (IGMP join message) to the group.
Chapter 23 Configuring IGMP Snooping and MVR Understanding IGMP Snooping Leaving a Multicast Group The router sends periodic multicast general queries, and the switch forwards these queries through all ports in the VLAN. Interested hosts respond to the queries. If at least one host in the VLAN wishes to receive multicast traffic, the router continues forwarding the multicast traffic to the VLAN.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping IGMP Snooping and Switch Stacks IGMP snooping functions across the switch stack; that is, IGMP control information obtained from one switch is distributed to all switches in the stack. (See Chapter 5, “Managing Switch Stacks,”...
Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets • Listening to Cisco Group Management Protocol (CGMP) packets from other routers • Statically connecting to a multicast router port with the ip igmp snooping mrouter global...
Page 472
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping You can configure the switch either to snoop on IGMP queries and PIM/DVMRP packets or to listen to CGMP self-join or proxy-join packets. By default, the switch snoops on PIM/DVMRP packets on all VLANs.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping This example shows how to configure IGMP snooping to use CGMP packets as the learning method and verify the configuration: Switch# configure terminal Switch(config)# ip igmp snooping vlan 1 mrouter learn cgmp Switch(config)# end Switch# show ip igmp snooping vlan 1 Global IGMP Snooping configuration:...
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping This example shows how to enable a static connection to a multicast router and verify the configuration: Switch# configure terminal Switch(config)# ip igmp snooping vlan 200 mrouter interface gigabitethernet1/0/2 Switch(config)# end Switch# show ip igmp snooping mrouter vlan 200 Vlan ports...
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Enabling IGMP Immediate Leave When you enable IGMP Immediate Leave, the switch immediately removes a port when it detects an IGMP Version 2 leave message on that port. You should only use the Immediate-Leave feature when there is a single receiver present on every port in the VLAN.
Chapter 23 Configuring IGMP Snooping and MVR Displaying IGMP Snooping Information To re-enable IGMP report suppression, use the ip igmp snooping report-suppression global configuration command. Displaying IGMP Snooping Information You can display IGMP snooping information for dynamically learned and statically configured router ports and VLAN interfaces.
Chapter 23 Configuring IGMP Snooping and MVR Understanding Multicast VLAN Registration Understanding Multicast VLAN Registration Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service provider network (for example, the broadcast of multiple television channels over a service-provider network).
Page 478
VLAN as a forwarding destination of the specified multicast stream when it is received from the multicast VLAN. Uplink ports that send and receive multicast data to and from the multicast VLAN are called MVR source ports. Figure 23-3 Multicast VLAN Registration Example Multicast VLAN Cisco router Multicast server Switch B Multicast...
Chapter 23 Configuring IGMP Snooping and MVR Configuring MVR the IGMP leave was received. As soon as the leave message is received, the receiver port is removed from multicast group membership, which speeds up leave latency. Enable the Immediate-Leave feature only on receiver ports to which a single receiver device is connected.
Chapter 23 Configuring IGMP Snooping and MVR Configuring MVR MVR Configuration Guidelines and Limitations Follow these guidelines when configuring MVR: • Receiver ports can only be access ports; they cannot be trunk ports. Receiver ports on a switch can be in different VLANs, but should not belong to the multicast VLAN. The maximum number of multicast entries (MVR group addresses) that can be configured on a •...
Chapter 23 Configuring IGMP Snooping and MVR Configuring MVR Command Purpose Step 4 mvr querytime value (Optional) Define the maximum time to wait for IGMP report memberships on a receiver port before removing the port from multicast group membership. The value is in units of tenths of a second. The range is from 1 to 100 and the default is 5 tenths or one-half second.
Page 482
Chapter 23 Configuring IGMP Snooping and MVR Configuring MVR Command Purpose Step 4 mvr type {source | receiver} Configure an MVR port as one of these: source—Configure uplink ports that receive and send multicast data as • source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN.
Chapter 23 Configuring IGMP Snooping and MVR Displaying MVR Information Displaying MVR Information You can display MVR information for the switch or for a specified interface. Beginning in privileged EXEC mode, use the commands in Table 23-6 to display MVR configuration: Table 23-6 Commands for Displaying MVR Information Command Purpose...
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling You can also set the maximum number of IGMP groups that a Layer 2 interface can join. With the IGMP throttling feature, you can also set the maximum number of IGMP groups that a Layer 2 interface can join.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling Configuring IGMP Profiles To configure an IGMP profile, use the ip igmp profile global configuration command with a profile number to create an IGMP profile and to enter IGMP profile configuration mode. From this mode, you can specify the parameters of the IGMP profile to be used for filtering IGMP join requests from a port.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling This example shows how to create IGMP profile 4 allowing access to the single IP multicast address and how to verify the configuration. If the action was to deny (the default), it would not appear in the show ip igmp profile output display.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling Setting the Maximum Number of IGMP Groups You can set the maximum number of IGMP groups that a Layer 2 interface can join by using the ip igmp max-groups interface configuration command.
Page 488
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling If you configure the throttling action and set the maximum group limitation after an interface has • added multicast entries to the forwarding table, the forwarding-table entries are either aged out or removed, depending on the throttling action.
Chapter 23 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration Displaying IGMP Filtering and Throttling Configuration You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface. You can also display the IGMP throttling configuration for all interfaces on the switch or for a specified interface.
C H A P T E R Configuring Port-Based Traffic Control This chapter describes how to configure the port-based traffic control features on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and a switch stack. For complete syntax and usage information for the commands used in this chapter, refer to the command Note reference for this release.
When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BDPU) and Cisco Discovery Protocol (CDP) frames, are blocked. However, the switch does not differentiate between routing updates, such as OSPF, and regular multicast data traffic, so both types of traffic are blocked.
Chapter 24 Configuring Port-Based Traffic Control Configuring Storm Control Because packets do not arrive at uniform intervals, the 200-millisecond time interval during which traffic Note activity is measured can affect the behavior of storm control. The switch continues to monitor traffic on the port, and when the utilization level is below the threshold level, the type of traffic that was dropped is forwarded again.
Page 494
Chapter 24 Configuring Port-Based Traffic Control Configuring Storm Control Command Purpose Step 4 storm-control multicast level level [.level] Specify the multicast traffic suppression level for an interface as a percentage of total bandwidth. The level can be from 1 to 100; the optional fraction of a level can be from 0 to 99.
Chapter 24 Configuring Port-Based Traffic Control Configuring Protected Ports Configuring Protected Ports Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.
Chapter 24 Configuring Port-Based Traffic Control Configuring Port Blocking To disable protected port, use the no switchport protected interface configuration command. This example shows how to configure a port as a protected port: Switch# configure terminal Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# switchport protected Switch(config-if)# end Configuring Port Blocking By default, the switch floods packets with unknown destination MAC addresses out of all ports.
Chapter 24 Configuring Port-Based Traffic Control Configuring Port Security This example shows how to block unicast and multicast flooding on a port: Switch# configure terminal Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# switchport block multicast Switch(config-if)# switchport block unicast Switch(config-if)# end Configuring Port Security You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port.
Chapter 24 Configuring Port-Based Traffic Control Configuring Port Security The switch supports these types of secure MAC addresses: Static secure MAC addresses—These are manually configured by using the switchport • port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
Chapter 24 Configuring Port-Based Traffic Control Configuring Port Security restrict—when the number of secure MAC addresses reaches the maximum limit allowed on the • port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses.
VLAN. When the port is connected to a Cisco IP phone, the IP phone requires up to two MAC addresses. The IP phone address is learned on the voice VLAN and might also be learned on the access VLAN.
Page 501
Chapter 24 Configuring Port-Based Traffic Control Configuring Port Security Command Purpose Step 5 switchport port-security (Optional) Set the maximum number of secure MAC addresses for the maximum value [vlan [vlan-list]] interface. The maximum number of secure MAC addresses that you can configure on a switch stack is set by the maximum number of available MAC addresses allowed in the system.
Page 502
Chapter 24 Configuring Port-Based Traffic Control Configuring Port Security Command Purpose Step 7 switchport port-security (Optional) Enter a secure MAC address for the interface. You can use this mac-address mac-address command to enter the maximum number of secure MAC addresses. If you [vlan vlan-id] configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
Chapter 24 Configuring Port-Based Traffic Control Configuring Port Security You must specifically delete configured secure MAC addresses from the address table by using the no switchport port-security mac-address mac-address interface configuration command. This example shows how to enable port security on a port and to set the maximum number of secure addresses to 50.
Chapter 24 Configuring Port-Based Traffic Control Configuring Port Security Command Purpose Step 3 switchport port-security aging {static | time time | Enable or disable static aging for the secure port, or set the type {absolute | inactivity}} aging time or type. The switch does not support port security aging of Note sticky secure addresses.
Chapter 24 Configuring Port-Based Traffic Control Displaying Port-Based Traffic Control Settings When a switch (either the stack master or a stack member) leaves the stack, the remaining stack members are notified, and the secure MAC addresses configured or learned by that switch are deleted from the secure MAC address table.
• Understanding CDP CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
Chapter 25 Configuring CDP Configuring CDP CDP and Switch Stacks A switch stack appears as a single switch in the network. Therefore, CDP discovers the switch stack, not the individual stack members. The switch stack sends CDP messages to neighboring network devices when there are changes to the switch stack membership, such as stack members being added or removed.
Disabling and Enabling CDP CDP is enabled by default. Note Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 6, “Clustering Switches.”...
Chapter 25 Configuring CDP Configuring CDP Beginning in privileged EXEC mode, follow these steps to enable CDP when it has been disabled: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 cdp run Enable CDP after disabling it. Step 3 Return to privileged EXEC mode.
Chapter 25 Configuring CDP Monitoring and Maintaining CDP Monitoring and Maintaining CDP To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode. Command Description clear cdp counters Reset the traffic counters to zero. clear cdp table Delete the CDP table of information about neighbors.
C H A P T E R Configuring UDLD This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Chapter 26 Configuring UDLD Understanding UDLD A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device. In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection.
Page 515
Chapter 26 Configuring UDLD Understanding UDLD Event-driven detection and echoing • UDLD relies on echoing as its detection mechanism. Whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out-of-sync neighbor, it restarts the detection window on its side of the connection and sends echo messages in reply.
Chapter 26 Configuring UDLD Configuring UDLD Enabling UDLD Globally Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch and all members in the switch stack: Command Purpose...
Chapter 26 Configuring UDLD Configuring UDLD Enabling UDLD on an Interface Beginning in privileged EXEC mode, follow these steps either to enable UDLD in the aggressive or normal mode or to disable UDLD on a port: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 26 Configuring UDLD Displaying UDLD Status Displaying UDLD Status To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, refer to the command reference for this release.
You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.
Chapter 27 Configuring SPAN and RSPAN Understanding SPAN and RSPAN This section includes these topics: Local SPAN, page 27-2 • • Remote SPAN, page 27-3 • SPAN and RSPAN Concepts and Terminology, page 27-4 SPAN and RSPAN Interaction with Other Features, page 27-9 •...
Chapter 27 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Figure 27-2 Example of Local SPAN Configuration on a Switch Stack Catalyst 3750 switch stack Switch 1 1/0/4 Port 4 on switch 1 in the stack Port 4 on switch 1 in the stack Port 4 on switch 1 in the stack mirrored on port 15 on switch 2 mirrored on port 15 on switch 2...
Chapter 27 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Figure 27-3 Example of RSPAN Configuration RSPAN destination ports RSPAN Switch C destination session Intermediate switches must support RSPAN VLAN RSPAN VLAN Switch A Switch B RSPAN RSPAN source source session A session B RSPAN...
Chapter 27 Configuring SPAN and RSPAN Understanding SPAN and RSPAN An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed over normal trunk ports to the destination switch.
The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
Chapter 27 Configuring SPAN and RSPAN Understanding SPAN and RSPAN It can be any port type (for example, EtherChannel, Fast Ethernet, Gigabit Ethernet, and so forth). • For EtherChannel sources, you can monitor traffic for the entire EtherChannel or individually on a •...
Chapter 27 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Destination Port Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user, usually a network analyzer.
On a source port, SPAN does not affect the STP status. STP can be active on trunk ports carrying an RSPAN VLAN. Cisco Discovery Protocol (CDP)—A SPAN destination port does not participate in CDP while the •...
Chapter 27 Configuring SPAN and RSPAN Configuring SPAN and RSPAN A physical port that belongs to an EtherChannel group can be configured as a SPAN source port and still be a part of the EtherChannel. In this case, data from the physical port is monitored as it participates in the EtherChannel.
Chapter 27 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Default SPAN and RSPAN Configuration Table 27-1 shows the default SPAN and RSPAN configuration. Table 27-1 Default SPAN and RSPAN Configuration Feature Default Setting SPAN state (SPAN and RSPAN) Disabled. Source port traffic to monitor Both received and sent traffic (both).
Page 532
Chapter 27 Configuring SPAN and RSPAN Configuring SPAN and RSPAN For local SPAN, outgoing packets through the SPAN destination port carry the original • encapsulation headers—untagged, ISL, or IEEE 802.1Q—if the encapsulation replicate keywords are specified. If the keywords are not specified, the packets are sent in native form. For RSPAN destination ports, outgoing packets are not tagged.
Page 533
Chapter 27 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Command Purpose Step 3 monitor session session_number source Specify the SPAN session and the source port (monitored port). {interface interface-id | vlan vlan-id} [, | -] For session_number, the range is from 1 to 66. [both | rx | tx] For interface-id, specify the source port or source VLAN to monitor.
Page 534
Chapter 27 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Command Purpose Step 6 show monitor [session session_number] Verify the configuration. show running-config Step 7 copy running-config startup-config (Optional) Save the configuration in the configuration file. To delete a SPAN session, use the no monitor session session_number global configuration command. To remove a source or destination port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command or the no monitor session session_number destination interface interface-id global configuration command.
Page 535
Beginning in privileged EXEC mode, follow these steps to create a SPAN session, to specify the source ports or VLANs and the destination ports, and to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). Refer to the “Creating a Local SPAN Session”...
Chapter 27 Configuring SPAN and RSPAN Configuring SPAN and RSPAN monitor session session_number destination interface interface-id global configuration command. For destination interfaces, the encapsulation and ingress options are ignored with the no form of the command. This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on Gigabit Ethernet source port 1, and send it to destination Gigabit Ethernet port 2 with the same egress encapsulation type as the source port, and to enable ingress forwarding with 802.1Q encapsulation and VLAN 6 as the default ingress VLAN.
Chapter 27 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Command Purpose Step 6 Return to privileged EXEC mode. Step 7 show monitor [session session_number] Verify the configuration. show running-config Step 8 copy running-config startup-config (Optional) Save the configuration in the configuration file. To monitor all VLANs on the trunk port, use the no monitor session session_number filter global configuration command.
Chapter 27 Configuring SPAN and RSPAN Configuring SPAN and RSPAN RSPAN VLANs are included as sources for port-based RSPAN sessions when source trunk ports • have active RSPAN VLANs. RSPAN VLANs can also be sources in SPAN sessions. However, since the switch does not monitor spanned traffic, it does not support egress spanning of packets on any RSPAN VLAN identified as the destination of an RSPAN source session on the switch.
Chapter 27 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Creating an RSPAN Source Session Beginning in privileged EXEC mode, follow these steps to start an RSPAN source session and to specify the monitored source and the destination RSPAN VLAN: Command Purpose Step 1...
Chapter 27 Configuring SPAN and RSPAN Configuring SPAN and RSPAN To remove a source port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command. To remove the RSPAN VLAN from the session, use the no monitor session session_number destination remote vlan vlan-id.
