Cisco IE-3000-8TC Software Configuration Manual

Software configuration guide

Cisco IE 3000 Switch
Software Configuration Guide
Cisco IOS Release 12.2(50)SE
March 2009
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-13018-03


Summary of Contents for Cisco IE-3000-8TC

  • Page 1 Cisco IE 3000 Switch Software Configuration Guide Cisco IOS Release 12.2(50)SE March 2009 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL-13018-03...
  • Page 2 OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
  • Page 3: Table Of Contents

    Where to Go Next 1-20 Using the Command-Line Interface Understanding Command Modes Understanding the Help System Understanding Abbreviated Commands Understanding no and default Forms of Commands...
  • Page 4 Setting the FCS Error Hysteresis Threshold Configuring Alarm Profiles Creating or Modifying an Alarm Profile 3-10 Attaching an Alarm Profile to a Specific Port 3-11 Enabling SNMP Traps 3-11 Displaying IE 3000 Switch Alarms Status 3-12...
  • Page 5 Scheduling a Reload of the Software Image 4-20 Configuring a Scheduled Reload 4-20 Displaying Scheduled Reload Information 4-21 Configuring Cisco EnergyWise Managing Single Entities EnergyWise Entity EnergyWise Domain EnergyWise Network...
  • Page 6 Configuring Cisco IOS Configuration Engine Understanding Cisco Configuration Engine Software Configuration Service Event Service NameSpace Mapper What You Should Know About the CNS IDs and Device Hostnames ConfigID DeviceID...
  • Page 7 SNMP Community Strings 7-13 TACACS+ and RADIUS 7-13 LRE Profiles 7-13 Using the CLI to Manage Switch Clusters 7-14 Catalyst 1900 and Catalyst 2820 CLI Considerations 7-14 Using SNMP to Manage Switch Clusters 7-14...
  • Page 8 Configuring MAC Address Notification Traps 8-21 Adding and Removing Static Address Entries 8-23 Configuring Unicast MAC Address Filtering 8-24 Disabling MAC Address Learning on a VLAN 8-25 Displaying Address Table Entries 8-27...
  • Page 9 11-12 Default TACACS+ Configuration 11-13 Identifying the TACACS+ Server Host and Setting the Authentication Key 11-13 Configuring TACACS+ Login Authentication 11-14 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 11-16...
  • Page 10 Configuring a CA Trustpoint 11-40 Configuring the Secure HTTP Server 11-41 Configuring the Secure HTTP Client 11-43 Displaying Secure HTTP Server and Client Status 11-43 Configuring the Switch for Secure Copy Protocol 11-44...
  • Page 11 802.1x Authentication with VLAN Assignment 12-14 802.1x Authentication with Downloadable ACLs and Redirect URLs 12-15 Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL 12-16 Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs 12-16 802.1x Authentication with Guest VLAN 12-17 802.1x Authentication with Restricted VLAN...
  • Page 12 Displaying 802.1x Statistics and Status 12-59 Configuring Interface Characteristics 13-1 Understanding Interface Types 13-1 Port-Based VLANs 13-2 Switch Ports 13-2 Access Ports 13-2 Trunk Ports 13-3...
  • Page 13 Supported VLANs 15-2 VLAN Port Membership Modes 15-3 Configuring Normal-Range VLANs 15-4 Token Ring VLANs 15-5 Normal-Range VLAN Configuration Guidelines 15-5 VLAN Configuration Mode Options 15-6 VLAN Configuration in config-vlan Mode 15-6...
  • Page 14 Configuring Dynamic-Access Ports on VMPS Clients 15-26 Reconfirming VLAN Memberships 15-27 Changing the Reconfirmation Interval 15-27 Changing the Retry Count 15-28 Monitoring the VMPS 15-28 Troubleshooting Dynamic-Access Port VLAN Membership 15-29 VMPS Configuration Example 15-29...
  • Page 15 Configuring Voice VLAN 17-3 Default Voice VLAN Configuration 17-3 Voice VLAN Configuration Guidelines 17-3 Configuring a Port Connected to a Cisco 7960 IP Phone 17-4 Configuring Cisco IP Phone Voice Traffic 17-4 Configuring the Priority of Incoming Data Frames 17-6...
  • Page 16 Displaying the Spanning-Tree Status 18-22 Configuring MSTP 19-1 Understanding MSTP 19-2 Multiple Spanning-Tree Regions 19-2 IST, CIST, and CST 19-2 Operations Within an MST Region 19-3...
  • Page 17 Displaying the MST Configuration and Status 19-26 Configuring Optional Spanning-Tree Features 20-1 Understanding Optional Spanning-Tree Features 20-1 Understanding Port Fast 20-2 Understanding BPDU Guard 20-2 Understanding BPDU Filtering 20-3...
  • Page 18 Understanding Flex Links and the MAC Address-Table Move Update 22-1 Flex Links 22-1 VLAN Flex Link Load Balancing and Support 22-2 Flex Link Multicast Fast Convergence 22-3...
  • Page 19 DHCP Snooping Configuration Guidelines 23-7 Configuring the DHCP Relay Agent 23-8 Enabling DHCP Snooping and Option 82 23-9 Enabling the Cisco IOS DHCP Server Database 23-10 Enabling the DHCP Snooping Binding Database Agent 23-11 Displaying DHCP Snooping Information 23-12 Understanding IP Source Guard...
  • Page 20 Configuring a Host Statically to Join a Group 25-9 Enabling IGMP Immediate Leave 25-10 Configuring the IGMP Leave Timer 25-10 Configuring TCN-Related Commands 25-11 Controlling the Multicast Flooding Time After a TCN Event 25-11...
  • Page 21 26-7 Configuring Port Blocking 26-7 Default Port Blocking Configuration 26-7 Blocking Flooded Traffic on an Interface 26-8 Configuring Port Security 26-8 Understanding Port Security 26-9 Secure MAC Addresses 26-9 Security Violations 26-10...
  • Page 22 Understanding UDLD 29-1 Modes of Operation 29-1 Methods to Detect Unidirectional Links 29-2 Configuring UDLD 29-3 Default UDLD Configuration 29-4 Configuration Guidelines 29-4 Enabling UDLD Globally 29-5...
  • Page 23 Understanding RMON 31-1 Configuring RMON 31-2 Default RMON Configuration 31-3 Configuring RMON Alarms and Events 31-3 Collecting Group History Statistics on an Interface 31-5...
  • Page 24 Configuring Community Strings 33-8 Configuring SNMP Groups and Users 33-9 Configuring SNMP Notifications 33-11 Setting the CPU Threshold Notification Types and Values 33-15 Setting the Agent Contact and Location Information 33-16...
  • Page 25 Configuring Cisco IOS IP SLAs Operations 35-1 Understanding Cisco IOS IP SLAs 35-1 Using Cisco IOS IP SLAs to Measure Network Performance 35-2 IP SLAs Responder and IP SLAs Control Protocol 35-3 Response Time Computation for IP SLAs...
  • Page 26 Configuring Classification Using Port Trust States 36-32 Configuring the Trust State on Ports within the QoS Domain 36-33 Configuring the CoS Value for an Interface 36-34 Configuring a Trusted Boundary to Ensure Port Security 36-35...
  • Page 27 128-Bit Wide Unicast Addresses 37-3 DNS for IPv6 37-3 ICMPv6 37-3 Neighbor Discovery 37-3 IPv6 Stateless Autoconfiguration and Duplicate Address Detection 37-4 IPv6 Applications 37-4 Dual IPv4 and IPv6 Protocol Stacks 37-4...
  • Page 28 Displaying EtherChannel, PAgP, and LACP Status 38-17 Understanding Link-State Tracking 38-18 Configuring Link-State Tracking 38-20 Default Link-State Tracking Configuration 38-20 Link-State Tracking Configuration Guidelines 38-21 Configuring Link-State Tracking 38-21 Displaying Link-State Tracking Status 38-22...
  • Page 29 Using the crashinfo Files 39-17 Basic crashinfo Files 39-17 Extended crashinfo Files 39-18 Troubleshooting Tables 39-18 Troubleshooting CPU Utilization 39-18 Possible Symptoms of High CPU Utilization 39-18 Verifying the Problem and Cause 39-19...
  • Page 30 MIB List Using FTP to Access the MIB Files Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System...
  • Page 31 Working with Software Images B-23 Image Location on the Switch B-24 tar File Format of Images on a Server or Cisco.com B-24 Copying Image Files By Using TFTP B-25 Preparing to Download or Upload an Image File By Using TFTP...
  • Page 32 Unsupported 3DES Encryption Commands Spanning Tree Unsupported Global Configuration Command Unsupported Interface Configuration Command VLAN Unsupported Global Configuration Command Unsupported vlan-config Command Unsupported User EXEC Commands Unsupported Privileged EXEC Commands Index...
  • Page 33 This guide is for the networking professional managing the IE 3000 switch, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
  • Page 34: Related Publications

    Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data. Related Publications These documents provide complete information about the switch and are available from this Cisco.com site: http://www.cisco.com/en/US/products/ps9703/tsd_products_support_series_home.html Before installing, configuring, or upgrading the switch, see these documents: Note For initial configuration information, see the “Using Express Setup”...
  • Page 35 Obtaining Documentation, Obtaining Support, and Security Guidelines For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed...
  • Page 37 Some features described in this chapter are available only on the cryptographic (supports encryption) version of the software. You must obtain authorization to use this feature and to download the cryptographic version of the software from Cisco.com. For more information, see the release notes for this release.
  • Page 38: Ease-Of-Deployment And Ease-Of-Use Features

    User-defined and Cisco-default Smartports macros for creating custom switch configurations for simplified deployment across the network. A removable compact flash card that stores the Cisco IOS software image and configuration files for the switch. You can replace and upgrade the switch without reconfiguring the software features.
  • Page 39: Performance Features

    Extended discovery of cluster candidates that are not directly connected to the command switch. Performance Features: Cisco EnergyWise manages the energy usage of power over Ethernet (PoE) entities. Autosensing of port speed and autonegotiation of duplex mode on all switch ports for optimizing...
  • Page 40: Management Options

    Network Assistant—Network Assistant is a network management application that can be downloaded from Cisco.com. You use it to manage a single switch, a cluster of switches, or a community of devices. For more information about Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com.
  • Page 41: Manageability Features

    Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses. Support for the SSM PIM protocol to optimize multicast applications, such as video...
  • Page 42: Availability And Redundancy Features

    saved Cisco IOS configuration file. The HTTP client in Cisco IOS can send requests to both IPv4 and IPv6 HTTP servers, and the HTTP server in Cisco IOS can service HTTP requests from both IPv4 and IPv6 HTTP clients. Simple Network Management Protocol (SNMP) can be configured over IPv6 transport so that...
  • Page 43: Vlan Features

    Link-state tracking to mirror the state of the ports that carry upstream traffic from connected hosts and servers, and to allow the failover of the server traffic to an operational link on another Cisco Ethernet switch. VLAN Features: Support for up to 255 VLANs for assigning users to VLANs associated with appropriate network...
  • Page 44: Security Features

    – Port security for controlling access to 802.1x ports – Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port – IP phone detection enhancement to detect and recognize a Cisco IP phone.
  • Page 45: Qos And Cos Features

    – IEEE 802.1x authentication with downloadable ACLs and redirect URLs to allow per-user ACL downloads from a Cisco Secure ACS server to an authenticated switch. – Flexible-authentication sequencing to configure the order of the authentication methods that a port tries when authenticating a new host.
  • Page 46: Monitoring Features

    Trusted boundary for detecting the presence of a Cisco IP Phone, trusting the CoS value received, and ensuring port security. Policing: Traffic-policing policies on the switch port for managing how much of the port bandwidth...
  • Page 47: Default Settings After Initial Switch Configuration

    Switch cluster is disabled. For more information about switch clusters, see Chapter 7, “Clustering Switches,” and the Getting Started with Cisco Network Assistant, available on Cisco.com. No passwords are defined. For more information, see Chapter 8, “Administering the Switch.”...
  • Page 48 “Configuring Port-Based Traffic Control.” No secure ports are configured. For more information, see Chapter 26, “Configuring Port-Based Traffic Control.” CDP is enabled. For more information, see Chapter 28, “Configuring CDP.”...
  • Page 49: Network Configuration Examples

    networked applications (such as e-mail with large attached files) and from bandwidth-intensive applications (such as multimedia). Use the EtherChannel feature between the switch and its connected servers and routers...
  • Page 50: Ethernet-To-The-Factory Architecture

    See Figure 1-1. For more information about EttF architecture, see this URL: http://wwwin.cisco.com/enterprise/solutions/manufacturing/solutions/ettf.shtml ...
  • Page 51: Demilitarized Zone

    They are all in real-time communication with each other. This zone requires clear isolation and protection from the other levels of plant or enterprise operations. Figure 1-1 shows the EttF architecture...
  • Page 52 Figure 1-1 Ethernet-to-the-Factory Architecture (figure labels: GE link for servers, failover detection, Catalyst 3750 switch, Catalyst 4500 switch, servers, management tools, Catalyst 3750 switch stack)...
  • Page 53: Topology Options

    The connection between the Layer 3 switch and the first Layer 2 switch is very susceptible to oversubscription, which can degrade network performance. There is no redundancy to the loss of a connection...
  • Page 54 Although better than the trunk-drop, the top of the ring (connections to the Layer 3 switches) can become a bottleneck and is susceptible to oversubscription, which can degrade network performance...
  • Page 55 Any Layer 2 switch is always only two hops to another Layer 2 switch. In the Layer 2 network, each switch has dual connections to the Layer 3 devices. The Layer 2 network is maintained even if multiple connections are lost...
  • Page 56: Where To Go Next

    Where to Go Next: Before configuring the switch, review these sections for startup information: Chapter 2, “Using the Command-Line Interface”; Chapter 4, “Assigning the Switch IP Address and Default Gateway”...
  • Page 57: Understanding Command Modes

    Using the Command-Line Interface: This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your IE 3000 switch. It contains these sections: Understanding Command Modes, page 2-1...
  • Page 58 EXEC mode, enter the vlan database command. Switch(vlan)# To exit to privileged EXEC mode, enter exit. Use this mode to configure VLAN parameters for VLANs 1 to 1005 in the VLAN database...
  • Page 59: Understanding The Help System

    Obtain a list of commands that begin with a particular character string. For example: Switch# di? dir disable disconnect abbreviated-command-entry<Tab> Complete a partial command name. For example: Switch# sh conf<tab> Switch# show configuration ...
  • Page 60: Understanding Abbreviated Commands

    However, some commands are enabled by default and have variables set to certain default values. In these cases, the default command enables the command and sets variables to their default values...
  • Page 61: Understanding Cli Error Messages

    For more information, see the Configuration Change Notification and Logging feature module at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d1e81.html Note: Only CLI or HTTP changes are logged...
  • Page 62: Using Command History

    The number of commands that appear is controlled by the setting of the terminal history global configuration command and the history line configuration command. 1. The arrow keys function only on ANSI-compatible terminals such as VT100s...
  • Page 63: Disabling The Command History Feature

    Table 2-5 Editing Commands through Keystrokes. Capability: Move around the command line to make changes or corrections. Keystroke: Press Ctrl-B, or press the left arrow key. Purpose: Move the cursor back one character...
  • Page 64 Change the word at the cursor to lowercase. Press Esc U. Capitalize letters from the cursor to the end of the word. Designate a particular keystroke as an executable command, perhaps as a shortcut. Press Ctrl-V or Esc Q...
  • Page 65: Editing Command Lines That Wrap

    Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the “Editing Commands through Keystrokes” section on page 2-7...
  • Page 66: Searching And Filtering Output Of Show And More Commands

    11-33. The switch supports up to five simultaneous secure SSH sessions. After you connect through the console port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station...
  • Page 67: Understanding Ie 3000 Switch Alarms

    Configuring Cisco IE 3000 Switch Alarms: This section describes how to configure the different alarms for the Cisco IE 3000 switch. This chapter consists of these sections: Understanding IE 3000 Switch Alarms, page 3-1...
  • Page 68: Global Status Monitoring Alarms

    3-2. To save user time and effort, the switch supports changing alarm configurations by using alarm profiles. You can create a number of profiles and assign one of these profiles to each Ethernet port...
  • Page 69: Triggering Alarm Options

    You can associate any alarm condition with either alarm relay or both relays. Each fault condition is assigned a severity level based on the Cisco IOS System Error Message Severity Level.
  • Page 70: Configuring Ie 3000 Switch Alarms

    Link Fault Alarm: Disabled on all interfaces. Port not Forwarding Alarm: Disabled on all interfaces. Port not Operating Alarm: Enabled on all interfaces. FCS Bit Error Rate Alarm: Disabled on all interfaces...
  • Page 71: Configuring The Power Supply Alarm

    Send power supply alarm traps to a syslog server. Step 5 Return to privileged EXEC mode. Step 6 show alarm settings Verify the configuration. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file...
  • Page 72: Configuring The Switch Temperature Alarms

    This example shows how to delete the primary temperature monitoring alarm configuration and return to the default setting. Switch(config)# no alarm facility temperature primary high 45 ...
  • Page 73: Setting A Secondary Temperature Threshold For The Switch

    {primary | secondary} syslog Step 5 Return to privileged EXEC mode. Step 6 show alarm settings Verify the configuration. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file...
  • Page 74: Configuring The Fcs Bit Error Rate Alarm

    Verify the setting. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no fcs-threshold interface configuration command to return to the default FCS threshold value...
  • Page 75: Configuring Alarm Profiles

    This section describes how to configure alarm profiles on your switch. It contains this configuration information: Creating or Modifying an Alarm Profile, page 3-10; Attaching an Alarm Profile to a Specific Port, page 3-11...
  • Page 76: Creating Or Modifying An Alarm Profile

    Before you use the notifies command to send alarm traps to an SNMP server, you must first set up the SNMP server by using the snmp-server enable traps alarms global configuration command. See the “Enabling SNMP Traps” section on page 3-11...
  • Page 77: Attaching An Alarm Profile To A Specific Port

    Before using alarm profiles to set the switch to send SNMP alarm trap notifications to an SNMP server, you must first enable SNMP by using the snmp-server enable traps alarms global configuration command...
  • Page 78: Displaying Ie 3000 Switch Alarms Status

    {all | power | temperature} Displays the status of environmental facilities on the switch. show facility-alarm status [critical | info | major | minor] Displays generated alarms on the switch...
  • Page 79: Chapter 4 Assigning The Switch Ip Address And Default Gateway

    For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >...
  • Page 80: Assigning Switch Information

    You can replace and upgrade the switch without reconfiguring the switch. Removing the compact flash card does not interrupt switch operation, unless you need to reload the Cisco IOS software due to a power cycle or user action. However, when the compact flash card is removed, you do not have access to the flash file system, and any attempt to access it generates an error message.
  • Page 81: Default Switch Information

    If you are using DHCP to relay the configuration file location on the network, you might also need to configure a Trivial File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server...
  • Page 82: Dhcp Client Request Process

    If the switch accepts replies from a BOOTP server and configures itself, the switch broadcasts, instead of unicasts, TFTP requests to obtain the switch configuration file...
  • Page 83: Understanding Dhcp-Based Autoconfiguration And Image Update

    Unless you configure a timeout, the DHCP-based autoconfiguration with a saved configuration feature tries indefinitely to download an IP address. The auto-install process stops if a configuration file cannot be downloaded or if the configuration file is corrupted...
  • Page 84: Configuring Dhcp-Based Autoconfiguration

    Example Configuration, page 4-9. If your DHCP server is a Cisco device, for additional information about configuring DHCP, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >...
  • Page 85: Configuring The Dns

    The DNS server can be on the same or on a different LAN as the switch. If it is on a different LAN, the switch must be able to access it through a router...
  • Page 86: Configuring The Relay Device

    If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 87: Example Configuration

    DHCP server. Table 4-2 DHCP Server Configuration. Binding key (hardware address): Switch A 00e0.9f1e.2001, Switch B 00e0.9f1e.2002, Switch C 00e0.9f1e.2003, Switch D 00e0.9f1e.2004. IP address: Switch A 10.0.0.21, Switch B 10.0.0.22, Switch C 10.0.0.23, Switch D 10.0.0.24...
  • Page 88 It reads the configuration file that corresponds to its hostname; for example, it reads switch1-confg from the TFTP server. Switches B through D retrieve their configuration files and IP addresses in the same way...
  • Page 89: Configuring The Dhcp Auto Configuration And Image Update Features

    Switch(dhcp-config)# network 10.10.10.0 255.255.255.0
    Switch(dhcp-config)# bootfile config-boot.text
    Switch(dhcp-config)# default-router 10.10.10.1
    Switch(dhcp-config)# option 150 10.10.10.1
    Switch(dhcp-config)# exit
    Switch(config)# tftp-server flash:config-boot.text
    Switch(config)# interface gigabitethernet1/2
    Switch(config-if)# no switchport
    Switch(config-if)# ip address 10.10.10.1 255.255.255.0
    Switch(config-if)# end
    ...
  • Page 90: Configuring Dhcp Auto-Image Update (Configuration File And Image)

    Upload the tar file for the new image to the switch. Step 10 exit Return to global configuration mode. Step 11 tftp-server flash:config.text Specify the Cisco IOS configuration file on the TFTP server. Step 12 tftp-server flash:imagename.tar Specify the image name on the TFTP server. Step 13 tftp-server flash:filename.txt...
  • Page 91: Configuring The Client

    Private Config file: flash:/private-config.text
    Enable Break:
    Manual Boot:
    HELPER path-list:
    NVRAM/Config file buffer size: 32768
    Timeout for Config Download: 300 seconds
    Config Download via DHCP: enabled (next boot: enabled)
    Switch#
    ...
  • Page 92: Manually Assigning Ip Information

    You can check the configuration settings that you entered or changes that you made by entering this privileged EXEC command:
    Switch# show running-config
    Building configuration...
    Current configuration: 1363 bytes
    version 12.2
    ...
  • Page 93: Modifying The Startup Configuration

    EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Modifying the Startup Configuration: These sections describe how to modify the switch startup configuration...
  • Page 94: Default Boot Configuration

    Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot-up cycle.
  • Page 95: Booting Manually

    Filenames and directory names are case sensitive. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable manual booting, use the no boot manual global configuration command...
  • Page 96: Booting A Specific Software Image

    A variable that is set to a null string (for example, “ ”) is a variable with a value. Many environment variables are predefined and have default values...
  • Page 97 Cisco IOS configuration file can be stored as an environment variable. You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
  • Page 98: Scheduling A Reload Of The Software Image

