Cisco WS-C3550-12G Software Configuration Manual

Catalyst 3550 Multilayer Switch
Software Configuration Guide
Cisco IOS Release 12.1(8)EA1
February 2002
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7811194=
Text Part Number: 78-11194-03

  • Page 2 LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
  • Page 3 Documentation Feedback xxxii Obtaining Technical Assistance xxxii Cisco.com xxxiii Technical Assistance Center xxxiii Cisco TAC Web Site xxxiii Cisco TAC Escalation Center xxxiv Overview C H A P T E R Features Management Options Management Interface Options Advantages of Using CMS and Clustering Switches...
  • Page 4: Table Of Contents

    Contents Understanding CLI Messages Using Command History Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features Enabling and Disabling Editing Features Editing Commands through Keystrokes Editing Command Lines that Wrap Searching and Filtering Output of show and more Commands Accessing the CLI Getting Started with CMS C H A P T E R...
  • Page 5 Contents Tool Tips 3-27 Online Help 3-27 CMS Window Components 3-28 Host Name List 3-28 Tabs, Lists, and Tables 3-29 Icons Used in Windows 3-29 Buttons 3-29 Accessing CMS 3-30 Access Modes in CMS 3-31 HTTP Access to CMS 3-31 Verifying Your Changes 3-32 Change Notification...
  • Page 6 Contents Scheduling a Reload of the Software Image 4-17 Configuring a Scheduled Reload 4-17 Displaying Scheduled Reload Information 4-18 Clustering Switches C H A P T E R Understanding Switch Clusters Command Switch Characteristics Standby Command Switch Characteristics Candidate and Member Switches Characteristics Planning a Switch Cluster Automatic Discovery of Cluster Candidates and Members Discovery through CDP Hops...
  • Page 7 Contents Administering the Switch C H A P T E R Preventing Unauthorized Access to Your Switch Protecting Access to Privileged EXEC Commands Default Password and Privilege Level Configuration Setting or Changing a Static Enable Password Protecting Enable and Enable Secret Passwords with Encryption Disabling Password Recovery Setting a Telnet Password for a Terminal Line Configuring Username and Password Pairs...
  • Page 8 Contents Managing the System Time and Date 6-32 Understanding the System Clock 6-32 Understanding Network Time Protocol 6-32 Configuring NTP 6-34 Default NTP Configuration 6-35 Configuring NTP Authentication 6-35 Configuring NTP Associations 6-36 Configuring NTP Broadcast Service 6-37 Configuring NTP Access Restrictions 6-38 Configuring the Source IP Address for NTP Packets 6-40...
  • Page 9 Contents Configuring 802.1X Port-Based Authentication C H A P T E R Understanding 802.1X Port-Based Authentication Device Roles Authentication Initiation and Message Exchange Ports in Authorized and Unauthorized States Supported Topologies Configuring 802.1X Authentication Default 802.1X Configuration 802.1X Configuration Guidelines Enabling 802.1X Authentication Configuring the Switch-to-RADIUS-Server Communication Enabling Periodic Re-Authentication...
  • Page 10 Contents Configuring IEEE 802.3X Flow Control 8-16 Adding a Description for an Interface 8-17 Monitoring and Maintaining the Layer 2 Interface 8-18 Monitoring Interface and Controller Status 8-18 Clearing and Resetting Interfaces and Counters 8-20 Shutting Down and Restarting the Interface 8-21 Configuring Layer 3 Interfaces 8-22...
  • Page 11 Contents 802.1Q Configuration Considerations 9-24 Default Layer 2 Ethernet Interface VLAN Configuration 9-24 Configuring an Ethernet Interface as a Trunk Port 9-25 Configuring a Trunk Port 9-25 Defining the Allowed VLANs on a Trunk 9-27 Changing the Pruning-Eligible List 9-28 Configuring the Native VLAN for Untagged Traffic 9-29 Load Sharing Using STP...
  • Page 12 Contents Learning State 10-7 Forwarding State 10-8 Disabled State 10-8 STP Address Management 10-8 STP and IEEE 802.1Q Trunks 10-8 VLAN-Bridge STP 10-9 STP and Redundant Connectivity 10-9 Accelerated Aging to Retain Connectivity 10-10 Understanding Advanced STP Features 10-10 Understanding Port Fast 10-10 Understanding BPDU Guard 10-11...
  • Page 13 Contents Configuring Root Guard 10-36 Enabling EtherChannel Guard 10-37 Configuring IGMP Snooping and MVR 11-1 C H A P T E R Understanding IGMP Snooping 11-1 Joining a Multicast Group 11-2 Leaving a Multicast Group 11-4 Immediate-Leave Processing 11-4 Configuring IGMP Snooping 11-5 Default IGMP Snooping Configuration 11-5...
  • Page 14 Contents Configuring Port Blocking 12-6 Blocking Flooded Traffic on an Interface 12-6 Resuming Normal Forwarding on a Port 12-7 Configuring Port Security 12-8 Understanding Port Security 12-8 Default Port Security Configuration 12-9 Configuration Guidelines 12-9 Enabling and Configuring Port Security 12-9 Displaying Port-Based Traffic Control Settings 12-11...
  • Page 15 Contents Configuring SPAN 15-6 Default SPAN Configuration 15-7 SPAN Configuration Guidelines 15-7 Creating a SPAN Session and Specifying Ports to Monitor 15-8 Removing Ports from a SPAN Session 15-10 Specifying VLANs to Monitor 15-11 Specifying VLANs to Filter 15-12 Displaying SPAN Status 15-13 Configuring RMON 16-1...
  • Page 16 Contents Configuring SNMP 18-1 C H A P T E R Understanding SNMP 18-1 SNMP Versions 18-2 SNMP Manager Functions 18-2 SNMP Agent Functions 18-3 SNMP Community Strings 18-3 Using SNMP to Access MIB Variables 18-3 Configuring SNMP 18-4 Default SNMP Configuration 18-4 Disabling the SNMP Agent 18-5...
  • Page 17 Contents Time Range Applied to an IP ACL 19-25 Commented IP ACL Entries 19-25 ACL Logging 19-26 Configuring VLAN Maps 19-27 VLAN Map Configuration Guidelines 19-28 Creating Named MAC Extended ACLs 19-28 Creating a VLAN Map 19-30 Examples of ACLs and VLAN Maps 19-30 Applying a VLAN Map to a VLAN 19-32...
  • Page 18 Contents Configuring the Trust State on Ports within the QoS Domain 20-22 Configuring the CoS Value for an Interface 20-24 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain 20-25 Configuring a QoS Policy 20-26 Classifying Traffic by Using ACLs 20-27 Classifying Traffic by Using Class Maps 20-30...
  • Page 19 Contents Understanding Load Balancing and Forwarding Methods 21-5 Configuring EtherChannel 21-7 Default EtherChannel Configuration 21-7 EtherChannel Configuration Guidelines 21-8 Configuring Layer 2 EtherChannels 21-9 Configuring Layer 3 EtherChannels 21-11 Creating Port-Channel Logical Interfaces 21-11 Configuring the Physical Interfaces 21-12 Configuring EtherChannel Load Balancing 21-13 Configuring the PAgP Learn Method and Priority 21-14...
  • Page 20 EIGRP Interface Mode Commands 22-49 Configure EIGRP Route Authentication 22-50 Monitoring and Maintaining EIGRP 22-51 Configuring Protocol-Independent Features 22-53 Configuring Cisco Express Forwarding 22-53 Configuring the Number of Equal-Cost Routing Paths 22-54 Configuring Static Routes 22-55 Specifying Default Routes 22-56...
  • Page 21 Contents Configuring IP Multicast Routing 24-1 C H A P T E R Cisco Implementation of IP Multicast Routing 24-2 Understanding IGMP 24-3 IGMP Version 1 24-3 IGMP Version 2 24-4 Understanding PIM 24-5 PIM Versions 24-5 PIM Modes 24-5...
  • Page 22 Contents Changing the IGMP Query Timeout for IGMPv2 24-32 Changing the Maximum Query Response Time for IGMPv2 24-33 Configuring the Multilayer Switch as a Member of a Group 24-34 Controlling Access to IP Multicast Groups 24-35 Modifying the IGMP Host-Query Message Interval 24-36 Configuring the Multilayer Switch as a Statically Connected Member 24-36...
  • Page 23 Contents Configuring a Default MSDP Peer 25-4 Caching Source-Active State 25-6 Requesting Source Information from an MSDP Peer 25-8 Controlling Source Information that Your Switch Originates 25-8 Redistributing Sources 25-9 Filtering Source-Active Request Messages 25-11 Controlling Source Information that Your Switch Forwards 25-12 Using a Filter 25-12...
  • Page 24 Contents Recovering from a Command Switch Failure 27-7 Replacing a Failed Command Switch with a Cluster Member 27-7 Replacing a Failed Command Switch with Another Switch 27-9 Recovering from Lost Member Connectivity 27-10 Preventing Autonegotiation Mismatches 27-10 Diagnosing Connectivity Problems 27-11 Understanding Ping 27-11...
  • Page 25 Working with Software Images B-19 Image Location on the Switch B-20 tar File Format of Images on a Server or Cisco.com B-20 Copying Image Files By Using TFTP B-21 Preparing to Download or Upload an Image File By Using TFTP...
  • Page 26 Contents FallBack Bridging Unsupported Privileged EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands HSRP Unsupported Global Configuration Commands Unsupported Interface Configuration Commands Interface Configuration Commands IP Multicast Routing Unsupported Privileged EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands IP Unicast Routing Unsupported Privileged EXEC or User EXEC Commands Unsupported Global Configuration Commands...
  • Page 27 This guide is for the networking professional managing the Catalyst 3550 switch, hereafter referred to as the switch or the multilayer switch. Before using this guide, you should have experience working with the Cisco IOS and be familiar with the concepts and terminology of Ethernet and local area networking. Purpose This guide provides the information you need to configure Layer 2 and Layer 3 software features on your switch.
  • Page 28 MAC addresses. Chapter 13, “Configuring CDP,” describes how to configure Cisco Discovery Protocol (CDP) on your switch. Catalyst 3550 Multilayer Switch Software Configuration Guide...
  • Page 29 IP multicast routing. It describes how to use and configure the Internet Group Management Protocol (IGMP), Protocol-Independent Multicast (PIM) protocol, Cisco Group Management Protocol (CGMP) server functionality, and how to inter-operate between PIM and Distance Vector Multicast Routing Protocol (DVMRP) domains. To use this feature, you must have the enhanced multilayer software image installed on your switch.
  • Page 30 Preface Conventions Appendix A, “Supported MIBs,” lists the supported MIBs for this release and how to use FTP to access the MIB files. Appendix B, “Working with the IOS File System, Configuration Files, and Software Images,” describes how to manipulate the Flash file system, how to copy configuration files, and how to archive (upload and download) software images.
  • Page 31: Related Publications

    The following sections explain how to obtain documentation from Cisco Systems. World Wide Web You can access the most current Cisco documentation on the World Wide Web at the following URL: http://www.cisco.com Translated documentation is available at the following URL: http://www.cisco.com/public/countries_languages.shtml...
  • Page 32: Ordering Documentation

    America, by calling 800 553-NETS (6387). Documentation Feedback If you are reading Cisco product documentation on the World Wide Web, you can send us your comments by completing the online survey. When you display the document listing for this platform, click Give Us Your Feedback.
  • Page 33: Technical Assistance Center

    Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to the following URL to register: http://www.cisco.com/register/...
  • Page 34 Obtaining Technical Assistance If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.com registered user, you can open a case online by using the TAC Case Open tool at the following URL: http://www.cisco.com/tac/caseopen...
  • Page 35 C H A P T E R Overview This chapter provides these topics about the Catalyst 3550 multilayer switch software: Features, page 1-1 • Management Options, page 1-5 • Network Configuration Examples, page 1-7 • Features The Catalyst 3550 software supports the hardware listed in the release notes. These sections describe the features supported in this release.
  • Page 36 Table 1-1 Features (continued)
    • Address Resolution Protocol (ARP) for identifying a switch through its IP address and its corresponding Media Access Control (MAC) address
    • Cisco Discovery Protocol (CDP) versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network
    • Network Time Protocol (NTP) for providing a consistent timestamp to all switches from an external source...
  • Page 37 Chapter 1 Overview Features Table 1-1 Features (continued) Redundancy
    • Hot Standby Router Protocol (HSRP) for command switch and Layer 3 router redundancy
    • UniDirectional Link Detection (UDLD) on all Ethernet ports for detecting and disabling unidirectional links on fiber-optic interfaces caused by incorrect fiber-optic wiring or port faults
    • IEEE 802.1D Spanning Tree Protocol (STP) for redundant backbone connections and loop-free networks.
  • Page 38 Table 1-1 Features (continued)
    • Terminal Access Controller Access Control System Plus (TACACS+), a proprietary feature for managing network security through a TACACS server
    • Remote Authentication Dial-In User Service (RADIUS), which provides detailed accounting information and flexible administrative control over authentication and authorization processes
    Quality of Service and Class of Service Classification...
  • Page 39: Management Options

    Chapter 1 Overview Management Options Table 1-1 Features (continued) • Internet Control Message Protocol (ICMP) and ICMP Router Discovery Protocol (IRDP) for using router advertisement and router solicitation messages to discover the addresses of routers on directly attached subnets • Protocol-Independent Multicast (PIM) for multicast routing within the network, allowing for devices in the network to receive the multicast feed requested and for switches not participating in the multicast to be pruned.
  • Page 40: Advantages Of Using Cms And Clustering Switches

    Using CMS and switch clusters can simplify and minimize your configuration and monitoring tasks. You can use Cisco switch clustering technology to manage up to 16 interconnected, supported Catalyst switches through one IP address. This can conserve IP addresses if you have a limited number of them.
  • Page 41: Network Configuration Examples

    Chapter 1 Overview Network Configuration Examples Network Configuration Examples This section provides network configuration concepts and includes examples of using the switch in different network topologies. Design Concepts As your network users compete for network bandwidth, it takes longer to send and receive data. When you configure your network, consider the bandwidth required by your network users and the relative priority of the network applications they use.
  • Page 42 Chapter 1 Overview Network Configuration Examples Bandwidth alone is not the only consideration when designing your network. As your network traffic profiles evolve, consider providing network services that can support applications for voice and data integration, multimedia integration, application prioritization, and security. Table 1-3 describes some network demands and how you can meet those demands.
  • Page 43 Chapter 1 Overview Network Configuration Examples Figure 1-1 shows three configuration examples of using Catalyst switches to create the following: • Cost-effective wiring closet—A cost-effective way to connect many users to the wiring closet is to connect a Catalyst switch cluster of up to nine Catalyst 3550 switches (or with a mix of Catalyst 3550, Catalyst 2950, Catalyst 3500 XL, and Catalyst 2900 XL switches) through GigaStack GBIC connections.
  • Page 44 Figure 1-1 Example Configurations (figure; labels: Catalyst 3550-12T or Catalyst 3550-12G Gigabit server switch, Catalyst 3550 GigaStack cluster, Cost-Effective Wiring Closet, Catalyst 3550 switch, High-Performance Workgroup, Catalyst 3550 cluster, 1-Gbps HSRP Redundant Gigabit Backbone, Catalyst switches)
  • Page 45 Catalyst 2900 XL, Catalyst 2820, and Catalyst 1900 switches. These switches are connected to workstations, Cisco IP Phones, and local servers. You can cluster these switches into multiple clusters, as shown, or into a single cluster. You can manage a cluster through the IP address of its primary and secondary command switches, regardless of the geographic location of the cluster members.
  • Page 46 Figure 1-2 Catalyst 3550 Switches in a Collapsed Backbone Configuration (figure; labels: Internet, Cisco 2600 or 3600 routers, Catalyst 3550 multilayer switches, Gigabit servers, Catalyst GigaStack clusters, Cisco IP Phones)
  • Page 47 Chapter 1 Overview Network Configuration Examples Large Network Using Only Catalyst 3550 Switches Switches in the wiring closet have traditionally been Layer 2-only devices, but as network traffic profiles evolve, switches in the wiring closet are increasingly employing multilayer services such as multicast management and traffic classification.
  • Page 48 Figure 1-3 Catalyst 3550 Switches in Wiring Closets in a Backbone Configuration (figure; labels: Cisco 7500 routers, Catalyst 6000 multilayer switches, Catalyst 3550 clusters, Gigabit servers, Cisco IP Phones, power...)
  • Page 49 The aggregating switches and routers provide services such as those described in the previous examples, “Small to Medium-Sized Network Using Mixed Switches” and “Large Network Using Only Catalyst 3550 Switches.” Figure 1-4 Catalyst 3550 Switches in a MAN Configuration (figure; labels: Cisco 12000 Gigabit switch routers, Service Provider, Catalyst 6500 switches, Catalyst 3550 multilayer...)
  • Page 51: Ios Command Modes

    Accessing the CLI, page 2-9 IOS Command Modes The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.
  • Page 52 Chapter 2 Using the Command-Line Interface IOS Command Modes Table 2-1 Command Mode Summary (columns: Mode, Access Method, Prompt, Exit Method, About This Mode). User EXEC: access by beginning a session with your switch; prompt Switch>; exit by entering logout or quit; use this mode to • change terminal...
  • Page 53: Getting Help

    Chapter 2 Using the Command-Line Interface Getting Help Getting Help You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 2-2.
  • Page 54: Understanding Cli Messages

    Chapter 2 Using the Command-Line Interface Using no and default Forms of Commands Using no and default Forms of Commands Almost every configuration command also has a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface.
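    The mode changes and the no and default forms described above, as an added example session that is not taken from the guide. The host name, interface, VTY lines and credentials are assumed for illustration; the commands themselves are standard IOS and belong to the chapters on interfaces and on administering the switch. Besides undoing a shutdown, the session uses the no form for a security-relevant cleanup: once an enable secret is configured, an older enable password is still kept in the configuration unless it is explicitly removed, so the example removes it and then verifies the result with a filtered show command.

```cisco
! Added example session (not from the guide): IOS command modes and the
! no/default forms. Host name, interface and credentials are assumed.
! Lines beginning with "!" are comments that the CLI ignores.
Switch> enable
! privileged EXEC: the prompt ends in #
Switch# configure terminal
! global configuration mode
Switch(config)# hostname wc-3550-1
wc-3550-1(config)# enable secret MyS3cretExample
! An older clear-text (or type 7) enable password survives next to the
! secret until it is removed; the no form removes it.
wc-3550-1(config)# no enable password
wc-3550-1(config)# service password-encryption
! interface configuration mode
wc-3550-1(config)# interface gigabitethernet0/1
wc-3550-1(config-if)# description uplink to core
wc-3550-1(config-if)# shutdown
! the no form reverses the shutdown
wc-3550-1(config-if)# no shutdown
! the no form also clears a setting that has no "off" state
wc-3550-1(config-if)# no description
! exit returns one level; end returns straight to privileged EXEC
wc-3550-1(config-if)# exit
wc-3550-1(config)# line vty 0 4
wc-3550-1(config-line)# history size 50
! the default form restores the factory value (10 lines)
wc-3550-1(config-line)# default history size
wc-3550-1(config-line)# end
! verify: only the hashed secret should remain (hash elided here)
wc-3550-1# show running-config | include ^enable
enable secret 5 $1$...
wc-3550-1# copy running-config startup-config
```

    The verification step matters because the enable secret takes precedence at login, so a forgotten enable password is invisible in day-to-day use but still readable by anyone who obtains the configuration file.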
  • Page 55: Using Command History

    Chapter 2 Using the Command-Line Interface Using Command History Using Command History The IOS provides a history or record of commands that you have entered. This feature is particularly useful for recalling long or complex commands or entries, including access lists. You can customize the command history feature to suit your needs as described in these sections: •...
  • Page 56: Using Editing Features

    Chapter 2 Using the Command-Line Interface Using Editing Features To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command. Using Editing Features This section describes the editing features that can help you manipulate the command line.
  • Page 57 Chapter 2 Using the Command-Line Interface Using Editing Features Table 2-5 Editing Commands through Keystrokes (continued). Capability: recall commands from the buffer and paste them in the command line. Keystroke: press Ctrl-Y. Purpose: recall the most recent entry in the buffer. The switch provides a buffer with the last ten items that you deleted.
  • Page 58: Editing Command Lines That Wrap

    Chapter 2 Using the Command-Line Interface Searching and Filtering Output of show and more Commands Editing Command Lines that Wrap You can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command.
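    The command history and the show-output search features named in the headings above, as an added example that is not taken from the guide; the configuration lines shown in the output are constructed for illustration and the hashes are elided. terminal history size affects only the current session (the line configuration command history size is the persistent form), show history lists what Ctrl-P or the up arrow will recall, and the | begin, | include and | exclude modifiers apply a regular expression to the output of show and more commands, which is the quickest way to confirm which credentials and community strings a running configuration still carries.

```cisco
! Added example (not from the guide): command history and output filtering.
! The show output below is constructed; hashes and passwords are elided.
! Enlarge the history buffer for this terminal session only
wc-3550-1# terminal history size 100
! List the commands this session can recall
wc-3550-1# show history
  enable
  configure terminal
  show running-config | include ^enable
  copy running-config startup-config
  terminal history size 100
  show history
! include: only the lines matching the regular expression; the expression
! may contain its own | for alternation
wc-3550-1# show running-config | include ^(enable|username|snmp-server community)
enable secret 5 $1$...
username admin privilege 15 password 7 ...
snmp-server community public RO
! A type 7 user password and a default community string are findings
! worth fixing: reset the user password and change or remove the community.
! begin: everything from the first matching line to the end of the output
wc-3550-1# show running-config | begin line vty
line vty 0 4
 password 7 ...
 login
!
end
! exclude: drop the lines matching the expression, here the "!" separators
wc-3550-1# show running-config | exclude ^!$
```

    Anchoring the expression with ^ keeps include from matching the same keyword inside interface descriptions or banner text, which is a common source of false hits when auditing a long configuration.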
  • Page 59: Accessing The Cli

    Chapter 2 Using the Command-Line Interface Accessing the CLI Accessing the CLI Before you can access the CLI, you need to connect a terminal or PC to the switch console port and power on the switch as described in the hardware installation guide that shipped with your switch. Then, to understand the boot process and the options available for assigning IP information, see Chapter 4, “Assigning the Switch IP Address and Default Gateway.”...
  • Page 61 C H A P T E R Getting Started with CMS This chapter provides these topics about the Cluster Management Suite (CMS) software: Features, page 3-2 • Front Panel View, page 3-4 • Topology View, page 3-10 • Menus and Toolbar, page 3-15 •...
  • Page 62: Chapter 3 Getting Started With Cms

    Chapter 3 Getting Started with CMS Features Features CMS provides these features (Figure 3-1) for managing switch clusters and individual switches from Web browsers such as Netscape Communicator or Microsoft Internet Explorer: • Two views of your network that can be displayed at the same time: –...
  • Page 63 Chapter 3 Getting Started with CMS Features • Two levels of access to the configuration options: read-write access for users allowed to change switch settings; read-only access for users allowed to only view switch settings • Consistent set of GUI components (such as tabs, buttons, drop-down lists, tables, and so on) for a consistent approach to setting configuration parameters Figure 3-1 CMS Features...
  • Page 64: Front Panel View

    Chapter 3 Getting Started with CMS Front Panel View Front Panel View When CMS is launched from a command switch, the Front Panel view displays the front-panel images of all switches in the cluster (Figure 3-2). When CMS is launched from a standalone or non-command member switch, the Front Panel view displays only the front panel of the specific switch (Figure 3-3).
  • Page 65: Cluster Tree

    Chapter 3 Getting Started with CMS Front Panel View Cluster Tree The cluster tree (Figure 3-3) appears in the left frame of the Front Panel view and shows the name of the cluster and a list of its members. The sequence of the cluster-tree icons (Figure 3-4) mirror the sequence of the front-panel images.
  • Page 66: Front-Panel Images

    Chapter 3 Getting Started with CMS Front Panel View Front-Panel Images You can manage the switch from a remote station by using the front-panel images. The front-panel images are updated based on the network polling interval that you set from CMS > Preferences. Note The Preferences window is not available if your switch access level is read-only.
  • Page 67: Redundant Power System Led

    • Cisco RPS 300 (model PWR300-AC-RPS-N1)—Catalyst 2900 LRE XL, Catalyst 2950, Catalyst 3524-PWR XL, and Catalyst 3550 switches
    • Cisco RPS 600 (model PWR600-AC-RPS)—Catalyst 2900 XL and Catalyst 3500 XL switches, except the Catalyst 2900 LRE XL and Catalyst 3524-PWR XL switches
    Refer to the appropriate switch hardware documentation for RPS descriptions specific for the switch.
  • Page 68: Port Modes And Leds

    Chapter 3 Getting Started with CMS Front Panel View Port Modes and LEDs The port modes (Table 3-3) determine the type of information displayed through the port LEDs. When you change port modes, the meanings of the port LED colors (Table 3-4) also change.
  • Page 69: Vlan Membership Modes

    Chapter 3 Getting Started with CMS Front Panel View VLAN Membership Modes Ports in the Front Panel view are outlined by colors (Table 3-5) when you click Highlight VLAN Port Membership Modes on the Configure VLANs tab on the VLAN window (VLAN >...
  • Page 70: Topology View

    Chapter 3 Getting Started with CMS Topology View Topology View The Topology view displays how the devices within a switch cluster are connected and how the switch cluster is connected to other clusters and devices. From this view, you can add and remove cluster members.
  • Page 71 Chapter 3 Getting Started with CMS Topology View Figure 3-6 Expand Cluster View (figure; shows the cluster members of cluster1 and other devices connected to cluster1; right-click a device icon to display a device popup menu, and right-click a link icon to display a link popup menu). Figure 3-7 Collapse Cluster View (figure; labels: Neighboring cluster...)
  • Page 72: Topology Icons

    • Customer premises equipment (CPE) devices that are connected to Long-Reach Ethernet (LRE) switches
    • Devices that are not eligible to join the cluster, such as Cisco IP phones, Cisco access points, and CDP-capable hubs and routers
    • Devices that are identified as unknown devices, such as some Cisco devices and third-party devices...
  • Page 73: Device And Link Labels

    Chapter 3 Getting Started with CMS Topology View Figure 3-9 Topology-View Link Icons Device and Link Labels The Topology view displays device and link information by using these labels: • Cluster and switch names • Switch MAC and IP addresses •...
  • Page 74: Colors In The Topology View

    Chapter 3 Getting Started with CMS Topology View Colors in the Topology View The colors of the Topology view icons reflect the status of the devices and links (Table 3-6, Table 3-7, Table 3-8). Table 3-6 Device Icon Colors Icon Color Color Meaning Green The device is operating.
  • Page 75: Menus And Toolbar

    Chapter 3 Getting Started with CMS Menus and Toolbar Menus and Toolbar The configuration and monitoring options for configuring switches and switch clusters are available from the menu bar, toolbar, and the Front-Panel and Topology view popup menus. Menu Bar The menu bar provides the complete list of options for managing a single switch and switch cluster.
  • Page 76 If your cluster has these member switches running earlier software releases and if you have read-only access to these member switches, some configuration windows for those switches display incomplete information:
    – Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 or earlier
    – Catalyst 2950 member switches running Cisco IOS Release 12.0(5)WC2 or earlier...
  • Page 77 Chapter 3 Getting Started with CMS Menus and Toolbar Table 3-10 Menu Bar (continued) Menu-Bar Options Task Cluster Cluster Manager Launch a CMS session from the command switch. Create Cluster Designate a command switch, and name a cluster. Delete Cluster Delete a cluster.
  • Page 78 Chapter 3 Getting Started with CMS Menus and Toolbar Table 3-10 Menu Bar (continued) Menu-Bar Options Task Router Redundancy Add a switch to or remove a switch from an HSRP group (guide mode available). Fallback Bridging Create a fallback bridging group, modify a group, delete a group, or view its details. 802.1X Configure 802.1X authentication of devices as they are attached to LAN ports in a point-to-point infrastructure.
  • Page 79 Catalyst 2900 XL and Catalyst 3500 XL switches when they are in a cluster where the command switch is a Catalyst 2950 switch running Cisco IOS Release 12.1(6)EA2 or later or a Catalyst 3550 switch running Cisco IOS Release 12.1(8)EA1 or later.
  • Page 80 Chapter 3 Getting Started with CMS Menus and Toolbar Table 3-10 Menu Bar (continued) Menu-Bar Options Task Help Overview Obtain an overview of the CMS interface. What’s New Obtain a description of the new CMS features. Help For Active Window Display the help for the active open window.
  • Page 81: Toolbar

    Chapter 3 Getting Started with CMS Menus and Toolbar Toolbar The toolbar buttons display commonly used switch and cluster configuration options and information windows such as legends and online help. Hover the cursor over an icon to display the feature. Table 3-11 describes the toolbar options, from left to right on the toolbar.
  • Page 82: Front Panel View Popup Menus

    Chapter 3 Getting Started with CMS Menus and Toolbar Front Panel View Popup Menus These popup menus are available in the Front Panel view. Device Popup Menu You can display all switch and cluster configuration windows from the menu bar, or you can display commonly used configuration windows from the device popup menu (Table 3-12).
  • Page 83: Topology View Popup Menus

    Chapter 3 Getting Started with CMS Menus and Toolbar Topology View Popup Menus These popup menus are available in the Topology view. Link Popup Menu You can display reports and graphs for a specific link displayed in the Topology view (Table 3-14).
  • Page 84: Device Popup Menus

    Catalyst 2900 XL and Catalyst 3500 XL switches running Cisco IOS Release 12.0(5)WC2 and later. It is also available on Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 and later and on Catalyst 3550 switches running Cisco IOS Release 12.1(8)EA1 or later. It is not available on the Catalyst 1900 and Catalyst 2820 switches.
  • Page 85 Task Device Manager Access the web management interface of the device. Note This option is available on Cisco access points, but not on Cisco IP phones, hubs, routers, and unknown devices such as some Cisco devices and third-party devices.
  • Page 86: Interaction Modes

    Chapter 3 Getting Started with CMS Interaction Modes Interaction Modes You can change the interaction mode of CMS to either guide or expert mode. Guide mode steps you through each feature option and provides information about the parameter. Expert mode displays a configuration window in which you configure the feature options.
  • Page 87: Tool Tips

    Glossary of terms used in the online help. You can send us feedback about the information provided in the online help. Click Feedback to display an online form. After completing the form, click Submit to send your comments to Cisco. We appreciate and value your comments.
  • Page 88: Cms Window Components

    Chapter 3 Getting Started with CMS CMS Window Components CMS Window Components CMS windows consistently present configuration information. Figure 3-12 shows the components of a typical CMS window. Figure 3-12 CMS Window Components OK saves your changes and closes the window. Apply saves your changes and leaves the window open.
  • Page 89: Tabs, Lists, And Tables

    Icons Used in Windows Some windows have icons for sorting information in tables, for showing which cells in a table are editable, and for displaying further information from Cisco.com (Figure 3-13).
  • Page 90: Accessing Cms

    Copies of the CMS pages you display are saved in your browser memory cache until you exit the browser session. A password is not required to redisplay these pages, including the Cisco Systems Access page. You can access the CLI by clicking Monitor the router - HTML access to the command line interface from a cached copy of the Cisco Systems Access page.
  • Page 91: Access Modes In Cms

    • read-only access to these member switches, some configuration windows for those switches display incomplete information:
    – Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 or earlier
    – Catalyst 2950 member switches running Cisco IOS Release 12.0(5)WC2 or earlier
    – ...
  • Page 92: Verifying Your Changes

    Chapter 3 Getting Started with CMS Verifying Your Changes Verifying Your Changes CMS provides notification cues to help you track and confirm the changes you make. Change Notification A green border around a field or table cell means that you made an unsaved change to the field or table cell.
  • Page 93: Using Different Versions Of Cms

    Here are examples of how CMS can differ between IOS releases and switch platforms: • On Catalyst switches running Cisco IOS Release 12.0(5)WC2 or earlier or Cisco IOS Release 12.1(6)EA1 or earlier, the CMS versions in those software releases might appear similar but are not the same as this release.
  • Page 94 Chapter 3 Getting Started with CMS Where to Go Next Catalyst 3550 Multilayer Switch Software Configuration Guide 3-34 78-11194-03...
  • Page 95: Chapter 4 Assigning The Switch Ip Address And Default Gateway

    C H A P T E R Assigning the Switch IP Address and Default Gateway This chapter describes how to create the initial switch configuration (for example, assign the switch IP address and default gateway information) by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration.
  • Page 96: Assigning Switch Information

    For more information about the setup program, refer to the release notes on Cisco.com. Use a DHCP server for centralized control and automatic assignment of IP information once the server is configured.
  • Page 97: Default Switch Information

    Chapter 4 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Default Switch Information Table 4-1 shows the default switch information. Table 4-1 Default Switch Information Feature Default Setting IP address and subnet mask No IP address or subnet mask are defined. Default gateway No default gateway is defined.
  • Page 98: Dhcp Client Request Process

    Chapter 4 Assigning the Switch IP Address and Default Gateway Assigning Switch Information DHCP Client Request Process When you boot your switch, the DHCP client is invoked and automatically requests configuration information from a DHCP server when the configuration file is not present on the switch. Figure 4-1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server.
  • Page 99: Configuring The Dhcp Server

    Chapter 4 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Configuring the DHCP Server You should configure the DHCP server with reserved leases that are bound to each switch by the switch hardware address. If you want the switch to receive IP address information, you must configure the DHCP server with these lease options: • IP address of the client (required) ...
  • Page 100: Configuring The Dns

    TFTP packets. You must configure this relay device to forward received broadcast packets on an interface to the destination host. If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure a helper address by using the ip helper-address interface configuration command.
  • Page 101: Obtaining Configuration Files

    Chapter 4 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Figure 4-2 Relay Device Used in Autoconfiguration [figure: the switch (DHCP client) and a Cisco router (relay) in front of the DHCP server, TFTP server and DNS server; addresses shown: 10.0.0.2, 10.0.0.1, 20.0.0.1, 20.0.0.2, 20.0.0.3, 20.0.0.4] Obtaining Configuration Files...
  • Page 102: Example Configuration

    Figure 4-3 DHCP-Based Autoconfiguration Network Example [figure: Switch 1 through Switch 4 with hardware addresses 00e0.9f1e.2001, 00e0.9f1e.2002, 00e0.9f1e.2003 and 00e0.9f1e.2004; a Cisco router at 10.0.0.10; DHCP server 10.0.0.1, DNS server 10.0.0.2 and TFTP server (maritsu) 10.0.0.3] Table 4-2 shows the configuration of the reserved leases on the DHCP server.
  • Page 103 Chapter 4 Assigning the Switch IP Address and Default Gateway Assigning Switch Information DNS Server Configuration The DNS server maps the TFTP server name maritsu to IP address 10.0.0.3. TFTP Server Configuration (on UNIX) The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method.
  • Page 104: Manually Assigning Ip Information

    Chapter 4 Assigning the Switch IP Address and Default Gateway Checking and Saving the Running Configuration Manually Assigning IP Information Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs) or ports: Command Purpose Step 1...
  • Page 105 Chapter 4 Assigning the Switch IP Address and Default Gateway Checking and Saving the Running Configuration
    interface GigabitEthernet0/1
     no switchport
     ip address 172.20.137.50 255.255.255.0
    interface GigabitEthernet0/2
    interface GigabitEthernet0/3
    interface GigabitEthernet0/4
    interface GigabitEthernet0/5
    interface GigabitEthernet0/6
    interface GigabitEthernet0/7
    interface GigabitEthernet0/8
    interface GigabitEthernet0/9
    interface GigabitEthernet0/10
    interface GigabitEthernet0/11
    interface GigabitEthernet0/12...
  • Page 106: Modifying The Startup Configuration

    Chapter 4 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Modifying the Startup Configuration This section describes how to modify the switch startup configuration. It contains this configuration information: • Default Boot Configuration, page 4-12 • Automatically Downloading a Configuration File, page 4-12 • Booting Manually, page 4-13 ...
  • Page 107: Specifying The Filename To Read And Write The System Configuration

    Chapter 4 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Specifying the Filename to Read and Write the System Configuration By default, the IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration.
  • Page 108: Booting A Specific Software Image

    Chapter 4 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Command Purpose Step 4 show boot Verify your entries. The boot manual global configuration command changes the setting of the MANUAL_BOOT environment variable. The next time you reboot the system, the switch is in boot loader mode, shown by the switch: prompt.
  • Page 109: Controlling Environment Variables

    Chapter 4 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Controlling Environment Variables With a normally operating switch, you enter the boot loader mode only through a switch console connection configured for 9600 bps. Unplug the switch power cord and press the switch Mode button while reconnecting the power cord.
  • Page 110 Chapter 4 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Table 4-5 describes the function of the most common environment variables. Table 4-5 Environment Variables (columns: Variable | Boot Loader Command | IOS Global Configuration Command) MANUAL_BOOT | set MANUAL_BOOT yes: Determines whether the switch... | boot manual: Enables manually booting the switch during...
  • Page 111: Scheduling A Reload Of The Software Image

    Chapter 4 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image Scheduling a Reload of the Software Image You can schedule a reload of the software image to occur on the switch at a later time (for example, late at night or during the weekend when the switch is used less), or you can synchronize a reload network-wide (for example, to perform a software upgrade on all switches in the network).
  • Page 112: Displaying Scheduled Reload Information

    Chapter 4 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image This example shows how to reload the software on the switch at a future time: Switch# reload at 02:00 jun 20 Reload scheduled for 02:00:00 UTC Thu Jun 20 1996 (in 344 hours and 53 minutes) Proceed with reload? [confirm] To cancel a previously scheduled reload, use the reload cancel privileged EXEC command.
  • Page 113: Chapter 5 Clustering Switches

    C H A P T E R Clustering Switches This chapter provides these topics to help you get started with switch clustering: • Understanding Switch Clusters, page 5-2 • Planning a Switch Cluster, page 5-4 • Creating a Switch Cluster, page 5-18 ...
  • Page 114: Understanding Switch Clusters

    • It is running Cisco IOS Release 12.1(4)EA1 or later. • It has an IP address. • It has Cisco Discovery Protocol (CDP) version 2 enabled (the default). • It is not a command or member switch of another cluster. ...
  • Page 115: Standby Command Switch Characteristics

    Catalyst 3550 switches or Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later. • When the command switch is a Catalyst 2950 switch running Cisco IOS Release 12.1(6)EA2 or later, all standby command switches must be Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later.
  • Page 116: Planning A Switch Cluster

    Java plug-in configurations. Automatic Discovery of Cluster Candidates and Members The command switch uses Cisco Discovery Protocol (CDP) to discover member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
  • Page 117 Chapter 5 Clustering Switches Planning a Switch Cluster Discovery through CDP Hops By using CDP, a command switch can discover switches up to seven CDP hops away (the default is three hops) from the edge of the cluster. The edge of the cluster is where the last member switches are connected to the cluster (for example, the command switch and member switches 8, 9, and 10 in Figure 5-1 are at the edge of the cluster).
  • Page 118: Discovery Through Non-Cdp-Capable And Noncluster-Capable Devices

    Planning a Switch Cluster Discovery through Non-CDP-Capable and Noncluster-Capable Devices If a command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
  • Page 119: Discovery Through Different Vlans

    Chapter 5 Clustering Switches Planning a Switch Cluster Discovery through Different VLANs A cluster can have Catalyst 3550 member switches configured with different VLANs. However, each member switch must be connected through at least one VLAN in common with the command switch. The command switch in Figure 5-3 has ports assigned to VLANs 9, 16, and 62 and therefore discovers...
  • Page 120: Discovery Through The Same Management Vlan

    Chapter 5 Clustering Switches Planning a Switch Cluster Discovery through the Same Management VLAN When the cluster has a Catalyst 2900 XL, Catalyst 2950, or Catalyst 3500 XL command switch, all cluster members must connect to it through the command-switch management VLAN, which is VLAN 1 by default.
  • Page 121: Discovery Through Different Management Vlans

    Chapter 5 Clustering Switches Planning a Switch Cluster Discovery through Different Management VLANs We strongly recommend that a Catalyst 3550 switch be the command switch when the cluster has Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL member switches.
  • Page 122: Discovery Through Routed Ports

    Chapter 5 Clustering Switches Planning a Switch Cluster Discovery through Routed Ports If the command switch has a routed port (RP) configured, it discovers only candidate and member switches in the same VLAN as the routed port. For more information about routed ports, see the “Routed Ports”...
  • Page 123: Discovery Of Newly Installed Switches

    Chapter 5 Clustering Switches Planning a Switch Cluster Discovery of Newly Installed Switches A new, out-of-the-box switch is set with the default VLAN, VLAN 1. By default, all access ports on the new switch are assigned to VLAN 1. To add a new switch to a cluster, it must be connected to the cluster through an access port. When the new switch joins a cluster, its default VLAN changes to the VLAN of the immediately upstream neighbor.
  • Page 124: Hsrp And Standby Command Switches

    Catalyst 3550 switches or Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later. • When the command switch is a Catalyst 2950 switch running Cisco IOS Release 12.1(6)EA2 or later, all standby command switches must be Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later.
  • Page 125: Virtual Ip Addresses

    Chapter 5 Clustering Switches Planning a Switch Cluster Virtual IP Addresses You need to assign a unique virtual IP address and group number and name to the cluster standby group. This information must be configured on a specific VLAN or routed port on the active command switch. The active command switch receives traffic destined for the virtual IP address.
  • Page 126: Considerations For Cluster Standby Groups

    Catalyst 3550 switches or Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later. When the command switch is a Catalyst 2950 switch running Cisco IOS Release 12.1(6)EA2 or later, all standby command switches must be Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later.
  • Page 127: Ip Addresses

    Chapter 5 Clustering Switches Planning a Switch Cluster Figure 5-8 VLAN Connectivity between Standby-Group Members and Cluster Members [figure: Catalyst 3550 primary command switch and Catalyst 3550 standby command switch on VLANs 9 and 16; Catalyst 2950 passive command switch on management VLAN 9; cluster members on VLAN 9 and VLAN 16, including a Catalyst 2900 XL or...]
  • Page 128: Host Names

    Chapter 5 Clustering Switches Planning a Switch Cluster Host Names You do not need to assign a host name to either a command switch or an eligible cluster member. However, a host name assigned to the command switch can help to more easily identify the switch cluster.
  • Page 129: Tacacs

    A cluster can have a mix of LRE switches using different private profiles. For more information about the Catalyst 2900 LRE XL switches and LRE technology, refer to the Catalyst 2900 XL and Catalyst 3500 XL documentation for Cisco IOS Release 12.0(5)WC2. ...
  • Page 130: Availability Of Switch-Specific Features In Switch Clusters

    Chapter 5 Clustering Switches Creating a Switch Cluster Availability of Switch-Specific Features in Switch Clusters The menu bar on the command switch displays all options available from the switch cluster. Therefore, features specific to a member switch are available from the command-switch menu bar. For example, Device >...
  • Page 131: Enabling A Command Switch

    Chapter 5 Clustering Switches Creating a Switch Cluster Enabling a Command Switch The switch you designate to be the command switch must meet the requirements described in the “Command Switch Characteristics” section on page 5-2, “Planning a Switch Cluster” section on page 5-4, and the release notes.
  • Page 132: Adding Member Switches

    Chapter 5 Clustering Switches Creating a Switch Cluster Adding Member Switches As explained in the “Automatic Discovery of Cluster Candidates and Members” section on page 5-4, the command switch automatically discovers candidate switches. When you add new cluster-capable switches to the network, the command switch discovers and adds them to a list of candidate switches. To display an updated cluster candidates list from the Add to Cluster window (Figure 5-10), either...
  • Page 133 Chapter 5 Clustering Switches Creating a Switch Cluster Figure 5-10 Add to Cluster Window [figure callouts: Select a switch, and click Add. Press Ctrl and left-click to select more than one switch. Enter the password of the candidate switch. If no password exists for the switch, leave this field blank.]
  • Page 134: Creating A Cluster Standby Group

    Catalyst 3550 switches or Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later. • When the command switch is a Catalyst 2950 switch running Cisco IOS Release 12.1(6)EA2 or later, all standby command switches must be Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later.
  • Page 135 Chapter 5 Clustering Switches Creating a Switch Cluster Figure 5-12 Standby Command Configuration Window [figure callouts: Active command switch. Standby command switch. Must be a valid IP address in the same subnet as the active command switch.]
  • Page 136: Verifying A Switch Cluster

    Chapter 5 Clustering Switches Creating a Switch Cluster Verifying a Switch Cluster When you finish adding cluster members, follow these steps to verify the cluster: Step 1 Enter the command switch IP address in the browser Location field (Netscape Communicator) or Address field (Microsoft Internet Explorer) to access all switches in the cluster.
  • Page 137: Using The Cli To Manage Switch Clusters

    Chapter 5 Clustering Switches Using the CLI to Manage Switch Clusters Using the CLI to Manage Switch Clusters You can configure member switches from the CLI by first logging into the command switch. Enter the rcommand user EXEC command and the member switch number to start a Telnet session (through a console or Telnet connection) and to access the member switch CLI.
  • Page 138: Using Snmp To Manage Switch Clusters

    Chapter 5 Clustering Switches Using SNMP to Manage Switch Clusters Using SNMP to Manage Switch Clusters When you first power on the switch, SNMP is enabled if you enter the IP information by using the setup program and accept its proposed configuration. If you did not use the setup program to enter the IP information and SNMP was not enabled, you can enable it as described in the “Configuring SNMP”...
  • Page 139: Preventing Unauthorized Access To Your Switch

    C H A P T E R Administering the Switch This chapter describes how to perform one-time operations to administer your switch. This chapter consists of these sections: • Preventing Unauthorized Access to Your Switch, page 6-1 • Protecting Access to Privileged EXEC Commands, page 6-2 ...
  • Page 140: Chapter 6 Administering The Switch

    Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.1. This section describes how to control access to the configuration file and privileged EXEC commands.
  • Page 141: Default Password And Privilege Level Configuration

    Chapter 6 Administering the Switch Protecting Access to Privileged EXEC Commands Default Password and Privilege Level Configuration Table 6-1 shows the default password and privilege level configuration. Table 6-1 Default Password and Privilege Levels Feature Default Setting Enable password and privilege level No password is defined.
  • Page 142: Protecting Enable And Enable Secret Passwords With Encryption

    By default, no password is defined. • (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password you copy...
  • Page 143: Disabling Password Recovery

    Chapter 6 Administering the Switch Protecting Access to Privileged EXEC Commands Command Purpose Step 3 service password-encryption (Optional) Encrypt the password when the password is defined or when the current configuration is written. Encryption prevents the password from being readable in the configuration file.
  • Page 144: Setting A Telnet Password For A Terminal Line

    Chapter 6 Administering the Switch Protecting Access to Privileged EXEC Commands Beginning in privileged EXEC mode, follow these steps to disable password recovery: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no service password-recovery Disable password recovery. This setting is saved in an area of the Flash memory that is accessible by the boot loader and the IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 145: Configuring Username And Password Pairs

    Chapter 6 Administering the Switch Protecting Access to Privileged EXEC Commands Command Purpose Step 7 show running-config Verify your entries. The password is listed under the command line vty 0 15. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove the password, use the no password global configuration command.
  • Page 146: Configuring Multiple Privilege Levels

    Chapter 6 Administering the Switch Protecting Access to Privileged EXEC Commands To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command.
  • Page 147: Changing The Default Privilege Level For Lines

    Chapter 6 Administering the Switch Protecting Access to Privileged EXEC Commands Command Purpose Step 5 show running-config / show privilege Verify your entries. The first command displays the password and access level configuration. The second command displays the privilege level configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 148: Logging Into And Exiting A Privilege Level

    (AAA) and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.1. This section contains this configuration information: •...
  • Page 149 The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers. A network access server provides connections to a single user, to a network or...
  • Page 150: Tacacs+ Operation

    Chapter 6 Administering the Switch Controlling Switch Access with TACACS+ You need a system running the TACACS+ daemon software to use TACACS+ on your switch. TACACS+ Operation When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs: When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the user.
  • Page 151: Configuring Tacacs

    Chapter 6 Administering the Switch Controlling Switch Access with TACACS+ Configuring TACACS+ This section describes how to configure your switch to support TACACS+. At a minimum, you must identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+ authentication.
  • Page 152: Configuring Tacacs+ Login Authentication

    Chapter 6 Administering the Switch Controlling Switch Access with TACACS+ Beginning in privileged EXEC mode, follow these steps to identify the IP host or hosts maintaining the TACACS+ server and optionally set the encryption key: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 153 Chapter 6 Administering the Switch Controlling Switch Access with TACACS+ A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails.
  • Page 154: Configuring Tacacs+ Authorization For Privileged Exec Access And Network Services

    Chapter 6 Administering the Switch Controlling Switch Access with TACACS+ To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
  • Page 155: Starting Tacacs+ Accounting

    RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.1. This section contains this configuration information: • Understanding RADIUS, page 6-18 ...
  • Page 156: Understanding Radius

    • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication. • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 157: Radius Operation

    Chapter 6 Administering the Switch Controlling Switch Access with RADIUS Figure 6-2 Typical AAA Network Configuration [figure: a Catalyst 3550 switch with two RADIUS servers, a TACACS+ server, a remote TACACS+ server and a workstation] RADIUS Operation When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur: The user is prompted to enter a username and password.
  • Page 158: Default Radius Configuration

    Chapter 6 Administering the Switch Controlling Switch Access with RADIUS software uses the first method listed to authenticate, to authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.
  • Page 159 Chapter 6 Administering the Switch Controlling Switch Access with RADIUS If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as a fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the switch tries the second host entry configured on the same device for accounting services.
  • Page 160 Chapter 6 Administering the Switch Controlling Switch Access with RADIUS Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | ip-address} [auth-port port-number] Specify the IP address or host name of the remote RADIUS server host. • ...
  • Page 161: Configuring Radius Login Authentication

    Chapter 6 Administering the Switch Controlling Switch Access with RADIUS This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting: Switch(config)# radius-server host host1 Note You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch.
  • Page 162: Defining Aaa Server Groups

    Chapter 6 Administering the Switch Controlling Switch Access with RADIUS Command Purpose Step 3 aaa authentication login {default | Create a login authentication method list. list-name} method1 [method2...] • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations.
  • Page 163 Chapter 6 Administering the Switch Controlling Switch Access with RADIUS Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
  • Page 164: Configuring Radius Authorization For User Privileged Access And Network Services

    Chapter 6 Administering the Switch Controlling Switch Access with RADIUS Command Purpose Step 4 aaa group server radius group-name Define the AAA server-group with a group name. This command puts the switch in a server group configuration mode. Step 5 server ip-address Associate a particular RADIUS server with the defined server group.
  • Page 165: Starting Radius Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 166: Configuring Settings For All Radius Servers

    1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and * for optional attributes.
  • Page 167: Configuring The Switch For Vendor-Proprietary Radius Server Communication

    Chapter 6 Administering the Switch Controlling Switch Access with RADIUS For example, the following AV pair activates Cisco's multiple named ip address pools feature during IP authorization (during PPP's IPCP address assignment): cisco-avpair= "ip:addr-pool=first" The following example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands: cisco-avpair= "shell:priv-lvl=15"...
  • Page 168: Displaying The Radius Configuration

    Chapter 6 Administering the Switch Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server host and a shared secret text string: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | ip-address} non-standard Specify the IP address or host name of the remote...
  • Page 169: Configuring The Switch For Local Authentication And Authorization

    Chapter 6 Administering the Switch Configuring the Switch for Local Authentication and Authorization Configuring the Switch for Local Authentication and Authorization You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration.
  • Page 170: Managing The System Time And Date

    You can manage the system time and date on your switch using automatic methods, such as the Network Time Protocol (NTP), or manual configuration methods. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This section contains this configuration information: • Understanding the System Clock, page 6-32 ...
  • Page 171 Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 172: Configuring Ntp

    Chapter 6 Administering the Switch Managing the System Time and Date Figure 6-3 Typical NTP Network Configuration (figure: a Catalyst 6500 series switch acting as NTP master, local workgroup servers, and several Catalyst 3550 switches). These switches are configured in NTP server mode (server association) with the Catalyst 6500 series switch.
  • Page 173: Default Ntp Configuration

    Default NTP Configuration Table 6-2 shows the default NTP configuration. Table 6-2 Default NTP Configuration Feature Default Setting NTP authentication Disabled. No authentication key is specified. NTP peer or server associations None configured.
  • Page 174: Configuring Ntp Associations

    Command Purpose Step 5 Return to privileged EXEC mode. Step 6 show running-config Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable NTP authentication, use the no ntp authenticate global configuration command.
  • Page 175: Configuring Ntp Broadcast Service

    Command Purpose Step 3 Return to privileged EXEC mode. Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. You need to configure only one end of an association;...
  • Page 176: Configuring Ntp Access Restrictions

    Command Purpose Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Step 7 Configure the connected peers to receive NTP broadcast packets as described in the next procedure. To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface configuration command.
  • Page 177 Creating an Access Group and Assigning a Basic IP Access List Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists: Command Purpose Step 1...
  • Page 178: Configuring The Source Ip Address For Ntp Packets

    If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted.
  • Page 179: Displaying The Ntp Configuration

    • show ntp status For detailed information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. Configuring Time and Date Manually If no other source of time is available, you can manually configure the current time and date after the system is restarted.
  • Page 180: Setting The System Clock

    Setting the System Clock If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock. Beginning in privileged EXEC mode, follow these steps to set the system clock: Command Purpose...
  • Page 181: Configuring The Time Zone

    Configuring the Time Zone Beginning in privileged EXEC mode, follow these steps to manually configure the time zone: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 clock timezone zone hours-offset Set the time zone.
  • Page 182: Configuring Summer Time (Daylight Saving Time)

    Configuring Summer Time (Daylight Saving Time) Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year: Command Purpose Step 1...
  • Page 183 Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events): Command Purpose Step 1...
  • Page 184: Configuring A System Name And Prompt

    Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
  • Page 185: Configuring A System Prompt

    Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
  • Page 186: Default Dns Configuration

    Chapter 6 Administering the Switch Configuring a System Name and Prompt Default DNS Configuration Table 6-3 shows the default DNS configuration. Table 6-3 Default DNS Configuration Feature Default Setting DNS enable state Enabled. DNS default domain name None configured. DNS servers No name server addresses are configured.
  • Page 187: Displaying The Dns Configuration

    The login banner also displays on all connected terminals. It is displayed after the MOTD banner and before the login prompts. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This section contains this configuration information: •...
  • Page 188: Configuring A Message-Of-The-Day Login Banner

    Chapter 6 Administering the Switch Creating a Banner Configuring a Message-of-the-Day Login Banner You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: Command Purpose Step 1...
  • Page 189: Configuring A Login Banner

    Chapter 6 Administering the Switch Managing the MAC Address Table Configuring a Login Banner You can configure a login banner to be displayed on all connected terminals. This banner is displayed after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner: Command Purpose...
  • Page 190: Building The Address Table

    This section contains this configuration information: • Building the Address Table, page 6-52 • MAC Addresses and VLANs, page 6-52 • Default MAC Address Table Configuration, page 6-53 • Changing the Address Aging Time, page 6-53 •...
  • Page 191: Default Mac Address Table Configuration

    Default MAC Address Table Configuration Table 6-4 shows the default MAC address table configuration. Table 6-4 Default MAC Address Table Configuration Feature Default Setting Aging time 300 seconds Dynamic addresses Automatically learned Static addresses None configured...
  • Page 192: Removing Dynamic Address Entries

    Removing Dynamic Address Entries To remove all dynamic entries, use the clear mac-address-table dynamic command in privileged EXEC mode. You can also remove a specific MAC address (clear mac-address-table dynamic address mac-address), remove all addresses on the specified physical port or port channel (clear mac-address-table dynamic interface interface-id), or remove all addresses on a specified VLAN (clear mac-address-table dynamic vlan vlan-id).
  • Page 193 Command Purpose Step 3 snmp-server enable traps mac-notification Enable the switch to send MAC address traps to the NMS. Step 4 mac-address-table notification Enable the MAC address notification feature. Step 5 mac-address-table notification [interval value] | Enter the trap interval time and the history table size.
  • Page 194: Adding And Removing Static Address Entries

    Adding and Removing Static Address Entries A static address has these characteristics: • It is manually entered in the address table and must be manually removed. • It can be a unicast or multicast address. •...
  • Page 195: Displaying Address Table Entries

    Chapter 6 Administering the Switch Optimizing System Resources for User-Selected Features Displaying Address Table Entries You can display the MAC address table by using one or more of the privileged EXEC commands described in Table 6-5: Table 6-5 Commands for Displaying the MAC Address Table Command Description show mac-address-table address...
  • Page 196 The number of subnet VLANs (routed ports and SVIs) is not limited by software and can be set to a number higher than indicated in the tables. If the number of subnet VLANs configured is lower than or equal to the number in the tables, the number of entries in each category (unicast addresses, IGMP groups, and so on) for each template will be as shown.
  • Page 197: Using The Templates

    Using the Templates Follow these guidelines when using the SDM templates: • The maximum number of resources allowed in each template is an approximation and depends upon the actual number of other features configured. For example, in the default template for the Catalyst 3550-12T, if your switch has more than 16 routed interfaces configured, the number of multicast or unicast routes that can be accommodated by hardware might be fewer than shown.
  • Page 198 This example shows how to configure a switch with the routing template and verify the configuration: Switch(config)# sdm prefer routing Switch(config)# end Switch# copy running-config startup-config Switch# reload Proceed with reload? [confirm] Switch# show sdm prefer The current template is routing template.
  • Page 199: Understanding 802.1X Port-Based Authentication

    Chapter Configuring 802.1X Port-Based Authentication This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. As LANs extend to hotels, airports, and corporate lobbies, insecure environments could be created.
  • Page 200: C H A P T E R 7 Configuring 802.1X Port-Based Authentication

    In this release, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 201: Authentication Initiation And Message Exchange

    Chapter 7 Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication Authentication Initiation and Message Exchange The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch must initiate authentication when it determines that the port link state transitions from down to up.
  • Page 202: Ports In Authorized And Unauthorized States

    Ports in Authorized and Unauthorized States The switch port state determines whether or not the client is granted access to the network. The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets.
  • Page 203: Configuring 802.1X Authentication

    Chapter 7 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication In a point-to-point configuration (see Figure 7-1 on page 7-2), only one client can be connected to the 802.1X-enabled switch port. The switch detects the client when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.
  • Page 204: Default 802.1X Configuration

    Default 802.1X Configuration Table 7-1 shows the default 802.1X configuration. Table 7-1 Default 802.1X Configuration Feature Default Setting Authentication, authorization, and accounting (AAA) Disabled. RADIUS server • IP address • None specified. UDP authentication port 1812.
  • Page 205: 802.1X Configuration Guidelines

    802.1X Configuration Guidelines These are the 802.1X authentication configuration guidelines: • When 802.1X is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are enabled. • The 802.1X protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports, but it is not supported on these port types: –...
  • Page 206: Enabling 802.1X Authentication

    Enabling 802.1X Authentication To enable 802.1X port-based authentication, you must enable AAA and specify the authentication method list. A method list describes the sequence and authentication methods to be queried to authenticate a user.
  • Page 207: Configuring The Switch-To-Radius-Server Communication

    This example shows how to enable AAA and 802.1X on Fast Ethernet port 0/1: Switch# configure terminal Switch(config)# aaa new-model Switch(config)# aaa authentication dot1x default group radius Switch(config)# interface fastethernet0/1 Switch(config-if)# dot1x port-control auto Switch(config-if)# end Configuring the Switch-to-RADIUS-Server Communication RADIUS security servers are identified by their host name or IP address, host name and specific UDP...
  • Page 208: Enabling Periodic Re-Authentication

    This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use port 1612 as the authorization port, and to set the encryption key to rad123, matching the key on the RADIUS server: Switch(config)# radius-server host 172.20.39.46 auth-port 1612 key rad123 You can globally configure the timeout, retransmission, and encryption key values for all RADIUS...
  • Page 209: Manually Re-Authenticating A Client Connected To A Port

    Manually Re-Authenticating a Client Connected to a Port You can manually re-authenticate the client connected to a specific port at any time by entering the dot1x re-authenticate interface interface-id privileged EXEC command. If you want to enable or disable periodic re-authentication, see the “Enabling Periodic Re-Authentication”...
  • Page 210: Changing The Switch-To-Client Retransmission Time

    Changing the Switch-to-Client Retransmission Time The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time) and then retransmits the frame.
  • Page 211: Setting The Switch-To-Client Frame-Retransmission Number

    Setting the Switch-to-Client Frame-Retransmission Number In addition to changing the switch-to-client retransmission time, you can change the number of times that the switch sends an EAP-request/identity frame (assuming no response is received) to the client before restarting the authentication process.
  • Page 212: Resetting The 802.1X Configuration To The Default Values

    Chapter 7 Configuring 802.1X Port-Based Authentication Displaying 802.1X Statistics and Status Command Purpose Step 4 Return to privileged EXEC mode. Step 5 show dot1x interface interface-id Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable multiple hosts on the port, use the no dot1x multiple-hosts interface configuration command.
  • Page 213: Understanding Interface Types

    Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release and the online Cisco IOS Interface Command Reference for Release 12.1. Understanding Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interface types.
  • Page 214: Port-Based Vlans

    Chapter 8 Configuring Interface Characteristics Understanding Interface Types Port-Based VLANs A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 9, “Creating and Maintaining VLANs.”...
  • Page 215: C H A P T E R 8 Configuring Interface Characteristics

    Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. Exceptions are the DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP), which operate only on physical ports.
  • Page 216: Switch Virtual Interfaces

    Switch Virtual Interfaces A switch virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing or bridging function in the system. Only one SVI can be associated with a VLAN, but you need to configure an SVI for a VLAN only when you wish to route between VLANs, fallback-bridge nonroutable protocols between VLANs, or to provide IP host connectivity to the switch.
  • Page 217: Connecting Interfaces

    8-1, when Host A in VLAN 20 sends data to Host B in VLAN 30, it must go from Host A to the switch, to the router, back to the switch, and then to Host B. Figure 8-1 Connecting VLANs with Layer 2 Switches (figure: Host A and Host B attached to a switch, with a Cisco router providing inter-VLAN routing)...
  • Page 218: Using The Interface Command

    Chapter 8 Configuring Interface Characteristics Using the Interface Command Figure 8-2 Connecting VLANs with the Catalyst 3550 Multilayer Switch (figure: a Catalyst 3550 switch with the enhanced multilayer software image; SVI 1 at 172.20.128.1 serves Host A in VLAN 20 and SVI 2 at 172.20.129.1 serves Host B in VLAN 30). The Catalyst 3550 switch with the enhanced multilayer software image supports two methods of forwarding traffic between interfaces: routing and fallback bridging.
  • Page 219: Procedures For Configuring Interfaces

    To configure a physical interface (port), enter interface configuration mode, and specify the interface type, slot, and number. • Type—Fast Ethernet (fastethernet or fa) for 10/100 Ethernet or Gigabit Ethernet (gigabitethernet or •...
  • Page 220 Enter the show interfaces privileged EXEC command to see a list of all interfaces on or configured for the switch. A report is provided for each interface that the device supports or for the specified interface: Switch# show interfaces Vlan1 is up, line protocol is up Hardware is EtherSVI, address is 0000.0000.0000 (bia 0000.0000.00...
  • Page 221: Configuring A Range Of Interfaces

    5 minute output rate 0 bits/sec, 0 packets/sec 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 input packets with dribble condition detected 0 packets output, 0 bytes, 0 underruns 0 output errors, 0 collisions, 2 interface resets...
  • Page 222 • You must add a space between the interface numbers and the hyphen when using the interface range command. For example, the command interface range gigabitethernet 0/1 - 5 is a valid range; the command interface range gigabitethernet 0/1-5 is not a valid range. • The interface range command works only with VLAN interfaces that have been configured with...
  • Page 223: Configuring And Using Interface Range Macros

    Configuring and Using Interface Range Macros You can create an interface range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface range macro global configuration command string, you must use the define interface-range global configuration command to define the macro.
  • Page 224: Configuring Layer 2 Interfaces

    Chapter 8 Configuring Interface Characteristics Configuring Layer 2 Interfaces This example shows how to define an interface-range macro named enet_list to select Gigabit Ethernet ports 1 to 4 and to verify the macro configuration: Switch# configure terminal Switch(config)# define interface-range enet_list gigabitethernet0/1 - 4 Switch(config)# end Switch# show running-config | include define define interface-range enet_list GigabitEthernet0/1 - 4...
  • Page 225: Default Layer 2 Ethernet Interface Configuration

    Default Layer 2 Ethernet Interface Configuration Table 8-1 shows the Layer 2 Ethernet interface default configuration. For more details on the VLAN parameters listed in the table, see Chapter 9, “Creating and Maintaining VLANs.” For details on controlling traffic to the port, see Chapter 12, “Configuring Port-Based Traffic Control.”...
  • Page 226: Configuring Interface Speed And Duplex Mode

    Configuring Interface Speed and Duplex Mode These sections describe how to configure the interface speed and duplex mode: • Configuration Guidelines, page 8-14 • Setting the Interface Speed and Duplex Parameters, page 8-14 Configuration Guidelines When configuring an interface speed and duplex mode, note these guidelines: If both ends of the line support autonegotiation, we highly recommend the default autonegotiation...
  • Page 227 Beginning in privileged EXEC mode, follow these steps to set the speed and duplex mode for a physical interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode and the physical interface identification.
  • Page 228: Configuring Ieee 802.3X Flow Control

    Configuring IEEE 802.3X Flow Control Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. If one port experiences congestion and cannot receive any more traffic, it notifies the other port to stop sending until the condition clears.
  • Page 229: Adding A Description For An Interface

    Beginning in privileged EXEC mode, follow these steps to configure flow control on an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no mls qos Disable QoS on the switch. Step 3 interface interface-id Enter interface configuration mode and the physical interface to...
  • Page 230: Monitoring And Maintaining The Layer 2 Interface

    (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference for Release 12.1. Table 8-2...
  • Page 231 Chapter 8 Configuring Interface Characteristics Monitoring and Maintaining the Layer 2 Interface Table 8-2 Show Commands for Interfaces (continued) Command Purpose show running-config Display the running configuration in RAM. show version Display the hardware configuration, software version, the names and sources of configuration files, and the boot images.
  • Page 232: Clearing And Resetting Interfaces And Counters

    This example shows how to display the status of switching ports: Switch# show interfaces switchport Name: Gi0/1 Switchport: Enabled Administrative Mode: dynamic desirable Operational Mode: static access Administrative Trunking Encapsulation: negotiate Operational Trunking Encapsulation: native Negotiation of Trunking: On Access Mode VLAN: 1 (default)
  • Page 233: Shutting Down And Restarting The Interface

    Note The clear counters privileged EXEC command does not clear counters retrieved by using Simple Network Management Protocol (SNMP), but only those seen with the show interface privileged EXEC command.
  • Page 234: Configuring Layer 3 Interfaces

    Chapter 8 Configuring Interface Characteristics Configuring Layer 3 Interfaces To verify that an interface is disabled, enter the show interfaces privileged EXEC command. A disabled interface is shown as administratively down in the show interface command display as with Gigabit Ethernet interface 0/1 in this example.
  • Page 235 Beginning in privileged EXEC mode, follow these steps to configure a Layer 3 interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface {{fastethernet | gigabitethernet} interface-id} | {vlan vlan-id} | {port-channel port-channel-number} Enter interface configuration mode, and enter the interface to be configured as a Layer 3 interface.
  • Page 236 This is an example of output from the show ip interface privileged EXEC command for an interface: Switch# show ip interface gigabitethernet0/2 GigabitEthernet0/2 is up, line protocol is up Internet address is 192.20.135.21/24 Broadcast address is 255.255.255.255 Address determined by setup command MTU is 1500 bytes...
  • Page 237: Chapter 9 Creating And Maintaining Vlans

    Chapter Creating and Maintaining VLANs This chapter describes how to create and maintain VLANs. It includes information about VLAN modes, the VLAN Trunking Protocol (VTP) database, and the VLAN Membership Policy Server (VMPS). Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.
  • Page 238: Number Of Supported Vlans

    VLANs as Logically Defined Networks (figure: Engineering, Marketing, and Accounting VLANs spanning Floors 1 through 3, connected over Fast Ethernet to a Cisco router). VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN. Interface VLAN membership on the switch is assigned manually on an interface-by-interface basis.
  • Page 239: Vlan Port Membership Modes

    Chapter 9 Creating and Maintaining VLANs Using the VLAN Trunking Protocol VLAN Port Membership Modes You configure a port to belong to a VLAN by assigning a membership mode that determines the kind of traffic the port carries and the number of VLANs to which it can belong. Table 9-1 lists the membership modes and characteristics.
  • Page 240: The Vtp Domain And Vtp Modes

    The VTP Domain and VTP Modes A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name.
  • Page 241: Vtp Advertisements

    VTP Advertisements Each switch in the VTP domain sends periodic global configuration advertisements from each trunk port to a reserved multicast address. Neighboring switches receive these advertisements and update their VTP and VLAN configurations as necessary.
  • Page 242: Vtp Version 2

    VTP Version 2 If you use VTP in your network, you must decide whether to use version 1 or version 2. VTP version 2 supports these features not supported in version 1: •...
  • Page 243 Figure 9-2 Flooding Traffic without VTP Pruning (figure: Switches 1 through 6 connected by trunk ports, with the Red VLAN flooded to every switch). Figure 9-3 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch 2 and Port 4 on Switch 4).
  • Page 244: Configuring Vtp

    To configure VTP pruning on an interface, use the switchport trunk pruning vlan interface configuration command (see the “Changing the Pruning-Eligible List” section on page 9-28). VTP pruning operates when an interface is trunking. You can set VLAN pruning-eligibility, whether or not VTP pruning is enabled for the VTP domain, whether or not any given VLAN exists, and whether or not the interface is currently trunking.
  • Page 245 VLAN configuration mode, it applies all the commands that you entered. VTP messages are sent to other switches in the VTP domain, and the privileged EXEC mode prompt appears. The Cisco IOS end and Ctrl-Z commands are not supported in VLAN configuration mode. Note For more configuration guidelines, see the “VLAN Configuration Guidelines”...
  • Page 246 Configuring a VTP Server When a switch is in VTP server mode, you can change the VLAN configuration and have it propagated throughout the network. Beginning in privileged EXEC mode, follow these steps to configure the switch as a VTP server: Command Purpose Step 1...
  • Page 247: Disabling Vtp (Vtp Transparent Mode)

    Configuring a VTP Client When a switch is in VTP client mode, you cannot change its VLAN configuration. The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly.
  • Page 248: Enabling Vtp Version 2

    Chapter 9 Creating and Maintaining VLANs Using the VLAN Trunking Protocol Command Purpose Step 3 exit Update the VLAN database, propagate it throughout the administrative domain, and return to privileged EXEC mode. Step 4 show vtp status Verify your entries in the VTP Operating Mode field of the display. To return the switch to VTP server mode, use the no vtp transparent VLAN configuration command.
  • Page 249: Enabling Vtp Pruning

    Chapter 9 Creating and Maintaining VLANs Using the VLAN Trunking Protocol Enabling VTP Pruning Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You enable VTP pruning on a switch in VTP server mode. Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the management domain: Command...
  • Page 250 Chapter 9 Creating and Maintaining VLANs Using the VLAN Trunking Protocol This is an example of output from the show vtp status privileged EXEC command: Switch# show vtp status VTP Version Configuration Revision Maximum VLANs supported locally : 1005 Number of existing VLANs : 69 VTP Operating Mode : Server...
  • Page 251: Vlans In The Vtp Database

    Chapter 9 Creating and Maintaining VLANs VLANs in the VTP Database VLANs in the VTP Database You can set these parameters when you create a new VLAN or modify an existing VLAN in the VTP database: • VLAN ID • VLAN name • VLAN type (Ethernet, Fiber Distributed Data Interface [FDDI], FDDI network entity title [NET], ...
  • Page 252: Vlan Configuration Guidelines

    Chapter 9 Creating and Maintaining VLANs VLANs in the VTP Database Table 9-5 Ethernet VLAN Defaults and Ranges (columns: Parameter, Default, Range) VLAN ID: range 1–1005. VLAN name: default "default", no range. 802.10 SAID: default 101001, range 1–4294967294. MTU size: default 1500, range 1500–18190. Translational bridge 1: default 1002, range 0–1005. Translational bridge 2: ...
  • Page 253: Configuring Vlans In The Vtp Database

    Chapter 9 Creating and Maintaining VLANs VLANs in the VTP Database Configuring VLANs in the VTP Database You can add, modify or remove VLAN configurations in the VTP database by using the CLI VLAN configuration mode. VTP globally propagates these VLAN changes throughout the VTP domain. In VTP server or transparent mode, commands to add, change, and delete VLANs are written to the file vlan.dat, and you can display them by entering the show vlan privileged EXEC command.
  • Page 254: Modifying An Ethernet Vlan

    Chapter 9 Creating and Maintaining VLANs VLANs in the VTP Database This example shows how to add Ethernet VLAN 20 to the VLAN database and name it test20: Switch# vlan database Switch(vlan)# vlan 20 name test20 Switch(vlan)# exit APPLY completed. Exiting..
  • Page 255: Assigning Static-Access Ports To A Vlan

    Chapter 9 Creating and Maintaining VLANs VLANs in the VTP Database Caution When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN. Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch: Command Purpose...
  • Page 256 Chapter 9 Creating and Maintaining VLANs VLANs in the VTP Database Command Purpose Step 6 show running-config interface interface-id Verify the VLAN membership mode of the interface. Step 7 show interfaces interface-id switchport Verify your entries in the Administrative Mode and the Access Mode VLAN fields of the display.
  • Page 257: Displaying Vlans In The Vtp Database

    Chapter 9 Creating and Maintaining VLANs VLANs in the VTP Database Displaying VLANs in the VTP Database Use the show vlan privileged EXEC command to display a list of VLANs in the database, including status, ports, and configuration: Switch# show vlan VLAN Name Status Ports...
  • Page 258: Understanding Vlan Trunks

    VLANs across an entire network. The 100BASE-T and Gigabit Ethernet trunks carry traffic for multiple VLANs over a single link. Two trunking encapsulations are available on all Ethernet interfaces: • Inter-Switch Link (ISL)—ISL is Cisco-proprietary trunking encapsulation. • 802.1Q—802.1Q is industry-standard trunking encapsulation.
  • Page 259: Encapsulation Types

    Chapter 9 Creating and Maintaining VLANs Understanding VLAN Trunks Note DTP is a point-to-point protocol. However, some internetworking devices might forward DTP frames improperly. To avoid this, ensure that interfaces connected to devices that do not support DTP are configured with the access keyword if you do not intend to trunk across those links. To enable trunking to a device that does not support DTP, use the nonegotiate keyword to cause the interface to become a trunk but to not generate DTP frames.
  • Page 260: 802.1Q Configuration Considerations

    VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco 802.1Q switch.
  • Page 261: Configuring An Ethernet Interface As A Trunk Port

    Chapter 9 Creating and Maintaining VLANs Understanding VLAN Trunks Configuring an Ethernet Interface as a Trunk Port Because trunk ports send and receive VTP advertisements, you must ensure that at least one trunk port is configured on the switch and that this trunk port is connected to the trunk port of a second switch. Otherwise, the switch cannot receive any VTP advertisements.
  • Page 262 Chapter 9 Creating and Maintaining VLANs Understanding VLAN Trunks Command Purpose Step 8 show interfaces interface-id switchport Display the switchport configuration of the interface in the Administrative Mode and the Administrative Trunking Encapsulation fields of the display. Step 9 show interfaces interface-id trunk Display the trunk configuration of the interface.
  • Page 263: Defining The Allowed Vlans On A Trunk

    Chapter 9 Creating and Maintaining VLANs Understanding VLAN Trunks In this example, the encapsulation method is ISL: Switch# show interfaces gigabitethernet0/4 trunk Port Mode Encapsulation Status Native vlan Gi0/4 desirable n-isl trunking Port Vlans allowed on trunk Gi0/4 1-1005 Port Vlans allowed and active in management domain Gi0/4 1,10-1000...
  • Page 264: Changing The Pruning-Eligible List

    Chapter 9 Creating and Maintaining VLANs Understanding VLAN Trunks To return to the default allowed VLAN list of all VLANs, use the no switchport trunk allowed vlan interface configuration command. This example shows how to remove VLAN 2 from the allowed VLAN list and verify the configuration. Switch(config)# interface gigabitethernet0/1 Switch(config-if)# switchport trunk allowed vlan remove 2 Switch(config-if)# end...
  • Page 265: Configuring The Native Vlan For Untagged Traffic

    Chapter 9 Creating and Maintaining VLANs Understanding VLAN Trunks Command Purpose Step 5 show interfaces interface-id switchport Verify your entries in the Pruning VLANs Enabled field of the display. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default pruning-eligible list of all VLANs, use the no switchport trunk pruning vlan interface configuration command.
  • Page 266: Load Sharing Using Stp Port Priorities

    Chapter 9 Creating and Maintaining VLANs Understanding VLAN Trunks Load Sharing Using STP Port Priorities When two ports on the same switch form a loop, the STP port priority setting determines which port is enabled and which port is in a blocking state. You can set the priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN.
  • Page 267 Chapter 9 Creating and Maintaining VLANs Understanding VLAN Trunks Command Purpose Step 6 show vlan Verify that the VLANs exist in the database on Switch 1. Step 7 configure terminal Enter global configuration mode. Step 8 interface gigabitethernet 0/1 Enter interface configuration mode, and define Gigabit Ethernet port 0/1 as the interface to be configured as a trunk.
  • Page 268: Load Sharing Using Stp Path Cost

    Chapter 9 Creating and Maintaining VLANs Understanding VLAN Trunks Load Sharing Using STP Path Cost You can configure parallel trunks to share VLAN traffic by setting different path costs on a trunk and associating the path costs with different sets of VLANs. The VLANs keep the traffic separate. Because no loops exist, STP does not disable the ports, and redundancy is maintained in the event of a lost link.
  • Page 269: Understanding Vmps

    Chapter 9 Creating and Maintaining VLANs Understanding VMPS Command Purpose Step 8 show running-config Verify your entries. In the display, make sure that interfaces Fast Ethernet 0/1 and Fast Ethernet 0/2 are configured as trunk ports. Step 9 show vlan When the trunk links come up, Switch 1 receives the VTP information from the other switches.
  • Page 270: Dynamic Port Vlan Membership

    Chapter 9 Creating and Maintaining VLANs Understanding VMPS If the switch receives an access-denied response from the VMPS, it continues to block traffic from the MAC address to or from the port. The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new address.
  • Page 271 Chapter 9 Creating and Maintaining VLANs Understanding VMPS This is an example of a VMPS database configuration file as it appears on a Catalyst 6000 series switch. The file has these characteristics: • The security mode is open. • The default is used for the fallback VLAN.
  • Page 272: Vmps Configuration Guidelines

    Chapter 9 Creating and Maintaining VLANs Understanding VMPS vmps-vlan-group Engineering vlan-name hardware vlan-name software !VLAN port Policies !vmps-port-policies {vlan-name <vlan_name> | vlan-group <group-name> } ! { port-group <group-name> | device <device-id> port <port-name> } vmps-port-policies vlan-group Engineering port-group WiringCloset1 vmps-port-policies vlan-name Green device 198.92.30.32 port 0/8 vmps-port-policies vlan-name Purple device 198.4.254.22 port 0/2...
  • Page 273: Default Vmps Configuration

    Chapter 9 Creating and Maintaining VLANs Understanding VMPS Default VMPS Configuration Table 9-9 shows the default VMPS and dynamic port configuration on client switches. Table 9-9 Default VMPS Client and Dynamic Port Configuration (columns: Feature, Default Setting) VMPS domain server: None. VMPS reconfirm interval: 60 minutes. VMPS server retry count: ...
  • Page 274: Configuring Dynamic Access Ports On Vmps Clients

    Chapter 9 Creating and Maintaining VLANs Understanding VMPS This is an example of output for the show vmps privileged EXEC command, used to verify the VMPS server IP address. Switch# show vmps VQP Client Status: -------------------- VMPS VQP Version: Reconfirm Interval: 60 min Server Retry Count: 3 VMPS domain server: 172.20.128.86 (primary, current) 172.20.128.87...
  • Page 275: Reconfirming Vlan Memberships

    Chapter 9 Creating and Maintaining VLANs Understanding VMPS Reconfirming VLAN Memberships Beginning in privileged EXEC mode, follow these steps to confirm the dynamic port VLAN membership assignments that the switch has received from the VMPS: Command Purpose Step 1 vmps reconfirm Reconfirm dynamic port VLAN membership.
  • Page 276: Administering And Monitoring The Vmps

    Chapter 9 Creating and Maintaining VLANs Understanding VMPS Administering and Monitoring the VMPS You can display information about the VMPS by using the show vmps privileged EXEC command. The switch displays this information about the VMPS: VMPS VQP Version The version of VQP used to communicate with the VMPS. The switch queries the VMPS that is using VQP version 1.
  • Page 277 Chapter 9 Creating and Maintaining VLANs Understanding VMPS Figure 9-7 Dynamic Port VLAN Membership Configuration (figure labels: TFTP server; Catalyst 6000 series primary VMPS Server 1, 172.20.26.150; router; Switch 1, 172.20.22.7; Catalyst 3550 switch client; dynamic-access port; 172.20.26.151; station 1; Switch 2; trunk port or static-access port; Catalyst 6000 series ...)
  • Page 279: Configuring Stp

    C H A P T E R Configuring STP This chapter describes how to configure the Spanning Tree Protocol (STP) on your switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.
  • Page 280: Supported Stp Instances

    Chapter 10 Configuring STP Understanding Basic STP Features For information about advanced STP features, see the “Understanding Advanced STP Features” section on page 10-10 and the “Configuring Advanced STP Features” section on page 10-32. Supported STP Instances This software release supports the per-VLAN spanning tree (PVST) and a maximum of 128 spanning-tree instances.
  • Page 281: Chapter 10 Configuring Stp

    Chapter 10 Configuring STP Understanding Basic STP Features Multiple active paths among end stations cause loops in the network. If a loop exists in the network, end stations might receive duplicate messages. Switches might also learn end-station MAC addresses on multiple Layer 2 interfaces.
  • Page 282: Bridge Protocol Data Units

    Chapter 10 Configuring STP Understanding Basic STP Features • The removal of loops in the switched network by blocking Layer 2 interfaces connected to redundant links For each VLAN, the switch with the highest switch priority (the lowest numerical priority value) is elected as the root switch.
  • Page 283: Stp Timers

    Chapter 10 Configuring STP Understanding Basic STP Features STP Timers Table 10-2 describes the STP timers that affect the entire spanning-tree performance. Table 10-2 Spanning Tree Protocol Timers Variable Description Hello timer Determines how often the switch broadcasts hello messages to other switches. Forward-delay timer Determines how long each of the listening and learning states last before the interface begins forwarding.
  • Page 284: Stp Interface States

    Chapter 10 Configuring STP Understanding Basic STP Features STP Interface States Propagation delays can occur when protocol information passes through a switched LAN. As a result, topology changes can take place at different times and at different places in a switched network. When a Layer 2 interface transitions directly from nonparticipation in the spanning-tree topology to the forwarding state, it can create temporary data loops.
  • Page 285: Blocking State

    Chapter 10 Configuring STP Understanding Basic STP Features When the spanning-tree algorithm places a Layer 2 interface in the forwarding state, this process occurs: The Layer 2 interface is in the listening state while spanning tree waits for protocol information to transition the interface to the blocking state.
  • Page 286: Forwarding State

    However, in a network of Cisco switches connected through 802.1Q trunks, the switches maintain one spanning-tree instance for each VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch uses per-VLAN spanning tree+ (PVST+) to provide STP interoperability. It combines the spanning-tree instance of the 802.1Q VLAN of the trunk with the spanning-tree instance of the non-Cisco 802.1Q...
  • Page 287: Vlan-Bridge Stp

    Understanding Basic STP Features However, all PVST+ information is maintained by Cisco switches separated by a cloud of non-Cisco 802.1Q switches. The non-Cisco 802.1Q cloud separating the Cisco switches is treated as a single trunk link between the switches. PVST+ is automatically enabled on 802.1Q trunks, and no user configuration is required. The external spanning-tree behavior on access ports and Inter-Switch Link (ISL) trunks is not affected by PVST+.
  • Page 288: Accelerated Aging To Retain Connectivity

    Chapter 10 Configuring STP Understanding Advanced STP Features Accelerated Aging to Retain Connectivity The default for aging dynamic addresses is 5 minutes, the default setting of the mac-address-table aging-time global configuration command. However, an STP reconfiguration can cause many station locations to change.
  • Page 289: Understanding Bpdu Guard

    Chapter 10 Configuring STP Understanding Advanced STP Features Figure 10-4 Port Fast-Enabled Ports (figure labels: Catalyst 6000 series switch; Catalyst 3550 switches; server; Port Fast-enabled port; Port Fast-enabled ports; workstations) Understanding BPDU Guard When the BPDU guard feature is enabled on the switch, STP shuts down Port Fast-enabled interfaces that receive BPDUs rather than putting them into the blocking state.
  • Page 290: Understanding Uplinkfast

    Chapter 10 Configuring STP Understanding Advanced STP Features Understanding UplinkFast Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 10-5 shows a complex network where distribution switches and access switches each have at least one redundant link that STP blocks to prevent loops. Figure 10-5 Switches in a Hierarchical Network Backbone switches Root bridge...
  • Page 291: Understanding Cross-Stack Uplinkfast

    Chapter 10 Configuring STP Understanding Advanced STP Features Figure 10-6 UplinkFast Example Before Direct Link Failure (figure labels: Switch A (Root); Switch B; Switch C; blocked port) If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked port on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure...
  • Page 292: How Csuf Works

    Chapter 10 Configuring STP Understanding Advanced STP Features How CSUF Works CSUF ensures that one link in the stack is elected as the path to the root. As shown in Figure 10-8, Switches A, B, and C are cascaded through the GigaStack GBIC to form a multidrop backbone, which communicates control and data traffic across the switches at the access layer.
  • Page 293: Events That Cause Fast Convergence

    Chapter 10 Configuring STP Understanding Advanced STP Features The switch sending the fast-transition request needs to do a fast transition to the forwarding state of a port that it has chosen as the root port, and it must obtain an acknowledgement from each stack switch before performing the fast transition.
  • Page 294: Limitations

    Chapter 10 Configuring STP Understanding Advanced STP Features Limitations These limitations apply to CSUF: • CSUF uses the GigaStack GBIC and runs on all Catalyst 3550 switches, all Catalyst 3500 XL switches, but only on modular Catalyst 2900 XL switches that have the 1000BASE-X module installed.
  • Page 295 Chapter 10 Configuring STP Understanding Advanced STP Features Figure 10-9 GigaStack GBIC Connections and STP Convergence (figure labels: GigaStack GBIC connection for fast convergence; Catalyst 3550-12T; Catalyst 3508G XL; Catalyst 3500; Catalyst 2924M XL; Catalyst 2900; Catalyst 3524 XL; Catalyst 3512 XL ...)
  • Page 296: Understanding Backbonefast

    Chapter 10 Configuring STP Understanding Advanced STP Features Understanding BackboneFast BackboneFast is started when a root port or blocked port on a switch receives inferior BPDUs from its designated bridge. An inferior BPDU identifies one switch as both the root bridge and the designated bridge.
  • Page 297 Chapter 10 Configuring STP Understanding Advanced STP Features switchover takes approximately 30 seconds, twice the Forward Delay time if the default Forward Delay time of 15 seconds is set. Figure 10-11 shows how BackboneFast reconfigures the topology to account for the failure of link L1. Figure 10-11 BackboneFast Example After Indirect Link Failure Switch A (Root)
  • Page 298: Understanding Root Guard

    Chapter 10 Configuring STP Understanding Advanced STP Features Understanding Root Guard The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. In such a topology, STP can reconfigure itself and select a customer switch as the STP root switch, as shown in Figure 10-13.
  • Page 299: Configuring Basic Stp Features

    Chapter 10 Configuring STP Configuring Basic STP Features Configuring Basic STP Features These sections include basic STP configuration information: • Default STP Configuration, page 10-21 • Disabling STP, page 10-22 • Configuring the Root Switch, page 10-22 • Configuring a Secondary Root Switch, page 10-24 • ...
  • Page 300: Disabling Stp

    Chapter 10 Configuring STP Configuring Basic STP Features Table 10-3 Default STP Configuration (continued) Feature Default Setting Forward-delay time 15 seconds. Maximum-aging time 20 seconds. Port Fast Disabled on all interfaces. BPDU guard Disabled on the switch. UplinkFast Disabled on the switch. BackboneFast Disabled on the switch.
  • Page 301 Chapter 10 Configuring STP Configuring Basic STP Features To configure a switch to become the root, use the spanning-tree vlan vlan-id root global configuration command to modify the switch priority from the default value (32768) to a significantly lower value so that the switch becomes the root switch for the specified VLAN.
  • Page 302: Configuring A Secondary Root Switch

    Chapter 10 Configuring STP Configuring Basic STP Features Beginning in privileged EXEC mode, follow these steps to configure a switch as the root switch: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree vlan vlan-id root primary Configure a switch as the root switch.
  • Page 303 Chapter 10 Configuring STP Configuring Basic STP Features Beginning in privileged EXEC mode, follow these steps to configure a switch as the secondary root switch: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree vlan vlan-id root secondary Configure a switch as the secondary root switch.
  • Page 304: Configuring Stp Port Priority

    The priority range is 0 to 255; the default is 128. Cisco IOS uses the port priority value when the interface is configured as an access port and uses VLAN port priority values when the interface is configured as a trunk port.
  • Page 305: Configuring Stp Path Cost

    Chapter 10 Configuring STP Configuring Basic STP Features Configuring STP Path Cost The STP path cost default value is derived from the media speed of an interface. If a loop occurs, STP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values that you want selected last.
  • Page 306: Configuring The Switch Priority Of A Vlan

    Chapter 10 Configuring STP Configuring Basic STP Features Configuring the Switch Priority of a VLAN You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the switch priority.
  • Page 307: Configuring The Hello Time

    Chapter 10 Configuring STP Configuring Basic STP Features Configuring the Hello Time You can configure the interval between the generation of configuration messages by the root switch by changing the STP hello time. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the hello time.
  • Page 308: Configuring The Maximum-Aging Time For A Vlan

    Chapter 10 Configuring STP Configuring Basic STP Features To return the switch to its default setting, use the no spanning-tree vlan vlan-id forward-time global configuration command. Configuring the Maximum-Aging Time for a VLAN Beginning in privileged EXEC mode, follow these steps to configure the STP maximum-aging time for a VLAN: Command Purpose...
  • Page 309: Displaying Stp Status

    Chapter 10 Configuring STP Configuring Basic STP Features Figure 10-14 Gigabit Ethernet Stack (figure labels: Cisco 7000 router; Catalyst 5000 series switch; Catalyst 3550 switches; Layer 3 backbone; Catalyst 5000 series or 6000 series switches backbone; Catalyst 6000 ...)
  • Page 310: Configuring Advanced Stp Features

    Chapter 10 Configuring STP Configuring Advanced STP Features Configuring Advanced STP Features These sections include advanced STP configuration information: • Configuring Port Fast, page 10-32 • Configuring BPDU Guard, page 10-33 • Configuring UplinkFast for Use with Redundant Links, page 10-34 • ...
  • Page 311: Configuring Bpdu Guard

    Chapter 10 Configuring STP Configuring Advanced STP Features Configuring BPDU Guard When the BPDU guard feature is enabled on the switch, STP shuts down Port Fast-enabled interfaces that receive BPDUs rather than putting them into the blocking state. The BPDU guard feature works on Port Fast-enabled interfaces. Caution Configure Port Fast only on interfaces that connect to end stations;...
  • Page 312: Configuring Uplinkfast For Use With Redundant Links

    Chapter 10 Configuring STP Configuring Advanced STP Features Configuring UplinkFast for Use with Redundant Links UplinkFast increases the switch priority to 49152 and adds 3000 to the STP path cost only if the port used the default path cost before you enabled UplinkFast, making it unlikely that the switch will become the root switch.
  • Page 313: Configuring Cross-Stack Uplinkfast

    Chapter 10 Configuring STP Configuring Advanced STP Features Configuring Cross-Stack UplinkFast Before enabling CSUF, make sure your stack switches are properly connected. For more information, see the “Connecting the Stack Ports” section on page 10-16. Beginning in privileged EXEC mode, follow these steps to enable CSUF: Command Purpose Step 1...
  • Page 314: Configuring Backbonefast

    Chapter 10 Configuring STP Configuring Advanced STP Features Configuring BackboneFast You can enable BackboneFast to detect indirect link failures and to start the spanning-tree reconfiguration sooner. Note If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs.
  • Page 315: Enabling Etherchannel Guard

    Chapter 10 Configuring STP Configuring Advanced STP Features Enabling EtherChannel Guard Use the EtherChannel guard feature to detect a misconfigured EtherChannel when Catalyst 3550 switch interfaces are configured as an EtherChannel while interfaces on the remote device are not, or not all the interfaces on the remote device are in the same EtherChannel.
  • Page 317: Understanding Igmp Snooping

    Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release and the Cisco IOS Release Network Protocols Command Reference, Part 1, for Release 12.1.
  • Page 318: Chapter 11 Configuring Igmp Snooping And Mvr

    Chapter 11 Configuring IGMP Snooping and MVR Understanding IGMP Snooping the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.
  • Page 319 Chapter 11 Configuring IGMP Snooping and MVR Understanding IGMP Snooping Figure 11-1 Initial IGMP Join Message (figure labels: Router A; IGMP report 224.1.2.3; VLAN; switching engine; forwarding table; Host 1, Host 2, Host 3, Host 4) Router A sends a general query to the switch, which forwards the query to ports 2 through 5, all members of the same VLAN.
  • Page 320: Leaving A Multicast Group

    Chapter 11 Configuring IGMP Snooping and MVR Understanding IGMP Snooping Figure 11-2 Second Host Joining a Multicast Group (figure labels: Router A; VLAN; switching engine; forwarding table; Host 1, Host 2, Host 3, Host 4) Table 11-2 Updated IGMP Snooping Forwarding Table (columns: Destination Address, Type of Packet, Ports) ...
  • Page 321: Configuring Igmp Snooping

    Chapter 11 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Note You should only use the Immediate-Leave processing feature on VLANs where a single host is connected to each port. If Immediate Leave is enabled in VLANs where more than one host is connected to a port, some hosts might be inadvertently dropped.
  • Page 322: Setting The Snooping Method

    • Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets • Listening to Cisco Group Management Protocol (CGMP) packets from other routers • Statically connecting to a multicast router port with the ip igmp snooping mrouter global ...
  • Page 323: Configuring A Multicast Router Port

    Chapter 11 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Beginning in privileged EXEC mode, follow these steps to alter the method in which a VLAN interface dynamically accesses a multicast router: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip igmp snooping vlan vlan-id mrouter Enable IGMP snooping on a VLAN.
  • Page 324: Configuring A Host Statically To Join A Group

    Chapter 11 Configuring IGMP Snooping and MVR Configuring IGMP Snooping Command Purpose Step 4 show ip igmp snooping mrouter [vlan vlan-id] Verify that IGMP snooping is enabled on the VLAN interface. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove a multicast router port from the VLAN, use the no ip igmp snooping vlan vlan-id mrouter interface interface-id global configuration command.
  • Page 325: Enabling Igmp Immediate-Leave Processing

    Chapter 11 Configuring IGMP Snooping and MVR Displaying IGMP Snooping Information Enabling IGMP Immediate-Leave Processing When you enable IGMP Immediate-Leave processing, the switch immediately removes a port when it detects an IGMP version 2 leave message on that port. You should use the Immediate-Leave feature only when there is a single receiver present on every port in the VLAN.
  • Page 326 Chapter 11 Configuring IGMP Snooping and MVR Displaying IGMP Snooping Information Table 11-4 Commands for Displaying IGMP Snooping Information Command Purpose show ip igmp snooping [vlan vlan-id] Display the snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN.
  • Page 327 Chapter 11 Configuring IGMP Snooping and MVR Displaying IGMP Snooping Information This is an example of output from the show ip igmp snooping privileged EXEC command for a specific VLAN interface: Switch# show ip igmp snooping vlan 1 vlan 1 ---------- IGMP snooping is globally enabled IGMP snooping is disabled on this Vlan...
  • Page 328: Understanding Multicast Vlan Registration

    Chapter 11 Configuring IGMP Snooping and MVR Understanding Multicast VLAN Registration Understanding Multicast VLAN Registration Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service provider network (for example, the broadcast of multiple television channels over a service-provider network).
  • Page 329 Enable the Immediate Leave feature only on receiver ports to which a single receiver device is connected. Figure 11-3 Multicast VLAN Registration Example (figure labels: multicast VLAN; Cisco router; multicast server; Catalyst 3550 switch ...)
  • Page 330: Configuring Mvr

    Chapter 11 Configuring IGMP Snooping and MVR Configuring MVR MVR eliminates the need to duplicate television-channel multicast traffic for subscribers in each VLAN. Multicast traffic for all channels is only sent around the VLAN trunk once—only on the multicast VLAN. Although the IGMP leave and join message in the VLAN to which the subscriber port is assigned.
  • Page 331: Default Mvr Configuration

    Chapter 11 Configuring IGMP Snooping and MVR, Configuring MVR
    Default MVR Configuration
    Table 11-5 shows the default MVR configuration.
    Table 11-5 Default MVR Configuration
    Feature / Default Setting
    MVR : Disabled globally and per interface
    Multicast addresses : None configured
    Query response time : 0.5 second
    Multicast VLAN : VLAN 1
    Mode...
  • Page 332: Configuring Mvr Interfaces

    Chapter 11 Configuring IGMP Snooping and MVR, Configuring MVR
    Command / Purpose
    Step 6: mvr mode {dynamic | compatible} : (Optional) Specify the MVR mode of operation:
    • dynamic—Allows dynamic MVR membership on source ports.
    • compatible—Is compatible with Catalyst 3500 XL and Catalyst 2900 XL switches and does not support IGMP dynamic joins on source ports.
  • Page 333 Chapter 11 Configuring IGMP Snooping and MVR, Configuring MVR
    Command / Purpose
    Step 4: mvr type {source | receiver} : Configure an MVR port as one of these:
    • source—Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN.
  • Page 334: Displaying Mvr Information

    Chapter 11 Configuring IGMP Snooping and MVR, Displaying MVR Information
    This is an example of output from the show mvr interface privileged EXEC command when the member keyword is included:
    Switch# show mvr interface gigabitethernet0/6 member
    239.255.0.0 DYNAMIC ACTIVE
    239.255.0.1 DYNAMIC ACTIVE
    239.255.0.2 DYNAMIC ACTIVE...
  • Page 335 Chapter 11 Configuring IGMP Snooping and MVR, Displaying MVR Information
    This is an example of output from the show mvr interface privileged EXEC command:
    Switch# show mvr interface
    Port   Type    Status      Immediate Leave
    ----   ----    -------     ---------------
    Gi0/1  SOURCE  ACTIVE/UP   DISABLED
    Gi0/2  SOURCE...
  • Page 336: Configuring Igmp Filtering

    Chapter 11 Configuring IGMP Snooping and MVR Configuring IGMP Filtering Configuring IGMP Filtering In some environments, for example metropolitan or multiple-dwelling unit (MDU) installations, an administrator might want to control the set of multicast groups to which a user on a switch port can belong.
  • Page 337 Chapter 11 Configuring IGMP Snooping and MVR, Configuring IGMP Filtering
    Beginning in privileged EXEC mode, follow these steps to create an IGMP profile:
    Command / Purpose
    Step 1: configure terminal : Enter global configuration mode.
    Step 2: ip igmp profile profile number : Enter IGMP profile configuration mode, and assign a number to the profile you are configuring.
  • Page 338: Applying Igmp Profiles

    Chapter 11 Configuring IGMP Snooping and MVR Configuring IGMP Filtering Applying IGMP Profiles To control access as defined in an IGMP profile, use the ip igmp filter interface configuration command to apply the profile to the appropriate interfaces. You can apply IGMP profiles to Layer 2 ports only; you cannot apply IGMP profiles to routed ports or SVIs.
  • Page 339: Setting The Maximum Number Of Igmp Groups

    Chapter 11 Configuring IGMP Snooping and MVR Configuring IGMP Filtering Setting the Maximum Number of IGMP Groups You can set the maximum number of IGMP groups that a Layer 2 interface can join. Use the no form of this command to set the maximum back to the default, which is no limit. This restriction can be applied to Layer 2 ports only;...
  • Page 340: Displaying Igmp Filtering Configuration

    Chapter 11 Configuring IGMP Snooping and MVR Displaying IGMP Filtering Configuration Displaying IGMP Filtering Configuration You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface. Beginning in privileged EXEC mode, use the commands in Table 11-8 to display IGMP filtering...
  • Page 341: Configuring Storm Control

    Chapter 12: Configuring Port-Based Traffic Control
    This chapter describes how to configure the port-based traffic control features on your switch.
    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.
  • Page 342 Chapter 12 Configuring Port-Based Traffic Control, Configuring Storm Control
    Note: When the rate of multicast traffic exceeds a set threshold, all incoming traffic (broadcast, multicast, and unicast) is dropped until the level drops below the threshold level. Only spanning-tree packets are forwarded.
  • Page 343: Chapter 12 Configuring Port-Based Traffic Control

    Chapter 12 Configuring Port-Based Traffic Control Configuring Storm Control Note Before IOS Release 12.1(8)EA1, you set up storm control threshold values by using the switchport broadcast, switchport multicast, and switchport unicast interface configuration commands. These commands are now obsolete, replaced by the storm-control interface configuration commands. Default Storm Control Configuration By default, unicast, broadcast, and multicast storm control is disabled on the switch: that is, the suppression level is 100 percent.
  • Page 344: Disabling Storm Control

    Chapter 12 Configuring Port-Based Traffic Control, Configuring Storm Control
    Command / Purpose
    Step 7: show storm-control [interface-id] [broadcast | multicast | unicast] : Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed.
  • Page 345: Configuring Protected Ports

    Chapter 12 Configuring Port-Based Traffic Control Configuring Protected Ports Configuring Protected Ports Some applications require that no traffic be forwarded between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.
  • Page 346: Configuring Port Blocking

    Chapter 12 Configuring Port-Based Traffic Control, Configuring Port Blocking
    This example shows how to configure Gigabit Ethernet interface 0/3 as a protected port and verify the configuration:
    Switch# configure terminal
    Switch(config)# interface gigabitethernet0/3
    Switch(config-if)# switchport protected
    Switch(config-if)# end
    Switch# show interfaces gigabitethernet0/3 switchport
    Name: Gi0/3
    Switchport: Enabled
    <output truncated>...
  • Page 347: Resuming Normal Forwarding On A Port

    Chapter 12 Configuring Port-Based Traffic Control, Configuring Port Blocking
    To return the interface to the default condition where no traffic is blocked, use the no switchport block {multicast | unicast} interface configuration commands.
    This example shows how to block unicast and multicast flooding on Gigabit Ethernet interface 0/1 and verify the configuration:
    Switch# configure terminal
    Switch(config)# interface gigabitethernet0/1...
  • Page 348: Configuring Port Security

    Chapter 12 Configuring Port-Based Traffic Control Configuring Port Security Configuring Port Security You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.
  • Page 349: Default Port Security Configuration

    Chapter 12 Configuring Port-Based Traffic Control, Configuring Port Security
    Default Port Security Configuration
    Table 12-1 shows the default port security configuration for an interface.
    Table 12-1 Default IGMP Snooping Configuration
    Feature / Default Setting
    Port security : Disabled on a port
    Maximum number of secure MAC addresses :
    Violation mode : Shutdown.
  • Page 350 Chapter 12 Configuring Port-Based Traffic Control, Configuring Port Security
    Command / Purpose
    Step 6: switchport port-security violation {protect | restrict | shutdown} : (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these: •...
  • Page 351: Displaying Port-Based Traffic Control Settings

    Chapter 12 Configuring Port-Based Traffic Control, Displaying Port-Based Traffic Control Settings
    This example shows how to configure a secure MAC address on Fast Ethernet port 12 and verify the configuration.
    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# interface fastethernet0/12
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport port-security...
  • Page 352 Chapter 12 Configuring Port-Based Traffic Control, Displaying Port-Based Traffic Control Settings
    This is an example of output from the show interfaces switchport privileged EXEC command:
    Switch# show interfaces gigabitethernet0/1 switchport
    Name: Gi0/1
    Switchport: Enabled
    Administrative Mode: dynamic desirable
    Operational Mode: static access
    Administrative Trunking Encapsulation: negotiate
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: On...
  • Page 353 Chapter 12 Configuring Port-Based Traffic Control, Displaying Port-Based Traffic Control Settings
    This is an example of output from the show storm-control command when no keywords are entered. Because no traffic type keyword was entered, the broadcast storm control settings are displayed.
    Switch# show storm-control
    Interface  Filter State...
  • Page 355: Chapter 13 Configuring Cdp

    • Understanding CDP CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 356: Default Cdp Configuration

    Chapter 13 Configuring CDP, Configuring CDP
    Configuring CDP
    These sections include CDP configuration information and procedures:
    • Default CDP Configuration, page 13-2
    • Configuring the CDP Characteristics, page 13-2
    • Disabling and Enabling CDP, page 13-3
    • Disabling and Enabling CDP on an Interface, page 13-4
    •...
  • Page 357: Disabling And Enabling Cdp

    Chapter 13 Configuring CDP, Configuring CDP
    Command / Purpose
    Step 6: show cdp : Verify configuration by displaying global information about CDP on the device.
    Step 7: copy running-config startup-config : (Optional) Save your entries in the configuration file.
    Use the no form of the CDP commands to return to the default settings.
    This example shows how to configure and verify CDP characteristics.
  • Page 358: Disabling And Enabling Cdp On An Interface

    Chapter 13 Configuring CDP, Configuring CDP
    This example shows how to enable CDP if it has been disabled.
    Switch# configure terminal
    Switch(config)# cdp run
    Switch(config)# end
    Disabling and Enabling CDP on an Interface
    CDP is enabled by default on all supported interfaces to send and receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface:
    Command / Purpose...
  • Page 359: Monitoring And Maintaining Cdp

    Chapter 13 Configuring CDP, Monitoring and Maintaining CDP
    Monitoring and Maintaining CDP
    To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.
    Command / Description
    clear cdp counters : Reset the traffic counters to zero.
    clear cdp table : Delete the CDP table of information about neighbors.
  • Page 360
    Version :
    Cisco Internetwork Operating System Software
    IOS (tm) C3550 Software (C3550-I5Q3L2-M), Experimental Version 12.1(20010612:021316) [jang-flamingo 120]
    Copyright (c) 1986-2001 by cisco Systems, Inc.
    Compiled Fri 06-Jul-01 18:18 by jang
    advertisement version: 2
    Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=0000000...
  • Page 361 Chapter 13 Configuring CDP, Monitoring and Maintaining CDP
    Switch# show cdp interface
    GigabitEthernet0/1 is up, line protocol is up
      Encapsulation ARPA
      Sending CDP packets every 60 seconds
      Holdtime is 180 seconds
    GigabitEthernet0/2 is up, line protocol is down
      Encapsulation ARPA
      Sending CDP packets every 60 seconds
      Holdtime is 180 seconds
    GigabitEthernet0/3 is administratively down, line protocol is down...
  • Page 363: Chapter 14 Configuring Udld

    Chapter 14: Configuring UDLD
    This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on your switch.
    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.
  • Page 364 Chapter 14 Configuring UDLD Understanding UDLD UDLD operates by using two mechanisms: • Neighbor database maintenance UDLD learns about other UDLD-capable neighbors by periodically sending a hello packet (also called an advertisement or probe) on every active interface to keep each device informed about its neighbors.
  • Page 365: Configuring Udld

    Chapter 14 Configuring UDLD, Configuring UDLD
    Configuring UDLD
    This section describes how to configure UDLD on your switch. It contains this configuration information:
    • Default UDLD Configuration, page 14-3
    • Enabling UDLD Globally, page 14-3
    • Enabling UDLD on an Interface, page 14-4
    •...
  • Page 366: Enabling Udld On An Interface

    Chapter 14 Configuring UDLD Configuring UDLD To disable UDLD globally on fiber-optic interfaces, use the no udld enable global configuration command. Enabling UDLD on an Interface Beginning in privileged EXEC mode, follow these steps to enable UDLD on an interface: Command Purpose Step 1...
  • Page 367: Displaying Udld Status

    Chapter 14 Configuring UDLD, Displaying UDLD Status
    Displaying UDLD Status
    To display the UDLD status for the specified interface or for all interfaces, use the show udld [interface-id] privileged EXEC command.
  • Page 369: Chapter 15 Configuring Span

    Chapter 15: Configuring SPAN
    This chapter describes how to configure Switch Port Analyzer (SPAN) on your switch.
    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.
    This chapter consists of these sections:
    • Understanding SPAN, page 15-1
    •...
  • Page 370: Span Concepts And Terminology

    Chapter 15 Configuring SPAN, Understanding SPAN
    Figure 15-1 Example SPAN Configuration (figure: a switch with ports 1 through 12; port 5 traffic is mirrored on port 10, where a network analyzer is attached)
    Only traffic that enters or leaves source ports or traffic that enters source VLANs can be monitored by using SPAN;...
  • Page 371: Traffic Types

    Chapter 15 Configuring SPAN Understanding SPAN You can configure SPAN sessions on disabled ports; however, a SPAN session does not become active unless you enable the destination port and at least one source port or VLAN for that session. The show monitor session session_number privileged EXEC command displays the operational status of a SPAN session.
  • Page 372: Source Port

    Chapter 15 Configuring SPAN Understanding SPAN Source Port A source port (also called a monitored port) is a switched or routed port that you monitor for network traffic analysis. In a single SPAN session, you can monitor source port traffic such as received (Rx), transmitted (Tx), or bidirectional (both);...
  • Page 373: Vlan-Based Span

    • Cisco Discovery Protocol (CDP)—A SPAN destination port does not participate in CDP while the SPAN session is active. After the SPAN session is disabled, the port again participates in CDP.
  • Page 374: Configuring Span

    Chapter 15 Configuring SPAN Configuring SPAN • VLAN and trunking—You can modify VLAN membership or trunk settings for source and destination ports at any time. However, changes in VLAN membership or trunk settings for a destination port do not take effect until you disable the SPAN session. Changes in VLAN membership or trunk settings for a source port immediately take effect, and the respective SPAN sessions automatically adjust accordingly.
  • Page 375: Default Span Configuration

    Chapter 15 Configuring SPAN, Configuring SPAN
    Default SPAN Configuration
    Table 15-1 shows the default SPAN configuration. This release supports only local SPAN; remote SPAN (RSPAN) is not supported.
    Table 15-1 Default SPAN Configuration
    Feature / Default Setting
    SPAN state : Disabled
    Source port traffic to monitor : Both received and sent traffic (both)
    Note: Only received traffic can be monitored on source...
  • Page 376: Creating A Span Session And Specifying Ports To Monitor

    Chapter 15 Configuring SPAN Configuring SPAN • The no monitor session session_number global configuration command removes a source or destination port from the SPAN session or removes a source VLAN from the SPAN session. If you do not specify any options following the no monitor session session_number command, the entire SPAN session is removed.
  • Page 377 Chapter 15 Configuring SPAN, Configuring SPAN
    Command / Purpose
    Step 4: monitor session session_number destination interface interface-id [encapsulation {dot1q | isl}] : Specify the SPAN session and the destination port (monitoring port). For session_number, specify 1 or 2. For interface-id, specify the destination port. Valid interfaces include physical interfaces.
  • Page 378: Removing Ports From A Span Session

    Chapter 15 Configuring SPAN, Configuring SPAN
    Removing Ports from a SPAN Session
    Beginning in privileged EXEC mode, follow these steps to remove a port as a SPAN source for a session:
    Command / Purpose
    Step 1: configure terminal : Enter global configuration mode.
    Step 2: no monitor session session_number source : Specify the characteristics of the source port (monitored port) and...
  • Page 379: Specifying Vlans To Monitor

    Chapter 15 Configuring SPAN, Configuring SPAN
    This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional monitoring:
    Switch(config)# no monitor session 1 source interface gigabitethernet0/1 rx
    The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored.
  • Page 380: Specifying Vlans To Filter

    Chapter 15 Configuring SPAN Configuring SPAN This example shows how to clear any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination port 7.
  • Page 381: Displaying Span Status

    Chapter 15 Configuring SPAN, Displaying SPAN Status
    Command / Purpose
    Step 7: show monitor [session session_number] : Verify your entries.
    Step 8: copy running-config startup-config : (Optional) Save your entries in the configuration file.
    To monitor all VLANs on the trunk port, use the no monitor session session_number filter global configuration command.
  • Page 383: Chapter 16 Configuring Rmon

    Configuring RMON
    This chapter describes how to configure Remote Network Monitoring (RMON) on your switch.
    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
  • Page 384: Configuring Rmon

    Chapter 16 Configuring RMON, Configuring RMON
    Figure 16-1 Remote Monitoring Example (figure: a network management station with a generic RMON console application; a Catalyst 3550 switch with RMON alarms and events configured, SNMP configured, and RMON history and statistic collection enabled; a Catalyst 3500 series XL switch and a Catalyst 3550 switch, each with attached workstations)...
  • Page 385: Default Rmon Configuration

    Chapter 16 Configuring RMON Configuring RMON Default RMON Configuration RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch. Configuring RMON Alarms and Events You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station.
  • Page 386 Chapter 16 Configuring RMON, Configuring RMON
    Command / Purpose
    Step 3: rmon event number [log] [trap community] [description string] [owner string] : Add an event in the RMON event table that is associated with an RMON event number.
    • For number, assign an event number. The range is 1 to 65535.
  • Page 387: Configuring Rmon Collection On An Interface

    Chapter 16 Configuring RMON Configuring RMON Configuring RMON Collection on an Interface You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface: Command Purpose Step 1...
  • Page 388: Displaying Rmon Status

    Chapter 16 Configuring RMON, Displaying RMON Status
    Command / Purpose
    Step 6: show rmon statistics : Display the contents of the switch statistics table.
    Step 7: copy running-config startup-config : (Optional) Save your entries in the configuration file.
    To disable the collection of group Ethernet statistics, use the no rmon collection stats index interface configuration command.
  • Page 389: Chapter 17 Configuring System Message Logging

    Configuring System Message Logging
    This chapter describes how to configure system message logging on your switch.
    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
  • Page 390: System Log Message Format

    Chapter 17 Configuring System Message Logging, Configuring System Message Logging
    Configuring System Message Logging
    This section describes how to configure system message logging. It contains this configuration information:
    • System Log Message Format, page 17-2
    • Default System Message Logging Configuration, page 17-3
    • Disabling and Enabling Message Logging, page 17-4
    •...
  • Page 391: Default System Message Logging Configuration

    Chapter 17 Configuring System Message Logging, Configuring System Message Logging
    Table 17-1 System Log Message Elements (continued)
    Element / Description
    MNEMONIC : Text string that uniquely describes the message.
    description : Text string containing detailed information about the event being reported.
    This example shows a partial switch system message:
    00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
    00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
    00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up...
  • Page 392: Disabling And Enabling Message Logging

    Chapter 17 Configuring System Message Logging Configuring System Message Logging Disabling and Enabling Message Logging Message logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.
  • Page 393 Chapter 17 Configuring System Message Logging, Configuring System Message Logging
    Command / Purpose
    Step 3: logging host : Log messages to a UNIX syslog server host. For host, specify the name or IP address of the host to be used as the syslog server.
  • Page 394: Synchronizing Log Messages

    Chapter 17 Configuring System Message Logging Configuring System Message Logging Synchronizing Log Messages You can configure the system to synchronize unsolicited messages and debug privileged EXEC command output with solicited device output and prompts for a specific console port line or virtual terminal line.
  • Page 395: Enabling And Disabling Timestamps On Log Messages

    Chapter 17 Configuring System Message Logging, Configuring System Message Logging
    Command / Purpose
    Step 5: show running-config : Verify your entries.
    Step 6: copy running-config startup-config : (Optional) Save your entries in the configuration file.
    To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.
  • Page 396: Enabling And Disabling Sequence Numbers In Log Messages

    Chapter 17 Configuring System Message Logging Configuring System Message Logging Enabling and Disabling Sequence Numbers in Log Messages Because there is a chance that more than one log message can have the same timestamp, you can display messages with sequence numbers so that you can unambiguously refer to a single message. By default, sequence numbers in log messages are not displayed.
  • Page 397 Chapter 17 Configuring System Message Logging, Configuring System Message Logging
    Command / Purpose
    Step 6: show running-config, show logging : Verify your entries.
    Step 7: copy running-config startup-config : (Optional) Save your entries in the configuration file.
    Note: Specifying a level causes messages at that level and numerically lower levels to be displayed at the destination.
  • Page 398: Limiting Syslog Messages Sent To The History Table And To Snmp

    Chapter 17 Configuring System Message Logging Configuring System Message Logging Limiting Syslog Messages Sent to the History Table and to SNMP If you have enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table.
  • Page 399: Logging Messages To A Unix Syslog Daemon

    Step 1: Add a line such as the following to the file /etc/syslog.conf:
    local7.debug /usr/adm/logs/cisco.log
    The local7 keyword specifies the logging facility to be used; see Table 17-4 on page 17-12 for information on the facilities. The debug keyword specifies the syslog level; see Table 17-3 on page 17-9 for information on the severity levels.
  • Page 400: Displaying The Logging Configuration

    To display the current logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
  • Page 401: Understanding Snmp

    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
    This chapter consists of these sections:
    • Understanding SNMP, page 18-1
    •...
  • Page 402: Chapter 18 Configuring Snmp

    Chapter 18 Configuring SNMP, Understanding SNMP
    SNMP Versions
    This software release supports these SNMP versions:
    • SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.
    • SNMPv2C, which has these features:
      – SNMPv2—Version 2 of the Simple Network Management Protocol, a Draft Internet Standard, defined in RFCs 1902 through 1907.
  • Page 403: Snmp Agent Functions

    Chapter 18 Configuring SNMP Understanding SNMP SNMP Agent Functions The SNMP agent responds to SNMP manager requests as follows: • Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value.
  • Page 404: Configuring Snmp

    Chapter 18 Configuring SNMP, Configuring SNMP
    Figure 18-1 SNMP Network (figure: the SNMP Manager sends Get-request, Get-next-request, Get-bulk and Set-request messages to the SNMP Agent on a network device; the agent returns Get-response messages and traps)
    For information on supported MIBs and how to access them, see Appendix A, “Supported MIBs.”
    Configuring SNMP
    This section describes how to configure SNMP on your switch. It contains this configuration information:
    • Default SNMP Configuration, page 18-4
    •...
  • Page 405: Disabling The Snmp Agent

    Chapter 18 Configuring SNMP, Configuring SNMP
    Disabling the SNMP Agent
    Beginning in privileged EXEC mode, follow these steps to disable the SNMP agent:
    Command / Purpose
    Step 1: configure terminal : Enter global configuration mode.
    Step 2: no snmp-server : Disable the SNMP agent operation.
    Step 3: Return to privileged EXEC mode.
  • Page 406 Chapter 18 Configuring SNMP, Configuring SNMP
    Command / Purpose
    Step 3: access-list access-list-number {deny | permit} source [source-wildcard] : (Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary.
  • Page 407: Configuring Trap Managers And Enabling Traps

    ... : Generates a trap for the SNMP Response Time Reporter (RTR).
    SNMP : Generates a trap for SNMP-type notifications.
    ... : Sends Cisco enterprise-specific notifications when a Transmission Control Protocol (TCP) connection closes.
    UDP-port : Sends notification of the User Datagram Protocol (UDP) port number of the host.
  • Page 408 Chapter 18 Configuring SNMP, Configuring SNMP
    Beginning in privileged EXEC mode, follow these steps to configure the switch to send traps to a host:
    Command / Purpose
    Step 1: configure terminal : Enter global configuration mode.
    Step 2: snmp-server host host-addr {traps | informs} {version {1... : Specify the recipient of the trap message.
  • Page 409: Setting The Agent Contact And Location Information

    Chapter 18 Configuring SNMP Configuring SNMP Setting the Agent Contact and Location Information Beginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file: Command Purpose Step 1...
  • Page 410: Snmp Examples

    Switch(config)# snmp-server enable traps entity
    Switch(config)# snmp-server host cisco.com restricted entity
    This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public:
    Switch(config)# snmp-server enable traps
    Switch(config)# snmp-server host myhost.cisco.com public...
  • Page 411: Chapter 19 Configuring Network Security With Acls

    Note Catalyst 3550 Multilayer Switch Command Reference for this release and the “Configuring IP Services” section of the Cisco IOS IP and IP Routing Configuration Guide and the Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1.
  • Page 412: Supported Acls

    Chapter 19 Configuring Network Security with ACLs Understanding ACLs Switches traditionally operate at Layer 2 only, switching traffic within a VLAN, whereas routers route traffic between VLANs. The Catalyst 3550 switch with the enhanced multilayer software image installed can accelerate packet routing between VLANs by using Layer 3 switching. The switch bridges the packet, the packet is then routed internally without going to an external router, and then the packet is bridged again to send it to its destination.
  • Page 413: Vlan Maps

    Chapter 19 Configuring Network Security with ACLs Understanding ACLs One ACL can be used with multiple features for a given interface, and one feature can use multiple ACLs. When a single router ACL is used by multiple features, it is examined multiple times. •...
  • Page 414: Handling Fragmented And Unfragmented Traffic

    Chapter 19 Configuring Network Security with ACLs Understanding ACLs With VLAN maps, forwarding of packets is permitted or denied, based on the action specified in the map. Figure 19-2 illustrates how a VLAN map is applied to deny a specific type of traffic from Host A in VLAN 10 from being forwarded.
  • Page 415: Configuring Router Acls

    Cisco routers. The process is briefly described here. For more detailed information on configuring router ACLs, refer to the “Configuring IP Services” chapter in the Cisco IP and IP Routing Configuration Guide for IOS Release 12.1. For detailed information about the commands, refer to Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1.
  • Page 416: Unsupported Features

    Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs These factors can cause packets to be sent to the CPU: • Using the log keyword • Enabling ICMP unreachables • Hardware reaching its capacity to store ACL configurations If ACLs cause large numbers of packets to be sent to the CPU, the switch performance can be negatively affected.
  • Page 417: Access List Numbers

    Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs These are the steps to use ACLs: Step 1 Create an ACL by specifying an access list number or name and access conditions. Step 2 Apply the ACL to interfaces or terminal lines. You can also apply standard and extended IP ACLs to VLAN maps.
  • Page 418: Creating A Numbered Standard Acl

    Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs Table 19-1 Access List Numbers (continued) Access List Number Type Supported 1300–1999 IP standard access list (expanded range) 2000–2699 IP extended access list (expanded range) Note In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs using the supported numbers.
  • Page 419: Creating A Numbered Extended Acl

    Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs Note When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny statement for all packets that it did not find a match for before reaching the end. With standard access lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be the mask.
  • Page 420 2. ICMP echo-reply cannot be filtered. All other ICMP codes or types can be filtered. 3. No support for type of service (TOS) minimize monetary cost bit. For more details on the specific keywords relative to each protocol, refer to Cisco IP and IP Routing Command Reference for IOS Release 12.1.
  • Page 421 Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs Beginning in privileged EXEC mode, follow these steps to create an extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2a access-list access-list-number Define an extended IP access list and the access conditions. {deny | permit} protocol The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.
  • Page 422 TCP port. To see TCP port names, use the ? or refer to “Configuring IP Services” section of Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1. Use only TCP port numbers or names when filtering TCP.
  • Page 423 ICMP message type and code name. To see a list of ICMP message type names and ICMP message type and code names, use the ? or refer to the “Configuring IP Services” section of Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1.
  • Page 424: Creating Named Standard And Extended Acls

    Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs Creating Named Standard and Extended ACLs You can identify IP ACLs with an alphanumeric string (a name) rather than a number. You can use named ACLs to configure more IP access lists in a router than if you were to use numbered access lists. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different.
  • Page 425: Applying Time Ranges To Acls

    Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs Beginning in privileged EXEC mode, follow these steps to create an extended ACL using names: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip access-list extended name Define an extended IP access list using a name and enter access-list configuration mode.
  • Page 426 Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs and argument are referenced in the named and numbered extended ACL task tables in the previous sections, the “Creating Standard and Extended IP ACLs” section on page 19-6, and the “Creating Named Standard and Extended ACLs”...
  • Page 427 Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs Switch(config-time-range)# exit Switch(config)# time-range thanksgiving_2000 Switch(config-time-range)# absolute start 00:00 22 Nov 2000 end 23:59 23 Nov 2000 Switch(config-time-range)# exit Switch(config)# time-range christmas_2000 Switch(config-time-range)# absolute start 00:00 24 Dec 2000 end 23:50 25 Dec 2000 Switch(config-time-range)# end Switch# show time-range time-range entry: christmas_2000 (inactive)
  • Page 428: Including Comments About Entries In Acls

    Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs Including Comments About Entries in ACLs You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.
  • Page 429 Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 430: Displaying Acls And Access Groups

    Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs Note The ip access-group interface configuration command is only valid when applied to a Layer 3 interface: an SVI, a Layer 3 EtherChannel, or a routed port. The interface must have been configured with an IP address.
  • Page 431 Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs This is an example of output from the show access-lists privileged EXEC command, displaying all standard and extended ACLs: Switch# show access-lists Standard IP access list 1 permit 172.20.10.10 Standard IP access list 10 permit 12.12.12.12 Standard IP access list 12 deny...
  • Page 432: Acl Configuration Examples

    ACL Configuration Examples This section provides examples of configuring ACLs. For detailed information about compiling ACLs, refer to the Security Configuration Guide and the “IP Services” chapter of the Cisco IOS IP and IP Routing Configuration Guide for IOS Release 12.1.
  • Page 433 Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs [Figure 19-3 Using Router ACLs to Control Traffic: Server A (Benefits) on port 0/2 and Server B (Payroll) on port 0/3 of a Catalyst 3550 switch with enhanced multilayer software image; Human Resources 172.20.128.0-31; Accounting 172.20.128.64-95.] This example uses a standard ACL to filter traffic coming into Server B from port 0/3, permitting traffic only from Accounting’s source addresses 172.20.128.64 to 172.20.128.95.
  • Page 434: Numbered Acls

    Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs Numbered ACLs In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host.
  • Page 435: Time Range Applied To An Ip Acl

    Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits any ICMP traffic, denies UDP traffic from any source to the destination address range 171.69.0.0 through 179.69.255.255 with a destination port less than 1024, denies any other IP traffic, and provides a log of the result.
  • Page 436: Acl Logging

    Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs In this example of a named ACL, the Jones subnet is not allowed access: Switch(config)# ip access-list standard prevention Switch(config-std-nacl)# remark Do not allow Jones subnet through Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.255 In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet: Switch(config)# ip access-list extended telnetting Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out...
  • Page 437: Configuring Vlan Maps

    Chapter 19 Configuring Network Security with ACLs Configuring VLAN Maps This is an example of a log for an extended ACL: 01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet 01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets 01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) ->...
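The log lines above are what a defender actually gets to work with when the `log` keyword is on an ACE, so they are worth parsing rather than reading by eye. The following is an added example, not code from the Catalyst 3550 guide: a parser for the `%SEC-6-IPACCESSLOGDP` (ICMP, with type/code) and `%SEC-6-IPACCESSLOGP` (TCP/UDP, with ports) line forms, plus a roll-up of denied packet counts per ACL and source address. The first two sample lines are the ones printed in the guide; the remaining lines are constructed here (the page's third line is truncated, so a complete LOGP line is made up to show the port fields).

```python
"""Added example (not from the Catalyst 3550 guide): parse the
%SEC-6-IPACCESSLOG* syslog lines produced by the ACL 'log' keyword and
aggregate denied traffic per (ACL, source) so repeat offenders stand out.

The first two SAMPLE_LOG lines are the ones shown in the guide; the others
are constructed for this example. Note the packet count at the end of each
line: the switch reports an aggregate count, not one line per packet.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = [
    "01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet",
    "01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets",
    # constructed lines (not from the guide)
    "01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 10.1.1.20(3421) -> 10.1.1.61(53), 3 packets",
    "01:31:40:%SEC-6-IPACCESSLOGP:list ext1 denied udp 10.1.1.20(3422) -> 10.1.1.61(53), 12 packets",
    "01:33:05:%SEC-6-IPACCESSLOGP:list ext1 denied tcp 10.1.1.77(40111) -> 10.1.1.61(23), 1 packet",
    "01:33:06:%SYS-5-CONFIG_I:Configured from console by vty0",  # unrelated, must be ignored
]

LOG_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d):%SEC-6-(?P<mnemonic>IPACCESSLOG\w*):"
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?, (?P<count>\d+) packets?$"
)


def parse_acl_log(line: str) -> Optional[Dict]:
    """Return a dict of fields for an ACL log line, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "icmp_type", "icmp_code", "count"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def denied_by_source(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Sum the reported packet counts of denied entries per (ACL name, source IP)."""
    totals: Counter = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            totals[(rec["acl"], rec["src"])] += rec["count"]
    return dict(totals)


def noisy_sources(lines: List[str], threshold: int = 10) -> List[str]:
    """Sources whose denied packet total reaches the threshold (constructed cut-off)."""
    return sorted(src for (_acl, src), n in denied_by_source(lines).items() if n >= threshold)
```

Because the switch sends logged packets to the CPU (see the note on page 416), the summarised counts are also a useful proxy for how much load a logging ACE is generating; a source that keeps tripping a `deny ... log` entry is both a security signal and a CPU-usage signal.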
  • Page 438: Vlan Map Configuration Guidelines

    Chapter 19 Configuring Network Security with ACLs Configuring VLAN Maps Step 4 Use the vlan filter global configuration command to apply a VLAN map to one or more VLANs. This section contains these topics: VLAN Map Configuration Guidelines, page 19-28 •...
  • Page 439 Chapter 19 Configuring Network Security with ACLs Configuring VLAN Maps Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac access-list extended name Define an extended MAC access list using a name.
  • Page 440: Creating A Vlan Map

    Chapter 19 Configuring Network Security with ACLs Configuring VLAN Maps Creating a VLAN Map Each VLAN map consists of an ordered series of entries. Beginning in privileged EXEC mode, follow these steps to create, add to, or delete a VLAN map entry: Command Purpose Step 1...
  • Page 441 Chapter 19 Configuring Network Security with ACLs Configuring VLAN Maps This example shows how to create a VLAN map to permit a packet. ACL ip2 permits UDP packets and any packets that match the ip2 ACL are forwarded. Switch(config)# ip access-list extended ip2 Switch(config-ext-nacl)# permit udp any any Switch(config-ext-nacl)# exit Switch(config)# vlan access-map map_1 20...
  • Page 442: Applying A Vlan Map To A Vlan

    Chapter 19 Configuring Network Security with ACLs Configuring VLAN Maps Switch(config)# mac access-list extended good-hosts Switch(config-ext-macl)# permit host 0000.0c00.0111 any Switch(config-ext-macl)# permit host 0000.0c00.0211 any Switch(config-ext-macl)# exit Switch(config)# mac access-list extended good-protocols Switch(config-ext-macl)# permit any any decnet-ip Switch(config-ext-macl)# permit any any vines-ip Switch(config-ext-macl)# exit Switch(config)# vlan access-map drop-mac-default 10 Switch(config-access-map)# match mac address good-hosts...
  • Page 443: Displaying Vlan Map Information

    Chapter 19 Configuring Network Security with ACLs Configuring VLAN Maps Displaying VLAN Map Information You can display information about VLAN access maps or VLAN filters. Use the privileged EXEC commands in Table 19-4 to display VLAN map information. Table 19-4 Commands for Displaying VLAN Map Information Command Purpose show vlan access-map [mapname]...
  • Page 444: Wiring Closet Configuration

    Chapter 19 Configuring Network Security with ACLs Configuring VLAN Maps Wiring Closet Configuration In a wiring closet configuration, the Catalyst 3550 switch might not be running the enhanced multilayer software image. In this configuration, the switch can still support a VLAN map and a QoS classification ACL.
  • Page 445: Denying Access To A Server On Another Vlan

    Chapter 19 Configuring Network Security with ACLs Configuring VLAN Maps Then, apply VLAN access map map2 to VLAN 1. Switch(config)# vlan filter map2 vlan 1 Denying Access to a Server on Another VLAN You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs to have access restricted as follows (see Figure 19-5):...
  • Page 446: Using Vlan Maps With Router Acls

    Chapter 19 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs Using VLAN Maps with Router ACLs To apply access control to both bridged and routed traffic, you can use VLAN maps only or a combination of router ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN interfaces, and you can define a VLAN map to control the bridged traffic.
  • Page 447: Determining If The Acl Configuration Fits In Hardware

    Chapter 19 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs • Avoid including Layer 4 information in an ACL; adding this information complicates the merging process. The best merge results are obtained if the ACLs are filtered based on IP addresses (source and destination) and not on the full flow (source IP address, destination IP address, protocol, and protocol ports).
  • Page 448 Chapter 19 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs This output from the show fm label privileged EXEC command shows a merge failure on an input access group: Switch# show fm label 1 Unloaded due to merge failure or lack of space: InputAccessGroup Merge Fail:input Input Features:...
  • Page 449: Examples Of Router Acls And Vlan Maps Applied To Vlans

    Chapter 19 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs Note When configuring ACLs on the switch, to allocate maximum hardware resources for ACLs, you can use the sdm prefer access global configuration command to set the Switch Database Management feature to the access template.
  • Page 450: Acls And Bridged Packets

    Chapter 19 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs ACLs and Bridged Packets Figure 19-7 shows how an ACL is applied on fallback-bridged packets. For bridged packets, only Layer 2 ACLs are applied to the input VLAN. Only non-IP, non-ARP packets can be fallback-bridged. Figure 19-7 Applying ACLs on Bridged Packets Catalyst 3550 switch with enhanced...
  • Page 451: Acls And Routed Packets

    Chapter 19 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs ACLs and Routed Packets Figure 19-8 shows how ACLs are applied on routed packets. For routed packets, the ACLs are applied in this order: (1) VLAN map for the input VLAN, (2) input router ACL, (3) output router ACL, (4) VLAN map for the output VLAN...
  • Page 452: Acls And Multicast Packets

    Chapter 19 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs ACLs and Multicast Packets Figure 19-9 shows how ACLs are applied on packets that are replicated for IP multicasting. A multicast packet being routed has two different kinds of filters applied: one for destinations that are other ports in the input VLAN and another for each of the destinations that are in other VLANs to which the packet has been routed.
  • Page 453: Chapter 20 Configuring Qos

    Chapter 20 Configuring QoS This chapter describes how to configure quality of service (QoS) on your switch. With this feature, you can provide preferential treatment to certain traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size.
  • Page 454 Chapter 20 Configuring QoS Understanding QoS type of service (TOS) field to carry the classification (class) information. Classification can also be carried in the Layer 2 frame. These special bits in the Layer 2 frame or a Layer 3 packet are described here and shown in Figure 20-1:...
  • Page 455: Basic Qos Model

    Chapter 20 Configuring QoS Understanding QoS All switches and routers that access the Internet rely on the class information to provide the same forwarding treatment to packets with the same class information and different treatment to packets with different class information. The class information in the packet can be assigned by end hosts or by switches or routers along the way, based on a configured policy, detailed examination of the packet, or both.
  • Page 456: Classification

    Chapter 20 Configuring QoS Understanding QoS [Figure 20-2 Basic QoS Model: actions at ingress are Classification (inspect packet and determine the DSCP), Policing (compare DSCP to the configured policer; packet is in profile or out of profile) and Mark (generate DSCP based on whether the packet is in or out of profile); the action at egress is Queueing and scheduling (based on the CoS)...]
  • Page 457 Chapter 20 Configuring QoS Understanding QoS For IP traffic, you have these classification options as shown in Figure 20-3: • Trust the IP DSCP in the incoming packet (configure the port to trust DSCP), and assign the same DSCP to the packet for internal use. The IETF defines the 6 most-significant bits of the 1-byte Type of Service (ToS) field as the DSCP.
  • Page 458 Chapter 20 Configuring QoS Understanding QoS [Figure 20-3 Classification Flowchart: Start; read ingress interface configuration for classification; branches for Trust CoS (IP and non-IP traffic), Trust DSCP (IP traffic), Trust IP precedence (IP traffic) and use port default (non-IP traffic); Trust DSCP assigns a DSCP identical to the DSCP in the packet.]
  • Page 459: Classification Based On Qos Acls

    Chapter 20 Configuring QoS Understanding QoS Classification Based on QoS ACLs You can use IP standard, IP extended, and Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs: •...
  • Page 460: Policing And Marking

    Chapter 20 Configuring QoS Understanding QoS The policy map can also contain commands that define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded. For more information, see the “Policing and Marking”...
  • Page 461 Chapter 20 Configuring QoS Understanding QoS You configure the bucket depth (the maximum burst that is tolerated before the bucket overflows) by using the burst-byte option of the police policy-map class configuration command or the mls qos aggregate-policer global configuration command. You configure how quickly (the average rate) the tokens are removed from the bucket by using the rate-bps option of the police policy-map class configuration command or the mls qos aggregate-policer global configuration command.
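The bucket model in the paragraph above is simple enough to simulate, which is the quickest way to see how `rate-bps` and `burst-byte` interact and what the two exceed actions do to a flow. The following is an added example, not code from the Catalyst 3550 guide: a Python token-bucket policer written to the description here (each packet adds its byte length to the bucket, the bucket drains at the configured rate, and a packet that would push the bucket past `burst-byte` is out of profile) with the `drop` and `policed-dscp-transmit` exceed actions; the mark-down table follows the policed-DSCP map described later in this chapter, whose default is a null map. The rate, burst, mark-down map and packet trace are constructed values, and charging the bucket only for in-profile packets is a modelling assumption of this example.

```python
"""Added example (not from the Catalyst 3550 guide): a token-bucket policer
modelled on the description in this section.

- rate_bps   : average rate at which the bucket drains (rate-bps)
- burst_bytes: bucket depth, the largest burst tolerated (burst-byte)
- exceed_action: "drop" or "policed-dscp-transmit"; the latter marks the
  packet down through policed_dscp_map (default: null map, DSCP unchanged)
Out-of-profile packets do not charge the bucket (assumption of this model).
All numbers below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Policer:
    rate_bps: int
    burst_bytes: int
    exceed_action: str = "drop"
    policed_dscp_map: Dict[int, int] = field(default_factory=dict)
    level: float = 0.0      # current bucket fill in bytes
    last: float = 0.0       # time (seconds) of the previous packet

    def _drain(self, now: float) -> None:
        """Remove tokens at rate_bps (bits/s -> bytes/s) for the elapsed time."""
        elapsed = max(0.0, now - self.last)
        self.level = max(0.0, self.level - elapsed * self.rate_bps / 8)
        self.last = now

    def offer(self, now: float, length: int, dscp: int) -> Tuple[bool, Optional[int]]:
        """Return (in_profile, dscp_to_transmit); DSCP is None when dropped."""
        self._drain(now)
        if self.level + length <= self.burst_bytes:
            self.level += length            # in profile: bucket absorbs the packet
            return True, dscp
        if self.exceed_action == "drop":    # out of profile: apply exceed-action
            return False, None
        return False, self.policed_dscp_map.get(dscp, dscp)


def run_trace(policer: Policer, trace: List[Tuple[float, int, int]]):
    """Feed (time_s, length_bytes, dscp) packets through the policer in order."""
    return [policer.offer(t, length, dscp) for (t, length, dscp) in trace]


# Constructed trace: 1000-byte packets at t=0,0,0,1.0,1.5 s, all marked DSCP 46.
TRACE = [(0.0, 1000, 46), (0.0, 1000, 46), (0.0, 1000, 46),
         (1.0, 1000, 46), (1.5, 1000, 46)]

# 8000 bit/s = 1000 bytes/s drain, 2000-byte bucket: the third back-to-back
# packet and the fifth (arriving after only half a second) are out of profile.
DROP_POLICER = Policer(rate_bps=8000, burst_bytes=2000)
MARKDOWN_POLICER = Policer(rate_bps=8000, burst_bytes=2000,
                           exceed_action="policed-dscp-transmit",
                           policed_dscp_map={46: 8})   # constructed mark-down
```

With the drop policer, `run_trace(DROP_POLICER, TRACE)` yields in, in, dropped, in, dropped; the mark-down policer passes the same two out-of-profile packets but rewrites their DSCP 46 to 8 via the map, which is what the downstream queueing stage then sees.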
  • Page 462 Chapter 20 Configuring QoS Understanding QoS [Figure 20-4 Policing and Marking Flowchart: Start; read the DSCP of the packet; is a policer configured for this DSCP?; check if the packet is in profile by querying the policer; pass through, or check the out-of-profile action; drop packet.]
  • Page 463: Mapping Tables

    Chapter 20 Configuring QoS Understanding QoS Mapping Tables During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with an internal DSCP value: • During classification, QoS uses configurable mapping tables to derive the internal DSCP (a 6-bit value) from received CoS or IP precedence (3-bit) values.
  • Page 464: Queueing And Scheduling

    Chapter 20 Configuring QoS Understanding QoS Queueing and Scheduling After a packet is policed and marked, the queueing and scheduling process begins as described in these sections: • Queueing and Scheduling on Gigabit-Capable Ports, page 20-12 • Queueing and Scheduling on 10/100 Ethernet Ports, page 20-15 Queueing and Scheduling on Gigabit-Capable Ports Figure 20-5 shows the queueing and scheduling flowchart for Gigabit-capable Ethernet ports.
  • Page 465 Chapter 20 Configuring QoS Understanding QoS During the queueing and scheduling process, the switch uses egress queues and WRR for congestion management, and tail drop or WRED algorithms for congestion avoidance on Gigabit-capable Ethernet ports. Each Gigabit-capable Ethernet port has four egress queues, one of which can be the egress expedite queue.
  • Page 466 Configuring QoS Understanding QoS WRED Cisco’s implementation of Random Early Detection (RED), called Weighted Random Early Detection (WRED), differs from other congestion-avoidance techniques because it attempts to anticipate and avoid congestion, rather than controlling congestion once it occurs. WRED takes advantage of TCP congestion control to try to control the average queue size by indicating to end hosts when they should temporarily stop sending packets.
  • Page 467 Chapter 20 Configuring QoS Understanding QoS Queueing and Scheduling on 10/100 Ethernet Ports Figure 20-6 shows the queueing and scheduling flowchart for 10/100 Ethernet ports. [Figure 20-6 Queueing and Scheduling Flowchart for 10/100 Ethernet Ports: Start; read the CoS value of the packet and the CoS-to-queue map...]
  • Page 468 Chapter 20 Configuring QoS Understanding QoS Each minimum-reserve level is configured with a buffer size. As shown in the figure, queue 4 of Fast Ethernet port 0/1 has a buffer size of 70 packets, queue 4 of Fast Ethernet port 0/2 has a buffer size of 80 packets, queue 4 of Fast Ethernet port 0/3 has a buffer size of 40 packets, and Fast Ethernet port 0/4 has a buffer size of 80 packets.
  • Page 469: Packet Modification

    Chapter 20 Configuring QoS Understanding QoS Packet Modification A packet is classified, policed, and queued to provide QoS. Packet modifications can occur during this process: • For IP packets, classification involves assigning a DSCP to the packet. However, the packet is not modified at this stage;...
  • Page 470: Configuring Qos

    Chapter 20 Configuring QoS Configuring QoS Configuring QoS Before configuring QoS, you must have a thorough understanding of these items: • The types of applications used and the traffic patterns on your network. • Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reserve...
  • Page 471 Chapter 20 Configuring QoS Configuring QoS [Table 20-2 Default QoS Parameters when QoS is Enabled; columns: Port Type | State | Egress traffic (DSCP and CoS Value) | Queue | Queue Weights | Tail-drop Thresholds | CoS Mapping to Queue. First row: Gigabit-capable Ethernet ports | Enabled | DSCP=0 ... | Four queues are ... | Each queue has ... | 100%, 100% | 0, 1: queue 1 ...]
  • Page 472: Configuration Guidelines

    Chapter 20 Configuring QoS Configuring QoS Configuration Guidelines Before beginning the QoS configuration, you should be aware of this information: • If you have EtherChannel ports configured on your switch, you must configure QoS classification, policing, mapping, and queueing on the individual physical ports that comprise the EtherChannel. You must decide whether the QoS configuration should match on all ports in the EtherChannel.
  • Page 473: Enabling Qos Globally

    Chapter 20 Configuring QoS Configuring QoS Enabling QoS Globally By default, QoS is disabled on the switch, which means that the switch offers best-effort service to each packet regardless of the packet contents or size. All CoS values map to egress queue 1 with both tail-drop thresholds set to 100 percent of the total queue size for Gigabit-capable Ethernet ports.
  • Page 474 Chapter 20 Configuring QoS Configuring QoS Configuring the Trust State on Ports within the QoS Domain Packets entering a QoS domain are classified at the edge of the QoS domain. When the packets are classified at the edge, the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the QoS domain.
  • Page 475 Chapter 20 Configuring QoS Configuring QoS Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos Enable QoS globally.
  • Page 476 Chapter 20 Configuring QoS Configuring QoS Configuring the CoS Value for an Interface QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports. Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port: Command Purpose...
  • Page 477 Chapter 20 Configuring QoS Configuring QoS Configuring the DSCP Trust State on a Port Bordering Another QoS Domain If you are administering two separate QoS domains between which you want to implement QoS features for IP traffic, you can configure the switch ports bordering the domains to a DSCP-trusted state as shown Figure 20-9.
  • Page 478: Configuring A Qos Policy

    Chapter 20 Configuring QoS Configuring QoS Command Purpose Step 6 mls qos dscp-mutation Apply the map to the specified ingress DSCP-trusted port. dscp-mutation-name You can apply the map to different Gigabit-capable Ethernet ports. However, on 10/100 Ethernet ports, you can attach only one DSCP-to-DSCP-mutation map to a group of twelve ports.
  • Page 479: Classifying Traffic By Using Acls

    Chapter 20 Configuring QoS Configuring QoS Classifying Traffic by Using ACLs You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs. Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic: Command Purpose Step 1...
  • Page 480 Chapter 20 Configuring QoS Configuring QoS Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos Enable QoS on the switch. Step 3 access-list access-list-number {deny | Create an IP extended ACL, repeating the command as many times as...
  • Page 481 Chapter 20 Configuring QoS Configuring QoS This example shows how to create an ACL that permits PIM traffic from any source to a destination group address of 224.0.0.2 with a DSCP set to 32: Switch(config)# access-list 102 permit pim any 224.0.0.2 dscp 32 Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic: Command Purpose...
  • Page 482: Classifying Traffic By Using Class Maps

    Chapter 20 Configuring QoS Configuring QoS This example shows how to create a Layer 2 MAC ACL with two permit statements. The first statement allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001. The second statement allows only Ethertype XNS-IDP traffic from the host with MAC address 0001.0000.0002 to the host with MAC address 0002.0000.0002.
  • Page 483 Chapter 20 Configuring QoS Configuring QoS Command Purpose Step 4 class-map class-map-name [match-all | Create a class map, and enter class-map configuration mode. match-any] By default, no class maps are defined. • For class-map-name, specify the name of the class map. •...
  • Page 484: Classifying, Policing, And Marking Traffic By Using Policy Maps

    Chapter 20 Configuring QoS Configuring QoS This example shows how to create a class map called class2, which matches incoming traffic with DSCP values of 10, 11, and 12. Switch(config)# class-map class2 Switch(config-cmap)# match ip dscp 10 11 12 Switch(config-cmap)# end Switch# This example shows how to create a class map called class3, which matches incoming traffic with IP-precedence values of 5, 6, and 7:...
  • Page 485 Chapter 20 Configuring QoS Configuring QoS Command Purpose Step 4 policy-map policy-map-name Create a policy map by entering the policy map name, and enter policy-map configuration mode. By default, no policy maps are defined. The default behavior of a policy map is to set the DSCP to 0 if the packet is an IP packet and to set the CoS to 0 if the packet is tagged.
  • Page 486 Chapter 20 Configuring QoS Configuring QoS Command Purpose Step 6 trust [cos | dscp | ip-precedence] Configure the trust state, which selects the value that QoS uses as the source of the internal DSCP value. Note This command is mutually exclusive with the set command within the same policy map.
  • Page 487 Chapter 20 Configuring QoS Configuring QoS Command Purpose Step 8 police rate-bps burst-byte [exceed-action Define a policer for the classified traffic. {drop | policed-dscp-transmit}] You can configure up to 128 policers on ingress Gigabit-capable Ethernet ports, up to 8 policers on ingress 10/100 Ethernet ports, and up to 8 policers on egress ports.
  • Page 488 Chapter 20 Configuring QoS Configuring QoS This example shows how to create a policy map and attach it to an ingress interface. In the configuration, the IP standard ACL permits traffic from network 10.1.0.0. For traffic matching this classification, the DSCP value in the incoming packet is trusted.
  • Page 489: Classifying, Policing, And Marking Traffic By Using Aggregate Policers

    Chapter 20 Configuring QoS Configuring QoS Classifying, Policing, and Marking Traffic by Using Aggregate Policers By using an aggregate policer, you can create a policer that is shared by multiple traffic classes within the same policy map. However, you cannot use the aggregate policer across different policy maps or interfaces.
  • Page 490 Chapter 20 Configuring QoS Configuring QoS Command Purpose Step 9 interface interface-id Enter interface configuration mode, and specify the interface to attach to the policy map. Valid interfaces include physical interfaces. Step 10 service-policy {input policy-map-name | Apply a policy map to the input or output of a particular interface. output policy-map-name} Only one policy map per interface per direction is supported.
  • Page 491: Configuring Dscp Maps

    Chapter 20 Configuring QoS Configuring QoS Configuring DSCP Maps This section describes how to configure the DSCP maps. It contains this configuration information: • Configuring the CoS-to-DSCP Map, page 20-39 • Configuring the IP-Precedence-to-DSCP Map, page 20-40 • Configuring the Policed-DSCP Map, page 20-41 • Configuring the DSCP-to-CoS Map, page 20-42 •...
  • Page 492: Configuring The Ip-Precedence-To-Dscp Map

    Chapter 20 Configuring QoS Configuring QoS This example shows how to modify and display the CoS-to-DSCP map: Switch# configure terminal Switch(config)# mls qos map cos-dscp 10 15 20 25 30 35 40 45 Switch(config)# end Switch# show mls qos maps cos-dscp Cos-dscp map: cos: --------------------------------...
  • Page 493: Configuring The Policed-Dscp Map

    Chapter 20 Configuring QoS Configuring QoS Configuring the Policed-DSCP Map You use the policed-DSCP map to mark down a DSCP value to a new value as the result of a policing and marking action. The default policed-DSCP map is a null map, which maps an incoming DSCP value to the same DSCP value.
  • Page 494: Configuring The Dscp-To-Cos Map

    Chapter 20 Configuring QoS Configuring QoS Configuring the DSCP-to-CoS Map You use the DSCP-to-CoS map to generate a CoS value, which is used to select one of the four egress queues. Table 20-5 shows the default DSCP-to-CoS map. Table 20-5 Default DSCP-to-CoS Map DSCP value 0–7 8–15...
  • Page 495: Configuring The Dscp-To-Dscp-Mutation Map

    Chapter 20 Configuring QoS Configuring QoS Configuring the DSCP-to-DSCP-Mutation Map You apply the DSCP-to-DSCP-mutation map to a port at the boundary of a QoS administrative domain. If the two domains have different DSCP definitions between them, you use the DSCP-to-DSCP-mutation map to translate a set of DSCP values to match the definition of the other domain.
  • Page 496: Configuring Egress Queues On Gigabit-Capable Ethernet Ports

    This example shows how to define the DSCP-to-DSCP-mutation map. All the entries that are not explicitly configured are not modified (they remain as specified in the null map): Switch# configure terminal Switch(config)# mls qos map dscp-mutation mutation1 1 2 3 4 5 6 7 to 0 Switch(config)# mls qos map dscp-mutation mutation1 8 9 10 11 12 13 to 10 Switch(config)# mls qos map dscp-mutation mutation1 20 21 22 to 20 Switch(config)# mls qos map dscp-mutation mutation1 30 31 32 33 34 to 30...
  • Page 497 Mapping CoS Values to Select Egress Queues Beginning in privileged EXEC mode, follow these steps to map CoS ingress values to select one of the egress queues: Command Purpose Step 1 configure terminal: Enter global configuration mode. Step 2 mls qos: Enable QoS on the switch.
  • Page 498 Configuring the Egress Queue Size Ratios Beginning in privileged EXEC mode, follow these steps to configure the egress queue size ratios: Command Purpose Step 1 configure terminal: Enter global configuration mode. Step 2 mls qos: Enable QoS on the switch.
  • Page 499: Configuring Tail-Drop Threshold Percentages

    Configuring Tail-Drop Threshold Percentages Tail drop is the default congestion-avoidance technique on Gigabit-capable Ethernet ports. With tail drop, packets are queued until the thresholds are exceeded. For example, all packets with DSCPs assigned to the first threshold are dropped until the threshold is no longer exceeded. However, packets assigned to a second threshold continue to be queued and sent as long as the second threshold is not exceeded.
  • Page 500: Configuring Wred Drop Thresholds Percentages

    To return to the default thresholds, use the no wrr-queue threshold queue-id interface configuration command. To return to the default DSCP-to-threshold map, use the no wrr-queue dscp-map [threshold-id] interface configuration command. This example shows how to configure the tail-drop queue threshold values for queue 1 to 10 percent and 100 percent, for queue 2 to 40 percent and 100 percent, for queue 3 to 60 percent and 100 percent, and for queue 4 to 80 percent and 100 percent on the egress interface (Gigabit Ethernet 0/1).
  • Page 501 Command Purpose Step 4 wrr-queue random-detect max-threshold queue-id threshold-percentage1 threshold-percentage2: Configure WRED drop threshold percentages on each egress queue. By default, WRED is disabled, and no thresholds are configured. • For queue-id, specify the ID of the egress queue. The range is 1 to 4, where queue 4 can be configured as the expedite queue.
  • Page 502: Configuring The Egress Expedite Queue

    Configuring the Egress Expedite Queue You can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. This queue is serviced until it is empty and before the other queues are serviced. Beginning in privileged EXEC mode, follow these steps to enable the egress expedite queue: Command Purpose...
  • Page 503: Configuring Egress Queues On 10/100 Ethernet Ports

    Command Purpose Step 4 wrr-queue bandwidth weight1 weight2 weight3 weight4: Assign WRR weights to the egress queues. By default, all the weights are set to 25 (1/4 of the bandwidth is allocated to each queue). For weight1 weight2 weight3 weight4, enter the ratio, which determines the ratio of the frequency in which the WRR scheduler drops packets.
  • Page 504: Mapping Cos Values To Select Egress Queues

    This section contains this configuration information: • Mapping CoS Values to Select Egress Queues, page 20-52 • Configuring the Minimum-Reserve Levels, page 20-53 • Configuring the Egress Expedite Queue, page 20-54 • Allocating Bandwidth among Egress Queues, page 20-54 •...
  • Page 505: Configuring The Minimum-Reserve Levels

    Configuring the Minimum-Reserve Levels You can configure the buffer size of the minimum-reserve levels on all 10/100 ports and assign the minimum-reserve level to an egress queue on a 10/100 Ethernet port. Beginning in privileged EXEC mode, follow these steps to configure the egress queue sizes: Command Purpose Step 1...
  • Page 506: Configuring The Egress Expedite Queue

    Configuring the Egress Expedite Queue You can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. This queue is serviced until it is empty and before the other queues are serviced. Beginning in privileged EXEC mode, follow these steps to enable the egress expedite queue: Command Purpose...
  • Page 507 Command Purpose Step 4 wrr-queue bandwidth weight1 weight2 weight3 weight4: Assign WRR weights to the egress queues. By default, all the weights are set to 25 (1/4 of the bandwidth is allocated to each queue). For weight1 weight2 weight3 weight4, enter the ratio, which determines the ratio of the frequency in which the WRR scheduler drops packets.
  • Page 508: Displaying Qos Information

    Displaying QoS Information To display the current QoS information, use one or more of the privileged EXEC commands in Table 20-6: Table 20-6 Commands for Displaying QoS Information Command Purpose show class-map [class-map-name]: Display QoS class maps, which define the match criteria to classify traffic.
  • Page 509: Qos Configuration For The Common Wiring Closet

    Figure 20-10 QoS Configuration Example Network (figure labels: Cisco router, To Internet, Gigabit Ethernet 0/5, Catalyst 3550-12G switch, Gigabit Ethernet 0/2, Gigabit Ethernet 0/1, Existing wiring closet, Intelligent wiring closet, Catalyst 2900 and 3500 XL...)
  • Page 510: Qos Configuration For The Intelligent Wiring Closet

    For the Catalyst 3500 XL and 2900 XL switches, CoS configures each egress port with a normal-priority transmit queue and a high-priority transmit queue, depending on the frame tag or the port information. Frames in the normal-priority queue are forwarded only after frames in the high-priority queue are forwarded.
  • Page 511: Qos Configuration For The Distribution Layer

    Command Purpose Step 17 wrr-queue cos-map 4 6 7: Configure the CoS-to-egress-queue map so that CoS values 6 and 7 select queue 4 (this is the default setting). Because the default DSCP-to-CoS map has DSCP values 56 to 63 mapped to CoS value 7, the matched traffic that is set to DSCP 56 goes to queue 4, the priority queue.
  • Page 512 Command Purpose Step 5 switchport mode trunk: Configure this port as a trunk port. Step 6 exit: Return to global configuration mode. Step 7 interface gigabitethernet0/2: Enter interface configuration mode, and specify the ingress interface connected to the intelligent wiring closet.
  • Page 513 Command Purpose Step 17 Return to privileged EXEC mode. Step 18 show mls qos interface, show interfaces: Verify your entries. Step 19 copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 514 Chapter 20 Configuring QoS QoS Configuration Examples
  • Page 515: Configuring Etherchannel

    Chapter 21 Configuring EtherChannel This chapter describes how to configure EtherChannel on Layer 2 and Layer 3 interfaces. To configure Layer 3 interfaces, you must have the enhanced multilayer software image (EMI) installed on your switch.
  • Page 516: Chapter 21 Configuring Etherchannel

    Chapter 21 Configuring EtherChannel Understanding EtherChannel Figure 21-1 Typical EtherChannel Configuration (figure labels: Catalyst 8500, 6000, 5500, or 4000 series switch; Gigabit EtherChannel; Catalyst 3550-12T switches; 1000BASE-X; 10/100 switched links; workstations) Understanding Port-Channel Interfaces You create an EtherChannel for Layer 2 interfaces differently from Layer 3 interfaces.
  • Page 517: Understanding The Port Aggregation Protocol

    Figure 21-2 Relationship of Physical Ports, Logical Port Channels, and Channel Groups (figure labels: logical port-channel; channel-group binding; Catalyst 3550 10/100/1000 ports; GBIC module slots...)
  • Page 518: Pagp Modes

    PAgP Modes Table 21-1 shows the user-configurable EtherChannel modes for the channel-group interface configuration command: on, auto, and desirable. Switch interfaces exchange PAgP packets only with partner interfaces configured in the auto or desirable modes; interfaces configured in the on mode do not exchange PAgP packets.
  • Page 519: Physical Learners And Aggregate-Port Learners

    The higher the priority, the more likely that the port will be selected. PAgP Interaction with Other Features The Dynamic Trunking Protocol (DTP) and Cisco Discovery Protocol (CDP) send and receive packets over the physical interfaces in the EtherChannel. Trunk ports send and receive PAgP protocol data units (PDUs) on the lowest numbered VLAN.
  • Page 520 IP addresses might result in better load balancing. Figure 21-3 Load Distribution and Forwarding Methods (figure labels: Catalyst 3550 switch with source-based forwarding enabled; EtherChannel; Cisco router with destination-based forwarding enabled)
  • Page 521: Configuring Etherchannel

    Configuring EtherChannel This section describes these configurations for EtherChannel on Layer 2 and Layer 3 interfaces: • Default EtherChannel Configuration, page 21-7 • EtherChannel Configuration Guidelines, page 21-8 • Configuring Layer 2 EtherChannels, page 21-9 •...
  • Page 522: Etherchannel Configuration Guidelines

    EtherChannel Configuration Guidelines If improperly configured, some EtherChannel interfaces are automatically disabled to avoid network loops and other problems. Follow these guidelines to avoid configuration problems: • Each EtherChannel can have up to eight compatibly configured Ethernet interfaces. Note Do not configure a GigaStack GBIC port as part of an EtherChannel.
  • Page 523: Configuring Layer 2 Etherchannels

    Configuring Layer 2 EtherChannels You configure Layer 2 EtherChannels by configuring the Ethernet interfaces with the channel-group interface configuration command, which creates the port-channel logical interface. Note Layer 2 interfaces must be connected and functioning for IOS to create port-channel interfaces for Layer 2 EtherChannels.
  • Page 524 Command Purpose Step 4 channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on}: Assign the interface to a channel group, and specify the PAgP mode. The default mode is auto silent. For channel-group-number, the range is 1 to 64. Each EtherChannel can have up to eight compatibly configured Ethernet interfaces.
  • Page 525: Configuring Layer 3 Etherchannels

    Configuring Layer 3 EtherChannels To configure Layer 3 EtherChannels, you create the port-channel logical interface and then put the Ethernet interfaces into the port-channel as described in the next two sections. Creating Port-Channel Logical Interfaces Note To move an IP address from a physical interface to an EtherChannel, you must delete the IP address from the physical interface before configuring it on the port-channel interface.
  • Page 526: Configuring The Physical Interfaces

    Configuring the Physical Interfaces Beginning in privileged EXEC mode, follow these steps to assign an Ethernet interface to a Layer 3 EtherChannel: Command Purpose Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Enter interface configuration mode, and specify a physical interface to configure.
  • Page 527: Configuring Etherchannel Load Balancing

    Command Purpose Step 5 Return to privileged EXEC mode. Step 6 show running-config: Verify your entries. Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file. To remove an interface from the EtherChannel group, use the no channel-group interface configuration command.
  • Page 528: Configuring The Pagp Learn Method And Priority

    Beginning in privileged EXEC mode, follow these steps to configure EtherChannel load balancing: Command Purpose Step 1 configure terminal: Enter global configuration mode. Step 2 port-channel load-balance {dst-mac | src-mac}: Configure an EtherChannel load-balancing method. The default is src-mac.
  • Page 529 Note The Catalyst 3550 supports address learning only on aggregate ports even though the physical-port keyword is provided in the CLI. The pagp learn-method command and the pagp port-priority command have no effect on the switch hardware, but they are required for PAgP interoperability with devices that only support address learning by physical ports, such as the Catalyst 1900 switch.
  • Page 530: Displaying Etherchannel And Pagp Status

    Displaying EtherChannel and PAgP Status You can use the privileged EXEC commands described in Table 21-3 to display EtherChannel and PAgP status information: Table 21-3 Commands for Displaying EtherChannel and PAgP Status Command Description show etherchannel [channel-group-number] {brief |...
  • Page 531: Chapter 22 Configuring Ip Unicast Routing

    Note Configuration Guide for Release 12.1. For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. This chapter consists of these sections: •...
  • Page 532: Understanding Routing

    Chapter 22 Configuring IP Unicast Routing Understanding Routing Understanding Routing Network devices in different VLANs cannot communicate with one another without a Layer 3 device (router) to route traffic between the VLANs. Routers can perform routing in three different ways: •...
  • Page 533: Steps For Configuring Routing

    By default, IP routing is disabled on the Catalyst 3550 switch, and you must enable it before routing can take place. For detailed IP routing configuration information, refer to the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1.
  • Page 534: Configuring Ip Addressing

    Configuring IP Addressing A required task for configuring IP routing is to assign IP addresses to Layer 3 network interfaces to enable the interfaces and allow communication with the hosts on those interfaces that use IP. These sections describe how to configure various IP addressing features.
  • Page 535: Assigning Ip Addresses To Network Interfaces

    Table 22-1 Default Addressing Configuration (continued) Feature Default Setting IRDP: Disabled. Defaults when enabled: • Broadcast IRDP advertisements. • Maximum interval between advertisements: 600 seconds. • Minimum interval between advertisements: 0.75 times max interval •...
  • Page 536 Beginning in privileged EXEC mode, follow these steps to assign an IP address and a network mask to a Layer 3 interface: Command Purpose Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Enter interface configuration mode, and specify the Layer 3...
  • Page 537 0 input packets with dribble condition detected 0 packets output, 0 bytes, 0 underruns 0 output errors, 0 collisions, 2 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier 0 output buffer failures, 0 output buffers swapped out This is an example of output from the show ip interface privileged EXEC command for Gigabit Ethernet interface 0/10, displaying the detailed IP configuration and status:...
  • Page 538: Use Of Subnet Zero

    Use of Subnet Zero Subnetting with a subnet address of zero is strongly discouraged because of the problems that can arise if a network and a subnet have the same addresses. For example, if network 131.108.0.0 is subnetted as 255.255.255.0, subnet zero would be written as 131.108.0.0, which is the same as the network address.
  • Page 539 Figure 22-2, classless routing is enabled. When the host sends a packet to 120.20.4.1, instead of discarding the packet, the router forwards it to the best supernet route. If you disable classless routing and a router receives packets destined for a subnet of a network with no network default route, the router discards the packet.
  • Page 540: Configuring Address Resolution Methods

    Using RARP requires a RARP server on the same network segment as the router interface. Use the ip rarp-server address interface configuration command to identify the server. For more information on RARP, refer to the Cisco IOS Configuration Fundamentals Configuration Guide for Release 12.1.
  • Page 541: Define A Static Arp Cache

    You can perform these tasks to configure address resolution: • Define a Static ARP Cache, page 22-11 • Set ARP Encapsulation, page 22-12 • Enable Proxy ARP, page 22-13 Define a Static ARP Cache ARP and other address resolution protocols provide dynamic mapping between IP addresses and MAC addresses.
  • Page 542: Set Arp Encapsulation

    This is an example of output from the show arp privileged EXEC command. Switch# show arp Protocol Address Age (min) Hardware Addr Type Interface Internet 10.1.2.3 0002.4b29.2e00 ARPA GigabitEthernet0/10 Internet 172.20.136.9 0030.19c6.54e1 ARPA Vlan1...
  • Page 543: Enable Proxy Arp

    This is an example of output from the show interfaces interface-id privileged EXEC command displaying ARP encapsulation. Switch# show interfaces gigabitethernet0/10 GigabitEthernet0/10 is up, line protocol is up Hardware is Gigabit Ethernet, address is 0002.4b29.2e00 (bia 0002 Internet address is 40.5.121.10/24 MTU 1500 bytes, BW 100000 Kbit, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255...
  • Page 544: Routing Assistance When Ip Routing Is Disabled

    This is an example of output from the show ip interface privileged EXEC command for Gigabit Ethernet interface 0/3, where proxy ARP is enabled. Switch# show ip interface gigabitethernet0/3 GigabitEthernet0/3 is up, line protocol is down Internet address is 10.1.3.59/24 Broadcast address is 255.255.255.255 Address determined by setup command...
  • Page 545: Default Gateway

    Ethernet MAC address, and the host that sent the request sends the packet to the switch, which forwards it to the intended host. Proxy ARP treats all networks as if they are local and performs ARP requests for every IP address.
  • Page 546 The only required task for IRDP routing on an interface is to enable IRDP processing on that interface. When enabled, the default parameters apply. You can optionally change any of these parameters. Beginning in privileged EXEC mode, follow these steps to enable and configure IRDP on an interface: Command Purpose...
  • Page 547: Configuring Broadcast Packet Handling

    GigabitEthernet0/3 has router discovery enabled Advertisements will occur between every 450 and 600 seconds. Advertisements are sent with broadcasts. Advertisements are valid for 1800 seconds. Default preference will be 0. GigabitEthernet0/4 has router discovery disabled Port-channel1 has router discovery disabled Configuring Broadcast Packet Handling After configuring an IP interface address, you can choose to enable routing and configure one or more...
  • Page 548: Forwarding Udp Broadcast Packets And Protocols

    By default, both UDP and ND forwarding are enabled if a helper address has been defined for an interface. The description for the ip forward-protocol interface configuration command in the Cisco IOS IP and IP Routing Command Reference for Release 12.1 lists the ports that are forwarded by default if you do not specify any UDP ports.
  • Page 549 If you do not specify any UDP ports when you configure the forwarding of UDP broadcasts, you are configuring the router to act as a BOOTP forwarding agent. BOOTP packets carry Dynamic Host Configuration Protocol (DHCP) information.
  • Page 550: Establishing An Ip Broadcast Address

    Establishing an IP Broadcast Address The most popular IP broadcast address (and the default) is an address consisting of all ones (255.255.255.255). However, the switch can be configured to generate any form of IP broadcast address. Beginning in privileged EXEC mode, follow these steps to set the IP broadcast address on an interface: Command Purpose...
  • Page 551: Monitoring And Maintaining Ip Addressing

    Beginning in privileged EXEC mode, follow these steps to use the bridging spanning-tree database to flood UDP datagrams: Command Purpose Step 1 configure terminal: Enter global configuration mode. Step 2 ip forward-protocol spanning-tree: Use the bridging spanning-tree database to flood UDP datagrams.
  • Page 552 You can display specific statistics, such as the contents of IP routing tables, caches, and databases; the reachability of nodes; and the routing path that packets are taking through the network. Table 22-4 lists the privileged EXEC commands for displaying IP statistics.
  • Page 553 Switch# show ip redirects Default gateway is 172.20.135.193 Host Gateway Last Use Total Uses Interface ICMP redirect cache is empty Switch# show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP...
  • Page 554: Enabling Ip Routing

    (RIP) router configuration command. For information on specific protocols, refer to sections later in this chapter and to the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1. Step 4 Return to privileged EXEC mode.
  • Page 555: Configuring Rip

    Protocol (UDP) data packets to exchange routing information. The protocol is documented in RFC 1058. You can find detailed information about RIP in IP Routing Fundamentals, published by Cisco Press. Using RIP, the switch sends routing information updates (advertisements) every 30 seconds. If a router does not receive an update from another router for 180 seconds or more, it marks the routes served by that router as unusable.
  • Page 556 Table 22-5 Default RIP Configuration (continued) Feature Default Setting Validate-update-source: Enabled. Version: Receives RIP version 1 and version 2 packets; sends version 1 packets. For protocol-independent features that also apply to RIP, see the “Configuring Protocol-Independent Features”...
  • Page 557 Command Purpose Step 10 no validate-update-source: (Optional) Disable validation of the source IP address of incoming RIP routing updates. By default, the switch validates the source IP address of incoming RIP routing updates and discards the update if the source address is not valid.
  • Page 558: Rip Authentication

    RIP Authentication RIP version 1 does not support authentication. If you are sending and receiving RIP Version 2 packets, you can enable RIP authentication on an interface. The key chain determines the set of keys that can be used on the interface.
  • Page 559 Note In general, disabling split horizon is not recommended unless you are certain that your application requires it to properly advertise routes. If you want to configure an interface running RIP to advertise a summarized local IP address pool on a network access server for dial-up clients, use the ip summary-address rip interface configuration command.
  • Page 560: Configuring Igrp

    Configuring IGRP Interior Gateway Routing Protocol (IGRP) is a dynamic, distance-vector routing, proprietary Cisco protocol for routing in an autonomous system that contains large, arbitrarily complex networks with diverse bandwidth and delay characteristics. IGRP uses a combination of user-configurable metrics, including internetwork delay, bandwidth, reliability, and load.
  • Page 561: Load Balancing And Traffic Distribution Control

    Table 22-6 Default IGRP Configuration (continued) Feature Default Setting Network: None specified. Offset-list: Disabled. Set metric: None set in route map. Timers basic: Update: 90 seconds. Invalid: 270 seconds. Hold-down: 280 seconds. Flush: 630 seconds.
  • Page 562 Note Use the traffic-share router configuration command to control distribution of traffic among multiple routes of unequal cost. For more information and examples, refer to the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1.
  • Page 563 Command Purpose Step 8 no metric holddown: (Optional) Disable the IGRP hold-down period. The route to a network is placed in holddown if the router learns that the network is farther away than previously known or is down.
  • Page 564: Split Horizon

    This is an example of output from the show ip protocols privileged EXEC command that verifies the IGRP configuration. Switch# show ip protocols <output truncated> Routing Protocol is "igrp 109" Sending updates every 90 seconds, next due in 52 seconds Invalid after 270 seconds, hold down 280, flushed after 630 Outgoing update filter list for all interfaces is Incoming update filter list for all interfaces is...
  • Page 565: Configuring Ospf

    Configuring OSPF This section briefly describes how to configure Open Shortest Path First (OSPF). For a complete description of the OSPF commands, refer to the “OSPF Commands” chapter of the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
  • Page 566 Table 22-7 Default OSPF Configuration Feature Default Setting Interface parameters: Cost: No default cost predefined. Retransmit interval: 5 seconds. Transmit delay: 1 second. Priority: 1. Hello interval: 10 seconds. Dead interval: 4 times the hello interval. No authentication.
  • Page 567 Table 22-7 Default OSPF Configuration (continued) Feature Default Setting Timers shortest path first (spf): spf delay: 5 seconds. spf-holdtime: 10 seconds. Virtual link: No area ID or router ID defined. Hello interval: 10 seconds. Retransmit interval: 5 seconds.
  • Page 568: Ospf Interface Parameters

    This is an example of output from the show ip protocols privileged EXEC command that verifies the OSPF process ID. Switch# show ip protocols <output truncated> Routing Protocol is "ospf 109" Invalid after 0 seconds, hold down 0, flushed after 0 Outgoing update filter list for all interfaces is Incoming update filter list for all interfaces is Redistributing: ospf 109...
  • Page 569: Ospf Area Parameters

    Command Purpose Step 9 ip ospf authentication-key key: (Optional) Assign a password to be used by neighboring OSPF routers. The password can be any string of keyboard-entered characters up to 8 bytes in length. All neighboring routers on the same network must have the same password to exchange OSPF information.
  • Page 570 Note The OSPF area router configuration commands are all optional. Beginning in privileged EXEC mode, follow these steps to configure area parameters: Command Purpose Step 1 configure terminal: Enter global configuration mode. Step 2 router ospf process-id: Enable OSPF routing, and enter router configuration mode.
  • Page 571: Other Ospf Behavior Parameters

    Switch# show ip ospf Routing Process "ospf 1" with ID 172.20.135.202 and Domain ID 0.0.0.1 Supports only single TOS(TOS0) routes Supports opaque LSA SPF schedule delay 5 secs, Hold time between two SPFs 10 secs Minimum LSA interval 5 secs.
  • Page 572 • Passive interfaces: Because interfaces between two devices on an Ethernet represent only one network segment, to prevent OSPF from sending hello packets for the sending interface, you must configure the sending device to be a passive interface. Both devices can identify each other through the hello packet for the receiving interface.
  • Page 573: Change Lsa Group Pacing

    Change LSA Group Pacing The OSPF LSA group pacing feature allows the router to group OSPF LSAs and pace the refreshing, check-summing, and aging functions for more efficient router use. This feature is enabled by default with a 4-minute default pacing interval, and you will not usually need to modify this parameter.
  • Page 574: Monitoring Ospf

    EXEC commands for displaying statistics. For more show ip ospf database privileged EXEC command options and for explanations of fields in the resulting display, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. Table 22-8 Show IP OSPF Statistics Commands...
  • Page 575 Chapter 22 Configuring IP Unicast Routing Configuring OSPF This is an example of output from the show ip ospf database privileged EXEC command when no arguments or keywords are used: Switch# show ip ospf database OSPF Router with ID (172.20.135.202) (Process ID 1) Router Link States (Area 1) Link ID ADV Router...
  • Page 576: Configuring Eigrp

    Configuring EIGRP Configuring EIGRP Enhanced IGRP (EIGRP) is a Cisco proprietary enhanced version of the IGRP. Enhanced IGRP uses the same distance vector algorithm and distance information as IGRP; however, the convergence properties and the operating efficiency of Enhanced IGRP are significantly improved.
  • Page 577 Chapter 22 Configuring IP Unicast Routing Configuring EIGRP feasible successors, but there are neighbors advertising the destination, a recomputation must occur. This is the process whereby a new successor is determined. The amount of time it takes to recompute the route affects the convergence time. Recomputation is processor-intensive; it is advantageous to avoid recomputation if it is not necessary.
  • Page 578: Eigrp Router Mode Commands

    Chapter 22 Configuring IP Unicast Routing Configuring EIGRP Table 22-9 Default EIGRP Configuration (continued) Feature Default Setting Network None specified. Offset-list Disabled. Router EIGRP Disabled. Set metric No metric set in the route map. Traffic-share Distributed proportionately to the ratios of the metrics. Variance 1 (equal-cost load balancing).
  • Page 579: Eigrp Interface Mode Commands

    Chapter 22 Configuring IP Unicast Routing Configuring EIGRP Command Purpose Step 6 offset-list [access-list number | name] {in | out} offset [type number] (Optional) Apply an offset list to routing metrics to increase incoming and outgoing metrics to routes learned through EIGRP. You can limit the offset list with an access list or an interface.
  • Page 580: Configure Eigrp Route Authentication

    15 seconds for all other networks. Caution Do not adjust the hold time without consulting Cisco technical support. Step 7 no ip split-horizon eigrp autonomous-system-number (Optional) Disable split horizon to allow route information to be advertised by a router out any interface from which that information originated.
  • Page 581: Monitoring And Maintaining Eigrp

    Table 22-10 lists the privileged EXEC commands for deleting neighbors and displaying statistics. For explanations of fields in the resulting display, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. Table 22-10 IP EIGRP Clear and Show Commands...
  • Page 582 Chapter 22 Configuring IP Unicast Routing Configuring EIGRP This is an example of output from the show ip eigrp interface privileged EXEC command: Switch# show ip eigrp interface IP EIGRP interfaces for process 109 Xmit Queue Mean Pacing Time Multicast Pending Interface Peers...
  • Page 583: Configuring Protocol-Independent Features

    • Configuring Cisco Express Forwarding Cisco Express Forwarding (CEF) is a Layer 3 IP switching technology used to optimize network performance. CEF implements an advanced IP look-up and forwarding algorithm to deliver maximum Layer 3 switching performance. CEF is less CPU-intensive than fast switching route caching, allowing more CPU processing power to be dedicated to packet forwarding.
  • Page 584: Configuring The Number Of Equal-Cost Routing Paths

    Chapter 22 Configuring IP Unicast Routing Configuring Protocol-Independent Features Beginning in privileged EXEC mode, follow these steps to enable CEF on an interface after it has been disabled: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the Layer 3 interface to configure.
  • Page 585: Configuring Static Routes

    Chapter 22 Configuring IP Unicast Routing Configuring Protocol-Independent Features Beginning in privileged EXEC mode, follow these steps to change the maximum number of parallel paths installed in a routing table from the default: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router {rip | ospf | igrp | eigrp} Enter router configuration mode.
  • Page 586: Specifying Default Routes

    Chapter 22 Configuring IP Unicast Routing Configuring Protocol-Independent Features The switch retains static routes until you remove them (by using the no ip route global configuration command). However, you can override static routes with dynamic routing information by assigning administrative distance values. Each dynamic routing protocol has a default administrative distance, as listed in Table 22-11.
  • Page 587: Redistributing Routing Information

    The system periodically scans its routing table to choose the optimal default network as its default route. In IGRP networks, there might be several candidate networks for the system default. Cisco routers use administrative distance and metric information to determine the default route or the gateway of last resort.
  • Page 588 Chapter 22 Configuring IP Unicast Routing Configuring Protocol-Independent Features Beginning in privileged EXEC mode, follow these steps to configure a route map for redistribution: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 route-map map-tag [permit | deny] [sequence number] Define any route maps used to control redistribution and enter route-map configuration mode.
  • Page 589 Chapter 22 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Step 12 set metric metric-value Set the metric value to give the redistributed routes (for any protocol except IGRP or EIGRP). The metric value is an integer from -294967295 to 294967295.
  • Page 590 Chapter 22 Configuring IP Unicast Routing Configuring Protocol-Independent Features You can distribute routes from one routing domain into another and control route distribution. Beginning in privileged EXEC mode, follow these steps to control route redistribution. Note that the keywords are the same as defined in the previous procedure. Command Purpose Step 1...
  • Page 591: Filtering Routing Information

    Chapter 22 Configuring IP Unicast Routing Configuring Protocol-Independent Features Filtering Routing Information You can filter routing protocol information by performing the tasks described in this section. Note When routes are redistributed between OSPF processes, no OSPF metrics are preserved. Setting Passive Interfaces To prevent other routers on a local network from dynamically learning about routes, you can use the passive-interface router configuration command to keep routing update messages from being sent through a router interface.
  • Page 592: Controlling Advertising And Processing In Routing Updates

    Chapter 22 Configuring IP Unicast Routing Configuring Protocol-Independent Features Controlling Advertising and Processing in Routing Updates You can use the distribute-list router configuration command with access control lists to suppress routes from being advertised in routing updates and to prevent other routers from learning one or more routes. When used in OSPF, this feature applies to only external routes, and you cannot specify an interface name.
  • Page 593: Managing Authentication Keys

    Chapter 22 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Step 3 distance weight {ip-address {ip-address mask}} [ip access list] Define an administrative distance. weight—The administrative distance as an integer from 10 to 255. Used alone, weight specifies a default administrative distance that is used when no other specification exists for a routing information source.
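The redistribution route map, passive-interface, distribute-list and distance commands described on the preceding pages are the controls that decide which routes a switch will accept and which it will announce; left at their defaults a switch believes any neighbour that speaks its routing protocol. The configuration below is an added example, not text from the guide, and puts the three controls together for RIP routes being redistributed into OSPF process 1. The prefixes, interface and neighbour address are assumptions.

```cisco
! Added example; prefixes, interface and neighbour address are hypothetical.
!
! 1. Advertise only what you mean to: the route map gates what RIP routes
!    enter OSPF and tags them with a known metric and type.
access-list 10 permit 10.20.0.0 0.0.255.255
route-map RIP-TO-OSPF permit 10
 match ip address 10
 set metric 100
 set metric-type type-1
!
router ospf 1
 redistribute rip subnets route-map RIP-TO-OSPF
!
! 2. Learn only what you mean to: the inbound distribute-list drops prefixes
!    a RIP peer should never be offering (a default route and private space),
!    and the user segment on vlan 20 gets no RIP updates at all.
access-list 20 deny   0.0.0.0
access-list 20 deny   192.168.0.0 0.0.255.255
access-list 20 permit any
!
router rip
 network 10.0.0.0
 distribute-list 20 in
 passive-interface vlan 20
 ! 3. Trust only known sources: weight used alone sets the default distance
 !    for every RIP source to 255 (never installed); the one expected peer
 !    keeps the normal RIP distance of 120.
 distance 255
 distance 120 10.20.1.2 0.0.0.0
```

After applying this, show ip route should list RIP routes only from 10.20.1.2 and only those permitted by list 20, and show ip ospf database external should contain only 10.20.0.0/16 subnets as type-1 externals.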
  • Page 594: Monitoring And Maintaining The Ip Network

    Chapter 22 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network Command Purpose Step 5 accept-lifetime start-time {infinite | end-time | duration seconds} (Optional) Specify the time period during which the key can be received. The start-time and end-time syntax can be either hh:mm:ss Month date year or hh:mm:ss date Month year.
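The key chain built by these steps is what the EIGRP route authentication procedure (page 580) refers to, and the accept-lifetime and send-lifetime windows are what make a key rollover possible without dropping adjacencies. The configuration below is an added example, not text from the guide, covering both passages: a two-key chain with overlapping lifetimes and the EIGRP interface commands that use it. Autonomous system 100, the interface, the addresses, the dates and the key strings are assumptions; the switch clock must be set (manually or by NTP) or the lifetimes are meaningless.

```cisco
! Added example; AS number, interface, addresses, dates and keys are hypothetical.
!
! Two keys: key 1 is current, key 2 takes over at 00:00 on 1 March 2002.
! accept-lifetime is deliberately wider than send-lifetime on both keys, so
! a peer whose clock is slightly off, or that is changed a few minutes
! later, is still accepted during the overlap.
key chain EIGRP-KEYS
 key 1
  key-string Old-Key-2002
  accept-lifetime 00:00:00 Jan 1 2002 01:00:00 Mar 1 2002
  send-lifetime 00:00:00 Jan 1 2002 00:00:00 Mar 1 2002
 key 2
  key-string New-Key-2002
  accept-lifetime 23:00:00 Feb 28 2002 infinite
  send-lifetime 00:00:00 Mar 1 2002 infinite
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
!
interface gigabitethernet0/2
 no switchport
 ip address 10.1.23.2 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
! Verify which key is currently sent and accepted, and that the neighbour
! survives the rollover:
! show key chain
! show ip eigrp neighbors
```

Configure the same chain on the peer before the cutover time; once key 1 has expired on both sides, remove it from the chain so the old string does not stay in the configuration indefinitely.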
  • Page 595 Chapter 22 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network This is an example of output from the show ip route privileged EXEC command when entered without an address: Switch# show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP...
  • Page 596 Chapter 22 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network This is an example of output from the show ip route supernets-only privileged EXEC command. This display shows supernets only; it does not show subnets. Switch# show ip route supernets-only Codes: I - IGRP derived, R - RIP derived, O - OSPF derived C - connected, S - static, E - EGP derived, B - BGP derived i - IS-IS derived, D - EIGRP derived...
  • Page 597: Chapter 23 Configuring Hsrp

    Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference and the Cisco IOS IP and IP Routing Command Reference for Release 12.1. This chapter consists of these sections: Understanding HSRP, page 23-1 •...
  • Page 598 Chapter 23 Configuring HSRP Understanding HSRP Note Routers in an HSRP group can be any router interface that supports HSRP, including Catalyst 3550 routed ports and switch virtual interfaces (SVIs). HSRP provides high network availability by providing redundancy for IP traffic from hosts on networks. In a group of router interfaces, the active router is the router of choice for routing packets;...
  • Page 599: Configuring Hsrp

    Chapter 23 Configuring HSRP Configuring HSRP Figure 23-1 Typical HSRP Configuration [figure: Host B (172.20.130.5) reaches the network through the virtual router address 172.20.128.3; the active router is a Catalyst 3550 with the enhanced multilayer software image at 172.20.128.1 and the standby router is another at 172.20.128.2; Router A and Router B and stacked Catalyst 3550 or 2900XL/3500XL switches complete the topology]
  • Page 600: Default Hsrp Configuration

    Chapter 23 Configuring HSRP Configuring HSRP • Etherchannel port channel in Layer 3 mode: a port-channel logical interface created by using the interface port-channel port-channel-number global configuration command and binding the Ethernet interface into the channel group. For more information, see the “Configuring Layer 3 EtherChannels”...
  • Page 601 Chapter 23 Configuring HSRP Configuring HSRP Beginning in privileged EXEC mode, follow these steps to create or enable HSRP on a Layer 3 interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and enter the Layer 3 interface on which you want to enable HSRP.
  • Page 602: Configuring Hsrp Group Attributes

    Chapter 23 Configuring HSRP Configuring HSRP Configuring HSRP Group Attributes Although HSRP can run with no other configuration required, you can configure attributes for the HSRP group, including authentication, priority, preemption and preemption delay, timers, or MAC address. Configuring HSRP Priority The standby priority, standby preempt, and standby track interface configuration commands are all used to set characteristics for determining active and standby routers and behavior regarding when a new active router takes over.
  • Page 603 Chapter 23 Configuring HSRP Configuring HSRP Beginning in privileged EXEC mode, use one or more of these steps to configure HSRP priority characteristics on an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and enter the HSRP interface on which you want to set priority.
  • Page 604: Configuring Hsrp Authentication And Timers

    [group-number] authentication string (Optional) authentication string—Enter a string to be carried in all HSRP messages. The authentication string can be up to eight characters in length; the default string is cisco. (Optional) group-number—The group number to which the command applies.
  • Page 605: Configuring Hsrp Groups And Clustering

    Chapter 23 Configuring HSRP Configuring HSRP Command Purpose Step 4 standby [group-number] timers hellotime (Optional) Configure the time between hello packets and the holdtime time before other routers declare the active router to be down. • group-number—The group number to which the command applies.
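The authentication string on the previous page defaults to cisco, and in the form this guide documents it is carried in clear text in every HSRP hello. It therefore stops a misconfigured or stray router from joining the group, but not a host on the VLAN that can read the hellos, copy the string and announce a higher priority to take over the virtual address. Change it from the default, keep the HSRP VLAN free of untrusted hosts, and make the priority, preemption and timers deliberate on both members. The configuration below is an added example, not text from the guide, using the addresses of Figure 23-1; the SVI, group number, tracked interface and string are assumptions.

```cisco
! Added example; SVI, group number, tracked uplink and string are hypothetical.
! Addresses follow Figure 23-1: active .1, standby .2, virtual .3.
!
! Active switch: higher priority, preempts after a 30 s settle delay, and
! drops its priority by 20 (to 90) if the uplink goes down so the standby
! (priority 100) takes over.
interface vlan 10
 ip address 172.20.128.1 255.255.255.0
 standby 1 ip 172.20.128.3
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 authentication H5rpK3y1
 standby 1 timers 1 4
 standby 1 track gigabitethernet0/1 20
!
! Standby switch: same group, virtual IP, string and timers. If the string
! or timers differ the two never agree and both can go active at once.
interface vlan 10
 ip address 172.20.128.2 255.255.255.0
 standby 1 ip 172.20.128.3
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication H5rpK3y1
 standby 1 timers 1 4
!
! Verify on both members; exactly one should show Active, the other Standby:
! show standby vlan 10 1 brief
```

The string is limited to eight characters, which is why the example uses one of exactly that length; a longer value is rejected.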
  • Page 606: Displaying Hsrp Configurations

    Chapter 23 Configuring HSRP Displaying HSRP Configurations Displaying HSRP Configurations From privileged EXEC mode, use this command to display HSRP settings: show standby [interface-id [group]] [brief] [detail] You can display HSRP information for the whole switch, for a specific interface, for an HSRP group, or for an HSRP group on an interface.
  • Page 607: Chapter 24 Configuring Ip Multicast Routing

    Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. This chapter describes how to configure IP multicast routing on your multilayer switch. To use this feature, you must have the enhanced multilayer software image (EMI) installed on your switch.
  • Page 608: Cisco Implementation Of Ip Multicast Routing

    Internet (MBONE). The Cisco IOS software supports PIM-to-DVMRP interaction. • Cisco Group Management Protocol (CGMP) is used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. Figure 24-1 shows where these protocols operate within the IP multicast environment.
  • Page 609: Understanding Igmp

    Chapter 24 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing Understanding IGMP To participate in IP multicasting, multicast hosts, routers, and multilayer switches must have IGMP operating. This protocol is the group membership protocol used by hosts to inform routers and multilayer switches of the existence of members on their directly connected networks and to allow them to send and receive multicast datagrams.
  • Page 610: Igmp Version 2

    Chapter 24 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing IGMP Version 2 IGMPv2 provides enhancements over IGMPv1. The query and membership report messages are identical to the IGMPv1 messages with two exceptions. The first difference is that the IGMPv2 query message is broken into two categories: general queries, which perform the same function as the IGMPv1 queries, and group-specific queries, which are queries directed to a single group.
  • Page 611: Understanding Pim

    PIM Versions Two versions of PIM are supported in the IOS software. With PIM Version 1 (PIMv1), Cisco introduced support in IOS Release 11.1(6) for a new feature called Auto-RP. This proprietary feature eliminates the need to manually configure the rendezvous point (RP) information in every router and multilayer switch in the network.
  • Page 612 Chapter 24 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing The simplest form of a multicast distribution tree is a source tree whose root is the source of the multicast traffic and whose branches form a spanning tree through the network to the receivers. Because this tree uses the shortest path through the network, it is also referred to as a shortest-path tree (SPT).
  • Page 613 Chapter 24 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing PIM SM PIM SM uses shared trees and SPTs to distribute multicast traffic to multicast receivers in the network. In PIM SM, a router or multilayer switch assumes that other routers or switches do not forward multicast packets for a group, unless there is an explicit request for the traffic (join message).
  • Page 614: Auto-Rp

    For Auto-RP to work, you configure a Cisco router or multilayer switch as the mapping agent. It uses IP multicast to learn which routers or switches in the network are possible candidate RPs by joining the well-known Cisco-RP-announce multicast group (224.0.1.39) to receive candidate RP announcements.
  • Page 615: Multicast Forwarding And Reverse Path Check

    Chapter 24 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing travel hop-by-hop throughout the PIM domain. Because BSR messages contain the IP address of the current BSR, the flooding mechanism allows candidate RPs to automatically learn which device is the elected BSR.
  • Page 616: Neighbor Discovery

    Chapter 24 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing Figure 24-6 RPF Check [figure: two copies of a multicast packet from source 151.10.3.21 arrive at a multilayer switch with interfaces Gigabit Ethernet 0/1, 0/2 and 0/3; the copy arriving on the interface that the unicast routing table uses to reach 151.10.3.21 passes the RPF check and is forwarded, the copy arriving on another interface fails the check and is discarded]
  • Page 617: Understanding Dvmrp

    (MBONE) and in other intradomain multicast networks. Cisco routers and multilayer switches run PIM and can forward multicast packets to and receive from a DVMRP neighbor. It is also possible to propagate DVMRP routes into and through a PIM cloud. The...
  • Page 618: Joining A Group With Cgmp

    Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing CGMP is a protocol used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. CGMP permits Layer 2 group membership information to be communicated from the CGMP server to the switch, which can learn on which ports multicast members reside instead of flooding multicast traffic to all switch ports.
  • Page 619: Leaving A Group With Cgmp

    Chapter 24 Configuring IP Multicast Routing Configuring IP Multicast Routing Leaving a Group with CGMP When an IGMPv2 host leaves a group, it can send an IGMP leave group message to the all-multicast-routers group (224.0.0.2). The CGMP server translates this leave group message into a CGMP leave message and sends it to the switch.
  • Page 620: Multicast Routing Configuration Guidelines

    PIMv2 BSR. However, Auto-RP is a standalone protocol, separate from PIMv1, and is a proprietary Cisco protocol. PIMv2 is a standards track protocol in the IETF. We recommend that you use PIMv2. The BSR mechanism interoperates with Auto-RP on Cisco routers and multilayer switches.
  • Page 621: Auto-Rp And Bsr Configuration Guidelines

    • If you have a network that includes non-Cisco routers, configure the Auto-RP mapping agent and the BSR on a Cisco PIMv2 router or multilayer switch. • Ensure that no PIMv1 device is on the path between the BSR and a non-Cisco PIMv2 router.
  • Page 622 Configure the PIM version on the interface. By default, Version 2 is enabled and is the recommended setting. Note All IP multicast-capable Cisco PIM routers using IOS Release 11.3(2)T or later start in PIMv2 by default. An interface in PIMv2 mode automatically downgrades to PIMv1 mode if that interface has a PIMv1 neighbor.
  • Page 623: Configuring A Rendezvous Point

    • Manually Assigning an RP to Multicast Groups, page 24-17 • Configuring Auto-RP, page 24-18 (a standalone, Cisco-proprietary protocol separate from PIMv1) • Configuring PIMv2 BSR, page 24-22 (a standards track protocol in the Internet Engineering Task Force (IETF)) You can use Auto-RP, BSR, or a combination of both, depending on the PIM version you are running and the types of routers in your network.
  • Page 624: Configuring Auto-Rp

    Switch(config)# access-list 1 permit 225.2.2.2 0.0.0.0
    Switch(config)# ip pim rp-address 147.106.6.22 1
    Configuring Auto-RP Auto-RP uses IP multicast to automate the distribution of group-to-RP mappings to all Cisco routers and multilayer switches in a PIM network. It has these benefits: •...
  • Page 625 Chapter 24 Configuring IP Multicast Routing Configuring IP Multicast Routing This section contains this configuration information: • Setting up Auto-RP in a New Internetwork, page 24-19 • Adding Auto-RP to an Existing Sparse-Mode Cloud, page 24-19 • Preventing Join Messages to False RPs, page 24-20 • Preventing Candidate RP Spoofing, page 24-21 •...
  • Page 626 Chapter 24 Configuring IP Multicast Routing Configuring IP Multicast Routing Command Purpose Step 4 access-list access-list-number {deny | permit} source [source-wildcard] Create a standard access list, repeating the command as many times as necessary. • For access-list-number, enter the access list number specified in Step •...
  • Page 627 Chapter 24 Configuring IP Multicast Routing Configuring IP Multicast Routing If all interfaces are in sparse mode, use a default-configured RP to support the two well-known groups 224.0.1.39 and 224.0.1.40. Auto-RP uses these two well-known groups to collect and distribute RP-mapping information.
  • Page 628: Configuring Pimv2 Bsr

    Chapter 24 Configuring IP Multicast Routing Configuring IP Multicast Routing Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove a filter on incoming RP announcement messages, use the no ip pim rp-announce-filter rp-list access-list-number group-list access-list-number global configuration command.
  • Page 629 Chapter 24 Configuring IP Multicast Routing Configuring IP Multicast Routing Beginning in privileged EXEC mode, follow these steps to define the PIM domain border: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the interface to be configured.
  • Page 630 Chapter 24 Configuring IP Multicast Routing Configuring IP Multicast Routing Defining the IP Multicast Boundary You define a multicast boundary to prevent Auto-RP messages from entering the PIM domain. You create an access list to deny packets destined for 224.0.1.39 and 224.0.1.40, which carry Auto-RP information.
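Auto-RP is trusted by default: the mapping agent believes any candidate-RP announcement it hears on 224.0.1.39, and every router believes whatever mapping the agent then sends on 224.0.1.40. The rp-announce-filter, multicast boundary and PIM domain border steps on the preceding pages close that gap from both ends. The configuration below is an added example, not text from the guide, that combines them on one switch acting as mapping agent with an interface facing a neighbouring PIM domain. The candidate RP address, group range, interface and addresses are assumptions.

```cisco
! Added example; RP address, group range, interface and addresses are hypothetical.
!
! 1. Mapping agent: announce mappings to the domain, but accept candidate-RP
!    announcements only from 10.1.1.1 and only for the 239.1.0.0/16 groups it
!    is allowed to serve. Announcements from any other "RP" are ignored.
ip pim send-rp-discovery scope 16
access-list 10 permit 10.1.1.1
access-list 20 permit 239.1.0.0 0.0.255.255
ip pim rp-announce-filter rp-list 10 group-list 20
!
! 2. Domain edge: neither Auto-RP announcements (224.0.1.39) nor discovery
!    messages (224.0.1.40) may cross the boundary in either direction, so a
!    neighbouring domain cannot feed us mappings or learn ours, and PIMv2
!    bootstrap messages stop at the border as well.
access-list 30 deny   224.0.1.39
access-list 30 deny   224.0.1.40
access-list 30 permit 224.0.0.0 15.255.255.255
!
interface gigabitethernet0/1
 no switchport
 ip address 10.9.9.1 255.255.255.0
 ip pim sparse-dense-mode
 ip multicast boundary 30
 ip pim bsr-border
!
! Verify: every group range should resolve to the RP you expect, and the
! expected-RP test for a specific group should agree on every router.
! show ip pim rp mapping
! show ip pim rp-hash 239.1.1.1
```

If a rogue candidate RP does appear, show ip pim rp mapping on the mapping agent still lists it only if it passed list 10 and list 20, so the mapping table itself is the place to confirm the filter is working.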
  • Page 631 Chapter 24 Configuring IP Multicast Routing Configuring IP Multicast Routing Configuring Candidate BSRs You can configure one or more candidate BSRs. The devices serving as candidate BSRs should have good connectivity to other devices and be in the backbone portion of the network. Beginning in privileged EXEC mode, follow these steps to configure your multilayer switch as a candidate BSR: Command...
  • Page 632 IP multicast address space or a portion of it. Candidate RPs send candidate RP advertisements to the BSR. When deciding which devices should be RPs, consider these options: • In a network of Cisco routers and multilayer switches where only Auto-RP is used, any device can be configured as an RP. •...
  • Page 633: Using Auto-Rp And A Bsr

    If you have non-Cisco PIMv2 routers that need to interoperate with Cisco PIMv1 routers and multilayer switches, both Auto-RP and a BSR are required. We recommend that a Cisco PIMv2 router or multilayer switch be both the Auto-RP mapping agent and the BSR.
  • Page 634: Troubleshooting Pimv1 And Pimv2 Interoperability Problems

    Chapter 24 Configuring IP Multicast Routing Configuring Advanced PIM Features Troubleshooting PIMv1 and PIMv2 Interoperability Problems When debugging interoperability problems between PIMv1 and PIMv2, check these in the order shown: Verify RP mapping with the show ip pim rp-hash privileged EXEC command, making sure that all systems agree on the same RP for the same group.
  • Page 635: Delaying The Use Of Pim Shortest-Path Tree

    Chapter 24 Configuring IP Multicast Routing Configuring Advanced PIM Features This process describes the move from a shared tree to a source tree: 1. A receiver joins a group; leaf Router C sends a join message toward the RP. 2. The RP puts a link to Router C in its outgoing interface list. 3. A source sends data;...
  • Page 636: Modifying The Pim Router-Query Message Interval

    Chapter 24 Configuring IP Multicast Routing Configuring Advanced PIM Features Beginning in privileged EXEC mode, follow these steps to configure a traffic rate threshold that must be reached before multicast routing switches a group from the shared tree to the shortest-path (source) tree: Command Purpose Step 1...
  • Page 637: Configuring Optional Igmp Features

    Chapter 24 Configuring IP Multicast Routing Configuring Optional IGMP Features By default, multicast routers and multilayer switches send PIM router-query messages every 30 seconds. Beginning in privileged EXEC mode, follow these steps to modify the router-query message interval: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 638: Changing The Igmp Version

    Chapter 24 Configuring IP Multicast Routing Configuring Optional IGMP Features Table 24-2 Default IGMP Configuration (continued) Feature Default Setting Access to multicast groups All groups are allowed on an interface. IGMP host-query message interval 60 seconds on all interfaces. Multilayer switch as a statically connected member Disabled.
  • Page 639: Changing The Maximum Query Response Time For Igmpv2

    Chapter 24 Configuring IP Multicast Routing Configuring Optional IGMP Features You can determine the query interval by entering the show ip igmp interface interface-id privileged EXEC command. Beginning in privileged EXEC mode, follow these steps to change the IGMP query timeout: Command Purpose Step 1...
  • Page 640: Configuring The Multilayer Switch As A Member Of A Group

    ICMP echo-request packets addressed to a group of which they are members. Another example is the multicast trace-route tools provided in the Cisco IOS software. Beginning in privileged EXEC mode, follow these steps to configure the multilayer switch to be a...
  • Page 641: Controlling Access To Ip Multicast Groups

    Chapter 24 Configuring IP Multicast Routing Configuring Optional IGMP Features Controlling Access to IP Multicast Groups The multilayer switch sends IGMP host-query messages to determine which multicast groups have members on attached local networks. The switch then forwards to these group members all packets addressed to the multicast group.
  • Page 642: Modifying The Igmp Host-Query Message Interval

    Chapter 24 Configuring IP Multicast Routing Configuring Optional IGMP Features Modifying the IGMP Host-Query Message Interval The multilayer switch periodically sends IGMP host-query messages to discover which multicast groups are present on attached networks. These messages are sent to the all-hosts multicast group (224.0.0.1) with a time-to-live (TTL) of 1.
  • Page 643: Configuring Optional Multicast Routing Features

    Chapter 24 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Beginning in privileged EXEC mode, follow these steps to configure the switch itself to be a statically connected member of a group (and allow fast switching): Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 644: Enabling Cgmp Server Support

    The multilayer switch serves as a CGMP server for devices that do not support IGMP snooping but have CGMP client functionality. CGMP is a protocol used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. CGMP is necessary because the Layer 2 switch cannot distinguish between IP multicast data packets and IGMP report messages, which are both at the MAC-level and are addressed to the same group address.
  • Page 645: Configuring Sdr Listener Support

    Chapter 24 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Configuring sdr Listener Support The MBONE is the small subset of Internet routers and hosts that are interconnected and capable of forwarding IP multicast traffic. Other interesting multimedia content is often broadcast over the MBONE.
  • Page 646: Configuring The Ttl Threshold

    Chapter 24 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Command Purpose Step 3 end Return to privileged EXEC mode. Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no ip sdr cache-timeout global configuration command.
  • Page 647 Chapter 24 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features multicast packets with an initial TTL value set to 99. The engineering and marketing departments have set a TTL threshold of 40 at the perimeter of their networks; therefore, multicast applications running on these networks can prevent their multicast transmissions from leaving their respective networks.
  • Page 648: Configuring An Ip Multicast Boundary

    Chapter 24 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features Configuring an IP Multicast Boundary Like TTL thresholds, administratively-scoped boundaries can also be used to limit the forwarding of multicast traffic outside of a domain or subdomain. This approach uses a special range of multicast addresses, called administratively-scoped addresses, as the boundary mechanism.
  • Page 649: Configuring Basic Dvmrp Interoperability Features

    Chapter 24 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Beginning in privileged EXEC mode, follow these steps to set up an administratively-scoped boundary: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} source [source-wildcard] Create a standard access list, repeating the command as many times as necessary.
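The TTL threshold (page 646), the administratively-scoped boundary (pages 648 and 649) and the IGMP access group (page 641) are three different places to decide how far multicast traffic may travel and who may ask for it. A TTL threshold depends on the sender choosing a sensible TTL; a boundary on the 239.0.0.0/8 administratively-scoped range does not. The configuration below is an added example, not text from the guide, with the uplink, the user VLAN, the addresses and the group numbers assumed.

```cisco
! Added example; uplink, user VLAN, addresses and group numbers are hypothetical.
!
! Organisation-local range 239.0.0.0/8 never leaves on the uplink, whatever
! TTL the sender used; everything else is forwarded only if its TTL is
! greater than 16, which stops low-TTL local sessions from leaking.
access-list 40 deny   239.0.0.0 0.255.255.255
access-list 40 permit 224.0.0.0 15.255.255.255
!
interface gigabitethernet0/1
 no switchport
 ip address 10.9.9.1 255.255.255.0
 ip pim sparse-dense-mode
 ip multicast boundary 40
 ip multicast ttl-threshold 16
!
! Join control on a user segment: hosts on vlan 20 may join only the two
! company channels. IGMP reports for any other group are ignored, so the
! switch builds no forwarding state for them and floods nothing unexpected.
access-list 41 permit 239.1.1.1
access-list 41 permit 239.1.1.2
!
interface vlan 20
 ip address 10.20.0.1 255.255.255.0
 ip pim sparse-dense-mode
 ip igmp access-group 41
!
! Verify: only 239.1.1.1 and 239.1.1.2 should ever appear for vlan 20, and
! no 239.x.x.x group should have gigabitethernet0/1 in its outgoing list.
! show ip igmp groups vlan 20
! show ip mroute
```

Because the boundary access list matches group addresses, the deny for 239.0.0.0/8 must precede the permit for the full 224.0.0.0/4 range; reversing the two lines would let everything through.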
  • Page 650: Configuring Dvmrp Interoperability

    DVMRP routers and, in turn, forwards multicast packets to DVMRP routers. DVMRP interoperability is automatically activated when a Cisco PIM device receives a DVMRP probe message on a multicast-enabled interface. No specific IOS command is configured to enable DVMRP interoperability;...
  • Page 651 Chapter 24 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Beginning in privileged EXEC mode, follow these steps to configure the sources that are advertised and the metrics that are used when DVMRP route-report messages are sent: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 652: Configuring A Dvmrp Tunnel

    Switch(config)# access-list 2 permit 0.0.0.0 255.255.255.255
    Configuring a DVMRP Tunnel The Cisco IOS software supports DVMRP tunnels to the MBONE. You can configure a DVMRP tunnel on a router or multilayer switch if the other end is running DVMRP. The software then sends and receives multicast packets through the tunnel.
  • Page 653 Chapter 24 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features Beginning in privileged EXEC mode, follow these steps to configure a DVMRP tunnel: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} source [source-wildcard] Create a standard access list, repeating the command as many times as necessary.
  • Page 654: Advertising Network 0.0.0.0 To Dvmrp Neighbors

    Switch(config)# access-list 1 permit 198.92.37.0 0.0.0.255
    Advertising Network 0.0.0.0 to DVMRP Neighbors If your multilayer switch is a neighbor of an mrouted version 3.6 device, you can configure the Cisco IOS software to advertise network 0.0.0.0 (the default route) to the DVMRP neighbor. The DVMRP default route computes the RPF information for any multicast sources that do not match a more specific route.
  • Page 655: Responding To Mrinfo Requests

    Responding to mrinfo Requests The Cisco IOS software answers mrinfo requests sent by mrouted systems and Cisco routers and multilayer switches. The software returns information about neighbors through DVMRP tunnels and all the routed interfaces. This information includes the metric (always set to 1), the configured TTL threshold, the status of the interface, and various flags.
  • Page 656: Configuring Advanced Dvmrp Interoperability Features

    Configuring Advanced DVMRP Interoperability Features Configuring Advanced DVMRP Interoperability Features Cisco routers and multilayer switches run PIM to forward multicast packets to receivers and receive multicast packets from senders. It is also possible to propagate DVMRP routes into and through a PIM cloud.
  • Page 657: Rejecting A Dvmrp Nonpruning Neighbor

    Configuring Advanced DVMRP Interoperability Features Rejecting a DVMRP Nonpruning Neighbor By default, Cisco devices accept all DVMRP neighbors as peers, regardless of their DVMRP capability. However, some non-Cisco devices run old versions of DVMRP that cannot prune, so they continuously receive forwarded packets, wasting bandwidth.
  • Page 658 Chapter 24 Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Figure 24-14 Router Rejects Nonpruning DVMRP Neighbor (figure labels: Source, Router or RP, Router A, Router B, Receiver, Leaf DVMRP device, Multilayer switch; multicast traffic gets to receiver, not to leaf DVMRP device; configure the ip dvmrp reject-non-pruners command on this interface).
  • Page 659: Controlling Route Exchanges

    Configuring IP Multicast Routing Configuring Advanced DVMRP Interoperability Features Controlling Route Exchanges This section describes how to tune the Cisco device advertisements of DVMRP routes. It contains this configuration information: • Limiting the Number of DVMRP Routes Advertised, page 24-53 •...
  • Page 660: Changing The Dvmrp Route Threshold

    Cisco router that is not on these two Ethernet segments does not properly RPF-check on the DVMRP router and is discarded. You can force the Cisco router to advertise the summary address (specified by the address and mask pair in the ip dvmrp summary-address address mask interface configuration command) in place of any route that falls in this address range.
  • Page 661 (figure residue; only labels survive) DVMRP router: interface fastethernet 0/2, ip addr 176.32.15.1 255.255.255.0, ip pim dense-mode; 176.32.15.0/24 m = 1; Tunnel; Cisco router with DVMRP Route Table and Unicast Routing Table (10,000 Routes), columns Network, Intf, Metric, Dist, Src...
  • Page 662: Disabling Dvmrp Autosummarization

    Configuring Advanced DVMRP Interoperability Features Disabling DVMRP Autosummarization By default, the Cisco IOS software automatically performs some level of DVMRP summarization. Disable this function if you want to advertise all routes, not just a summary. In some special cases, you can use the neighboring DVMRP router with all subnet information to better control the flow of multicast traffic in the DVMRP network.
  • Page 663: Monitoring And Maintaining Ip Multicast Routing

    Chapter 24 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Beginning in privileged EXEC mode, follow these steps to change the default metric: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Enter interface configuration mode, and specify the interface to be configured.
  • Page 664: Clearing Caches, Tables, And Databases

    Chapter 24 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Clearing Caches, Tables, and Databases You can remove all contents of a particular cache, table, or database. Clearing a cache, table, or database might be necessary when the contents of the particular structure are, or are suspected to be, invalid. You can use any of the privileged EXEC commands in Table 24-3 to clear IP multicast caches, tables,...
  • Page 665: Monitoring Ip Multicast Routing

    Chapter 24 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Table 24-4 Commands for Displaying System and Network Statistics (continued) Command Purpose show ip pim interface [type number] [count] Display information about interfaces configured for PIM. show ip pim neighbor [type number] List the PIM neighbors discovered by the multilayer switch.
  • Page 666 Chapter 24 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing Catalyst 3550 Multilayer Switch Software Configuration Guide 24-60 78-11194-03...
  • Page 667: Chapter 25 Configuring Msdp

    You can order the Enhanced Multilayer Software Image Upgrade kit to upgrade Catalyst 3550 Fast Ethernet switches from the SMI to the EMI. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
  • Page 668: Msdp Operation

    Chapter 25 Configuring MSDP Understanding MSDP The purpose of this topology is to have domains discover multicast sources in other domains. If the multicast sources are of interest to a domain that has receivers, multicast data is delivered over the normal, source-tree building mechanism in PIM-SM.
  • Page 669: Msdp Benefits

    Chapter 25 Configuring MSDP Understanding MSDP Figure 25-1 MSDP Running Between RP Peers (figure labels: MSDP peer, RP + MSDP peer, MSDP SA, Peer RPF flooding, TCP connection, Receiver, Register, Multicast (S,G) Join, Source, PIM sparse-mode domain) MSDP Benefits MSDP has these benefits: •...
  • Page 670: Configuring Msdp

    Chapter 25 Configuring MSDP Configuring MSDP Configuring MSDP This section describes how to configure MSDP. It contains this configuration information: • Default MSDP Configuration, page 25-4 • Configuring a Default MSDP Peer, page 25-4 (required) • Caching Source-Active State, page 25-6 (optional) •...
  • Page 671 Chapter 25 Configuring MSDP Configuring MSDP Figure 25-2 Default MSDP Peer Network (figure labels: Router C, Default MSDP peer, ISP C PIM domain, 10.1.1.1, Multilayer Switch B, Router A, Default MSDP peer, ISP A PIM domain, Customer PIM domain) Beginning in privileged EXEC mode, follow these steps to specify a default MSDP peer: Command Purpose...
  • Page 672: Caching Source-Active State

    Chapter 25 Configuring MSDP Configuring MSDP Command Purpose Step 3 ip prefix-list name [description string] | seq number {permit | deny} network length (Optional) Create a prefix list using the name specified in Step 2. • (Optional) For description string, enter a description of up to 80 characters to describe this prefix list.
  • Page 673 Chapter 25 Configuring MSDP Configuring MSDP Beginning in privileged EXEC mode, follow these steps to enable the caching of source/group pairs: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip msdp cache-sa-state [list access-list-number] Enable the caching of source/group pairs (create an SA state). Those pairs that pass the access list are cached.
  • Page 674: Requesting Source Information From An Msdp Peer

    Chapter 25 Configuring MSDP Configuring MSDP Requesting Source Information from an MSDP Peer Local RPs can send SA requests and get immediate responses for all active sources for a given group. By default, the multilayer switch does not send any SA request messages to its MSDP peers when a new member joins a group and wants to receive multicast traffic.
  • Page 675: Redistributing Sources

    Chapter 25 Configuring MSDP Configuring MSDP Redistributing Sources SA messages are originated on RPs to which sources have registered. By default, any source that registers with an RP is advertised. The A flag is set in the RP when a source is registered, which means the source is advertised in an SA unless it is filtered.
  • Page 676 Chapter 25 Configuring MSDP Configuring MSDP Command Purpose Step 3 access-list access-list-number {deny | permit} source [source-wildcard] Create an IP standard access list, repeating the command as many times as necessary. access-list access-list-number {deny | permit} protocol source source-wildcard Create an IP extended access list, repeating the command as many times as necessary.
  • Page 677: Filtering Source-Active Request Messages

    Chapter 25 Configuring MSDP Configuring MSDP Filtering Source-Active Request Messages By default, only multilayer switches that are caching SA information can respond to SA requests. By default, such a switch honors all SA request messages from its MSDP peers and supplies the IP addresses of the active sources.
  • Page 678: Controlling Source Information That Your Switch Forwards

    Chapter 25 Configuring MSDP Configuring MSDP Controlling Source Information that Your Switch Forwards By default, the multilayer switch forwards all SA messages it receives to all its MSDP peers. However, you can prevent outgoing messages from being forwarded to a peer by using a filter or by setting a time-to-live (TTL) value.
  • Page 679 This example shows how to allow only (S,G) pairs that pass access list 100 to be forwarded in an SA message to the peer named switch.cisco.com: Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet0/1 Switch(config)# ip msdp sa-filter out switch.cisco.com list 100 Switch(config)# access-list 100 permit ip 171.69.0.0 0.0.255.255 224.2.0.0 0.0.255.255 Catalyst 3550 Multilayer Switch Software Configuration Guide...
  • Page 680: Using Ttl To Limit The Multicast Data Sent In Sa Messages

    Chapter 25 Configuring MSDP Configuring MSDP Using TTL to Limit the Multicast Data Sent in SA Messages You can use a TTL value to control what data is encapsulated in the first SA message for every source. Only multicast packets with an IP-header TTL greater than or equal to the ttl argument are sent to the specified MSDP peer.
  • Page 681 To remove the filter, use the no ip msdp sa-filter in {ip-address | name} [list access-list-number] [route-map map-tag] global configuration command. This example shows how to filter all SA messages from the peer named switch.cisco.com: Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet0/1 Switch(config)# ip msdp sa-filter in switch.cisco.com...
  • Page 682: Configuring An Msdp Mesh Group

    Chapter 25 Configuring MSDP Configuring MSDP Configuring an MSDP Mesh Group An MSDP mesh group is a group of MSDP speakers that have fully meshed MSDP connectivity among one another. Any SA messages received from a peer in a mesh group are not forwarded to other peers in the same mesh group.
  • Page 683: Including A Bordering Pim Dense-Mode Region In Msdp

    Chapter 25 Configuring MSDP Configuring MSDP Beginning in privileged EXEC mode, follow these steps to shut down a peer: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip msdp shutdown {peer-name | peer address} Administratively shut down the specified MSDP peer without losing configuration information.
  • Page 684: Configuring An Originating Address Other Than The Rp Address

    Chapter 25 Configuring MSDP Configuring MSDP Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Note that the ip msdp originator-id global configuration command also identifies an interface type and number to be used as the RP address.
  • Page 685: Monitoring And Maintaining Msdp

    Chapter 25 Configuring MSDP Monitoring and Maintaining MSDP Monitoring and Maintaining MSDP To monitor MSDP SA messages, peers, state, or peer status, use one or more of the privileged EXEC commands in Table 25-1: Table 25-1 Commands for Monitoring and Maintaining MSDP Command Purpose debug ip msdp [peer-address | name] [detail] [routes]...
  • Page 687: Chapter 26 Configuring Fallback Bridging

    You can order the Enhanced Multilayer Software Image Upgrade kit to upgrade Catalyst 3550 Fast Ethernet switches from the SMI to the EMI. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Bridging and IBM Networking Command Reference for Release 12.1.
  • Page 688 Chapter 26 Configuring Fallback Bridging Understanding Fallback Bridging acts like a port on a router, but it is not connected to a router. A routed port is not associated with a particular VLAN, does not support VLAN subinterfaces, but behaves like a normal routed interface. For more information about SVIs and routed ports, see Chapter 8, “Configuring Interface Characteristics.”...
  • Page 689: Configuring Fallback Bridging

    Chapter 26 Configuring Fallback Bridging Configuring Fallback Bridging Configuring Fallback Bridging This section describes how to configure fallback bridging on your switch. It contains this configuration information: • Default Fallback Bridging Configuration, page 26-3 • Creating a Bridge Group, page 26-4 • Preventing the Forwarding of Dynamically Learned Stations, page 26-5 •...
  • Page 690: Creating A Bridge Group

    Chapter 26 Configuring Fallback Bridging Configuring Fallback Bridging Creating a Bridge Group To configure fallback bridging for a set of SVIs or routed ports, these interfaces must be assigned to bridge groups. All interfaces in the same group belong to the same bridge domain. Each SVI or routed port can be assigned to only one bridge group.
  • Page 691: Preventing The Forwarding Of Dynamically Learned Stations

    Chapter 26 Configuring Fallback Bridging Configuring Fallback Bridging This example shows how to create bridge group 10, specify the VLAN-bridge STP to run in the bridge group, and assign an interface to the bridge group: Switch(config)# bridge 10 protocol vlan-bridge Switch(config)# interface gigabitethernet0/1 Switch(config-if)# no switchport Switch(config-if)# bridge-group 10...
  • Page 692: Configuring The Bridge Table Aging Time

    Chapter 26 Configuring Fallback Bridging Configuring Fallback Bridging Configuring the Bridge Table Aging Time A switch forwards, floods, or drops packets based on the bridge table. The bridge table maintains both static and dynamic entries. Static entries are entered by you or learned by the switch. Dynamic entries are entered by the bridge learning process.
  • Page 693: Adjusting Spanning-Tree Parameters

    Poorly planned adjustments can have a negative impact on performance. A good source on switching is the IEEE 802.1d specification; for more information, refer to the “References and Recommended Reading” appendix in the Cisco IOS Configuration Fundamentals Command Reference.
  • Page 694: Changing The Switch Priority

    Chapter 26 Configuring Fallback Bridging Configuring Fallback Bridging Changing the Switch Priority You can globally configure the priority of an individual switch when two switches tie for position as the root switch, or you can configure the likelihood that a switch will be selected as the root switch. This priority is determined by default;...
  • Page 695: Assigning A Path Cost

    Chapter 26 Configuring Fallback Bridging Configuring Fallback Bridging Command Purpose Step 5 show running-config Verify your entry. Step 6 copy running-config startup-config (Optional) Save your entry in the configuration file. No no form of this command exists. To return to the default setting, use the bridge-group bridge-group priority number interface configuration command.
  • Page 696: Adjusting Bpdu Intervals

    Chapter 26 Configuring Fallback Bridging Configuring Fallback Bridging Adjusting BPDU Intervals You can adjust BPDU intervals as described in these sections: • Adjusting the Interval between Hello BPDUs • Defining the Forward Delay Interval • Defining the Maximum Idle Interval Note Each switch in a spanning tree adopts the interval between hello BPDUs, the forward delay interval, and the maximum idle interval parameters of the root switch, regardless of what its individual...
  • Page 697 Chapter 26 Configuring Fallback Bridging Configuring Fallback Bridging Command Purpose Step 3 Return to privileged EXEC mode. Step 4 show running-config Verify your entry. Step 5 copy running-config startup-config (Optional) Save your entry in the configuration file. To return to the default setting, use the no bridge bridge-group forward-time seconds global configuration command.
  • Page 698: Disabling The Spanning Tree On An Interface

    Chapter 26 Configuring Fallback Bridging Monitoring and Maintaining the Network Disabling the Spanning Tree on an Interface When a loop-free path exists between any two switched subnetworks, you can prevent BPDUs generated in one switching subnetwork from impacting devices in the other switching subnetwork, yet still permit switching throughout the network as a whole.
  • Page 699: Chapter 27 Troubleshooting

    Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release and the Cisco IOS Command Summary for Release 12.1. This chapter consists of these sections: •...
  • Page 700: Recovering From Corrupted Software

    Chapter 27 Troubleshooting Using Recovery Procedures Recovering from Corrupted Software Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity.
  • Page 701: Recovering From A Lost Or Forgotten Password

    Chapter 27 Troubleshooting Using Recovery Procedures Recovering from a Lost or Forgotten Password The default configuration for Catalyst 3550 switches allows an end user with physical access to the switch to recover from a lost password by interrupting the boot process during power-on and by entering a new password.
  • Page 702 Chapter 27 Troubleshooting Using Recovery Procedures Step 2 If you had set the console port speed to anything other than 9600, it has been reset to that particular speed. Change the emulation software line speed to match that of the switch console port. Step 3 Load any helper files: switch: load_helper...
  • Page 703: Procedure With Password Recovery Disabled

    Chapter 27 Troubleshooting Using Recovery Procedures Step 12 Return to privileged EXEC mode: Switch(config)# exit Switch# Step 13 Write the running configuration to the startup configuration file: Switch# copy running-config startup-config The new password is now in the startup configuration. Note This procedure is likely to leave your switch virtual interface in a shutdown state.
  • Page 704 Chapter 27 Troubleshooting Using Recovery Procedures Step 3 Display the contents of Flash memory: switch: dir flash: The switch file system is displayed: Directory of flash: drwx Mar 01 1993 22:30:48 c3550-i5q3l2-mz-121-0.0.53 -rwx Mar 01 1993 22:30:57 env_vars -rwx Mar 01 1993 22:30:57 system_env_vars 16128000 bytes total (10003456 bytes free) Step 4...
  • Page 705: Recovering From A Command Switch Failure

    Chapter 27 Troubleshooting Using Recovery Procedures Recovering from a Command Switch Failure This section describes how to recover from a failed command switch. You can configure a redundant command switch group by using the Hot Standby Router Protocol (HSRP). For more information, see Chapter 5, “Clustering Switches”...
  • Page 706 Chapter 27 Troubleshooting Using Recovery Procedures Step 9 Use the setup program to configure the switch IP information. This program prompts you for IP address information and passwords. From privileged EXEC mode, enter setup, and press Return. Switch# setup --- System Configuration Dialog --- Continue with configuration dialog? [yes/no]: y At any point you may enter a question mark '?' for help.
  • Page 707: Replacing A Failed Command Switch With Another Switch

    Chapter 27 Troubleshooting Using Recovery Procedures Replacing a Failed Command Switch with Another Switch To replace a failed command switch with a switch that is command-capable but not part of the cluster, follow these steps: Step 1 Insert the new switch in place of the failed command switch, and duplicate its connections to the cluster members.
  • Page 708: Recovering From Lost Member Connectivity

    Chapter 27 Troubleshooting Preventing Autonegotiation Mismatches Step 10 When prompted, assign a name to the cluster, and press Return. The cluster name can be 1 to 31 alphanumeric characters, dashes, or underscores. Step 11 When the initial configuration displays, verify that the addresses are correct. Step 12 If the displayed information is correct, enter Y, and press Return.
  • Page 709: Diagnosing Connectivity Problems

    Chapter 27 Troubleshooting Diagnosing Connectivity Problems Diagnosing Connectivity Problems This section describes how to troubleshoot connectivity problems: • Understanding Ping, page 27-11 • Executing Ping, page 27-11 • Understanding IP Traceroute, page 27-12 • Executing IP Traceroute, page 27-13 Understanding Ping The switch supports IP ping, which you can use to test connectivity to remote hosts.
  • Page 710: Understanding Ip Traceroute

    Chapter 27 Troubleshooting Diagnosing Connectivity Problems This example shows how to ping an IP host: Switch# ping 172.20.52.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echoes to 172.20.52.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms Switch# Table 27-1 describes the possible ping character output.
  • Page 711: Executing Ip Traceroute

    Chapter 27 Troubleshooting Diagnosing Connectivity Problems To determine when a datagram reaches its destination, traceroute sets the UDP destination port number in the datagram to a very large value that the destination host is unlikely to be using. When a host receives a datagram destined to itself containing a destination port number that is unused locally, it sends an ICMP port unreachable error to the source.
  • Page 712: Using Debug Commands

    For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
  • Page 713: Enabling All-System Diagnostics

    Chapter 27 Troubleshooting Using the show forward Command Enabling All-System Diagnostics Beginning in privileged EXEC mode, enter this command to enable all-system diagnostics: Switch# debug all Caution Because debugging output takes priority over other network traffic, and because the debug all privileged EXEC command generates more output than any other debug command, it can severely diminish switch performance or even render it unusable.
  • Page 714 Chapter 27 Troubleshooting Using the show forward Command This is an example of the output from the show forward privileged EXEC command for Fast Ethernet port 8, where VLAN ID, source and destination MAC addresses, and source and destination IP addresses were provided.
  • Page 715: Using The Crashinfo File

    The information in the file includes the IOS image name and version that failed, a dump of the processor registers, and a stack trace. You can provide this information to the Cisco technical support representative by using the show tech-support privileged EXEC command.
  • Page 717: Appendix

    BRIDGE-MIB (RFC1493) • CISCO-VLAN-MEMBERSHIP-MIB • CISCO-VLAN-IFINDEX-RELATIONSHIP-MIB • CISCO-STACK-MIB (only a subset of the available MIB objects are implemented; not all objects are supported) • RMON 1 MIB (only RMON etherStats, etherHistory, alarms, and events are supported) • IGMP MIB •...
  • Page 718: Appendix A Supported Mib

    /pub/mibs/v1 and the /pub/mibs/v2. ftp> Step 5 Use the get MIB_filename command to obtain a copy of the MIB file. Note You can also access information about MIBs on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml Catalyst 3550 Multilayer Switch Software Configuration Guide 78-11194-03...
  • Page 719: Appendix

    Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This appendix consists of these sections: • Working with the Flash File System, page B-1 •...
  • Page 720: Displaying Available File Systems

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with the Flash File System Displaying Available File Systems To display the available file systems on your switch, use the show file systems privileged EXEC command as shown in this example: Switch# show file systems File Systems: Size(b)
  • Page 721: Appendix B Working With The Ios File System, Configuration Files, And Software Images

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with the Flash File System Setting the Default File System You can specify the file system or directory that the system uses as the default file system by using the cd filesystem: privileged EXEC command.
  • Page 722: Creating And Removing Directories

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with the Flash File System Creating and Removing Directories Beginning in privileged EXEC mode, follow these steps to create and remove a directory: Command Purpose Step 1 dir filesystem: Display the directories on the specified file system.
  • Page 723: Deleting Files

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with the Flash File System Some invalid combinations of source and destination exist. Specifically, you cannot copy these combinations: • From a running configuration to a running configuration •...
  • Page 724: Creating, Displaying, And Extracting Tar Files

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with the Flash File System Creating, Displaying, and Extracting tar Files You can create a tar file and write files into it, list the files in a tar file, and extract the files from a tar file as described in the next sections.
  • Page 725: Extracting A Tar File

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with the Flash File System You can also limit the display of the files by specifying an optional list of files or directories after the tar file; then only these files are displayed. If none are specified, all files and directories are displayed. This example shows how to display the contents of the c3550-i5q3l2-mz.121-6.EA1.tar file that is in Flash memory: Switch# archive tar /table flash:c3550-i5q3l2-mz.121-6.EA1.tar...
  • Page 726: Displaying The Contents Of A File

    This section describes how to create, load, and maintain configuration files. Configuration files contain commands entered to customize the function of the Cisco IOS software. To better benefit from these instructions, your switch must contain a minimal configuration for interacting with the system software.
  • Page 727: Guidelines For Creating And Using Configuration Files

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Configuration Files • Copying Configuration Files By Using FTP, page B-12 • Copying Configuration Files By Using RCP, page B-16 • Clearing Configuration Information, page B-19 Guidelines for Creating and Using Configuration Files Creating configuration files can aid in your switch configuration.
  • Page 728: Creating A Configuration File By Using A Text Editor

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Configuration Files Creating a Configuration File By Using a Text Editor When creating a configuration file, you must list commands logically so that the system can respond appropriately.
  • Page 729 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Configuration Files • Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation). •...
  • Page 730: Copying Configuration Files By Using Ftp

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: The username specified in the copy command if a username is specified.
  • Page 731: Preparing To Download Or Upload A Configuration File By Using Ftp

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Configuration Files If the server has a directory structure, the configuration file is written to or copied from the directory associated with the username on the server. For example, if the configuration file resides in the home directory of a user on the server, specify that user's name as the remote username.
  • Page 732 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Configuration Files Command Purpose Step 6 Return to privileged EXEC mode. Step 7 copy ftp:[[[//[username[:password]@]location]/directory]/filename] system:running-config Using FTP, copy the configuration file from a network server to the running configuration or to the startup configuration file.
  • Page 733: Uploading A Configuration File By Using Ftp

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Configuration Files Uploading a Configuration File By Using FTP Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using FTP: Command Purpose Step 1...
  • Page 734: Copying Configuration Files By Using Rcp

    The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list: •...
  • Page 735 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Configuration Files • When you upload a file to the RCP server, it must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server.
  • Page 736 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Configuration Files This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 to the startup configuration: Switch# configure terminal Switch(config)# ip rcmd remote-username netadmin1...
  • Page 737: Clearing Configuration Information

    Depending on the setting of the file prompt global configuration command, you might be prompted for confirmation before you delete a file. By default, the switch prompts for confirmation on destructive file operations. For more information about the file prompt command, refer to the Cisco IOS Command Reference for Release 12.1.
  • Page 738: Image Location On The Switch

    Flash memory. tar File Format of Images on a Server or Cisco.com Software images located on a server or downloaded from Cisco.com are provided in a tar file format, which contains these files: •...
  • Page 739: Copying Image Files By Using Tftp

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images Table B-3 info and info.ver File Description (Field: Description) version_suffix: Specifies the IOS image version string suffix. version_directory: Specifies the directory where the IOS image and the HTML subdirectory are installed. image_name: Specifies the name of the IOS image within the tar file. ios_image_file_size...
  • Page 740: Preparing To Download Or Upload An Image File By Using Tftp

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images Preparing to Download or Upload an Image File By Using TFTP Before you begin downloading or uploading an image file by using TFTP, do these tasks: Ensure that the workstation acting as the TFTP server is properly configured.
  • Page 741 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images Command Purpose Step 3 archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar: Download the image file from the TFTP server to the switch, and overwrite the current image. •...
  • Page 742: Uploading An Image File By Using Tftp

    Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images Uploading an Image File By Using TFTP You can upload an image from the switch to a TFTP server. You can later download this image to the switch or to another switch of the same type.
  • Page 743: Copying Image Files By Using Ftp

    The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: The username specified in the archive download-sw or archive upload-sw privileged EXEC •...
  • Page 744 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images Before you begin downloading or uploading an image file by using FTP, do these tasks: • Ensure that the switch has a route to the FTP server. The switch and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets.
  • Page 745 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images Command Purpose Step 7 archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory]/image-name.tar: Download the image file from the FTP server to the switch, and overwrite the current image. •...
  • Page 746 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images The algorithm installs the downloaded image onto the system board Flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
  • Page 747: Copying Image Files By Using Rcp

    RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the switch to a server by using RCP, the Cisco IOS software sends the first valid username in this list: •...
  • Page 748 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images For the RCP copy request to execute successfully, an account must be defined on the network server for the remote username. If the server has a directory structure, the image file is written to or copied from the directory associated with the remote username on the server.
  • Page 749 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images Command Purpose Step 5 Return to privileged EXEC mode. Step 6 archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-na: Download the image file from the RCP server to the switch, and overwrite the current image.
  • Page 750 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images If you specify the /leave-old-sw option, the existing files are not removed. If there is not enough room to install the new image and keep the running image, the download process stops, and an error message is displayed.
  • Page 751 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images Command Purpose Step 5 Return to privileged EXEC mode. Step 6 archive upload-sw rcp:[[[//[username@]location]/directory]/image-na: Upload the currently running switch image to the RCP server.
  • Page 752 Appendix B Working with the IOS File System, Configuration Files, and Software Images Working with Software Images Catalyst 3550 Multilayer Switch Software Configuration Guide B-34 78-11194-03...
  • Page 753: Appendix

    Appendix C Unsupported CLI Commands This appendix lists the unsupported command-line interface (CLI) commands that are displayed when you enter the question mark (?) at the switch prompt. The unsupported commands are listed by software feature and command mode.
  • Page 754: Appendix C Unsupported Cli Command

    Appendix C Unsupported CLI Commands
    FallBack Bridging
    Unsupported Privileged EXEC Commands
    clear bridge [bridge-group] multicast [router-ports | groups | counts] [group-address] [interface-unit] [counts]
    clear vlan statistics
    show bridge [bridge-group] circuit-group [circuit-group] [src-mac-address] [dst-mac-address]
    show bridge [bridge-group] multicast [router-ports | groups] [group-address]
    show bridge vlan
    show interfaces crb
    show interfaces {ethernet | fastethernet} [interface | slot/port] irb...
  • Page 755: Hsrp

    Appendix C Unsupported CLI Commands HSRP
    bridge-group bridge-group input-pattern-list access-list-number
    bridge-group bridge-group input-type-list access-list-number
    bridge-group bridge-group lat-compression
    bridge-group bridge-group output-address-list access-list-number
    bridge-group bridge-group output-lat-service-deny group-list
    bridge-group bridge-group output-lat-service-permit group-list
    bridge-group bridge-group output-lsap-list access-list-number
    bridge-group bridge-group output-pattern-list access-list-number
    bridge-group bridge-group output-type-list access-list-number
    bridge-group bridge-group sse
    bridge-group bridge-group subscriber-loop-control
    bridge-group bridge-group subscriber-trunk...
  • Page 756: Interface Configuration Commands

    Appendix C Unsupported CLI Commands
    Interface Configuration Commands
    switchport broadcast level
    switchport multicast level
    switchport unicast level
    Note These commands were replaced in IOS release 12.1(8)EA1 by the storm-control {broadcast | multicast | unicast} level level [.level] interface configuration command.
    IP Multicast Routing
    Unsupported Privileged EXEC Commands
    clear ip rtp header-compression [type number]...
  • Page 757: Unsupported Interface Configuration Commands

    Appendix C Unsupported CLI Commands IP Unicast Routing
    Unsupported Interface Configuration Commands
    frame-relay ip rtp header-compression [active | passive]
    frame-relay map ip ip-address dlci [broadcast] compress
    frame-relay map ip ip-address dlci rtp header-compression [active | passive]
    ip igmp helper-address ip-address
    ip multicast helper-map {group-address | broadcast} {broadcast-address | multicast-address} extended-access-list-number
    ip multicast rate-limit {in | out} [video | whiteboard] [group-list access-list] [source-list access-list]...
  • Page 758: Unsupported Interface Configuration Commands

    Appendix C Unsupported CLI Commands IP Unicast Routing
    ip reflexive-list
    ip vrf
    router bgp
    router egp
    router-isis
    router iso-igrp
    router mobile
    router odr
    router static
    Unsupported Interface Configuration Commands
    ip accounting
    ip load-sharing [per-packet]
    ip mtu bytes
    ip route-cache
    ip verify
    ip vrf
    ip unnumbered type number
    All ip security commands...
  • Page 759: Msdp

    Appendix C Unsupported CLI Commands
    MSDP
    Unsupported Privileged EXEC Commands
    show access-expression
    show exception
    show location
    show pm LINE
    show smf [interface-id]
    show subscriber-policy [policy-number]
    show template [template-name]
    Unsupported Global Configuration Commands
    ip msdp default-peer ip-address | name [prefix-list list] (Because BGP/MBGP is not supported, use the ip msdp peer command instead of this command.)
    RADIUS
    Unsupported Global Configuration Commands...
  • Page 761: Index

    Index accounting with RADIUS 6-27 Numerics accounting with TACACS+ 6-11, 6-17 802.1Q ACEs and trunk ports and QoS 20-7 configuration limitations 9-24 defined 19-2 encapsulation 9-22, 9-24 Ethernet 19-2 native VLAN for untagged traffic 9-29 19-2 802.1Q trunk mode Layer 3 parameters 19-10...
  • Page 762 Index ACLs (continued) ACLs (continued) host keyword 19-12 VLAN maps configuration guidelines 19-28 applying to interface configuring 19-18 19-27 creating 19-6 defined 19-3 fragments and QoS guidelines active router 20-20 23-1 implicit deny addresses 19-9, 19-13, 19-15 implicit masks 19-9 displaying the MAC address table 6-57 matching criteria...
  • Page 763 Index aggregate policing authorization with RADIUS 6-26 aging, accelerating 10-10 authorization with TACACS+ 6-11, 6-16 aging time authorized ports with 802.1X accelerated for STP autoconfiguration 10-10, 10-29 bridge table for fallback bridging 26-6 automatic discovery MAC address table adding member switches 6-53 5-20 maximum for STP...
  • Page 764 Index banners candidate switch configuring adding 5-20 login automatic discovery 6-51 message-of-the-day login defined 6-50 default configuration 6-49 5-22 when displayed passwords 6-49 5-20 binding cluster group and HSRP group requirements 23-9 blocking packets 12-6 standby group 5-22 booting See also command switch, cluster standby group, and member switch boot loader, function of caution, described...
  • Page 765 Cisco Discovery Protocol clusters, switch (continued) See CDP planning considerations Cisco Express Forwarding automatic discovery See CEF automatic recovery 5-12 Cisco Group Management Protocol 5-25 See CGMP described Cisco Technical Assistance Center host names xxxiii 5-16 CiscoWorks 2000 1-6, 18-3...
  • Page 766 Index CMS (continued) commands displaying system messages 3-19 abbreviating error checking no and default 3-32 features setting privilege levels Front Panel images command switch Front Panel view active (AC) 5-12, 5-22 interaction modes command switch with HSRP disabled (CC) 3-26 5-22 menu bar 3-15...
  • Page 767 Index configuration files conventions clearing the startup configuration B-19 command creating using a text editor for examples B-10 default name publication 4-12 deleting a stored configuration B-19 text described 1-4, 20-2 downloading CoS-to-DSCP map for QoS 20-39 automatically 4-12 CoS-to-egress-queue map 20-45 preparing B-10, B-13, B-16...
  • Page 768 Index default configuration (continued) designing your network, examples EtherChannel 21-7 destination addresses, in ACLs 19-11 fallback bridging device discovery protocol 26-3 13-1 HSRP device icons 23-3 IGMP 24-31 Front Panel view IGMP filtering Topology view 11-20 3-12 IGMP snooping device labels 11-5 3-13 IGRP...
  • Page 769 24-56 documentation connecting PIM domain to DVMRP router 24-46 feedback enabling unicast routing xxxii 24-50 obtaining interoperability CD-ROM xxxi with Cisco devices 24-44 world wide web with IOS software xxxi 24-11 ordering xxxii mrinfo requests, responding to 24-49 related xxxi...
  • Page 770 Index DVMRP (continued) EIGRP (continued) support for definition 22-46 tunnels interface parameters, configuring 22-49 configuring monitoring 24-46 22-51 displaying neighbor information 24-49 support for dynamic access mode enable password dynamic access ports enable secret password characteristics encapsulation types, Ethernet trunk 9-24 configuring 9-38...
  • Page 771 Index EtherChannel (continued) expedite queue for QoS (continued) Layer 3 interface 22-3 Gigabit-capable Ethernet ports load balancing allocating bandwidth 21-5, 21-13 20-50 logical interfaces, described configuring 21-2 20-50 number of interfaces per 21-1 described 20-13 overview expert mode 21-1 3-26 PAgP extended system ID for STP 10-3, 10-23...
  • Page 772 QoS policing and marking 9-34 20-10 fan fault indication QoS queueing and scheduling Fast Uplink Transition Protocol 10-14 10/100 ports 20-15 feedback to Cisco Systems, web Gigabit-capable ports xxxii 20-12 22-53 flow control 1-2, 8-16 fiber-optic, detecting unidirectional links 14-1...
  • Page 773 Index FTP (continued) hello time, STP 10-29 image files help, for the command line deleting old image Help button, CMS B-28 3-29 downloading Help Contents B-26 3-27 preparing the server B-25 history uploading changing the buffer size B-28 described disabling recalling commands history table, level and number of syslog messages 17-10...
  • Page 774 Index IGMP (continued) leave processing, enabling 11-9 ICMP leaving multicast group 11-4 redirect messages 22-15 multicast reachability 24-34 support for overview 24-3 time exceeded messages 27-12 queries 11-3 traceroute and 27-12 support for unreachable messages 19-5 Version 1 unreachables and ACLs 19-6 changing to Version 2 24-32...
  • Page 775 Index IGMP snooping (continued) interfaces (continued) Immediate Leave 11-4 flow control 8-16 method management 11-6 monitoring monitoring 11-9 8-18 support for naming 8-17 VLAN configuration physical, identifying 11-6 range of 22-35 IGRP restarting 8-21 advertisements 22-30 shutting down 8-21 alternate routes supported 22-31 configuring...
  • Page 776 PIM domain border 24-22 manually 4-10 IOS release 24-5 through DHCP-based autoconfiguration overview 24-8 default configuration using with Auto-RP 24-27 IP multicast routing Cisco implementation 24-2 addresses configuring all-hosts basic multicast routing 24-1 24-15 all-multicast-routers 24-1 IP multicast boundary 24-42 all-PIM-routers...
  • Page 777 Index IP multicast routing (continued) IP routes, monitoring 22-64 MBONE IP routing deleting sdr cache entries connecting interfaces with 24-58 described enabling 24-39 22-24 displaying sdr cache 24-59 IP traceroute enabling sdr listener support executing 24-39 27-13 limiting DVMRP routes advertised overview 24-53 27-12...
  • Page 778 Index IP unicast routing (continued) protocols Layer 2 frames, classification with CoS 20-2 distance-vector 22-2 Layer 2 interfaces, default configuration 8-13 dynamic 22-2 Layer 2 trunks 9-22 link-state 22-2 Layer 3 features proxy ARP 22-10 Layer 3 interfaces redistribution 22-57 assigning IP addresses to 22-6 reverse address resolution...
  • Page 779 Index marking action in policy map 20-32 MAC addresses action with aggregate policers 20-37 aging time 6-53 described 20-3, 20-8 and VLAN association 6-52 matching, ACLs 19-6 building the address table 6-52 maximum aging time, STP 10-30 default configuration 6-53 maximum-paths command 22-54 displaying...
  • Page 780 Index mirroring traffic for analysis monitoring (continued) 15-1 mismatches, autonegotiation 27-10 speed and duplex mode 8-15 Mode button traffic flowing among switches 16-1 modes traffic suppression 12-11 access to CMS 3-31 VLAN port filters 19-33 VLAN port membership maps 19-33 Modify button 3-29 VMPS...
  • Page 781 Index MSDP (continued) source-active messages named IP ACLs 19-14 caching 25-6 native VLANs 9-29 clearing cache entries 25-19 negotiate trunk mode defined 25-2 neighbor discovery/recovery, EIGRP 22-46 filtering from a peer 25-11 neighboring devices, types of 3-12 filtering incoming 25-14 network configuration examples filtering to a peer 25-12...
  • Page 782 Index NTP (continued) out-of-profile markdown restricting access output interface, getting information about 27-16 creating an access group overheating indication, switch 6-39 disabling NTP services per interface 6-40 source IP address, configuring 6-40 stratum 6-32 support for packet modification, with QoS 20-17 synchronizing devices 6-36...
  • Page 783 Index policers default configuration 24-13 configuring dense mode for each matched traffic class 20-32 (S,G) notation for more than one traffic class 24-6 20-37 graft messages 24-6 described 20-3 overview displaying 24-5 20-56 pruning and SPT number of 24-5 1-4, 20-9 rendezvous point (RP), described 24-7 types of...
  • Page 784 Index port-based authentication (continued) ports (continued) EAP-response/identity frame dynamic VLAN membership, reconfirming 9-39 enabling forwarding, resuming 12-7 802.1X authentication ISL trunk periodic re-authentication 7-10 negotiate trunk encapsulation protected 12-5 initiation and message exchange routed method lists secure 12-8 ports static-access 3-9, 9-3, 9-19 authorization state and dot1x port-control switch...
  • Page 785 Index protected ports QoS (continued) 1-3, 12-5 protocol-dependent modules, EIGRP 22-47 class maps Protocol-Independent Multicast Protocol configuring 20-30 See PIM displaying 20-56 proxy ARP configuration examples configuring common wiring closet 22-13 20-57 definition distribution layer 22-10 20-59 with IP routing disabled 22-14 intelligent wiring closet 20-58...
  • Page 786 Index QoS (continued) QoS (continued) mapping tables queues CoS-to-DSCP CoS-to-egress-queue map 20-39 20-45 CoS-to-egress-queue for 10/100 Ethernet ports 20-45 20-15 displaying 20-56 high priority (expedite) 20-13, 20-50 DSCP-to-CoS minimum-reserve levels 20-42 20-53 DSCP-to-DSCP-mutation serviced by WRR 20-43 20-13, 20-16 DSCP-to-threshold 20-47 size of 20-13, 20-15...
  • Page 787 Index RADIUS (continued) redundancy configuring EtherChannel 21-1 accounting features 6-27 authentication HSRP 6-23 23-1 authorization 6-26 communication, global backbone 6-21, 6-28 10-9 communication, per-server multidrop backbone 6-20, 6-21 10-13 multiple UDP ports 6-20 path cost 9-32 default configuration 6-20 port priority 9-30 defining AAA server groups redundant clusters...
  • Page 788 Index RFC (continued) route summarization, OSPF 22-41 1253, OSPF 22-35 routing 1305, NTP default 6-32 22-2 1587, NSSAs dynamic 22-35 22-2 1757, RMON 16-2 redistribution of information 22-57 1901, SNMPv2C static 18-2 22-2 1902 to 1907, SNMPv2 Routing Information Protocol 18-2 2236, IP multicast and IGMP 11-2...
  • Page 789 Index show interfaces command snooping, IGMP 8-15, 8-17 11-1 show running-config command software images displaying ACLs location in Flash 19-19, 19-30, 19-32 B-20 interface description in recovery procedures 8-17 27-2 shutdown command on interfaces 8-21 scheduling reloads 4-17 Simple Network Management Protocol tar file format, described B-20 See SNMP...
  • Page 790 Index standby command switch statistics (continued) configuring 5-22 QoS ingress and egress 20-56 considerations RMON group Ethernet 5-14 16-5 defined RMON group history 16-5 priority 5-12 SNMP input and output 18-10 requirements 9-13 virtual IP address storm control 5-13 See also cluster standby group and HSRP configuring 12-3 standby group, cluster...
  • Page 791 Index STP (continued) STP (continued) EtherChannel guard root switch described affects of extended system ID 10-20 10-3, 10-23 enabling configuring 10-37 10-23 extended system ID election 10-3 affects on root switch unexpected behavior 10-23 10-23 affects on the secondary root switch settings in a cascaded stack 10-24 10-30...
  • Page 792 Index switch priority, STP system name 10-28 switch software features default configuration 6-46 switch virtual interface default setting 6-46 See SVI manual configuration 6-46 syslog See also DNS See system message logging system prompt system clock default setting 6-46 configuring manual configuration 6-47 daylight saving time...
  • Page 793 3-21 extracting tool tips 3-27 image file format B-20 Topology view technical assistance Collapse Cluster view 3-11 Cisco.com colors xxxiii 3-14 xxxiii described 3-10 TAC website xxxiii device icons 3-12 toll-free telephone numbers device labels...
  • Page 794 Index troubleshooting connectivity problems 27-11 UDLD detecting default configuration 14-3 EtherChannel misconfigurations 10-37 echoing detection mechanism 14-2 unidirectional links 14-1 enabling determining packet disposition 27-15 globally 14-3 displaying crash information 27-17 per interface 14-4 PIMv1 and PIMv2 interoperability problems 24-28 link-detection mechanism 14-1 show forward command...
  • Page 795 B-19 19-30 using FTP B-28 displaying 19-33 using RCP B-32 examples 19-35 using TFTP support for B-24 URLs, Cisco usage xxxi 19-3 User Datagram Protocol with router ACLs 19-42 See UDP VLAN membership user EXEC mode confirming 9-39 username-based authentication...
  • Page 796 Index VLANs (continued) VTP (continued) native, configuring 9-29 configuration requirements number supported configuring 1-3, 9-2 port membership modes client mode 9-11 static-access ports 9-18, 9-19 server mode 9-10 STP and 802.1Q trunks transparent mode 10-8 9-11 supported consistency checks Token Ring 9-15 database 9-17...
  • Page 797 Index VTP (continued) window components, CMS 3-28 version 2 wizards 1-6, 3-26 configuration guidelines WRED 1-4, 20-14 disabling 9-12 1-4, 20-3 enabling 9-12 overview VLAN parameters 9-15 VTP monitoring 9-13 XMODEM protocol 27-2 VTP pruning VVIDs web-based management software See CMS Weighted Random Early Detection See WRED Weighted Round Robin...