Beginning in privileged EXEC mode, follow these steps to create an RSPAN destination session, to specify the source RSPAN VLAN and the destination port, and to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). Refer to the “Creating an RSPAN Destination Session”...
Page 542
Chapter 27 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Command Purpose Step 3 monitor session session_number source Specify the RSPAN session and the source RSPAN VLAN. remote vlan vlan-id For session_number, the range is from 1 to 66. For vlan-id, specify the source RSPAN VLAN to monitor. Step 4 monitor session session_number Specify the SPAN session, the destination port, the packet...
Chapter 27 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Specifying VLANs to Filter Beginning in privileged EXEC mode, follow these steps to configure the RSPAN source session to limit RSPAN source traffic to specific VLANs: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 27 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status Displaying SPAN and RSPAN Status To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
For complete syntax and usage information for the commands used in this chapter, refer to the “System Note Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. This chapter consists of these sections: •...
Chapter 28 Configuring RMON Configuring RMON Figure 28-1 Remote Monitoring Example Network management station with generic RMON console application RMON alarms and events configured. SNMP configured. RMON history and statistic collection enabled. Workstations Workstations The switch supports these RMON groups (defined in RFC 1757): Statistics (RMON group 1)—Collects Ethernet statistics (including Fast Ethernet and Gigabit •...
Chapter 28 Configuring RMON Configuring RMON Default RMON Configuration RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch. Configuring RMON Alarms and Events You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station.
Page 548
Chapter 28 Configuring RMON Configuring RMON Command Purpose Step 3 rmon event number [description string] [log] [owner string] Add an event in the RMON event table that is [trap community] associated with an RMON event number. For number, assign an event number. The range •...
Chapter 28 Configuring RMON Configuring RMON Collecting Group History Statistics on an Interface You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface. This procedure is optional.
Displays the RMON statistics table. For information about the fields in these displays, refer to the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. Catalyst 3750 Switch Software Configuration Guide 28-6...
This chapter describes how to configure system message logging on the Catalyst 3750 switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Note Configuration Fundamentals Command Reference, for Release 12.2.
Chapter 29 Configuring System Message Logging Configuring System Message Logging You can access logged system messages by using the switch command-line interface (CLI) or by saving them to a properly configured syslog server. The switch software saves syslog messages in an internal buffer on a standalone switch, and in the case of a switch stack, on the stack master.
Chapter 29 Configuring System Message Logging Configuring System Message Logging Table 29-1 describes the elements of syslog messages. Table 29-1 System Log Message Elements Element Description seq no: Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured.
Chapter 29 Configuring System Message Logging Configuring System Message Logging Default System Message Logging Configuration Table 29-2 shows the default system message logging configuration. Table 29-2 Default System Message Logging Configuration Feature Default Setting System message logging to the console Enabled.
Chapter 29 Configuring System Message Logging Configuring System Message Logging The logging synchronous global configuration command also affects the display of messages to the console. When this command is enabled, messages appear only after you press Return. For more information, see the “Synchronizing Log Messages”...
Chapter 29 Configuring System Message Logging Configuring System Message Logging Command Purpose Step 6 terminal monitor Log messages to a nonconsole terminal during the current session. Terminal parameter-setting commands are set locally and do not remain in effect after the session has ended. You must perform this step for each session to see the debugging messages.
Chapter 29 Configuring System Message Logging Configuring System Message Logging Beginning in privileged EXEC mode, follow these steps to configure synchronous logging. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 line [console | vty] line-number Specify the line to be configured for synchronous logging of [ending-line-number] messages.
Chapter 29 Configuring System Message Logging Configuring System Message Logging Beginning in privileged EXEC mode, follow these steps to enable time-stamping of log messages. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 service timestamps log uptime Enable log time stamps.
Chapter 29 Configuring System Message Logging Configuring System Message Logging This example shows part of a logging display with sequence numbers enabled: 000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) (Switch-2) Defining the Message Severity Level You can limit messages displayed to the selected device by specifying the severity level of the message, which are described in Table 29-3.
Chapter 29 Configuring System Message Logging Configuring System Message Logging Beginning in privileged EXEC mode, follow these steps to change the level and history table size defaults. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 logging history level Change the default level of syslog messages stored in the history file and...
Add a line such as the following to the file /etc/syslog.conf: Step 1 cisco.log local7.debug /usr/adm/logs/ The local7 keyword specifies the logging facility to be used; see Table 29-4 on page 29-13 information on the facilities.
Displaying the Logging Configuration To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.
Page 564
Chapter 29 Configuring System Message Logging Displaying the Logging Configuration Catalyst 3750 Switch Software Configuration Guide 29-14 78-16180-02...
For complete syntax and usage information for the commands used in this chapter, refer to the switch Note command reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. This chapter consists of these sections: Understanding SNMP, page 30-1 •...
Chapter 30 Configuring SNMP Understanding SNMP Table 30-1 identifies the characteristics of the different combinations of security models and levels. Table 30-1 SNMP Security Models and Levels Model Level Authentication Encryption Result SNMPv1 noAuthNoPriv Community string No Uses a community string match for authentication. SNMPv2C noAuthNoPriv Community string No...
Chapter 30 Configuring SNMP Understanding SNMP SNMP Agent Functions The SNMP agent responds to SNMP manager requests as follows: • Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value. Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.
Chapter 30 Configuring SNMP Understanding SNMP Using SNMP to Access MIB Variables An example of an NMS is the CiscoWorks network management software. CiscoWorks 2000 software uses the switch MIB variables to set device variables and to poll devices on the network for specific information.
Chapter 30 Configuring SNMP Configuring SNMP SNMP ifIndex MIB Object Values In an NMS, the IF-MIB generates and assigns an interface index (ifIndex) object value that is a unique number greater than zero to identify a physical or a logical interface. When the switch reboots or the switch software is upgraded, the switch uses this same value for the interface.
Modifying the group's notify view affects all users associated with that group. Refer to the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 for information about when you should configure notify views.
The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
Page 573
Chapter 30 Configuring SNMP Configuring SNMP Beginning in privileged EXEC mode, follow these steps to configure a community string on the switch: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server community string [view Configure the community string. view-name] [ro | rw] [access-list-number] •...
Chapter 30 Configuring SNMP Configuring SNMP This example shows how to assign the string comaccess to SNMP, to allow read-only access, and to specify that IP access list 4 can use the community string to gain access to the switch SNMP agent: Switch(config)# snmp-server community comaccess ro 4 Configuring SNMP Groups and Users You can specify an identification name (engine ID) for the local or remote SNMP server engine on the...
Page 575
Chapter 30 Configuring SNMP Configuring SNMP Command Purpose Step 3 snmp-server group groupname {v1 | v2c | v3 Configure a new SNMP group on the remote device. {auth | noauth | priv}} [read readview] For groupname, specify the name of the group. •...
By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers. Many commands use the word traps in the command syntax. Unless there is an option in the command Note to select either traps or informs, the keyword traps refers to either traps, informs, or both.
Page 577
Chapter 30 Configuring SNMP Configuring SNMP Table 30-5 Switch Notification Types Notification Type Keyword Description Generates BGP state change traps. This option is only available when the enhanced multilayer image is installed. bridge Generates STP bridge MIB traps. cluster Generates a trap when the cluster configuration changes. config Generates a trap for SNMP configuration changes.
Page 578
Chapter 30 Configuring SNMP Configuring SNMP Beginning in privileged EXEC mode, follow these steps to configure the switch to send traps or informs to a host: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server engineID remote Specify the engine ID for the remote host.
Chapter 30 Configuring SNMP Configuring SNMP Command Purpose Step 9 snmp-server trap-timeout seconds (Optional) Define how often to resend trap messages. The range is 1 to 1000; the default is 30 seconds. Step 10 Return to privileged EXEC mode. Step 11 show running-config Verify your entries.
Chapter 30 Configuring SNMP Configuring SNMP Limiting TFTP Servers Used Through SNMP Beginning in privileged EXEC mode, follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list: Command Purpose Step 1...
Switch(config)# snmp-server enable traps entity Switch(config)# snmp-server host cisco.com restricted entity This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public: Switch(config)# snmp-server enable traps Switch(config)# snmp-server host myhost.cisco.com public...
Page 582
Chapter 30 Configuring SNMP Displaying SNMP Status Though visible in the command-line help strings, the snmp-server enable informs global configuration Note command is not supported. To enable the sending of SNMP inform notifications, use the snmp-server enable traps global configuration command combined with the snmp-server host host-addr informs global configuration command.
For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release, refer to the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2, and to these software configuration guides and command references: Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2...
Chapter 31 Configuring Network Security with ACLs Understanding ACLs You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network.
Chapter 31 Configuring Network Security with ACLs Understanding ACLs When a VLAN map, input router ACL, and input port ACL exist in an SVI, incoming packets • received on the ports to which a port ACL is applied are only filtered by the port ACL. Incoming routed IP packets received on other ports are filtered by both the VLAN map and the router ACL.
Chapter 31 Configuring Network Security with ACLs Understanding ACLs When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
Chapter 31 Configuring Network Security with ACLs Understanding ACLs Figure 31-2 Using VLAN Maps to Control Traffic Host A Host B (VLAN 10) (VLAN 10) = VLAN map denying specific type of traffic from Host A = Packet Handling Fragmented and Unfragmented Traffic IP packets can be fragmented as they cross the network.
ACL information to all switches in the stack. Configuring IP ACLs Configuring IP ACLs on the switch is the same as configuring IP ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, refer to the “Configuring IP Services”...
Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Inbound and outbound rate limiting (except with QoS ACLs) • Reflexive ACLs or dynamic ACLs (except for some specialized dynamic ACLs used by the switch • clustering feature) • ACL logging for port ACLs and VLAN maps These are the steps to use IP ACLs on the switch: Create an ACL by specifying an access list number or name and the access conditions.
Page 590
Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Table 31-1 Access List Numbers Access List Number Type Supported 1–99 IP standard access list 100–199 IP extended access list 200–299 Protocol type-code access list 300–399 DECnet access list 400–499 XNS standard access list 500–599 XNS extended access list...
Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Creating a Numbered Standard ACL Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} Define a standard IP access list by using a source address and source [source-wildcard] [log]...
Page 592
Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Use the no access-list access-list-number global configuration command to delete the entire ACL. You cannot delete individual ACEs from numbered access lists. Note When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny statement for all packets that it did not find a match for before reaching the end.
For more details on the specific keywords for each protocol, refer to these software configuration guides and command references: Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 • Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2 •...
Page 594
Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Beginning in privileged EXEC mode, follow these steps to create an extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2a access-list access-list-number Define an extended IP access list and the access conditions. {deny | permit} protocol The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.
Page 595
TCP port. To see TCP port names, use the ? or refer to the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2. Use only TCP port numbers or names when filtering TCP.
Page 596
ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or refer to the “Configuring IP Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. Step 2e access-list access-list-number (Optional) Define an extended IGMP access list and the access conditions.
31-30). Resequencing ACEs in an ACL In Cisco IOS Release 12.2(18)SE and later, sequence numbers for the entries in an access list are automatically generated when you create a new ACL.You can use the ip access-list resequence global configuration command to edit the sequence numbers in an ACL and change the order in which ACEs are applied.
Page 598
Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Command Purpose Step 3 deny {source [source-wildcard] | host source | In access-list configuration mode, specify one or more conditions any} [log] denied or permitted to decide if the packet is forwarded or dropped. host source—A source and source wildcard of source 0.0.0.0.
Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACL entries to a specific ACL. However, you can use no permit and no deny access-list configuration mode commands to remove entries from a named ACL.
Page 600
Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Command Purpose Step 3 absolute [start time date] Specify when the function it will be applied to is operational. [end time date] You can use only one absolute statement in the time range. If you •...
Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs 30 deny tcp any any time-range christmas_2003 (inactive) 40 permit tcp any any time-range workhours (inactive) This example uses named ACLs to permit and deny the same traffic. Switch(config)# ip access-list extended deny_access Switch(config-ext-nacl)# deny tcp any any time-range new_year_day_2003 Switch(config-ext-nacl)# deny tcp any any time-range thanksgiving_2003 Switch(config-ext-nacl)# deny tcp any any time-range christmas_2003...
Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs For procedures for applying ACLs to interfaces, see the “Applying an IP ACL to an Interface” section on page 31-20. For applying ACLs to VLANs, see the “Configuring VLAN Maps” section on page 31-30.
Page 603
Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Beginning in privileged EXEC mode, follow these steps to control access to an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Identify a specific interface for configuration, and enter interface configuration mode.
This section provides examples of configuring and applying IP ACLs. For detailed information about compiling ACLs, refer to the Cisco IOS Security Configuration Guide, Release 12.2 and to the Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
Page 605
Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Use router ACLs to do this in one of two ways: Create a standard ACL, and filter traffic coming to the server from Port 1. • • Create an extended ACL, and filter traffic coming from the server into Port 1. Figure 31-3 Using Router ACLs to Control Traffic Server A Server B...
Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs Numbered ACLs In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host.
Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits ICMP traffic, denies UDP traffic from any source to the destination address range 171.69.0.0 through 179.69.255.255 with a destination port less than 1024, denies any other IP traffic, and provides a log of the result.
Chapter 31 Configuring Network Security with ACLs Configuring IP ACLs In this example of a named ACL, the Jones subnet is not allowed access: Switch(config)# ip access-list standard prevention Switch(config-std-nacl)# remark Do not allow Jones subnet through Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.255 In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet: Switch(config)# ip access-list extended telnetting Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out...
Chapter 31 Configuring Network Security with ACLs Creating Named MAC Extended ACLs 01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet 01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 8 packets Note that all logging entries for IP ACLs start with with minor variations in format %SEC-6-IPACCESSLOG depending on the kind of ACL and the access entry that has been matched.
Page 610
Chapter 31 Configuring Network Security with ACLs Creating Named MAC Extended ACLs Command Purpose Step 3 {deny | permit} {any | host source MAC In extended MAC access-list configuration mode, specify to address | source MAC address mask} {any | permit or deny any source MAC address, a source MAC address host destination MAC address | destination with a mask, or a specific host source MAC address and any...
Chapter 31 Configuring Network Security with ACLs Creating Named MAC Extended ACLs Applying a MAC ACL to a Layer 2 Interface After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface.
Chapter 31 Configuring Network Security with ACLs Configuring VLAN Maps Configuring VLAN Maps This section describes how to configure VLAN maps, which is the only way to control filtering within a VLAN. VLAN maps have no direction. To filter traffic in a specific direction by using a VLAN map, you need to include an ACL with specific source or destination addresses.
Chapter 31 Configuring Network Security with ACLs Configuring VLAN Maps If the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet • does not match any of these match clauses, the default is to drop the packet. If there is no match clause for that type of packet in the VLAN map, the default is to forward the packet.
Chapter 31 Configuring Network Security with ACLs Configuring VLAN Maps Command Purpose Step 4 match {ip | mac} address {name | Match the packet (using either the IP or MAC address) against one or more number} [name | number] standard or extended access lists. Note that packets are only matched against access lists of the correct protocol type.
Page 615
Chapter 31 Configuring Network Security with ACLs Configuring VLAN Maps Forward all UDP packets • Drop all IGMP packets • • Forward all TCP packets • Drop all other IP packets Forward all non-IP packets • Switch(config)# access-list 101 permit udp any any Switch(config)# ip access-list extended igmp-match Switch(config-ext-nacl)# permit igmp any any Switch(config)# ip access-list extended tcp-match...
Chapter 31 Configuring Network Security with ACLs Configuring VLAN Maps Example 4 In this example, the VLAN map has a default action of drop for all packets (IP and non-IP). Used with access lists tcp-match and good-hosts from Examples 2 and 3, the map will have the following results: Forward all TCP packets •...