    This example shows how to reload the software on the switch at a future time:
    Switch# reload at 02:00 jun 20
    Reload scheduled for 02:00:00 UTC Thu Jun 20 1996 (in 344 hours and 53 minutes)
  • Page 99: Displaying Scheduled Reload Information

    EXEC command. It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled).
  • Page 100 Chapter 4 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image
  • Page 101: Managing Single Entities

    • Additional Information, page 5-18
    For more information about EnergyWise, go to http://www.cisco.com/en/US/products/ps10195/tsd_products_support_series_home.html.
    Managing Single Entities
    Use Cisco EnergyWise to manage the energy usage of entities in an EnergyWise network.
    • EnergyWise Entity, page 5-1
    • EnergyWise Domain, page 5-2
    ...
  • Page 102: Energywise Domain

    The domain is treated as one unit of power management. Entities have neighbor-to-neighbor relationships with other domain entities. For more information, see the “Additional Information” section on page 5-18.
    EnergyWise Network
    An EnergyWise network has EnergyWise entities in a domain.
  • Page 103: Single Poe Switch Scenario

    PoE-entity time zone. For example, IP phones are powered on at 7:00 a.m. (0700) local time, and they are powered off at 7:00 p.m. (1900) local time. This is also known as the recurrence scenario.
  • Page 104: Energywise Power Level

    If the power level is from 1 to 10, the port is powered on. If the power level is 0, enter any value in this range to power on the PoE port or the switch. When the power level changes, the port determines the action for the connected entities.
  • Page 105: Energywise Importance

    • Configure the port power level. The level takes effect after you change the port mode to auto or static. You do not need to restart the switch.
    If EnergyWise is disabled, the entity can use PoE to manage port power.
  • Page 106: Manually Managing Power

    By default, no domain and password are assigned.
    Step 4: Return to privileged EXEC mode.
    Step 5: show energywise, show energywise domain - Verify your entries.
    Step 6: copy running-config startup-config - (Optional) Save your entries in the configuration file.
  • Page 107: Configuring Entity Attributes

    #, (, %, !, or &. Do not use an asterisk (*) or a blank space between the characters and symbols. The default is the model number.
    Step 9: Return to privileged EXEC mode.
  • Page 108: Powering The Poe Port

    Specify the port or the range of ports to be configured, and enter interface configuration mode.
    Step 3: energywise importance importance - (Optional) Set the importance of the port. The range is from 1 to 100. The default is 1.
  • Page 109: Automatically Managing Power (Recurrence)

    (Optional) Save your entries in the configuration file.
    Automatically Managing Power (Recurrence)
    Beginning in privileged EXEC mode:
    Command - Purpose
    Step 1: show energywise - (Optional) Verify that EnergyWise is enabled.
    Step 2: configure terminal - Enter global configuration mode.
  • Page 110 * for the wildcard. day_of_week—The range is from 0 (Sunday) to 6 (Saturday). Use * for the wildcard. Note: The specified time is the local time based on the PoE-entity time zone.
  • Page 111: Examples

    Setting Up the Domain
    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# energywise domain cisco secret cisco protocol udp port 43440 ip 2.2.4.30
    Switch(config)# energywise importance 50
    Switch(config)# energywise keywords lab1,devlab
    Switch(config)# energywise name LabSwitch
    Switch(config)# energywise neighbor TG3560G-21 43440
    Switch(config)# energywise role role.labaccess...
  • Page 112: Manually Managing Power

    To power on the lab IP phones now:
    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# energywise domain cisco secret cisco protocol udp port 43440 ip 2.2.4.44
    Switch(config)# interface gigabitethernet1/1/3
    Switch(config-if)# energywise importance 65
    Switch(config-if)# energywise name labphone.5
    Switch(config-if)# energywise role role.labphone...
  • Page 113: Multiple Poe Switch Scenario

    • Summarize power information from entities.
    • Set parameters.
    Use these attributes to filter results:
    • Importance.
    • Entity name.
    • One or more keywords for a port or for a group of ports.
  • Page 114: Using Queries To Manage Power In The Domain

    Note: In the results with the sum keyword, the Responded total is not accurate. The Queried total is accurate and is the total number of entities that respond to the query.
    Repeat this step to run another query.
  • Page 115: Examples

    6.3 (W)
    192.168.20.2 shipping.2 8.5 (W)
    Queried: Responded: Time: 0.4 seconds
    The first row (shipping.1) is from Switch 1. The second row (shipping.2) is from Switch 2, a neighbor of Switch 1.
  • Page 116: Querying With Keywords

    You can also use the show energywise usage privileged EXEC command on Switch 1 and Switch 2 to verify the power levels.
    Troubleshooting EnergyWise
    • Using CLI Commands, page 5-17
    • Verifying the Power Usage, page 5-17
  • Page 117: Using Cli Commands

    For more information about the commands, see the command reference for this release.
    Verifying the Power Usage
    • This example shows that the Cisco 7960 IP Phone uses 6.3 watts and that the Cisco 7970G IP Phone uses 10.3 watts.
  • Page 118: Additional Information

    • Gigabit Ethernet port 1/1/23 on Switch 2 with a connected Catalyst PoE switch.
    On Switch 1, configure the domain:
    Switch(config)# energywise domain cisco secret 0 cisco protocol udp port 43440 interface gigabitethernet1/0/23
    On Switch 1, verify that the EnergyWise protocols discovered the neighbors:...
  • Page 119 VLAN SVI is 192.168.1.2, and the IP address of the router interface is 192.168.1.1. Configure the domain: Switch(config)# energywise domain cisco secret 0 cisco protocol udp port 43440 ip 192.168.1.2
  • Page 120 Note: To prevent a disjointed domain, you can also configure a helper address on Router A and specify that the router use UDP to forward broadcast packets with the ip helper-address address interface configuration command and the ip forward-protocol udp [port] global configuration command.
  • Page 121: Chapter 6 Configuring Cisco Ios Configuration Engine

    Note For complete configuration information for the Cisco Configuration Engine, go to http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.html For complete syntax and usage information for the commands used in this chapter, go to the Cisco IOS Network Management Command Reference, Release 12.4 at http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_book.html •...
  • Page 122: Configuration Service

    (LDAP) URLs that reference the device-specific configuration information stored in a directory. The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
  • Page 123: Event Service

    Understanding Cisco Configuration Engine Software Event Service The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine.
  • Page 124: Deviceid

    Therefore, the DeviceID, as originated on the switch, must match the DeviceID of the corresponding switch definition in the Configuration Engine. The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID variable and its usage reside within the event gateway adjacent to the switch.
  • Page 125: Understanding Cisco Ios Agents

    Understanding Cisco IOS Agents The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent. The Cisco IOS agent feature supports the switch by providing these features: •...
  • Page 126: Incremental (Partial) Configuration

    NVRAM for use at the next reboot. Configuring Cisco IOS Agents The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 6-6.
  • Page 127: Enabling The Cns Event Agent

    Note: For more information about running the setup program and creating templates on the Configuration Engine, see the Cisco Configuration Engine Installation and Setup Guide, 1.5 for Linux at http://www.cisco.com/en/US/docs/net_mgmt/configuration_engine/1.5/installation_linux/guide/setup_1.html
    Enabling the CNS Event Agent
    You must enable the CNS event agent on the switch before you enable the CNS configuration agent.
  • Page 128 This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count. Switch(config)# cns event 10.180.1.27 keepalive 120 10
  • Page 129: Enabling The Cisco Ios Cns Agent

    Configuring Cisco IOS Configuration Engine Configuring Cisco IOS Agents Enabling the Cisco IOS CNS Agent After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands: •...
  • Page 130 Return to global configuration mode. Step 11 hostname name Enter the hostname for the switch. Step 12 ip route network-number (Optional) Establish a static route to the Configuration Engine whose IP address is network-number.
  • Page 131 ID, enter an arbitrary text string for string string as the unique ID, or enter udi to set the unique device identifier (UDI) as the unique ID.
  • Page 132 Verify your entries. To disable the CNS Cisco IOS agent, use the no cns config initial {ip-address | hostname} global configuration command. This example shows how to configure an initial configuration on a remote switch when the switch configuration is unknown (the CNS Zero Touch feature).
  • Page 133: Enabling A Partial Configuration

    RemoteSwitch(config)# cns id ethernet 0 ipaddress
    RemoteSwitch(config)# cns config initial 172.28.129.22 no-persist
    Enabling a Partial Configuration
    Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch: Command...
  • Page 134: Displaying Cns Configuration

    Privileged EXEC show Commands
    Command - Purpose
    show cns config connections - Displays the status of the CNS Cisco IOS agent connections.
    show cns config outstanding - Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
    show cns config stats - Displays statistics about the Cisco IOS agent.
  • Page 135: Chapter 7 Clustering Switches

    Network Assistant has a Cluster Conversion Wizard to help you convert a cluster to a community. For more information about Network Assistant, including introductory information on managing switch clusters and converting a switch cluster to a community, see Getting Started with Cisco Network Assistant, available on Cisco.com.
  • Page 136 Catalyst 2900 XL (8-MB switches) 12.0(5.1)XU or later Member or command switch Catalyst 2900 XL (4-MB switches) 11.2(8.5)SA6 (recommended) Member switch only Catalyst 1900 and 2820 9.00(-A or -EN) or later Member switch only
  • Page 137: Cluster Command Switch Characteristics

    • It is running Cisco IOS Release 12.2(40)EX or later.
    • It has an IP address.
    • It has Cisco Discovery Protocol (CDP) version 2 enabled (the default).
    • It is not a command or cluster member switch of another cluster.
    ...
  • Page 138: Planning A Switch Cluster

    Java plug-in configurations. Automatic Discovery of Cluster Candidates and Members The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
  • Page 139: Discovery Through Cdp Hops

    [Figure: discovery through CDP hops, showing the command device, member devices 8, 9, and 10, candidate devices, Devices 11 through 15, VLAN 16, VLAN 62, and the edge of the cluster]
  • Page 140: Discovery Through Non-Cdp-Capable And Noncluster-Capable Devices

    Planning a Switch Cluster Discovery Through Non-CDP-Capable and Noncluster-Capable Devices If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
  • Page 141: Discovery Through Different Management Vlans

    • Switches 7 and 10 (switches in management VLAN 4) because they are not connected through a common VLAN (meaning VLANs 62 and 9) with the cluster command switch
    • Switch 9 because automatic discovery does not extend beyond a noncandidate device, which is switch 7
  • Page 142: Discovery Of Newly Installed Switches

    • One cluster-capable switch and its access port are assigned to VLAN 9.
    • The other cluster-capable switch and its access port are assigned to management VLAN 16.
  • Page 143: Hsrp And Standby Cluster Command Switches

    These topics also provide more detail about standby cluster command switches:
    • Virtual IP Addresses, page 7-10
    • Other Considerations for Cluster Standby Groups, page 7-10
  • Page 144: Virtual Ip Addresses

    Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switches. Each standby-group member must also be redundantly connected to each other through at least one VLAN in common with the switch cluster.
  • Page 145: Automatic Recovery Of Cluster Configuration

    • This limitation applies to all clusters: If the active cluster command switch fails and becomes active again, it does not discover any Catalyst 1900, Catalyst 2820, and Catalyst 2916M XL cluster member switches. You must again add these cluster member switches to the cluster.
  • Page 146: Ip Addresses

    If no command-switch password is configured, the cluster member switch inherits a null password. Cluster member switches only inherit the command-switch password.
  • Page 147: Snmp Community Strings

    Before you add an LRE switch to a cluster, make sure that you assign it the same public profile used by other LRE switches in the cluster. A cluster can have a mix of LRE switches that use different private profiles.
  • Page 148: Using The Cli To Manage Switch Clusters

    Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
  • Page 149 For more information about SNMP and community strings, see Chapter 33, “Configuring SNMP.” [Figure 7-7: SNMP Management for a Cluster, showing the SNMP manager, the command switch, Members 1 to 3, and Traps 1 to 3]
  • Page 150 Chapter 7 Clustering Switches Using SNMP to Manage Switch Clusters
  • Page 151: Managing The System Time And Date

    You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods.
    Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference from the Cisco.com page under Documentation >...
  • Page 152: Understanding Network Time Protocol

    Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 153: Configuring Ntp

    If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as if it is synchronized through NTP, when in fact it has learned the time by using other means. Other devices then synchronize to that device through NTP.
  • Page 154: Default Ntp Configuration

    NTP that provide for accurate timekeeping) with other devices for security purposes:
    Command - Purpose
    Step 1: configure terminal - Enter global configuration mode.
    Step 2: ntp authenticate - Enable the NTP authentication feature, which is disabled by default.
  • Page 155: Configuring Ntp Associations

    An NTP association can be a peer association (this switch can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this switch synchronizes to the other device, and not the other way around).
  • Page 156: Configuring Ntp Broadcast Service

    However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, the information flow is one-way only.
  • Page 157 Step 3 ntp broadcast client Enable the interface to receive NTP broadcast packets. By default, no interfaces receive NTP broadcast packets. Step 4 exit Return to global configuration mode.
  • Page 158: Configuring Ntp Access Restrictions

    NTP control queries and allows the switch to synchronize to the remote device. For access-list-number, enter a standard IP access list number from 1 to 99.
  • Page 159 99. However, the switch restricts access to allow only time requests from access list 42:
    Switch# configure terminal
    Switch(config)# ntp access-group peer 99
    Switch(config)# ntp access-group serve-only 42
    Switch(config)# access-list 99 permit 172.20.130.5
    Switch(config)# access-list 42 permit 172.20.130.6
  • Page 160: Configuring The Source Ip Address For Ntp Packets

    “Configuring NTP Associations” section on page 8-5.
  • Page 161: Displaying The Ntp Configuration

    Note: For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 162: Displaying The Time And Date Configuration

    Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent. In this case, the necessary command is clock timezone AST -3 30. To set the time to UTC, use the no clock timezone global configuration command.
  • Page 163: Configuring Summer Time (Daylight Saving Time)

    This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:
    Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
  • Page 164: Configuring A System Name And Prompt

    A greater-than symbol [>] is appended. The prompt is updated whenever the system name changes. For complete syntax and usage information for the commands used in this section, from the Cisco.com page, select Documentation > Cisco IOS Software > 12.2 Mainline > Command References and see the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols.
  • Page 165: Default System Name And Prompt Configuration

    Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
  • Page 166: Default Dns Configuration

    Internet naming scheme (DNS).
    Step 5: Return to privileged EXEC mode.
  • Page 167: Displaying The Dns Configuration

    If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
  • Page 168: Configuring A Message-Of-The-Day Login Banner

    User Access Verification
    Password:
    Configuring a Login Banner
    You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt.
  • Page 169: Managing The Mac Address Table

    • MAC Addresses and VLANs, page 8-20
    • Default MAC Address Table Configuration, page 8-20
    • Changing the Address Aging Time, page 8-21
    • Removing Dynamic Address Entries, page 8-21
  • Page 170: Building The Address Table

    Table 8-3 shows the default MAC address table configuration.
    Table 8-3 Default MAC Address Table Configuration
    Feature - Default Setting
    Aging time - 300 seconds
    Dynamic addresses - Automatically learned
    Static addresses - None configured
  • Page 171: Changing The Address Aging Time

    MAC address activity for each hardware port for which the trap is enabled. MAC address notifications are generated for dynamic and secure MAC addresses; events are not generated for self addresses, multicast addresses, or other static addresses.
  • Page 172 Enable the MAC notification trap whenever a MAC address is added on this interface. Enable the MAC notification trap whenever a MAC address is removed from this interface. Step 8 Return to privileged EXEC mode.
  • Page 173: Adding And Removing Static Address Entries

    You add a static address to the address table by specifying the destination MAC unicast address and the VLAN from which it is received. Packets received with this destination address are forwarded to the interface specified with the interface-id option.
  • Page 174: Configuring Unicast Mac Address Filtering

    % Only unicast addresses can be configured to be dropped
    % CPU destined address cannot be configured as drop address
    • Packets that are forwarded to the CPU are also not supported.
  • Page 175: Disabling Mac Address Learning On A Vlan

    MAC addresses. Before you disable MAC address learning, be sure that you are familiar with the network topology and the switch system configuration. Disabling MAC address learning on a VLAN could cause flooding in the network.
  • Page 176 Switch(config)# no mac address-table learning vlan 200
    You can display the MAC address learning status of all VLANs or a specified VLAN by entering the show mac-address-table learning [vlan vlan-id] privileged EXEC command.
  • Page 177: Displaying Address Table Entries

    ARP entries added manually to the table do not age and must be manually removed.
    Note: For CLI procedures, see the Cisco IOS Release 12.2 documentation from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline.
  • Page 178 Chapter 8 Administering the Switch Managing the ARP Table
  • Page 179: Chapter 9 Configuring Ptp

    Configuring PTP
    This chapter describes how to configure the Precision Time Protocol (PTP) on the Cisco IE 3000 switch.
    • Understanding PTP, page 9-1
    • Configuring PTP, page 9-1
    • Displaying the PTP Configuration, page 9-4...
  • Page 180: Default Configuration

    PTP priority1 and PTP priority2 - Default priority number is 128
    PTP announce interval - 2 seconds
    PTP announce timeout - 8 seconds
    PTP delay request interval - 32 seconds
    PTP sync interval - 1 second
    PTP sync limit - 50000 nanoseconds
  • Page 181: Setting Up Ptp

    Enter the number of the switch port, including port type (such as Fa for Fast Ethernet and Gi for Gigabit Ethernet), the base switch number (1), and the specific port number. For example: Fa1/1 is Fast Ethernet port 1 on the base switch.
  • Page 182: Displaying The Ptp Configuration

    FastEthernet interface - Display the PTP FastEthernet properties on the specified port.
    show ptp GigabitEthernet interface - Display the PTP GigabitEthernet properties on the specified port.
    show ptp time-property - Display the PTP time properties.
  • Page 183: Chapter 10 Configuring Sdm Templates

    Table 10-1 Approximate Number of Feature Resources Allowed by Each Template Resource Default Dual Unicast MAC addresses IPv4 IGMP groups
  • Page 184: Configuring The Switch Sdm Template

    message is generated.
    • Using the dual stack templates results in less TCAM capacity allowed for each resource, so do not use them if you plan to forward only IPv4 traffic.
  • Page 185: Setting The Sdm Template

    Use the show sdm prefer privileged EXEC command with no parameters to display the active template. Use the show sdm prefer [default | dual-ipv4-and-ipv6 default | qos] privileged EXEC command to display the resource numbers supported by the specified template.
  • Page 186 Chapter 10 Configuring SDM Templates Displaying the SDM Templates
  • Page 187: Configuring Switch-Based Authentication

    If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair. For more information, see the “Configuring Username and Password Pairs” section on page 11-6.
  • Page 188: Protecting Access To Privileged Exec Commands

    Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.
    Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 189: Setting Or Changing A Static Enable Password

    We recommend that you use the enable secret command because it uses an improved encryption algorithm. If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
  • Page 190 By default, no password is defined. • (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password that you...
  • Page 191: Disabling Password Recovery

    Disable password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 192: Setting A Telnet Password For A Terminal Line

    If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
  • Page 193: Configuring Multiple Privilege Levels

    Configuring Multiple Privilege Levels By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
  • Page 194: Setting The Privilege Level For A Command

    This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands:
    Switch(config)# privilege exec level 14 configure
    Switch(config)# enable password level 14 SecretPswd14
  • Page 195: Changing The Default Privilege Level For Lines

    Log in to a specified privilege level. For level, the range is 0 to 15. Step 2 disable level Exit to a specified privilege level. For level, the range is 0 to 15.
  • Page 196: Controlling Switch Access With Tacacs

    (AAA) and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2. These sections contain this configuration information: Understanding TACACS+, page 11-10 •...
  • Page 197 The TACACS+ protocol provides authentication between the switch and the TACACS+ daemon, and it ensures confidentiality because all protocol exchanges between the switch and the TACACS+ daemon are encrypted. You need a system running the TACACS+ daemon software to use TACACS+ on your switch.
  • Page 198: Tacacs+ Operation

    This process continues until there is successful communication with a listed method or the method list is exhausted.
  • Page 199: Default Tacacs+ Configuration

    TACACS+ daemon. You must configure the same key on the TACACS+ daemon for encryption to be successful. Step 3 aaa new-model Enable AAA.
  • Page 200: Configuring Tacacs+ Login Authentication

    Beginning in privileged EXEC mode, follow these steps to configure login authentication:

    |  | Command | Purpose |
    | --- | --- | --- |
    | Step 1 | configure terminal | Enter global configuration mode. |
    | Step 2 | aaa new-model | Enable AAA. |
  • Page 201 For list-name, specify the list created with the aaa authentication login command. Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 202: Configuring Tacacs+ Authorization For Privileged Exec Access And Network Services

    HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >...
  • Page 203: Starting Tacacs+ Accounting

    RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 204: Understanding Radius

    • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication.
    • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 205: Radius Operation

    You can use method lists to designate one or more security protocols to be used (such as TACACS+ or local username lookup), thus ensuring a backup system if the initial method fails. The...
  • Page 206: Default Radius Configuration

    (The RADIUS host entries are tried in the order that they are configured.)
  • Page 207 11-29. You can configure the switch to use AAA server groups to group existing server hosts for authentication. For more information, see the “Defining AAA Server Groups” section on page 11-25.
  • Page 208 This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:

        Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
        Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2
  • Page 209: Configuring Radius Login Authentication

    Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.

    |  | Command | Purpose |
    | --- | --- | --- |
    | Step 1 | configure terminal | Enter global configuration mode. |
    | Step 2 | aaa new-model | Enable AAA. |
  • Page 210 For list-name, specify the list created with the aaa authentication login command. Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 211: Defining Aaa Server Groups

    HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline >...
  • Page 212 Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2. Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries.
  • Page 213: Configuring Radius Authorization For User Privileged Access And Network Services

    • Use the local database if authentication was not performed by using RADIUS.
    Note: Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
  • Page 214: Starting Radius Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 215: Configuring Settings For All Radius Servers

    1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
  • Page 216 Note: For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, see the “RADIUS Attributes” appendix in the Cisco IOS Security Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 217: Configuring The Switch For Vendor-Proprietary Radius Server Communication

    Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
  • Page 218: Displaying The Radius Configuration

    (Optional) Save your entries in the configuration file. To disable AAA, use the no aaa new-model global configuration command. To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
  • Page 219: Configuring The Switch For Secure Shell

    You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 220: Limitations

    11-35. When generating the RSA key pair, the message No host name specified might appear. If it does, you must configure a hostname by using the hostname global configuration command.
  • Page 221: Setting Up The Switch To Run Ssh

    Follow these steps to set up your switch to run SSH: Download the cryptographic software image from Cisco.com. This step is required. For more information, see the release notes for this release. Configure a hostname and IP domain name for the switch. Follow this procedure only if you are configuring the switch as an SSH server.
  • Page 222: Configuring The Ssh Server

    Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default SSH control parameters, use the no ip ssh {timeout | authentication-retries} global configuration command.
  • Page 223: Displaying The Ssh Configuration And Status

    • Displaying Secure HTTP Server and Client Status, page 11-43
    For configuration examples and complete syntax and usage information for the commands used in this section, see the “HTTPS - HTTP Server and Client with SSL 3.0” feature description for Cisco IOS Release 12.2(15)T at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a008015a4c6.
  • Page 224: Certificate Authority Trustpoints

    (pages) back to the HTTP secure server, which, in turn, responds to the original request. The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application.
  • Page 225: Ciphersuites

    For additional information on Certificate Authorities, see the “Configuring Certification Authority Interoperability” chapter in the Cisco IOS Security Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 226: Configuring Secure Http Servers And Clients

    Specify a local configuration name for the CA trustpoint and enter CA trustpoint configuration mode. Step 6 enrollment url url Specify the URL to which the switch should send certificate requests.
  • Page 227: Configuring The Secure Http Server

    (Optional) Specify the port number to be used for the HTTPS server. The default port number is 443. Valid options are 443 or any number in the range 1025 to 65535.
  • Page 228 IP address or hostname of the server switch. If you configure a port other than the default port, you must also specify the port number after the URL. For example:

        https://209.165.129:1026
        https://host.domain.com:1026
  • Page 229: Configuring The Secure Http Client

    | Command | Purpose |
    | --- | --- |
    | … secure status | Shows the HTTP secure client configuration. |
    | show ip http server secure status | Shows the HTTP secure server configuration. |
    | show running-config | Shows the generated self-signed certificate for secure HTTP connections. |
  • Page 230: Configuring The Switch For Secure Copy Protocol

    A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
  • Page 231: Understanding Ieee 802.1X Port-Based Authentication

    IEEE 802.1x port-based authentication prevents unauthorized devices (clients) from gaining access to the network. The IE 3000 switch command reference and the “RADIUS Commands” section in the Cisco IOS Security Command Reference, Release 12.2, have command syntax and usage information.
  • Page 232: Device Roles

    LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. In this release, the RADIUS security system with Extensible...
  • Page 233: Authentication Process

    Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 234 After 802.1x authentication using a RADIUS server is configured, the switch uses timers based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]). The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which re-authentication occurs.
  • Page 235: Authentication Initiation And Message Exchange

    The specific exchange of EAP frames depends on the authentication method being used. Figure 12-3 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server.
  • Page 236 MAC authentication bypass. [Figure 12-4: Message Exchange During MAC Authentication Bypass. Participants: client, switch, authentication server (RADIUS). Messages shown: EAPOL Request/Identity (three times), Ethernet packet, RADIUS Access/Request, RADIUS Access/Accept.]
  • Page 237: Authentication Manager

    In Cisco IOS Release 12.2(46)SE and earlier, you could not use the same authorization methods, including CLI commands and messages, on this switch and also on other network devices, such as a Catalyst 6000.
  • Page 238: Per-User Acls And Filter-Ids

    ACL configured on another device running Cisco IOS software, such as a Catalyst 6000 switch. In Cisco IOS Release 12.2(50)SE or later, the ACLs configured on the switch are compatible with other devices running Cisco IOS release.
  • Page 239: Ports In Authorized And Unauthorized States

    802.1x-based authentication of the client. This is the default setting.
    • force-unauthorized—causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the port.
  • Page 240: 802.1X Host Mode

    With the multiple-hosts mode enabled, you can use 802.1x authentication to authenticate the port and port security to manage network access for all MAC addresses, including that of the client. [Figure 12-5: Multiple Host Mode Example. Elements shown: authentication server (RADIUS), access point, wireless clients.]
  • Page 241: Multidomain Authentication

    The switch supports multidomain authentication (MDA), which allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.
  • Page 242: 802.1X Multiple Authentication Mode

    • Re-authentication successfully occurs.
    • Re-authentication fails.
    The switch does not log 802.1x accounting information. Instead, it sends this information to the RADIUS server, which must be configured to log accounting messages.
  • Page 243: 802.1X Accounting Attribute-Value Pairs

    You can view the AV pairs that are being sent by the switch by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2 at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_book09186a...
  • Page 244: 802.1X Readiness Check

    Voice device authentication is supported with multidomain host mode in Cisco IOS Release 12.2(37)SE. In Cisco IOS Release 12.2(40)SE and later, when a voice device is authorized and the RADIUS server returned an authorized VLAN, the voice VLAN on the port is configured to send and receive packets on the assigned voice VLAN.
  • Page 245: 802.1X Authentication With Downloadable Acls And Redirect Urls

    If no ACLs are downloaded during 802.1x authentication, the switch applies the static default ACL on the port to the host. On a voice VLAN port, the switch applies the ACL only to the phone.
  • Page 246: Cisco Secure Acs And Attribute-Value Pairs For The Redirect Url

    ACL, this ACL takes precedence over the default ACL that is configured on the switch port. However, if the switch receives a host access policy from the Cisco Secure ACS but the default ACL is not configured, the authorization failure is declared.
  • Page 247: 802.1X Authentication With Guest Vlan

    VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports. The switch supports MAC authentication bypass in Cisco IOS Release 12.2(25)SEE and later. When MAC authentication bypass is enabled on an 802.1x port, the switch can authorize clients based on the client MAC address when 802.1x authentication times out while waiting for an EAPOL message...
  • Page 248: 802.1X Authentication With Restricted Vlan

    Other port security features such as dynamic ARP Inspection, DHCP snooping, and IP source guard can be configured independently on a restricted VLAN. For more information, see the “Configuring a Restricted VLAN” section on page 12-43.
  • Page 249: 802.1X Authentication With Inaccessible Authentication Bypass

    • 802.1x accounting—Accounting is not affected if the RADIUS servers are unavailable.
    • Private VLAN—You can configure inaccessible authentication bypass on a private VLAN host port. The access VLAN must be a secondary private VLAN.
  • Page 250: 802.1X Authentication With Voice Vlan Ports

    Note: If you enable 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds. For more information about voice VLANs, see Chapter 15, “Configuring VLANs.”...
  • Page 251: 802.1X Authentication With Wake-On-Lan

    EAPOL packets. The host can receive packets but cannot send packets to other devices in the network. Note: If PortFast is not enabled on the port, the port is forced to the bidirectional state.
  • Page 252: 802.1X Authentication With Mac Authentication Bypass

    • 802.1x authentication—You can enable MAC authentication bypass only if 802.1x authentication is enabled on the port.
    • Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a guest VLAN if one is configured.
  • Page 253: Network Admission Control Layer 2 802.1X Validation

    For more information see the “Configuring Flexible Authentication Ordering” section on page 12-54.
  • Page 254: Open1X Authentication

    user traffic from multiple VLANs coming from supplicant switches. This can be achieved by configuring the cisco-av-pair as device-traffic-class=switch at the ACS. (You can configure this under the group or user settings.)
  • Page 255: Web Authentication

    You can configure a port to use only web authentication. You can also configure the port to first try and use 802.1x authentication and then to use web authorization if the client does not support 802.1x authentication. Web authentication requires two Cisco Attribute-Value (AV) pair attributes: • The first attribute, , must always be set to 15.
  • Page 256: Web Authentication With Automatic Mac Check

    Configuring 802.1x Authentication
    These sections contain this configuration information:
    • Default 802.1x Authentication Configuration, page 12-27
    • 802.1x Authentication Configuration Guidelines, page 12-28
    • Configuring 802.1x Readiness Check, page 12-31 (optional)
  • Page 257: Default 802.1X Authentication Configuration

    The port sends and receives normal traffic without 802.1x-based authentication of the client. Disabled. RADIUS server IP address None specified. UDP authentication port 1812. None specified.
  • Page 258: 802.1X Authentication Configuration Guidelines

    • 802.1x Authentication, page 12-29
    • VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass, page 12-29
    • MAC Authentication Bypass, page 12-30
    • Maximum Number of Allowed Devices Per Port, page 12-30
  • Page 259: 802.1X Authentication

    You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x guest VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports.
  • Page 260: Mac Authentication Bypass

    • In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN.
  • Page 261: Configuring 802.1X Readiness Check

    This example shows how to enable a readiness check on a switch to query a port. It also shows the response received from the queried port verifying that the device connected to it is 802.1x-capable:

        switch# dot1x test eapol-capable interface gigabitethernet1/2
        DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/2 is EAPOL capable
  • Page 262: Configuring 802.1X Violation Modes

    (AAA) and specify the authentication method list. A method list describes the sequence and authentication method to be queried to authenticate a user. To allow VLAN assignment, you must enable AAA authorization to configure the switch for all network-related service requests.
  • Page 263 Enable 802.1x authentication on the port. For feature interaction information, see the “802.1x Authentication Configuration Guidelines” section on page 12-28. dot1x port-control auto Step 11 Return to privileged EXEC mode.
  • Page 264: Configuring The Switch-To-Radius-Server Communication

    Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.
  • Page 265: Configuring The Host Mode

    802.1x-authorized port that has the dot1x port-control interface configuration command set to auto. Use the multi-domain keyword to configure multidomain authentication (MDA) to enable authentication of both a host and a voice device, such as an IP phone (Cisco or non-Cisco) on the same switch port. This procedure is optional.
  • Page 266 • multi-domain–Allow both a host and a voice device, such as an IP phone (Cisco or non-Cisco), to be authenticated on an 802.1x-authorized port. Note: You must configure the voice VLAN for the IP phone when the host mode is set to multi-domain.
  • Page 267: Configuring Periodic Re-Authentication

    To disable periodic re-authentication, use the no authentication periodic or the no dot1x reauthentication interface configuration command. To return to the default number of seconds between re-authentication attempts, use the no authentication timer or the no dot1x timeout reauth-period interface configuration command.
  • Page 268: Manually Re-Authenticating A Client Connected To A Port

    To return to the default quiet time, use the no dot1x timeout quiet-period interface configuration command. This example shows how to set the quiet time on the switch to 30 seconds:

        Switch(config-if)# dot1x timeout quiet-period 30
  • Page 269: Changing The Switch-To-Client Retransmission Time

    Note: You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
  • Page 270: Setting The Re-Authentication Number

    Set the number of times that the switch restarts the authentication process before the port changes to the unauthorized state. The range is 0 to 10; the default is 2. Step 4 Return to privileged EXEC mode.
  • Page 271: Configuring 802.1X Accounting

    … start-stop group radius (Optional) Enables system accounting (using the list of all RADIUS servers) and generates system accounting reload event messages when the switch reloads. Step 5 Return to privileged EXEC mode.
  • Page 272: Configuring A Guest Vlan

    (Optional) Save your entries in the configuration file. To disable and remove the guest VLAN, use the no dot1x guest-vlan interface configuration command. The port returns to the unauthorized state.
  • Page 273: Configuring A Restricted Vlan

    To disable and remove the restricted VLAN, use the no dot1x auth-fail vlan interface configuration command. The port returns to the unauthorized state. This example shows how to enable VLAN 2 as an 802.1x restricted VLAN:

        Switch(config)# interface gigabitethernet1/2
        Switch(config-if)# dot1x auth-fail vlan 2
  • Page 274 To return to the default value, use the no dot1x auth-fail max-attempts interface configuration command. This example shows how to set 2 as the number of authentication attempts allowed before the port moves to the restricted VLAN:

        Switch(config-if)# dot1x auth-fail max-attempts 2
  • Page 275: Configuring The Inaccessible Authentication Bypass Feature

    (Optional) Set the number of minutes that a RADIUS server is not sent requests. The range is from 0 to 1440 minutes (24 hours). The default is 0 minutes.
  • Page 276 Step 6 interface interface-id Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “802.1x Authentication Configuration Guidelines” section on page 12-28.
  • Page 277: Configuring 802.1X Authentication With Wol

    Enter global configuration mode. Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “802.1x Authentication Configuration Guidelines” section on page 12-28.
  • Page 278: Configuring Mac Authentication Bypass

    Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “802.1x Authentication Configuration Guidelines” section on page 12-28. Step 3 authentication port-control auto Enable 802.1x authentication on the port. dot1x port-control auto
  • Page 279: Configuring Nac Layer 2 802.1X Validation

    You can configure any active VLAN except an RSPAN VLAN, or a voice VLAN as an 802.1x guest VLAN. Step 4 authentication periodic Enable periodic re-authentication of the client, which is disabled by default. dot1x reauthentication
  • Page 280: Configuring 802.1X Switch Supplicant With Neat

    “802.1x Switch Supplicant with Network Edge Access Topology (NEAT)” section on page 12-24. Note: The cisco-av-pairs must be configured as device-traffic-class=switch on the ACS, which sets the interface as a trunk after the supplicant is successfully authenticated. Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator:...
  • Page 281 Attach the 802.1x credentials profile to the interface. Step 11 Return to privileged EXEC mode. Step 12 show running-config interface Verify your configuration. interface-id Step 13 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 282: Configuring 802.1X Authentication With Downloadable Acls And Redirect Urls

    Note: The acl-id is an access list name or number. Step 8 show running-config interface interface-id Verify your configuration. Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 283: Configuring A Downloadable Policy

    Step 10 radius-server vsa send authentication Configures the network access server to recognize and use vendor-specific attributes. Note: The downloadable ACL must be operational. Step 11 Returns to privileged EXEC mode.
  • Page 284: Configuring Flexible Authentication Ordering

    This example shows how to configure a port to attempt 802.1x authentication first, followed by web authentication as a fallback method:

        Switch# configure terminal
        Switch(config)# interface gigabitethernet 1/0/1
        Switch(config)# authentication order dot1x webauth
  • Page 285: Configuring Open1X

    (AAA) and RADIUS on a switch before configuring web authentication. The steps enable AAA by using RADIUS authentication and enable device tracking.

    |  | Command | Purpose |
    | --- | --- | --- |
    | Step 1 | configure terminal | Enter global configuration mode. |
    | Step 2 | aaa new-model | Enable AAA. |
  • Page 286

        Switch(config)# aaa authentication login default group radius
        Switch(config)# aaa authorization auth-proxy default group radius
        Switch(config)# radius-server host 1.1.1.2 key key1
        Switch(config)# radius-server attribute 8 include-in-access-req
        Switch(config)# radius-server vsa send authentication
        Switch(config)# ip device tracking
        Switch(config)# end
  • Page 287 Return to privileged EXEC mode.

    | Step | Command | Purpose |
    |---|---|---|
    | Step 7 | interface interface-id | Specify the port to be configured, and enter interface configuration mode. |
    | Step 8 | switchport mode access | Set the port to access mode. |
  • Page 288: Disabling 802.1X Authentication On The Port

    Beginning in privileged EXEC mode, follow these steps to disable 802.1x authentication on the port. This procedure is optional.

    | Step | Command | Purpose |
    |---|---|---|
    | Step 1 | configure terminal | Enter global configuration mode. |
    | Step 2 | interface interface-id | Specify the port to be configured, and enter interface configuration mode. |
  • Page 289: Resetting The 802.1X Authentication Configuration To The Default Values

    EXEC command. For detailed information about the fields in these displays, see the command reference for this release.
  • Page 290 Chapter 12 Configuring IEEE 802.1x Port-Based Authentication Displaying 802.1x Statistics and Status
  • Page 291: Configuring Interface Characteristics

    Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the Cisco IOS Interface Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 292: Port-Based Vlans

    VLAN assigned to the port. If an access port receives a tagged packet (IEEE 802.1Q tagged), the packet is dropped, and the source address is not learned.
  • Page 293: Trunk Ports

    Catalyst 6500 series switch; the IE 3000 switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 17, “Configuring Voice VLAN.”...
  • Page 294: Dual-Purpose Uplink Ports

    [Figure: Switch, Host A, Host B, VLAN 20, VLAN 30]

    Using Interface Configuration Mode
    The switch supports these interface types:
      • Physical ports—switch ports
      • VLANs—switch virtual interfaces
      • Port channels—EtherChannel interfaces
  • Page 295 switch model are 1–4 for the Fast Ethernet ports and 1–2 for the Gigabit Ethernet ports. The port numbers for the IE-3000-8TC switch model are 1–8 for the Fast Ethernet ports and 1–2 for the Gigabit Ethernet ports. Table 13-1 shows the switch and module combinations and the interface numbers.
  • Page 296: Procedures For Configuring Interfaces

    You can use the interface range global configuration command to configure multiple interfaces with the same configuration parameters. When you enter the interface-range configuration mode, all command parameters that you enter are attributed to all interfaces within that range until you exit this mode.
  • Page 297 The show running-config privileged EXEC command displays the configured VLAN interfaces. VLAN interfaces not displayed by the show running-config command cannot be used with the interface range command.
  • Page 298: Configuring And Using Interface Range Macros

    Show the defined interface range macro configuration.

    | Step | Command | Purpose |
    |---|---|---|
    | Step 6 | copy running-config startup-config | (Optional) Save your entries in the configuration file. |

    Use the no define interface-range macro_name global configuration command to delete a macro.
  • Page 299 This example shows how to delete the interface-range macro enet_list and to verify that it was deleted.

        Switch# configure terminal
        Switch(config)# no define interface-range enet_list
        Switch(config)# end
        Switch# show run | include define
        Switch#
  • Page 300: Configuring Ethernet Interfaces

    “Configuring Protected Ports” section on page 26-6.
    Port security: Disabled. See the “Default Port Security Configuration” section on page 26-11.
    Port Fast: Disabled. See the “Default Optional Spanning-Tree Configuration” section on page 20-9.
  • Page 301: Setting The Type Of A Dual-Purpose Uplink Port

    Enabled.
    Note: The switch might not support a pre-standard powered device—such as Cisco IP phones and access points that do not fully support IEEE 802.3af—if that powered device is connected to the switch through a crossover cable. This is regardless of whether auto-MDIX is enabled on the switch port.
  • Page 302 If the link goes down, the switch disables the RJ-45 side and selects the SFP module interface.
      • When the 100BASE-x SFP module is removed, the switch again dynamically selects the type (auto-select) and re-enables the RJ-45 side.
  • Page 303: Configuring Interface Speed And Duplex Mode

      • When STP is enabled and a port is reconfigured, the switch can take up to 30 seconds to check for loops. The port LED is amber while STP reconfigures.

    Caution: Changing the interface speed and duplex mode configuration might shut down and re-enable the interface during the reconfiguration.
  • Page 304: Setting The Interface Speed And Duplex Parameters

        Switch(config-if)# speed 10
        Switch(config-if)# duplex half

    This example shows how to set the interface speed to 100 Mb/s on a 10/100/1000 Mb/s port:

        Switch# configure terminal
        Switch(config)# interface gigabitethernet1/2
        Switch(config-if)# speed 100
  • Page 305: Configuring Ieee 802.3X Flow Control

    To disable flow control, use the flowcontrol receive off interface configuration command. This example shows how to turn on flow control on a port:

        Switch# configure terminal
        Switch(config)# interface gigabitethernet1/1
        Switch(config-if)# flowcontrol receive on
        Switch(config-if)# end
  • Page 306: Configuring Auto-Mdix On An Interface

    To disable auto-MDIX, use the no mdix auto interface configuration command. This example shows how to enable auto-MDIX on a port:

        Switch# configure terminal
        Switch(config)# interface gigabitethernet1/1
        Switch(config-if)# speed auto
        Switch(config-if)# duplex auto
        Switch(config-if)# mdix auto
        Switch(config-if)# end
  • Page 307: Adding A Description For An Interface

    You cannot set the MTU size for an individual interface; you set it for all 10/100 or all Gigabit Ethernet interfaces on the switch. When you change the system or jumbo MTU size, you must reset the switch before the new configuration takes effect.
  • Page 308: Monitoring And Maintaining The Interfaces

    These sections contain interface monitoring and maintenance information:
      • Monitoring Interface Status, page 13-19
      • Clearing and Resetting Interfaces and Counters, page 13-19
      • Shutting Down and Restarting the Interface, page 13-20
  • Page 309: Monitoring Interface Status

    ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 310: Shutting Down And Restarting The Interface

    Use the no shutdown interface configuration command to restart the interface. To verify that an interface is disabled, enter the show interfaces privileged EXEC command. A disabled interface is shown as administratively down in the display.
  • Page 311: Chapter 14 Configuring Smartports Macros

    Configuring Smartports Macros
      • Default Smartports Configuration, page 14-1
      • Smartports Configuration Guidelines, page 14-2
      • Applying Smartports Macros, page 14-3

    Default Smartports Configuration
    There are no Smartports macros enabled on the switch.
  • Page 312: Smartports Configuration Guidelines

    PC, to a switch port. This macro is optimized for industrial automation traffic.
    cisco-ie-phone: Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-ie-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
  • Page 313: Applying Smartports Macros

    Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro:

    | Step | Command | Purpose |
    |---|---|---|
    | Step 1 | show parser macro | Display the Cisco-default Smartports macros embedded in the switch software. |
    | Step 2 | show parser macro name macro-name | Display the specific macro that you want to apply. |
  • Page 314 You can delete a macro-applied configuration on a port by entering the default interface interface-id interface configuration command. This example shows how to display the cisco-ie-desktop macro, how to apply the macro and to set the access VLAN ID to 25 on an interface:...
  • Page 315: Displaying Smartports Macros

    Displays a specific Smartports macro.

    | Command | Purpose |
    |---|---|
    | show parser macro brief | Displays the Smartports macro names. |
    | show parser macro description [interface interface-id] | Displays the Smartports macro description for all interfaces or for a specified interface. |
  • Page 316 Chapter 14 Configuring Smartports Macros Displaying Smartports Macros
  • Page 317: Chapter 15 Configuring Vlans

    Note: Before you create VLANs, you must decide whether to use VLAN Trunking Protocol (VTP) to maintain global VLAN configuration for your network. For more information on VTP, see Chapter 16, “Configuring VTP.”
  • Page 318: Supported Vlans

    VLAN Configuration Guidelines” section on page 15-5 for more information about the number of spanning-tree instances and the number of VLANs. The switch supports only IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
  • Page 319: Vlan Port Membership Modes

    Dynamic-Access Ports on VMPS Clients” section on page 15-26.
    Voice VLAN: A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic... VTP is not required; it has no effect on a voice VLAN.
  • Page 320: Configuring Normal-Range Vlans

    This section does not provide configuration details for most of these parameters. For complete information on the commands and parameters that control VLAN configuration, see the command reference for this release.
  • Page 321: Token Ring Vlans

    VLANs), the new VLAN is carried on all trunk ports. Depending on the topology of the network, this could create a loop in the new VLAN that would not be broken, particularly if there...
  • Page 322: Vlan Configuration Mode Options

    VTP mode is transparent, they are also saved in the switch running configuration file. You can enter the copy running-config startup-config privileged EXEC command to save the configuration in the startup configuration file. To display the VLAN configuration, enter the show vlan privileged EXEC command.
  • Page 323: Default Ethernet Vlan Configuration

    1 to 4294967294 VLAN ID)

    | Parameter | Default | Range |
    |---|---|---|
    | MTU size | 1500 | 1500 to 18190 |
    | Translational bridge 1 | | 0 to 1005 |
    | Translational bridge 2 | | 0 to 1005 |
    | VLAN state | active | active, suspend |
    | Remote SPAN | disabled | enabled, disabled |
  • Page 324: Creating Or Modifying An Ethernet Vlan

    This example shows how to use config-vlan mode to create Ethernet VLAN 20, name it test20, and add it to the VLAN database:

        Switch# configure terminal
        Switch(config)# vlan 20
        Switch(config-vlan)# name test20
        Switch(config-vlan)# end
  • Page 325: Deleting A Vlan

    VTP transparent mode, the VLAN is deleted only on that specific switch. You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005.
  • Page 326: Assigning Static-Access Ports To A Vlan

    Assign the port to a VLAN. Valid VLAN IDs are 1 to 4094.

    | Step | Command | Purpose |
    |---|---|---|
    | Step 5 | | Return to privileged EXEC mode. |
    | Step 6 | show running-config interface interface-id | Verify the VLAN membership mode of the interface. |
  • Page 327: Configuring Extended-Range Vlans

    Ethernet VLANs. You can change only the MTU size and the remote SPAN configuration state on extended-range VLANs; all other characteristics must remain at the default state.
  • Page 328: Extended-Range Vlan Configuration Guidelines

    Beginning in privileged EXEC mode, follow these steps to create an extended-range VLAN:

    | Step | Command | Purpose |
    |---|---|---|
    | Step 1 | configure terminal | Enter global configuration mode. |
    | Step 2 | vtp mode transparent | Configure the switch for VTP transparent mode, disabling VTP. |
  • Page 329: Displaying Vlans

    | Command | Command mode | Purpose |
    |---|---|---|
    | show | VLAN database configuration | Display status of VLANs in the VLAN database. |
    | show current [vlan-id] | VLAN database configuration | Display status of all or the specified VLAN in the VLAN database. |
  • Page 330: Configuring Vlan Trunks

      • To enable trunking to a device that does not support DTP, use the switchport mode trunk and switchport nonegotiate interface configuration commands to cause the interface to become a trunk but to not generate DTP frames.
  • Page 331: Ieee 802.1Q Configuration Considerations

    VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
  • Page 332: Default Layer 2 Ethernet Interface Vlan Configuration

      • If you try to enable IEEE 802.1x on a trunk port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, the port mode is not changed.
  • Page 333: Configuring A Trunk Port

    IEEE 802.1Q trunking.