Chapter 31 Configuring Network Security with ACLs Configuring VLAN Maps Wiring Closet Configuration In a wiring closet configuration, routing might not be enabled on the switch. In this configuration, the switch can still support a VLAN map and a QoS classification ACL. In Figure 31-4, assume that Host X and Host Y are in different VLANs and are connected to wiring closet switches A and C.
Chapter 31 Configuring Network Security with ACLs Configuring VLAN Maps Denying Access to a Server on Another VLAN You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs to have access denied to these hosts (see Figure 31-5): Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access.
Chapter 31 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs Using VLAN Maps with Router ACLs To access control both bridged and routed traffic, you can use VLAN maps only or a combination of router ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN interfaces, and you can define a VLAN map to access control the bridged traffic.
Chapter 31 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs Avoid including Layer 4 information in an ACL; adding this information complicates the merging • process. The best merge results are obtained if the ACLs are filtered based on IP addresses (source and destination) and not on the full flow (source IP address, destination IP address, protocol, and protocol ports).
Chapter 31 Configuring Network Security with ACLs Displaying ACL Configuration ACLs and Multicast Packets Figure 31-9 shows how ACLs are applied on packets that are replicated for IP multicasting. A multicast packet being routed has two different kinds of filters applied: one for destinations that are other ports in the input VLAN and another for each of the destinations that are in other VLANs to which the packet has been routed.
Page 623
Chapter 31 Configuring Network Security with ACLs Displaying ACL Configuration Table 31-2 Commands for Displaying Access Lists and Access Groups (continued) Command Purpose show ip interface interface-id Display detailed configuration and status of an interface. If IP is enabled on the interface and ACLs have been applied by using the ip access-group interface configuration command, the access groups are included in the display.
The switch supports some of the modular QoS CLI (MQC) commands. For more information about the MQC commands, refer to the “Modular Quality of Service Command Line Interface Overview” at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt8/ qcfmdcli.htm#89799 Understanding QoS Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner.
Page 626
Chapter 32 Configuring QoS Understanding QoS The QoS implementation is based on the Differentiated Services (Diff-Serv) architecture, an emerging standard from the Internet Engineering Task Force (IETF). This architecture specifies that each packet is classified upon entry into the network. The classification is carried in the IP packet header, using 6 bits from the deprecated IP type of service (ToS) field to carry the classification (class) information.
Chapter 32 Configuring QoS Understanding QoS Layer 3 IPv6 packets are treated as non-IP packets and are bridged by the switch. Note All switches and routers that access the Internet rely on the class information to provide the same forwarding treatment to packets with the same class information and different treatment to packets with different class information.
Chapter 32 Configuring QoS Understanding QoS Actions at the egress port include queueing and scheduling: Queueing evaluates the QoS label and the corresponding DSCP or CoS value to select into which of • the four egress queues to place a packet. Because congestion can occur when multiple ingress ports simultaneously send data to an egress port, WTD is used to differentiate traffic classes and to subject the packets to different thresholds based on the QoS label.
Page 629
Chapter 32 Configuring QoS Understanding QoS You specify which fields in the frame or packet that you want to use to classify incoming traffic. For non-IP traffic, you have these classification options as shown in Figure 32-3: Trust the CoS value in the incoming frame (configure the port to trust CoS). Then use the •...
Page 630
Chapter 32 Configuring QoS Understanding QoS Figure 32-3 Classification Flowchart Start Trust CoS (IP and non-IP traffic). Read ingress interface Trust DSCP (IP traffic). configuration for classification. IP and non-IP Trust DSCP or Trust IP traffic IP precedence precedence (non-IP traffic). (IP traffic).
Chapter 32 Configuring QoS Understanding QoS Classification Based on QoS ACLs You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs: •...
Chapter 32 Configuring QoS Understanding QoS You create and name a policy map by using the policy-map global configuration command. When you enter this command, the switch enters the policy-map configuration mode. In this mode, you specify the actions to take on a specific traffic class by using the class, trust, or set policy-map configuration and policy-map class configuration commands.
Page 633
Chapter 32 Configuring QoS Understanding QoS Policing uses a token-bucket algorithm. As each frame is received by the switch, a token is added to the bucket. The bucket has a hole in it and leaks at a rate that you specify as the average traffic rate in bits per second.
Chapter 32 Configuring QoS Understanding QoS Mapping Tables During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with an QoS label based on the DSCP or CoS value from the classification stage: During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or •...
Chapter 32 Configuring QoS Understanding QoS Queueing and Scheduling Overview The switch has queues at specific points to help prevent congestion as shown in Figure 32-5. Figure 32-5 Ingress and Egress Queue Location Policer Marker Egress queues Stack ring Policer Marker Ingress queues...
Chapter 32 Configuring QoS Understanding QoS Figure 32-6 WTD and Queue Operation CoS 6-7 100% 1000 CoS 4-5 CoS 0-3 For more information, see the “Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds” section on page 32-56, the “Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set”...
Chapter 32 Configuring QoS Understanding QoS Queueing and Scheduling on Ingress Queues Figure 32-7 shows the queueing and scheduling flowchart for ingress ports. Figure 32-7 Queueing and Scheduling Flowchart for Ingress Ports Start Read QoS label (DSCP or CoS value). Determine ingress queue number, buffer allocation, and WTD thresholds.
Page 638
Chapter 32 Configuring QoS Understanding QoS You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
Chapter 32 Configuring QoS Understanding QoS Queueing and Scheduling on Egress Queues Figure 32-8 shows the queueing and scheduling flowchart for egress ports. Figure 32-8 Queueing and Scheduling Flowchart for Egress Ports Start Receive packet from the stack ring. Read QoS label (DSCP or CoS value).
Page 640
Chapter 32 Configuring QoS Understanding QoS Figure 32-9 shows the egress queue buffer. The buffer space is divided between the common pool and the reserved pool. The switch uses a buffer allocation scheme to reserve a minimum amount of buffers for each egress queue, to prevent any queue or port from consuming all the buffers and depriving other queues, and to control whether to grant buffer space to a requesting queue.
Chapter 32 Configuring QoS Understanding QoS threshold-id cos1...cos8} global configuration command. You can display the DSCP output queue threshold map and the CoS output queue threshold map by using the show mls qos maps privileged EXEC command. The queues use WTD to support distinct drop percentages for different traffic classes. Each queue has three drop thresholds: two configurable (explicit) WTD thresholds and one nonconfigurable (implicit) threshold preset to the queue-full state.
The switch uses the resulting classification to choose the appropriate egress queue. You use auto-QoS commands to identify ports connected to Cisco IP Phones and to devices running the Cisco SoftPhone application. You also use the commands to identify ports that receive trusted traffic through an uplink.
Page 643
The switch uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP Phone. When a Cisco IP Phone is detected, the ingress classification on the port is set to trust the QoS label received in the packet. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet.
Page 644
Ensure Port Security” section on page 32-35. When you enable auto-QoS by using the auto qos voip cisco-phone, the auto qos voip cisco-softphone, or the auto qos voip trust interface configuration command, the switch automatically generates a QoS configuration based on the traffic type and ingress packet label and applies the commands listed in Table 32-5 to the port.
Page 646
DSCP value received in the packet on a routed port. If you entered the auto qos voip cisco-phone command, the Switch(config-if)# mls qos trust device cisco-phone switch automatically enables the trusted boundary feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone.
By default, the CDP is enabled on all ports. For auto-QoS to function properly, do not disable the • CDP. When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address • to the IP phone.
Cisco IP Phones on routed ports was added. If auto-QoS is configured on the switch, your switch is running a release earlier than Cisco IOS Release 12.2(20)SE, and you upgrade to Cisco IOS Release 12.2(20)SE or later, the configuration file will not contain the new configuration, and auto-QoS will not operate.
Page 649
Chapter 32 Configuring QoS Configuring Auto-QoS Command Purpose Step 4 Return to privileged EXEC mode. Step 5 show auto qos interface interface-id Verify your entries. This command displays the auto-QoS command on the interface on which auto-QoS was enabled. You can use the show running-config privileged EXEC command to display the auto-QoS configuration and the user modifications.
IP phones IP phones Cisco IP phones Cisco IP phones Figure 32-10 shows a network in which the VoIP traffic is prioritized over all other traffic. Auto-QoS is enabled on the switches in the wiring closets at the edge of the QoS domain.
Page 651
Step 6 exit Return to global configuration mode. Step 7 Repeat Steps 4 to 6 for as many ports as are connected to the Cisco IP Phone. Step 8 interface interface-id Specify the switch port identified as connected to a trusted switch or router, and enter interface configuration mode.
Chapter 32 Configuring QoS Displaying Auto-QoS Information Displaying Auto-QoS Information To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.
Chapter 32 Configuring QoS Configuring Standard QoS Default Standard QoS Configuration QoS is disabled. There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
Chapter 32 Configuring QoS Configuring Standard QoS Default Egress Queue Configuration Table 32-9 shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited. Table 32-9 Default Egress Queue Configuration Feature Queue 1...
Chapter 32 Configuring QoS Configuring Standard QoS Standard QoS Configuration Guidelines Before beginning the QoS configuration, you should be aware of this information: • You configure QoS only on physical ports; there is no support for it on the VLAN or switch virtual interface level.
Chapter 32 Configuring QoS Configuring Standard QoS Enabling QoS Globally By default, QoS is disabled on the switch. Beginning in privileged EXEC mode, follow these steps to enable QoS. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos Enable QoS globally.
Page 657
Chapter 32 Configuring QoS Configuring Standard QoS Figure 32-11 Port Trusted States within the QoS Domain Trusted interface Trunk Traffic classification performed here Trusted boundary Catalyst 3750 Switch Software Configuration Guide 32-33 78-16180-02...
Page 658
Chapter 32 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be trusted, and enter interface configuration mode.
Page 659
To return to the default setting, use the no mls qos cos {default-cos | override} interface configuration command. Configuring a Trusted Boundary to Ensure Port Security In a typical network, you connect a Cisco IP Phone to a switch port, as shown in Figure 32-11 on page 32-33, and cascade devices that generate data packets from the back of the telephone.
Page 660
CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue.
Page 661
Chapter 32 Configuring QoS Configuring Standard QoS Figure 32-12 DSCP-Trusted State on a Port Bordering Another QoS Domain QoS Domain 1 QoS Domain 2 IP traffic Set interface to the DSCP-trusted state. Configure the DSCP-to-DSCP-mutation map. Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and modify the DSCP-to-DSCP-mutation map.
Chapter 32 Configuring QoS Configuring Standard QoS To return a port to its non-trusted state, use the no mls qos trust interface configuration command. To return to the default DSCP-to-DSCP-mutation map values, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command. This example shows how to configure a port to the DSCP-trusted state and to modify the DSCP-to-DSCP-mutation map (named gi1/0/2-mutation) so that incoming DSCP values 10 to 13 are mapped to DSCP 30:...
Page 663
Chapter 32 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | Create an IP standard ACL, repeating the command as many times as permit} source [source-wildcard] necessary.
Page 664
Chapter 32 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | Create an IP extended ACL, repeating the command as many times as permit} protocol source source-wildcard necessary.
Page 665
Chapter 32 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac access-list extended name Create a Layer 2 MAC ACL by specifying the name of the list.
Chapter 32 Configuring QoS Configuring Standard QoS Classifying Traffic by Using Class Maps You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. The class map defines the criteria to use to match against a specific traffic flow to further classify it.
Page 667
Chapter 32 Configuring QoS Configuring Standard QoS Command Purpose Step 4 match {access-group acl-index-or-name | Define the match criterion to classify traffic. ip dscp dscp-list | ip precedence By default, no match criterion is defined. ip-precedence-list} Only one match criterion per class map is supported, and only one ACL per class map is supported.
Chapter 32 Configuring QoS Configuring Standard QoS Classifying, Policing, and Marking Traffic by Using Policy Maps A policy map specifies which traffic class to act on. Actions can include trusting the CoS, DSCP, or IP precedence values in the traffic class; setting a specific DSCP or IP precedence value in the traffic class; and specifying the traffic bandwidth limitations for each matched traffic class (policer) and the action to take when the traffic is out of profile (marking).
Page 669
Chapter 32 Configuring QoS Configuring Standard QoS Command Purpose Step 4 class class-map-name Define a traffic classification, and enter policy-map class configuration mode. By default, no policy map class-maps are defined. If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.
Page 670
Chapter 32 Configuring QoS Configuring Standard QoS Command Purpose Step 7 police rate-bps burst-byte [exceed-action Define a policer for the classified traffic. {drop | policed-dscp-transmit}] By default, no policer is defined. For information on the number of policers supported, see the “Standard QoS Configuration Guidelines”...
Chapter 32 Configuring QoS Configuring Standard QoS Switch(config-pmap-c)# police 48000 8000 exceed-action policed-dscp-transmit Switch(config-pmap-c)# exit Switch(config-pmap)# exit Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# service-policy input flow1t This example shows how to create a Layer 2 MAC ACL with two permit statements and attach it to an ingress port.
Page 672
Chapter 32 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to create an aggregate policer: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos aggregate-policer Define the policer parameters that can be applied to multiple traffic aggregate-policer-name rate-bps burst-byte classes within the same policy map.
Chapter 32 Configuring QoS Configuring Standard QoS Command Purpose Step 11 show mls qos aggregate-policer Verify your entries. [aggregate-policer-name] Step 12 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove the specified aggregate policer from a policy map, use the no police aggregate aggregate-policer-name policy map configuration mode.
Chapter 32 Configuring QoS Configuring Standard QoS Configuring the CoS-to-DSCP Map You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 32-12 shows the default CoS-to-DSCP map.
Chapter 32 Configuring QoS Configuring Standard QoS If these values are not appropriate for your network, you need to modify them. Beginning in privileged EXEC mode, follow these steps to modify the IP-precedence-to-DSCP map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 32 Configuring QoS Configuring Standard QoS To return to the default map, use the no mls qos policed-dscp global configuration command. This example shows how to map DSCP 50 to 57 to a marked-down DSCP value of 0: Switch(config)# mls qos map policed-dscp 50 51 52 53 54 55 56 57 to 0 Switch(config)# end Switch# show mls qos maps policed-dscp Policed-dscp map:...
Chapter 32 Configuring QoS Configuring Standard QoS Command Purpose Step 4 show mls qos maps dscp-to-cos Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default map, use the no mls qos dscp-cos global configuration command. This example shows how to map DSCP values 0, 8, 16, 24, 32, 40, 48, and 50 to CoS value 0 and to display the map: Switch(config)# mls qos map dscp-cos 0 8 16 24 32 40 48 50 to 0...
Page 678
Chapter 32 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-DSCP-mutation map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map dscp-mutation Modify the DSCP-to-DSCP-mutation map.
Chapter 32 Configuring QoS Configuring Standard QoS This example shows how to define the DSCP-to-DSCP-mutation map. All the entries that are not explicitly configured are not modified (remains as specified in the null map): Switch(config)# mls qos map dscp-mutation mutation1 1 2 3 4 5 6 7 to 0 Switch(config)# mls qos map dscp-mutation mutation1 8 9 10 11 12 13 to 10 Switch(config)# mls qos map dscp-mutation mutation1 20 21 22 to 20 Switch(config)# mls qos map dscp-mutation mutation1 30 31 32 33 34 to 30...
Page 680
Chapter 32 Configuring QoS Configuring Standard QoS Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped. Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and to set WTD thresholds.
Chapter 32 Configuring QoS Configuring Standard QoS This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent. It maps DSCP values 20 to 26 to ingress queue 1 and to threshold 2 with a drop threshold of 70 percent: Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 1 0 1 2 3 4 5 6 Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 20 21 22 23 24 25 26...