        Switch# configure terminal
        Enter configuration commands, one per line. End with CNTL/Z.
        Switch(config)# interface gigabitethernet1/2
        Switch(config-if)# switchport mode dynamic desirable
        Switch(config-if)# end
  • Page 334: Defining The Allowed Vlans On A Trunk

    Note: VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.
  • Page 335: Changing The Pruning-Eligible List

    VLAN configured for the port. The native VLAN is VLAN 1 by default.
    Note: The native VLAN can be assigned any VLAN ID.
  • Page 336: Configuring Trunk Ports For Load Sharing

      • VLANs 8 through 10 are assigned a port priority of 16 on Trunk 1.
      • VLANs 3 through 6 retain the default port priority of 128 on Trunk 1.
  • Page 337 When the trunk links come up, VTP passes the VTP and VLAN information to Switch B. Verify that Switch B has learned the VLAN configuration.

    | Step | Command | Purpose |
    |---|---|---|
    | Step 15 | configure terminal | Enter global configuration mode on Switch A. |
  • Page 338: Load Sharing Using Stp Path Cost

    Enter global configuration mode on Switch A.

    | Step | Command | Purpose |
    |---|---|---|
    | Step 2 | interface gigabitethernet0/1 | Define the interface to be configured as a trunk, and enter interface configuration mode. |
    | Step 3 | switchport mode trunk | Configure the port as a trunk port. |
  • Page 339: Configuring Vmps

      • “Configuring the VMPS Client” section on page 15-25
      • “Monitoring the VMPS” section on page 15-28
      • “Troubleshooting Dynamic-Access Port VLAN Membership” section on page 15-29
      • “VMPS Configuration Example” section on page 15-29
  • Page 340: Understanding Vmps

    If the link goes down on a dynamic-access port, the port returns to an isolated state and does not belong to a VLAN. Any hosts that come online through the port are checked again through the VQP with the VMPS before the port is assigned to a VLAN.
  • Page 341: Default Vmps Client Configuration

      • The VLAN configured on the VMPS server should not be a voice VLAN.

    Configuring the VMPS Client
    You configure dynamic VLANs by using the VMPS (server). The switch can be a VMPS client; it cannot be a VMPS server.
  • Page 342: Entering The Ip Address Of The Vmps

    | Step | Command | Purpose |
    |---|---|---|
    | Step 4 | switchport access vlan dynamic | Configure the port as eligible for dynamic VLAN membership. The dynamic-access port must be connected to an end station. |
    | Step 5 | | Return to privileged EXEC mode. |
  • Page 343: Reconfirming Vlan Memberships

    | Step | Command | Purpose |
    |---|---|---|
    | Step 5 | copy running-config startup-config | (Optional) Save your entries in the configuration file. |

    To return the switch to its default setting, use the no vmps reconfirm global configuration command.
  • Page 344: Changing The Retry Count

        Switch# show vmps
        VQP Client Status:
        --------------------
        VMPS VQP Version:
        Reconfirm Interval: 60 min
        Server Retry Count: 3
        VMPS domain server: 172.20.128.86 (primary, current)
                            172.20.128.87

        Reconfirmation status
        ---------------------
        VMPS Action: other
  • Page 345: Troubleshooting Dynamic-Access Port Vlan Membership

      • The Catalyst 6500 series Switch C and Switch J are secondary VMPS servers.
      • End stations are connected to the clients, Switch B and Switch I.
      • The database configuration file is stored on the TFTP server with the IP address 172.20.22.7.
  • Page 346 [Figure: VMPS example network diagram; labels include Switch E through Switch J, client switch I, dynamic-access port, trunk port, station 2, Catalyst 6500 series secondary VMPS Server 3, and addresses 172.20.26.155 through 172.20.26.159]
  • Page 347: Chapter 16 Configuring Vtp

    VTP only learns about normal-range VLANs (VLAN IDs 1 to 1005). Extended-range VLANs (VLAN IDs greater than 1005) are not supported by VTP or stored in the VTP VLAN database.
  • Page 348: The Vtp Domain

    For domain name and password configuration guidelines, see the “VTP Configuration Guidelines” section on page 16-7.
  • Page 349: Vtp Modes

      • VTP domain name
      • VTP configuration revision number
      • Update identity and update timestamp
      • MD5 digest VLAN configuration, including maximum transmission unit (MTU) size for each VLAN.
      • Frame format
  • Page 350: Vtp Version 2

    Switch D are assigned to the Red VLAN. If a broadcast is sent from the host connected to Switch A, Switch A floods the broadcast and every switch in the network receives it, even though Switches C, E, and F have no ports in the Red VLAN.
  • Page 351 VTP pruning does not prune traffic from VLANs that are pruning-ineligible. VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs higher than 1005) are also pruning-ineligible.
  • Page 352: Default Vtp Configuration

    Version 1 (Version 2 is disabled).
    VTP password: None.
    VTP pruning: Disabled.

    VTP Configuration Options
      • VTP Configuration in Global Configuration Mode, page 16-7
      • VTP Configuration in VLAN Database Configuration Mode, page 16-7
  • Page 353: Vtp Configuration In Global Configuration Mode

    VTP domain with the same domain name. Switches in VTP transparent mode do not exchange VTP messages with other switches, and you do not need to configure a VTP domain name for them.
  • Page 354: Passwords

    When you configure VTP, you must configure a trunk port so that the switch can send and receive VTP advertisements to and from other switches in the domain. For more information, see the “Configuring VLAN Trunks” section on page 15-14.
  • Page 355: Configuring A Vtp Server

    This example shows how to use global configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:

        Switch# config terminal
        Switch(config)# vtp mode server
        Switch(config)# vtp domain eng_group
        Switch(config)# vtp password mypassword
        Switch(config)# end
  • Page 356 This example shows how to use VLAN database configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:

        Switch# vlan database
        Switch(vlan)# vtp server
        Switch(vlan)# vtp domain eng_group
        Switch(vlan)# vtp password mypassword
        Switch(vlan)# exit
        APPLY completed.
        Exiting..
        Switch#
  • Page 357: Configuring A Vtp Client

    VLAN database configuration command to return the switch to a no-password state. When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain.
  • Page 358: Disabling Vtp (Vtp Transparent Mode)

    VLAN database configuration command to return the switch to VTP server mode. If extended-range VLANs are configured on the switch, you cannot change VTP mode to server. You receive an error message, and the configuration is not allowed.
  • Page 359: Enabling Vtp Version 2

    Note: You can also enable VTP Version 2 by using the vlan database privileged EXEC command to enter VLAN database configuration mode and by entering the vtp v2-mode VLAN database configuration command. To disable VTP Version 2, use the no vtp v2-mode VLAN database configuration command.
  • Page 360: Enabling Vtp Pruning

    If you add a switch that has a revision number higher than the revision number in the VTP domain, it can erase all VLAN information from the VTP server and VTP domain.
  • Page 361 Note: You can use the vtp mode transparent global configuration command or the vtp transparent VLAN database configuration command to disable VTP on the switch, and then change its VLAN information without affecting the other switches in the VTP domain.
  • Page 362: Monitoring Vtp

    EXEC commands for monitoring VTP activity.

    Table 16-3 VTP Monitoring Commands

    | Command | Purpose |
    |---|---|
    | show vtp status | Display the VTP switch configuration information. |
    | show vtp counters | Display counters about VTP messages that have been sent and received. |
  • Page 363: Chapter 17 Configuring Voice Vlan

    The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When the switch is connected to a Cisco 7960 IP Phone, the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS.
  • Page 364: Cisco Ip Phone Voice Traffic

    Cisco IP Phone Voice Traffic You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports...
  • Page 365: Configuring Voice Vlan

    VLAN, the Port Fast feature is not automatically disabled.
      • If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN: They both use IEEE 802.1p or untagged frames.
  • Page 366: Configuring A Port Connected To A Cisco 7960 Ip Phone

    Because a Cisco 7960 IP Phone also supports a connection to a PC or other device, a port connecting the switch to a Cisco IP Phone can carry mixed traffic. You can configure a port to decide how the Cisco IP Phone carries voice traffic and data traffic.
  • Page 367 (Optional) Save your entries in the configuration file. This example shows how to configure a port connected to a Cisco IP Phone to use the CoS value to classify incoming traffic, to use IEEE 802.1p priority tagging for voice traffic, and to use the default...
  • Page 368: Configuring The Priority Of Incoming Data Frames

    Configuring the Priority of Incoming Data Frames You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.1p frames), you can configure the switch to send CDP packets to instruct the phone how to send data packets from the device attached to the access port on the Cisco IP Phone.
  • Page 369: Configuring Stp

    This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the IE3000 switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.
  • Page 370: Stp Overview

    Note: The default is for the switch to send keepalive messages (to ensure the connection is up) only on interfaces that do not have small form-factor pluggable (SFP) modules. You can use the [no] keepalive interface configuration command to change the default for an interface.
  • Page 371: Spanning-Tree Topology And Bpdus

    LAN is called the designated port. All paths that are not needed to reach the root switch from anywhere in the switched network are placed in the spanning-tree blocking mode.
  • Page 372: Bridge Id, Switch Priority, And Extended System Id

      • Forwarding—The interface forwards frames.
      • Disabled—The interface is not participating in spanning tree because of a shutdown port, no link on the port, or no spanning-tree instance running on the port.
  • Page 373: Blocking State

    BPDU is sent to each switch interface. A switch initially functions as the root until it exchanges BPDUs with other switches. This exchange establishes which switch in the network is the root or root switch. If...
  • Page 374: Listening State

    An interface in the forwarding state performs these functions:
      • Receives and forwards frames received on the interface
      • Forwards frames switched from another interface
      • Learns addresses
      • Receives BPDUs
  • Page 375: Disabled State

    Ethernet link. By changing the spanning-tree port priority on the Gigabit Ethernet port to a higher priority (lower numerical value) than the root port, the Gigabit Ethernet port becomes the new root port.
  • Page 376: Spanning Tree And Redundant Connectivity

    The accelerated aging is the same as the forward-delay parameter value (spanning-tree vlan vlan-id forward-time seconds global configuration command) when the spanning tree reconfigures.
  • Page 377: Spanning-Tree Modes And Protocols

    Spanning-Tree Modes and Protocols
    The switch supports these spanning-tree modes and protocols:
      • PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
  • Page 378: Spanning-Tree Interoperability And Backward Compatibility

    VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
  • Page 379: Configuring Spanning-Tree Features

    Spanning-tree VLAN port cost (configurable on a per-VLAN basis): 1000 Mb/s: 4. 100 Mb/s: 19. 10 Mb/s: 100.
    Spanning-tree timers: Hello time: 2 seconds. Forward-delay time: 15 seconds. Maximum-aging time: 20 seconds. Transmit hold count: 6 BPDUs
  • Page 380: Spanning-Tree Configuration Guidelines

    Configuration Guidelines” section on page 20-10.
    Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
  • Page 381: Changing The Spanning-Tree Mode

    (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree mode global configuration command. To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
  • Page 382: Disabling Spanning Tree

    ID support will become the root switch. The extended system ID increases the switch priority value every time the VLAN number is greater than the priority of the connected switches running older software.
  • Page 383 Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id root global configuration command.
  • Page 384: Configuring A Secondary Root Switch

    (higher numerical values) that you want selected last. If all interfaces have the same priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.
  • Page 385 To return to the default setting, use the no spanning-tree [vlan vlan-id] port-priority interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree port priorities, see the “Configuring Trunk Ports for Load Sharing” section on page 15-20.
  • Page 386: Configuring Path Cost

    The show spanning-tree interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration.
  • Page 387: Configuring The Switch Priority Of A Vlan

    Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id priority global configuration command.
  • Page 388: Configuring Spanning-Tree Timers

    Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id hello-time global configuration command.
  • Page 389: Configuring The Forwarding-Delay Time For A Vlan

    Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id max-age global configuration command.
  • Page 390: Configuring The Transmit Hold-Count

    You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 391: Configuring Mstp

    This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the IE 3000 switch. The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard.
  • Page 392: Understanding Mstp

    Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a special instance for a region, known as the internal spanning tree (IST). All other MST instances are numbered from 1 to 4094.
  • Page 393: Operations Within An Mst Region

    CST, which includes all MST regions and all legacy STP switches in the network. The MST instances combine with the IST at the boundary of the region to become the CST.
  • Page 394 VLAN cost, and port VLAN priority) can be configured on both the CST instance and the MST instance. MSTP switches use Version 3 RSTP BPDUs or IEEE 802.1D STP BPDUs to communicate with legacy IEEE 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches.
  • Page 395: Ieee 802.1S Terminology

    Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network. Because the CIST is the only spanning-tree instance that spans the whole network, only the CIST parameters require the external rather than the internal or regional qualifiers.
  • Page 396: Boundary Ports

    The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary, unless it is running in an STP-compatible mode.
  • Page 397: Interoperation Between Legacy And Standard Switches

    Detecting Unidirectional Link Failure: This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
  • Page 398: Interoperability With Ieee 802.1D Stp

    • Rapid Convergence, page 19-9 • Synchronization of Port Roles, page 19-11 • Bridge Protocol Data Unit Format and Processing, page 19-12 For configuration information, see the “Configuring MSTP Features” section on page 19-13.
  • Page 399: Port Roles And The Active Topology

    Disabled Disabled Discarding To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of discarding. Designated ports start in the listening state. Rapid Convergence: The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN.
  • Page 400 [Figure: Proposal and Agreement Handshaking for Rapid Convergence. Legend: DP = designated port, RP = root port, F = forwarding.]
  • Page 401: Synchronization Of Port Roles

    [Figure: Sequence of Events During Rapid Convergence. Labeled events: 1. Proposal, 2. Block, 3. Block, 4. Agreement, 5. Forward, 6. Proposal, 7. Proposal, 8. Agreement, 9. Forward, 10. Agreement, 11. Forward. Legend: edge port, root port, designated port.]
  • Page 402: Bridge Protocol Data Unit Format And Processing

    RSTP sets the port to the blocking state but does not send the agreement message. The designated port continues sending BPDUs with the proposal flag set until the forward-delay timer expires, at which time the port transitions to the forwarding state.
  • Page 403: Processing Inferior Bpdu Information

    • Default MSTP Configuration, page 19-14 • MSTP Configuration Guidelines, page 19-14 • Specifying the MST Region Configuration and Enabling MSTP, page 19-15 (required) • Configuring the Root Switch, page 19-17 (optional)
  • Page 404: Default Mstp Configuration

    • For two or more switches to be in the same MST region, they must have the same VLAN-to-instance map, the same configuration revision number, and the same name.
  • Page 405: Specifying The Mst Region Configuration And Enabling Mstp

    Beginning in privileged EXEC mode, follow these steps to specify the MST region configuration and enable MSTP. This procedure is required. Step 1: configure terminal (enter global configuration mode). Step 2: spanning-tree mst configuration (enter MST configuration mode).
  • Page 406 Switch(config)# spanning-tree mst configuration Switch(config-mst)# instance 1 vlan 10-20 Switch(config-mst)# name region1 Switch(config-mst)# revision 1 Switch(config-mst)# show pending Pending MST configuration Name [region1] Revision Instance Vlans Mapped -------- ---------------------
  • Page 407: Configuring The Root Switch

    Note: After configuring the switch as the root switch, we recommend that you avoid manually configuring the hello time, forward-delay time, and maximum-age time through the spanning-tree mst hello-time, spanning-tree mst forward-time, and the spanning-tree mst max-age global configuration commands.
  • Page 408: Configuring A Secondary Root Switch

    You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command.
  • Page 409: Configuring Port Priority

    Enter global configuration mode. Step 2 interface interface-id Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces. The port-channel range is 1 to 6.
  • Page 410: Configuring Path Cost

    Enter global configuration mode. Step 2 interface interface-id Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces. The port-channel range is 1 to 6.
  • Page 411: Configuring The Switch Priority

    Note: Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
  • Page 412: Configuring The Hello Time

    Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst hello-time global configuration command.
  • Page 413: Configuring The Forwarding-Delay Time

    Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst max-age global configuration command.
  • Page 414: Configuring The Maximum-Hop Count

    Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
  • Page 415: Designating The Neighbor Type

    To restart the protocol migration process (force the renegotiation with neighboring switches) on the switch, use the clear spanning-tree detected-protocols privileged EXEC command. To restart the protocol migration process on a specific interface, use the clear spanning-tree detected-protocols interface interface-id privileged EXEC command.
  • Page 416: Displaying The Mst Configuration And Status

    Displays MST information for the specified interface. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 417: Understanding Optional Spanning-Tree Features

    • Understanding BPDU Filtering, page 20-3 • Understanding UplinkFast, page 20-3 • Understanding BackboneFast, page 20-5 • Understanding EtherChannel Guard, page 20-7 • Understanding Root Guard, page 20-8 • Understanding Loop Guard, page 20-9
  • Page 418: Understanding Port Fast

    To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred.
  • Page 419: Understanding Bpdu Filtering

    Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 20-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops.
  • Page 420 Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in a blocking state.
  • Page 421: Understanding Backbonefast

    (an indirect link) has failed (that is, the designated switch has lost its connection to the root switch). Under spanning-tree rules, the switch ignores inferior BPDUs for the configured maximum aging time specified by the spanning-tree vlan vlan-id max-age global configuration command.
  • Page 422 Forward Delay time if the default Forward Delay time of 15 seconds is set. Figure 20-6 shows how BackboneFast reconfigures the topology to account for the failure of link L1.
  • Page 423: Understanding Etherchannel Guard

    If the switch detects a misconfiguration on the other device, EtherChannel guard places the switch interfaces in the error-disabled state, and displays an error message. You can enable this feature by using the spanning-tree etherchannel guard misconfig global configuration command.
  • Page 424: Understanding Root Guard

    Desired root switch Enable the root-guard feature on these interfaces to prevent switches in the customer network from becoming the root switch or being in the path to the root.
  • Page 425: Understanding Loop Guard

    Globally disabled (unless they are individually configured per interface). UplinkFast: globally disabled. BackboneFast: globally disabled. EtherChannel guard: globally enabled. Root guard: disabled on all interfaces. Loop guard: disabled on all interfaces.
  • Page 426: Optional Spanning-Tree Configuration Guidelines

    By default, Port Fast is disabled on all interfaces. Step 4 Return to privileged EXEC mode. Step 5 show spanning-tree interface interface-id portfast Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 427: Enabling Bpdu Guard

    Enable the Port Fast feature. Step 5 Return to privileged EXEC mode. Step 6 show running-config Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 428: Enabling Bpdu Filtering

    To disable BPDU filtering, use the no spanning-tree portfast bpdufilter default global configuration command. You can override the setting of the no spanning-tree portfast bpdufilter default global configuration command by using the spanning-tree bpdufilter enable interface configuration command.
  • Page 429: Enabling Uplinkfast For Use With Redundant Links

    Note: If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs. This feature is supported for use with third-party switches.
  • Page 430: Enabling Etherchannel Guard

    EXEC command to verify the EtherChannel configuration. After the configuration is corrected, enter the shutdown and no shutdown interface configuration commands on the port-channel interfaces that were misconfigured.
  • Page 431: Enabling Root Guard

    Beginning in privileged EXEC mode, follow these steps to enable loop guard. This procedure is optional. Step 1: show spanning-tree active or show spanning-tree mst (verify which interfaces are alternate or root ports). Step 2: configure terminal (enter global configuration mode).
  • Page 432: Displaying The Spanning-Tree Status

    You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 433: Chapter 21 Configuring Resilient Ethernet Protocol