Chapter 32 Configuring QoS Configuring Standard QoS Allocating Bandwidth Between the Ingress Queues You need to specify how much of the available bandwidth is allocated between the ingress queues. The ratio of the weights is the ratio of the frequency in which the SRR scheduler sends packets from each queue.
Chapter 32 Configuring QoS Configuring Standard QoS Configuring the Ingress Priority Queue You should use the priority queue only for traffic that needs to be expedited (for example, voice traffic, which needs minimum delay and jitter). The priority queue is guaranteed part of the bandwidth to reduce the delay and jitter under heavy network traffic on an oversubscribed ring (when there is more traffic than the backplane can carry, and the queues are full and dropping frames).
Chapter 32 Configuring QoS Configuring Standard QoS Configuring Egress Queue Characteristics Depending on the complexity of your network and your QoS solution, you might need to perform all of the tasks in the next sections. You will need to make decisions about these characteristics: Which packets are mapped by DSCP or CoS value to each queue and threshold ID? •...
Page 685
Chapter 32 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and to drop thresholds for a queue-set. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos queue-set output qset-id Allocate buffers to a queue-set.
Chapter 32 Configuring QoS Configuring Standard QoS Command Purpose Step 6 Return to privileged EXEC mode. Step 7 show mls qos interface [interface-id] Verify your entries. buffers Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command.
Page 687
Chapter 32 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an egress queue and to a threshold ID. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 32 Configuring QoS Configuring Standard QoS Configuring SRR Shaped Weights on Egress Queues You cannot configure SSR shaped weights on the 10-Gigabit interfaces. Note You can specify how much of the available bandwidth is allocated to each queue. The ratio of the weights is the ratio of frequency in which the SRR scheduler sends packets from each queue.
Chapter 32 Configuring QoS Configuring Standard QoS This example shows how to configure bandwidth shaping on queue 1. Because the weight ratios for queues 2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent: Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# srr-queue bandwidth shape 8 0 0 0...
Configuring Standard QoS Configuring the Egress Expedite Queue Beginning in Cisco IOS Release 12.1(19)EA1, you can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. SRR services this queue until it is empty before servicing the other queues.
Chapter 32 Configuring QoS Displaying Standard QoS Information Beginning in privileged EXEC mode, follow these steps to limit the bandwidth on an egress port. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be rate limited, and enter interface configuration mode.
Page 692
Chapter 32 Configuring QoS Displaying Standard QoS Information Table 32-15 Commands for Displaying Standard QoS Information (continued) Command Purpose show mls qos queue-set [qset-id] Display QoS settings for the egress queues. show policy-map [policy-map-name [class Display QoS policy maps, which define classification criteria for class-map-name]] incoming traffic.
C H A P T E R Configuring EtherChannels This chapter describes how to configure EtherChannels on Layer 2 and Layer 3 ports on the Catalyst 3750 switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
Chapter 33 Configuring EtherChannels Understanding EtherChannels EtherChannel Overview An EtherChannel consists of individual Fast Ethernet or Gigabit Ethernet links bundled into a single logical link as shown in Figure 33-1. Figure 33-1 Typical EtherChannel Configuration Catalyst 8500 series switch Gigabit EtherChannel 1000BASE-X 1000BASE-X 10/100...
Page 695
Chapter 33 Configuring EtherChannels Understanding EtherChannels Figure 33-2 Single-Switch EtherChannel Catalyst 3750 switch stack Switch 1 Channel group 1 StackWise port connections Switch A Channel Switch 2 group 2 Switch 3 Figure 33-3 Cross-Stack EtherChannel Catalyst 3750 switch stack Switch 1 StackWise port connections...
Chapter 33 Configuring EtherChannels Understanding EtherChannels Port-Channel Interfaces When you create an EtherChannel, a port-channel logical interface is involved: • With Layer 2 ports, use the channel-group interface configuration command to dynamically create the port-channel logical interface. You also can use the interface port-channel port-channel-number global configuration command to manually create the port-channel logical interface, but then you must use the channel-group channel-group-number command to bind the logical interface to a physical port.
Understanding EtherChannels Port Aggregation Protocol The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports. You can use PAgP only in single-switch EtherChannel configurations;...
Link Aggregation Control Protocol The LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports. You can use LACP only in single-switch EtherChannel configurations;...
Chapter 33 Configuring EtherChannels Understanding EtherChannels LACP Modes Table 33-2 shows the user-configurable EtherChannel LACP modes for the channel-group interface configuration command. Table 33-2 EtherChannel LACP Modes Mode Description active Places a port into an active negotiating state in which the port starts negotiations with other ports by sending LACP packets.
Page 700
Chapter 33 Configuring EtherChannels Understanding EtherChannels With source-MAC address forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the channel based on the source-MAC address of the incoming packet. Therefore, to provide load balancing, packets from different hosts use different ports in the channel, but packets from the same host use the same port in the channel.
Figure 33-5 Load Distribution and Forwarding Methods Switch with source-based forwarding enabled EtherChannel Cisco router with destination-based forwarding enabled EtherChannel and Switch Stacks If a stack member that has ports participating in an EtherChannel fails or leaves the stack, the stack master removes the failed stack member switch ports from the EtherChannel.
If you try to enable 802.1x on an EtherChannel port, an error message appears, and 802.1x is not enabled. In software releases earlier than Cisco IOS Release 12.1(18)SE, if 802.1x is enabled on a Note not-yet-active port of an EtherChannel, the port does not join the EtherChannel.
Chapter 33 Configuring EtherChannels Configuring EtherChannels For Layer 2 EtherChannels: • Assign all ports in the EtherChannel to the same VLAN, or configure them as trunks. Ports with – different native VLANs cannot form an EtherChannel. – If you configure an EtherChannel from trunk ports, verify that the trunking mode (ISL or 802.1Q) is the same on all the trunks.
Page 705
Chapter 33 Configuring EtherChannels Configuring EtherChannels Beginning in privileged EXEC mode, follow these steps to assign a Layer 2 Ethernet port to a Layer 2 EtherChannel. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify a physical port, and enter interface configuration mode.
Page 706
Chapter 33 Configuring EtherChannels Configuring EtherChannels Command Purpose Step 4 channel-group channel-group-number mode Assign the port to a channel group, and specify the PAgP or the {auto [non-silent] | desirable [non-silent] | on} | LACP mode. {active | passive} For channel-group-number, the range is 1 to 12. For mode, select one of these keywords: auto—Enables PAgP only if a PAgP device is detected.
Chapter 33 Configuring EtherChannels Configuring EtherChannels This example shows how to configure an EtherChannel on a single switch in the stack. It assigns two ports as static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable: Switch# configure terminal Switch(config)# interface range gigabitethernet2/0/1 -2 Switch(config-if-range)# switchport mode access Switch(config-if-range)# switchport access vlan 10...
Chapter 33 Configuring EtherChannels Configuring EtherChannels Beginning in privileged EXEC mode, follow these steps to create a port-channel interface for a Layer 3 EtherChannel. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface port-channel port-channel-number Specify the port-channel logical interface, and enter interface configuration mode.
Page 709
Chapter 33 Configuring EtherChannels Configuring EtherChannels Command Purpose Step 5 channel-group channel-group-number mode Assign the port to a channel group, and specify the PAgP or the {auto [non-silent] | desirable [non-silent] | on} | LACP mode. {active | passive} For channel-group-number, the range is 1 to 12. This number must be the same as the port-channel-number (logical port) configured in the “Creating Port-Channel Logical Interfaces”...
Chapter 33 Configuring EtherChannels Configuring EtherChannels This example shows how to configure an EtherChannel. It assigns two ports to channel 5 with the LACP mode active: Switch# configure terminal Switch(config)# interface range gigabitethernet2/0/1 -2 Switch(config-if-range)# no ip address Switch(config-if-range)# no switchport Switch(config-if-range)# channel-group 5 mode active Switch(config-if-range)# end This example shows how to configure cross-stack EtherChannel.
Chapter 33 Configuring EtherChannels Configuring EtherChannels Command Purpose Step 3 Return to privileged EXEC mode. Step 4 show etherchannel load-balance Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command.
Chapter 33 Configuring EtherChannels Configuring EtherChannels Beginning in privileged EXEC mode, follow these steps to configure your switch as a PAgP physical-port learner and to adjust the priority so that the same port in the bundle is selected for sending packets.
Chapter 33 Configuring EtherChannels Configuring EtherChannels If you configure more than eight links for an EtherChannel group, the software automatically decides which of the hot-standby ports to make active based on the LACP priority. The software assigns to every link between systems that operate LACP a unique priority made up of these elements (in priority order): LACP system priority •...
Chapter 33 Configuring EtherChannels Configuring EtherChannels Configuring the LACP Port Priority By default, all ports use the same port priority. If the local system has a lower value for the system priority and the system ID than the remote system, you can affect which of the hot-standby links become active first by changing the port priority of LACP EtherChannel ports to a lower value than the default.
Chapter 33 Configuring EtherChannels Displaying EtherChannel, PAgP, and LACP Status Displaying EtherChannel, PAgP, and LACP Status To display EtherChannel, PAgP, and LACP status information, use the privileged EXEC commands described in Table 33-4: Table 33-4 Commands for Displaying EtherChannel, PAgP , and LACP Status Command Description show etherchannel [channel-group-number {detail |...
Page 716
Chapter 33 Configuring EtherChannels Displaying EtherChannel, PAgP, and LACP Status Catalyst 3750 Switch Software Configuration Guide 33-24 78-16180-02...
For more detailed IP unicast configuration information, refer to the Cisco IOS IP Configuration Guide, Release 12.1 For complete syntax and usage information for the commands used in this chapter, refer to these command references: Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2...
Chapter 34 Configuring IP Unicast Routing Understanding IP Routing Understanding IP Routing In some network environments, VLANs are associated with individual networks or subnetworks. In an IP network, each subnetwork is mapped to an individual VLAN. Configuring VLANs helps control the size of the broadcast domain and keeps local traffic local.
It processes routing protocol messages and updates received from peer routers. • It generates, maintains, and distributes the distributed Cisco Express Forwarding (dCEF) database • to all stack members. The routes are programmed on all switches in the stack bases on this database.
Steps for Configuring Routing By default, IP routing is disabled on the switch, and you must enable it before routing can take place. For detailed IP routing configuration information, refer to the Cisco IOS IP Configuration Guide, Release 12.2 In the following procedures, the specified interface must be one of these Layer 3 interfaces: •...
Chapter 34 Configuring IP Unicast Routing Configuring IP Addressing A Layer 3 switch can have an IP address assigned to each routed port and SVI. The number of routed Note ports and SVIs that you can configure is not limited by software. However, the interrelationship between this number and the number and volume of features being implemented might have an impact on CPU utilization because of hardware limitations.
Chapter 34 Configuring IP Unicast Routing Configuring IP Addressing Command Purpose Step 3 no switchport Remove the interface from Layer 2 configuration mode (if it is a physical interface). Step 4 ip address ip-address subnet-mask Configure the IP address and IP subnet mask. Step 5 no shutdown Enable the interface.
Page 724
Chapter 34 Configuring IP Unicast Routing Configuring IP Addressing Figure 34-2 IP Classless Routing 128.0.0.0/8 128.20.4.1 IP classless 128.20.0.0 128.20.1.0 128.20.3.0 128.20.2.0 128.20.4.1 Host Figure 34-3, the router in network 128.20.0.0 is connected to subnets 128.20.1.0, 128.20.2.0, and 128.20.3.0. If the host sends a packet to 120.20.4.1, because there is no network default route, the router discards the packet.
Using RARP requires a RARP server on the same network segment as the router interface. Use the ip rarp-server address interface configuration command to identify the server. For more information on RARP, refer to the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2.
Chapter 34 Configuring IP Unicast Routing Configuring IP Addressing Define a Static ARP Cache ARP and other address resolution protocols provide dynamic mapping between IP addresses and MAC addresses. Because most hosts support dynamic address resolution, you usually do not need to specify static ARP cache entries.
Chapter 34 Configuring IP Unicast Routing Configuring IP Addressing Set ARP Encapsulation By default, Ethernet ARP encapsulation (represented by the arpa keyword) is enabled on an IP interface. You can change the encapsulation methods to SNAP if required by your network. Beginning in privileged EXEC mode, follow these steps to specify the ARP encapsulation type: Command Purpose...
Chapter 34 Configuring IP Unicast Routing Configuring IP Addressing Routing Assistance When IP Routing is Disabled These mechanisms allow the switch to learn about routes to other networks when it does not have IP routing enabled: Proxy ARP, page 34-12 •...
Chapter 34 Configuring IP Unicast Routing Configuring IP Addressing ICMP Router Discovery Protocol (IRDP) Router discovery allows the switch to dynamically learn about routes to other networks using IRDP. IRDP allows hosts to locate routers. When operating as a client, the switch generates router discovery packets.
Chapter 34 Configuring IP Unicast Routing Configuring IP Addressing If you change the maxadvertinterval value, the holdtime and minadvertinterval values also change, so it is important to first change the maxadvertinterval value, before manually changing either the holdtime or minadvertinterval values. Use the no ip irdp interface configuration command to disable IRDP routing.
By default, both UDP and ND forwarding are enabled if a helper address has been defined for an interface. The description for the ip forward-protocol interface configuration command in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 lists the ports that are forwarded by default if you do not specify any UDP ports.
Chapter 34 Configuring IP Unicast Routing Configuring IP Addressing If you do not specify any UDP ports when you configure the forwarding of UDP broadcasts, you are configuring the router to act as a BOOTP forwarding agent. BOOTP packets carry DHCP information. Beginning in privileged EXEC mode, follow these steps to enable forwarding UDP broadcast packets on an interface and specify the destination address: Command...
Chapter 34 Configuring IP Unicast Routing Configuring IP Addressing Flooding IP Broadcasts You can allow IP broadcasts to be flooded throughout your internetwork in a controlled fashion by using the database created by the bridging STP. Using this feature also prevents loops. To support this capability, bridging must be configured on each interface that is to participate in the flooding.
Chapter 34 Configuring IP Unicast Routing Configuring IP Addressing Beginning in privileged EXEC mode, follow these steps to increase spanning-tree-based flooding: Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip forward-protocol turbo-flood Use the spanning-tree database to speed up flooding of UDP datagrams. Step 3 Return to privileged EXEC mode.
(RIP) router configuration command. For information on specific protocols, refer to sections later in this chapter and to the Cisco IOS IP Configuration Guide, Release 12.2. Note The SMI supports only RIP as a routing protocol Step 4 Return to privileged EXEC mode.
Protocol (UDP) data packets to exchange routing information. The protocol is documented in RFC 1058. You can find detailed information about RIP in IP Routing Fundamentals, published by Cisco Press. RIP is the only routing protocol supported by the SMI; other routing protocols require the stack master Note to be running the EMI.
Page 738
Chapter 34 Configuring IP Unicast Routing Configuring RIP Command Purpose Step 7 timers basic update invalid holddown (Optional) Adjust routing protocol timers. Valid ranges for all timers are flush 0 to 4294967295 seconds. update—The time between sending routing updates. The default is •...
Chapter 34 Configuring IP Unicast Routing Configuring RIP Configuring RIP Authentication RIP version 1 does not support authentication. If you are sending and receiving RIP Version 2 packets, you can enable RIP authentication on an interface. The key chain specifies \the set of keys that can be used on the interface.
Chapter 34 Configuring IP Unicast Routing Configuring RIP Beginning in privileged EXEC mode, follow these steps to set an interface to advertise a summarized local IP address and to disable split horizon on the interface: Command Purpose Step 1 configure terminal Enter global configuration mode.