    This chapter describes how to use Resilient Ethernet Protocol (REP) on the IE 3000 switch. REP is a Cisco proprietary protocol that provides an alternative to Spanning Tree Protocol (STP) to control network loops, handle link failures, and improve convergence time. REP controls a group of ports connected in a segment, ensures that the segment does not create any bridging loops, and responds to link failures within the segment.
  • Page 434 In case of a link failure, the alternate ports are unblocked as quickly as possible. When the failed link comes back up, a logically blocked port per VLAN is selected with minimal disruption to the network.
  • Page 435: Link Integrity

    When a segment port is coming up, its LSL starts sending packets that include the segment ID and the port ID. The port is declared as operational after it performs a three-way handshake with a neighbor in the same segment.
  • Page 436: Fast Convergence

    By default, REP packets are sent to a BPDU class MAC address. The packets can also be sent to the Cisco multicast address, which is used only to send blocked port advertisement (BPA) messages when there is a failure in the segment. The packets are dropped by devices not running REP.
  • Page 437 If you change an edge port to a regular segment port, the existing VLAN load balancing status does not change. Configuring a new edge port might cause a new topology configuration.
  • Page 438: Spanning Tree Interaction

    • Configuring the REP Administrative VLAN, page 21-8 • Configuring REP Interfaces, page 21-9 • Setting Manual Preemption for VLAN Load Balancing, page 21-12 • Configuring SNMP Traps for REP, page 21-13
  • Page 439: Default Rep Configuration

    • REP interfaces come up in a blocked state and remain in a blocked state until notified that it is safe to unblock. You need to be aware of this to avoid sudden connection losses.
  • Page 440: Configuring The Rep Administrative Vlan

    • REP sends all LSL PDUs in untagged frames on the native VLAN. The BPA message sent to the Cisco multicast address is sent on the administration VLAN, which is VLAN 1 by default. • You can configure how long a REP interface remains up without receiving a hello from a neighbor.
  • Page 441: Configuring Rep Interfaces

    Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 48. Step 3 switchport mode trunk Configure the interface as a Layer 2 trunk port.
  • Page 442 STCNs. • Enter segment id-list to identify one or more segments to receive STCNs. The range is 1 to 1024. • Enter stp to send STCNs to STP networks.
  • Page 443 The interface is configured to remain up for 6000 milliseconds without receiving a hello from a neighbor. Switch# configure terminal Switch (conf)# interface gigabitethernet1/1 Switch (conf-if)# rep segment 1 edge primary
  • Page 444: Setting Manual Preemption For Vlan Load Balancing

    Be sure that all other segment configuration has been completed before manually preempting VLAN load balancing. When you enter the rep preempt segment segment-id command, a confirmation message appears before the command is executed because preemption can cause network disruption.
  • Page 445: Configuring Snmp Traps For Rep

    Displays REP configuration and status for an interface or for all interfaces. show rep topology [segment segment_id] [archive] [detail]: Displays REP topology information for a segment or for all segments, including the primary and secondary edge ports in the segment.
  • Page 446 Chapter 21 Configuring Resilient Ethernet Protocol Monitoring REP
  • Page 447: Understanding Flex Links And The Mac Address-Table Move Update

    STP on the switch. If the switch is running STP, Flex Links is not necessary because STP already provides link-level redundancy or backup.
  • Page 448: Vlan Flex Link Load Balancing And Support

    VLANs. This way, apart from providing the redundancy, this Flex Link pair can be used for load balancing. Also, Flex Link VLAN load-balancing does not impose any restrictions on uplink switches.
  • Page 449: Flex Link Multicast Fast Convergence

    When the backup link starts forwarding, to achieve faster convergence of multicast data, the downstream switch immediately sends proxy reports for all the learned groups on this port without waiting for a general query.
  • Page 450: Leaking Igmp Reports

    Gi1/1 Here is output for the show ip igmp snooping mrouter command for VLANs 1 and 401: Switch# show ip igmp snooping mrouter Vlan ports ---- ----- Gi1/1(dynamic), Gi1/2(dynamic) Gi1/1(dynamic), Gi1/2(dynamic)
  • Page 451 VLAN 1, which is interested in two multicast groups: Switch# show ip igmp snooping groups Vlan Group Type Version Port List ----------------------------------------------------------------------- 228.1.5.1 igmp Gi1/1, Gi1/2, Gi1/1 228.1.5.2 igmp Gi1/1, Gi1/2, Gi1/1
  • Page 452: Mac Address-Table Move Update

    100 milliseconds (ms). The PC is directly connected to switch A, and the connection status does not change. Switch A does not need to update the PC entry in the MAC address table.
  • Page 453: Configuring Flex Links And The Mac Address-Table Move Update

    • Configuration Guidelines, page 22-8 • Configuring Flex Links, page 22-9 • Configuring VLAN Load Balancing on Flex Links, page 22-11 • Configuring the MAC Address-Table Move Update Feature, page 22-12
  • Page 454: Default Configuration

    • You can enable and configure this feature on the access switch to send the MAC address-table move updates. • You can enable and configure this feature on the uplink switches to receive the MAC address-table move updates.
  • Page 455: Configuring Flex Links

    Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 6.
  • Page 456 GigabitEthernet1/1 GigabitEthernet1/2 Active Up/Backup Standby Interface Pair : Gi1/1, Gi1/2 Preemption Mode : forced Preemption Delay : 50 seconds Bandwidth : 100000 Kbit (Gi1/1), 100000 Kbit (Gi1/2) Mac Address Move Update Vlan : auto
  • Page 457: Configuring Vlan Load Balancing On Flex Links

    Switch#show interfaces switchport backup Switch Backup Interface Pairs: Active Interface Backup Interface State ------------------------------------------------------------------------ GigabitEthernet1/1 GigabitEthernet1/2 Active Down/Backup Up Vlans Preferred on Active Interface: 1-50 Vlans Preferred on Backup Interface: 60, 100-120
  • Page 458: Configuring The Mac Address-Table Move Update Feature

    VLAN ID on the interface, which is used for sending the MAC address-table move update. When one link is forwarding traffic, the other interface is in standby mode.
  • Page 459 Enter global configuration mode. Step 2 mac address-table move update receive Enable the switch to get and process the MAC address-table move updates. Step 3 Return to privileged EXEC mode.
  • Page 460: Monitoring Flex Links And The Mac Address-Table Move Update

    When VLAN load balancing is enabled, the output displays the preferred VLANs on Active and Backup interfaces. show mac address-table move update: Displays the MAC address-table move update information on the switch.
  • Page 461: Chapter 23 Configuring Dhcp Features And Ip Source Guard

    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release, and see the “DHCP Commands” section in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 462: Dhcp Server

    For information about the DHCP client, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Configuration Guides.
  • Page 463: Option-82 Data Insertion

    DHCP server do not reside on the same IP network or subnet, a DHCP relay agent (the Catalyst switch) is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.
  • Page 464 – Circuit-ID type – Length of the circuit-ID type • Remote-ID suboption fields – Suboption type – Length of the suboption type – Remote-ID type – Length of the remote-ID type
  • Page 465: Dhcp Snooping Binding Database

    If the file is not updated in a specified time (set by the write-delay and abort-timeout values), the update stops.
  • Page 466: Configuring Dhcp Snooping

    • Enabling DHCP Snooping and Option 82, page 23-9 • Enabling the DHCP Snooping Binding Database Agent, page 23-11 Default DHCP Snooping Configuration: Table 23-1 shows the default DHCP snooping configuration.
  • Page 467: Dhcp Snooping Configuration Guidelines

    • DHCP server and the DHCP relay agent are configured and enabled. • When you globally enable DHCP snooping on the switch, these Cisco IOS commands are not available until snooping is disabled. If you enter these commands, the switch returns an error message, and the configuration is not applied.
  • Page 468: Configuring The Dhcp Relay Agent

    Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable the DHCP server and relay agent, use the no service dhcp global configuration command.
  • Page 469: Enabling Dhcp Snooping And Option 82

    See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software >...
  • Page 470: Enabling The Cisco Ios Dhcp Server Database

    Switch(config-if)# ip dhcp snooping limit rate 100 Enabling the Cisco IOS DHCP Server Database For procedures to enable and configure the Cisco IOS DHCP server database, see the “DHCP Configuration Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 471: Enabling The Dhcp Snooping Binding Database Agent

    To delete binding entries from the DHCP snooping binding database, use the no ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id privileged EXEC command. Enter this command for each entry that you want to delete.
  • Page 472: Displaying Dhcp Snooping Information

    IP source guard with source IP address filtering or with source IP and MAC address filtering. These sections contain this information: • Source IP Address Filtering, page 23-13 • Source IP and MAC Address Filtering, page 23-13
  • Page 473: Source Ip Address Filtering

    Static IP source binding can only be configured on a switch port. • When IP source guard with source IP filtering is enabled on an interface, DHCP snooping must be enabled on the access VLAN to which the interface belongs.
  • Page 474: Enabling Ip Source Guard

    Step 4 exit Return to global configuration mode. Step 5 ip source binding mac-address vlan vlan-id ip-address interface interface-id Add a static IP source binding. Enter this command for each static binding.
  • Page 475: Displaying Ip Source Guard Information

    DHCP would offer the same IP address to the replacement device. Control, monitoring, and other software expect a stable IP address associated with each device. If a device is replaced, the address assignment should remain stable even though the DHCP client has changed.
  • Page 476: Configuring Dhcp Server Port-Based Address Allocation

    In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP to the attached device. The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and not a third-party server.
  • Page 477: Enabling Dhcp Server Port-Based Address Allocation

    Step 5 | Return to privileged EXEC mode.
    Step 6 show ip dhcp pool | Verify DHCP pool configuration.
    Step 7 copy running-config startup-config | (Optional) Save your entries in the configuration file.
  • Page 478 For more information about configuring the DHCP server port-based address allocation feature, go to Cisco.com, and enter Cisco IOS IP Addressing Services in the Search field to access the Cisco IOS software documentation. You can also access the documentation at this URL: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html...
  • Page 479: Displaying Dhcp Server Port-Based Address Allocation

    Display the status and configuration of a specific interface.
    show ip dhcp pool | Display the DHCP address pools.
    show ip dhcp binding | Display address bindings on the Cisco IOS DHCP server.
  • Page 480 Chapter 23 Configuring DHCP Features and IP Source Guard Displaying DHCP Server Port-Based Address Allocation
  • Page 481: Chapter 24 Configuring Dynamic Arp Inspection

    A malicious user can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. Figure 24-1 shows an example of ARP cache poisoning.
  • Page 482 “Configuring ARP ACLs for Non-DHCP Environments” section on page 24-8. The switch logs dropped packets. For more information about the log buffer, see the “Logging of Dropped Packets” section on page 24-4.
  • Page 483: Interface Trust States And Network Security

    If Switch A is not running dynamic ARP inspection, Host 1 can easily poison the ARP cache of Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running dynamic ARP inspection.
  • Page 484: Rate Limiting Of Arp Packets

    After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
  • Page 485: Configuring Dynamic Arp Inspection

    The number of entries in the log is 32. The number of system messages is limited to 5 per second. The logging-rate interval is 1 second.
    Per-VLAN logging | All denied or dropped ARP packets are logged.
  • Page 486: Dynamic Arp Inspection Configuration Guidelines

    • When you enable dynamic ARP inspection on the switch, policers that were configured to police ARP traffic are no longer effective. The result is that all ARP traffic is sent to the CPU.
  • Page 487: Configuring Dynamic Arp Inspection In Dhcp Environments

    For more information, see the “Configuring the Log Buffer” section on page 24-13.
    Step 6 | Return to privileged EXEC mode.
  • Page 488: Configuring Arp Acls For Non-Dhcp Environments

    Define an ARP ACL, and enter ARP access-list configuration mode. By default, no ARP access lists are defined.
    Note: At the end of the ARP access list, there is an implicit deny ip any mac any command.
  • Page 489 ACL. Packets are permitted only if the access list permits them.
    Step 6 interface interface-id | Specify the Switch A interface that is connected to Switch B, and enter interface configuration mode.
  • Page 490: Limiting The Rate Of Incoming Arp Packets

    After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.
  • Page 491 To return to the default rate-limit configuration, use the no ip arp inspection limit interface configuration command. To disable error recovery for dynamic ARP inspection, use the no errdisable recovery cause arp-inspection global configuration command.
  • Page 492: Performing Validation Checks

    To disable checking, use the no ip arp inspection validate [src-mac] [dst-mac] [ip] global configuration command. To display statistics for forwarded, dropped, and MAC and IP validation failure packets, use the show ip arp inspection statistics privileged EXEC command.
  • Page 493: Configuring The Log Buffer

    The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds.
  • Page 494: Displaying Dynamic Arp Inspection Information

    VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with dynamic ARP inspection enabled (active). To clear or display dynamic ARP inspection statistics, use the privileged EXEC commands in Table 24-3:
  • Page 495 Clears the dynamic ARP inspection log buffer.
    show ip arp inspection log | Displays the configuration and contents of the dynamic ARP inspection log buffer.
    For more information about these commands, see the command reference for this release.
  • Page 496 Chapter 24 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information
  • Page 497: Chapter 25 Configuring Igmp Snooping And Mvr

    Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the “IP Multicast Routing Commands” section in the Cisco IOS IP Command Reference, Volume 3 of 3:Multicast, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 498: Igmp Versions

    Note: The switch supports IGMPv3 snooping based only on the destination multicast MAC address. It does not support snooping based on the source MAC address or on proxy reports.
  • Page 499: Joining A Multicast Group

    The host associated with that interface receives multicast traffic for that multicast group. See Figure 25-1.
    [Figure 25-1: Initial IGMP Join Message]
  • Page 500 [Figure: Router A, forwarding table, Host 1 to Host 4]
    Table 25-2 Updated IGMP Snooping Forwarding Table
    Destination Address | Type of Packet | Ports
    224.1.2.3 | IGMP | 1, 2, 5
  • Page 501: Leaving A Multicast Group

    100 to 5000 milliseconds. The timer can be set either globally or on a per-VLAN basis. The VLAN configuration of the leave time overrides the global configuration. For configuration steps, see the “Configuring the IGMP Leave Timer” section on page 25-10.
  • Page 502: Igmp Report Suppression

    Default IGMP Snooping Configuration
    Table 25-3 shows the default IGMP snooping configuration.
    Table 25-3 Default IGMP Snooping Configuration
    Feature | Default Setting
    IGMP snooping | Enabled globally and per VLAN
    Multicast routers | None configured
  • Page 503: Enabling Or Disabling Igmp Snooping

    (Optional) Save your entries in the configuration file. To disable IGMP snooping on a VLAN interface, use the no ip igmp snooping vlan vlan-id global configuration command for the specified VLAN number.
  • Page 504: Setting The Snooping Method

    • Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets
    • Listening to Cisco Group Management Protocol (CGMP) packets from other routers
    • Statically connecting to a multicast router port with the ip igmp snooping mrouter global...
  • Page 505: Configuring A Multicast Router Port

    IP address.
    • interface-id is the member port. It can be a physical interface or a port channel (1 to 6).
    Step 3 | Return to privileged EXEC mode.
  • Page 506: Enabling Igmp Immediate Leave

    • Configuring the leave time on a VLAN overrides the global setting.
    • The default leave time is 1000 milliseconds.
    • The IGMP configurable leave time is only supported on hosts running IGMP Version 2.
  • Page 507: Configuring Tcn-Related Commands

    1 general query. If you set the count to 7, the flooding continues until 7 general queries are received. Groups are relearned based on the general queries received during the TCN event.
  • Page 508: Recovering From Flood Mode

    Step 5 copy running-config startup-config | (Optional) Save your entries in the configuration file.
    To return to the default query solicitation, use the no ip igmp snooping tcn query solicit global configuration command.
  • Page 509: Disabling Multicast Flooding During A Tcn Event

    • When it is administratively enabled, the IGMP snooping querier moves to the operationally disabled state under these conditions:
      – IGMP snooping is disabled in the VLAN.
      – PIM is enabled on the SVI of the corresponding VLAN.
  • Page 510
    Switch(config)# ip igmp snooping querier timeout expiry 60
    Switch(config)# end
    This example shows how to set the IGMP snooping querier feature to version 2:
    Switch# configure terminal
    Switch(config)# ip igmp snooping querier version 2
    Switch(config)# end
  • Page 511: Disabling Igmp Report Suppression

    command options instead of the actual entries.
    • dynamic—Display entries learned through IGMP snooping.
    • user—Display only the user-configured multicast entries.
  • Page 512: Understanding Multicast Vlan Registration

    MVR reacts only to join and leave messages from multicast groups configured under MVR. Join and leave messages from all other multicast groups are managed by IGMP snooping.
  • Page 513: Using Mvr In A Multicast Television Application

    VLAN as a forwarding destination of the specified multicast stream when it is received from the multicast VLAN. Uplink ports that send and receive multicast data to and from the multicast VLAN are called MVR source ports.
  • Page 514 Multicast traffic for all channels is only sent around the VLAN trunk once—only on the multicast VLAN. The IGMP leave and join messages are in the VLAN to which the subscriber port is assigned.
  • Page 515: Configuring Mvr

    (that is, the maximum number of television channels that can be received) is 256.
    • MVR multicast data received in the source VLAN and leaving from receiver ports has its time-to-live (TTL) decremented by 1 in the switch.
  • Page 516: Configuring Mvr Global Parameters

    Step 7 | Return to privileged EXEC mode.
    Step 8 show mvr or show mvr members | Verify the configuration.
    Step 9 copy running-config startup-config | (Optional) Save your entries in the configuration file.
  • Page 517: Configuring Mvr Interfaces

    (Optional) Enable the Immediate-Leave feature of MVR on the port.
    Note: This command applies to only receiver ports and should only be enabled on receiver ports to which a single receiver device is connected.
  • Page 518
    Switch(config-if)# mvr type receiver
    Switch(config-if)# mvr vlan 22 group 228.1.23.4
    Switch(config-if)# mvr immediate
    Switch(config)# end
    Switch# show mvr interface
    Port   Type      Status       Immediate Leave
    ----   ----      -------      ---------------
    Gi1/2  RECEIVER  ACTIVE/DOWN  ENABLED
  • Page 519: Displaying Mvr Information

    It does not control general IGMP queries. IGMP filtering has no relationship with the function that directs the forwarding of IP multicast traffic. The filtering feature operates in the same manner whether CGMP or MVR is used to forward the multicast traffic.
  • Page 520: Default Igmp Filtering And Throttling Configuration

    When you are in IGMP profile configuration mode, you can create the profile by using these commands:
    • deny: Specifies that matching addresses are denied; this is the default.
    • exit: Exits from igmp-profile configuration mode.
    • no: Negates a command or returns to its defaults.
  • Page 521: Applying Igmp Profiles

    You cannot apply profiles to ports that belong to an EtherChannel port group. You can apply a profile to multiple interfaces, but each interface can have only one profile applied to it.
  • Page 522: Setting The Maximum Number Of Igmp Groups

    The range is 0 to 4294967294. The default is to have no maximum set.
    Step 4 | Return to privileged EXEC mode.
    Step 5 show running-config interface interface-id | Verify the configuration.
    Step 6 copy running-config startup-config | (Optional) Save your entries in the configuration file.
  • Page 523: Configuring The Igmp Throttling Action

    • replace—Replace the existing group with the new group for which the IGMP report was received.
  • Page 524: Displaying Igmp Filtering And Throttling Configuration

    interface-id] | Displays the configuration of the specified interface or the configuration of all interfaces on the switch, including (if configured) the maximum number of IGMP groups to which an interface can belong and the IGMP profile applied to the interface.
  • Page 525: Chapter 26 Configuring Port-Based Traffic Control

    The switch counts the number of packets of a specified type received within the 1-second time interval and compares the measurement with a predefined suppression-level threshold.
  • Page 526 Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface. (Cisco IOS Release 12.2(44)SE or later) With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding.
  • Page 527: Default Storm Control Configuration

    Beginning in privileged EXEC mode, follow these steps to configure storm control and threshold levels:
    Command | Purpose
    Step 1 configure terminal | Enter global configuration mode.
    Step 2 interface interface-id | Specify the interface to be configured, and enter interface configuration mode.
  • Page 528
    • Select the shutdown keyword to error-disable the port during a storm.
    • Select the trap keyword to generate an SNMP trap when a storm is detected.
    Step 5 | Return to privileged EXEC mode.
  • Page 529: Configuring Small-Frame Arrival Rate

    Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by the switch, but they do not cause the switch storm-control counters to increment. In Cisco IOS Release 12.2(44)SE and later, you can configure a port to be error disabled if small frames arrive at a specified rate (threshold).
  • Page 530: Configuring Protected Ports

    • Default Protected Port Configuration, page 26-6
    • Protected Port Configuration Guidelines, page 26-7
    • Configuring a Protected Port, page 26-7
    Default Protected Port Configuration
    The default is to have no protected ports defined.
  • Page 531: Protected Port Configuration Guidelines

    • Blocking Flooded Traffic on an Interface, page 26-8
    Default Port Blocking Configuration
    The default is to not block flooding of unknown multicast and unicast traffic out of a port, but to flood these packets to all ports.
  • Page 532: Blocking Flooded Traffic On An Interface

    These sections contain this conceptual and configuration information:
    • Understanding Port Security, page 26-9
    • Default Port Security Configuration, page 26-11
    • Port Security Configuration Guidelines, page 26-11
  • Page 533: Understanding Port Security

    MAC addresses allowed in the system. This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.
  • Page 534: Security Violations

    1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
    2. The switch returns an error message if you manually configure an address that would cause a security violation.
    3. Shuts down only the VLAN on which the violation occurred.
  • Page 535: Default Port Security Configuration

    IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
  • Page 536: Enabling And Configuring Port Security

    Step 4 switchport voice vlan vlan-id | Enable voice VLAN on a port. vlan-id—Specify the VLAN to be used for voice traffic.
    Step 5 switchport port-security | Enable port security on the interface.
  • Page 537 The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.
  • Page 538 You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command.
  • Page 539 VLAN.
    Step 11 | Return to privileged EXEC mode.
    Step 12 show port-security | Verify your entries.
    Step 13 copy running-config startup-config | (Optional) Save your entries in the configuration file.
  • Page 540 This example shows how to configure a static secure MAC address on VLAN 3 on a port:
    Switch(config)# interface gigabitethernet1/2
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# switchport port-security
    Switch(config-if)# switchport port-security mac-address 0000.0200.0004 vlan 3
  • Page 541: Enabling And Configuring Port Security Aging