This section briefly describes how to configure Open Shortest Path First (OSPF). For a complete description of the OSPF commands, refer to the “OSPF Commands” chapter of the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
Chapter 34 Configuring IP Unicast Routing Configuring OSPF Table 34-5 Default OSPF Configuration (continued) Feature Default Setting Distance OSPF dist1 (all routes within an area): 110. dist2 (all routes from one area to another): 110. and dist3 (routes from other routing domains): 110. OSPF database filter Disabled.
Chapter 34 Configuring IP Unicast Routing Configuring OSPF Command Purpose Step 3 network address wildcard-mask area area-id Define an interface on which OSPF runs and the area ID for that interface. You can use the wildcard-mask to use a single command to define one or more multiple interfaces to be associated with a specific OSPF area.
Chapter 34 Configuring IP Unicast Routing Configuring OSPF Command Purpose Step 8 ip ospf dead-interval seconds (Optional) Set the number of seconds after the last device hello packet was seen before its neighbors declare the OSPF router to be down. The value must be the same for all nodes on a network. The range is 1 to 65535 seconds.
Chapter 34 Configuring IP Unicast Routing Configuring OSPF Command Purpose Step 3 area area-id authentication (Optional) Allow password-based protection against unauthorized access to the identified area. The identifier can be either a decimal value or an IP address. Step 4 area area-id authentication message-digest (Optional) Enable MD5 authentication on the area.
Page 747
Chapter 34 Configuring IP Unicast Routing Configuring OSPF Default route: When you specifically configure redistribution of routes into an OSPF routing • domain, the route automatically becomes an autonomous system boundary router (ASBR). You can force the ASBR to generate a default route into the OSPF routing domain. Domain Name Server (DNS) names for use in all OSPF show privileged EXEC command displays •...
Chapter 34 Configuring IP Unicast Routing Configuring OSPF Command Purpose Step 10 timers spf spf-delay spf-holdtime (Optional) Configure route calculation timers. spf-delay—Enter an integer from 0 to 65535. The default is 5 • seconds; 0 means no delay. spf-holdtime—Enter an integer from 0 to 65535. The default is •...
EXEC commands for displaying statistics. For more show ip ospf database privileged EXEC command options and for explanations of fields in the resulting display, refer to the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. Table 34-6 Show IP OSPF Statistics Commands...
Configuring EIGRP Configuring EIGRP Enhanced IGRP (EIGRP) is a Cisco proprietary enhanced version of the IGRP. EIGRP uses the same distance vector algorithm and distance information as IGRP; however, the convergence properties and the operating efficiency of EIGRP are significantly improved.
Chapter 34 Configuring IP Unicast Routing Configuring EIGRP feasible successors, but there are neighbors advertising the destination, a recomputation must occur. This is the process whereby a new successor is determined. The amount of time it takes to recompute the route affects the convergence time. Recomputation is processor-intensive; it is advantageous to avoid recomputation if it is not necessary.
Chapter 34 Configuring IP Unicast Routing Configuring EIGRP Command Purpose Step 3 network network-number Associate networks with an EIGRP routing process. EIGRP sends updates to the interfaces in the specified networks. If an interface’s network is not specified, it is not advertised in any IGRP or EIGRP update.
15 seconds for all other networks. Do not adjust the hold time without consulting Caution Cisco technical support. Step 7 no ip split-horizon eigrp autonomous-system-number (Optional) Disable split horizon to allow route information to be advertised by a router out any interface from which that information originated.
You can delete neighbors from the neighbor table. You can also display various EIGRP routing statistics. Table 34-8 lists the privileged EXEC commands for deleting neighbors and displaying statistics. For explanations of fields in the resulting display, refer to the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. Table 34-8...
“Configuring BGP” chapter in the Cisco IOS IP and IP Routing Configuration Guide. For details about BGP commands and keywords, refer to the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of BGP commands that are visible but not supported by the switch, see Appendix C, “Unsupported Commands in Cisco IOS Release 12.2(20)SE.”...
Page 757
AS-level policy decisions. A router or switch running Cisco IOS does not select or use an IBGP route unless it has a route available to the next-hop router and it has received synchronization from an IGP (unless IGP synchronization is disabled).
Default BGP Configuration Table 34-9 shows the basic default BGP configuration. For the defaults for all characteristics, refer to the specific commands in the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. Table 34-9 Default BGP Configuration...
Page 759
Chapter 34 Configuring IP Unicast Routing Configuring BGP Table 34-9 Default BGP Configuration (continued) Feature Default Setting Multi exit discriminator (MED) Always compare: Disabled. Does not compare MEDs for paths from neighbors in • different autonomous systems. • Best path compare: Disabled. MED missing as worst path: Disabled.
Chapter 34 Configuring IP Unicast Routing Configuring BGP Enabling BGP Routing To enable BGP routing, you establish a BGP routing process and define the local network. Because BGP must completely recognize the relationships with its neighbors, you must also specify a BGP neighbor. BGP supports two kinds of neighbors: internal and external.
Page 761
Chapter 34 Configuring IP Unicast Routing Configuring BGP Command Purpose Step 8 no auto-summary (Optional) Disable automatic network summarization. By default, when a subnet is redistributed from an IGP into BGP, only the network route is inserted into the BGP table. Step 9 bgp fast-external-fallover (Optional) Automatically reset a BGP session when a link...
BGP sessions so that the configuration changes take effect. There are two types of reset, hard reset and soft reset. Cisco IOS Releases 12.1 and later support a soft reset without any prior configuration. To use a soft reset without preconfiguration, both BGP peers must support the soft route refresh capability, which is advertised in the OPEN message sent when the peers establish a TCP session.
Prefer the path with the largest weight (a Cisco proprietary parameter). The weight attribute is local to the router and not propagated in routing updates. By default, the weight attribute is 32768 for paths that the router originates and zero for other paths.
Page 764
Chapter 34 Configuring IP Unicast Routing Configuring BGP Prefer the route with the highest local preference. Local preference is part of the routing update and exchanged among routers in the same AS. The default value of the local preference attribute is 100. You can set local preference by using the bgp default local-preference router configuration command or by using a route map.
Chapter 34 Configuring IP Unicast Routing Configuring BGP Command Purpose Step 7 bgp bestpath med missing-as-worst (Optional) Configure the switch to consider a missing MED as having a value of infinity, making the path without a MED value the least desirable path. Step 8 bgp always-compare med (Optional) Configure the switch to compare MEDs for...
Chapter 34 Configuring IP Unicast Routing Configuring BGP Command Purpose Step 3 set ip next-hop ip-address [...ip-address] (Optional) Set a route map to disable next-hop processing [peer-address] In an inbound route map, set the next hop of matching routes to •...
BGP autonomous system paths. Each filter is an access list based on regular expressions. (Refer to the “Regular Expressions” appendix in the Cisco IOS Dial Services Command Reference for more information on forming regular expressions.) To use this method, define an autonomous system path access list, and apply it to updates to and from particular neighbors.
Chapter 34 Configuring IP Unicast Routing Configuring BGP You do not need to specify a sequence number when removing a configuration entry. Show commands include the sequence numbers in their output. Before using a prefix list in a command, you must set up the prefix list. Beginning in privileged EXEC mode, follow these steps to create a prefix list or to add an entry to a prefix list: Command Purpose...
Page 769
(Optional) Display and parse BGP communities in the format AA:NN. A BGP community is displayed in a two-part format 2 bytes long. The Cisco default community format is in the format NNAA. In the most recent RFC for BGP, a community takes the form AA:NN, where the first part is the AS number and the second part is a 2-byte number.
Chapter 34 Configuring IP Unicast Routing Configuring BGP Configuring BGP Neighbors and Peer Groups Often many BGP neighbors are configured with the same update policies (that is, the same outbound route maps, distribute lists, filter lists, update source, and so on). Neighbors with the same update policies can be grouped into peer groups to simplify configuration and to make updating more efficient.
Page 771
Chapter 34 Configuring IP Unicast Routing Configuring BGP Command Purpose Step 13 neighbor {ip-address | peer-group-name} (Optional) Control how many prefixes can be received from a maximum-prefix maximum [threshold] neighbor. The range is 1 to 4294967295. The threshold (optional) is the percentage of maximum at which a warning message is generated.
Chapter 34 Configuring IP Unicast Routing Configuring BGP Configuring Aggregate Addresses Classless interdomain routing (CIDR) enables you to create aggregate routes (or supernets) to minimize the size of routing tables. You can configure aggregate routes in BGP either by redistributing an aggregate route into BGP or by creating an aggregate entry in the BGP routing table.
Chapter 34 Configuring IP Unicast Routing Configuring BGP To configure a BGP confederation, you must specify a confederation identifier that acts as the autonomous system number for the group of autonomous systems. Beginning in privileged EXEC mode, use these commands to configure a BGP confederation: Command Purpose Step 1...
Chapter 34 Configuring IP Unicast Routing Configuring BGP Beginning in privileged EXEC mode, use these commands to configure a route reflector and clients: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router bgp autonomous-system Enter BGP router configuration mode. Step 3 neighbor ip-address | peer-group-name Configure the local router as a BGP route reflector and the...
Table 34-8 lists the privileged EXEC commands for clearing and displaying BGP. For explanations of the display fields, refer to the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. Table 34-11 IP BGP Clear and Show Commands...
RIP. For a complete description of the IP routing protocol-independent commands in this chapter, refer to the “IP Routing Protocol-Independent Commands” chapter of the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
Page 777
Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features The two main components in dCEF are the distributed FIB and the distributed adjacency tables. The FIB is similar to a routing table or information base and maintains a mirror image of the •...
Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features Configuring the Number of Equal-Cost Routing Paths When a router has two or more routes to the same network with the same metrics, these routes can be thought of as having an equal cost. The term parallel path is another way to refer to occurrences of equal-cost routes in a routing table.
Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features Use the no ip route prefix mask {address | interface} global configuration command to remove a static route. The switch retains static routes until you remove them. However, you can override static routes with dynamic routing information by assigning administrative distance values.
The system periodically scans its routing table to choose the optimal default network as its default route. In IGRP networks, there might be several candidate networks for the system default. Cisco routers use administrative distance and metric information to set the default route or the gateway of last resort.
Page 781
Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features You can also identify route-map statements as permit or deny. If the statement is marked as a deny, the packets meeting the match criteria are sent back through the normal forwarding channels (destination-based routing).
Page 782
Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Step 11 match route-type {local | internal | external [type-1 | Match the specified route-type: type-2]} local—Locally generated BGP routes. • • internal—OSPF intra-area and interarea routes or EIGRP internal routes. external—OSPF external routes (Type 1 or Type 2) •...
Page 783
Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Step 23 show route-map Display all route maps configured or only the one specified to verify configuration. Step 24 copy running-config startup-config (Optional) Save your entries in the configuration file. To delete an entry, use the no route-map map tag global configuration command or the no match or no set route-map configuration commands.
For details about PBR commands and keywords, refer to the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of PBR commands that are visible but not supported by the switch, see Appendix C, “Unsupported Commands in Cisco IOS Release 12.2(20)SE.”...
Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features PBR Configuration Guidelines Before configuring PBR, you should be aware of this information: To use PBR, you must have the EMI installed on the stack master. • Multicast traffic is not policy-routed. PBR applies to only to unicast traffic. •...
Page 786
Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features Beginning in privileged EXEC mode, follow these steps to configure PBR: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 route-map map-tag [permit | deny] [sequence Define any route maps used to control where packets are number] output, and enter route-map configuration mode.
Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Step 14 show ip local policy (Optional) Display whether or not local policy routing is enabled and, if so, the route map being used. Step 15 copy running-config startup-config (Optional) Save your entries in the configuration file.
Chapter 34 Configuring IP Unicast Routing Configuring Protocol-Independent Features Use a network monitoring privileged EXEC command such as show ip ospf interface to verify the interfaces that you enabled as passive, or use the show ip interface privileged EXEC command to verify the interfaces that you enabled as active.
Chapter 34 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network Command Purpose Step 4 key-string text Identify the key string. The string can contain from 1 to 80 uppercase and lowercase alphanumeric characters, but the first character cannot be a number. Step 5 accept-lifetime start-time {infinite | end-time | duration (Optional) Specify the time period during which the key...
For complete syntax and usage information for the commands used in this chapter, refer to the switch Note command reference for this release and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2. This chapter consists of these sections: •...
2 as an active router with another interface on switch 1 as its standby router. Note Cisco IOS Release 12.2(18)SE and above supports Multiple HSRP (MHSRP), an extension of HSRP that allows load sharing between two or more Hot Standby groups.
Chapter 35 Configuring HSRP Configuring HSRP Default HSRP Configuration Table 35-1 shows the default HSRP configuration. Table 35-1 Default HSRP Configuration Feature Default Setting HSRP groups None configured Standby group number Standby MAC address System assigned as: 0000.0c07.acXX, where XX is the HSRP group number Standby priority Standby delay...
Chapter 35 Configuring HSRP Configuring HSRP Beginning in privileged EXEC mode, follow these steps to create or enable HSRP on a Layer 3 interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and enter the Layer 3 interface on which you want to enable HSRP.
Chapter 35 Configuring HSRP Configuring HSRP Configuring HSRP Priority The standby priority, standby preempt, and standby track interface configuration commands are all used to set characteristics for finding active and standby routers and behavior regarding when a new active router takes over. When configuring priority, follow these guidelines: •...
Page 797
Chapter 35 Configuring HSRP Configuring HSRP Figure 35-2 MHSRP Load Sharing Active router for group 1 Active router for group 2 Standby router for group 2 Standby router for group 1 Router A Router B 10.0.0.1 E0 10.0.0.2 Client 1 Client 2 Client 3 Client 4...
Page 798
Chapter 35 Configuring HSRP Configuring HSRP Beginning in privileged EXEC mode, use one or more of these steps to configure HSRP priority characteristics on an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and enter the HSRP interface on which you want to set priority.
[group-number] authentication string (Optional) authentication string—Enter a string to be carried in all HSRP messages. The authentication string can be up to eight characters in length; the default string is cisco. (Optional) group-number—The group number to which the command applies.
Switch# Enabling HSRP Support for ICMP Redirect Messages In releases earlier than Cisco IOS Release 12.2(18)SE, ICMP (Internet Control Message Protocol) redirect messages were automatically disabled on interfaces configured with HSRP. ICMP is a network layer Internet protocol that provides message packets to report errors and other information relevant to IP processing.
HSRP. This feature filters outgoing ICMP redirect messages through HSRP, in which the next hop IP address might be changed to an HSRP virtual IP address. For more information, refer to the Cisco IOS IP Configuration Guide, Release 12.2.
To use this feature, the stack master must be running the enhanced multilayer image (EMI). Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Note IP Command Reference, Volume 3 of 3: Multicast, Release 12.2.
• Internet (MBONE). The software supports PIM-to-DVMRP interaction. • Cisco Group Management Protocol (CGMP) is used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. Figure 36-1 shows where these protocols operate within the IP multicast environment.
Chapter 36 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing what members it has can vary from group to group and from time to time. A multicast group can be active for a long time, or it can be very short-lived. Membership in a group can constantly change. A group that has members can have no activity.
Chapter 36 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing PIM Versions PIMv2 includes these improvements over PIMv1: A single, active rendezvous point (RP) exists per multicast group, with multiple backup RPs. This • single RP compares to multiple active RPs for the same group in PIMv1.
This proprietary feature eliminates the need to manually configure the RP information in every router and multilayer switch in the network. For Auto-RP to work, you configure a Cisco router or multilayer switch as the mapping agent. It uses IP multicast to learn which routers or switches in the network are possible candidate RPs to receive candidate RP announcements.
Chapter 36 Configuring IP Multicast Routing Understanding Cisco’s Implementation of IP Multicast Routing Multicast Forwarding and Reverse Path Check With unicast routing, routers and multilayer switches forward traffic through the network along a single path from the source to the destination host whose IP address appears in the destination address field of the IP packet.