    Beginning in privileged EXEC mode, follow these steps to configure port security aging:
    Command | Purpose
    Step 1 configure terminal | Enter global configuration mode.
    Step 2 interface interface-id | Specify the interface to be configured, and enter interface configuration mode.
  • Page 542
    Switch(config-if)# switchport port-security aging time 2
    Switch(config-if)# switchport port-security aging type inactivity
    Switch(config-if)# switchport port-security aging static
    You can verify the previous commands by entering the show port-security interface interface-id privileged EXEC command.
  • Page 543: Displaying Port-Based Traffic Control Settings

    [interface interface-id] address | Displays all secure MAC addresses configured on all switch interfaces or on a specified interface with aging information for each address.
    show port-security interface interface-id vlan | Displays the number of secure MAC addresses configured per VLAN on the specified interface.
  • Page 544 Chapter 26 Configuring Port-Based Traffic Control Displaying Port-Based Traffic Control Settings
  • Page 545: Chapter 27 Configuring Lldp, Lldp-Med, And Wired Location Service

    Understanding LLDP, LLDP-MED, and Wired Location Service
    LLDP
    The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches). CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network.
  • Page 546: Lldp-Med

    Allows an endpoint to send detailed inventory information about itself to the switch, including hardware revision, firmware version, software version, serial number, manufacturer name, model name, and asset ID TLV.
  • Page 547: Wired Location Service

    The switch uses the wired location service feature to send location and attachment tracking information for its connected devices to a Cisco Mobility Services Engine (MSE). The tracked device can be a wireless endpoint, a wired endpoint, or a wired switch or controller. The switch notifies the MSE of device link up and link down events through the Network Mobility Services Protocol (NMSP) location and attachment notifications.
  • Page 548: Configuring Lldp, Lldp-Med, And Wired Location Service

    LLDP reinitialization delay | 2 seconds
    LLDP tlv-select | Disabled to send and receive all TLVs
    LLDP interface state | Disabled
    LLDP receive | Disabled
    LLDP transmit | Disabled
    LLDP med-tlv-select | Disabled to send all LLDP-MED TLVs
  • Page 549: Configuration Guidelines

    You can configure the frequency of LLDP updates, the amount of time to hold the information before discarding it, and the initialization delay time. You can also select the LLDP and LLDP-MED TLVs to send and receive.
  • Page 550: Configuring Lldp-Med Tlvs

    By using the lldp interface configuration command, you can configure the interface not to send the TLVs listed in Table 27-2.
    Table 27-2 LLDP-MED TLVs
    LLDP-MED TLV | Description
    inventory-management | LLDP-MED inventory management TLV
    location | LLDP-MED location TLV
  • Page 551: Configuring Network-Policy Tlv

    Command | Purpose
    Step 1 configure terminal | Enter global configuration mode.
    Step 2 network-policy profile profile number | Specify the network-policy profile number, and enter network-policy configuration mode. The range is 1 to 4294967295.
  • Page 552
    Switch(config-if)# lldp med-tlv-select network-policy
    This example shows how to configure the voice application type for the native VLAN with priority tagging:
    Switch(config-network-policy)# voice vlan dot1p cos 4
    Switch(config-network-policy)# voice vlan dot1p dscp 34
  • Page 553: Configuring Location Tlv And Wired Location Service

    Switch(config)# location civic-location identifier 1
    Switch(config-civic)# number 3550
    Switch(config-civic)# primary-road-name "Cisco Way"
    Switch(config-civic)# city "San Jose"
    Switch(config-civic)# state CA
    Switch(config-civic)# building 19
    Switch(config-civic)# room C6
    Switch(config-civic)# county "Santa Clara"
    Switch(config-civic)# country US
    Switch(config-civic)# end
  • Page 554: Monitoring And Maintaining Lldp, Lldp-Med, And Wired Location Service

    LLDP initializes on an interface.
    show lldp entry entry-name | Display information about a specific neighbor. You can enter an asterisk (*) to display all neighbors, or you can enter the neighbor name.
  • Page 555 TLVs.
    show location | Display the location information for an endpoint.
    show network-policy profile | Display the configured network-policy profiles.
    show nmsp | Display the NMSP information.
  • Page 556 Chapter 27 Configuring LLDP, LLDP-MED, and Wired Location Service Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service
  • Page 557: Chapter 28 Configuring Cdp

    Understanding CDP
    CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 558: Configuring Cdp

    The range is 10 to 255 seconds; the default is 180 seconds.
    Step 4 cdp advertise-v2 | (Optional) Configure CDP to send Version-2 advertisements. This is the default state.
    Step 5 | Return to privileged EXEC mode.
  • Page 559: Disabling And Enabling Cdp

    28-5.
    Disabling and Enabling CDP
    CDP is enabled by default.
    Note: Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 7, “Clustering Switches”...
  • Page 560: Disabling And Enabling Cdp On An Interface

    (Optional) Save your entries in the configuration file.
    This example shows how to enable CDP on a port when it has been disabled.
    Switch# configure terminal
    Switch(config)# interface gigabitethernet1/1
    Switch(config-if)# cdp enable
    Switch(config-if)# end
  • Page 561: Monitoring And Maintaining Cdp

    You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information.
    show cdp traffic | Display CDP counters, including the number of packets sent and received and checksum errors.
  • Page 562 Chapter 28 Configuring CDP Monitoring and Maintaining CDP
  • Page 563: Chapter 29 Configuring Udld

    A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device.
  • Page 564: Methods To Detect Unidirectional Links

    Because this behavior is the same on all UDLD neighbors, the sender of the echoes expects to receive an echo in reply.
  • Page 565: Configuring Udld

    • Default UDLD Configuration, page 29-4
    • Configuration Guidelines, page 29-4
    • Enabling UDLD Globally, page 29-5
    • Enabling UDLD on an Interface, page 29-5
    • Resetting an Interface Disabled by UDLD, page 29-6
  • Page 566: Default Udld Configuration

    both sides of the link.
    Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
  • Page 567: Enabling Udld Globally

    UDLD on a port:
    Command | Purpose
    Step 1 configure terminal | Enter global configuration mode.
    Step 2 interface interface-id | Specify the port to be enabled for UDLD, and enter interface configuration mode.
  • Page 568: Resetting An Interface Disabled By Udld

    To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
  • Page 569: Chapter 30 Configuring Span And Rspan

    You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.
  • Page 570: Local Span

    VLAN to a destination session monitoring the RSPAN VLAN. Each RSPAN source switch must have either ports or VLANs as RSPAN sources. The destination is always a physical port, as shown on Switch C in the figure.
  • Page 571: Span And Rspan Concepts And Terminology

    RSPAN VLAN. To configure an RSPAN destination session on another device, you associate the destination port with the RSPAN VLAN. The destination session collects all RSPAN VLAN traffic and sends it out the RSPAN destination port.
  • Page 572: Monitored Traffic

    SPAN; the destination port receives a copy of the packet even if the actual incoming packet is dropped. These features include IP standard and extended input access control lists (ACLs), ingress QoS policing, and egress QoS policing.
  • Page 573: Source Ports

    The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
  • Page 574: Source Vlans

    Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user, usually a network analyzer.
  • Page 575: Rspan Vlan

    • RSPAN VLANs must be configured in VLAN configuration mode by using the remote-span VLAN configuration mode command.
    • STP can run on RSPAN VLAN trunks but not on SPAN destination ports.
  • Page 576: Span And Rspan Interaction With Other Features

    For SPAN sessions, do not enable port security on ports with monitored egress when ingress forwarding is enabled on the destination port. For RSPAN source sessions, do not enable port security on any ports with monitored egress.
  • Page 577: Configuring Span And Rspan

    • SPAN Configuration Guidelines, page 30-10
    • Creating a Local SPAN Session, page 30-10
    • Creating a Local SPAN Session and Configuring Incoming Traffic, page 30-13
    • Specifying VLANs to Filter, page 30-15
  • Page 578: Span Configuration Guidelines

    | remote} For session_number, the range is 1 to 66. Specify all to remove all SPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.
  • Page 579

    This is the default.
    • rx—Monitor received traffic.
    • tx—Monitor sent traffic.
    Note: You can use the monitor session session_number source command multiple times to configure multiple source ports.
  • Page 580

    Switch(config)# monitor session 1 destination interface gigabitethernet1/2 encapsulation replicate
    Switch(config)# end
    This example shows how to remove port 1 as a SPAN source for SPAN session 1:
    Switch(config)# no monitor session 1 source interface gigabitethernet1/1
    Switch(config)# end
  • Page 581: Creating A Local Span Session And Configuring Incoming Traffic

    VLANs and the destination ports, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating a Local SPAN Session”...
  • Page 582

    IEEE 802.1Q encapsulation and VLAN 6 as the default ingress VLAN.
    Switch(config)# no monitor session 2
    Switch(config)# monitor session 2 source interface gigabitethernet1/1 rx
    Switch(config)# monitor session 2 destination interface gigabitethernet1/2 encapsulation replicate ingress dot1q vlan 6
    Switch(config)# end
  • Page 583: Specifying Vlans To Filter

    Step 8: copy running-config startup-config. Purpose: (Optional) Save the configuration in the configuration file.
    To monitor all VLANs on the trunk port, use the no monitor session session_number filter global configuration command.
  • Page 584: Configuring Rspan

    • You can configure any VLAN as an RSPAN VLAN as long as these conditions are met:
      – The same RSPAN VLAN is used for an RSPAN session in all the switches.
      – All participating switches support RSPAN.
  • Page 585: Configuring A Vlan As An Rspan Vlan

    To remove the remote SPAN characteristic from a VLAN and convert it back to a normal VLAN, use the no remote-span VLAN configuration command.
    This example shows how to create RSPAN VLAN 901.
    Switch(config)# vlan 901
    Switch(config-vlan)# remote-span
    Switch(config-vlan)# end
  • Page 586: Creating An Rspan Source Session

    show running-config. Purpose: Verify the configuration.
    Step 7: copy running-config startup-config. Purpose: (Optional) Save the configuration in the configuration file.
    To delete a SPAN session, use the no monitor session session_number global configuration command.
  • Page 587: Creating An Rspan Destination Session

    Specify the RSPAN session and the source RSPAN VLAN. remote vlan vlan-id For session_number, the range is 1 to 66. For vlan-id, specify the source RSPAN VLAN to monitor.
  • Page 588: Creating An Rspan Destination Session And Configuring Incoming Traffic

    RSPAN VLAN and the destination port, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating an RSPAN Destination...
  • Page 589

    VLAN 6 as the default receiving VLAN.
    Switch(config)# monitor session 2 source remote vlan 901
    Switch(config)# monitor session 2 destination interface gigabitethernet1/2 ingress vlan 6
    Switch(config)# end
  • Page 590: Specifying Vlans To Filter

    Switch(config)# no monitor session 2
    Switch(config)# monitor session 2 source interface gigabitethernet1/2 rx
    Switch(config)# monitor session 2 filter vlan 1 - 5, 9
    Switch(config)# monitor session 2 destination remote vlan 902
    Switch(config)# end
  • Page 591: Displaying Span And Rspan Status

    To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
  • Page 593: Chapter 31 Configuring Rmon

    Note: For complete syntax and usage information for the commands used in this chapter, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
    This chapter consists of these sections: •...
  • Page 594: Configuring Rmon

    • Configuring RMON Alarms and Events, page 31-3 (required)
    • Collecting Group History Statistics on an Interface, page 31-5 (optional)
    • Collecting Group Ethernet Statistics on an Interface, page 31-5 (optional)
  • Page 595: Default Rmon Configuration

    2147483647.
    • (Optional) For event-number, specify the event number to trigger when the rising or falling threshold exceeds its limit.
    • (Optional) For owner string, specify the owner of the alarm.
  • Page 596

    This example also generates an SNMP trap when the event is triggered.
    Switch(config)# rmon event 1 log trap eventtrap description "High ifOutErrors" owner jjones
  • Page 597: Collecting Group History Statistics On An Interface

    This procedure is optional.
    Step 1: configure terminal. Purpose: Enter global configuration mode.
    Step 2: interface interface-id. Purpose: Specify the interface on which to collect statistics, and enter interface configuration mode.
  • Page 598: Displaying Rmon Status

    For information about the fields in these displays, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 599: Chapter 32 Configuring System Message Logging

    This chapter describes how to configure system message logging on the IE 3000 switch. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 600: Configuring System Message Logging

    The part of the message preceding the percent sign depends on the setting of the service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime global configuration command.
  • Page 601: Default System Message Logging Configuration

    System message logging to the console: Enabled.
    Console severity: Debugging (and numerically lower levels; see Table 32-3 on page 32-9).
    Logging file configuration: No filename specified.
    Logging buffer size: 4096 bytes.
    Logging history size: 1 message.
  • Page 602: Disabling Message Logging

    When this command is enabled, messages appear only after you press Return. For more information, see the “Synchronizing Log Messages” section on page 32-6. To re-enable message logging after it has been disabled, use the logging on global configuration command.
  • Page 603: Setting The Message Display Destination Device

    You must perform this step for each session to see the debugging messages.
    Step 7: show running-config. Purpose: Verify your entries.
    Step 8: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
  • Page 604: Synchronizing Log Messages

    Or you can change the setting of the single vty line being used for your current connection. For example, to change the setting for vty line 2, enter:
    line vty 2
    When you enter this command, the mode changes to line configuration.
  • Page 605: Enabling And Disabling Time Stamps On Log Messages

    To disable time stamps for both debug and log messages, use the no service timestamps global configuration command.
    This example shows part of a logging display with the service timestamps log datetime global configuration command enabled:
    *Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
  • Page 606: Enabling And Disabling Sequence Numbers In Log Messages

    Table 32-3 on page 32-9).
    Step 3: logging monitor level. Purpose: Limit messages logged to the terminal lines. By default, the terminal receives debugging messages and numerically lower levels (see Table 32-3 on page 32-9).
  • Page 607

    Technical Assistance Center.
    • Interface up or down transitions and system restart messages, displayed at the notifications level. This message is only for information; switch functionality is not affected.
  • Page 608: Limiting Syslog Messages Sent To The History Table And To Snmp

    You can configure the size of the configuration log from 1 to 1000 entries (the default is 100). You can clear the log at any time by entering the no logging enable command followed by the logging enable command to disable and reenable logging.
  • Page 609

    [end-number] | statistics} [provisioning] privileged EXEC command to display the complete configuration log or the log for specified parameters. The default is that configuration logging is disabled. For information about the commands, see the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3 T at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a8086.html#wp1114989...
  • Page 610: Configuring Unix Syslog Servers

    Log messages to a UNIX syslog server host by entering its IP address. To build a list of syslog servers that receive logging messages, enter this command more than once.
  • Page 611: Displaying The Logging Configuration

    To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 613: Chapter 33 Configuring Snmp

    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
    This chapter consists of these sections: Understanding SNMP, page 33-1 •...
  • Page 614: Snmp Versions

    A combination of the security level and the security model determines which security mechanism is used when handling an SNMP packet. Available security models are SNMPv1, SNMPv2C, and SNMPv3.
  • Page 615: Snmp Manager Functions

    • Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS. The SNMP agent changes the value of the MIB variable to the value requested by the NMS.
  • Page 616: Snmp Community Strings

    (@esN, where N is the switch number) to the first configured RW and RO community strings on the command switch and propagates them to the member switches. For more information, see Chapter 7, “Clustering Switches,” and Getting Started with Cisco Network Assistant, available on Cisco.com.
    Using SNMP to Access MIB Variables
    An example of an NMS is the CiscoWorks network management software.
  • Page 617: Snmp Notifications

    Physical (such as Gigabit Ethernet or SFP-module interfaces): 10000–14500
    Null: 14501
    1. SVI = switch virtual interface
    2. SFP = small form-factor pluggable
    Note: The switch might not use sequential values within a range.
  • Page 618: Configuring Snmp

    An SNMP group is a table that maps SNMP users to SNMP views. An SNMP user is a member of an SNMP group. An SNMP host is the recipient of an SNMP trap operation. An SNMP engine ID is a name for the local or remote SNMP engine.
  • Page 619: Disabling The Snmp Agent

    The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
  • Page 620: Configuring Community Strings

    MIB objects. By default, the community string permits read-only access to all objects.
    • (Optional) For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999.
  • Page 621: Configuring Snmp Groups And Users

    You can specify an identification name (engine ID) for the local or remote SNMP server engine on the switch. You can configure an SNMP server group that maps SNMP users to SNMP views, and you can add new users to the SNMP group.
  • Page 622

    64 characters) that is the name of the view in which you specify a notify, inform, or trap.
    • (Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.
  • Page 623: Configuring Snmp Notifications

    A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers. Note Many commands use the word traps in the command syntax.
  • Page 624 Generates a trap for Open Shortest Path First (OSPF) changes. You can enable any or all of these traps: Cisco specific, errors, link-state advertisement, rate limit, retransmit, and state changes. Generates a trap for Protocol-Independent Multicast (PIM) changes. You can enable any or all of these traps: invalid PIM messages, neighbor changes, and rendezvous point (RP)-mapping changes.
  • Page 625

    Step 4: snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]. Purpose: Configure an SNMP group.
  • Page 626

    1000; the default is 30 seconds.
    Step 10: Return to privileged EXEC mode.
    Step 11: show running-config. Purpose: Verify your entries.
    Step 12: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
  • Page 627: Setting The Cpu Threshold Notification Types And Values

    Step 3: Return to privileged EXEC mode.
    Step 4: show running-config. Purpose: Verify your entries.
    Step 5: copy running-config startup-config. Purpose: (Optional) Save your entries in the configuration file.
  • Page 628: Setting The Agent Contact And Location Information

    Place ones in the bit positions that you want to ignore. Recall that the access list is always terminated by an implicit deny statement for everything.
  • Page 629: Snmp Examples

    Switch(config)# snmp-server enable traps entity
    Switch(config)# snmp-server host cisco.com restricted entity
    This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public:
    Switch(config)# snmp-server enable traps
    Switch(config)# snmp-server host myhost.cisco.com public
    ...
  • Page 630: Displaying Snmp Status

    EXEC command. You also can use the other privileged EXEC commands in Table 33-6 to display SNMP information. For information about the fields in the displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. Table 33-6 Commands for Displaying SNMP Information...
  • Page 631: Chapter 34 Configuring Network Security With Acls

    “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2, and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2. The Cisco IOS documentation is available from the Cisco.com page under Documentation >...
  • Page 632: Port Acls

    Layer 2 input would allow Host A to access the Human Resources network, but prevent Host B from accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction.
  • Page 633: Handling Fragmented And Unfragmented Traffic

    TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4 information might have been.
    • Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information.
  • Page 634: Configuring Ipv4 Acls

    ACEs were checking different hosts.
    Configuring IPv4 ACLs
    Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, see the “Configuring IP Services”...
  • Page 635: Creating Standard And Extended Ipv4 Acls

    • Resequencing ACEs in an ACL, page 34-12
    • Creating Named Standard and Extended ACLs, page 34-12
    • Using Time Ranges with ACLs, page 34-14
    • Including Comments in ACLs, page 34-15
  • Page 636: Access List Numbers

    IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list.
  • Page 637: Creating A Numbered Standard Acl

    Switch(config)# access-list 2 deny host 171.69.198.102
    Switch(config)# access-list 2 permit any
    Switch(config)# end
    Switch# show access-lists
    Standard IP access list 2
        10 deny 171.69.198.102
        20 permit any
  • Page 638: Creating A Numbered Extended Acl

    For more details on the specific keywords for each protocol, see these command references:
    • Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2
    • Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2
    •...
  • Page 639 0.0.0.0 [fragments] [time-range 255.255.255.255. time-range-name] [dscp dscp] You can use the any keyword in place of source and destination address and wildcard. Cisco IE 3000 Switch Software Configuration Guide 34-9 OL-13018-03...
  • Page 640 TCP port. To see TCP port names, use the ? or see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2. Use only TCP port numbers or names when filtering TCP.
  • Page 641 ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or see the “Configuring IP Services” section of the Cisco IOS IP Configuration Guide, Release 12.2. Step access-list access-list-number (Optional) Define an extended IGMP access list and the access conditions.
  • Page 642: Resequencing Aces In An Acl

    permit {source [source-wildcard] | host source | any}
    • host source—A source and source wildcard of source 0.0.0.0.
    • any—A source and source wildcard of 0.0.0.0 255.255.255.255.
  • Page 643 Being able to selectively remove lines from a named ACL is one reason you might use named ACLs instead of numbered ACLs. After creating a named ACL, you can apply it to interfaces (see the “Applying an IPv4 ACL to an Interface” section on page 34-16).
  • Page 644: Using Time Ranges With Acls

    This example shows how to configure time ranges for workhours and to configure January 1, 2006, as a company holiday and to verify your configuration.
    Switch(config)# time-range workhours
    Switch(config-time-range)# periodic weekdays 8:00 to 12:00
  • Page 645: Including Comments In Acls

    Smith is not allowed access:
    Switch(config)# access-list 1 remark Permit only Jones workstation through
    Switch(config)# access-list 1 permit 171.69.2.88
    Switch(config)# access-list 1 remark Do not allow Smith through
    Switch(config)# access-list 1 deny 171.69.3.13
  • Page 646: Applying An Ipv4 Acl To A Terminal Line

    This section describes how to apply IPv4 ACLs to network interfaces. Note these guidelines:
    • Apply an ACL only to inbound Layer 2 interfaces.
    • When controlling access to an interface, you can use a named or numbered ACL.
  • Page 647: Hardware And Software Treatment Of Ip Acls

    Logical operation units are needed for a TCP flag match or a test other than eq (ne, gt, lt, or range) on TCP, UDP, or SCTP port numbers.
  • Page 648: Ipv4 Acl Configuration Examples

    This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2 and the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
  • Page 649: Numbered Acls

    Switch(config-ext-nacl)# deny tcp any any
    Switch(config-ext-nacl)# permit ip any any
    Switch(config-ext-nacl)# exit
    The marketing_group ACL is applied to incoming traffic on a port.
    Switch(config)# interface gigabitethernet1/2
    Switch(config-if)# ip access-group marketing_group in
  • Page 650: Time Range Applied To An Ip Acl

    MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs. For more information about the supported non-IP protocols in the mac access-list extended command, see the command reference for this release.
  • Page 651

    Switch(config)# mac access-list extended mac1
    Switch(config-ext-macl)# deny any any decnet-iv
    Switch(config-ext-macl)# permit any any
    Switch(config-ext-macl)# end
    Switch# show access-lists
    Extended MAC access list mac1
        10 deny any any decnet-iv
        20 permit any any
  • Page 652: Applying A Mac Acl To A Layer 2 Interface

    ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets. Remember this behavior if you use undefined ACLs for network security.
  • Page 653: Displaying Ipv4 Acl Configuration

    MAC and IP access lists and which access groups are applied to an interface. show mac access-group [interface interface-id] Displays MAC access lists applied to all Layer 2 interfaces or the specified Layer 2 interface.
  • Page 655: Chapter 35 Configuring Cisco Ios Ip Slas Operations

    This chapter describes how to use Cisco IOS IP Service Level Agreements (SLAs) on the IE 3000 switch. Cisco IP SLAs is a part of Cisco IOS software that allows Cisco customers to analyze IP service levels for IP applications and services by using active traffic monitoring—the generation of traffic in a continuous, reliable, and predictable manner—for measuring network performance.
  • Page 656: Using Cisco Ios Ip Slas To Measure Network Performance

    Virtual Private Network (VPN) routing/forwarding instance (VRF), and URL web address. Because Cisco IP SLAs is Layer 2 transport independent, you can configure end-to-end operations over disparate networks to best reflect the metrics that an end user is likely to experience. IP SLAs collects a...
  • Page 657: Ip Slas Responder And Ip Slas Control Protocol

    IP SLAs Responder and IP SLAs Control Protocol The IP SLAs responder is a component embedded in the destination Cisco device that allows the system to anticipate and respond to IP SLAs request packets. The responder provides accurate measurements without the need for dedicated probes.
  • Page 658: Response Time Computation For Ip Slas

    Note: The IP SLAs responder can be a Cisco IOS Layer 2, responder-configurable switch, such as a Catalyst 2960, or a Cisco ME 2400 or IE 3000 switch, or a Catalyst 3560 or 3750 switch running the IP base image. The responder does not need to support full IP SLAs functionality.
  • Page 659: Configuring Ip Slas Operations

    This section does not include configuration information for all available operations as the configuration information details are included in the Cisco IOS IP SLAs Configuration Guide. It includes only the procedure for configuring the responder, as the switch includes only responder support.
  • Page 660: Configuring The Ip Slas Responder

    The IP SLAs responder is available only on Cisco IOS software-based devices, including some Layer 2 switches that do not support full IP SLAs functionality, such as the Catalyst 2960 or the Cisco ME 2400 or IE 3000 switch. Beginning in privileged EXEC mode, follow these steps to configure the IP SLAs...
  • Page 661: Chapter 36 Configuring Qos

    When you configure the QoS feature, you can select specific network traffic, prioritize it according to its relative importance, and use congestion-management and congestion-avoidance techniques to provide preferential treatment. Implementing QoS in your network makes network performance more predictable and bandwidth utilization more effective.
  • Page 662

    (DSCP) value. QoS supports the use of either value because DSCP values are backward-compatible with IP precedence values. IP precedence values range from 0 to 7. DSCP values range from 0 to 63.
    Note: IPv6 QoS is not supported in this release.
  • Page 663: Basic Qos Model

    (police and mark), and provide different treatment (queue and schedule) in all situations where resource contention exists. The switch also needs to ensure that traffic sent from it meets a specific traffic profile (shape).
  • Page 664

    Scheduling services the four egress queues based on their configured SRR shared or shaped weights. One of the queues (queue 1) can be the expedited queue, which is serviced until empty before the other queues are serviced.
    Figure 36-2 Basic QoS Model
  • Page 665: Classification

    For information on the maps described in this section, see the “Mapping Tables” section on page 36-10. For configuration information on port trust states, see the “Configuring Classification Using Port Trust States” section on page 36-32.
  • Page 666 CoS-to-DSCP map. Flowchart boxes: Assign the DSCP or CoS as specified by ACL action to generate the QoS label. Assign the default DSCP (0). Generate the DSCP by using the CoS-to-DSCP map. Done.
  • Page 667: Classification Based On Qos Acls

    In this mode, you specify the actions to take on a specific traffic class by using the class, trust, or set policy-map configuration and policy-map class configuration commands.
  • Page 668: Policing And Marking

    Aggregate—QoS applies the bandwidth limits specified in an aggregate policer cumulatively to all matched traffic flows. You configure this type of policer by specifying the aggregate policer name within a policy map by using the police aggregate policy-map class configuration command. You...
  • Page 669 You configure how fast (the average rate) that the tokens are removed from the bucket by using the rate-bps option of the police policy-map class configuration command or the mls qos aggregate-policer global configuration command.
  • Page 670: Mapping Tables

    This configurable map is called the policed-DSCP map. You configure this map by using the mls qos map policed-dscp global configuration command.
  • Page 671: Queueing And Scheduling Overview

    Both the ingress and egress queues use an enhanced version of the tail-drop congestion-avoidance mechanism called weighted tail drop (WTD). WTD is implemented on queues to manage the queue lengths and to provide drop precedences for different traffic classifications.
  • Page 672: Srr Shaping And Sharing

    With sharing, the ratio of the weights controls the frequency of dequeuing; the absolute values are meaningless. Shaping and sharing is configured per interface. Each interface can be uniquely configured.
  • Page 673: Queueing And Scheduling On Ingress Queues

    Queue the packet. Service the queue according to the SRR weights. Send packet to the internal ring. Note: SRR services the priority queue for its configured share before servicing the other queue.
  • Page 674 The priority queue should be used for traffic (such as voice) that requires guaranteed delivery because this queue is guaranteed part of the bandwidth regardless of the load on the internal ring.
  • Page 675: Queueing And Scheduling On Egress Queues

    Figure 36-8 shows the queueing and scheduling flowchart for egress ports. Note: If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues.
  • Page 676 (under-limit), whether it has consumed all of its maximum buffers (over limit), and whether the common pool is empty (no free...
  • Page 677 You assign the two WTD threshold percentages for threshold ID 1 and ID 2. The drop threshold for threshold ID 3 is preset to the queue-full state, and you cannot...
  • Page 678: Packet Modification

    The input mutation causes the DSCP to be rewritten depending on the new value of DSCP chosen. The set action in a policy map also causes the DSCP to be rewritten.
  • Page 679: Configuring Auto-Qos

    The switch uses the resulting classification to choose the appropriate egress queue. You use auto-QoS commands to identify ports connected to Cisco IP Phones and to devices running the Cisco SoftPhone application. You also use the commands to identify ports that receive trusted traffic through an uplink.
  • Page 680 DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet. The...
  • Page 681 When you enable auto-QoS by using the auto qos voip cisco-phone, the auto qos voip cisco-softphone, or the auto qos voip trust interface configuration command, the switch automatically generates a QoS configuration based on the traffic type and ingress packet label and applies the commands listed in Table 36-5 to the port.
  • Page 682
    Switch(config)# mls qos queue-set output 1 buffers 10 10 26 54
    Switch(config)# mls qos queue-set output 2 buffers 16 6 17 61
    Switch(config-if)# priority-queue out
    Switch(config-if)# srr-queue bandwidth share 10 10 60 20
  • Page 683 If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone.
    Switch(config-if)# mls qos trust device cisco-phone
  • Page 684: Effects Of Auto-Qos On The Configuration

    • By default, the CDP is enabled on all ports. For auto-QoS to function properly, do not disable the CDP.
    • When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.
  • Page 685: Enabling Auto-Qos For Voip

    Step 2: interface interface-id - Specify the port that is connected to a Cisco IP Phone, the port that is connected to a device running the Cisco SoftPhone feature, or the uplink port that is connected to another trusted switch or router in the interior of the network, and enter interface configuration mode.
  • Page 686: Auto-Qos Configuration Example

    You should not configure any standard QoS commands before entering the auto-QoS commands. You can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed.
  • Page 687: Displaying Auto-Qos Information

    Return to global configuration mode.
    Step 7: Repeat Steps 4 to 6 for as many ports as are connected to the Cisco IP Phone.
    Step 8: interface interface-id - Specify the switch port identified as connected to a trusted switch or router, and enter interface configuration mode.
  • Page 688: Configuring Standard Qos

    No policy maps are configured. The default port trust state on all ports is untrusted. The default ingress and egress queue settings are described in the “Default Ingress Queue Configuration” section on page 36-29 and the “Default Egress Queue Configuration” section on page 36-29.
  • Page 689: Default Ingress Queue Configuration

    WTD drop threshold 1: 100 percent, 200 percent, 100 percent, 100 percent
    WTD drop threshold 2: 100 percent, 200 percent, 100 percent, 100 percent
    Reserved threshold: 50 percent, 50 percent, 50 percent, 50 percent
  • Page 690: Default Mapping Table Configuration

    The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value. The default policed-DSCP map is a null map, which maps an incoming DSCP value to the same DSCP value (no markdown).
  • Page 691: Standard Qos Configuration Guidelines

    • If you have EtherChannel ports configured on your switch, you must configure QoS classification, policing, mapping, and queueing on the individual physical ports that comprise the EtherChannel. You must decide whether the QoS configuration should match on all ports in the EtherChannel.
  • Page 692: General Qos Guidelines

    • Configuring a Trusted Boundary to Ensure Port Security, page 36-35
    • Enabling DSCP Transparency Mode, page 36-36
    • Configuring the DSCP Trust State on a Port Bordering Another QoS Domain, page 36-37
  • Page 693: Configuring The Trust State On Ports Within The Qos Domain

    Command - Purpose
    Step 1: configure terminal - Enter global configuration mode.
    Step 2: interface interface-id - Specify the port to be trusted, and enter interface configuration mode. Valid interfaces include physical ports.
  • Page 694: Configuring The Cos Value For An Interface

    CoS to all incoming packets on the port:
    Command - Purpose
    Step 1: configure terminal - Enter global configuration mode.
    Step 2: interface interface-id - Specify the port to be configured, and enter interface configuration mode. Valid interfaces include physical ports.
  • Page 695: Configuring A Trusted Boundary To Ensure Port Security

    CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the...
  • Page 696: Enabling Dscp Transparency Mode

    In some situations, you can prevent a PC connected to the Cisco IP Phone from taking advantage of a high-priority data queue. You can use the switchport priority extend cos interface configuration command to configure the telephone through the switch CLI to override the priority of the traffic received from the PC.
  • Page 697: Configuring The Dscp Trust State On A Port Bordering Another Qos Domain

    DSCP-to-DSCP-mutation map to translate a set of DSCP values to match the definition in the other domain.
    Figure 36-12 DSCP-Trusted State on a Port Bordering Another QoS Domain (figure labels: QoS Domain 1; QoS Domain 2; IP traffic; Set interface to the DSCP-trusted state. Configure the DSCP-to-DSCP-mutation map.)
  • Page 698 DSCP 30:
    Switch(config)# mls qos map dscp-mutation gi1/2-mutation 10 11 12 13 to 30
    Switch(config)# interface gigabitethernet1/2
    Switch(config-if)# mls qos trust dscp
    Switch(config-if)# mls qos dscp-mutation gi1/2-mutation
    Switch(config-if)# end
  • Page 699: Configuring A Qos Policy

    Verify your entries.
    Step 5: copy running-config startup-config - (Optional) Save your entries in the configuration file.
    To delete an access list, use the no access-list access-list-number global configuration command.
  • Page 700 This example shows how to create an ACL that permits IP traffic from any source to any destination that has the DSCP value set to 32:
    Switch(config)# access-list 100 permit ip any any dscp 32
  • Page 701 Verify your entries. access-list-name]
    Step 6: copy running-config startup-config - (Optional) Save your entries in the configuration file.
    To delete an access list, use the no mac access-list extended access-list-name global configuration command.
  • Page 702: Classifying Traffic By Using Class Maps

    {permit | deny} {host src-MAC-addr mask | any | host dst-MAC-addr | dst-MAC-addr mask} [type mask]
  • Page 703 103. It permits traffic from any host to any destination that matches a DSCP value of 10.
    Switch(config)# access-list 103 permit ip any any dscp 10
    Switch(config)# class-map class1
    Switch(config-cmap)# match access-group 103
    Switch(config-cmap)# end
    Switch#
  • Page 704: Classifying, Policing, And Marking Traffic On Physical Ports By Using Policy Maps

    IP precedence value. This setting appears as set ip precedence in the switch configuration.
    • A policy-map and a port trust state can both run on a physical interface. The policy-map is applied before the port trust state.
  • Page 705 By default, no policy map class-maps are defined. If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.
  • Page 706 The range is 0 to 63.
    • For ip precedence new-precedence, enter a new IP-precedence value to be assigned to the classified traffic. The range is 0 to 7.
  • Page 707 8000 bytes, its DSCP is marked down (based on the policed-DSCP map) and sent:
    Switch(config)# access-list 1 permit 10.1.0.0 0.0.255.255
    Switch(config)# class-map ipclass1
    Switch(config-cmap)# match access-group 1
    Switch(config-cmap)# exit
    Switch(config)# policy-map flow1t
  • Page 708: Classifying, Policing, And Marking Traffic By Using Aggregate Policers

    By using an aggregate policer, you can create a policer that is shared by multiple traffic classes within the same policy map. However, you cannot use the aggregate policer across different policy maps or ports.
  • Page 709
    Step 7: exit - Return to global configuration mode.
    Step 8: interface interface-id - Specify the port to attach to the policy map, and enter interface configuration mode. Valid interfaces include physical ports.
  • Page 710: Configuring Dscp Maps

    • Configuring the CoS-to-DSCP Map, page 36-51 (optional)
    • Configuring the IP-Precedence-to-DSCP Map, page 36-52 (optional)
    • Configuring the Policed-DSCP Map, page 36-53 (optional, unless the null settings in the map are not appropriate)
  • Page 711: Configuring The Cos-To-Dscp Map

    Verify your entries.
    Step 5: copy running-config startup-config - (Optional) Save your entries in the configuration file.
    To return to the default map, use the no mls qos cos-dscp global configuration command.
  • Page 712: Configuring The Ip-Precedence-To-Dscp Map

    Verify your entries.
    Step 5: copy running-config startup-config - (Optional) Save your entries in the configuration file.
    To return to the default map, use the no mls qos ip-prec-dscp global configuration command.
  • Page 713: Configuring The Policed-Dscp Map

    30 31 32 33 34 35 36 37 38 39
    40 41 42 43 44 45 46 47 48 49
    00 00 00 00 00 00 00 00 58 59
    60 61 62 63
  • Page 714: Configuring The Dscp-To-Cos Map

    Verify your entries.
    Step 5: copy running-config startup-config - (Optional) Save your entries in the configuration file.
    To return to the default map, use the no mls qos dscp-cos global configuration command.
  • Page 715: Configuring The Dscp-To-Dscp-Mutation Map

    • The DSCP range is 0 to 63.
    Step 3: interface interface-id - Specify the port to which to attach the map, and enter interface configuration mode. Valid interfaces include physical ports.
  • Page 716: Configuring Ingress Queue Characteristics

    • What drop percentage thresholds apply to each queue, and which CoS or DSCP values map to each threshold?
    • How much of the available buffer space is allocated between the queues?
  • Page 717: Mapping Dscp Or Cos Values To An Ingress Queue And Setting Wtd Thresholds

    100. Separate each value with a space. Each threshold value is a percentage of the total number of queue descriptors allocated for the queue.
    Step 4: Return to privileged EXEC mode.
  • Page 718: Allocating Buffer Space Between The Ingress Queues

    For percentage1 percentage2, the range is 0 to 100. Separate each value with a space. You should allocate the buffers so that the queues can handle any incoming bursty traffic.
    Step 3: Return to privileged EXEC mode.
  • Page 719: Allocating Bandwidth Between The Ingress Queues

    Step 5: copy running-config startup-config - (Optional) Save your entries in the configuration file.
    To return to the default setting, use the no mls qos srr-queue input bandwidth global configuration command.
  • Page 720: Configuring The Ingress Priority Queue

    To return to the default setting, use the no mls qos srr-queue input priority-queue queue-id global configuration command. To disable priority queueing, set the bandwidth weight to 0, for example, mls qos srr-queue input priority-queue queue-id bandwidth 0.
  • Page 721: Configuring Egress Queue Characteristics

    You can guarantee the availability of buffers, set WTD thresholds, and configure the maximum allocation for a queue-set by using the mls qos queue-set output qset-id threshold queue-id drop-threshold1 drop-threshold2 reserved-threshold maximum-threshold global configuration commands.
  • Page 722 0 to 99. For allocation2, the range is 1 to 100 (including the CPU buffer). Allocate buffers according to the importance of the traffic; for example, give a large percentage of the buffer to the queue with the highest-priority traffic.
  • Page 723 200 percent as the maximum memory that this queue can have before packets are dropped:
    Switch(config)# mls qos queue-set output 2 buffers 40 20 20 20
    Switch(config)# mls qos queue-set output 2 threshold 2 40 60 100 200
    Switch(config)# interface gigabitethernet1/1
    Switch(config-if)# queue-set 2
  • Page 724: Mapping Dscp Or Cos Values To An Egress Queue And To A Threshold Id

    To return to the default DSCP output queue threshold map or the default CoS output queue threshold map, use the no mls qos srr-queue output dscp-map or the no mls qos srr-queue output cos-map global configuration command.
  • Page 725: Configuring Srr Shaped Weights On Egress Queues

    2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent:
    Switch(config)# interface gigabitethernet1/1
    Switch(config-if)# srr-queue bandwidth shape 8 0 0 0
  • Page 726: Configuring Srr Shared Weights On Egress Queues

    1, 2, 3, and 4. This means that queue 4 has four times the bandwidth of queue 1, twice the bandwidth of queue 2, and one-and-a-third times the bandwidth of queue 3.
    Switch(config)# interface gigabitethernet1/1
    Switch(config-if)# srr-queue bandwidth share 1 2 3 4
  • Page 727: Configuring The Egress Expedite Queue

    Beginning in privileged EXEC mode, follow these steps to limit the bandwidth on an egress port. This procedure is optional.
    Command - Purpose
    Step 1: configure terminal - Enter global configuration mode.
    Step 2: interface interface-id - Specify the port to be rate limited, and enter interface configuration mode.
  • Page 728: Displaying Standard Qos Information

    [cos-dscp | cos-input-q | cos-output-q | dscp-cos | dscp-input-q | dscp-mutation dscp-mutation-name | dscp-output-q | ip-prec-dscp | policed-dscp] - Display QoS mapping information.
    show mls qos queue-set [qset-id] - Display QoS settings for the egress queues.
  • Page 729 The control-plane and interface keywords are not supported, and the statistics shown in the display should be ignored.
    show running-config | include rewrite - Display the DSCP transparency setting.
  • Page 731: Chapter 37 Configuring Ipv6 Host Functions

    IPv4 and IPv6 switch database management (SDM) template. See the “Dual IPv4 and IPv6 Protocol Stacks” section on page 37-4. Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS documentation referenced in the procedures. This chapter consists of these sections: “Understanding IPv6”...
  • Page 732: Ipv6 Addresses

    2031:0:130F::09C0:080F:130B For more information about IPv6 address formats, address types, and the IPv6 packet header, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter of Cisco IOS IPv6 Configuration Library on Cisco.com. In the “Implementing Addressing and Basic Connectivity” chapter, these sections apply to the IE 3000...
  • Page 733: 128-Bit Wide Unicast Addresses

    For more information, see the section about IPv6 unicast addresses in the “Implementing IPv6 Addressing and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
    DNS for IPv6
    IPv6 supports Domain Name System (DNS) record types in the DNS name-to-address and address-to-name lookup processes.
  • Page 734: Ipv6 Stateless Autoconfiguration And Duplicate Address Detection

    For more information about autoconfiguration and duplicate address detection, see the “Implementing IPv6 Addressing and Basic Connectivity” chapter of Cisco IOS IPv6 Configuration Library on Cisco.com. IPv6 Applications...
  • Page 735: Static Routes For Ipv6

    • Verifies SNMP Manager feature works with IPv6 transport
    For information on SNMP over IPv6, including configuration procedures, see the “Managing Cisco IOS Applications over IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. For information about syslog over IPv6, including configuration procedures, see the “Implementing IPv6 Addressing and Basic Connectivity”...
  • Page 736: Http(S) Over Ipv6

    Basic network connectivity (ping) must exist between the client and the server hosts before HTTP connections can be made. For more information, see the “Managing Cisco IOS Applications over IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
  • Page 737 For more information about configuring IPv6, see the “Implementing Addressing and Basic Connectivity for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. Beginning in privileged EXEC mode, follow these steps to assign an IPv6 address to a Layer 3 interface...
  • Page 738: Configuring Ipv6 Icmp Rate Limiting

    The range is from 1 to 200.
    Step 3: Return to privileged EXEC mode.
    Step 4: show ipv6 interface [interface-id] - Verify your entries.
    Step 5: copy running-config startup-config - (Optional) Save your entries in the configuration file.
  • Page 739: Configuring Static Routes For Ipv6

    To configure a floating static route, use an administrative distance greater than that of the dynamic routing protocol.
    Step 3: Return to privileged EXEC mode.
  • Page 740: Displaying Ipv6

    For more information about configuring static IPv6 routing, see the “Implementing Static Routes for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
    Displaying IPv6
    For complete syntax and usage information on these commands, see the Cisco IOS command reference publications. Table 37-2 shows the privileged EXEC commands for monitoring IPv6 on the switch.
  • Page 741 This is an example of the output from the show ipv6 static privileged EXEC command:
    Switch# show ipv6 static
    IPv6 Static routes
    Code: * - installed in RIB
    * ::/0 via nexthop 3FFE:C000:0:7::777, distance 1
  • Page 742
    UDP statistics:
    Rcvd: 0 input, 0 checksum errors, 0 length errors
    0 no port, 0 dropped
    Sent: 26749 output
    TCP statistics:
    Rcvd: 0 input, 0 checksum errors
    Sent: 0 output, 0 retransmitted
  • Page 743: Chapter 38 Configuring Etherchannels And Link-State Tracking

    • Port-Channel Interfaces, page 38-3
    • Port Aggregation Protocol, page 38-4
    • Link Aggregation Control Protocol, page 38-5
    • EtherChannel On Mode, page 38-6
    • Load Balancing and Forwarding Methods, page 38-7
  • Page 744: Etherchannel Overview

    EtherChannel, and the failed link. Inbound broadcast and multicast packets on one link in an EtherChannel are blocked from returning on any other link of the EtherChannel.
  • Page 745: Port-Channel Interfaces

    To change the parameters of all ports in an EtherChannel, apply configuration commands to the port-channel interface, for example, spanning-tree commands or commands to configure a Layer 2 EtherChannel as a trunk.
  • Page 746: Port Aggregation Protocol

    Port Aggregation Protocol
    The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports.
  • Page 747: Pagp Interaction With Virtual Switches And Dual-Active Detection

    Link Aggregation Control Protocol
    The LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the IEEE 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports.
  • Page 748: Lacp Modes