This protocol has been deployed in the MBONE and in other intradomain multicast networks. Cisco routers and multilayer switches run PIM and can forward multicast packets to and receive from a DVMRP neighbor. It is also possible to propagate DVMRP routes into and through a PIM cloud. The software propagates DVMRP routes and builds a separate database for these routes on each router and multilayer switch, but PIM uses this routing information to make the packet-forwarding decision.
(required if the interface is in sparse-dense mode, and • you want to treat the group as a sparse group) Using Auto-RP and a BSR, page 36-22 (required for non-Cisco PIMv2 devices to interoperate with • Cisco PIM v1 devices)) Monitoring the RP Mapping Information, page 36-23 (optional) •...
PIMv2 BSR. However, Auto-RP is a standalone protocol, separate from PIMv1, and is a proprietary Cisco protocol. PIMv2 is a standards track protocol in the IETF. We recommend that you use PIMv2. The BSR mechanism interoperates with Auto-RP on Cisco routers and multilayer switches.
If you have a network that includes non-Cisco routers, configure the Auto-RP mapping agent and • the BSR on a Cisco PIMv2 router or multilayer switch. Ensure that no PIMv1 device is on the path between the BSR and a non-Cisco PIMv2 router.
Page 813
Chapter 36 Configuring IP Multicast Routing Configuring IP Multicast Routing By default, multicast routing is disabled, and there is no default mode setting. This procedure is required. Beginning in privileged EXEC mode, follow these steps to enable IP multicasting, to configure a PIM version, and to configure a PIM mode.
You can use several methods, as described in these sections: Manually Assigning an RP to Multicast Groups, page 36-12 • Configuring Auto-RP, page 36-14 (a standalone, Cisco-proprietary protocol separate from PIMv1) • Configuring PIMv2 BSR, page 36-18 (a standards track protocol in the Internet Engineering Task •...
Page 815
Chapter 36 Configuring IP Multicast Routing Configuring IP Multicast Routing Beginning in privileged EXEC mode, follow these steps to manually configure the address of the RP. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip pim rp-address ip-address Configure the address of a PIM RP.
Configuring IP Multicast Routing Configuring Auto-RP Auto-RP uses IP multicast to automate the distribution of group-to-RP mappings to all Cisco routers and multilayer switches in a PIM network. It has these benefits: It is easy to use multiple RPs within a network to serve different group ranges.
Page 817
Chapter 36 Configuring IP Multicast Routing Configuring IP Multicast Routing Beginning in privileged EXEC mode, follow these steps to deploy Auto-RP in an existing sparse-mode cloud. This procedure is optional. Command Purpose Step 1 show running-config Verify that a default RP is already configured on all PIM devices and the RP in the sparse-mode network.
Page 818
Chapter 36 Configuring IP Multicast Routing Configuring IP Multicast Routing Command Purpose Step 5 ip pim send-rp-discovery scope ttl Find a switch whose connectivity is not likely to be interrupted, and assign it the role of RP-mapping agent. For scope ttl, specify the time-to-live value in hops to limit the RP discovery packets.
Page 819
Chapter 36 Configuring IP Multicast Routing Configuring IP Multicast Routing Filtering Incoming RP Announcement Messages You can add configuration commands to the mapping agents to prevent a maliciously configured router from masquerading as a candidate RP and causing problems. Beginning in privileged EXEC mode, follow these steps to filter incoming RP announcement messages. This procedure is optional.
Chapter 36 Configuring IP Multicast Routing Configuring IP Multicast Routing This example shows a sample configuration on an Auto-RP mapping agent that is used to prevent candidate RP announcements from being accepted from unauthorized candidate RPs: Switch(config)# ip pim rp-announce-filter rp-list 10 group-list 20 Switch(config)# access-list 10 permit host 172.16.5.1 Switch(config)# access-list 10 permit host 172.16.2.1 Switch(config)# access-list 20 deny 239.0.0.0 0.0.255.255...
Page 821
Chapter 36 Configuring IP Multicast Routing Configuring IP Multicast Routing To remove the PIM border, use the no ip pim bsr-border interface configuration command. Figure 36-3 Constraining PIMv2 BSR Messages PIMv2 sparse-mode network Configure the Configure the ip pim bsr-border ip pim bsr-border command on command on...
Page 822
Chapter 36 Configuring IP Multicast Routing Configuring IP Multicast Routing To remove the boundary, use the no ip multicast boundary interface configuration command. This example shows a portion of an IP multicast boundary configuration that denies Auto-RP information: Switch(config)# access-list 1 deny 224.0.1.39 Switch(config)# access-list 1 deny 224.0.1.40 Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# ip multicast boundary 1...
Page 823
IP multicast address space or a portion of it. Candidate RPs send candidate RP advertisements to the BSR. When deciding which devices should be RPs, consider these options: • In a network of Cisco routers and multilayer switches where only Auto-RP is used, any device can be configured as an RP. •...
Switch(config)# access-list 4 permit 239.0.0.0 0.255.255.255 Using Auto-RP and a BSR If there are only Cisco devices in you network (no routers from other vendors), there is no need to configure a BSR. Configure Auto-RP in a network that is running both PIMv1 and PIMv2.
Chapter 36 Configuring IP Multicast Routing Configuring Advanced PIM Features Monitoring the RP Mapping Information To monitor the RP mapping information, use these commands in privileged EXEC mode: • show ip pim bsr displays information about the elected BSR. show ip pim rp-hash group displays the RP that was selected for the specified group. •...
Page 826
Chapter 36 Configuring IP Multicast Routing Configuring Advanced PIM Features Figure 36-4 Shared Tree and Source Tree (Shortest-Path Tree) Source Router B Router A Source tree Shared tree (shortest from RP path tree) Router C Receiver If the data rate warrants, leaf routers (routers without any downstream connections) on the shared tree can use the data distribution tree rooted at the source.
Chapter 36 Configuring IP Multicast Routing Configuring Advanced PIM Features Delaying the Use of PIM Shortest-Path Tree The change from shared to source tree happens when the first data packet arrives at the last-hop router (Router C in Figure 36-4). This change occurs because the ip pim spt-threshold global configuration command controls that timing.
Chapter 36 Configuring IP Multicast Routing Configuring Advanced PIM Features Command Purpose Step 4 Return to privileged EXEC mode. Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no ip pim spt-threshold {kbps | infinity} global configuration command.
Chapter 36 Configuring IP Multicast Routing Configuring Optional IGMP Features Configuring Optional IGMP Features These sections describe how to configure optional IGMP features: • Default IGMP Configuration, page 36-27 Configuring the Switch as a Member of a Group, page 36-27 (optional) •...
Chapter 36 Configuring IP Multicast Routing Configuring Optional IGMP Features Beginning in privileged EXEC mode, follow these steps to configure the switch to be a member of a group. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration...
Chapter 36 Configuring IP Multicast Routing Configuring Optional IGMP Features Command Purpose Step 5 access-list access-list-number {deny | Create a standard access list. permit} source [source-wildcard] For access-list-number, specify the access list created in Step 3. • • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
Chapter 36 Configuring IP Multicast Routing Configuring Optional IGMP Features Command Purpose Step 5 show ip igmp interface [interface-id] Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no ip igmp version interface configuration command. Modifying the IGMP Host-Query Message Interval The switch periodically sends IGMP host-query messages to discover which multicast groups are present on attached networks.
Chapter 36 Configuring IP Multicast Routing Configuring Optional IGMP Features Changing the IGMP Query Timeout for IGMPv2 If you are using IGMPv2, you can specify the period of time before the switch takes over as the querier for the interface. By default, the switch waits twice the query interval controlled by the ip igmp query-interval interface configuration command.
Chapter 36 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features To return to the default setting, use the no ip igmp query-max-response-time interface configuration command. Configuring the Switch as a Statically Connected Member Sometimes there is either no group member on a network segment or a host cannot report its group membership by using IGMP.
The switch serves as a CGMP server for devices that do not support IGMP snooping but have CGMP client functionality. CGMP is a protocol used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. CGMP is necessary because the Layer 2 switch cannot distinguish between IP multicast data packets and IGMP report messages, which are both at the MAC-level and are addressed to the same group address.
Chapter 36 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Configuring sdr Listener Support The MBONE is the small subset of Internet routers and hosts that are interconnected and capable of forwarding IP multicast traffic. Other multimedia content is often broadcast over the MBONE. Before you can join a multimedia session, you need to know what multicast group address and port are being used for the session, when the session is going to be active, and what sort of applications (audio, video, and so forth) are required on your workstation.
Chapter 36 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Limiting How Long an sdr Cache Entry Exists By default, entries are never deleted from the sdr cache. You can limit how long the entry remains active so that if a source stops advertising SAP information, old advertisements are not needlessly kept. Beginning in privileged EXEC mode, follow these steps to limit how long an sdr cache entry stays active in the cache.
Page 838
Chapter 36 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Figure 36-5 Administratively-Scoped Boundaries Company XYZ Engineering Marketing 239.128.0.0/16 239.0.0.0/8 You can define an administratively-scoped boundary on a routed interface for multicast group addresses. A standard access list defines the range of addresses affected. When a boundary is defined, no multicast data packets are allowed to flow across the boundary from either direction.
DVMRP routers or interoperate with DVMRP routers over an MBONE tunnel. DVMRP advertisements produced by the Cisco IOS software can cause older versions of the mrouted protocol to corrupt their routing tables and those of their neighbors.
Page 840
Chapter 36 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Beginning in privileged EXEC mode, follow these steps to configure the sources that are advertised and the metrics that are used when DVMRP route-report messages are sent. This procedure is optional. Command Purpose Step 1...
You cannot configure a DVMRP tunnel between two routers. When a Cisco router or multilayer switch runs DVMRP through a tunnel, it advertises sources in DVMRP report messages, much as it does on real networks. The software also caches DVMRP report messages it receives and uses them in its RPF calculation.
Page 842
Chapter 36 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Beginning in privileged EXEC mode, follow these steps to configure a DVMRP tunnel. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | Create a standard access list, repeating the command as many times as permit} source [source-wildcard]...
This example shows how to configure a DVMRP tunnel. In this configuration, the IP address of the tunnel on the Cisco switch is assigned unnumbered, which causes the tunnel to appear to have the same IP address as port 1. The tunnel endpoint source address is 172.16.2.1, and the tunnel endpoint address of the remote DVMRP router to which the tunnel is connected is 192.168.1.10.
171.69.214.18 -> 171.69.214.17 (mm1-45a.cisco.com) [1/0/pim] Configuring Advanced DVMRP Interoperability Features Cisco routers and multilayer switches run PIM to forward multicast packets to receivers and receive multicast packets from senders. It is also possible to propagate DVMRP routes into and through a PIM cloud.
DVMRP unicast routes, to which PIM can then reverse-path forward. Cisco devices do not perform DVMRP multicast routing among each other, but they can exchange DVMRP routes. The DVMRP routes provide a multicast topology that might differ from the unicast topology.
Page 846
Chapter 36 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Figure 36-6 Leaf Nonpruning DVMRP Neighbor Source router or RP PIM dense mode Router A Valid Router B multicast Receiver traffic Layer 3 switch Unnecessary multicast traffic Leaf nonpruning DVMRP device Stub LAN with no members You can prevent the switch from peering (communicating) with a DVMRP neighbor if that neighbor does...
Page 847
Chapter 36 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Figure 36-7 Router Rejects Nonpruning DVMRP Neighbor Source router or RP Router A Multicast Router B traffic gets Receiver to receiver, not to leaf DVMRP device Layer 3 switch Configure the ip dvmrp reject-non-pruners command on this interface.
Chapter 36 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Controlling Route Exchanges These sections describe how to tune the Cisco device advertisements of DVMRP routes: • Limiting the Number of DVMRP Routes Advertised, page 36-46 (optional) Changing the DVMRP Route Threshold, page 36-46 (optional) •...
Cisco router that is not on these two Ethernet segments does not properly RPF-check on the DVMRP router and is discarded. You can force the Cisco router to advertise the summary address (specified by the address and mask pair in the ip dvmrp summary-address address mask interface configuration command) in place of any route that falls in this address range.
Page 850
176.32.10.0/24 m = 1 ip pim dense-mode 176.32.15.0/24 m = 1 DVMRP router interface fastethernet1/0/2 ip addr 176.32.15.1 255.255.255.0 ip pim dense-mode Tunnel Cisco DVMRP Route Table Unicast Routing Table (10,000 Routes) router Network Intf Metric Dist Src Network Intf Metric Dist 176.13.10.0/24 Fa1/0/1 10514432 90...
Chapter 36 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Disabling DVMRP Autosummarization By default, the software automatically performs some level of DVMRP summarization. Disable this function if you want to advertise all routes, not just a summary. In some special cases, you can use the neighboring DVMRP router with all subnet information to better control the flow of multicast traffic in the DVMRP network.
Chapter 36 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Beginning in privileged EXEC mode, follow these steps to change the default metric. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode.
Chapter 36 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Clearing Caches, Tables, and Databases You can remove all contents of a particular cache, table, or database. Clearing a cache, table, or database might be necessary when the contents of the particular structure are or suspected to be invalid. You can use any of the privileged EXEC commands in Table 36-4 to clear IP multicast caches, tables,...
Chapter 36 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Table 36-5 Commands for Displaying System and Network Statistics (continued) Command Purpose show ip mpacket [source-address | name] Display the contents of the circular cache-header [group-address | name] [detail] buffer.
To use this feature, the stack master must be running the enhanced multilayer image (EMI). Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Note IP Command Reference, Volume 3 of 3: Multicast, Release 12.2.
Chapter 37 Configuring MSDP Understanding MSDP The purpose of this topology is to have domains discover multicast sources in other domains. If the multicast sources are of interest to a domain that has receivers, multicast data is delivered over the normal, source-tree building mechanism in PIM-SM.
Chapter 37 Configuring MSDP Understanding MSDP Figure 37-1 MSDP Running Between RP Peers MSDP peer RP + MSDP peer MSDP SA Peer RPF flooding MSDP SA TCP connection Receiver MSDP peer Register Multicast (S,G) Join Source PIM sparse-mode domain MSDP Benefits MSDP has these benefits: It breaks up the shared multicast distribution tree.
Chapter 37 Configuring MSDP Configuring MSDP Command Purpose Step 3 ip prefix-list name [description string] | (Optional) Create a prefix list using the name specified in Step 2. seq number {permit | deny} network (Optional) For description string, enter a description of up to 80 •...
Page 861
Chapter 37 Configuring MSDP Configuring MSDP Beginning in privileged EXEC mode, follow these steps to enable the caching of source/group pairs. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip msdp cache-sa-state [list Enable the caching of source/group pairs (create an SA state).
Chapter 37 Configuring MSDP Configuring MSDP Requesting Source Information from an MSDP Peer Local RPs can send SA requests and get immediate responses for all active sources for a given group. By default, the switch does not send any SA request messages to its MSDP peers when a new member joins a group and wants to receive multicast traffic.
Chapter 37 Configuring MSDP Configuring MSDP Controlling Source Information that Your Switch Originates You can control the multicast source information that originates with your switch: • Sources you advertise (based on your sources) Receivers of source information (based on knowing the requestor) •...
Page 864
Chapter 37 Configuring MSDP Configuring MSDP Command Purpose Step 3 access-list access-list-number {deny | Create an IP standard access list, repeating the command as many times permit} source [source-wildcard] as necessary. access-list access-list-number {deny | Create an IP extended access list, repeating the command as many times permit} protocol source source-wildcard as necessary.
Chapter 37 Configuring MSDP Configuring MSDP Filtering Source-Active Request Messages By default, only switches that are caching SA information can respond to SA requests. By default, such a switch honors all SA request messages from its MSDP peers and supplies the IP addresses of the active sources.
Chapter 37 Configuring MSDP Configuring MSDP Controlling Source Information that Your Switch Forwards By default, the switch forwards all SA messages it receives to all its MSDP peers. However, you can prevent outgoing messages from being forwarded to a peer by using a filter or by setting a time-to-live (TTL) value.
Page 867
This example shows how to allow only (S,G) pairs that pass access list 100 to be forwarded in an SA message to the peer named switch.cisco.com: Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet1/0/1 Switch(config)# ip msdp sa-filter out switch.cisco.com list 100 Switch(config)# access-list 100 permit ip 171.69.0.0 0.0.255.255 224.20 0 0.0.255.255 Catalyst 3750 Switch Software Configuration Guide...
Chapter 37 Configuring MSDP Configuring MSDP Using TTL to Limit the Multicast Data Sent in SA Messages You can use a TTL value to control what data is encapsulated in the first SA message for every source. Only multicast packets with an IP-header TTL greater than or equal to the ttl argument are sent to the specified MSDP peer.
Page 869
To remove the filter, use the no ip msdp sa-filter in {ip-address | name} [list access-list-number] [route-map map-tag] global configuration command. This example shows how to filter all SA messages from the peer named switch.cisco.com: Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet1/0/1 Switch(config)# ip msdp sa-filter in switch.cisco.com...
Chapter 37 Configuring MSDP Configuring MSDP Configuring an MSDP Mesh Group An MSDP mesh group is a group of MSDP speakers that have fully meshed MSDP connectivity among one another. Any SA messages received from a peer in a mesh group are not forwarded to other peers in the same mesh group.
Chapter 37 Configuring MSDP Configuring MSDP Beginning in privileged EXEC mode, follow these steps to shut down a peer. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip msdp shutdown {peer-name | peer Administratively shut down the specified MSDP peer without losing address} configuration information.
Chapter 37 Configuring MSDP Configuring MSDP Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Note that the ip msdp originator-id global configuration command also identifies an interface to be used as the RP address.
Chapter 37 Configuring MSDP Monitoring and Maintaining MSDP Monitoring and Maintaining MSDP To monitor MSDP SA messages, peers, state, or peer status, use one or more of the privileged EXEC commands in Table 37-1: Table 37-1 Commands for Monitoring and Maintaining MSDP Command Purpose debug ip msdp [peer-address | name] [detail] [routes]...
To use this feature, the stack master must be running the enhanced multilayer image (EMI). Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Note Bridging and IBM Networking Command Reference, Volume 1 of 2, Release 12.2.
Page 876
Chapter 38 Configuring Fallback Bridging Understanding Fallback Bridging acts like a port on a router, but it is not connected to a router. A routed port is not associated with a particular VLAN, does not support VLAN subinterfaces, but behaves like a normal routed port. For more information about SVIs and routed ports, see Chapter 11, “Configuring Interface Characteristics.”...
Chapter 38 Configuring Fallback Bridging Configuring Fallback Bridging Fallback Bridging and Switch Stacks When the stack master fails, a stack member becomes the new stack master by using the election process described in Chapter 5, “Managing Switch Stacks.” The new stack master creates new VLAN-bridge spanning-tree instance, which temporarily puts the spanning-tree ports used for fallback bridging into a nonforwarding state.
Chapter 38 Configuring Fallback Bridging Configuring Fallback Bridging Default Fallback Bridging Configuration Table 38-1 shows the default fallback bridging configuration. Table 38-1 Default Fallback Bridging Configuration Feature Default Setting Bridge groups None are defined or assigned to a port. No VLAN-bridge STP is defined.
Page 879
Chapter 38 Configuring Fallback Bridging Configuring Fallback Bridging Beginning in privileged EXEC mode, follow these steps to create a bridge group and to assign an interface to it. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 bridge bridge-group protocol Assign a bridge group number, and specify the VLAN-bridge...
Poorly planned adjustments can have a negative impact on performance. A good source on switching is the IEEE 802.1D specification. For more information, refer to the “References and Recommended Reading” appendix in the Cisco IOS Configuration Fundamentals Command Reference.
Chapter 38 Configuring Fallback Bridging Configuring Fallback Bridging Changing the VLAN-Bridge Spanning-Tree Priority You can globally configure the VLAN-bridge spanning-tree priority of a switch when it ties with another switch for the position as the root switch. You also can configure the likelihood that the switch will be selected as the root switch.
Chapter 38 Configuring Fallback Bridging Configuring Fallback Bridging Command Purpose Step 5 show running-config Verify your entry. Step 6 copy running-config startup-config (Optional) Save your entry in the configuration file. To return to the default setting, use the no bridge-group bridge-group priority interface configuration command.
Chapter 38 Configuring Fallback Bridging Configuring Fallback Bridging Adjusting BPDU Intervals You can adjust BPDU intervals as described in these sections: Adjusting the Interval between Hello BPDUs, page 38-9 (optional) • Changing the Forward-Delay Interval, page 38-10 (optional) • Changing the Maximum-Idle Interval, page 38-10 (optional) •...
Page 884
Chapter 38 Configuring Fallback Bridging Configuring Fallback Bridging Changing the Forward-Delay Interval The forward-delay interval is the amount of time spent listening for topology change information after a port has been activated for switching and before forwarding actually begins. Beginning in privileged EXEC mode, follow these steps to change the forward-delay interval. This procedure is optional.
[bridge-group] [interface-id | mac-address | verbose] privileged EXEC command at the stack member prompt. For information about the fields in these displays, refer to the Cisco IOS Bridging and IBM Networking Command Reference, Volume 1 of 2, Release 12.2.
C H A P T E R Troubleshooting This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the Catalyst 3750 switch. Depending on the nature of the problem, you can use the command-line interface (CLI) or the Cluster Management Suite (CMS) to identify and solve problems.
From your PC, download the software image tar file (image_filename.tar) from Cisco.com. Step 1 The Cisco IOS image is stored as a bin file in a directory in the tar file. For information about locating the software image files on Cisco.com, refer to the release notes.
Page 889
Step 11 start the transfer and to copy the software image into flash memory. Step 12 Boot the newly downloaded Cisco IOS image. switch:boot flash: image_filename.bin Step 13 Use the archive download-sw privileged EXEC command to download the software image to the switch or to the switch stack.
Chapter 39 Troubleshooting Recovering from a Lost or Forgotten Password Recovering from a Lost or Forgotten Password The default configuration for the switch allows an end user with physical access to the switch to recover from a lost password by interrupting the boot process during power-on and by entering a new password. These recovery procedures require that you have physical access to the switch.
Chapter 39 Troubleshooting Recovering from a Lost or Forgotten Password Procedure with Password Recovery Enabled If the password-recovery mechanism is enabled, this message appears: The system has been interrupted prior to initializing the flash file system. The following commands will initialize the flash file system, and finish loading the operating system software: flash_init load_helper...
Chapter 39 Troubleshooting Recovering from a Lost or Forgotten Password Copy the configuration file into memory: Step 9 Switch# copy flash: config.text system: running-config Source filename [config.text]? Destination filename [running-config]? Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password. Enter global configuration mode: Step 10 Switch# configure terminal...
Page 893
Chapter 39 Troubleshooting Recovering from a Lost or Forgotten Password If you enter n (no), the normal boot process continues as if the Mode button had not been pressed; • you cannot access the boot loader prompt, and you cannot enter a new password. You see the message: Press Enter to continue..
Chapter 39 Troubleshooting Preventing Switch Stack Problems Write the running configuration to the startup configuration file: Step 9 Switch# copy running-config startup-config The new password is now in the startup configuration. This procedure is likely to leave your switch virtual interface in a shutdown state. You can see Note which interface is in this state by entering the show running-config privileged EXEC command.
Chapter 39 Troubleshooting Recovering from a Command Switch Failure For the commands that you can use to monitor the switch stack and its members, see the “Displaying Switch Stack Information” section on page 5-20. Recovering from a Command Switch Failure This section describes how to recover from a failed command switch.
Page 896
Chapter 39 Troubleshooting Recovering from a Command Switch Failure Enter global configuration mode. Step 6 Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Remove the member switch from the cluster. Step 7 Switch(config)# no cluster commander-address Return to privileged EXEC mode.
Chapter 39 Troubleshooting Recovering from a Command Switch Failure Start your browser, and enter the IP address of the new command switch. Step 17 From the Cluster menu, select Add to Cluster to display a list of candidate switches to add to the cluster. Step 18 Replacing a Failed Command Switch with Another Switch To replace a failed command switch with a switch that is command-capable but not part of the cluster,...
Chapter 39 Troubleshooting Recovering from Lost Cluster Member Connectivity Enter Y at the first prompt. Step 6 The prompts in the setup program vary depending on the switch you selected to be the command switch: Continue with configuration dialog? [yes/no]: y Configuring global parameters: If this prompt does not appear, enter enable, and press Return.
Troubleshooting Power over Ethernet Switch Ports If a powered device (such as a Cisco IP Phone 7910) that is connected to a Power over Ethernet (PoE) switch port and is being powered by an AC power source loses power from the AC power source, the device might enter an error-disabled state.
For more information about error messages, refer to the system message guide for this release. If you are using a non-Cisco approved SFP module, remove the SFP module from the switch, and replace it with a Cisco-approved module. After inserting a Cisco-approved SFP module, use the errdisable recovery cause gbic-invalid global configuration command to verify the port status, and enter a time interval for recovering from the error-disabled state.
Chapter 39 Troubleshooting Using Ping Executing Ping If you attempt to ping a host in a different IP subnetwork, you must define a static route to the network or have IP routing configured to route between those subnets. For more information, see Chapter 34, “Configuring IP Unicast Routing.”...
Usage Guidelines These are the Layer 2 traceroute usage guidelines: Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 • traceroute to function properly, do not disable CDP. For a list of switches that support Layer 2 traceroute, see the “Usage Guidelines”...
Chapter 39 Troubleshooting Using IP Traceroute The traceroute mac ip command output shows the Layer 2 path when the specified source and • destination IP addresses belong to the same subnet. When you specify the IP addresses, the switch uses the Address Resolution Protocol (ARP) to associate the IP addresses with the corresponding MAC addresses and the VLAN IDs.
Chapter 39 Troubleshooting Using IP Traceroute of 1 or 0, it drops the datagram and sends an Internet Control Message Protocol (ICMP) time-to-live-exceeded message to the sender. Traceroute finds the address of the first hop by examining the source address field of the ICMP time-to-live-exceeded message. To identify the next hop, traceroute sends a UDP packet with a TTL value of 2.
• Understanding TDR In Cisco IOS Release 12.1(19)EA1 or later, you can use the Time Domain Reflector (TDR) feature to diagnose and resolve cabling problems. When running TDR, a local device sends a signal through a cable and compares the reflected signal to the initial signal.
Chapter 39 Troubleshooting Using TDR Running TDR and Displaying the Results When you run TDR on an interface, you can run it on the stack master or a stack member. To run TDR, enter the test cable-diagnostics tdr interface interface-id privileged EXEC command: Switch# test cable-diagnostics tdr interface gigabitethernet1/0/2 TDR test started on interface Gi1/0/2 A TDR test can take a few seconds to run on an interface...
For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Chapter 39 Troubleshooting Using Debug Commands Enabling Debugging on a Specific Feature When you enable debugging, it is enabled only on the stack master. To enable debugging on a stack member, you must start a session from the stack master by using the session switch-number privileged EXEC command.
Chapter 39 Troubleshooting Using the show platform forward Command Possible destinations include the console, virtual terminals, internal buffer, and UNIX hosts running a syslog server. The syslog format is compatible with 4.3 Berkeley Standard Distribution (BSD) UNIX and its derivatives. Be aware that the debugging destination you use affects system overhead.
Page 910
Chapter 39 Troubleshooting Using the show platform forward Command ------------------------------------------ Packet 1 Lookup Key-Used Index-Hit A-Data OutptACL 50_0D020202_0D010101-00_40000014_000A0000 01FFE 03000000 Port Vlan SrcMac DstMac Dscpv Gi1/0/1 0005 0001.0001.0001 0002.0002.0002 ------------------------------------------ Packet 2 Lookup Key-Used Index-Hit A-Data OutptACL 50_0D020202_0D010101-00_40000014_000A0000 01FFE 03000000 Port Vlan SrcMac...
Cisco IOS image to fail (crash). The switch writes the crash information to the console at the time of the failure, and the file is created the next time you boot the Cisco IOS image after the failure (instead of while the system is failing).
Page 912
Chapter 39 Troubleshooting Using the crashinfo File You can display the most recent crashinfo file (that is, the file with the highest sequence number at the end of its filename) by entering the show stacks or the show tech-support privileged EXEC command. You also can access the file by using any command that can copy or display files, such as the more or the copy privileged EXEC command.
CISCO-PAE-MIB • CISCO-PAGP-MIB CISCO-PING-MIB • CISCO-PROCESS-MIB (Only stack master details are shown.) • CISCO-RTTMON-MIB • CISCO-STACK-MIB (Partial support: for some objects, only stack master information is supported. • ENTITY MIB is a better alternative.) CISCO-STACKMAKER-MIB • CISCO-STP-EXTENSIONS-MIB • CISCO-SYSLOG-MIB •...
You can also use this URL for a list of supported MIBs for the Catalyst 3750 switch: Note ftp://ftp.cisco.com/pub/mibs/supportlists/cat3750/cat3750-supportlist.html You can access other information about MIBs and Cisco products on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml Using FTP to Access the MIB Files You can obtain each MIB file by using this procedure: Use FTP to access the server ftp.cisco.com.
Page 916
Appendix A Supported MIBs Using FTP to Access the MIB Files Catalyst 3750 Switch Software Configuration Guide 78-16180-02...
Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. For complete syntax and usage information for the commands used in this chapter, refer to the switch Note command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. This appendix consists of these sections: •...
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Displaying Information about Files on a File System, page B-3 • Creating and Removing Directories, page B-4 • • Copying Files, page B-5 •...
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Table B-1 show file systems Field Descriptions (continued) Field Value Prefixes Alias for file system. flash:—Flash file system. nvram:—NVRAM. null:—Null destination for copies. You can copy a remote file to null to find its size.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Changing Directories and Displaying the Working Directory Beginning in privileged EXEC mode, follow these steps to change directories and display the working directory.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Copying Files To copy a file from a source to a destination, use the copy source-url destination-url privileged EXEC command. For the source and destination URLs, you can use running-config and startup-config keyword shortcuts.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Creating, Displaying, and Extracting tar Files You can create a tar file and write files into it, list the files in a tar file, and extract the files from a tar file as described in the next sections.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System For source-url, specify the source URL alias for the local or network file system. These options are supported: For the local flash file system, the syntax is •...
5-12. Configuration files contain commands entered to customize the function of the Cisco IOS software. A way to create a basic configuration file is to use the setup program or to enter the setup privileged EXEC command. For more information, see Chapter 4, “Assigning the Switch IP Address and Default...
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files This section includes this information: Guidelines for Creating and Using Configuration Files, page B-9 • Configuration File Types and Location, page B-9 •...
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Creating a Configuration File By Using a Text Editor When creating a configuration file, you must list commands logically so that the system can respond appropriately.
Page 927
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server • (usually /tftpboot on a UNIX workstation).
Page 928
The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files This section includes this information: Preparing to Download or Upload a Configuration File By Using FTP, page B-13 • • Downloading a Configuration File By Using FTP, page B-13 •...
Page 930
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Command Purpose Step 6 Return to privileged EXEC mode. Step 7 copy Using FTP, copy the configuration file from a network server...