    Ports that are configured in the on mode in the same channel group must have compatible port characteristics, such as speed and duplex. Ports that are not compatible are suspended, even though they are configured in the on mode.
  • Page 749: Load Balancing And Forwarding Methods

    In Figure 38-3, an EtherChannel from a switch that is aggregating data from four workstations communicates with a router. Because the router is a...
  • Page 750: Configuring Etherchannels

    • Configuring Layer 2 EtherChannels, page 38-10 (required)
    • Configuring EtherChannel Load Balancing, page 38-13 (optional)
    • Configuring the PAgP Learn Method and Priority, page 38-14 (optional)
    • Configuring LACP Hot-Standby Ports, page 38-15 (optional)
  • Page 751: Default Etherchannel Configuration

    • Enable all ports in an EtherChannel. A port in an EtherChannel that is disabled by using the shutdown interface configuration command is treated as a link failure, and its traffic is transferred to one of the remaining ports in the EtherChannel.
  • Page 752: Configuring Layer 2 Etherchannels

    EtherChannel.
    Configuring Layer 2 EtherChannels
    You configure Layer 2 EtherChannels by assigning ports to a channel group with the channel-group interface configuration command. This command automatically creates the port-channel logical interface.
  • Page 753 Assign all ports as static-access ports in the same VLAN, or configure them as trunks.
    switchport access vlan vlan-id - If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094.
  • Page 754 VLAN 10 to channel 5 with the PAgP mode desirable:
    Switch# configure terminal
    Switch(config)# interface range gigabitethernet1/1 -2
    Switch(config-if-range)# switchport mode access
    Switch(config-if-range)# switchport access vlan 10
    Switch(config-if-range)# channel-group 5 mode desirable non-silent
  • Page 755: Configuring Etherchannel Load Balancing

    Verify your entries.
    Step 5: copy running-config startup-config - (Optional) Save your entries in the configuration file.
    To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command.
  • Page 756: Configuring The Pagp Learn Method And Priority

    This procedure is optional.
    Command - Purpose
    Step 1: configure terminal - Enter global configuration mode.
    Step 2: interface interface-id - Specify the port for transmission, and enter interface configuration mode.
  • Page 757: Configuring Lacp Hot-Standby Ports

    LACP, the software assigns a unique priority made up of these elements (in priority order):
    • LACP system priority
    • System ID (the switch MAC address)
    • LACP port priority
    • Port number
  • Page 758: Configuring The Lacp System Priority

    The hot-standby ports that have lower port numbers become active in the channel first. You can use the show etherchannel summary privileged EXEC command to see which ports are in the hot-standby mode (denoted with an H port-state flag).
  • Page 759: Displaying Etherchannel, Pagp, And Lacp Status

    [channel-group-number] dual-active - Displays the dual-active detection status.
    show lacp [channel-group-number] {counters | internal | neighbor} - Displays LACP information such as traffic information, the internal LACP configuration, and neighbor information.
  • Page 760: Understanding Link-State Tracking

    – Port 5 and port 6 are connected to distribution switch 2 through link-state group 2. Port 5 and port 6 are the upstream interfaces in link-state group 2.
    • Link-state group 1 on switch B
  • Page 761 You can recover a downstream interface link-down condition by removing the failed downstream port from the link-state group. To recover multiple downstream interfaces, disable the link-state group.
  • Page 762: Configuring Link-State Tracking

    Configuring Link-State Tracking, page 38-21; Displaying Link-State Tracking Status, page 38-22. Default Link-State Tracking Configuration: There are no link-state groups defined, and link-state tracking is not enabled for any group...
  • Page 763: Link-State Tracking Configuration Guidelines

    Switch(config-if)# link state group 1 downstream
    Switch(config-if)# interface gigabitethernet1/2
    Switch(config-if)# link state group 1 downstream
    Switch(config-if)# end
    To disable a link-state group, use the no link state track number global configuration command...
  • Page 764: Displaying Link-State Tracking Status

    Upstream Interfaces : Fa1/6(Dwn) Fa1/7(Dwn) Fa1/8(Dwn)
    Downstream Interfaces : Fa1/2(Dis) Fa1/3(Dis) Fa1/4(Dis) Fa1/5(Dis)
    (Up):Interface up (Dwn):Interface Down (Dis):Interface disabled
    For detailed information about the fields in the display, see the command reference for this release...
  • Page 765: Chapter 39 Troubleshooting

    This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the IE 3000 switch. Depending on the nature of the problem, you can use the command-line interface (CLI), the device manager, or Network Assistant to identify and solve problems.
  • Page 766: Recovering From A Software Failure

    Step 1: From your PC, download the software image tar file (image_filename.tar) from Cisco.com. The Cisco IOS image is stored as a bin file in a directory in the tar file. For information about locating the software image files on Cisco.com, see the release notes.
  • Page 767: Recovering From A Lost Or Forgotten Password

    Step 11: After the Xmodem request appears, use the appropriate command on the terminal-emulation software to start the transfer and to copy the software image into flash memory. Step 12: Boot the newly downloaded Cisco IOS image. switch:boot flash:image_filename.bin Step 13: Use the archive download-sw privileged EXEC command to download the software image to the switch.
  • Page 768: Recovering From A Command Switch Failure

    This section describes how to recover from a failed command switch. You can configure a redundant command switch group by using the Hot Standby Router Protocol (HSRP). For more information, see Chapter 7, “Clustering Switches.” Also see the Getting Started with Cisco Network Assistant, available on Cisco.com. Note: HSRP is the preferred method for supplying redundancy to a cluster.
  • Page 769 Start your browser, and enter the IP address of the new command switch. Step 18 From the Cluster menu, select Add to Cluster to display a list of candidate switches to add to the cluster...
  • Page 770: Replacing A Failed Command Switch With Another Switch

    When prompted for the enable secret and enable passwords, enter the passwords of the failed command switch again. Step 9 When prompted, make sure to enable the switch as the cluster command switch, and press Return...
  • Page 771: Recovering From Lost Cluster Member Connectivity

    Note: If a remote device does not autonegotiate, configure the duplex settings on the two ports to match. The speed parameter can adjust itself even if the connected port does not autonegotiate...
  • Page 772: Sfp Module Security And Identification

    If you are using a non-Cisco SFP module, remove the SFP module from the switch, and replace it with a Cisco module. After inserting a Cisco SFP module, use the errdisable recovery cause gbic-invalid global configuration command to verify the port status, and enter a time interval for recovering from the error-disabled state.
  • Page 773: Understanding Ping

    Each exclamation point means receipt of a reply. Each period means the network server timed out while waiting for a reply. A destination unreachable error PDU was received. A congestion experienced packet was received. User interrupted test...
  • Page 774: Using Layer 2 Traceroute

    Usage Guidelines: These are the Layer 2 traceroute usage guidelines: Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP. For a list of switches that support Layer 2 traceroute, see the “Usage Guidelines”...
  • Page 775: Displaying The Physical Path

    You can use IP traceroute to identify the path that packets take through the network on a hop-by-hop basis. The command output displays all network layer (Layer 3) devices, such as routers, that the traffic passes through on the way to the destination...
  • Page 776: Executing Ip Traceroute

    4 171.9.4.5 0 msec 4 msec 0 msec
    5 171.9.121.34 0 msec 4 msec 4 msec
    6 171.9.15.9 120 msec 132 msec 128 msec
    7 171.9.15.10 132 msec 128 msec 128 msec
    Switch#...
  • Page 777: Using Tdr

    For example, a shorted twisted pair can occur if one wire of the twisted pair is soldered to the other wire. If one of the twisted-pair wires is open, TDR can find the length at which the wire is open...
  • Page 778: Running Tdr And Displaying The Results

    For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
  • Page 779: Enabling All-System Diagnostics

    Logging messages to a syslog server produces even less, and logging to an internal buffer produces the least overhead of any method. For more information about system message logging, see Chapter 32, “Configuring System Message Logging.”...
  • Page 780: Using The Show Platform Forward Command

    Vlan SrcMac DstMac Dscpv Gi1/2 0005 0001.0001.0001 0002.0002.0002 ------------------------------------------ <output truncated> ------------------------------------------ Packet 10 Lookup Key-Used Index-Hit A-Data OutptACL 50_0D020202_0D010101-00_40000014_000A0000 01FFE 03000000 Packet dropped due to failed DEJA_VU Check on Gi0/2...
  • Page 781: Using The Crashinfo Files

    Basic crashinfo Files: The information in the basic file includes the Cisco IOS image name and version that failed, a list of the processor registers, and other switch-specific information. You can provide this information to the Cisco technical support representative by using the show tech-support privileged EXEC command.
  • Page 782: Extended Crashinfo Files

    You provide this information to the Cisco technical support representative by manually accessing the file and using the more or the copy privileged EXEC command.
  • Page 783: Verifying The Problem And Cause

    This example shows normal CPU utilization. The output shows that utilization for the last 5 seconds is 8%/0%, which has this meaning: The total CPU utilization is 8 percent, including both time running Cisco IOS processes and time spent handling interrupts. The time spent handling interrupts is zero percent.
  • Page 784 Chapter 39 Troubleshooting: Troubleshooting Tables...
  • Page 785: Appendix

    CISCO-CONFIG-MAN-MIB, CISCO-ENTITY-ALARM-MIB, CISCO-ENTITY-VENDORTYPE-OID-MIB, CISCO-ENVMON-MIB, CISCO-ERR-DISABLE-MIB, CISCO-FLASH-MIB (Flash memory on all switches is modeled as removable flash memory.), CISCO-FTP-CLIENT-MIB, CISCO-IETF-IP-MIB, CISCO-IETF-IP-FORWARDING-MIB, CISCO-IGMP-FILTER-MIB...
  • Page 786 CISCO IP-STAT-MIB, CISCO-LAG-MIB, CISCO-MAC-AUTH-BYPASS, CISCO-MAC-NOTIFICATION-MIB, CISCO-MEMORY-POOL-MIB, CISCO-PAGP-MIB, CISCO-PING-MIB, CISCO-PORT-QOS-MIB (only the packet counters are supported; the octet counters are not supported), CISCO-PRODUCTS-MIB, CISCO-PROCESS-MIB, CISCO-RTTMON-MIB, CISCO-SMI-MIB, CISCO-STP-EXTENSIONS-MIB...
  • Page 787: Using Ftp To Access The Mib Files

    Note: You can also use this URL for a list of supported MIBs for the IE3000 switch: ftp://ftp.cisco.com/pub/mibs/supportlists/ie3000/ie3000-supportlist.html You can access other information about MIBs and Cisco products on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml Using FTP to Access the MIB Files: You can get each MIB file by using this procedure: Make sure that your FTP client is in passive mode.
  • Page 788 Appendix A Supported MIBs: Using FTP to Access the MIB Files...
  • Page 789: Appendix

    Removing the compact flash card does not interrupt switch operation unless you need to reload the Cisco IOS software. However, if you remove the compact flash card, you do not have access to the flash file system, and any attempt to access it generates an error message.
  • Page 790: Displaying Available File Systems

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images: Working with the Flash File System. These sections contain this configuration information: Displaying Available File Systems, page B-2; Setting the Default File System, page B-2...
  • Page 791: Displaying Information About Files On A File System

    Table B-1 show file systems Field Descriptions (continued). Flags: Permission for file system. ro—read-only. rw—read/write. wo—write-only. Prefixes: Alias for file system.
  • Page 792: Changing Directories And Displaying The Working Directory

    Beginning in privileged EXEC mode, follow these steps to change directories and display the working directory.
  • Page 793: Copying Files

    To copy a file from a source to a destination, use the copy source-url destination-url privileged EXEC command. For the source and destination URLs, you can use running-config and startup-config keyword shortcuts.
  • Page 794: Creating, Displaying, And Extracting Tar Files

    You can create a tar file and write files into it, list the files in a tar file, and extract the files from a tar file as described in the next sections.
  • Page 795: Extracting A Tar File

    For the TFTP, the syntax is: tftp:[[//location]/directory]/tar-filename.tar. The tar-filename.tar is the tar file to display. You can also limit the display of the files by specifying an optional list of files or directories after the tar file;...
  • Page 796: Displaying The Contents Of A File

    This section describes how to create, load, and maintain configuration files. Configuration files contain commands entered to customize the function of the Cisco IOS software. A way to create a basic configuration file is to use the setup program or to enter the setup privileged EXEC command.
  • Page 797 Copying Configuration Files By Using RCP, page B-15; Clearing Configuration Information, page B-18; Replacing and Rolling Back Configurations, page B-19...
  • Page 798: Preparing To Download Or Upload A Configuration File By Using Tftp

    Creating a Configuration File By Using a Text Editor: When creating a configuration file, you must list commands logically so that the system can respond appropriately.
  • Page 799 Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).
  • Page 800: Copying Configuration Files By Using Ftp

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
  • Page 801 Preparing to Download or Upload a Configuration File By Using FTP: Before you begin downloading or uploading a configuration file by using FTP, do these tasks: Ensure that the switch has a route to the FTP server.
  • Page 802 This example shows how to copy a configuration file named host1-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 and to load and run those commands on the switch: Switch# copy ftp://netadmin1:mypass@172.16.101.101/host1-confg system:running-config...
  • Page 803: Copying Configuration Files By Using Rcp

    Step 6: Return to privileged EXEC mode. Step 7: copy system:running-config ftp:[[[//[username[:password]@]location]/directory] Using FTP, store the switch running or startup configuration file to the specified location.
  • Page 804: Preparing To Download Or Upload A Configuration File By Using Rcp

    The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
  • Page 805 Downloading a Configuration File By Using RCP: Beginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP:...
  • Page 806: Clearing Configuration Information

    Uploading a Configuration File By Using RCP: Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP:...
  • Page 807: Clearing The Startup Configuration File

    Replacing and Rolling Back Configurations: The configuration replacement and rollback feature replaces the running configuration with any saved Cisco IOS configuration file. You can use the rollback function to roll back to a previous configuration. These sections contain this information: Understanding Configuration Replacement and Rollback, page B-19...
  • Page 808 EXEC command displays information for all the configuration files saved in the configuration archive. The Cisco IOS configuration archive, in which the configuration files are stored and available for use with the configure replace command, is in any of these file systems: FTP, HTTP, RCP, TFTP.
  • Page 809: Configuring The Configuration Archive

    replacement configuration file for the running configuration. The replacement file must be a complete configuration generated by a Cisco IOS device (for example, a configuration generated by the copy running-config destination-url command). Note: If you generate the replacement configuration file externally, it must comply with the format of files generated by Cisco IOS devices.
  • Page 810: Performing A Configuration Replacement Or Rollback Operation

    Step 5: time-period minutes. (Optional) Set the time increment for automatically saving an archive file of the running configuration in the configuration archive.
  • Page 811: Working With Software Images

    If you do not have access to a TFTP server, you can download a software image file directly to your PC or workstation by using a web browser (HTTP) and then by using the device manager or Cisco Network Assistant to upgrade your switch. For information about upgrading your switch by using a TFTP server or a web browser (HTTP), see the release notes.
  • Page 812: Image Location On The Switch

    Image Location on the Switch The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management. The image is stored on the system board flash memory (flash:).
  • Page 813: Copying Image Files By Using Tftp

    total_image_file_size: Specifies the size of all the images (the Cisco IOS image and the web management files) in the tar file, which is an approximate measure of how much flash memory is required to hold them. image_feature: Describes the core functionality of the image...
  • Page 814: Downloading An Image File By Using Tftp

    Ensure that the switch has a route to the TFTP server. The switch and the TFTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the TFTP server by using the ping command.
  • Page 815 Step 3: archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar Download the image file from the TFTP server to the switch, and overwrite the current image.
  • Page 816: Uploading An Image File By Using Tftp

    The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 817: Preparing To Download Or Upload An Image File By Using Ftp

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: The username specified in the archive download-sw or archive upload-sw privileged EXEC...
  • Page 818 When you upload an image file to the FTP server, it must be properly configured to accept the write request from the user on the switch.
  • Page 819 Step 8: archive download-sw /leave-old-sw /reload ftp:[[//username[:password]@location]/directory] Download the image file from the FTP server to the switch, and keep the current image.
  • Page 820: Copying Image Files By Using Rcp

    The archive upload-sw command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 821: Preparing To Download Or Upload An Image File By Using Rcp

    RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the switch to a server by using RCP, the Cisco IOS software sends the first valid username in this list: The username specified in the archive download-sw or archive upload-sw privileged EXEC...
  • Page 822 operations. The new username is stored in NVRAM. If you are accessing the switch through a Telnet session and you have a valid username, this username is used, and there is no need to set the RCP username.
  • Page 823 Step 6: archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-na Download the image file from the RCP server to the switch, and overwrite the current image.
  • Page 824 The algorithm installs the downloaded image onto the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
  • Page 825 The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 827: Appendix

    Access Control Lists. Unsupported Privileged EXEC Commands: access-enable [host] [timeout minutes]; access-template [access-list-number | name] [dynamic-name] [source] [destination] [timeout minutes]; clear access-template [access-list-number | name] [dynamic-name] [source] [destination]; show access-lists rate-limit [destination]...
  • Page 828: Unsupported Global Configuration Commands

    Appendix C Unsupported Commands in Cisco IOS Release 12.2(50)SE. Boot Loader Commands. show accounting; show ip accounting [checkpoint] [output-packets | access violations]; show ip cache [prefix-mask] [type number]. Unsupported Global Configuration Commands: access-list rate-limit acl-index {precedence | mask prec-mask}; access-list dynamic extended. Unsupported Route-Map Configuration Commands: match ip address prefix-list prefix-list-name [prefix-list-name...]...
  • Page 829: Interface Commands

    Interface Commands. Unsupported Privileged EXEC Commands: show interfaces [interface-id | vlan vlan-id] [crb | fair-queue | irb | mac-accounting | precedence | irb | random-detect | rate-limit | shape]...
  • Page 830: Unsupported Global Configuration Commands

    Unsupported Global Configuration Commands: mac-address-table aging-time; mac-address-table notification; mac-address-table static. Miscellaneous. Unsupported User EXEC Commands: verify. Unsupported Privileged EXEC Commands: file verify auto; show cable-diagnostics prbs; test cable-diagnostics prbs. Unsupported Global Configuration Commands...
  • Page 831: Unsupported Interface Configuration Commands

    Unsupported Interface Configuration Commands: priority-group; rate-limit. Unsupported Policy-Map Configuration Command: class class-default, where class-default is the class-map-name. RADIUS. Unsupported Global Configuration Commands: aaa nas port extended; aaa authentication feature default enable...
  • Page 832: Spanning Tree

    Spanning Tree. Unsupported Global Configuration Command: spanning-tree pathcost method {long | short}. Unsupported Interface Configuration Command: spanning-tree stack-port. VLAN. Unsupported Global Configuration Command: vlan internal allocation policy {ascending | descending}...
  • Page 863 28-5 33-5 show cluster members command in-band management 7-14 show configuration command 13-17 in clusters 7-13 show forward command 39-16 show interfaces command 13-14, 13-17 Cisco IE 3000 Switch Software Configuration Guide IN-31 OL-13018-03...
  • Page 864 SNMP traps source ports 30-5 21-13 transmitted traffic 30-5 SNMPv1 33-2 VLAN-based 30-6 SNMPv2C 33-2 spanning tree and native VLANs 15-15 SNMPv3 33-2 Spanning Tree Protocol snooping, IGMP 25-1 See STP Cisco IE 3000 Switch Software Configuration Guide IN-32 OL-13018-03...
  • Page 865 26-1 standby group, cluster disabling 26-5 See cluster standby group and HSRP displaying 26-19 standby links support for 22-2 startup configuration thresholds 26-1 booting manually 4-17 specific image 4-18 clearing B-19 Cisco IE 3000 Switch Software Configuration Guide IN-33 OL-13018-03...
  • Page 866 18-3 enabling 20-15 detecting indirect link failures 20-5 modes supported 18-9 disabling 18-14 multicast addresses, effect of 18-8 displaying status 18-22 optional features supported overview 18-2 path costs 15-22 Cisco IE 3000 Switch Software Configuration Guide IN-34 OL-13018-03...
  • Page 867 32-5 See SDM synchronizing log messages 32-6 Switched Port Analyzer syslog facility 1-10 See SPAN time stamps, enabling and disabling 32-7 switched ports 13-2 switchport backup interface 22-4, 22-5 Cisco IE 3000 Switch Software Configuration Guide IN-35 OL-13018-03...
  • Page 868 32-7 support for time zones 8-12 tracking services accessed by user 11-17 TLVs tar files defined 27-1 creating LLDP 27-2 displaying the contents of LLDP-MED 27-2 extracting image file format B-24 Cisco IE 3000 Switch Software Configuration Guide IN-36 OL-13018-03...
  • Page 869 33-1, 33-4 triggering alarm options within a QoS domain 36-33 configurable relays trustpoints, CA 11-38 methods twisted-pair Ethernet, detecting unidirectional links 29-1 SNMP traps type of service syslog messages See ToS Cisco IE 3000 Switch Software Configuration Guide IN-37 OL-13018-03...
  • Page 870 32-12 VLAN blocking, REP 21-12 facilities supported 32-13 VLAN configuration message logging configuration 32-12 at bootup 15-7 unrecognized Type-Length-Value (TLV) support 16-4 saving 15-7 VLAN configuration mode 2-2, 15-6 Cisco IE 3000 Switch Software Configuration Guide IN-38 OL-13018-03...
  • Page 871 MAC addresses to VLANs 15-24 creating in VLAN configuration mode 15-9 monitoring 15-28 default configuration 15-7 reconfirmation interval, changing 15-27 deleting 15-9 reconfirming membership 15-27 described 13-2, 15-1 retry count, changing 15-28 Cisco IE 3000 Switch Software Configuration Guide IN-39 OL-13018-03...
  • Page 872 16-7 16-8 configuration requirements disabling 16-8 16-13 configuration revision number enabling 16-13 guideline overview 16-14 16-4 resetting 16-15 configuring client mode 16-11 server mode 16-9 transparent mode 16-12 Cisco IE 3000 Switch Software Configuration Guide IN-40 OL-13018-03...
  • Page 873 36-57 fallback for IEEE 802.1x 12-57 support for 1-10 weighted tail drop See WTD wired location service configuring 27-9 Xmodem protocol 39-2 displaying 27-10 location TLV 27-3 understanding 27-3 wizards Cisco IE 3000 Switch Software Configuration Guide IN-41 OL-13018-03...
  • Page 874 Index Cisco IE 3000 Switch Software Configuration Guide IN-42 OL-13018-03...

This manual is also suitable for:

IE 3000