Page 931
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Uploading a Configuration File By Using FTP Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using FTP:...
The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files When you upload a file to the RCP server, it must be properly configured to accept the RCP write • request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101...
Depending on the setting of the file prompt global configuration command, you might be prompted for confirmation before you delete a file. By default, the switch prompts for confirmation on destructive file operations. For more information about the file prompt command, refer to the Cisco IOS Command Reference for Release 12.2.
Image Location on the Switch The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management. The image is stored on the system board flash memory (flash:).
Page 937
Cisco IOS image total_image_file_size Specifies the size of all the images (the Cisco IOS image and the web management files) in the tar file, which is an approximate measure of how much flash memory is required to hold them...
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Copying Image Files By Using TFTP You can download a switch image from a TFTP server or upload the image from the switch to a TFTP server.
Page 939
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Before uploading the image file, you might need to create an empty file on the TFTP server. To • create an empty file, enter the touch filename command, where filename is the name of the file you will use when uploading the image to the server.
Page 940
The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: •...
Page 942
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Use the ip ftp username and ip ftp password commands to specify a username and password for all copies. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username only for that operation.
Page 943
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Command Purpose Step 7 archive download-sw /overwrite /reload Download the image file from the FTP server to the switch, ftp:[[//username[:password]@location]/directory] and overwrite the current image.
Page 944
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images The algorithm installs the downloaded image onto the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
The archive upload-sw command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
Page 946
RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the switch to a server by using RCP, the Cisco IOS software sends the first valid username in this list: The username specified in the archive download-sw or archive upload-sw privileged EXEC •...
Page 947
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Downloading an Image File By Using RCP You can download a new image file and replace or keep the current image. Beginning in privileged EXEC mode, follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image.
Page 948
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Command Purpose Step 7 archive download-sw /leave-old-sw /reload Download the image file from the RCP server to the switch, rcp:[[[//[username@]location]/directory]/image-na and keep the current image.
Page 949
The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Copying an Image File from One Stack Member to Another For switch stacks, the archive download-sw and archive upload-sw privileged EXEC commands can be used only through the stack master.
A P P E N D I X Unsupported Commands in Cisco IOS Release 12.2(20)SE This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Catalyst 3750 switch prompt but are not supported in this release, either because they are not tested or because of Catalyst 3750 hardware limitations.
Appendix C Unsupported Commands in Cisco IOS Release 12.2(20)SE IP Unicast Routing Unsupported Global Configuration Commands ip accounting-list ip-address wildcard ip as-path access-list ip accounting-transits count ip cef accounting [per-prefix] [non-recursive] ip cef traffic-statistics [load-interval seconds] [update-rate seconds]] ip flow-aggregation...
Appendix C Unsupported Commands in Cisco IOS Release 12.2(20)SE MAC Address Commands MAC Address Commands Unsupported Privileged EXEC Commands show mac address-table multicast Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast Note address-table entries for a VLAN.
Appendix C Unsupported Commands in Cisco IOS Release 12.2(20)SE Network Address Translation (NAT) Commands Unsupported Global Configuration Commands ip msdp default-peer ip-address | name [prefix-list list] (Because BGP/MBGP is not supported, use the ip msdp peer command instead of this command.)
I N D E X access control entries Numerics See ACEs 10-Gigabit Ethernet interfaces access-denied response, VMPS 13-28 configuration guidelines 11-14 access groups defined 11-4 applying ACLs to interfaces 31-21 802.1D 31-21 See STP Layer 2 31-21 802.1Q Layer 3 31-21 and trunk ports 11-3...
Page 964
Index ACLs (continued) ACLs (continued) applying named 31-15 on bridged packets number per QoS class map 31-38 32-31 on multicast packets numbers 31-40 31-7 on routed packets port 31-39 31-2 on switched packets precedence of 31-38 31-2 time ranges to 31-17 32-7, 32-38 to an interface...
Page 965
Index addresses (continued) static configuring 34-10 adding and removing defined 7-25 1-4, 7-28, 34-9 defined encapsulation 7-20 34-11 address resolution static cache configuration 7-28, 34-9 34-10 Address Resolution Protocol table See ARP address resolution 7-28 adjacency tables, with CEF managing 34-61 7-28 administrative distances...
Page 966
Index automatic discovery backup interfaces adding member switches 6-18 See Flex Links considerations backup links 20-1 beyond a noncandidate device banners brand new switches configuring connectivity login 7-20 different VLANs message-of-the-day login 7-19 management VLANs default configuration 7-18 non-CDP-capable devices when displayed 7-18 noncluster-capable devices...
Page 967
Index binding database BPDU guard address, DHCP server described 19-3 See DHCP, Cisco IOS server database disabling 19-14 DHCP snooping enabling 19-13 See DHCP snooping binding database support for bindings bridged packets, ACLs on 31-38 address, Cisco IOS DHCP server...
Page 968
Cisco Group Management Protocol See system clock See CGMP Cluster Management Suite Cisco IOS DHCP server See CMS See DHCP, Cisco IOS DHCP server cluster requirements Cisco IOS File System See release notes See IFS clusters, switch Cisco StackWise technology...
Page 969
Index clusters, switch (continued) compatibility benefits creating configuration modes 6-17 creating a cluster standby group described 6-20 1-2, 1-4 described downloading image files 1-2, 3-16, B-20 LRE profile considerations Front Panel view, described 6-17 managing operating systems and supported browsers through CLI privilege levels 6-23...
Page 970
Index command switch (continued) configuration files (continued) requirements guidelines for creating and using standby (SC) invalid combinations when copying 6-10, 6-20 See also candidate switch, cluster standby group, limiting TFTP server access 30-16 member switch, and standby command switch obtaining with DHCP community list, BGP 34-53 password recovery disable considerations...
Page 972
19-8 overview 21-3 device discovery protocol 25-1 packet format, suboption Device Manager circuit ID 21-4 DHCP remote ID 21-4 Cisco IOS server database remote ID suboption 21-4 configuring 21-12 DHCP snooping default configuration 21-7 and private VLANs 21-12 described 21-5...
Page 973
Index DHCP snooping (continued) Differentiated Services Code Point 32-2 displaying binding database 21-14 Diffusing Update Algorithm (DUAL) 34-34 displaying configuration directed unicast requests 21-14 message exchange process directories 21-4 option 82 data insertion changing 21-3 trusted interface creating and removing 21-2 untrusted interface displaying the working...
Page 974
36-43 See addresses interoperability dynamic ARP inspection with Cisco devices 36-37 ARP cache poisoning 22-1 with Cisco IOS software 36-7 ARP requests, described 22-1 mrinfo requests, responding to 36-42 ARP spoofing attack 22-1 neighbors clearing...
Page 975
Index dynamic ARP inspection (continued) dynamic port VLAN membership default configuration 22-5 described 13-28 denial-of-service attacks, preventing reconfirming 22-10 13-31 described troubleshooting 22-1 13-33 DHCP snooping binding database types of connections 22-2 13-30 displaying dynamic routing 34-3 ARP ACLs Dynamic Trunking Protocol 22-14 configuration and operating state See DTP...
Page 976
Index EtherChannel EtherChannel (continued) 802.3ad, described 33-6 port-channel interfaces automatic creation of described 33-5, 33-6 33-4 channel groups numbering of 33-4 binding physical and logical interfaces port groups 33-4 11-5 numbering of stack changes, effects of 33-4 33-9 configuration guidelines support for 33-11 configuring...
Page 977
Index Fast Uplink Transition Protocol 19-6 34-60 failover support fiber-optic, detecting unidirectional links 26-1 fallback bridging files and protected ports 38-4 copying bridge groups crashinfo creating 38-4 description 39-25 described 38-2 displaying the contents of 39-25 displaying 38-11 location 39-25 function of 38-2 deleting...
Page 978
Index flowcharts QoS classification 32-6 hardware limitations and Layer 3 interfaces 11-21 QoS egress queueing and scheduling 32-15 HC (candidate switch) 6-21 QoS ingress queueing and scheduling 32-13 hello time QoS policing and marking 32-9 MSTP 18-20 flow control 1-3, 11-17 17-22 forward-delay time help, for the command line...
Page 979
Index HSRP (continued) IGMP (continued) switch stack considerations 35-2 join messages 23-3 timers leave processing, enabling 35-9 23-11 tracking leaving multicast group 35-6 23-5 See also clusters, cluster standby group, and standby multicast reachability 36-27 command switch overview 36-2 queries 23-4 report suppression described...
Page 980
Index IGMP snooping (continued) interfaces (continued) enabling and disabling 23-7 counters, clearing 11-25 global configuration described 23-7 11-20 Immediate Leave descriptive name, adding 23-5 11-20 in the switch stack displaying information about 23-6 11-24 method flow control 23-7 11-17 monitoring management 23-12 support for...
Page 981
PIM domain border 36-18 MAC address association overview 34-9 36-5 monitoring using with Auto-RP 34-18 36-22 redundant clusters Cisco implementation 6-11 36-2 standby command switch configuring 6-11, 6-13 See also IP information basic multicast routing 36-10 IP broadcast address IP multicast boundary...
Page 982
Index IP multicast routing (continued) IP protocols SAP packets for conference session in ACLs 31-12 announcement 36-34 routing Session Directory (sdr) tool, described 36-34 IP routes, monitoring 34-74 monitoring IP routing packet rate loss 36-52 connecting interfaces with 11-7 peering devices 36-52 disabling 34-19...
Page 983
Index IP traceroute IP unicast routing (continued) executing 39-18 protocols overview distance-vector 39-17 34-3 IP unicast routing dynamic 34-3 address resolution link-state 34-9 34-3 administrative distances proxy ARP 34-63, 34-72 34-9 redistribution 34-9 34-64 assigning IP addresses to Layer 3 interfaces reverse address resolution 34-6 34-9...
Page 984
Index Layer 2 traceroute (continued) IP addresses and subnets 39-17 MAC addresses and VLANs 39-16 described 9-32 multicast traffic 39-16 See also Kerberos multiple devices on a port 39-17 keepalive messages 17-2 unicast traffic 39-16 Kerberos usage guidelines 39-16 authenticating to Layer 2 trunks 13-17 boundary switch...
Page 985
Index management access in-band MAC addresses browser session aging time 7-22 CLI session and VLAN association 7-21 building the address table 7-21 SNMP default configuration 7-22 out-of-band console port connection discovering 7-28 management options displaying 7-28 displaying in DHCP snooping binding database 21-14 clustering displaying in the IP source binding table...
Page 986
Index maximum-paths command monitoring (continued) 34-47, 34-62 membership mode, VLAN port 13-3 34-61 member switch EIGRP 34-39 adding fallback bridging 6-18 38-11 automatic discovery features defined Flex Links 20-3 managing HSRP 6-23 35-11 passwords IGMP 6-13 recovering from lost connectivity 39-12 filters 23-25...
Page 987
Index MSDP MSTP benefits of 37-3 boundary ports clearing MSDP connections and statistics configuration guidelines 37-19 18-14 controlling source information described 18-5 forwarded by switch BPDU filtering 37-12 originated by switch described 37-9 19-3 received by switch enabling 37-14 19-14 default configuration BPDU guard 37-4...
Page 988
Index MSTP (continued) multicast groups interface state, blocking to forwarding 19-2 Immediate Leave 23-5 interoperability and compatibility among modes joining 17-11 23-3 interoperability with 802.1D leaving 23-5 described static joins 18-6 23-10 restarting migration process multicast packets 18-23 ACLs on 31-40 defined blocking...
Page 989
Index network configuration examples NTP (continued) cost-effective wiring closet 1-14 displaying the configuration 7-11 high-performance wiring closet overview 1-14 increasing network performance restricting access 1-12 large network creating an access group 1-18 long-distance, high-bandwidth transport disabling NTP services per interface 1-22 7-10 multidwelling network...
Page 990
Index default configuration 36-8 packet modification, with QoS 32-17 dense mode PAgP overview 36-4 See EtherChannel rendezvous point (RP), described 36-4 parallel paths, in routing tables 34-62 RPF lookups 36-7 passive interfaces displaying neighbors 36-52 configuring 34-71 enabling a mode 36-11 OSPF 34-31...
Page 991
Index policers (continued) port-based authentication (continued) number of 32-31 device roles 10-2 types of displaying statistics 32-8 10-22 policing EAPOL-start frame 10-3 described EAP-request/identity frame 32-3 10-3 token-bucket algorithm EAP-response/identity frame 32-9 10-3 policy-based routing encapsulation 10-3 See PBR guest VLAN policy maps for QoS configuration guidelines 10-9...
Page 992
Index port-based authentication (continued) port security VLAN assignment aging 24-14 AAA authorization and QoS trusted boundary 10-13 32-35 characteristics and stacking 10-8 24-15 configuration tasks configuring 10-8 24-10 described default configuration 10-7 24-9 voice VLAN described 24-7 described displaying 10-7 24-16 PVID 10-7...
Page 993
Index private VLANs (continued) Protocol-Independent Multicast Protocol configuration guidelines 15-7, 15-8 See PIM configuration tasks provisioning new members for a switch stack 15-6 configuring proxy ARP 15-10 default configuration configuring 15-7 34-11 end station access to definition 15-3 34-9 IP addressing with IP routing disabled 15-3 34-12...
Page 994
Index QoS (continued) QoS (continued) auto-QoS (continued) configuring (continued) enabling for VoIP port trust states within the domain 32-24 32-32 example configuration trusted boundary 32-26 32-35 ingress queue defaults default auto configuration 32-19 32-18 list of generated commands default standard configuration 32-20 32-29 basic model...
Page 995
Index QoS (continued) QoS (continued) ingress queues (continued) queues setting WTD thresholds configuring egress characteristics 32-56 32-60 WTD, described configuring ingress characteristics 32-14 32-55 IP phones high priority (expedite) 32-17, 32-66 automatic classification and queueing location of 32-18 32-11 detection and trusted settings SRR, described 32-18, 32-35 32-12...
Page 996
Index RADIUS (continued) redundancy in clusters 6-16 EtherChannel 33-2 limiting the services to the user HSRP 9-27 35-1 method list, defined 9-20 operation of backbone 9-19 17-9 overview multidrop backbone 9-18 19-5 suggested network environments path cost 9-18 13-26 support for port priority 13-24 tracking services accessed by user...
Page 997
Index reverse address resolution root guard 34-9 Reverse Address Resolution Protocol described 19-10 See RARP enabling 19-17 support for 1058, RIP root switch 34-20 1112, IP multicast and IGMP MSTP 23-2 18-15 1157, SNMPv1 30-2 17-16 1163, BGP route calculation timers, OSPF 34-40 34-31 1166, IP addresses...
Page 998
Index RSPAN RSPAN (continued) and stack changes 27-10 rapid convergence characteristics cross-stack rapid convergence 27-9 18-8 configuration guidelines described 27-17 18-8 default configuration edge ports and Port Fast 27-11 18-8 destination ports point-to-point links 27-8 18-8, 18-23 displaying status root ports 27-24 18-8 in a switch stack...
Page 999
Index security, port Smartports macros 24-7 security features applying Cisco-default macros 12-6 sequence numbers in log messages applying global parameter values 29-8 12-5, 12-6 server mode, VTP applying macros 14-3 12-5 service-provider network, MSTP and RSTP applying parameter values 18-1...
Page 1000
Index SNMP (continued) source addresses, in ACLs 31-12 limiting access by TFTP servers 30-16 source-and-destination-IP address based forwarding, EtherChannel 33-8 limiting system log messages to NMS 29-10 source-and-destination MAC address forwarding, manager functions 1-4, 30-3 EtherChannel 33-8 managing clusters with 6-24 source-IP address based forwarding, EtherChannel 33-8...