Documentation Feedback xxxii Obtaining Technical Assistance xxxii Cisco.com xxxiii Technical Assistance Center xxxiii Cisco TAC Web Site xxxiii Cisco TAC Escalation Center xxxiv CHAPTER Overview Features Management Options Management Interface Options Advantages of Using CMS and Clustering Switches...
Contents Understanding CLI Messages Using Command History Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features Enabling and Disabling Editing Features Editing Commands through Keystrokes Editing Command Lines that Wrap Searching and Filtering Output of show and more Commands Accessing the CLI CHAPTER Getting Started with CMS...
Contents Tool Tips 3-27 Online Help 3-27 CMS Window Components 3-28 Host Name List 3-28 Tabs, Lists, and Tables 3-29 Icons Used in Windows 3-29 Buttons 3-29 Accessing CMS 3-30 Access Modes in CMS 3-31 HTTP Access to CMS 3-31 Verifying Your Changes 3-32 Change Notification...
Contents Scheduling a Reload of the Software Image 4-17 Configuring a Scheduled Reload 4-17 Displaying Scheduled Reload Information 4-18 CHAPTER Clustering Switches Understanding Switch Clusters Command Switch Characteristics Standby Command Switch Characteristics Candidate and Member Switches Characteristics Planning a Switch Cluster Automatic Discovery of Cluster Candidates and Members Discovery through CDP Hops...
Contents CHAPTER Administering the Switch Preventing Unauthorized Access to Your Switch Protecting Access to Privileged EXEC Commands Default Password and Privilege Level Configuration Setting or Changing a Static Enable Password Protecting Enable and Enable Secret Passwords with Encryption Disabling Password Recovery Setting a Telnet Password for a Terminal Line Configuring Username and Password Pairs...
Contents Managing the System Time and Date 6-32 Understanding the System Clock 6-32 Understanding Network Time Protocol 6-32 Configuring NTP 6-34 Default NTP Configuration 6-35 Configuring NTP Authentication 6-35 Configuring NTP Associations 6-36 Configuring NTP Broadcast Service 6-37 Configuring NTP Access Restrictions 6-38 Configuring the Source IP Address for NTP Packets 6-40...
Contents CHAPTER Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication Device Roles Authentication Initiation and Message Exchange Ports in Authorized and Unauthorized States Supported Topologies Configuring 802.1X Authentication Default 802.1X Configuration 802.1X Configuration Guidelines Enabling 802.1X Authentication Configuring the Switch-to-RADIUS-Server Communication Enabling Periodic Re-Authentication...
Contents Configuring IEEE 802.3X Flow Control 8-16 Adding a Description for an Interface 8-17 Monitoring and Maintaining the Layer 2 Interface 8-18 Monitoring Interface and Controller Status 8-18 Clearing and Resetting Interfaces and Counters 8-20 Shutting Down and Restarting the Interface 8-21 Configuring Layer 3 Interfaces 8-22...
Contents 802.1Q Configuration Considerations 9-24 Default Layer 2 Ethernet Interface VLAN Configuration 9-24 Configuring an Ethernet Interface as a Trunk Port 9-25 Configuring a Trunk Port 9-25 Defining the Allowed VLANs on a Trunk 9-27 Changing the Pruning-Eligible List 9-28 Configuring the Native VLAN for Untagged Traffic 9-29 Load Sharing Using STP...
Contents Learning State 10-7 Forwarding State 10-8 Disabled State 10-8 STP Address Management 10-8 STP and IEEE 802.1Q Trunks 10-8 VLAN-Bridge STP 10-9 STP and Redundant Connectivity 10-9 Accelerated Aging to Retain Connectivity 10-10 Understanding Advanced STP Features 10-10 Understanding Port Fast 10-10 Understanding BPDU Guard 10-11...
Contents Configuring Root Guard 10-36 Enabling EtherChannel Guard 10-37 CHAPTER Configuring IGMP Snooping and MVR 11-1 Understanding IGMP Snooping 11-1 Joining a Multicast Group 11-2 Leaving a Multicast Group 11-4 Immediate-Leave Processing 11-4 Configuring IGMP Snooping 11-5 Default IGMP Snooping Configuration 11-5...
Contents Configuring Port Blocking 12-6 Blocking Flooded Traffic on an Interface 12-6 Resuming Normal Forwarding on a Port 12-7 Configuring Port Security 12-8 Understanding Port Security 12-8 Default Port Security Configuration 12-9 Configuration Guidelines 12-9 Enabling and Configuring Port Security 12-9 Displaying Port-Based Traffic Control Settings 12-11...
Contents Configuring SPAN 15-6 Default SPAN Configuration 15-7 SPAN Configuration Guidelines 15-7 Creating a SPAN Session and Specifying Ports to Monitor 15-8 Removing Ports from a SPAN Session 15-10 Specifying VLANs to Monitor 15-11 Specifying VLANs to Filter 15-12 Displaying SPAN Status 15-13 Configuring RMON 16-1...
Contents CHAPTER Configuring SNMP 18-1 Understanding SNMP 18-1 SNMP Versions 18-2 SNMP Manager Functions 18-2 SNMP Agent Functions 18-3 SNMP Community Strings 18-3 Using SNMP to Access MIB Variables 18-3 Configuring SNMP 18-4 Default SNMP Configuration 18-4 Disabling the SNMP Agent 18-5...
Contents Time Range Applied to an IP ACL 19-25 Commented IP ACL Entries 19-25 ACL Logging 19-26 Configuring VLAN Maps 19-27 VLAN Map Configuration Guidelines 19-28 Creating Named MAC Extended ACLs 19-28 Creating a VLAN Map 19-30 Examples of ACLs and VLAN Maps 19-30 Applying a VLAN Map to a VLAN 19-32...
Contents Configuring the Trust State on Ports within the QoS Domain 20-22 Configuring the CoS Value for an Interface 20-24 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain 20-25 Configuring a QoS Policy 20-26 Classifying Traffic by Using ACLs 20-27 Classifying Traffic by Using Class Maps 20-30...
EIGRP Interface Mode Commands 22-49 Configure EIGRP Route Authentication 22-50 Monitoring and Maintaining EIGRP 22-51 Configuring Protocol-Independent Features 22-53 Configuring Cisco Express Forwarding 22-53 Configuring the Number of Equal-Cost Routing Paths 22-54 Configuring Static Routes 22-55 Specifying Default Routes 22-56...
Contents CHAPTER Configuring IP Multicast Routing 24-1 Cisco Implementation of IP Multicast Routing 24-2 Understanding IGMP 24-3 IGMP Version 1 24-3 IGMP Version 2 24-4 Understanding PIM 24-5 PIM Versions 24-5 PIM Modes 24-5...
Contents Changing the IGMP Query Timeout for IGMPv2 24-32 Changing the Maximum Query Response Time for IGMPv2 24-33 Configuring the Multilayer Switch as a Member of a Group 24-34 Controlling Access to IP Multicast Groups 24-35 Modifying the IGMP Host-Query Message Interval 24-36 Configuring the Multilayer Switch as a Statically Connected Member 24-36...
Contents Configuring a Default MSDP Peer 25-4 Caching Source-Active State 25-6 Requesting Source Information from an MSDP Peer 25-8 Controlling Source Information that Your Switch Originates 25-8 Redistributing Sources 25-9 Filtering Source-Active Request Messages 25-11 Controlling Source Information that Your Switch Forwards 25-12 Using a Filter 25-12...
Contents Recovering from a Command Switch Failure 27-7 Replacing a Failed Command Switch with a Cluster Member 27-7 Replacing a Failed Command Switch with Another Switch 27-9 Recovering from Lost Member Connectivity 27-10 Preventing Autonegotiation Mismatches 27-10 Diagnosing Connectivity Problems 27-11 Understanding Ping 27-11...
Working with Software Images B-19 Image Location on the Switch B-20 tar File Format of Images on a Server or Cisco.com B-20 Copying Image Files By Using TFTP B-21 Preparing to Download or Upload an Image File By Using TFTP...
Contents FallBack Bridging Unsupported Privileged EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands HSRP Unsupported Global Configuration Commands Unsupported Interface Configuration Commands Interface Configuration Commands IP Multicast Routing Unsupported Privileged EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands IP Unicast Routing Unsupported Privileged EXEC or User EXEC Commands Unsupported Global Configuration Commands...
This guide is for the networking professional managing the Catalyst 3550 switch, hereafter referred to as the switch or the multilayer switch. Before using this guide, you should have experience working with the Cisco IOS and be familiar with the concepts and terminology of Ethernet and local area networking.
Purpose
This guide provides the information you need to configure Layer 2 and Layer 3 software features on your switch.
MAC addresses. Chapter 13, “Configuring CDP,” describes how to configure Cisco Discovery Protocol (CDP) on your switch. Catalyst 3550 Multilayer Switch Software Configuration Guide...
IP multicast routing. It describes how to use and configure the Internet Group Management Protocol (IGMP), the Protocol-Independent Multicast (PIM) protocol, and Cisco Group Management Protocol (CGMP) server functionality, and how to interoperate between PIM and Distance Vector Multicast Routing Protocol (DVMRP) domains. To use this feature, you must have the enhanced multilayer software image installed on your switch.
Appendix A, “Supported MIBs,” lists the supported MIBs for this release and how to use FTP to access the MIB files. Appendix B, “Working with the IOS File System, Configuration Files, and Software Images,” describes how to manipulate the Flash file system, how to copy configuration files, and how to archive (upload and download) software images.
The following sections explain how to obtain documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at the following URL: http://www.cisco.com
Translated documentation is available at the following URL: http://www.cisco.com/public/countries_languages.shtml...
America, by calling 800 553-NETS (6387).
Documentation Feedback
If you are reading Cisco product documentation on the World Wide Web, you can send us your comments by completing the online survey. When you display the document listing for this platform, click Give Us Your Feedback.
Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to the following URL to register: http://www.cisco.com/register/...
Obtaining Technical Assistance If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.com registered user, you can open a case online by using the TAC Case Open tool at the following URL: http://www.cisco.com/tac/caseopen...
CHAPTER 1 Overview
This chapter provides these topics about the Catalyst 3550 multilayer switch software:
• Features, page 1-1
• Management Options, page 1-5
• Network Configuration Examples, page 1-7
Features
The Catalyst 3550 software supports the hardware listed in the release notes. These sections describe the features supported in this release.
• Address Resolution Protocol (ARP) for identifying a switch through its IP address and its corresponding Media Access Control (MAC) address
• Cisco Discovery Protocol (CDP) versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network
• Network Time Protocol (NTP) for providing a consistent timestamp to all switches from an external source
Table 1-1 Features (continued)
Redundancy
• Hot Standby Router Protocol (HSRP) for command switch and Layer 3 router redundancy
• UniDirectional Link Detection (UDLD) on all Ethernet ports for detecting and disabling unidirectional links on fiber-optic interfaces caused by incorrect fiber-optic wiring or port faults
• IEEE 802.1D Spanning Tree Protocol (STP) for redundant backbone connections and loop-free networks.
Table 1-1 Features (continued)
• Terminal Access Controller Access Control System Plus (TACACS+), a proprietary feature for managing network security through a TACACS server
• Remote Authentication Dial-In User Service (RADIUS), which provides detailed accounting information and flexible administrative control over authentication and authorization processes
Quality of Service and Class of Service
Classification...
Table 1-1 Features (continued)
• Internet Control Message Protocol (ICMP) and ICMP Router Discovery Protocol (IRDP) for using router advertisement and router solicitation messages to discover the addresses of routers on directly attached subnets
• Protocol-Independent Multicast (PIM) for multicast routing within the network, allowing devices in the network to receive the multicast feed they request and switches not participating in the multicast to be pruned.
Using CMS and switch clusters can simplify and minimize your configuration and monitoring tasks. You can use Cisco switch clustering technology to manage up to 16 interconnected, supported Catalyst switches through one IP address. This can conserve IP addresses if you have a limited number of them.
Network Configuration Examples
This section provides network configuration concepts and includes examples of using the switch in different network topologies.
Design Concepts
As your network users compete for network bandwidth, it takes longer to send and receive data. When you configure your network, consider the bandwidth required by your network users and the relative priority of the network applications they use.
Bandwidth alone is not the only consideration when designing your network. As your network traffic profiles evolve, consider providing network services that can support applications for voice and data integration, multimedia integration, application prioritization, and security. Table 1-3 describes some network demands and how you can meet those demands.
Figure 1-1 shows three configuration examples of using Catalyst switches to create the following:
• Cost-effective wiring closet—A cost-effective way to connect many users to the wiring closet is to connect a Catalyst switch cluster of up to nine Catalyst 3550 XL switches (or with a mix of Catalyst 3550, Catalyst 2950, Catalyst 3500 XL, and Catalyst 2900 XL switches) through GigaStack GBIC connections.
Catalyst 2900 XL, Catalyst 2820, and Catalyst 1900 switches. These switches are connected to workstations, Cisco IP Phones, and local servers. You can cluster these switches into multiple clusters, as shown, or into a single cluster. You can manage a cluster through the IP address of its primary and secondary command switches, regardless of the geographic location of the cluster members.
Figure 1-2 Catalyst 3550 Switches in a Collapsed Backbone Configuration [figure: Internet; Cisco 2600 or 3600 routers; Catalyst 3550 multilayer switches; Gigabit servers; two Catalyst GigaStack clusters; Cisco IP Phones]...
Large Network Using Only Catalyst 3550 Switches
Switches in the wiring closet have traditionally been Layer 2-only devices, but as network traffic profiles evolve, switches in the wiring closet are increasingly employing multilayer services such as multicast management and traffic classification.
Figure 1-3 Catalyst 3550 Switches in Wiring Closets in a Backbone Configuration [figure: Cisco 7500 routers; Catalyst 6000 multilayer switches; two Catalyst 3550 clusters; Gigabit servers; Cisco IP Phones; power...]
The aggregating switches and routers provide services such as those described in the previous examples, “Small to Medium-Sized Network Using Mixed Switches” and “Large Network Using Only Catalyst 3550 Switches.”
Figure 1-4 Catalyst 3550 Switches in a MAN Configuration [figure: service provider; Cisco 12000 Gigabit switch routers; Catalyst 6500 switches; Catalyst 3550 multilayer...]
• Accessing the CLI, page 2-9
IOS Command Modes
The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.
Table 2-1 Command Mode Summary
Mode: User EXEC
Access Method: Begin a session with your switch.
Prompt: Switch>
Exit Method: Enter logout or quit.
About This Mode: Use this mode to
• Change terminal...
Getting Help
You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 2-2.
Using no and default Forms of Commands
Almost every configuration command also has a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface.
Using Command History
The IOS provides a history or record of commands that you have entered. This feature is particularly useful for recalling long or complex commands or entries, including access lists. You can customize the command history feature to suit your needs as described in these sections:
•...
To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command.
Using Editing Features
This section describes the editing features that can help you manipulate the command line.
Table 2-5 Editing Commands through Keystrokes (continued)
Capability: Recall commands from the buffer and paste them in the command line. The switch provides a buffer with the last ten items that you deleted.
Keystroke: Press Ctrl-Y.
Purpose: Recall the most recent entry in the buffer.
Editing Command Lines that Wrap
You can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command.
Accessing the CLI
Before you can access the CLI, you need to connect a terminal or PC to the switch console port and power on the switch as described in the hardware installation guide that shipped with your switch. Then, to understand the boot process and the options available for assigning IP information, see Chapter 4, “Assigning the Switch IP Address and Default Gateway.”...
CHAPTER 3 Getting Started with CMS
This chapter provides these topics about the Cluster Management Suite (CMS) software:
• Features, page 3-2
• Front Panel View, page 3-4
• Topology View, page 3-10
• Menus and Toolbar, page 3-15
•...
Features
CMS provides these features (Figure 3-1) for managing switch clusters and individual switches from Web browsers such as Netscape Communicator or Microsoft Internet Explorer:
• Two views of your network that can be displayed at the same time:
–...
• Two levels of access to the configuration options: read-write access for users allowed to change switch settings; read-only access for users allowed only to view switch settings
• Consistent set of GUI components (such as tabs, buttons, drop-down lists, tables, and so on) for a consistent approach to setting configuration parameters
Figure 3-1 CMS Features...
Front Panel View
When CMS is launched from a command switch, the Front Panel view displays the front-panel images of all switches in the cluster (Figure 3-2). When CMS is launched from a standalone or non-command member switch, the Front Panel view displays only the front panel of the specific switch (Figure 3-3).
Cluster Tree
The cluster tree (Figure 3-3) appears in the left frame of the Front Panel view and shows the name of the cluster and a list of its members. The sequence of the cluster-tree icons (Figure 3-4) mirrors the sequence of the front-panel images.
Front-Panel Images
You can manage the switch from a remote station by using the front-panel images. The front-panel images are updated based on the network polling interval that you set from CMS > Preferences.
Note The Preferences window is not available if your switch access level is read-only.
Port Modes and LEDs
The port modes (Table 3-3) determine the type of information displayed through the port LEDs. When you change port modes, the meanings of the port LED colors (Table 3-4) also change.
VLAN Membership Modes
Ports in the Front Panel view are outlined by colors (Table 3-5) when you click Highlight VLAN Port Membership Modes on the Configure VLANs tab on the VLAN window (VLAN >...
Topology View
The Topology view displays how the devices within a switch cluster are connected and how the switch cluster is connected to other clusters and devices. From this view, you can add and remove cluster members.
Figure 3-6 Expand Cluster View [figure callouts: cluster members of cluster1 and other devices connected to cluster1; right-click a device icon to display a device popup menu; right-click a link icon to display a link popup menu]
Figure 3-7 Collapse Cluster View [figure callout: neighboring cluster...]
• Customer premises equipment (CPE) devices that are connected to Long-Reach Ethernet (LRE) switches
• Devices that are not eligible to join the cluster, such as Cisco IP phones, Cisco access points, and CDP-capable hubs and routers
• Devices that are identified as unknown devices, such as some Cisco devices and third-party devices
...
Figure 3-9 Topology-View Link Icons
Device and Link Labels
The Topology view displays device and link information by using these labels:
• Cluster and switch names
• Switch MAC and IP addresses
•...
Colors in the Topology View
The colors of the Topology view icons reflect the status of the devices and links (Table 3-6, Table 3-7, Table 3-8).
Table 3-6 Device Icon Colors
Icon Color: Green. Color Meaning: The device is operating.
Menus and Toolbar
The configuration and monitoring options for configuring switches and switch clusters are available from the menu bar, toolbar, and the Front-Panel and Topology view popup menus.
Menu Bar
The menu bar provides the complete list of options for managing a single switch and switch cluster.
If your cluster has these member switches running earlier software releases and if you have read-only access to these member switches, some configuration windows for those switches display incomplete information:
– Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 or earlier
– Catalyst 2950 member switches running Cisco IOS Release 12.0(5)WC2 or earlier...
Table 3-10 Menu Bar (continued)
Cluster menu:
• Cluster Manager: Launch a CMS session from the command switch.
• Create Cluster: Designate a command switch, and name a cluster.
• Delete Cluster: Delete a cluster.
Table 3-10 Menu Bar (continued)
• Router Redundancy: Add a switch to or remove a switch from an HSRP group. (guide mode available
• Fallback Bridging: Create a fallback bridging group, modify a group, delete a group, or view its details.
• 802.1X: Configure 802.1X authentication of devices as they are attached to LAN ports in a point-to-point infrastructure.
Catalyst 2900 XL and Catalyst 3500 XL switches when they are in a cluster where the command switch is a Catalyst 2950 switch running Cisco IOS Release 12.1(6)EA2 or later or a Catalyst 3550 switch running Cisco IOS Release 12.1(8)EA1 or later.
Table 3-10 Menu Bar (continued)
Help menu:
• Overview: Obtain an overview of the CMS interface.
• What’s New: Obtain a description of the new CMS features.
• Help For Active Window: Display the help for the active open window.
Toolbar
The toolbar buttons display commonly used switch and cluster configuration options and information windows such as legends and online help. Hover the cursor over an icon to display the feature. Table 3-11 describes the toolbar options, from left to right on the toolbar.
Front Panel View Popup Menus
These popup menus are available in the Front Panel view.
Device Popup Menu
You can display all switch and cluster configuration windows from the menu bar, or you can display commonly used configuration windows from the device popup menu (Table 3-12).
Topology View Popup Menus
These popup menus are available in the Topology view.
Link Popup Menu
You can display reports and graphs for a specific link displayed in the Topology view (Table 3-14).
Catalyst 2900 XL and Catalyst 3500 XL switches running Cisco IOS Release 12.0(5)WC2 and later. It is also available on Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 and later and on Catalyst 3550 switches running Cisco IOS Release 12.1(8)EA1 or later. It is not available on the Catalyst 1900 and Catalyst 2820 switches.
Device Manager: Access the web management interface of the device.
Note This option is available on Cisco access points, but not on Cisco IP phones, hubs, routers, or unknown devices such as some Cisco devices and third-party devices.
Interaction Modes
You can change the interaction mode of CMS to either guide or expert mode. Guide mode steps you through each feature option and provides information about the parameter. Expert mode displays a configuration window in which you configure the feature options.
Glossary of terms used in the online help. You can send us feedback about the information provided in the online help. Click Feedback to display an online form. After completing the form, click Submit to send your comments to Cisco. We appreciate and value your comments.
CMS Window Components
CMS windows consistently present configuration information. Figure 3-12 shows the components of a typical CMS window.
Figure 3-12 CMS Window Components [figure callouts: OK saves your changes and closes the window; Apply saves your changes and leaves the window open]
Icons Used in Windows
Some windows have icons for sorting information in tables, for showing which cells in a table are editable, and for displaying further information from Cisco.com (Figure 3-13).
Copies of the CMS pages you display are saved in your browser memory cache until you exit the browser session. A password is not required to redisplay these pages, including the Cisco Systems Access page. You can access the CLI by clicking Monitor the router - HTML access to the command line interface from a cached copy of the Cisco Systems Access page.
Verifying Your Changes
CMS provides notification cues to help you track and confirm the changes you make.
Change Notification
A green border around a field or table cell means that you made an unsaved change to the field or table cell.
Here are examples of how CMS can differ between IOS releases and switch platforms: • On Catalyst switches running Cisco IOS Release 12.0(5)WC2 or earlier or Cisco IOS Release 12.1(6)EA1 or earlier, the CMS versions in those software releases might appear similar but are not the same as this release.
CHAPTER 4 Assigning the Switch IP Address and Default Gateway
This chapter describes how to create the initial switch configuration (for example, assign the switch IP address and default gateway information) by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration.
For more information about the setup program, refer to the release notes on Cisco.com. Use a DHCP server for centralized control and automatic assignment of IP information once the server is configured.
Default Switch Information
Table 4-1 shows the default switch information.
Table 4-1 Default Switch Information
Feature: IP address and subnet mask. Default Setting: No IP address or subnet mask is defined.
Feature: Default gateway. Default Setting: No default gateway is defined.
DHCP Client Request Process
When you boot your switch, the DHCP client is invoked and automatically requests configuration information from a DHCP server when the configuration file is not present on the switch. Figure 4-1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server.
Configuring the DHCP Server
You should configure the DHCP server with reserved leases that are bound to each switch by the switch hardware address. If you want the switch to receive IP address information, you must configure the DHCP server with these lease options:
• IP address of the client (required)
...
TFTP packets. You must configure this relay device to forward received broadcast packets on an interface to the destination host. If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure a helper address by using the ip helper-address interface configuration command.
Figure 4-2 Relay Device Used in Autoconfiguration [figure: switch (DHCP client); Cisco router (relay); DHCP server; TFTP server; DNS server; addresses shown: 10.0.0.2, 10.0.0.1, 20.0.0.1, 20.0.0.2, 20.0.0.3, 20.0.0.4]
Obtaining Configuration Files...
[Figure 4-3 DHCP-Based Autoconfiguration Network Example: Switch 1 through Switch 4 with hardware addresses 00e0.9f1e.2001, 00e0.9f1e.2002, 00e0.9f1e.2003 and 00e0.9f1e.2004; Cisco router 10.0.0.10; DHCP server 10.0.0.1; DNS server 10.0.0.2; TFTP server (maritsu) 10.0.0.3]

Table 4-2 shows the configuration of the reserved leases on the DHCP server.
DNS Server Configuration

The DNS server maps the TFTP server name maritsu to IP address 10.0.0.3.

TFTP Server Configuration (on UNIX)

The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method.
Manually Assigning IP Information

Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs) or ports:

Command / Purpose
Step 1 ...
Checking and Saving the Running Configuration

  interface GigabitEthernet0/1
   no switchport
   ip address 172.20.137.50 255.255.255.0
  interface GigabitEthernet0/2
  interface GigabitEthernet0/3
  interface GigabitEthernet0/4
  interface GigabitEthernet0/5
  interface GigabitEthernet0/6
  interface GigabitEthernet0/7
  interface GigabitEthernet0/8
  interface GigabitEthernet0/9
  interface GigabitEthernet0/10
  interface GigabitEthernet0/11
  interface GigabitEthernet0/12
  ...
Modifying the Startup Configuration

This section describes how to modify the switch startup configuration. It contains this configuration information:
• Default Boot Configuration, page 4-12
• Automatically Downloading a Configuration File, page 4-12
• Booting Manually, page 4-13
...
Specifying the Filename to Read and Write the System Configuration

By default, the IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration.
Step 4  show boot  Verify your entries.

The boot manual global command changes the setting of the MANUAL_BOOT environment variable. The next time you reboot the system, the switch is in boot loader mode, shown by the switch: prompt.
Controlling Environment Variables

With a normally operating switch, you enter the boot loader mode only through a switch console connection configured for 9600 bps. Unplug the switch power cord and press the switch Mode button while reconnecting the power cord.
Table 4-5 describes the function of the most common environment variables.

Table 4-5 Environment Variables
Variable      Boot Loader Command                       IOS Global Configuration Command
MANUAL_BOOT   set MANUAL_BOOT yes                       boot manual
              Determines whether the switch ...         Enables manually booting the switch during ...
Scheduling a Reload of the Software Image

You can schedule a reload of the software image to occur on the switch at a later time (for example, late at night or during the weekend when the switch is used less), or you can synchronize a reload network-wide (for example, to perform a software upgrade on all switches in the network).
This example shows how to reload the software on the switch at a future time:

  Switch# reload at 02:00 jun 20
  Reload scheduled for 02:00:00 UTC Thu Jun 20 1996 (in 344 hours and 53 minutes)
  Proceed with reload? [confirm]

To cancel a previously scheduled reload, use the reload cancel privileged EXEC command.
Chapter 5 Clustering Switches

This chapter provides these topics to help you get started with switch clustering:
• Understanding Switch Clusters, page 5-2
• Planning a Switch Cluster, page 5-4
• Creating a Switch Cluster, page 5-18
...
• It is running Cisco IOS Release 12.1(4)EA1 or later.
• It has an IP address.
• It has Cisco Discovery Protocol (CDP) version 2 enabled (the default).
• It is not a command or member switch of another cluster.
...
Catalyst 3550 switches or Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later.
• When the command switch is a Catalyst 2950 switch running Cisco IOS Release 12.1(6)EA2 or later, all standby command switches must be Catalyst 2950 switches running Cisco IOS Release 12.1(6)EA2 or later.
Java plug-in configurations.

Automatic Discovery of Cluster Candidates and Members

The command switch uses Cisco Discovery Protocol (CDP) to discover member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
Discovery through CDP Hops

By using CDP, a command switch can discover switches up to seven CDP hops away (the default is three hops) from the edge of the cluster. The edge of the cluster is where the last member switches are connected to the cluster (for example, the command switch and member switches 8, 9, and 10 in Figure 5-1 are at the edge of the cluster).
Discovery through Non-CDP-Capable and Noncluster-Capable Devices

If a command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
Discovery through Different VLANs

A cluster can have Catalyst 3550 member switches configured with different VLANs. However, each member switch must be connected through at least one VLAN in common with the command switch. The command switch in Figure 5-3 has ports assigned to VLANs 9, 16, and 62 and therefore discovers...
Discovery through the Same Management VLAN

When the cluster has a Catalyst 2900 XL, Catalyst 2950, or Catalyst 3500 XL command switch, all cluster members must connect to it through the command-switch management VLAN, which is VLAN 1 by default.
Discovery through Different Management VLANs

We strongly recommend that a Catalyst 3550 switch be the command switch when the cluster has Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL member switches.
Discovery through Routed Ports

If the command switch has a routed port (RP) configured, it discovers only candidate and member switches in the same VLAN as the routed port. For more information about routed ports, see the “Routed Ports”...
Discovery of Newly Installed Switches

A new, out-of-the-box switch is set with the default VLAN, VLAN 1. By default, all access ports on the new switch are assigned to VLAN 1. To add a new switch to a cluster, it must be connected to the cluster through an access port. When the new switch joins a cluster, its default VLAN changes to the VLAN of the immediately upstream neighbor.
Virtual IP Addresses

You need to assign a unique virtual IP address and group number and name to the cluster standby group. This information must be configured on a specific VLAN or routed port on the active command switch. The active command switch receives traffic destined for the virtual IP address.
Host Names

You do not need to assign a host name to either a command switch or an eligible cluster member. However, a host name assigned to the command switch can help to more easily identify the switch cluster.
A cluster can have a mix of LRE switches using different private profiles. For more information about the Catalyst 2900 LRE XL switches and LRE technology, refer to the Catalyst 2900 XL and Catalyst 3500 XL documentation for Cisco IOS Release 12.0(5)WC2. Catalyst 3550 Multilayer Switch Software Configuration Guide...
Creating a Switch Cluster

Availability of Switch-Specific Features in Switch Clusters

The menu bar on the command switch displays all options available from the switch cluster. Therefore, features specific to a member switch are available from the command-switch menu bar. For example, Device >...
Enabling a Command Switch

The switch you designate to be the command switch must meet the requirements described in the “Command Switch Characteristics” section on page 5-2, “Planning a Switch Cluster” section on page 5-4, and the release notes.
Adding Member Switches

As explained in the “Automatic Discovery of Cluster Candidates and Members” section on page 5-4, the command switch automatically discovers candidate switches. When you add new cluster-capable switches to the network, the command switch discovers and adds them to a list of candidate switches. To display an updated cluster candidates list from the Add to Cluster window (Figure 5-10), either...
[Figure 5-10 Add to Cluster Window; the candidate list shows 2900-LRE-24-1. Callouts: Select a switch, and click Add. Press Ctrl and left-click to select more than one switch. Enter the password of the candidate switch. If no password exists for the switch, leave this field blank.]
[Figure 5-12 Standby Command Configuration Window; the list shows 2950C (cisco WS-C2950-C-24, HC, ...), NMS-3550-12T-149 (cisco WS-C3550-1...) and 3550-150 (cisco WS-C3550-12T, SC, ...). Callouts: Active command switch. Standby command switch. Must be a valid IP address in the same subnet as the active command switch.]
Verifying a Switch Cluster

When you finish adding cluster members, follow these steps to verify the cluster:

Step 1  Enter the command switch IP address in the browser Location field (Netscape Communicator) or Address field (Microsoft Internet Explorer) to access all switches in the cluster.
Using the CLI to Manage Switch Clusters

You can configure member switches from the CLI by first logging into the command switch. Enter the rcommand user EXEC command and the member switch number to start a Telnet session (through a console or Telnet connection) and to access the member switch CLI.
Using SNMP to Manage Switch Clusters

When you first power on the switch, SNMP is enabled if you enter the IP information by using the setup program and accept its proposed configuration. If you did not use the setup program to enter the IP information and SNMP was not enabled, you can enable it as described in the “Configuring SNMP”...
Chapter 6 Administering the Switch

This chapter describes how to perform one-time operations to administer your switch. This chapter consists of these sections:
• Preventing Unauthorized Access to Your Switch, page 6-1
• Protecting Access to Privileged EXEC Commands, page 6-2
...
Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.1. This section describes how to control access to the configuration file and privileged EXEC commands.
• By default, no password is defined.
• (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password you copy...
Protecting Access to Privileged EXEC Commands

Step 3  service password-encryption  (Optional) Encrypt the password when the password is defined or when the current configuration is written. Encryption prevents the password from being readable in the configuration file.
Beginning in privileged EXEC mode, follow these steps to disable password recovery:

Step 1  configure terminal  Enter global configuration mode.
Step 2  no service password-recovery  Disable password recovery. This setting is saved in an area of the Flash memory that is accessible by the boot loader and the IOS image, but it is not part of the file system and is not accessible by any user.
Step 7  show running-config  Verify your entries. The password is listed under the command line vty 0 15.
Step 8  copy running-config startup-config  (Optional) Save your entries in the configuration file.

To remove the password, use the no password global configuration command.
To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command.
Step 5  show running-config / show privilege  Verify your entries. The first command displays the password and access level configuration. The second command displays the privilege level configuration.
Step 6  copy running-config startup-config  (Optional) Save your entries in the configuration file.
(AAA) and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.1. This section contains this configuration information: •...
The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers. A network access server provides connections to a single user, to a network or...
Controlling Switch Access with TACACS+

You need a system running the TACACS+ daemon software to use TACACS+ on your switch.

TACACS+ Operation

When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:

When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the user.
Configuring TACACS+

This section describes how to configure your switch to support TACACS+. At a minimum, you must identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+ authentication.
Beginning in privileged EXEC mode, follow these steps to identify the IP host or hosts maintaining the TACACS+ server and optionally set the encryption key:

Step 1  configure terminal  Enter global configuration mode.
A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails.
To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.1. This section contains this configuration information:
• Understanding RADIUS, page 6-18
...
• Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication.
• Networks using a variety of services. RADIUS generally binds a user to one service model.
Controlling Switch Access with RADIUS

[Figure 6-2 Typical AAA Network Configuration: a Catalyst 3550 switch with two RADIUS servers, a TACACS+ server, a remote TACACS+ server, and a workstation]

RADIUS Operation

When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:

The user is prompted to enter a username and password.
software uses the first method listed to authenticate, to authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.
If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as a fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the switch tries the second host entry configured on the same device for accounting services.
Step 1  configure terminal  Enter global configuration mode.
Step 2  radius-server host {hostname | ip-address} [auth-port port-number] ...  Specify the IP address or host name of the remote RADIUS server host.
•...
This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting:

  Switch(config)# radius-server host host1

Note You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch.
Step 3  aaa authentication login {default | list-name} method1 [method2...]  Create a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations.
Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
Step 4  aaa group server radius group-name  Define the AAA server-group with a group name. This command puts the switch in a server group configuration mode.
Step 5  server ip-address  Associate a particular RADIUS server with the defined server group.
(AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
1, which is named cisco-avpair. The value is a string with this format:

  protocol : attribute sep value *

Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and * for optional attributes.
For example, the following AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP’s IPCP address assignment):

  cisco-avpair="ip:addr-pool=first"

The following example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:

  cisco-avpair="shell:priv-lvl=15"
...
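Added example, not code from the Cisco guide: a small Python parser for the cisco-avpair format described above (protocol, then attribute, then = for mandatory or * for optional, then value), plus a defender-side check that reads the shell:priv-lvl a RADIUS reply would grant. The cisco-avpair="..." wrapper handling and the sample reply lines are assumptions constructed for this example.

```python
# Added example (not from the Cisco guide): parse cisco-avpair strings of the
# form  protocol:attribute<sep>value  where sep is "=" (mandatory attribute)
# or "*" (optional attribute), and pick out the shell:priv-lvl attribute that
# grants an EXEC privilege level. All sample strings below are constructed.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class AVPair:
    protocol: str      # e.g. "shell" or "ip"
    attribute: str     # e.g. "priv-lvl" or "addr-pool"
    value: str         # e.g. "15" or "first"
    mandatory: bool    # True when sep was "=", False when it was "*"


# protocol up to the first ":", then the attribute name up to the first "="
# or "*" (that character is the separator); everything after it is the value.
_AVPAIR_RE = re.compile(r"^\s*([^:\s]+)\s*:\s*([^=*]+?)\s*([=*])\s*(.*?)\s*$")

# Assumed wrapper form as it appears in a server's reply-attribute listing,
# e.g. cisco-avpair="shell:priv-lvl=15" (straight or typographic quotes).
_WRAPPER_RE = re.compile(
    r'^\s*cisco-avpair\s*=\s*["\u201c\u201d](.*)["\u201c\u201d]\s*$')


def parse_avpair(text: str) -> AVPair:
    """Parse one protocol:attribute<sep>value string into an AVPair."""
    m = _AVPAIR_RE.match(text)
    if m is None:
        raise ValueError(f"not a cisco-avpair value: {text!r}")
    protocol, attribute, sep, value = m.groups()
    if not value:
        raise ValueError(f"empty value in {text!r}")
    return AVPair(protocol, attribute, value, mandatory=(sep == "="))


def parse_avpair_line(line: str) -> AVPair:
    """Accept either a bare value or the assumed cisco-avpair="..." wrapper."""
    m = _WRAPPER_RE.match(line)
    return parse_avpair(m.group(1) if m else line)


def effective_privilege_level(pairs: Iterable[AVPair]) -> Optional[int]:
    """Return the EXEC privilege level granted by shell:priv-lvl, if any.

    IOS privilege levels run from 0 to 15 (15 is privileged EXEC); a value
    outside that range is rejected rather than silently accepted.
    """
    for p in pairs:
        if p.protocol == "shell" and p.attribute == "priv-lvl":
            level = int(p.value)
            if not 0 <= level <= 15:
                raise ValueError(f"priv-lvl out of range: {p.value}")
            return level
    return None


def audit_reply(lines: Iterable[str]) -> dict:
    """Summarise the AV pairs of one reply: the parsed pairs, the privilege
    level they grant, and which pairs are mandatory (sep "=") rather than
    optional (sep "*")."""
    pairs: List[AVPair] = [parse_avpair_line(l) for l in lines]
    return {
        "pairs": pairs,
        "privilege_level": effective_privilege_level(pairs),
        "mandatory": [f"{p.protocol}:{p.attribute}" for p in pairs if p.mandatory],
    }


# Constructed sample reply: the two pairs quoted in the guide, the second
# one marked optional with "*" instead of "=".
SAMPLE_REPLY = [
    'cisco-avpair="shell:priv-lvl=15"',
    'cisco-avpair="ip:addr-pool*first"',
]

if __name__ == "__main__":
    report = audit_reply(SAMPLE_REPLY)
    for p in report["pairs"]:
        kind = "mandatory" if p.mandatory else "optional"
        print(f"{p.protocol}:{p.attribute} = {p.value} ({kind})")
    print("privilege level granted:", report["privilege_level"])
```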
Beginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server host and a shared secret text string:

Step 1  configure terminal  Enter global configuration mode.
Step 2  radius-server host {hostname | ip-address} non-standard  Specify the IP address or host name of the remote...
Configuring the Switch for Local Authentication and Authorization

You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration.
You can manage the system time and date on your switch using automatic methods, such as the Network Time Protocol (NTP), or manual configuration. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This section contains this configuration information:
• Understanding the System Clock, page 6-32
...
Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
Managing the System Time and Date

[Figure 6-3 Typical NTP Network Configuration: a Catalyst 6500 series switch (NTP master), local workgroup servers, and three Catalyst 3550 switches. These switches are configured in NTP server mode (server association) with the Catalyst 6500 series switch.]
Default NTP Configuration

Table 6-2 shows the default NTP configuration.

Table 6-2 Default NTP Configuration
Feature                          Default Setting
NTP authentication               Disabled. No authentication key is specified.
NTP peer or server associations  None configured.
Step 5  Return to privileged EXEC mode.
Step 6  show running-config  Verify your entries.
Step 7  copy running-config startup-config  (Optional) Save your entries in the configuration file.

To disable NTP authentication, use the no ntp authenticate global configuration command.
Step 3  Return to privileged EXEC mode.
Step 4  show running-config  Verify your entries.
Step 5  copy running-config startup-config  (Optional) Save your entries in the configuration file.

You need to configure only one end of an association;...
Step 6  copy running-config startup-config  (Optional) Save your entries in the configuration file.
Step 7  Configure the connected peers to receive NTP broadcast packets as described in the next procedure.

To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface configuration command.
Creating an Access Group and Assigning a Basic IP Access List

Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:

Command / Purpose
Step 1 ...
If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted.
• show ntp status

For detailed information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.

Configuring Time and Date Manually

If no other source of time is available, you can manually configure the current time and date after the system is restarted.
Setting the System Clock

If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock. Beginning in privileged EXEC mode, follow these steps to set the system clock:

Command / Purpose
Configuring the Time Zone

Beginning in privileged EXEC mode, follow these steps to manually configure the time zone:

Step 1  configure terminal  Enter global configuration mode.
Step 2  clock timezone zone hours-offset  Set the time zone.
Configuring Summer Time (Daylight Saving Time)

Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:

Command / Purpose
Step 1 ...
Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):

Command / Purpose
Step 1 ...
Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
Configuring a System Name and Prompt

Default DNS Configuration

Table 6-3 shows the default DNS configuration.

Table 6-3 Default DNS Configuration
Feature                  Default Setting
DNS enable state         Enabled.
DNS default domain name  None configured.
DNS servers              No name server addresses are configured.
The login banner also displays on all connected terminals. It is displayed after the MOTD banner and before the login prompts. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This section contains this configuration information: •...
Creating a Banner

Configuring a Message-of-the-Day Login Banner

You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:

Command / Purpose
Step 1 ...
Configuring a Login Banner

You can configure a login banner to be displayed on all connected terminals. This banner is displayed after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner:

Command / Purpose
Managing the MAC Address Table

This section contains this configuration information:
• Building the Address Table, page 6-52
• MAC Addresses and VLANs, page 6-52
• Default MAC Address Table Configuration, page 6-53
• Changing the Address Aging Time, page 6-53
...
Removing Dynamic Address Entries

To remove all dynamic entries, use the clear mac-address-table dynamic command in privileged EXEC mode. You can also remove a specific MAC address (clear mac-address-table dynamic address mac-address), remove all addresses on the specified physical port or port channel (clear mac-address-table dynamic interface interface-id), or remove all addresses on a specified VLAN (clear mac-address-table dynamic vlan vlan-id).
Step 3  snmp-server enable traps mac-notification  Enable the switch to send MAC address traps to the NMS.
Step 4  mac-address-table notification  Enable the MAC address notification feature.
Step 5  mac-address-table notification [interval value] | ...  Enter the trap interval time and the history table size.
Adding and Removing Static Address Entries

A static address has these characteristics:
• It is manually entered in the address table and must be manually removed.
• It can be a unicast or multicast address.
...
Displaying Address Table Entries

You can display the MAC address table by using one or more of the privileged EXEC commands described in Table 6-5:

Table 6-5 Commands for Displaying the MAC Address Table
Command                          Description
show mac-address-table address   ...
Optimizing System Resources for User-Selected Features

The number of subnet VLANs (routed ports and SVIs) is not limited by software and can be set to a number higher than indicated in the tables. If the number of subnet VLANs configured is lower than or equal to the number in the tables, the number of entries in each category (unicast addresses, IGMP groups, and so on) for each template is as shown.
Using the Templates
Follow these guidelines when using the SDM templates:
• The maximum number of resources allowed in each template is an approximation and depends upon the actual number of other features configured. For example, in the default template for the Catalyst 3550-12T, if your switch has more than 16 routed interfaces configured, the number of multicast or unicast routes that can be accommodated by hardware might be fewer than shown.
This example shows how to configure a switch with the routing template and verify the configuration:
Switch(config)# sdm prefer routing
Switch(config)# end
Switch# copy running-config startup-config
Switch# reload
Proceed with reload? [confirm]
Switch# show sdm prefer
The current template is routing template.
C H A P T E R Configuring 802.1X Port-Based Authentication This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. As LANs extend to hotels, airports, and corporate lobbies, insecure environments could be created.
In this release, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
Chapter 7 Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication Authentication Initiation and Message Exchange The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch must initiate authentication when it determines that the port link state transitions from down to up.
Chapter 7 Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication Ports in Authorized and Unauthorized States The switch port state determines whether or not the client is granted access to the network. The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets.
Chapter 7 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication In a point-to-point configuration (see Figure 7-1 on page 7-2), only one client can be connected to the 802.1X-enabled switch port. The switch detects the client when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.
802.1X Configuration Guidelines
These are the 802.1X authentication configuration guidelines:
• When 802.1X is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are enabled.
• The 802.1X protocol is supported on both Layer 2 static-access ports and Layer 3 routed ports, but it is not supported on these port types:
– ...
Chapter 7 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Enabling 802.1X Authentication To enable 802.1X port-based authentication, you must enable AAA and specify the authentication method list. A method list describes the sequence and authentication methods to be queried to authenticate a user.
This example shows how to enable AAA and 802.1X on Fast Ethernet port 0/1:
Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# interface fastethernet0/1
Switch(config-if)# dot1x port-control auto
Switch(config-if)# end
Configuring the Switch-to-RADIUS-Server Communication
RADIUS security servers are identified by their host name or IP address, host name and specific UDP...
This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use port 1612 as the authorization port, and to set the encryption key to rad123, matching the key on the RADIUS server:
Switch(config)# radius-server host 172.20.39.46 auth-port 1612 key rad123
You can globally configure the timeout, retransmission, and encryption key values for all RADIUS...
Chapter 7 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Manually Re-Authenticating a Client Connected to a Port You can manually re-authenticate the client connected to a specific port at any time by entering the dot1x re-authenticate interface interface-id privileged EXEC command. If you want to enable or disable periodic re-authentication, see the “Enabling Periodic Re-Authentication”...
Chapter 7 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Changing the Switch-to-Client Retransmission Time The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time) and then retransmits the frame.
Chapter 7 Configuring 802.1X Port-Based Authentication Configuring 802.1X Authentication Setting the Switch-to-Client Frame-Retransmission Number In addition to changing the switch-to-client retransmission time, you can change the number of times that the switch sends an EAP-request/identity frame (assuming no response is received) to the client before restarting the authentication process.
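The port behaviour that the preceding sections describe (the port starts unauthorized and passes only 802.1X frames, the switch sends EAP-Request/Identity when the link comes up, retransmits it after the retransmission time up to the configured number of times and then restarts, authorizes the port on a RADIUS accept, and returns it to unauthorized when the link goes down), as an added Python model. This is example code written for this page, not part of the guide or of Cisco IOS; the 30-second retransmission time and the 2-retransmission limit are assumed defaults, and the class and function names are the example's own.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"   # only 802.1X (EAPOL) frames pass
    AUTHORIZED = "authorized"       # normal traffic is forwarded


@dataclass
class Dot1xPort:
    """Switch-side (authenticator) view of one port in 'dot1x port-control auto' mode."""
    tx_period: int = 30   # seconds to wait for EAP-Response/Identity (assumed default)
    max_req: int = 2      # retransmissions of EAP-Request/Identity before a restart (assumed default)
    state: PortState = PortState.UNAUTHORIZED
    link_up: bool = False
    sent: int = 0         # EAP-Request/Identity frames sent in the current attempt
    restarts: int = 0     # how often the process restarted for lack of a reply
    log: List[str] = field(default_factory=list)

    def link_change(self, up: bool) -> None:
        """Link up starts authentication; link down returns the port to unauthorized."""
        self.link_up = up
        if up:
            self.sent = 1
            self.log.append("link up: EAP-Request/Identity sent")
        else:
            self.state = PortState.UNAUTHORIZED
            self.sent = 0
            self.log.append("link down: port unauthorized")

    def timer_expired(self) -> None:
        """tx_period elapsed without an EAP-Response/Identity from the client."""
        if not self.link_up or self.state is PortState.AUTHORIZED or self.sent == 0:
            return
        if self.sent <= self.max_req:
            self.sent += 1
            self.log.append(f"no reply after {self.tx_period}s: retransmit #{self.sent - 1}")
        else:
            self.restarts += 1
            self.sent = 1
            self.log.append("max retransmissions reached: restarting authentication")

    def identity_response(self) -> None:
        """Client answered; the switch relays the identity to the RADIUS server."""
        self.sent = 0
        self.log.append("EAP-Response/Identity received, forwarded to RADIUS")

    def radius_decision(self, accepted: bool) -> None:
        """RADIUS Access-Accept authorizes the port; anything else keeps it unauthorized."""
        self.state = PortState.AUTHORIZED if accepted else PortState.UNAUTHORIZED
        self.log.append("Access-Accept: port authorized" if accepted
                        else "Access-Reject: port stays unauthorized")

    def allows(self, frame_type: str) -> bool:
        """Ingress/egress decision: only EAPOL passes while the port is unauthorized."""
        return self.state is PortState.AUTHORIZED or frame_type == "EAPOL"


def simulate_silent_then_success() -> Dot1xPort:
    """A client that ignores three request frames, then authenticates successfully."""
    port = Dot1xPort()
    port.link_change(True)
    for _ in range(3):
        port.timer_expired()     # initial frame + 2 retransmissions, then a restart
    port.identity_response()
    port.radius_decision(accepted=True)
    return port


if __name__ == "__main__":
    for entry in simulate_silent_then_success().log:
        print(entry)
```

The model makes the retransmission budget visible: with max_req set to 2, a silent client sees three EAP-Request/Identity frames before the switch restarts the process, and during all of that time the port forwards nothing but EAPOL.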
Chapter 7 Configuring 802.1X Port-Based Authentication Displaying 802.1X Statistics and Status
Command / Purpose
Step 4 end
Return to privileged EXEC mode.
Step 5 show dot1x interface interface-id
Verify your entries.
Step 6 copy running-config startup-config
(Optional) Save your entries in the configuration file.
To disable multiple hosts on the port, use the no dot1x multiple-hosts interface configuration command.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release and the online Cisco IOS Interface Command Reference for Release 12.1.
Understanding Interface Types
This section describes the different types of interfaces supported by the switch, with references to the chapters that contain more detailed information about configuring these interface types.
Chapter 8 Configuring Interface Characteristics Understanding Interface Types Port-Based VLANs A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 9, “Creating and Maintaining VLANs.”...
Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. Exceptions are the DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP), which operate only on physical ports.
Chapter 8 Configuring Interface Characteristics Understanding Interface Types Switch Virtual Interfaces A switch virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing or bridging function in the system. Only one SVI can be associated with a VLAN, but you need to configure an SVI for a VLAN only when you wish to route between VLANs, fallback-bridge nonroutable protocols between VLANs, or to provide IP host connectivity to the switch.
8-1, when Host A in VLAN 20 sends data to Host B in VLAN 30, it must go from Host A to the switch, to the router, back to the switch, and then to Host B.
Figure 8-1 Connecting VLANs with Layer 2 Switches (figure: Cisco router, switch, Host A, Host B) ...
Chapter 8 Configuring Interface Characteristics Using the Interface Command
Figure 8-2 Connecting VLANs with the Catalyst 3550 Multilayer Switch (figure: Catalyst 3550 switch with enhanced multilayer software image; SVI 1 172.20.128.1 and SVI 2 172.20.129.1; Host A in VLAN 20, Host B in VLAN 30)
The Catalyst 3550 switch with the enhanced multilayer software image supports two methods of forwarding traffic between interfaces: routing and fallback bridging.
To configure a physical interface (port), enter interface configuration mode, and specify the interface type, slot, and number.
• Type: Fast Ethernet (fastethernet or fa) for 10/100 Ethernet or Gigabit Ethernet (gigabitethernet or ...
• ...
Enter the show interfaces privileged EXEC command to see a list of all interfaces on or configured for the switch. A report is provided for each interface that the device supports or for the specified interface:
Switch# show interfaces
Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 0000.0000.0000 (bia 0000.0000.00...
• You must add a space between the interface numbers and the hyphen when using the interface range command. For example, the command interface range gigabitethernet 0/1 - 5 is a valid range; the command interface range gigabitethernet 0/1-5 is not a valid range.
• The interface range command works only with VLAN interfaces that have been configured with ...
Chapter 8 Configuring Interface Characteristics Using the Interface Command Configuring and Using Interface Range Macros You can create an interface range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface range macro global configuration command string, you must use the define interface-range global configuration command to define the macro.
Chapter 8 Configuring Interface Characteristics Configuring Layer 2 Interfaces
This example shows how to define an interface-range macro named enet_list to select Gigabit Ethernet ports 1 to 4 and to verify the macro configuration:
Switch# configure terminal
Switch(config)# define interface-range enet_list gigabitethernet0/1 - 4
Switch(config)# end
Switch# show running-config | include define
define interface-range enet_list GigabitEthernet0/1 - 4
...
Chapter 8 Configuring Interface Characteristics Configuring Layer 2 Interfaces Default Layer 2 Ethernet Interface Configuration Table 8-1 shows the Layer 2 Ethernet interface default configuration. For more details on the VLAN parameters listed in the table, see Chapter 9, “Creating and Maintaining VLANs.” For details on controlling traffic to the port, see Chapter 12, “Configuring Port-Based Traffic Control.”...
Configuring Interface Speed and Duplex Mode
These sections describe how to configure the interface speed and duplex mode:
• Configuration Guidelines, page 8-14
• Setting the Interface Speed and Duplex Parameters, page 8-14
Configuration Guidelines
When configuring an interface speed and duplex mode, note these guidelines:
• If both ends of the line support autonegotiation, we highly recommend the default autonegotiation...
Beginning in privileged EXEC mode, follow these steps to set the speed and duplex mode for a physical interface:
Command / Purpose
Step 1 configure terminal
Enter global configuration mode.
Step 2 interface interface-id
Enter interface configuration mode and the physical interface identification.
Chapter 8 Configuring Interface Characteristics Configuring Layer 2 Interfaces Configuring IEEE 802.3X Flow Control Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. If one port experiences congestion and cannot receive any more traffic, it notifies the other port to stop sending until the condition clears.
Beginning in privileged EXEC mode, follow these steps to configure flow control on an interface:
Command / Purpose
Step 1 configure terminal
Enter global configuration mode.
Step 2 no mls qos
Disable QoS on the switch.
Step 3 interface interface-id
Enter interface configuration mode and the physical interface to...
(You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference for Release 12.1. Table 8-2...
Chapter 8 Configuring Interface Characteristics Monitoring and Maintaining the Layer 2 Interface
Table 8-2 Show Commands for Interfaces (continued)
Command | Purpose
show running-config | Display the running configuration in RAM.
show version | Display the hardware configuration, software version, the names and sources of configuration files, and the boot images.
This example shows how to display the status of switching ports:
Switch# show interfaces switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Chapter 8 Configuring Interface Characteristics Monitoring and Maintaining the Layer 2 Interface Note The clear counters privileged EXEC command does not clear counters retrieved by using Simple Network Management Protocol (SNMP), but only those seen with the show interface privileged EXEC command.
Chapter 8 Configuring Interface Characteristics Configuring Layer 3 Interfaces To verify that an interface is disabled, enter the show interfaces privileged EXEC command. A disabled interface is shown as administratively down in the show interface command display as with Gigabit Ethernet interface 0/1 in this example.
Beginning in privileged EXEC mode, follow these steps to configure a Layer 3 interface:
Command / Purpose
Step 1 configure terminal
Enter global configuration mode.
Step 2 interface {{fastethernet | gigabitethernet} interface-id} | {vlan vlan-id} | {port-channel port-channel-number}
Enter interface configuration mode, and enter the interface to be configured as a Layer 3 interface.
This is an example of output from the show ip interface privileged EXEC command for an interface:
Switch# show ip interface gigabitethernet0/2
GigabitEthernet0/2 is up, line protocol is up
  Internet address is 192.20.135.21/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
...
C H A P T E R Creating and Maintaining VLANs
This chapter describes how to create and maintain VLANs. It includes information about VLAN modes, the VLAN Trunking Protocol (VTP) database, and the VLAN Membership Policy Server (VMPS).
Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.
(figure: VLANs as Logically Defined Networks; Engineering, Marketing, and Accounting VLANs spanning Floor 1, Floor 2, and Floor 3, connected through a Cisco router over Fast Ethernet)
VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN. Interface VLAN membership on the switch is assigned manually on an interface-by-interface basis.
Chapter 9 Creating and Maintaining VLANs Using the VLAN Trunking Protocol VLAN Port Membership Modes You configure a port to belong to a VLAN by assigning a membership mode that determines the kind of traffic the port carries and the number of VLANs to which it can belong. Table 9-1 lists the membership modes and characteristics.
Chapter 9 Creating and Maintaining VLANs Using the VLAN Trunking Protocol The VTP Domain and VTP Modes A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name.
Chapter 9 Creating and Maintaining VLANs Using the VLAN Trunking Protocol VTP Advertisements Each switch in the VTP domain sends periodic global configuration advertisements from each trunk port to a reserved multicast address. Neighboring switches receive these advertisements and update their VTP and VLAN configurations as necessary.
Chapter 9 Creating and Maintaining VLANs Using the VLAN Trunking Protocol VTP Version 2 If you use VTP in your network, you must decide whether to use version 1 or version 2. VTP version 2 supports these features not supported in version 1: •...
Figure 9-2 Flooding Traffic without VTP Pruning (figure: Switch 1 through Switch 6; Port 1 and Port 2; the flooded VLAN)
Figure 9-3 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch 2 and Port 4 on Switch 4).
Chapter 9 Creating and Maintaining VLANs Using the VLAN Trunking Protocol To configure VTP pruning on an interface, use the switchport trunk pruning vlan interface configuration command (see the “Changing the Pruning-Eligible List” section on page 9-28). VTP pruning operates when an interface is trunking. You can set VLAN pruning-eligibility, whether or not VTP pruning is enabled for the VTP domain, whether or not any given VLAN exists, and whether or not the interface is currently trunking.
VLAN configuration mode, it applies all the commands that you entered. VTP messages are sent to other switches in the VTP domain, and the privileged EXEC mode prompt appears. The Cisco IOS end and Ctrl-Z commands are not supported in VLAN configuration mode. Note For more configuration guidelines, see the “VLAN Configuration Guidelines”...
Chapter 9 Creating and Maintaining VLANs Using the VLAN Trunking Protocol Configuring a VTP Server When a switch is in VTP server mode, you can change the VLAN configuration and have it propagated throughout the network. Beginning in privileged EXEC mode, follow these steps to configure the switch as a VTP server: Command Purpose Step 1...
Chapter 9 Creating and Maintaining VLANs Using the VLAN Trunking Protocol Configuring a VTP Client When a switch is in VTP client mode, you cannot change its VLAN configuration. The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly.
Command / Purpose
Step 3 exit
Update the VLAN database, propagate it throughout the administrative domain, and return to privileged EXEC mode.
Step 4 show vtp status
Verify your entries in the VTP Operating Mode field of the display.
To return the switch to VTP server mode, use the no vtp transparent VLAN configuration command.
Chapter 9 Creating and Maintaining VLANs Using the VLAN Trunking Protocol Enabling VTP Pruning Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You enable VTP pruning on a switch in VTP server mode. Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the management domain: Command...
This is an example of output from the show vtp status privileged EXEC command:
Switch# show vtp status
VTP Version                     :
Configuration Revision          :
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 69
VTP Operating Mode              : Server
...
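Because every switch in a VTP domain updates its VLAN database from the advertisements it receives, the VTP mode, domain name, and configuration revision of each switch are worth comparing before a change is made. The following Python audit does that over show vtp status output in the format shown above. It is an added example written for this page, not code from the guide or from Cisco; the three switch outputs are constructed sample data, and the function names and the finding texts are the example's own.

```python
from collections import Counter
from typing import Dict, List

# Constructed 'show vtp status' excerpts for three switches in one domain.
# Values are sample data for the example, not captured from a real network.
SAMPLE_VTP = {
    "Switch1": """\
VTP Version                     : 2
Configuration Revision          : 17
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 69
VTP Operating Mode              : Server
VTP Domain Name                 : corp
VTP Pruning Mode                : Enabled
""",
    "Switch2": """\
VTP Version                     : 2
Configuration Revision          : 17
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 69
VTP Operating Mode              : Client
VTP Domain Name                 : corp
VTP Pruning Mode                : Enabled
""",
    # A switch moved in from another installation, carrying a higher revision.
    "Switch3": """\
VTP Version                     : 2
Configuration Revision          : 42
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : corp
VTP Pruning Mode                : Disabled
""",
}


def parse_vtp_status(text: str) -> Dict[str, str]:
    """Turn 'Field : value' lines of show vtp status into a dict."""
    status: Dict[str, str] = {}
    for line in text.splitlines():
        field, sep, value = line.partition(":")
        if sep:
            status[field.strip()] = value.strip()
    return status


def audit_vtp(outputs: Dict[str, str]) -> List[str]:
    """Compare the switches of one domain and report inconsistencies."""
    parsed = {name: parse_vtp_status(text) for name, text in outputs.items()}
    findings: List[str] = []

    domains = sorted({s.get("VTP Domain Name", "") for s in parsed.values()})
    if len(domains) > 1:
        findings.append(f"switches are in different VTP domains: {domains}")

    # Only a server can change the VLAN database; more than one widens who can.
    servers = [n for n, s in parsed.items() if s.get("VTP Operating Mode") == "Server"]
    if len(servers) > 1:
        findings.append("more than one VTP server: " + ", ".join(servers))

    # A switch whose revision is above the rest will have its advertisements
    # accepted by the others, replacing their VLAN database.
    revisions = {n: int(s.get("Configuration Revision", "0")) for n, s in parsed.items()}
    common = Counter(revisions.values()).most_common(1)[0][0]
    for name, rev in revisions.items():
        if rev > common:
            findings.append(f"{name}: configuration revision {rev} is higher than the "
                            f"domain's {common}; its VLAN database will replace the others'")

    pruning = {n: s.get("VTP Pruning Mode") for n, s in parsed.items()}
    if len(set(pruning.values())) > 1:
        findings.append(f"VTP pruning is not consistent across the domain: {pruning}")
    return findings


if __name__ == "__main__":
    for finding in audit_vtp(SAMPLE_VTP):
        print(finding)
```

Run against the sample, the audit reports the second server, the higher revision on Switch3, and the pruning mismatch; the domain names agree, so nothing is said about them.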
Chapter 9 Creating and Maintaining VLANs VLANs in the VTP Database
You can set these parameters when you create a new VLAN or modify an existing VLAN in the VTP database:
• VLAN ID
• VLAN name
• VLAN type (Ethernet, Fiber Distributed Data Interface [FDDI], FDDI network entity title [NET], ...
Table 9-5 Ethernet VLAN Defaults and Ranges
Parameter | Default | Range
VLAN ID | | 1–1005
VLAN name | default | No range
802.10 SAID | 101001 | 1–4294967294
MTU size | 1500 | 1500–18190
Translational bridge 1 | 1002 | 0–1005
Translational bridge 2 | ...
Chapter 9 Creating and Maintaining VLANs VLANs in the VTP Database Configuring VLANs in the VTP Database You can add, modify or remove VLAN configurations in the VTP database by using the CLI VLAN configuration mode. VTP globally propagates these VLAN changes throughout the VTP domain. In VTP server or transparent mode, commands to add, change, and delete VLANs are written to the file vlan.dat, and you can display them by entering the show vlan privileged EXEC command.
This example shows how to add Ethernet VLAN 20 to the VLAN database and name it test20:
Switch# vlan database
Switch(vlan)# vlan 20 name test20
Switch(vlan)# exit
APPLY completed.
Exiting..
Caution When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN.
Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch:
Command / Purpose
Command / Purpose
Step 6 show running-config interface interface-id
Verify the VLAN membership mode of the interface.
Step 7 show interfaces interface-id switchport
Verify your entries in the Administrative Mode and the Access Mode VLAN fields of the display.
Displaying VLANs in the VTP Database
Use the show vlan privileged EXEC command to display a list of VLANs in the database, including status, ports, and configuration:
Switch# show vlan
VLAN Name   Status   Ports
...
VLANs across an entire network. The 100BASE-T and Gigabit Ethernet trunks carry traffic for multiple VLANs over a single link. Two trunking encapsulations are available on all Ethernet interfaces:
• Inter-Switch Link (ISL): ISL is Cisco-proprietary trunking encapsulation.
• 802.1Q: 802.1Q is industry-standard trunking encapsulation.
Chapter 9 Creating and Maintaining VLANs Understanding VLAN Trunks Note DTP is a point-to-point protocol. However, some internetworking devices might forward DTP frames improperly. To avoid this, ensure that interfaces connected to devices that do not support DTP are configured with the access keyword if you do not intend to trunk across those links. To enable trunking to a device that does not support DTP, use the nonegotiate keyword to cause the interface to become a trunk but to not generate DTP frames.
VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco 802.1Q switch.
Chapter 9 Creating and Maintaining VLANs Understanding VLAN Trunks Configuring an Ethernet Interface as a Trunk Port Because trunk ports send and receive VTP advertisements, you must ensure that at least one trunk port is configured on the switch and that this trunk port is connected to the trunk port of a second switch. Otherwise, the switch cannot receive any VTP advertisements.
Command / Purpose
Step 8 show interfaces interface-id switchport
Display the switchport configuration of the interface in the Administrative Mode and the Administrative Trunking Encapsulation fields of the display.
Step 9 show interfaces interface-id trunk
Display the trunk configuration of the interface.
In this example, the encapsulation method is ISL:
Switch# show interfaces gigabitethernet0/4 trunk
Port    Mode       Encapsulation  Status    Native vlan
Gi0/4   desirable  n-isl          trunking  1
Port    Vlans allowed on trunk
Gi0/4   1-1005
Port    Vlans allowed and active in management domain
Gi0/4   1,10-1000
...
To return to the default allowed VLAN list of all VLANs, use the no switchport trunk allowed vlan interface configuration command. This example shows how to remove VLAN 2 from the allowed VLAN list and verify the configuration.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport trunk allowed vlan remove 2
Switch(config-if)# end
...
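An added Python audit, written for this page and not taken from the guide or from Cisco, that ties together the show interfaces switchport output shown in Chapter 8, the DTP note earlier in this section, and the allowed-VLAN list of a trunk: it reads switchport output (the sample here is constructed in that format), reports ports that still negotiate trunking, and expands the Vlans allowed on trunk string so that a trunk left at the default list of every VLAN can be spotted. The suggested commands are the ones the text itself gives (access for links to devices that do not run DTP, nonegotiate for a fixed trunk, switchport trunk allowed vlan remove to narrow the list); the constant DEFAULT_ALLOWED and the function names are the example's own.

```python
from typing import Dict, List

# Constructed sample in the format of 'show interfaces switchport'.
# The ports and values are made up for this example, not captured from a switch.
SAMPLE_SWITCHPORT = """\
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)

Name: Gi0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 20 (test20)

Name: Gi0/4
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
"""

DEFAULT_ALLOWED = "1-1005"   # the default allowed-VLAN list of a trunk (every VLAN)


def parse_switchports(text: str) -> Dict[str, Dict[str, str]]:
    """Split the output into one {field: value} dict per port, keyed by its Name: line."""
    ports: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        field, sep, value = line.partition(":")
        if not sep:
            continue                      # blank line between two ports
        field, value = field.strip(), value.strip()
        if field == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[field] = value
    return ports


def audit_dtp(text: str) -> List[str]:
    """Report ports whose trunk negotiation does not match the guidance in the text."""
    findings: List[str] = []
    for name, port in parse_switchports(text).items():
        admin = port.get("Administrative Mode", "")
        dtp_on = port.get("Negotiation of Trunking", "") == "On"
        if admin.startswith("dynamic"):
            # The port becomes a trunk if the neighbor negotiates one; pin it to
            # access mode where an end host (no DTP) is expected.
            findings.append(f"{name}: mode '{admin}' negotiates trunking with the neighbor; "
                            "use 'switchport mode access' if this link is not meant to trunk")
        elif admin == "trunk" and dtp_on:
            # A fixed trunk toward a device without DTP should not emit DTP frames.
            findings.append(f"{name}: trunk still sends DTP frames; add 'switchport nonegotiate' "
                            "if the far end does not run DTP")
    return findings


def expand_vlan_list(spec: str) -> List[int]:
    """Expand a 'Vlans allowed on trunk' string such as '1,10-1000' into VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return sorted(vlans)


def allows_all_vlans(spec: str) -> bool:
    """True when the trunk still carries the default list of every VLAN, 1 to 1005."""
    return expand_vlan_list(spec) == expand_vlan_list(DEFAULT_ALLOWED)


if __name__ == "__main__":
    for finding in audit_dtp(SAMPLE_SWITCHPORT):
        print(finding)
    # 'show interfaces trunk' printed 1-1005 for Gi0/4 in the earlier example
    print("Gi0/4 still allows every VLAN:", allows_all_vlans("1-1005"))
```

Gi0/2 in the sample is a static-access port with negotiation off, which is the state the note recommends for links to devices that do not support DTP, so it produces no finding; the other two ports do.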
Command / Purpose
Step 5 show interfaces interface-id switchport
Verify your entries in the Pruning VLANs Enabled field of the display.
Step 6 copy running-config startup-config
(Optional) Save your entries in the configuration file.
To return to the default pruning-eligible list of all VLANs, use the no switchport trunk pruning vlan interface configuration command.
Chapter 9 Creating and Maintaining VLANs Understanding VLAN Trunks Load Sharing Using STP Port Priorities When two ports on the same switch form a loop, the STP port priority setting determines which port is enabled and which port is in a blocking state. You can set the priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN.
Command / Purpose
Step 6 show vlan
Verify that the VLANs exist in the database on Switch 1.
Step 7 configure terminal
Enter global configuration mode.
Step 8 interface gigabitethernet 0/1
Enter interface configuration mode, and define Gigabit Ethernet port 0/1 as the interface to be configured as a trunk.
Chapter 9 Creating and Maintaining VLANs Understanding VLAN Trunks Load Sharing Using STP Path Cost You can configure parallel trunks to share VLAN traffic by setting different path costs on a trunk and associating the path costs with different sets of VLANs. The VLANs keep the traffic separate. Because no loops exist, STP does not disable the ports, and redundancy is maintained in the event of a lost link.
Chapter 9 Creating and Maintaining VLANs Understanding VMPS
Command / Purpose
Step 8 show running-config
Verify your entries. In the display, make sure that interfaces Fast Ethernet 0/1 and Fast Ethernet 0/2 are configured as trunk ports.
Step 9 show vlan
When the trunk links come up, Switch 1 receives the VTP information from the other switches.
Chapter 9 Creating and Maintaining VLANs Understanding VMPS If the switch receives an access-denied response from the VMPS, it continues to block traffic from the MAC address to or from the port. The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new address.
This example shows a VMPS database configuration file as it appears on a Catalyst 6000 series switch. The file has these characteristics:
• The security mode is open.
• The default is used for the fallback VLAN.
This is an example of output from the show vmps privileged EXEC command, used to verify the VMPS server IP address.
Switch# show vmps
VQP Client Status:
--------------------
VMPS VQP Version:
Reconfirm Interval:   60 min
Server Retry Count:   3
VMPS domain server:   172.20.128.86 (primary, current)
                      172.20.128.87
...
Reconfirming VLAN Memberships
Beginning in privileged EXEC mode, follow these steps to confirm the dynamic port VLAN membership assignments that the switch has received from the VMPS:
Command / Purpose
Step 1 vmps reconfirm
Reconfirm dynamic port VLAN membership.
Administering and Monitoring the VMPS
You can display information about the VMPS by using the show vmps privileged EXEC command. The switch displays this information about the VMPS:
VMPS VQP Version | The version of VQP used to communicate with the VMPS. The switch queries the VMPS that is using VQP version 1.
Figure 9-7 Dynamic Port VLAN Membership Configuration (figure: TFTP server; Catalyst 6000 series primary VMPS server, Server 1, 172.20.26.150; router; Switch 1, 172.20.22.7; Catalyst 3550 switch client with a dynamic-access port, 172.20.26.151, station 1; Switch 2 with a trunk port or static-access port; Catalyst 6000 series ...)
C H A P T E R Configuring STP
This chapter describes how to configure the Spanning Tree Protocol (STP) on your switch.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.
Chapter 10 Configuring STP Understanding Basic STP Features For information about advanced STP features, see the “Understanding Advanced STP Features” section on page 10-10 and the “Configuring Advanced STP Features” section on page 10-32. Supported STP Instances This software release supports the per-VLAN spanning tree (PVST) and a maximum of 128 spanning-tree instances.
Chapter 10 Configuring STP Understanding Basic STP Features Multiple active paths among end stations cause loops in the network. If a loop exists in the network, end stations might receive duplicate messages. Switches might also learn end-station MAC addresses on multiple Layer 2 interfaces.
• The removal of loops in the switched network by blocking Layer 2 interfaces connected to redundant links
For each VLAN, the switch with the highest switch priority (the lowest numerical priority value) is elected as the root switch.
STP Timers
Table 10-2 describes the STP timers that affect the entire spanning-tree performance.
Table 10-2 Spanning Tree Protocol Timers
Variable | Description
Hello timer | Determines how often the switch broadcasts hello messages to other switches.
Forward-delay timer | Determines how long each of the listening and learning states last before the interface begins forwarding.
Chapter 10 Configuring STP Understanding Basic STP Features STP Interface States Propagation delays can occur when protocol information passes through a switched LAN. As a result, topology changes can take place at different times and at different places in a switched network. When a Layer 2 interface transitions directly from nonparticipation in the spanning-tree topology to the forwarding state, it can create temporary data loops.
Chapter 10 Configuring STP Understanding Basic STP Features When the spanning-tree algorithm places a Layer 2 interface in the forwarding state, this process occurs: The Layer 2 interface is in the listening state while spanning tree waits for protocol information to transition the interface to the blocking state.
However, in a network of Cisco switches connected through 802.1Q trunks, the switches maintain one spanning-tree instance for each VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch uses per-VLAN spanning tree+ (PVST+) to provide STP interoperability. It combines the spanning-tree instance of the 802.1Q VLAN of the trunk with the spanning-tree instance of the non-Cisco 802.1Q...
However, all PVST+ information is maintained by Cisco switches separated by a cloud of non-Cisco 802.1Q switches. The non-Cisco 802.1Q cloud separating the Cisco switches is treated as a single trunk link between the switches. PVST+ is automatically enabled on 802.1Q trunks, and no user configuration is required. The external spanning-tree behavior on access ports and Inter-Switch Link (ISL) trunks is not affected by PVST+.
Chapter 10 Configuring STP Understanding Advanced STP Features
Accelerated Aging to Retain Connectivity
The default for aging dynamic addresses is 5 minutes, the default setting of the mac-address-table aging-time global configuration command. However, an STP reconfiguration can cause many station locations to change.
Figure 10-4 Port Fast-Enabled Ports (figure: a Catalyst 6000 series switch and Catalyst 3550 switches; the Port Fast-enabled ports are the ones connecting a server and workstations)
Understanding BPDU Guard
When the BPDU guard feature is enabled on the switch, STP shuts down Port Fast-enabled interfaces that receive BPDUs rather than putting them into the blocking state.
Understanding UplinkFast
Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 10-5 shows a complex network where distribution switches and access switches each have at least one redundant link that STP blocks to prevent loops.
Figure 10-5 Switches in a Hierarchical Network (figure: backbone switches, including the root bridge, above distribution and access switches)...
Figure 10-6 UplinkFast Example Before Direct Link Failure (figure: Switch A (Root), Switch B, and Switch C with a blocked port)
If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked port on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure...
How CSUF Works
CSUF ensures that one link in the stack is elected as the path to the root. As shown in Figure 10-8, Switches A, B, and C are cascaded through the GigaStack GBIC to form a multidrop backbone, which communicates control and data traffic across the switches at the access layer.
The switch sending the fast-transition request needs to do a fast transition to the forwarding state of a port that it has chosen as the root port, and it must obtain an acknowledgement from each stack switch before performing the fast transition.
Limitations
These limitations apply to CSUF:
• CSUF uses the GigaStack GBIC and runs on all Catalyst 3550 switches and all Catalyst 3500 XL switches, but only on modular Catalyst 2900 XL switches that have the 1000BASE-X module installed.
Understanding BackboneFast
BackboneFast is started when a root port or blocked port on a switch receives inferior BPDUs from its designated bridge. An inferior BPDU identifies one switch as both the root bridge and the designated bridge.
switchover takes approximately 30 seconds, twice the Forward Delay time if the default Forward Delay time of 15 seconds is set. Figure 10-11 shows how BackboneFast reconfigures the topology to account for the failure of link L1.
Figure 10-11 BackboneFast Example After Indirect Link Failure (figure: Switch A (Root))
Understanding Root Guard
The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. In such a topology, STP can reconfigure itself and select a customer switch as the STP root switch, as shown in Figure 10-13.
Chapter 10 Configuring STP Configuring Basic STP Features
Table 10-3 Default STP Configuration (continued)
Forward-delay time: 15 seconds.
Maximum-aging time: 20 seconds.
Port Fast: Disabled on all interfaces.
BPDU guard: Disabled on the switch.
UplinkFast: Disabled on the switch.
BackboneFast: Disabled on the switch.
To configure a switch to become the root, use the spanning-tree vlan vlan-id root global configuration command to modify the switch priority from the default value (32768) to a significantly lower value so that the switch becomes the root switch for the specified VLAN.
Beginning in privileged EXEC mode, follow these steps to configure a switch as the root switch:
Step 1 configure terminal: Enter global configuration mode.
Step 2 spanning-tree vlan vlan-id root primary: Configure a switch as the root switch.
Beginning in privileged EXEC mode, follow these steps to configure a switch as the secondary root switch:
Step 1 configure terminal: Enter global configuration mode.
Step 2 spanning-tree vlan vlan-id root secondary: Configure a switch as the secondary root switch.
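Added example, not from the guide: the root primary and root secondary procedures above applied to two VLANs on a pair of distribution switches, followed by the check that confirms which bridge actually won the election. The VLAN numbers and the roles of the two switches are assumed for illustration.

```cisco
! Added example (not from the guide). VLAN IDs and switch roles are assumed.
!
! --- On the switch that should own the root role (Switch A) ---
Switch# configure terminal
Switch(config)# spanning-tree vlan 10 root primary
Switch(config)# spanning-tree vlan 20 root primary
Switch(config)# end
!
! --- On the intended backup root (Switch B) ---
Switch# configure terminal
Switch(config)# spanning-tree vlan 10 root secondary
Switch(config)# spanning-tree vlan 20 root secondary
Switch(config)# end
!
! Verify on Switch A: the output contains the line "This bridge is the root"
! and the bridge priority is below the 32768 default. On Switch B the Root ID
! field must carry Switch A's bridge ID; if it carries any other switch,
! something else is advertising a lower priority.
Switch# show spanning-tree vlan 10
Switch# show spanning-tree vlan 20
!
! Return either switch to the default priority for a VLAN
Switch(config)# no spanning-tree vlan 10 root
```

Run the primary form only on the switch that should hold the root role. If the Root ID later belongs to a switch you do not administer, the fix is root guard on the port facing it (see Understanding Root Guard), not an ever lower priority.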
The priority range is 0 to 255; the default is 128. Cisco IOS uses the port priority value when the interface is configured as an access port and uses VLAN port priority values when the interface is configured as a trunk port.
Configuring STP Path Cost
The STP path cost default value is derived from the media speed of an interface. If a loop occurs, STP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.
Configuring the Switch Priority of a VLAN
You can configure the switch priority and make it more likely that the switch will be chosen as the root switch.
Note: Exercise care when using this command. For most situations, we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the switch priority.
Configuring the Hello Time
You can configure the interval between the generation of configuration messages by the root switch by changing the STP hello time.
Note: Exercise care when using this command. For most situations, we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the hello time.
To return the switch to its default setting, use the no spanning-tree vlan vlan-id forward-time global configuration command.
Configuring the Maximum-Aging Time for a VLAN
Beginning in privileged EXEC mode, follow these steps to configure the STP maximum-aging time for a VLAN:
Command Purpose...
Chapter 10 Configuring STP Configuring Advanced STP Features
Configuring BPDU Guard
When the BPDU guard feature is enabled on the switch, STP shuts down Port Fast-enabled interfaces that receive BPDUs rather than putting them into the blocking state. The BPDU guard feature works on Port Fast-enabled interfaces.
Caution: Configure Port Fast only on interfaces that connect to end stations;...
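Added example, not from the guide: the BPDU guard procedure beside the weak configuration it replaces, plus root guard for the service-provider case described under Understanding Root Guard. Interface numbers are assumed; the global spanning-tree portfast bpduguard default form and the errdisable recovery command are assumed to be the spelling used by this release, so confirm them in the command reference before pasting.

```cisco
! Added example (not from the guide). Interface numbers are assumed; the
! "bpduguard default" and "errdisable recovery" spellings are assumed.
!
! Weak: Port Fast on an end-station port with BPDU guard left disabled
! (the default in Table 10-3). An unmanaged switch plugged in here injects
! BPDUs and, with a low enough bridge ID, becomes root for the VLAN.
Switch# configure terminal
Switch(config)# interface fastethernet0/5
Switch(config-if)# switchport mode access
Switch(config-if)# spanning-tree portfast
Switch(config-if)# exit
!
! Hardened: any Port Fast port that receives a BPDU is shut down
! (error-disabled) instead of being allowed into the topology.
Switch(config)# spanning-tree portfast bpduguard default
!
! Port toward a switch you do not administer (customer switch, SP scenario):
! STP keeps running, but the far side can never become root. A superior BPDU
! puts the port into root-inconsistent (blocking) state until it stops.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# spanning-tree guard root
Switch(config-if)# exit
!
! Optional: let BPDU-guard shutdowns recover on their own once the offending
! device is gone. Without this the port stays down until an operator clears it.
Switch(config)# errdisable recovery cause bpduguard
Switch(config)# end
!
! Verify which features are on and which ports are currently held
Switch# show spanning-tree summary
Switch# show spanning-tree inconsistentports
```

BPDU guard and root guard answer different questions: BPDU guard says "no switch belongs here at all", root guard says "a switch may be here, but it may not win". Put the first on end-station ports and the second on links to equipment outside your administrative control.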
Configuring UplinkFast for Use with Redundant Links
UplinkFast increases the switch priority to 49152 and adds 3000 to the STP path cost only if the port used the default path cost before you enabled UplinkFast, making it unlikely that the switch will become the root switch.
Configuring Cross-Stack UplinkFast
Before enabling CSUF, make sure your stack switches are properly connected. For more information, see the "Connecting the Stack Ports" section on page 10-16. Beginning in privileged EXEC mode, follow these steps to enable CSUF:
Command Purpose
Step 1...
Configuring BackboneFast
You can enable BackboneFast to detect indirect link failures and to start the spanning-tree reconfiguration sooner.
Note: If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs.
Enabling EtherChannel Guard
Use the EtherChannel guard feature to detect a misconfigured EtherChannel when Catalyst 3550 switch interfaces are configured as an EtherChannel while interfaces on the remote device are not, or not all the interfaces on the remote device are in the same EtherChannel.
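Added example, not from the guide: UplinkFast, BackboneFast and EtherChannel guard enabled on the two classes of switch that need them, following the placement rules the guide gives (UplinkFast on access switches with a blocked redundant uplink, BackboneFast on every switch). Which switch plays which role, and the verification commands, are assumed.

```cisco
! Added example (not from the guide). Switch roles are assumed.
!
! --- Access switch: has a redundant uplink that STP blocks ---
Switch# configure terminal
! UplinkFast sets this switch's priority to 49152 and adds 3000 to default
! path costs, so it cannot become root. Never enable it on backbone or
! distribution switches, which should be able to win the root election.
Switch(config)# spanning-tree uplinkfast
! BackboneFast must be on everywhere, so the access switch gets it too.
Switch(config)# spanning-tree backbonefast
Switch(config)# end
!
! --- Distribution and backbone switches ---
Switch# configure terminal
Switch(config)# spanning-tree backbonefast
! Detect a channel that is bundled on this side but not (or not the same
! way) on the peer; the mismatched ports are error-disabled instead of
! looping traffic.
Switch(config)# spanning-tree etherchannel guard misconfig
Switch(config)# end
!
! Verify
Switch# show spanning-tree summary
Switch# show spanning-tree uplinkfast
Switch# show spanning-tree backbonefast
```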
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release and the Cisco IOS Network Protocols Command Reference, Part 1, for Release 12.1.
Chapter 11 Configuring IGMP Snooping and MVR Understanding IGMP Snooping
the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.
Figure 11-1 Initial IGMP Join Message (figure: Router A, an IGMP report for 224.1.2.3, the VLAN switching engine and forwarding table, Hosts 1 through 4)
Router A sends a general query to the switch, which forwards the query to ports 2 through 5, all members of the same VLAN.
Configuring IGMP Snooping
Note: You should only use the Immediate-Leave processing feature on VLANs where a single host is connected to each port. If Immediate Leave is enabled in VLANs where more than one host is connected to a port, some hosts might be inadvertently dropped.
• Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets
• Listening to Cisco Group Management Protocol (CGMP) packets from other routers
• Statically connecting to a multicast router port with the ip igmp snooping mrouter global...
Beginning in privileged EXEC mode, follow these steps to alter the method in which a VLAN interface dynamically accesses a multicast router:
Step 1 configure terminal: Enter global configuration mode.
Step 2 ip igmp snooping vlan vlan-id mrouter: Enable IGMP snooping on a VLAN.
Step 4 show ip igmp snooping mrouter [vlan vlan-id]: Verify that IGMP snooping is enabled on the VLAN interface.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To remove a multicast router port from the VLAN, use the no ip igmp snooping vlan vlan-id mrouter interface interface-id global configuration command.
Enabling IGMP Immediate-Leave Processing
When you enable IGMP Immediate-Leave processing, the switch immediately removes a port when it detects an IGMP version 2 leave message on that port. You should use the Immediate-Leave feature only when there is a single receiver present on every port in the VLAN.
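Added example, not from the guide: IGMP snooping on one VLAN with a statically defined multicast router port and Immediate Leave, covering the mrouter and Immediate-Leave procedures above. The VLAN and interface numbers are assumed.

```cisco
! Added example (not from the guide). VLAN and interface numbers are assumed.
Switch# configure terminal
! Snooping is globally enabled by default (the show output below says so);
! making both the global and per-VLAN setting explicit documents intent.
Switch(config)# ip igmp snooping
Switch(config)# ip igmp snooping vlan 20
!
! The uplink to the multicast router: define it statically so the switch
! keeps forwarding reports upstream even if it never hears PIM, DVMRP or
! CGMP on that port.
Switch(config)# ip igmp snooping vlan 20 mrouter interface gigabitethernet0/1
!
! Immediate Leave: only where exactly one receiver sits behind every port of
! the VLAN. With two receivers on a port, a Leave from one cuts the stream
! for both until the next report.
Switch(config)# ip igmp snooping vlan 20 immediate-leave
Switch(config)# end
!
! Verify: the VLAN must show snooping enabled and Gi0/1 must be listed as
! the (static) multicast router port.
Switch# show ip igmp snooping vlan 20
Switch# show ip igmp snooping mrouter vlan 20
!
! Undo the static router port
Switch(config)# no ip igmp snooping vlan 20 mrouter interface gigabitethernet0/1
```

A statically pinned mrouter port also limits who can claim to be the router: a host on an access port that sends PIM hellos is otherwise a candidate for being learned as a multicast router port and receiving every group's reports.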
Displaying IGMP Snooping Information
Table 11-4 Commands for Displaying IGMP Snooping Information
show ip igmp snooping [vlan vlan-id]: Display the snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN.
This is an example of output from the show ip igmp snooping privileged EXEC command for a specific VLAN interface:
Switch# show ip igmp snooping vlan 1
vlan 1
----------
IGMP snooping is globally enabled
IGMP snooping is disabled on this Vlan...
Understanding Multicast VLAN Registration
Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service provider network (for example, the broadcast of multiple television channels over a service-provider network).
Enable the Immediate Leave feature only on receiver ports to which a single receiver device is connected.
Figure 11-3 Multicast VLAN Registration Example (figure: a multicast VLAN, a Cisco router, a multicast server and a Catalyst 3550 switch)...
Configuring MVR
MVR eliminates the need to duplicate television-channel multicast traffic for subscribers in each VLAN. Multicast traffic for all channels is sent around the VLAN trunk only once, on the multicast VLAN. Although the IGMP leave and join message in the VLAN to which the subscriber port is assigned.
Step 6 mvr mode {dynamic | compatible}: (Optional) Specify the MVR mode of operation:
• dynamic: Allows dynamic MVR membership on source ports.
• compatible: Is compatible with Catalyst 3500 XL and Catalyst 2900 XL switches and does not support IGMP dynamic joins on source ports.
Step 4 mvr type {source | receiver}: Configure an MVR port as one of these:
• source: Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN.
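Added example, not from the guide: an end-to-end MVR configuration for one uplink and one subscriber port, using the mvr mode and mvr type steps above. The group addresses, VLAN IDs and ports are assumed, and so is the interface-level mvr vlan ... group form used for a static membership.

```cisco
! Added example (not from the guide). Groups, VLAN IDs and ports are assumed.
Switch# configure terminal
Switch(config)# mvr
! The single multicast VLAN that carries every channel once
Switch(config)# mvr vlan 100
! Two consecutive channel groups starting at 239.255.0.1
Switch(config)# mvr group 239.255.0.1 2
! dynamic: subscribers join and leave with IGMP; compatible only for mixed
! stacks with 3500 XL / 2900 XL switches
Switch(config)# mvr mode dynamic
!
! Uplink toward the multicast server or router. Subscribers must never be
! connected here: a source port is a member of the multicast VLAN itself.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# mvr type source
Switch(config-if)# exit
!
! Subscriber port in its own access VLAN. One set-top box per port, so
! Immediate Leave is safe on this receiver port.
Switch(config)# interface fastethernet0/10
Switch(config-if)# switchport access vlan 30
Switch(config-if)# mvr type receiver
Switch(config-if)# mvr immediate
! Optional static membership: the port gets the channel without an IGMP join
! (interface-level syntax assumed)
Switch(config-if)# mvr vlan 100 group 239.255.0.1
Switch(config-if)# end
!
! Verify
Switch# show mvr
Switch# show mvr interface
Switch# show mvr members
```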
Displaying MVR Information
This is an example of output from the show mvr interface privileged EXEC command when the member keyword is included:
Switch# show mvr interface gigabitethernet0/6 member
239.255.0.0 DYNAMIC ACTIVE
239.255.0.1 DYNAMIC ACTIVE
239.255.0.2 DYNAMIC ACTIVE...
This is an example of output from the show mvr interface privileged EXEC command:
Switch# show mvr interface
Port    Type     Status       Immediate Leave
----    ----     -------      ---------------
Gi0/1   SOURCE   ACTIVE/UP    DISABLED
Gi0/2   SOURCE...
Configuring IGMP Filtering
In some environments, for example metropolitan or multiple-dwelling unit (MDU) installations, an administrator might want to control the set of multicast groups to which a user on a switch port can belong.
Beginning in privileged EXEC mode, follow these steps to create an IGMP profile:
Step 1 configure terminal: Enter global configuration mode.
Step 2 ip igmp profile profile number: Enter IGMP profile configuration mode, and assign a number to the profile you are configuring.
Applying IGMP Profiles
To control access as defined in an IGMP profile, use the ip igmp filter interface configuration command to apply the profile to the appropriate interfaces. You can apply IGMP profiles to Layer 2 ports only; you cannot apply IGMP profiles to routed ports or SVIs.
Setting the Maximum Number of IGMP Groups
You can set the maximum number of IGMP groups that a Layer 2 interface can join. Use the no form of this command to set the maximum back to the default, which is no limit. This restriction can be applied to Layer 2 ports only;...
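Added example, not from the guide: an IGMP profile, its application to a Layer 2 port, and a group cap on the same port, covering the three procedures above (create a profile, apply it, set the maximum). The group ranges, profile numbers and port are assumed.

```cisco
! Added example (not from the guide). Group ranges, profile numbers and the
! port are assumed.
Switch# configure terminal
!
! Profile 4: an allow-list. "permit" makes the listed range the only groups
! the port may join; every other join report is dropped.
Switch(config)# ip igmp profile 4
Switch(config-igmp-profile)# permit
Switch(config-igmp-profile)# range 239.255.1.1 239.255.1.20
Switch(config-igmp-profile)# exit
!
! Profile 5: the opposite shape, a block-list of one group with everything
! else allowed.
Switch(config)# ip igmp profile 5
Switch(config-igmp-profile)# deny
Switch(config-igmp-profile)# range 239.255.1.99
Switch(config-igmp-profile)# exit
!
! Apply to a Layer 2 access port only (not to a routed port or an SVI), and
! cap the number of simultaneous groups so one subscriber cannot pull every
! channel through the uplink.
Switch(config)# interface fastethernet0/10
Switch(config-if)# switchport mode access
Switch(config-if)# ip igmp filter 4
Switch(config-if)# ip igmp max-groups 5
Switch(config-if)# end
!
! Verify the profile and the port's settings
Switch# show ip igmp profile 4
Switch# show running-config interface fastethernet0/10
!
! Remove the filter and the cap (the cap returns to "no limit")
Switch(config-if)# no ip igmp filter
Switch(config-if)# no ip igmp max-groups
```

Profiles only filter IGMP control messages; a port with no profile and no group cap can join as many groups as it asks for, which on a shared uplink is a bandwidth exhaustion vector as much as a billing one.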
Displaying IGMP Filtering Configuration
You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface. Beginning in privileged EXEC mode, use the commands in Table 11-8 to display IGMP filtering...
Chapter 12 Configuring Port-Based Traffic Control
This chapter describes how to configure the port-based traffic control features on your switch.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.
Configuring Storm Control
Note: When the rate of multicast traffic exceeds a set threshold, all incoming traffic (broadcast, multicast, and unicast) is dropped until the level drops below the threshold level. Only spanning-tree packets are forwarded.
Note: Before IOS Release 12.1(8)EA1, you set up storm control threshold values by using the switchport broadcast, switchport multicast, and switchport unicast interface configuration commands. These commands are now obsolete, replaced by the storm-control interface configuration commands.
Default Storm Control Configuration
By default, unicast, broadcast, and multicast storm control is disabled on the switch; that is, the suppression level is 100 percent.
Step 7 show storm-control [interface-id] [broadcast | multicast | unicast]: Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed.
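Added example, not from the guide: the default (no suppression) state beside per-type thresholds on an access port, with the verification command from Step 7. The threshold values and the interface are assumed and should be tuned to the port's normal load.

```cisco
! Added example (not from the guide). Thresholds and the interface are assumed.
!
! Default: suppression level 100 percent for every traffic type, so a looped
! or misbehaving host can fill the port with broadcasts and nothing is
! dropped.
!
! Hardened: a threshold per traffic type, as a percentage of port bandwidth.
Switch# configure terminal
Switch(config)# interface fastethernet0/7
! Broadcast: ARP and DHCP rarely need more than a few percent on an access port
Switch(config-if)# storm-control broadcast level 10
! Multicast: see the Note above. While a multicast storm is being suppressed
! ALL inbound traffic on the port except STP is dropped, so set this one
! generously unless the port is known to carry little multicast.
Switch(config-if)# storm-control multicast level 50
! Unicast: catches unknown-unicast flooding from a host scanning the subnet
Switch(config-if)# storm-control unicast level 80
Switch(config-if)# end
!
! Verify. With no traffic-type keyword only the broadcast settings appear,
! so ask for each type explicitly.
Switch# show storm-control fastethernet0/7
Switch# show storm-control fastethernet0/7 multicast
Switch# show storm-control fastethernet0/7 unicast
!
! Return one type to the 100 percent default
Switch(config-if)# no storm-control broadcast level
```

Storm control is a blunt rate limit with no notion of who is sending; it keeps a storm from taking the switch down but does not identify the host, which is what the port security counters in this chapter are for.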
Configuring Protected Ports
Some applications require that no traffic be forwarded between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.
This example shows how to configure Gigabit Ethernet interface 0/3 as a protected port and verify the configuration:
Switch# configure terminal
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# switchport protected
Switch(config-if)# end
Switch# show interfaces gigabitethernet0/3 switchport
Name: Gi0/3
Switchport: Enabled
<output truncated>...
Configuring Port Blocking
To return the interface to the default condition where no traffic is blocked, use the no switchport block {multicast | unicast} interface configuration commands. This example shows how to block unicast and multicast flooding on Gigabit Ethernet interface 0/1 and verify the configuration:
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1...
Configuring Port Security
You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.
Default Port Security Configuration
Table 12-1 shows the default port security configuration for an interface.
Table 12-1 Default Port Security Configuration
Port security: Disabled on a port.
Maximum number of secure MAC addresses: 1.
Violation mode: Shutdown.
Step 6 switchport port-security violation {protect | restrict | shutdown}: (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:
•...
This example shows how to configure a secure MAC address on Fast Ethernet port 12 and verify the configuration.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet0/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security...
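Added example, not from the guide: port security on a port that must carry two known stations, with the three violation modes from Step 6 compared in place. The MAC address and the interface are assumed.

```cisco
! Added example (not from the guide). The MAC address and port are assumed.
Switch# configure terminal
Switch(config)# interface fastethernet0/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
!
! Default maximum is a single address. This port has a phone with a PC
! behind it, so allow two; a third source address is a violation.
Switch(config-if)# switchport port-security maximum 2
!
! Pin the phone's address statically; the PC's is learned dynamically and
! fills the remaining slot.
Switch(config-if)# switchport port-security mac-address 0000.0c12.3456
!
! Violation modes:
!   protect  - frames from unknown sources are dropped silently; nothing is
!              logged or counted, so you never learn it happened
!   restrict - frames are dropped AND the violation counter increments with
!              a notification, while the port stays up
!   shutdown - the port is error-disabled (the default); loudest, but an
!              attacker can use it to knock a port offline on purpose
! restrict keeps the legitimate stations working and still leaves evidence.
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# end
!
! Verify: port status should be SecureUp, the address count 2, and the
! violation counter should rise when a third MAC appears on the port.
Switch# show port-security interface fastethernet0/12
Switch# show port-security address
```

Port security identifies stations by source MAC only, which any host can forge; it stops an extra unmanaged device from appearing on a port, not a deliberate impersonation of an allowed one.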
Displaying Port-Based Traffic Control Settings
This is an example of output from the show interfaces switchport privileged EXEC command:
Switch# show interfaces gigabitethernet0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On...
This is an example of output from the show storm-control command when no keywords are entered. Because no traffic type keyword was entered, the broadcast storm control settings are displayed.
Switch# show storm-control
Interface  Filter State...
Understanding CDP
CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
Chapter 13 Configuring CDP Configuring CDP
Step 6 show cdp: Verify configuration by displaying global information about CDP on the device.
Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Use the no form of the CDP commands to return to the default settings. This example shows how to configure and verify CDP characteristics.
This example shows how to enable CDP if it has been disabled.
Switch# configure terminal
Switch(config)# cdp run
Switch(config)# end
Disabling and Enabling CDP on an Interface
CDP is enabled by default on all supported interfaces to send and receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface:
Command Purpose...
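Added example, not from the guide: keeping CDP on a managed uplink while disabling it on every user-facing port, using the per-interface procedure above. Interface numbers are assumed, as is support for the interface range command in this release.

```cisco
! Added example (not from the guide). Interface numbers and "interface range"
! support are assumed.
!
! CDP tells any neighbor the device type, the SNMP agent address and, as the
! show cdp neighbors detail output later in this chapter shows, the exact IOS
! image and version. On an access port that is a free inventory for whoever
! plugs in.
Switch# configure terminal
Switch(config)# interface range fastethernet0/1 - 24
Switch(config-if-range)# no cdp enable
Switch(config-if-range)# exit
!
! Uplink to a switch you administer: keep it, since network management and
! the cluster features depend on it.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# cdp enable
Switch(config-if)# end
!
! Verify: the Fast Ethernet ports must no longer appear in the list of
! interfaces sending CDP packets, and only Gi0/1 should show neighbors.
Switch# show cdp interface
Switch# show cdp neighbors detail
```

Disabling CDP per interface is preferable to no cdp run globally when the switch is a cluster member or is managed through CMS, both of which rely on CDP on the uplinks.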
Monitoring and Maintaining CDP
To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.
clear cdp counters: Reset the traffic counters to zero.
clear cdp table: Delete the CDP table of information about neighbors.
Version :
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Experimental Version 12.1(20010612:021316) [jang-flamingo 120]
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Fri 06-Jul-01 18:18 by jang
advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=0000000...
Switch# show cdp interface
GigabitEthernet0/1 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet0/2 is up, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds
GigabitEthernet0/3 is administratively down, line protocol is down...
Chapter 14 Configuring UDLD
This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on your switch.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.
Understanding UDLD
UDLD operates by using two mechanisms:
• Neighbor database maintenance
UDLD learns about other UDLD-capable neighbors by periodically sending a hello packet (also called an advertisement or probe) on every active interface to keep each device informed about its neighbors.
Configuring UDLD
This section describes how to configure UDLD on your switch. It contains this configuration information:
• Default UDLD Configuration, page 14-3
• Enabling UDLD Globally, page 14-3
• Enabling UDLD on an Interface, page 14-4
•...
To disable UDLD globally on fiber-optic interfaces, use the no udld enable global configuration command.
Enabling UDLD on an Interface
Beginning in privileged EXEC mode, follow these steps to enable UDLD on an interface:
Command Purpose
Step 1...
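Added example, not from the guide: UDLD enabled globally for the fiber-optic interfaces and per interface for one copper uplink, with the status check from Displaying UDLD Status. Interface numbers are assumed; because the interface procedure is cut off above, the interface-level command is assumed to be udld enable (the same keyword as the global form, which later releases spell udld port), and the udld reset command is assumed to be available, so confirm both in the command reference.

```cisco
! Added example (not from the guide). Interface numbers are assumed; the
! interface-level "udld enable" spelling and "udld reset" are assumed.
Switch# configure terminal
! Global: turns UDLD on for every fiber-optic interface, where a single
! broken strand leaves the link "up" in one direction only. Without UDLD,
! STP on the far side stops hearing BPDUs and may unblock a port, forming a
! loop that storm control then has to absorb.
Switch(config)# udld enable
!
! Per interface: needed for copper uplinks, which the global form does not
! cover, or to force UDLD on regardless of the global setting.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# udld enable
Switch(config-if)# end
!
! Verify: each port shows its neighbor's device ID and whether the link
! state is bidirectional.
Switch# show udld gigabitethernet0/1
Switch# show udld
!
! After replacing a faulty cable, bring ports that UDLD error-disabled back
Switch# udld reset
```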
Displaying UDLD Status
To display the UDLD status for the specified interface or for all interfaces, use the show udld [interface-id] privileged EXEC command.
Catalyst 3550 Multilayer Switch Software Configuration Guide 14-5 78-11194-03
Chapter 15 Configuring SPAN
This chapter describes how to configure Switch Port Analyzer (SPAN) on your switch.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release.
This chapter consists of these sections:
• Understanding SPAN, page 15-1
•...
Figure 15-1 Example SPAN Configuration (figure: a 12-port switch with port 5 traffic mirrored on port 10, to which a network analyzer is attached)
Only traffic that enters or leaves source ports or traffic that enters source VLANs can be monitored by using SPAN;...
You can configure SPAN sessions on disabled ports; however, a SPAN session does not become active unless you enable the destination port and at least one source port or VLAN for that session. The show monitor session session_number privileged EXEC command displays the operational status of a SPAN session.
Source Port
A source port (also called a monitored port) is a switched or routed port that you monitor for network traffic analysis. In a single SPAN session, you can monitor source port traffic such as received (Rx), transmitted (Tx), or bidirectional (both);...
• Cisco Discovery Protocol (CDP): A SPAN destination port does not participate in CDP while the SPAN session is active. After the SPAN session is disabled, the port again participates in CDP.
Configuring SPAN
• VLAN and trunking: You can modify VLAN membership or trunk settings for source and destination ports at any time. However, changes in VLAN membership or trunk settings for a destination port do not take effect until you disable the SPAN session. Changes in VLAN membership or trunk settings for a source port immediately take effect, and the respective SPAN sessions automatically adjust accordingly.
Default SPAN Configuration
Table 15-1 shows the default SPAN configuration. This release supports only local SPAN; remote SPAN (RSPAN) is not supported.
Table 15-1 Default SPAN Configuration
SPAN state: Disabled
Source port traffic to monitor: Both received and sent traffic (both)
Note: Only received traffic can be monitored on source...
• The no monitor session session_number global configuration command removes a source or destination port from the SPAN session or removes a source VLAN from the SPAN session. If you do not specify any options following the no monitor session session_number command, the entire SPAN session is removed.
Step 4 monitor session session_number destination interface interface-id [encapsulation {dot1q | isl}]: Specify the SPAN session and the destination port (monitoring port). For session_number, specify 1 or 2. For interface-id, specify the destination port. Valid interfaces include physical interfaces.
Removing Ports from a SPAN Session
Beginning in privileged EXEC mode, follow these steps to remove a port as a SPAN source for a session:
Step 1 configure terminal: Enter global configuration mode.
Step 2 no monitor session session_number source: Specify the characteristics of the source port (monitored port) and...
This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional monitoring:
Switch(config)# no monitor session 1 source interface gigabitethernet0/1 rx
The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored.
This example shows how to clear any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination port 7.
Step 7 show monitor [session session_number]: Verify your entries.
Step 8 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To monitor all VLANs on the trunk port, use the no monitor session session_number filter global configuration command.
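Added example, not from the guide: a complete local SPAN session that mirrors two uplinks and one VLAN to a port carrying an intrusion detection sensor, then the partial and full removal forms described above. The port and VLAN numbers are assumed; the session numbers and keywords are the ones the procedures in this chapter list.

```cisco
! Added example (not from the guide). Ports and VLAN numbers are assumed.
Switch# configure terminal
!
! Start from a clean session so that a source left over from an earlier
! configuration is not silently mirrored as well.
Switch(config)# no monitor session 1
!
! Sources: both directions on the two uplinks; received traffic only on the
! VLAN, since only received traffic can be monitored on a source VLAN.
Switch(config)# monitor session 1 source interface gigabitethernet0/1 both
Switch(config)# monitor session 1 source interface gigabitethernet0/2 both
Switch(config)# monitor session 1 source vlan 20 rx
!
! Destination: the sensor port. While the session is active the port does
! not take part in CDP, and the sensor sees copies, not a switched path.
Switch(config)# monitor session 1 destination interface gigabitethernet0/12
Switch(config)# end
!
! Verify that the session is active and lists exactly these sources
Switch# show monitor session 1
!
! Later: stop mirroring the VLAN but keep the uplinks ...
Switch(config)# no monitor session 1 source vlan 20
! ... or remove the whole session
Switch(config)# no monitor session 1
```

Remember that the destination port must be up for the session to become active, and that the sensor receives every frame in the clear; treat the cable to it as part of the monitored network's trust boundary.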
Chapter 16 Configuring RMON
This chapter describes how to configure Remote Network Monitoring (RMON) on your switch.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
Default RMON Configuration
RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch.
Configuring RMON Alarms and Events
You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station.
Step 3 rmon event number [log] [trap community] [description string] [owner string]: Add an event in the RMON event table that is associated with an RMON event number.
• For number, assign an event number. The range is 1 to 65535.
Configuring RMON Collection on an Interface
You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface:
Command Purpose
Step 1...
Step 6 show rmon statistics: Display the contents of the switch statistics table.
Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To disable the collection of group Ethernet statistics, use the no rmon collection stats index interface configuration command.
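Added example, not from the guide: an RMON event and alarm pair that raises an SNMP trap and a log entry when a port's inbound error counter climbs, plus the statistics and history collection from the procedure above. The MIB object, interface index, thresholds and community string are assumed.

```cisco
! Added example (not from the guide). MIB object, ifIndex, thresholds and
! the community string are assumed.
Switch# configure terminal
!
! Event 1 is tied to the rising threshold, event 2 to the falling one.
! "log" writes to the RMON log table, "trap" sends an SNMP trap with the
! given community.
Switch(config)# rmon event 1 log trap public description "ifInErrors rising" owner netops
Switch(config)# rmon event 2 log description "ifInErrors back to normal" owner netops
!
! Alarm 10 samples ifInErrors (ifEntry.14) for ifIndex 1 every 30 seconds
! and compares the change between samples (delta) with the thresholds:
! more than 20 new errors in an interval fires event 1; a return to 0 fires
! event 2. Duplex mismatches, failing optics and hosts injecting malformed
! frames all show up here before anyone notices.
Switch(config)# rmon alarm 10 ifEntry.14.1 30 delta rising-threshold 20 1 falling-threshold 0 2 owner netops
!
! Keep per-port statistics and a history so the operator can look back at
! what the counters did around the time of the trap.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# rmon collection stats 1 owner netops
Switch(config-if)# rmon collection history 1 buckets 50 interval 300 owner netops
Switch(config-if)# end
!
! Verify
Switch# show rmon alarms
Switch# show rmon events
Switch# show rmon statistics
Switch# show rmon history
```

The trap community string travels in clear text in SNMPv1 traps, so treat it as a name, not a secret, and restrict which hosts may read RMON tables through the SNMP access configuration.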
Configuring System Message Logging This chapter describes how to configure system message logging on your switch. For complete syntax and usage information for the commands used in this chapter, refer to the Cisco Note IOS Configuration Fundamentals Command Reference for Release 12.1.
Chapter 17 Configuring System Message Logging Configuring System Message Logging
Configuring System Message Logging
This section describes how to configure system message logging. It contains this configuration information:
• System Log Message Format, page 17-2
• Default System Message Logging Configuration, page 17-3
• Disabling and Enabling Message Logging, page 17-4
• ...
Table 17-1 System Log Message Elements (continued)
MNEMONIC: Text string that uniquely describes the message.
description: Text string containing detailed information about the event being reported.
This example shows a partial switch system message:
00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
...
Disabling and Enabling Message Logging
Message logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.
Step 3: logging host
    Purpose: Log messages to a UNIX syslog server host. For host, specify the name or IP address of the host to be used as the syslog server.
Synchronizing Log Messages
You can configure the system to synchronize unsolicited messages and debug privileged EXEC command output with solicited device output and prompts for a specific console port line or virtual terminal line.
Step 5: show running-config
    Purpose: Verify your entries.
Step 6: copy running-config startup-config
    Purpose: (Optional) Save your entries in the configuration file.
To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.
Enabling and Disabling Sequence Numbers in Log Messages
Because there is a chance that more than one log message can have the same timestamp, you can display messages with sequence numbers so that you can unambiguously refer to a single message. By default, sequence numbers in log messages are not displayed.
Step 6: show running-config, show logging
    Purpose: Verify your entries.
Step 7: copy running-config startup-config
    Purpose: (Optional) Save your entries in the configuration file.
Note: Specifying a level causes messages at that level and numerically lower levels to be displayed at the destination.
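As an added example (not code from the guide), the parser below reads the %FACILITY-SEVERITY-MNEMONIC message format shown in Table 17-1 and applies the rule in the Note: a destination configured for a given level receives messages at that level and numerically lower levels. The sample lines are constructed from the messages quoted in this chapter; the "sequence: timestamp: %..." layout assumed for sequence-numbered lines and the %SYS-5-CONFIG_I line are assumptions, not taken from this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity levels as numbered by the switch: lower number = more severe.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational",
                  7: "debugging"}

# Message body: %FACILITY-SEVERITY-MNEMONIC: description
_BODY_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
    r"\s*(?P<description>.*)$")
# Assumed layout when sequence numbers are enabled: "seq: timestamp: %..."
_SEQ_RE = re.compile(r"^(?P<seq>\d+):\s+(?P<rest>.*)$")


@dataclass
class SysMessage:
    seq: Optional[int]
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    description: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_message(line: str) -> Optional[SysMessage]:
    """Parse one switch system message; return None if the line is not one."""
    pct = line.find("%")
    if pct < 0:
        return None
    body = _BODY_RE.match(line[pct:])
    if not body:
        return None
    # Everything before '%' is the optional sequence number and timestamp.
    prefix = line[:pct].rstrip().rstrip(":")
    seq = None
    seq_match = _SEQ_RE.match(prefix)
    if seq_match:
        seq = int(seq_match.group("seq"))
        prefix = seq_match.group("rest").rstrip(":")
    return SysMessage(seq=seq, timestamp=prefix.strip(),
                      facility=body.group("facility"),
                      severity=int(body.group("severity")),
                      mnemonic=body.group("mnemonic"),
                      description=body.group("description").strip())


def messages_for_level(lines: List[str], level: int) -> List[SysMessage]:
    """Messages a destination configured for `level` would receive: those
    whose severity number is less than or equal to the configured level."""
    kept = []
    for line in lines:
        msg = parse_message(line)
        if msg is not None and msg.severity <= level:
            kept.append(msg)
    return kept


# Constructed sample: the LINK messages quoted in this chapter, an ACL log
# message from the ACL chapter, and one assumed sequence-numbered message.
SAMPLE_LOG = [
    "00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up",
    "00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up",
    "01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> "
    "10.1.1.61 (0/0), 1 packet",
    "000019: 00:05:12: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for level in (4, 5, 7):
        shown = messages_for_level(SAMPLE_LOG, level)
        print(f"level {level} ({SEVERITY_NAMES[level]}): {len(shown)} messages")
```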
Limiting Syslog Messages Sent to the History Table and to SNMP
If you have enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table.
Step 1: Add a line such as the following to the file /etc/syslog.conf:
local7.debug /usr/adm/logs/cisco.log
The local7 keyword specifies the logging facility to be used; see Table 17-4 on page 17-12 for information on the facilities. The debug keyword specifies the syslog level; see Table 17-3 on page 17-9 for information on the severity levels.
To display the current logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
This chapter consists of these sections:
• Understanding SNMP, page 18-1
• ...
Chapter 18 Configuring SNMP Understanding SNMP
SNMP Versions
This software release supports these SNMP versions:
• SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.
• SNMPv2C, which has these features:
    – SNMPv2—Version 2 of the Simple Network Management Protocol, a Draft Internet Standard, defined in RFCs 1902 through 1907.
SNMP Agent Functions
The SNMP agent responds to SNMP manager requests as follows:
• Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value.
Chapter 18 Configuring SNMP Configuring SNMP
Figure 18-1 SNMP Network (SNMP Manager and a network device running the SNMP Agent; manager to agent: Get-request, Get-next-request, Get-bulk, Set-request; agent to manager: Get-response, traps)
For information on supported MIBs and how to access them, see Appendix A, “Supported MIBs.”
Configuring SNMP
This section describes how to configure SNMP on your switch. It contains this configuration information:
• Default SNMP Configuration, page 18-4
• ...
Disabling the SNMP Agent
Beginning in privileged EXEC mode, follow these steps to disable the SNMP agent:
Step 1: configure terminal
    Purpose: Enter global configuration mode.
Step 2: no snmp-server
    Purpose: Disable the SNMP agent operation.
Step 3: (command not captured)
    Purpose: Return to privileged EXEC mode.
Step 3: access-list access-list-number {deny | permit} source [source-wildcard]
    Purpose: (Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary.
(notification type not captured): Generates a trap for the SNMP Response Time Reporter (RTR).
SNMP: Generates a trap for SNMP-type notifications.
(notification type not captured): Sends Cisco enterprise-specific notifications when a Transmission Control Protocol (TCP) connection closes.
UDP-port: Sends notification of the User Datagram Protocol (UDP) port number of the host.
Beginning in privileged EXEC mode, follow these steps to configure the switch to send traps to a host:
Step 1: configure terminal
    Purpose: Enter global configuration mode.
Step 2: snmp-server host host-addr {traps | informs} {version {1
    Purpose: Specify the recipient of the trap message.
Setting the Agent Contact and Location Information
Beginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file:
Step 1...
Switch(config)# snmp-server enable traps entity
Switch(config)# snmp-server host cisco.com restricted entity
This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public:
Switch(config)# snmp-server enable traps
Switch(config)# snmp-server host myhost.cisco.com public
...
Note: Catalyst 3550 Multilayer Switch Command Reference for this release and the “Configuring IP Services” section of the Cisco IOS IP and IP Routing Configuration Guide and the Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1.
Chapter 19 Configuring Network Security with ACLs Understanding ACLs
Switches traditionally operate at Layer 2 only, switching traffic within a VLAN, whereas routers route traffic between VLANs. The Catalyst 3550 switch with the enhanced multilayer software image installed can accelerate packet routing between VLANs by using Layer 3 switching. The switch bridges the packet, the packet is then routed internally without going to an external router, and then the packet is bridged again to send it to its destination.
One ACL can be used with multiple features for a given interface, and one feature can use multiple ACLs. When a single router ACL is used by multiple features, it is examined multiple times.
• ...
With VLAN maps, forwarding of packets is permitted or denied, based on the action specified in the map. Figure 19-2 illustrates how a VLAN map is applied to deny a specific type of traffic from Host A in VLAN 10 from being forwarded.
Cisco routers. The process is briefly described here. For more detailed information on configuring router ACLs, refer to the “Configuring IP Services” chapter in the Cisco IP and IP Routing Configuration Guide for IOS Release 12.1. For detailed information about the commands, refer to Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1.
Chapter 19 Configuring Network Security with ACLs Configuring Router ACLs
These factors can cause packets to be sent to the CPU:
• Using the log keyword
• Enabling ICMP unreachables
• Hardware reaching its capacity to store ACL configurations
If ACLs cause large numbers of packets to be sent to the CPU, the switch performance can be negatively affected.
These are the steps to use ACLs:
Step 1: Create an ACL by specifying an access list number or name and access conditions.
Step 2: Apply the ACL to interfaces or terminal lines. You can also apply standard and extended IP ACLs to VLAN maps.
Table 19-1 Access List Numbers (continued)
Access List Number: Type Supported
1300–1999: IP standard access list (expanded range)
2000–2699: IP extended access list (expanded range)
Note: In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs using the supported numbers.
Note: When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny statement for all packets that it did not find a match for before reaching the end. With standard access lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be the mask.
2. ICMP echo-reply cannot be filtered. All other ICMP codes or types can be filtered.
3. No support for type of service (TOS) minimize monetary cost bit.
For more details on the specific keywords relative to each protocol, refer to Cisco IP and IP Routing Command Reference for IOS Release 12.1.
Beginning in privileged EXEC mode, follow these steps to create an extended ACL:
Step 1: configure terminal
    Purpose: Enter global configuration mode.
Step 2a: access-list access-list-number {deny | permit} protocol
    Purpose: Define an extended IP access list and the access conditions. The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.
TCP port. To see TCP port names, use the ? or refer to the “Configuring IP Services” section of the Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1. Use only TCP port numbers or names when filtering TCP.
ICMP message type and code name. To see a list of ICMP message type names and ICMP message type and code names, use the ? or refer to the “Configuring IP Services” section of Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1.
Creating Named Standard and Extended ACLs
You can identify IP ACLs with an alphanumeric string (a name) rather than a number. You can use named ACLs to configure more IP access lists in a router than if you were to use numbered access lists. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different.
Beginning in privileged EXEC mode, follow these steps to create an extended ACL using names:
Step 1: configure terminal
    Purpose: Enter global configuration mode.
Step 2: ip access-list extended name
    Purpose: Define an extended IP access list using a name and enter access-list configuration mode.
and argument are referenced in the named and numbered extended ACL task tables in the previous sections, the “Creating Standard and Extended IP ACLs” section on page 19-6, and the “Creating Named Standard and Extended ACLs”...
Switch(config-time-range)# exit
Switch(config)# time-range thanksgiving_2000
Switch(config-time-range)# absolute start 00:00 22 Nov 2000 end 23:59 23 Nov 2000
Switch(config-time-range)# exit
Switch(config)# time-range christmas_2000
Switch(config-time-range)# absolute start 00:00 24 Dec 2000 end 23:50 25 Dec 2000
Switch(config-time-range)# end
Switch# show time-range
time-range entry: christmas_2000 (inactive)
Including Comments About Entries in ACLs
You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.
Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL:
Step 1: configure terminal
    Purpose: Enter global configuration mode.
Note: The ip access-group interface configuration command is only valid when applied to a Layer 3 interface: an SVI, a Layer 3 EtherChannel, or a routed port. The interface must have been configured with an IP address.
This is an example of output from the show access-lists privileged EXEC command, displaying all standard and extended ACLs:
Switch# show access-lists
Standard IP access list 1
    permit 172.20.10.10
Standard IP access list 10
    permit 12.12.12.12
Standard IP access list 12
    deny...
ACL Configuration Examples This section provides examples of configuring ACLs. For detailed information about compiling ACLs, refer to the Security Configuration Guide and the “IP Services” chapter of the Cisco IOS IP and IP Routing Configuration Guide for IOS Release 12.1.
Figure 19-3 Using Router ACLs to Control Traffic (Server A, Benefits, port 0/2; Server B, Payroll, port 0/3; Catalyst 3550 switch with enhanced multilayer software image; Human Resources 172.20.128.0-31; Accounting 172.20.128.64-95)
This example uses a standard ACL to filter traffic coming into Server B from port 0/3, permitting traffic only from Accounting’s source addresses 172.20.128.64 to 172.20.128.95.
Numbered ACLs
In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host.
The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits any ICMP traffic, denies UDP traffic from any source to the destination address range 171.69.0.0 through 179.69.255.255 with a destination port less than 1024, denies any other IP traffic, and provides a log of the result.
In this example of a named ACL, the Jones subnet is not allowed access:
Switch(config)# ip access-list standard prevention
Switch(config-std-nacl)# remark Do not allow Jones subnet through
Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.255
In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet:
Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
...
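The following Python is an added example, not configuration from the guide: it evaluates a standard IP ACL the way the sections above describe, with wildcard masks, first-match ordering, remark lines treated as comments, an omitted mask taken as 0.0.0.0, and the implicit deny at the end. The Accounting entry is derived from the Figure 19-3 description (172.20.128.64 through 172.20.128.95); the prevention ACL is the named example above with a constructed final permit any; the single-host entry mirrors access list 1 in the show access-lists output.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_for(network: str) -> Tuple[str, str]:
    """Give the 'address wildcard' pair for a CIDR block, e.g. the Accounting
    range 172.20.128.64-95 (172.20.128.64/27) becomes 172.20.128.64 0.0.0.31."""
    net = ipaddress.IPv4Network(network, strict=True)
    return str(net.network_address), str(net.hostmask)


@dataclass(frozen=True)
class StdEntry:
    action: str      # "permit" or "deny"
    source: int      # source address as a 32-bit integer
    wildcard: int    # wildcard mask: set bits are "don't care"

    def matches(self, src: str) -> bool:
        # Bits that are 0 in the wildcard must agree with the entry's address.
        care = ~self.wildcard & 0xFFFFFFFF
        return (_ip_int(src) & care) == (self.source & care)


def parse_std_entry(text: str) -> StdEntry:
    """Parse 'permit|deny {source [wildcard] | host address | any}'.
    As the chapter notes, an omitted wildcard means 0.0.0.0 (one host)."""
    parts = text.split()
    if len(parts) < 2 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {text!r}")
    action = parts[0]
    if parts[1] == "any":
        return StdEntry(action, 0, 0xFFFFFFFF)
    if parts[1] == "host":
        return StdEntry(action, _ip_int(parts[2]), 0)
    wildcard = parts[2] if len(parts) > 2 else "0.0.0.0"
    return StdEntry(action, _ip_int(parts[1]), _ip_int(wildcard))


class StandardAcl:
    """Ordered entries evaluated top to bottom; the first match decides, and
    a source that matches no entry hits the implicit deny at the end."""

    def __init__(self, name: str, lines: List[str]):
        self.name = name
        # remark lines are comments (at most 100 characters) and match nothing
        self.entries = [parse_std_entry(line) for line in lines
                        if not line.startswith("remark")]

    def evaluate(self, src: str) -> Tuple[str, Optional[int]]:
        """Return (action, index of the matching entry; None = implicit deny)."""
        for index, entry in enumerate(self.entries):
            if entry.matches(src):
                return entry.action, index
        return "deny", None


# Accounting filter derived from the Figure 19-3 description: permit only
# source addresses 172.20.128.64 through 172.20.128.95 (wildcard 0.0.0.31).
ACCOUNTING_ACL = StandardAcl("1", ["permit 172.20.128.64 0.0.0.31"])

# The named ACL 'prevention' from the example above, with a constructed
# final 'permit any' so that sources outside the Jones subnet pass.
PREVENTION_ACL = StandardAcl("prevention", [
    "remark Do not allow Jones subnet through",
    "deny 171.69.0.0 0.0.255.255",
    "permit any",
])

# A single-host entry with the wildcard omitted, as in the show access-lists
# output above: access list 1 permits 172.20.10.10 only.
HOST_ONLY_ACL = StandardAcl("1", ["permit 172.20.10.10"])

if __name__ == "__main__":
    for src in ("172.20.128.64", "172.20.128.95", "172.20.128.96"):
        print(src, ACCOUNTING_ACL.evaluate(src))
```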
Chapter 19 Configuring Network Security with ACLs Configuring VLAN Maps
This is an example of a log for an extended ACL:
01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet
01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets
01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) ->...
Step 4: Use the vlan filter global configuration command to apply a VLAN map to one or more VLANs.
This section contains these topics:
• VLAN Map Configuration Guidelines, page 19-28
• ...
Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:
Step 1: configure terminal
    Purpose: Enter global configuration mode.
Step 2: mac access-list extended name
    Purpose: Define an extended MAC access list using a name.
Creating a VLAN Map
Each VLAN map consists of an ordered series of entries. Beginning in privileged EXEC mode, follow these steps to create, add to, or delete a VLAN map entry:
Step 1...
This example shows how to create a VLAN map to permit a packet. ACL ip2 permits UDP packets and any packets that match the ip2 ACL are forwarded.
Switch(config)# ip access-list extended ip2
Switch(config-ext-nacl)# permit udp any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map_1 20
...
Switch(config)# mac access-list extended good-hosts
Switch(config-ext-macl)# permit host 000.0c00.0111 any
Switch(config-ext-macl)# permit host 000.0c00.0211 any
Switch(config-ext-nacl)# exit
Switch(config)# mac access-list extended good-protocols
Switch(config-ext-macl)# permit any any decnet-ip
Switch(config-ext-macl)# permit any any vines-ip
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map drop-mac-default 10
Switch(config-access-map)# match mac address good-hosts
...
Displaying VLAN Map Information
You can display information about VLAN access maps or VLAN filters. Use the privileged EXEC commands in Table 19-4 to display VLAN map information.
Table 19-4 Commands for Displaying VLAN Map Information
show vlan access-map [mapname]...
Wiring Closet Configuration
In a wiring closet configuration, the Catalyst 3550 switch might not be running the enhanced multilayer software image. In this configuration, the switch can still support a VLAN map and a QoS classification ACL.
Then, apply VLAN access map map2 to VLAN 1.
Switch(config)# vlan filter map2 vlan 1
Denying Access to a Server on Another VLAN
You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs to have access restricted as follows (see Figure 19-5):
...
Chapter 19 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs
Using VLAN Maps with Router ACLs
To access control both bridged and routed traffic, you can use VLAN maps only or a combination of router ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN interfaces, and you can define a VLAN map to access control the bridged traffic.
• Avoid including Layer 4 information in an ACL; adding this information complicates the merging process. The best merge results are obtained if the ACLs are filtered based on IP addresses (source and destination) and not on the full flow (source IP address, destination IP address, protocol, and protocol ports).
This output from the show fm label privileged EXEC command shows a merge failure on an input access group:
Switch# show fm label 1
Unloaded due to merge failure or lack of space:
InputAccessGroup
Merge Fail:input
Input Features:
...
Note: When configuring ACLs on the switch, to allocate maximum hardware resources for ACLs, you can use the sdm prefer access global configuration command to set the Switch Database Management feature to the access template.
ACLs and Bridged Packets
Figure 19-7 shows how an ACL is applied on fallback-bridged packets. For bridged packets, only Layer 2 ACLs are applied to the input VLAN. Only non-IP, non-ARP packets can be fallback-bridged.
Figure 19-7 Applying ACLs on Bridged Packets (Catalyst 3550 switch with enhanced...)
ACLs and Routed Packets
Figure 19-8 shows how ACLs are applied on routed packets. For routed packets, the ACLs are applied in this order:
1. VLAN map for input VLAN
2. Input router ACL
3. Output router ACL
4. VLAN map for output VLAN
...
ACLs and Multicast Packets
Figure 19-9 shows how ACLs are applied on packets that are replicated for IP multicasting. A multicast packet being routed has two different kinds of filters applied: one for destinations that are other ports in the input VLAN and another for each of the destinations that are in other VLANs to which the packet has been routed.
Chapter 20 Configuring QoS
This chapter describes how to configure quality of service (QoS) on your switch. With this feature, you can provide preferential treatment to certain traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size.
Chapter 20 Configuring QoS Understanding QoS
type of service (TOS) field to carry the classification (class) information. Classification can also be carried in the Layer 2 frame. These special bits in the Layer 2 frame or a Layer 3 packet are described here and shown in Figure 20-1:
...
All switches and routers that access the Internet rely on the class information to provide the same forwarding treatment to packets with the same class information and different treatment to packets with different class information. The class information in the packet can be assigned by end hosts or by switches or routers along the way, based on a configured policy, detailed examination of the packet, or both.
Figure 20-2 Basic QoS Model (Actions at ingress: Classification, inspect packet and determine the DSCP; Policing, compare DSCP to the configured ..., in profile or out of profile; Mark, based on whether ..., generate DSCP. Actions at egress: Queueing and scheduling, based on the CoS, ...)
For IP traffic, you have these classification options as shown in Figure 20-3:
• Trust the IP DSCP in the incoming packet (configure the port to trust DSCP), and assign the same DSCP to the packet for internal use. The IETF defines the 6 most-significant bits of the 1-byte Type of Service (ToS) field as the DSCP.
Figure 20-3 Classification Flowchart (Start: read ingress interface configuration for classification; Trust CoS (IP and non-IP traffic); Trust DSCP (IP traffic): assign DSCP identical to DSCP in packet; Trust IP precedence (IP traffic); Use port default (non-IP traffic))
Classification Based on QoS ACLs
You can use IP standard, IP extended, and Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs:
• ...
The policy map can also contain commands that define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded. For more information, see the “Policing and Marking”...
You configure the bucket depth (the maximum burst that is tolerated before the bucket overflows) by using the burst-byte option of the police policy-map class configuration command or the mls qos aggregate-policer global configuration command. You configure how quickly (the average rate) the tokens are removed from the bucket by using the rate-bps option of the police policy-map class configuration command or the mls qos aggregate-policer global configuration command.
Figure 20-4 Policing and Marking Flowchart (Start: read the DSCP of the packet; is a policer configured for this DSCP?; check if the packet is in profile by querying the policer; pass through; drop; check out-of-profile action; drop packet)
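As an added example (not code from the guide), the simulation below models the token bucket as the policing section describes it: tokens are removed at the configured average rate (rate-bps), the bucket depth is the largest burst tolerated (burst-byte), and a packet that would overflow the bucket is out of profile and is either dropped or marked down, the two outcomes shown in the Figure 20-4 flowchart. The exceed-action names, the policed-DSCP map values and the packet burst are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed policed-DSCP map for the mark-down action: an out-of-profile
# packet carrying a key DSCP is remarked to the value DSCP before transmit.
POLICED_DSCP_MAP: Dict[int, int] = {46: 8, 34: 8}


@dataclass
class TokenBucketPolicer:
    """Token bucket in the terms this chapter uses: rate_bps is the average
    rate at which tokens are removed from the bucket and burst_bytes is the
    bucket depth, the largest burst tolerated before the bucket overflows.
    An arriving packet adds its size in tokens; if that would overflow the
    bucket, the packet is out of profile."""
    rate_bps: int
    burst_bytes: int
    exceed_action: str = "drop"   # assumed names: "drop" | "policed-dscp-transmit"
    tokens: float = 0.0           # bytes currently in the bucket
    last_time: float = 0.0        # arrival time (seconds) of the previous packet

    def offer(self, size_bytes: int, now: float) -> bool:
        """True if the packet is in profile, False if it is out of profile."""
        if now < self.last_time:
            raise ValueError("packets must be offered in arrival order")
        # Tokens drain at the average rate over the time since the last packet.
        drained = (now - self.last_time) * self.rate_bps / 8.0
        self.tokens = max(0.0, self.tokens - drained)
        self.last_time = now
        if self.tokens + size_bytes <= self.burst_bytes:
            self.tokens += size_bytes
            return True
        return False

    def police(self, size_bytes: int, dscp: int,
               now: float) -> Tuple[str, Optional[int]]:
        """Return ("transmit", dscp) or ("drop", None) for one packet."""
        if self.offer(size_bytes, now):
            return "transmit", dscp          # in profile: pass through
        if self.exceed_action == "drop":
            return "drop", None              # out of profile: drop packet
        # out of profile with mark-down: remark through the policed-DSCP map
        return "transmit", POLICED_DSCP_MAP.get(dscp, dscp)


def police_stream(rate_bps: int, burst_bytes: int, exceed_action: str,
                  packets: List[Tuple[float, int, int]]
                  ) -> List[Tuple[str, Optional[int]]]:
    """Run a fresh policer over (arrival_time_s, size_bytes, dscp) packets."""
    policer = TokenBucketPolicer(rate_bps, burst_bytes, exceed_action)
    return [policer.police(size, dscp, t) for t, size, dscp in packets]


# Constructed burst against an 8000 bps (1000 bytes/s) policer with a
# 1500-byte bucket: the second and last packets overflow the bucket.
SAMPLE_PACKETS = [(0.0, 1000, 46), (0.0, 600, 46), (0.5, 600, 46),
                  (2.0, 1500, 46), (2.0, 1, 46)]

if __name__ == "__main__":
    for action in ("drop", "policed-dscp-transmit"):
        print(action, police_stream(8000, 1500, action, SAMPLE_PACKETS))
```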
Mapping Tables
During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with an internal DSCP value:
• During classification, QoS uses configurable mapping tables to derive the internal DSCP (a 6-bit value) from received CoS or IP precedence (3-bit) values.
Queueing and Scheduling
After a packet is policed and marked, the queueing and scheduling process begins as described in these sections:
• Queueing and Scheduling on Gigabit-Capable Ports, page 20-12
• Queueing and Scheduling on 10/100 Ethernet Ports, page 20-15
Queueing and Scheduling on Gigabit-Capable Ports
Figure 20-5 shows the queueing and scheduling flowchart for Gigabit-capable Ethernet ports.
During the queueing and scheduling process, the switch uses egress queues and WRR for congestion management, and tail drop or WRED algorithms for congestion avoidance on Gigabit-capable Ethernet ports. Each Gigabit-capable Ethernet port has four egress queues, one of which can be the egress expedite queue.
WRED
Cisco’s implementation of Random Early Detection (RED), called Weighted Random Early Detection (WRED), differs from other congestion-avoidance techniques because it attempts to anticipate and avoid congestion, rather than controlling congestion once it occurs. WRED takes advantage of TCP congestion control to try to control the average queue size by indicating to end hosts when they should temporarily stop sending packets.
Queueing and Scheduling on 10/100 Ethernet Ports
Figure 20-6 shows the queueing and scheduling flowchart for 10/100 Ethernet ports.
Figure 20-6 Queueing and Scheduling Flowchart for 10/100 Ethernet Ports (Start: read the CoS value; CoS-to-queue map ...)
Each minimum-reserve level is configured with a buffer size. As shown in the figure, queue 4 of Fast Ethernet port 0/1 has a buffer size of 70 packets, queue 4 of Fast Ethernet port 0/2 has a buffer size of 80 packets, queue 4 of Fast Ethernet port 0/3 has a buffer size of 40 packets, and Fast Ethernet port 0/4 has a buffer size of 80 packets.
Packet Modification
A packet is classified, policed, and queued to provide QoS. Packet modifications can occur during this process:
• For IP packets, classification involves assigning a DSCP to the packet. However, the packet is not modified at this stage;...
Chapter 20 Configuring QoS Configuring QoS
Configuring QoS
Before configuring QoS, you must have a thorough understanding of these items:
• The types of applications used and the traffic patterns on your network.
• Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reserve ...
Table 20-2 Default QoS Parameters when QoS is Enabled
Columns: Port Type; State; Egress traffic (DSCP and CoS Value); Queue; Queue Weights; Tail-drop Thresholds; CoS Mapping to Queue
Gigabit-capable Ethernet ports: Enabled; DSCP=0; Four queues are ...; Each queue has ...; 100%, 100%; 0, 1: queue 1 ...
Configuration Guidelines
Before beginning the QoS configuration, you should be aware of this information:
• If you have EtherChannel ports configured on your switch, you must configure QoS classification, policing, mapping, and queueing on the individual physical ports that comprise the EtherChannel. You must decide whether the QoS configuration should match on all ports in the EtherChannel.
Enabling QoS Globally
By default, QoS is disabled on the switch, which means that the switch offers best-effort service to each packet regardless of the packet contents or size. All CoS values map to egress queue 1 with both tail-drop thresholds set to 100 percent of the total queue size for Gigabit-capable Ethernet ports.
Configuring the Trust State on Ports within the QoS Domain
Packets entering a QoS domain are classified at the edge of the QoS domain. When the packets are classified at the edge, the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the QoS domain.
Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives:
Step 1: configure terminal
    Purpose: Enter global configuration mode.
Step 2: mls qos
    Purpose: Enable QoS globally.
Configuring the CoS Value for an Interface
QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports. Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port:
...
Chapter 20 Configuring QoS Configuring QoS Configuring the DSCP Trust State on a Port Bordering Another QoS Domain If you are administering two separate QoS domains between which you want to implement QoS features for IP traffic, you can configure the switch ports bordering the domains to a DSCP-trusted state as shown Figure 20-9.
Chapter 20 Configuring QoS Configuring QoS Command Purpose Step 6 mls qos dscp-mutation Apply the map to the specified ingress DSCP-trusted port. dscp-mutation-name You can apply the map to different Gigabit-capable Ethernet ports. However, on 10/100 Ethernet ports, you can attach only one DSCP-to-DSCP-mutation map to a group of twelve ports.
Classifying Traffic by Using ACLs

You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs. Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic:

Step 1: ...

Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic:

Step 1: configure terminal. Enter global configuration mode.
Step 2: mls qos. Enable QoS on the switch.
Step 3: access-list access-list-number {deny | ... Create an IP extended ACL, repeating the command as many times as ...

This example shows how to create an ACL that permits PIM traffic from any source to a destination group address of 224.0.0.2 with a DSCP set to 32:

Switch(config)# access-list 102 permit pim any 224.0.0.2 dscp 32

Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic: ...

This example shows how to create a Layer 2 MAC ACL with two permit statements. The first statement allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001. The second statement allows only Ethertype XNS-IDP traffic from the host with MAC address 0001.0000.0002 to the host with MAC address 0002.0000.0002.
Step 4: class-map class-map-name [match-all | match-any]. Create a class map, and enter class-map configuration mode. By default, no class maps are defined. For class-map-name, specify the name of the class map. ...

This example shows how to create a class map called class2, which matches incoming traffic with DSCP values of 10, 11, and 12:

Switch(config)# class-map class2
Switch(config-cmap)# match ip dscp 10 11 12
Switch(config-cmap)# end
Switch#

This example shows how to create a class map called class3, which matches incoming traffic with IP-precedence values of 5, 6, and 7: ...
Step 4: policy-map policy-map-name. Create a policy map by entering the policy map name, and enter policy-map configuration mode. By default, no policy maps are defined. The default behavior of a policy map is to set the DSCP to 0 if the packet is an IP packet and to set the CoS to 0 if the packet is tagged.

Step 6: trust [cos | dscp | ip-precedence]. Configure the trust state, which selects the value that QoS uses as the source of the internal DSCP value. Note: this command is mutually exclusive with the set command within the same policy map.

Step 8: police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}]. Define a policer for the classified traffic. You can configure up to 128 policers on ingress Gigabit-capable Ethernet ports, up to 8 policers on ingress 10/100 Ethernet ports, and up to 8 policers on egress ports.
This example shows how to create a policy map and attach it to an ingress interface. In the configuration, the IP standard ACL permits traffic from network 10.1.0.0. For traffic matching this classification, the DSCP value in the incoming packet is trusted.

Classifying, Policing, and Marking Traffic by Using Aggregate Policers

By using an aggregate policer, you can create a policer that is shared by multiple traffic classes within the same policy map. However, you cannot use the aggregate policer across different policy maps or interfaces.

Step 9: interface interface-id. Enter interface configuration mode, and specify the interface to attach to the policy map. Valid interfaces include physical interfaces.
Step 10: service-policy {input policy-map-name | output policy-map-name}. Apply a policy map to the input or output of a particular interface. Only one policy map per interface per direction is supported.
Configuring the Policed-DSCP Map

You use the policed-DSCP map to mark down a DSCP value to a new value as the result of a policing and marking action. The default policed-DSCP map is a null map, which maps an incoming DSCP value to the same DSCP value.

Configuring the DSCP-to-CoS Map

You use the DSCP-to-CoS map to generate a CoS value, which is used to select one of the four egress queues. Table 20-5 shows the default DSCP-to-CoS map.

Table 20-5 Default DSCP-to-CoS Map
DSCP value  0–7  8–15  16–23  24–31  32–39  40–47  48–55  56–63
CoS value   0    1     2      3      4      5      6      7

Configuring the DSCP-to-DSCP-Mutation Map

You apply the DSCP-to-DSCP-mutation map to a port at the boundary of a QoS administrative domain. If the two domains have different DSCP definitions, you use the DSCP-to-DSCP-mutation map to translate a set of DSCP values to match the definition of the other domain.

This example shows how to define a DSCP-to-DSCP-mutation map. All entries that are not explicitly configured are not modified (they remain as specified in the null map):

Switch# configure terminal
Switch(config)# mls qos map dscp-mutation mutation1 1 2 3 4 5 6 7 to 0
Switch(config)# mls qos map dscp-mutation mutation1 8 9 10 11 12 13 to 10
Switch(config)# mls qos map dscp-mutation mutation1 20 21 22 to 20
Switch(config)# mls qos map dscp-mutation mutation1 30 31 32 33 34 to 30
...
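The maps and actions in the preceding sections compose into one ingress pipeline: the port's trust state decides what becomes the internal DSCP, a mutation map rewrites it on a DSCP-trusted boundary port, a class map matches it, a policer either drops it or marks it down through the policed-DSCP map, and the DSCP-to-CoS and CoS-to-queue maps pick the egress queue. The following Python model is an added example, not code from this guide or from Cisco: the default map values are the ones the guide states, while the DSCP 46-to-40 mutation entry, the DSCP 40-to-8 policed-DSCP entry, the policer figures and the traffic are constructed for the illustration.

```python
"""Model of the ingress QoS pipeline described in this chapter: port trust state,
DSCP-to-DSCP mutation at a domain boundary, class-map match on DSCP, a policer
(police rate-bps burst-byte exceed-action ...) that drops or marks down via the
policed-DSCP map, then the DSCP-to-CoS and CoS-to-egress-queue maps.
Added illustration, not Cisco code: default map values are those stated in the
guide; the traffic, policer figures and map entries below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

# Default maps from the guide: DSCP-to-CoS is dscp // 8 (0-7 -> 0, ..., 56-63 -> 7);
# CoS 0-1 -> queue 1, 2-3 -> queue 2, 4-5 -> queue 3, 6-7 -> queue 4.
DEFAULT_DSCP_TO_COS: Dict[int, int] = {d: d // 8 for d in range(64)}
DEFAULT_COS_TO_QUEUE: Dict[int, int] = {c: c // 2 + 1 for c in range(8)}
# The policed-DSCP map and the DSCP-mutation map default to the null map.
NULL_MAP: Dict[int, int] = {d: d for d in range(64)}


@dataclass
class Packet:
    dscp: int          # DSCP in the IP header
    cos: int           # 802.1p CoS (meaningful only when tagged)
    size: int          # bytes counted by the policer
    tagged: bool = True


@dataclass
class Policer:
    """Single token bucket: rate_bps refills it, burst_bytes bounds it.
    Refill is modelled explicitly with tick(); conforms() only consumes."""
    rate_bps: int
    burst_bytes: int
    exceed_action: str   # "drop" or "policed-dscp-transmit"
    tokens: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)

    def tick(self, milliseconds: int) -> None:
        self.tokens = min(self.burst_bytes,
                          self.tokens + self.rate_bps / 8 * milliseconds / 1000)

    def conforms(self, size: int) -> bool:
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


@dataclass
class IngressPort:
    trust: str                       # "cos", "dscp" or "untrusted"
    default_cos: int = 0             # mls qos cos <value>
    mutation_map: Dict[int, int] = field(default_factory=lambda: dict(NULL_MAP))
    match_dscps: FrozenSet[int] = frozenset()       # class-map: match ip dscp ...
    policer: Optional[Policer] = None
    policed_dscp_map: Dict[int, int] = field(default_factory=lambda: dict(NULL_MAP))

    def internal_dscp(self, p: Packet) -> int:
        # Untagged frames receive the port default CoS on trusted and untrusted ports alike.
        cos = p.cos if p.tagged else self.default_cos
        if self.trust == "dscp":
            return self.mutation_map[p.dscp]   # mutation applies only on DSCP-trusted ports
        if self.trust == "cos":
            return cos * 8                     # default CoS-to-DSCP map: 0, 8, ..., 56
        return 0                               # untrusted: internal DSCP 0

    def process(self, p: Packet) -> Tuple[str, int, int]:
        """Return (action, dscp_after_qos, egress_queue); queue is 0 for a drop."""
        dscp = self.internal_dscp(p)
        if self.policer is not None and dscp in self.match_dscps:
            if not self.policer.conforms(p.size):
                if self.policer.exceed_action == "drop":
                    return ("drop", dscp, 0)
                dscp = self.policed_dscp_map[dscp]   # mark down, then transmit
        return ("transmit", dscp, DEFAULT_COS_TO_QUEUE[DEFAULT_DSCP_TO_COS[dscp]])


def run_example() -> list:
    """Constructed boundary port: DSCP trusted, the neighbour domain's DSCP 46 mutated
    to 40, class matching DSCP 40 policed at 1 Mb/s with a 2000-byte burst, excess
    marked down to DSCP 8 (a hypothetical policed-DSCP entry)."""
    port = IngressPort(trust="dscp")
    port.mutation_map[46] = 40
    port.match_dscps = frozenset({40})
    port.policer = Policer(rate_bps=1_000_000, burst_bytes=2000,
                           exceed_action="policed-dscp-transmit")
    port.policed_dscp_map[40] = 8
    burst = [Packet(dscp=46, cos=5, size=1000)] * 3 + [Packet(dscp=0, cos=0, size=64)]
    return [port.process(p) for p in burst]


if __name__ == "__main__":
    for result in run_example():
        print(result)
```

The third 1000-byte packet exhausts the 2000-byte burst and leaves with DSCP 8 in queue 1 instead of DSCP 40 in queue 3. The same port with trust set to untrusted puts every packet in queue 1 with DSCP 0, which is why the trust state of user-facing ports matters.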
Mapping CoS Values to Select Egress Queues

Beginning in privileged EXEC mode, follow these steps to map CoS ingress values to select one of the egress queues:

Step 1: configure terminal. Enter global configuration mode.
Step 2: mls qos. Enable QoS on the switch.

Configuring the Egress Queue Size Ratios

Beginning in privileged EXEC mode, follow these steps to configure the egress queue size ratios:

Step 1: configure terminal. Enter global configuration mode.
Step 2: mls qos. Enable QoS on the switch.
Configuring Tail-Drop Threshold Percentages

Tail drop is the default congestion-avoidance technique on Gigabit-capable Ethernet ports. With tail drop, packets are queued until a threshold is exceeded. For example, once the first threshold is exceeded, all packets with DSCPs assigned to the first threshold are dropped until the queue drains back below that threshold. Packets assigned to the second threshold continue to be queued and sent as long as the second threshold is not exceeded.

To return to the default thresholds, use the no wrr-queue threshold queue-id interface configuration command. To return to the default DSCP-to-threshold map, use the no wrr-queue dscp-map [threshold-id] interface configuration command.

This example shows how to configure the tail-drop queue threshold values for queue 1 to 10 percent and 100 percent, for queue 2 to 40 percent and 100 percent, for queue 3 to 60 percent and 100 percent, and for queue 4 to 80 percent and 100 percent on the egress interface (Gigabit Ethernet 0/1). ...

Step 4: wrr-queue random-detect max-threshold queue-id threshold-percentage1 threshold-percentage2. Configure WRED drop threshold percentages on each egress queue. By default, WRED is disabled and no thresholds are configured. For queue-id, specify the ID of the egress queue. The range is 1 to 4, where queue 4 can be configured as the expedite queue. ...
Configuring the Egress Expedite Queue

You can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. This queue is serviced until it is empty and before the other queues are serviced. Beginning in privileged EXEC mode, follow these steps to enable the egress expedite queue: ...

Step 4: wrr-queue bandwidth weight1 weight2 weight3 weight4. Assign WRR weights to the egress queues. By default, all the weights are set to 25 (1/4 of the bandwidth is allocated to each queue). For weight1 weight2 weight3 weight4, enter the ratio that determines how often the WRR scheduler dequeues packets from each queue relative to the other queues. ...

Configuring the Minimum-Reserve Levels

You can configure the buffer size of the minimum-reserve levels on all 10/100 ports and assign a minimum-reserve level to an egress queue on a 10/100 Ethernet port. Beginning in privileged EXEC mode, follow these steps to configure the egress queue sizes:

Step 1: ...
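To see how the tail-drop thresholds, the DSCP-to-threshold map, the WRR weights and the expedite queue interact on one port, here is an added Python simulation (not code from this guide or from Cisco). It uses the threshold percentages from the tail-drop example above (10/100, 40/100, 60/100, 80/100); the ten-packet queue size, the weights 1 2 3 4, the assignment of DSCP 10 to threshold 2 and the traffic mix are constructed for the illustration.

```python
"""Egress side of this chapter on one port: four queues, two tail-drop thresholds
per queue (wrr-queue threshold), a DSCP-to-threshold map (wrr-queue dscp-map),
WRR weights (wrr-queue bandwidth) and an optional strict-priority expedite queue.
Added illustration, not Cisco code; the queue size, thresholds, weights and
traffic are constructed to make the drops and the service order visible."""
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple


class EgressPort:
    def __init__(self, queue_size: int = 16,
                 thresholds: Optional[Dict[int, Tuple[int, int]]] = None,
                 weights: Tuple[int, int, int, int] = (25, 25, 25, 25),
                 expedite: bool = False) -> None:
        self.queue_size = queue_size                         # packets per queue
        # thresholds[q] = (percent for threshold 1, percent for threshold 2); guide default 100/100
        self.thresholds = thresholds or {q: (100, 100) for q in range(1, 5)}
        self.weights = dict(zip(range(1, 5), weights))
        self.expedite = expedite                             # queue 4 becomes strict priority
        self.dscp_to_threshold = {d: 1 for d in range(64)}   # default map: every DSCP -> threshold 1
        self.queues: Dict[int, Deque[int]] = {q: deque() for q in range(1, 5)}
        self.dropped: List[Tuple[int, int]] = []

    def enqueue(self, dscp: int, queue_id: int) -> bool:
        """Tail drop: refuse the packet once its threshold's share of the queue is full."""
        thr = self.dscp_to_threshold[dscp]
        limit = self.queue_size * self.thresholds[queue_id][thr - 1] / 100
        if len(self.queues[queue_id]) >= limit:
            self.dropped.append((dscp, queue_id))
            return False
        self.queues[queue_id].append(dscp)
        return True

    def schedule(self) -> List[Tuple[int, int]]:
        """Drain the port and return (queue_id, dscp) in transmission order.
        Each WRR round sends up to weight[q] packets from queue q; with the
        expedite queue enabled, queue 4 is emptied before any round starts."""
        out: List[Tuple[int, int]] = []
        wrr_queues = [1, 2, 3] if self.expedite else [1, 2, 3, 4]
        while any(self.queues.values()):
            if self.expedite:
                while self.queues[4]:
                    out.append((4, self.queues[4].popleft()))
            for q in wrr_queues:
                for _ in range(self.weights[q]):
                    if not self.queues[q]:
                        break
                    out.append((q, self.queues[q].popleft()))
        return out


def run_example(expedite: bool = True):
    """Queue size 10 with the guide's example thresholds (10/100, 40/100, 60/100,
    80/100), weights 1 2 3 4, DSCP 10 assigned to threshold 2 (constructed).
    Returns (dropped packets, transmission order)."""
    port = EgressPort(queue_size=10,
                      thresholds={1: (10, 100), 2: (40, 100), 3: (60, 100), 4: (80, 100)},
                      weights=(1, 2, 3, 4), expedite=expedite)
    port.dscp_to_threshold[10] = 2
    # (dscp, egress queue): three DSCP 0 and three DSCP 10 into queue 1,
    # two DSCP 48 into queue 4, four DSCP 16 into queue 2
    traffic = [(0, 1)] * 3 + [(10, 1)] * 3 + [(48, 4)] * 2 + [(16, 2)] * 4
    for dscp, queue_id in traffic:
        port.enqueue(dscp, queue_id)
    return port.dropped, port.schedule()


if __name__ == "__main__":
    dropped, order = run_example()
    print("dropped:", dropped)
    print("sent:", order)
```

With a 10-packet queue, threshold 1 of queue 1 admits a single packet, so the second and third DSCP 0 packets are tail-dropped while the DSCP 10 packets on threshold 2 still get in. With the expedite queue enabled, both DSCP 48 packets leave before the first WRR round; without it, queue 4 waits its turn in the round like any other queue.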
Displaying QoS Information

To display the current QoS information, use one or more of the privileged EXEC commands in Table 20-6:

Table 20-6 Commands for Displaying QoS Information
show class-map [class-map-name]: Display QoS class maps, which define the match criteria to classify traffic. ...

QoS Configuration Examples

For the Catalyst 3500 XL and 2900 XL switches, CoS configures each egress port with a normal-priority transmit queue and a high-priority transmit queue, depending on the frame tag or the port information. Frames in the normal-priority queue are forwarded only after frames in the high-priority queue are forwarded.

Step 17: wrr-queue cos-map 4 6 7. Configure the CoS-to-egress-queue map so that CoS values 6 and 7 select queue 4 (this is the default setting). Because the default DSCP-to-CoS map has DSCP values 56 to 63 mapped to CoS value 7, the matched traffic that is set to DSCP 56 goes to queue 4, the priority queue.

Step 5: switchport mode trunk. Configure this port as a trunk port.
Step 6: exit. Return to global configuration mode.
Step 7: interface gigabitethernet0/2. Enter interface configuration mode, and specify the ingress interface connected to the intelligent wiring closet.

Step 17: end. Return to privileged EXEC mode.
Step 18: show mls qos interface, show interfaces. Verify your entries.
Step 19: copy running-config startup-config. (Optional) Save your entries in the configuration file.

Catalyst 3550 Multilayer Switch Software Configuration Guide 20-61 78-11194-03
Chapter 21 Configuring EtherChannel

This chapter describes how to configure EtherChannel on Layer 2 and Layer 3 interfaces. To configure Layer 3 interfaces, you must have the enhanced multilayer software image (EMI) installed on your switch.

Understanding EtherChannel

Figure 21-2 Relationship of Physical Ports, Logical Port Channels, and Channel Groups (figure: logical port-channel interfaces bound through channel groups to physical 10/100/1000 ports and GBIC module slots on a Catalyst 3550)

PAgP Modes

Table 21-1 shows the user-configurable EtherChannel modes for the channel-group interface configuration command: on, auto, and desirable. Switch interfaces exchange PAgP packets only with partner interfaces configured in the auto or desirable modes; interfaces configured in the on mode do not exchange PAgP packets.

The higher the priority, the more likely that the port will be selected.

PAgP Interaction with Other Features

The Dynamic Trunking Protocol (DTP) and Cisco Discovery Protocol (CDP) send and receive packets over the physical interfaces in the EtherChannel. Trunk ports send and receive PAgP protocol data units (PDUs) on the lowest numbered VLAN.
IP addresses might result in better load balancing.

Figure 21-3 Load Distribution and Forwarding Methods (figure: a Catalyst 3550 switch with source-based forwarding enabled, connected by an EtherChannel to a Cisco router with destination-based forwarding enabled)

Configuring EtherChannel

EtherChannel Configuration Guidelines

If improperly configured, some EtherChannel interfaces are automatically disabled to avoid network loops and other problems. Follow these guidelines to avoid configuration problems:
• Each EtherChannel can have up to eight compatibly configured Ethernet interfaces.
Note: Do not configure a GigaStack GBIC port as part of an EtherChannel.

Configuring Layer 2 EtherChannels

You configure Layer 2 EtherChannels by configuring the Ethernet interfaces with the channel-group interface configuration command, which creates the port-channel logical interface.
Note: Layer 2 interfaces must be connected and functioning for IOS to create port-channel interfaces for Layer 2 EtherChannels.
Step 4: channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on}. Assign the interface to a channel group, and specify the PAgP mode. The default mode is auto silent. For channel-group-number, the range is 1 to 64. Each EtherChannel can have up to eight compatibly configured Ethernet interfaces. With the on mode no PAgP negotiation takes place, so both ends must be bundled consistently by hand; auto or desirable lets PAgP detect a partner that is not bundling the same interfaces.

Configuring Layer 3 EtherChannels

To configure Layer 3 EtherChannels, you create the port-channel logical interface and then put the Ethernet interfaces into the port-channel as described in the next two sections.

Creating Port-Channel Logical Interfaces

Note: To move an IP address from a physical interface to an EtherChannel, you must delete the IP address from the physical interface before configuring it on the port-channel interface.

Configuring the Physical Interfaces

Beginning in privileged EXEC mode, follow these steps to assign an Ethernet interface to a Layer 3 EtherChannel:

Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Enter interface configuration mode, and specify a physical interface to configure.

Step 5: end. Return to privileged EXEC mode.
Step 6: show running-config. Verify your entries.
Step 7: copy running-config startup-config. (Optional) Save your entries in the configuration file.

To remove an interface from the EtherChannel group, use the no channel-group interface configuration command.
Beginning in privileged EXEC mode, follow these steps to configure EtherChannel load balancing:

Step 1: configure terminal. Enter global configuration mode.
Step 2: port-channel load-balance {dst-mac | src-mac}. Configure an EtherChannel load-balancing method. The default is src-mac.

Note: The Catalyst 3550 supports address learning only on aggregate ports even though the physical-port keyword is provided in the CLI. The pagp learn-method command and the pagp port-priority command have no effect on the switch hardware, but they are required for PAgP interoperability with devices that only support address learning by physical ports, such as the Catalyst 1900 switch.

Displaying EtherChannel and PAgP Status

You can use the privileged EXEC commands described in Table 21-3 to display EtherChannel and PAgP status information:

Table 21-3 Commands for Displaying EtherChannel and PAgP Status
show etherchannel [channel-group-number] {brief | ...
Chapter 22 Configuring IP Unicast Routing

Note ... Configuration Guide for Release 12.1. For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. This chapter consists of these sections: ...

Understanding Routing

Network devices in different VLANs cannot communicate with one another without a Layer 3 device (router) to route traffic between the VLANs. Routers can perform routing in three different ways: ...

By default, IP routing is disabled on the Catalyst 3550 switch, and you must enable it before routing can take place. For detailed IP routing configuration information, refer to the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1.

Configuring IP Addressing

A required task for configuring IP routing is to assign IP addresses to Layer 3 network interfaces to enable the interfaces and allow communication with the hosts on those interfaces that use IP. These sections describe how to configure various IP addressing features.

Table 22-1 Default Addressing Configuration (continued)
IRDP: Disabled. Defaults when enabled:
• Broadcast IRDP advertisements.
• Maximum interval between advertisements: 600 seconds.
• Minimum interval between advertisements: 0.75 times the maximum interval.
• ...
Beginning in privileged EXEC mode, follow these steps to assign an IP address and a network mask to a Layer 3 interface:

Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Enter interface configuration mode, and specify the Layer 3 ...

     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

This is an example of output from the show ip interface privileged EXEC command for Gigabit Ethernet interface 0/10, displaying the detailed IP configuration and status: ...
Use of Subnet Zero

Subnetting with a subnet address of zero is strongly discouraged because of the problems that can arise if a network and a subnet have the same addresses. For example, if network 131.108.0.0 is subnetted as 255.255.255.0, subnet zero would be written as 131.108.0.0, which is the same as the network address.

In Figure 22-2, classless routing is enabled. When the host sends a packet to 120.20.4.1, instead of discarding the packet, the router forwards it to the best supernet route. If you disable classless routing and a router receives packets destined for a subnet of a network with no network default route, the router discards the packet.
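As an added example (not code from this guide or from Cisco), the Python function below reproduces the forwarding decision the paragraph describes for both settings, using a constructed routing table with three subnets of network 120.0.0.0 and a default route; the interface and next-hop names are labels chosen for the illustration.

```python
"""Forwarding decision with and without 'ip classless', as the text describes:
a classful (no ip classless) lookup does not fall back to a supernet or default
route for a destination inside a classful network of which the router already
knows some subnets. Added illustration, not Cisco code; the routing table is
constructed and the next hops are labels."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]


def classful_network(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """Class A/B/C major network of an address (what a classful router keys on)."""
    first_octet = int(addr) >> 24
    prefixlen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def lookup(table: List[Route], destination: str, classless: bool) -> Optional[str]:
    """Return the next hop for destination, or None when the router discards it."""
    dst = ipaddress.ip_address(destination)
    candidates = [(net, nh) for net, nh in table if dst in net]
    if not classless:
        major = classful_network(dst)
        known = [(net, nh) for net, nh in table if net.subnet_of(major)]
        if known:
            # The major network is "known", so only its subnets may be used:
            # no supernet or default-route fallback for an unknown subnet.
            candidates = [(net, nh) for net, nh in known if dst in net]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]   # longest prefix wins


def build_table(entries: List[Tuple[str, str]]) -> List[Route]:
    return [(ipaddress.ip_network(prefix), nh) for prefix, nh in entries]


# Constructed table: three subnets of the class A network 120.0.0.0 plus a default route.
TABLE = build_table([
    ("120.20.1.0/24", "GigabitEthernet0/1"),
    ("120.20.2.0/24", "GigabitEthernet0/2"),
    ("120.20.3.0/24", "GigabitEthernet0/3"),
    ("0.0.0.0/0", "172.20.135.193"),
])

if __name__ == "__main__":
    for mode in (True, False):
        print("ip classless" if mode else "no ip classless",
              "->", lookup(TABLE, "120.20.4.1", classless=mode))
```

A destination in a known subnet (120.20.2.7) and a destination in a network of which no subnet is known (10.0.0.1) are forwarded the same way under both settings; only the unknown subnet of a known network differs.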
Using RARP requires a RARP server on the same network segment as the router interface. Use the ip rarp-server address interface configuration command to identify the server. For more information on RARP, refer to the Cisco IOS Configuration Fundamentals Configuration Guide for Release 12.1.
You can perform these tasks to configure address resolution:
• Define a Static ARP Cache, page 22-11
• Set ARP Encapsulation, page 22-12
• Enable Proxy ARP, page 22-13

Define a Static ARP Cache

ARP and other address resolution protocols provide dynamic mapping between IP addresses and MAC addresses.

This is an example of output from the show arp privileged EXEC command:

Switch# show arp
Protocol  Address        Age (min)  Hardware Addr   Type  Interface
Internet  10.1.2.3                  0002.4b29.2e00  ARPA  GigabitEthernet0/10
Internet  172.20.136.9              0030.19c6.54e1  ARPA  Vlan1
...

This is an example of output from the show interfaces interface-id privileged EXEC command displaying ARP encapsulation:

Switch# show interfaces gigabitethernet0/10
GigabitEthernet0/10 is up, line protocol is up
  Hardware is Gigabit Ethernet, address is 0002.4b29.2e00 (bia 0002
  Internet address is 40.5.121.10/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
...

This is an example of output from the show ip interface privileged EXEC command for Gigabit Ethernet interface 0/3, where proxy ARP is enabled:

Switch# show ip interface gigabitethernet0/3
GigabitEthernet0/3 is up, line protocol is down
  Internet address is 10.1.3.59/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
...

... Ethernet MAC address, and the host that sent the request sends the packet to the switch, which forwards it to the intended host. Proxy ARP treats all networks as if they are local and performs ARP requests for every IP address. Because the switch answers ARP requests for any address it can reach, proxy ARP masks host misconfiguration (such as a wrong subnet mask) and lets any host on the segment use the switch as an unadvertised gateway; on interfaces where this is not wanted, disable it with the no ip proxy-arp interface configuration command.
The only required task for IRDP routing on an interface is to enable IRDP processing on that interface. When enabled, the default parameters apply. You can optionally change any of these parameters. IRDP advertisements carry no authentication: a host that accepts them will also accept a forged router advertisement sent by another host on the same segment, so enable IRDP only on segments whose hosts need it and whose attached hosts you trust. Beginning in privileged EXEC mode, follow these steps to enable and configure IRDP on an interface: ...

GigabitEthernet0/3 has router discovery enabled
  Advertisements will occur between every 450 and 600 seconds.
  Advertisements are sent with broadcasts.
  Advertisements are valid for 1800 seconds.
  Default preference will be 0.
GigabitEthernet0/4 has router discovery disabled
Port-channel1 has router discovery disabled

Configuring Broadcast Packet Handling

After configuring an IP interface address, you can choose to enable routing and configure one or more ...

By default, both UDP and ND forwarding are enabled if a helper address has been defined for an interface. The description for the ip forward-protocol global configuration command in the Cisco IOS IP and IP Routing Command Reference for Release 12.1 lists the ports that are forwarded by default if you do not specify any UDP ports.
If you do not specify any UDP ports when you configure the forwarding of UDP broadcasts, you are configuring the router to act as a BOOTP forwarding agent. BOOTP packets carry Dynamic Host Configuration Protocol (DHCP) information. The default port list also covers other services (TFTP, DNS, time, NetBIOS name and datagram services, and TACACS), so when you only need DHCP relay, list the ports you actually need with ip forward-protocol udp port and remove the others with no ip forward-protocol udp port; otherwise a helper address quietly turns the switch into a relay for broadcasts you did not intend to forward.

Establishing an IP Broadcast Address

The most popular IP broadcast address (and the default) is an address consisting of all ones (255.255.255.255). However, the switch can be configured to generate any form of IP broadcast address. Beginning in privileged EXEC mode, follow these steps to set the IP broadcast address on an interface: ...

Beginning in privileged EXEC mode, follow these steps to use the bridging spanning-tree database to flood UDP datagrams:

Step 1: configure terminal. Enter global configuration mode.
Step 2: ip forward-protocol spanning-tree. Use the bridging spanning-tree database to flood UDP datagrams.

You can display specific statistics, such as the contents of IP routing tables, caches, and databases; the reachability of nodes; and the routing path that packets are taking through the network. Table 22-4 lists the privileged EXEC commands for displaying IP statistics.
Switch# show ip redirects
Default gateway is 172.20.135.193

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty

Switch# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
...

... (RIP) router configuration command. For information on specific protocols, refer to sections later in this chapter and to the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1.
Step 4: end. Return to privileged EXEC mode.
Protocol (UDP) data packets to exchange routing information. The protocol is documented in RFC 1058. You can find detailed information about RIP in IP Routing Fundamentals, published by Cisco Press. Using RIP, the switch sends routing information updates (advertisements) every 30 seconds. If a router does not receive an update from another router for 180 seconds or more, it marks the routes served by that router as unusable.
Configuring RIP

Table 22-5 Default RIP Configuration (continued)
Validate-update-source: Enabled.
Version: Receives RIP version 1 and version 2 packets; sends version 1 packets.

For protocol-independent features that also apply to RIP, see the “Configuring Protocol-Independent Features” ...

Step 10: no validate-update-source. (Optional) Disable validation of the source IP address of incoming RIP routing updates. By default, the switch validates the source IP address of incoming RIP routing updates and discards the update if the source address is not valid, that is, not on the same network as the receiving interface. Leave validation enabled unless a specific topology (such as unnumbered links) requires accepting updates from off-network sources.

RIP Authentication

RIP version 1 does not support authentication. If you are sending and receiving RIP Version 2 packets, you can enable RIP authentication on an interface. The key chain determines the set of keys that can be used on the interface. ... Text-mode authentication carries the key itself in cleartext in every update, so it only guards against accidental peering; use MD5 mode (ip rip authentication mode md5) so that updates carry a keyed digest instead of the key. An unauthenticated or text-authenticated RIP interface accepts routes from any host on the segment.
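To make concrete what MD5 mode protects, here is an added Python implementation of RIPv2 keyed-MD5 authentication as specified in RFC 2082 (not code from this guide or from Cisco IOS): the sender fills the 16-byte trailer with the zero-padded key, computes MD5 over the whole packet, and replaces the key with the digest; the receiver repeats the computation with the key it holds under the advertised Key ID and rejects replays by sequence number. The key, key ID, sequence number and route entry are constructed for the example.

```python
"""RIPv2 keyed-MD5 authentication (RFC 2082), the wire format behind a key chain
applied with 'ip rip authentication mode md5'. Added illustration, not Cisco
code: the key, key ID, sequence number and route entry are constructed."""
import hashlib
import hmac
import struct
from typing import Dict, List

AUTH_FAMILY = 0xFFFF        # address family marking an authentication entry
AUTH_TYPE_MD5 = 3           # keyed MD5
AUTH_TRAILER_TYPE = 1       # the trailer that carries the 16-byte digest
RIP_RESPONSE, RIP_VERSION = 2, 2


def route_entry(prefix: str, mask: str, next_hop: str, metric: int) -> bytes:
    """One 20-byte RIPv2 route entry (family AF_INET=2, route tag 0)."""
    def ip(s: str) -> bytes:
        return bytes(int(o) for o in s.split("."))
    return struct.pack("!HH", 2, 0) + ip(prefix) + ip(mask) + ip(next_hop) + struct.pack("!I", metric)


def build_authenticated(routes: List[bytes], key: bytes, key_id: int, seq: int) -> bytes:
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)
    body = b"".join(routes)
    packet_len = 4 + 20 + len(body)          # offset of the trailer within the RIP packet
    auth_hdr = struct.pack("!HHHBBI8x", AUTH_FAMILY, AUTH_TYPE_MD5, packet_len, key_id, 16, seq)
    trailer_hdr = struct.pack("!HH", AUTH_FAMILY, AUTH_TRAILER_TYPE)
    unsigned = header + auth_hdr + body + trailer_hdr
    # RFC 2082 4.2: the zero-padded 16-byte secret stands in for the digest while hashing
    digest = hashlib.md5(unsigned + key.ljust(16, b"\0")[:16]).digest()
    return unsigned + digest


def verify(packet: bytes, keys: Dict[int, bytes], last_seq: Dict[int, int]) -> bool:
    """Recompute the digest with the key selected by Key ID; reject unknown keys,
    malformed lengths, bad digests and replays (sequence not above the last accepted one;
    0 is allowed so that a restarted neighbour can resynchronise)."""
    if len(packet) < 44 or packet[4:8] != struct.pack("!HH", AUTH_FAMILY, AUTH_TYPE_MD5):
        return False
    packet_len, key_id, auth_len, seq = struct.unpack("!HBBI", packet[8:16])
    if auth_len != 16 or packet_len + 20 != len(packet):
        return False
    if key_id not in keys:
        return False
    if seq != 0 and seq <= last_seq.get(key_id, -1):
        return False
    unsigned, received = packet[:packet_len + 4], packet[packet_len + 4:]
    expected = hashlib.md5(unsigned + keys[key_id].ljust(16, b"\0")[:16]).digest()
    if not hmac.compare_digest(expected, received):
        return False
    last_seq[key_id] = seq
    return True


if __name__ == "__main__":
    pkt = build_authenticated([route_entry("10.1.0.0", "255.255.0.0", "0.0.0.0", 1)],
                              b"s3cret", key_id=1, seq=100)
    print(len(pkt), "bytes, valid:", verify(pkt, {1: b"s3cret"}, {}))
```

Tampering with the metric, or holding a different key under the same Key ID, invalidates the digest, and a captured update cannot be replayed once its sequence number has been accepted. A text-mode packet would instead carry the key in cleartext in the first entry, readable by anyone capturing the segment.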
Note: In general, disabling split horizon is not recommended unless you are certain that your application requires it to properly advertise routes.

If you want to configure an interface running RIP to advertise a summarized local IP address pool on a network access server for dial-up clients, use the ip summary-address rip interface configuration command.

Configuring IGRP

Interior Gateway Routing Protocol (IGRP) is a dynamic, distance-vector, proprietary Cisco routing protocol for routing in an autonomous system that contains large, arbitrarily complex networks with diverse bandwidth and delay characteristics. IGRP uses a combination of user-configurable metrics, including internetwork delay, bandwidth, reliability, and load.

Note: Use the traffic-share router configuration command to control distribution of traffic among multiple routes of unequal cost. For more information and examples, refer to the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1.

Step 8: no metric holddown. (Optional) Disable the IGRP hold-down period. The route to a network is placed in holddown if the router learns that the network is farther away than previously known or is down.

This is an example of output from the show ip protocols privileged EXEC command that verifies the IGRP configuration:

Switch# show ip protocols
<output truncated>
Routing Protocol is "igrp 109"
  Sending updates every 90 seconds, next due in 52 seconds
  Invalid after 270 seconds, hold down 280, flushed after 630
  Outgoing update filter list for all interfaces is
  Incoming update filter list for all interfaces is
...

Configuring OSPF

This section briefly describes how to configure Open Shortest Path First (OSPF). For a complete description of the OSPF commands, refer to the “OSPF Commands” chapter of the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
Table 22-7 Default OSPF Configuration
Interface parameters:
• Cost: No default cost predefined.
• Retransmit interval: 5 seconds.
• Transmit delay: 1 second.
• Priority: 1.
• Hello interval: 10 seconds.
• Dead interval: 4 times the hello interval.
• No authentication. ...

Table 22-7 Default OSPF Configuration (continued)
Timers shortest path first (spf):
• spf delay: 5 seconds.
• spf-holdtime: 10 seconds.
Virtual link:
• No area ID or router ID defined.
• Hello interval: 10 seconds.
• Retransmit interval: 5 seconds. ...

This is an example of output from the show ip protocols privileged EXEC command that verifies the OSPF process ID:

Switch# show ip protocols
<output truncated>
Routing Protocol is "ospf 109"
  Invalid after 0 seconds, hold down 0, flushed after 0
  Outgoing update filter list for all interfaces is
  Incoming update filter list for all interfaces is
  Redistributing: ospf 109
...

Step 9: ip ospf authentication-key key. (Optional) Assign a password to be used by neighboring OSPF routers. The password can be any string of keyboard-entered characters up to 8 bytes in length. All neighboring routers on the same network must have the same password to exchange OSPF information. This simple password authentication places the password in cleartext in the OSPF packet header, so it prevents only accidental adjacencies; where an attacker could capture or inject traffic on the segment, use MD5 authentication (ip ospf message-digest-key on the interface together with area area-id authentication message-digest under the OSPF process) instead.

Note: The OSPF area router configuration commands are all optional.

Beginning in privileged EXEC mode, follow these steps to configure area parameters:

Step 1: configure terminal. Enter global configuration mode.
Step 2: router ospf process-id. Enable OSPF routing, and enter router configuration mode.

Switch# show ip ospf
 Routing Process "ospf 1" with ID 172.20.135.202 and Domain ID 0.0.0.1
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs.
...
Page 572
Chapter 22 Configuring IP Unicast Routing Configuring OSPF • Passive interfaces: Because interfaces between two devices on an Ethernet represent only one network segment, to prevent OSPF from sending hello packets for the sending interface, you must configure the sending device to be a passive interface. Both devices can identify each other through the hello packet for the receiving interface.
Chapter 22 Configuring IP Unicast Routing Configuring OSPF Change LSA Group Pacing The OSPF LSA group pacing feature allows the router to group OSPF LSAs and pace the refreshing, check-summing, and aging functions for more efficient router use. This feature is enabled by default with a 4-minute default pacing interval, and you will not usually need to modify this parameter.
EXEC commands for displaying statistics. For more show ip ospf database privileged EXEC command options and for explanations of fields in the resulting display, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. Table 22-8 Show IP OSPF Statistics Commands...
This is an example of output from the show ip ospf database privileged EXEC command when no arguments or keywords are used:

Switch# show ip ospf database
OSPF Router with ID (172.20.135.202) (Process ID 1)
  Router Link States (Area 1)
Link ID ADV Router...
Configuring EIGRP

Enhanced IGRP (EIGRP) is a Cisco proprietary enhanced version of the IGRP. Enhanced IGRP uses the same distance vector algorithm and distance information as IGRP; however, the convergence properties and the operating efficiency of Enhanced IGRP are significantly improved.
Chapter 22 Configuring IP Unicast Routing Configuring EIGRP

feasible successors, but there are neighbors advertising the destination, a recomputation must occur. This is the process whereby a new successor is determined. The amount of time it takes to recompute the route affects the convergence time. Recomputation is processor-intensive; it is advantageous to avoid recomputation if it is not necessary.
Table 22-9 Default EIGRP Configuration (continued)
Feature: Default Setting
Network: None specified.
Offset-list: Disabled.
Router EIGRP: Disabled.
Set metric: No metric set in the route map.
Traffic-share: Distributed proportionately to the ratios of the metrics.
Variance: 1 (equal-cost load balancing).
Step 6 offset-list [access-list number | name] {in | out} offset [type number]
(Optional) Apply an offset list to routing metrics to increase incoming and outgoing metrics to routes learned through EIGRP. You can limit the offset list with an access list or an interface.
15 seconds for all other networks.

Caution Do not adjust the hold time without consulting Cisco technical support.

Step 7 no ip split-horizon eigrp autonomous-system-number
(Optional) Disable split horizon to allow route information to be advertised by a router out any interface from which that information originated.
Table 22-10 lists the privileged EXEC commands for deleting neighbors and displaying statistics. For explanations of fields in the resulting display, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. Table 22-10 IP EIGRP Clear and Show Commands...
This is an example of output from the show ip eigrp interface privileged EXEC command:

Switch# show ip eigrp interface
IP EIGRP interfaces for process 109
                 Xmit Queue   Mean   Pacing Time   Multicast   Pending
Interface  Peers...
Configuring Cisco Express Forwarding

Cisco Express Forwarding (CEF) is a Layer 3 IP switching technology used to optimize network performance. CEF implements an advanced IP look-up and forwarding algorithm to deliver maximum Layer 3 switching performance. CEF is less CPU-intensive than fast switching route caching, allowing more CPU processing power to be dedicated to packet forwarding.
Chapter 22 Configuring IP Unicast Routing Configuring Protocol-Independent Features

Beginning in privileged EXEC mode, follow these steps to enable CEF on an interface after it has been disabled:

Step 1 configure terminal
Enter global configuration mode.
Step 2 interface interface-id
Enter interface configuration mode, and specify the Layer 3 interface to configure.
Beginning in privileged EXEC mode, follow these steps to change the maximum number of parallel paths installed in a routing table from the default:

Step 1 configure terminal
Enter global configuration mode.
Step 2 router {rip | ospf | igrp | eigrp}
Enter router configuration mode.
The switch retains static routes until you remove them (by using the no ip route global configuration command). However, you can override static routes with dynamic routing information by assigning administrative distance values. Each dynamic routing protocol has a default administrative distance, as listed in Table 22-11.
The system periodically scans its routing table to choose the optimal default network as its default route. In IGRP networks, there might be several candidate networks for the system default. Cisco routers use administrative distance and metric information to determine the default route or the gateway of last resort.
Beginning in privileged EXEC mode, follow these steps to configure a route map for redistribution:

Step 1 configure terminal
Enter global configuration mode.
Step 2 route-map map-tag [permit | deny] [sequence number]
Define any route maps used to control redistribution and enter route-map configuration mode.
Step 12 set metric metric value
Set the metric value to give the redistributed routes (for any protocol except IGRP or EIGRP). The metric value is an integer from -294967295 to 294967295.
You can distribute routes from one routing domain into another and control route distribution. Beginning in privileged EXEC mode, follow these steps to control route redistribution. Note that the keywords are the same as defined in the previous procedure.

Step 1...
Filtering Routing Information

You can filter routing protocol information by performing the tasks described in this section.

Note When routes are redistributed between OSPF processes, no OSPF metrics are preserved.

Setting Passive Interfaces

To prevent other routers on a local network from dynamically learning about routes, you can use the passive-interface router configuration command to keep routing update messages from being sent through a router interface.
Controlling Advertising and Processing in Routing Updates

You can use the distribute-list router configuration command with access control lists to suppress routes from being advertised in routing updates and to prevent other routers from learning one or more routes. When used in OSPF, this feature applies to only external routes, and you cannot specify an interface name.
Step 3 distance weight {ip-address {ip-address mask}} [ip access list]
Define an administrative distance.
• weight—The administrative distance as an integer from 10 to 255. Used alone, weight specifies a default administrative distance that is used when no other specification exists for a routing information source.
Chapter 22 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network

Step 5 accept-lifetime start-time {infinite | end-time | duration seconds}
(Optional) Specify the time period during which the key can be received. The start-time and end-time syntax can be either hh:mm:ss Month date year or hh:mm:ss date Month year.
This is an example of output from the show ip route privileged EXEC command when entered without an address:

Switch# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
...
This is an example of output from the show ip route supernets-only privileged EXEC command. This display shows supernets only; it does not show subnets.

Switch# show ip route supernets-only
Codes: I - IGRP derived, R - RIP derived, O - OSPF derived
       C - connected, S - static, E - EGP derived, B - BGP derived
       i - IS-IS derived, D - EIGRP derived
...
Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference and the Cisco IOS IP and IP Routing Command Reference for Release 12.1.

This chapter consists of these sections:
• Understanding HSRP, page 23-1
• ...
Chapter 23 Configuring HSRP Understanding HSRP

Note Routers in an HSRP group can be any router interface that supports HSRP, including Catalyst 3550 routed ports and switch virtual interfaces (SVIs).

HSRP provides high network availability by providing redundancy for IP traffic from hosts on networks. In a group of router interfaces, the active router is the router of choice for routing packets;...
Chapter 23 Configuring HSRP Configuring HSRP

• EtherChannel port channel in Layer 3 mode: a port-channel logical interface created by using the interface port-channel port-channel-number global configuration command and binding the Ethernet interface into the channel group. For more information, see the “Configuring Layer 3 EtherChannels”...
Beginning in privileged EXEC mode, follow these steps to create or enable HSRP on a Layer 3 interface:

Step 1 configure terminal
Enter global configuration mode.
Step 2 interface interface-id
Enter interface configuration mode, and enter the Layer 3 interface on which you want to enable HSRP.
Configuring HSRP Group Attributes

Although HSRP can run with no other configuration required, you can configure attributes for the HSRP group, including authentication, priority, preemption and preemption delay, timers, or MAC address.

Configuring HSRP Priority

The standby priority, standby preempt, and standby track interface configuration commands are all used to set characteristics for determining active and standby routers and behavior regarding when a new active router takes over.
Beginning in privileged EXEC mode, use one or more of these steps to configure HSRP priority characteristics on an interface:

Step 1 configure terminal
Enter global configuration mode.
Step 2 interface interface-id
Enter interface configuration mode, and enter the HSRP interface on which you want to set priority.
[group-number] authentication string
(Optional) authentication string—Enter a string to be carried in all HSRP messages. The authentication string can be up to eight characters in length; the default string is cisco.
(Optional) group-number—The group number to which the command applies.
Step 4 standby [group-number] timers hellotime holdtime
(Optional) Configure the time between hello packets and the time before other routers declare the active router to be down.
• group-number—The group number to which the command applies.
Displaying HSRP Configurations

From privileged EXEC mode, use this command to display HSRP settings:

show standby [interface-id [group]] [brief] [detail]

You can display HSRP information for the whole switch, for a specific interface, for an HSRP group, or for an HSRP group on an interface.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1.

This chapter describes how to configure IP multicast routing on your multilayer switch. To use this feature, you must have the enhanced multilayer software image (EMI) installed on your switch.
Internet (MBONE). The Cisco IOS software supports PIM-to-DVMRP interaction.
• Cisco Group Management Protocol (CGMP) is used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP.

Figure 24-1 shows where these protocols operate within the IP multicast environment.
Chapter 24 Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing

Understanding IGMP

To participate in IP multicasting, multicast hosts, routers, and multilayer switches must have IGMP operating. This protocol is the group membership protocol used by hosts to inform routers and multilayer switches of the existence of members on their directly connected networks and to allow them to send and receive multicast datagrams.
IGMP Version 2

IGMPv2 provides enhancements over IGMPv1. The query and membership report messages are identical to IGMPv1 messages with two exceptions. The first difference is that the IGMPv2 query message is broken into two categories: general queries, which perform the same function as the IGMPv1 queries, and group-specific queries, which are queries directed to a single group.
PIM Versions

Two versions of PIM are supported in the IOS software. With PIM Version 1 (PIMv1), Cisco introduced support in IOS Release 11.1(6) for a new feature called Auto-RP. This proprietary feature eliminates the need to manually configure the rendezvous point (RP) information in every router and multilayer switch in the network.
The simplest form of a multicast distribution tree is a source tree whose root is the source of the multicast traffic and whose branches form a spanning tree through the network to the receivers. Because this tree uses the shortest path through the network, it is also referred to as a shortest-path tree (SPT).
PIM SM

PIM SM uses shared trees and SPTs to distribute multicast traffic to multicast receivers in the network. In PIM SM, a router or multilayer switch assumes that other routers or switches do not forward multicast packets for a group, unless there is an explicit request for the traffic (join message).
For Auto-RP to work, you configure a Cisco router or multilayer switch as the mapping agent. It uses IP multicast to learn which routers or switches in the network are possible candidate RPs by joining the well-known Cisco-RP-announce multicast group (224.0.1.39) to receive candidate RP announcements.
travel hop-by-hop throughout the PIM domain. Because BSR messages contain the IP address of the current BSR, the flooding mechanism allows candidate RPs to automatically learn which device is the elected BSR.
(MBONE) and in other intradomain multicast networks. Cisco routers and multilayer switches run PIM and can forward multicast packets to and receive from a DVMRP neighbor. It is also possible to propagate DVMRP routes into and through a PIM cloud. The...
CGMP is a protocol used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. CGMP permits Layer 2 group membership information to be communicated from the CGMP server to the switch, which can learn on which ports multicast members reside instead of flooding multicast traffic to all switch ports.
Chapter 24 Configuring IP Multicast Routing Configuring IP Multicast Routing

Leaving a Group with CGMP

When an IGMPv2 host leaves a group, it can send an IGMP leave group message to the all-multicast-routers group (224.0.0.2). The CGMP server translates this leave group message into a CGMP leave message and sends it to the switch.
PIMv2 BSR. However, Auto-RP is a standalone protocol, separate from PIMv1, and is a proprietary Cisco protocol. PIMv2 is a standards track protocol in the IETF. We recommend that you use PIMv2. The BSR mechanism interoperates with Auto-RP on Cisco routers and multilayer switches.
• If you have a network that includes non-Cisco routers, configure the Auto-RP mapping agent and the BSR on a Cisco PIMv2 router or multilayer switch. Ensure that no PIMv1 device is on the path between the BSR and a non-Cisco PIMv2 router.
Configure the PIM version on the interface. By default, Version 2 is enabled and is the recommended setting.

Note All IP multicast-capable Cisco PIM routers using IOS Release 11.3(2)T or later start in PIMv2 by default. An interface in PIMv2 mode automatically downgrades to PIMv1 mode if that interface has a PIMv1 neighbor.
• Manually Assigning an RP to Multicast Groups, page 24-17
• Configuring Auto-RP, page 24-18 (a standalone, Cisco-proprietary protocol separate from PIMv1)
• Configuring PIMv2 BSR, page 24-22 (a standards track protocol in the Internet Engineering Task Force (IETF))

You can use Auto-RP, BSR, or a combination of both, depending on the PIM version you are running and the types of routers in your network.
Switch(config)# access-list 1 permit 225.2.2.2 0.0.0.0
Switch(config)# ip pim rp-address 147.106.6.22 1

Configuring Auto-RP

Auto-RP uses IP multicast to automate the distribution of group-to-RP mappings to all Cisco routers and multilayer switches in a PIM network. It has these benefits:
• ...
This section contains this configuration information:
• Setting up Auto-RP in a New Internetwork, page 24-19
• Adding Auto-RP to an Existing Sparse-Mode Cloud, page 24-19
• Preventing Join Messages to False RPs, page 24-20
• Preventing Candidate RP Spoofing, page 24-21
• ...
Step 4 access-list access-list-number {deny | permit} source [source-wildcard]
Create a standard access list, repeating the command as many times as necessary.
• For access-list-number, enter the access list number specified in Step ...
• ...
If all interfaces are in sparse mode, use a default-configured RP to support the two well-known groups 224.0.1.39 and 224.0.1.40. Auto-RP uses these two well-known groups to collect and distribute RP-mapping information.
Step 5 show running-config
Verify your entries.
Step 6 copy running-config startup-config
(Optional) Save your entries in the configuration file.

To remove a filter on incoming RP announcement messages, use the no ip pim rp-announce-filter rp-list access-list-number group-list access-list-number global configuration command.
Beginning in privileged EXEC mode, follow these steps to define the PIM domain border:

Step 1 configure terminal
Enter global configuration mode.
Step 2 interface interface-id
Enter interface configuration mode, and specify the interface to be configured.
Defining the IP Multicast Boundary

You define a multicast boundary to prevent Auto-RP messages from entering the PIM domain. You create an access list to deny packets destined for 224.0.1.39 and 224.0.1.40, which carry Auto-RP information.
Configuring Candidate BSRs

You can configure one or more candidate BSRs. The devices serving as candidate BSRs should have good connectivity to other devices and be in the backbone portion of the network.

Beginning in privileged EXEC mode, follow these steps to configure your multilayer switch as a candidate BSR:
...
IP multicast address space or a portion of it. Candidate RPs send candidate RP advertisements to the BSR. When deciding which devices should be RPs, consider these options:
• In a network of Cisco routers and multilayer switches where only Auto-RP is used, any device can be configured as an RP.
• ...
If you have non-Cisco PIMv2 routers that need to interoperate with Cisco PIMv1 routers and multilayer switches, both Auto-RP and a BSR are required. We recommend that a Cisco PIMv2 router or multilayer switch be both the Auto-RP mapping agent and the BSR.
Chapter 24 Configuring IP Multicast Routing Configuring Advanced PIM Features

Troubleshooting PIMv1 and PIMv2 Interoperability Problems

When debugging interoperability problems between PIMv1 and PIMv2, check these in the order shown:
Verify RP mapping with the show ip pim rp-hash privileged EXEC command, making sure that all systems agree on the same RP for the same group.
This process describes the move from a shared tree to a source tree:
A receiver joins a group; leaf Router C sends a join message toward the RP.
The RP puts a link to Router C in its outgoing interface list.
A source sends data;...
Beginning in privileged EXEC mode, follow these steps to configure a traffic rate threshold that must be reached before multicast routing is switched from the shared tree to the shortest-path tree:

Step 1...
Chapter 24 Configuring IP Multicast Routing Configuring Optional IGMP Features

By default, multicast routers and multilayer switches send PIM router-query messages every 30 seconds. Beginning in privileged EXEC mode, follow these steps to modify the router-query message interval:

Step 1 configure terminal
Enter global configuration mode.
Table 24-2 Default IGMP Configuration (continued)
Feature: Default Setting
Access to multicast groups: All groups are allowed on an interface.
IGMP host-query message interval: 60 seconds on all interfaces.
Multilayer switch as a statically connected member: Disabled.
You can determine the query interval by entering the show ip igmp interface interface-id privileged EXEC command. Beginning in privileged EXEC mode, follow these steps to change the IGMP query timeout:

Step 1...
ICMP echo-request packets addressed to a group of which they are members. Another example is the multicast trace-route tools provided in the Cisco IOS software. Beginning in privileged EXEC mode, follow these steps to configure the multilayer switch to be a...
Controlling Access to IP Multicast Groups

The multilayer switch sends IGMP host-query messages to determine which multicast groups have members on attached local networks. The switch then forwards to these group members all packets addressed to the multicast group.
Modifying the IGMP Host-Query Message Interval

The multilayer switch periodically sends IGMP host-query messages to discover which multicast groups are present on attached networks. These messages are sent to the all-hosts multicast group (224.0.0.1) with a time-to-live (TTL) of 1.
Chapter 24 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features

Beginning in privileged EXEC mode, follow these steps to configure the switch itself to be a statically connected member of a group (and allow fast switching):

Step 1 configure terminal
Enter global configuration mode.
The multilayer switch serves as a CGMP server for devices that do not support IGMP snooping but have CGMP client functionality. CGMP is a protocol used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. CGMP is necessary because the Layer 2 switch cannot distinguish between IP multicast data packets and IGMP report messages, which are both at the MAC-level and are addressed to the same group address.
Configuring sdr Listener Support

The MBONE is the small subset of Internet routers and hosts that are interconnected and capable of forwarding IP multicast traffic. Other interesting multimedia content is often broadcast over the MBONE.
Step 3 end
Return to privileged EXEC mode.
Step 4 show running-config
Verify your entries.
Step 5 copy running-config startup-config
(Optional) Save your entries in the configuration file.

To return to the default setting, use the no ip sdr cache-timeout global configuration command.
multicast packets with an initial TTL value set to 99. The engineering and marketing departments have set a TTL threshold of 40 at the perimeter of their networks; therefore, multicast applications running on these networks can prevent their multicast transmissions from leaving their respective networks.
Configuring an IP Multicast Boundary

Like TTL thresholds, administratively-scoped boundaries can also be used to limit the forwarding of multicast traffic outside of a domain or subdomain. This approach uses a special range of multicast addresses, called administratively-scoped addresses, as the boundary mechanism.
Chapter 24 Configuring IP Multicast Routing Configuring Basic DVMRP Interoperability Features

Beginning in privileged EXEC mode, follow these steps to set up an administratively-scoped boundary:

Step 1 configure terminal
Enter global configuration mode.
Step 2 access-list access-list-number {deny | permit} source [source-wildcard]
Create a standard access list, repeating the command as many times as necessary.
DVMRP routers and, in turn, forwards multicast packets to DVMRP routers. DVMRP interoperability is automatically activated when a Cisco PIM device receives a DVMRP probe message on a multicast-enabled interface. No specific IOS command is configured to enable DVMRP interoperability;...
Beginning in privileged EXEC mode, follow these steps to configure the sources that are advertised and the metrics that are used when DVMRP route-report messages are sent:

Step 1 configure terminal
Enter global configuration mode.
Switch(config)# access-list 2 permit 0.0.0.0 255.255.255.255

Configuring a DVMRP Tunnel

The Cisco IOS software supports DVMRP tunnels to the MBONE. You can configure a DVMRP tunnel on a router or multilayer switch if the other end is running DVMRP. The software then sends and receives multicast packets through the tunnel.
Beginning in privileged EXEC mode, follow these steps to configure a DVMRP tunnel:

Step 1 configure terminal
Enter global configuration mode.
Step 2 access-list access-list-number {deny | permit} source [source-wildcard]
Create a standard access list, repeating the command as many times as necessary.
Switch(config)# access-list 1 permit 198.92.37.0 0.0.0.255

Advertising Network 0.0.0.0 to DVMRP Neighbors

If your multilayer switch is a neighbor of an mrouted version 3.6 device, you can configure the Cisco IOS software to advertise network 0.0.0.0 (the default route) to the DVMRP neighbor. The DVMRP default route computes the RPF information for any multicast sources that do not match a more specific route.
Responding to mrinfo Requests

The Cisco IOS software answers mrinfo requests sent by mrouted systems and Cisco routers and multilayer switches. The software returns information about neighbors through DVMRP tunnels and all the routed interfaces. This information includes the metric (always set to 1), the configured TTL threshold, the status of the interface, and various flags.
Configuring Advanced DVMRP Interoperability Features

Cisco routers and multilayer switches run PIM to forward multicast packets to receivers and receive multicast packets from senders. It is also possible to propagate DVMRP routes into and through a PIM cloud.
Rejecting a DVMRP Nonpruning Neighbor

By default, Cisco devices accept all DVMRP neighbors as peers, regardless of their DVMRP capability. However, some non-Cisco devices run old versions of DVMRP that cannot prune, so they continuously receive forwarded packets, wasting bandwidth.
Figure 24-14 Router Rejects Nonpruning DVMRP Neighbor (figure: source router or RP, Router A, Router B, receiver, leaf DVMRP device, multilayer switch; multicast traffic gets to the receiver, not to the leaf DVMRP device; configure the ip dvmrp reject-non-pruners command on this interface)
Controlling Route Exchanges

This section describes how to tune the Cisco device advertisements of DVMRP routes. It contains this configuration information:
• Limiting the Number of DVMRP Routes Advertised, page 24-53
• ...
Cisco router that is not on these two Ethernet segments does not properly RPF-check on the DVMRP router and is discarded. You can force the Cisco router to advertise the summary address (specified by the address and mask pair in the ip dvmrp summary-address address mask interface configuration command) in place of any route that falls in this address range.
Disabling DVMRP Autosummarization

By default, the Cisco IOS software automatically performs some level of DVMRP summarization. Disable this function if you want to advertise all routes, not just a summary. In some special cases, you can use the neighboring DVMRP router with all subnet information to better control the flow of multicast traffic in the DVMRP network.
Chapter 24 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing

Beginning in privileged EXEC mode, follow these steps to change the default metric:

Step 1 configure terminal
Enter global configuration mode.
Step 2 interface interface-id
Enter interface configuration mode, and specify the interface to be configured.
Clearing Caches, Tables, and Databases

You can remove all contents of a particular cache, table, or database. Clearing a cache, table, or database might be necessary when the contents of the particular structure are, or are suspected to be, invalid. You can use any of the privileged EXEC commands in Table 24-3 to clear IP multicast caches, tables,...
Table 24-4 Commands for Displaying System and Network Statistics (continued)
Command: Purpose
show ip pim interface [type number] [count]: Display information about interfaces configured for PIM.
show ip pim neighbor [type number]: List the PIM neighbors discovered by the multilayer switch.
Catalyst 3550 Multilayer Switch Software Configuration Guide, 78-11194-03
You can order the Enhanced Multilayer Software Image Upgrade kit to upgrade Catalyst 3550 Fast Ethernet switches from the SMI to the EMI.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
Chapter 25 Configuring MSDP: Understanding MSDP
The purpose of this topology is to have domains discover multicast sources in other domains. If the multicast sources are of interest to a domain that has receivers, multicast data is delivered over the normal, source-tree building mechanism in PIM-SM.
Chapter 25 Configuring MSDP: Configuring MSDP
Step 3  ip prefix-list name [description string] | seq number {permit | deny} network
        (Optional) Create a prefix list using the name specified in Step 2.
        • (Optional) For description string, enter a description of up to 80 characters to describe this prefix list.
Beginning in privileged EXEC mode, follow these steps to enable the caching of source/group pairs:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip msdp cache-sa-state [list access-list-number]
        Enable the caching of source/group pairs (create an SA state). Those pairs that pass the access list are cached.
Requesting Source Information from an MSDP Peer
Local RPs can send SA requests and get immediate responses for all active sources for a given group. By default, the multilayer switch does not send any SA request messages to its MSDP peers when a new member joins a group and wants to receive multicast traffic.
Redistributing Sources
SA messages are originated on RPs to which sources have registered. By default, any source that registers with an RP is advertised. The A flag is set in the RP when a source is registered, which means the source is advertised in an SA unless it is filtered.
Step 3  access-list access-list-number {deny | permit} source [source-wildcard]
        Create an IP standard access list, repeating the command as many times as necessary.
        access-list access-list-number {deny | permit} protocol source source-wildcard ...
        Create an IP extended access list, repeating the command as many times as necessary.
Filtering Source-Active Request Messages
By default, only multilayer switches that are caching SA information can respond to SA requests. By default, such a switch honors all SA request messages from its MSDP peers and supplies the IP addresses of the active sources.
Controlling Source Information that Your Switch Forwards
By default, the multilayer switch forwards all SA messages it receives to all its MSDP peers. However, you can prevent outgoing messages from being forwarded to a peer by using a filter or by setting a time-to-live (TTL) value.
This example shows how to allow only (S,G) pairs that pass access list 100 to be forwarded in an SA message to the peer named switch.cisco.com:
Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet0/1
Switch(config)# ip msdp sa-filter out switch.cisco.com list 100
Switch(config)# access-list 100 permit ip 171.69.0.0 0.0.255.255 224.2.0.0 0.0.255.255
Using TTL to Limit the Multicast Data Sent in SA Messages
You can use a TTL value to control what data is encapsulated in the first SA message for every source. Only multicast packets with an IP-header TTL greater than or equal to the ttl argument are sent to the specified MSDP peer.
To remove the filter, use the no ip msdp sa-filter in {ip-address | name} [list access-list-number] [route-map map-tag] global configuration command. This example shows how to filter all SA messages from the peer named switch.cisco.com:
Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet0/1
Switch(config)# ip msdp sa-filter in switch.cisco.com...
Configuring an MSDP Mesh Group
An MSDP mesh group is a group of MSDP speakers that have fully meshed MSDP connectivity among one another. Any SA messages received from a peer in a mesh group are not forwarded to other peers in the same mesh group.
Beginning in privileged EXEC mode, follow these steps to shut down a peer:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip msdp shutdown {peer-name | peer-address}
        Administratively shut down the specified MSDP peer without losing configuration information.
Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Note that the ip msdp originator-id global configuration command also identifies an interface type and number to be used as the RP address.
Chapter 25 Configuring MSDP: Monitoring and Maintaining MSDP
To monitor MSDP SA messages, peers, state, or peer status, use one or more of the privileged EXEC commands in Table 25-1:
Table 25-1 Commands for Monitoring and Maintaining MSDP
debug ip msdp [peer-address | name] [detail] [routes]...
You can order the Enhanced Multilayer Software Image Upgrade kit to upgrade Catalyst 3550 Fast Ethernet switches from the SMI to the EMI.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Bridging and IBM Networking Command Reference for Release 12.1.
Chapter 26 Configuring Fallback Bridging: Understanding Fallback Bridging
...acts like a port on a router, but it is not connected to a router. A routed port is not associated with a particular VLAN, does not support VLAN subinterfaces, but behaves like a normal routed interface. For more information about SVIs and routed ports, see Chapter 8, “Configuring Interface Characteristics.”...
Chapter 26 Configuring Fallback Bridging: Configuring Fallback Bridging
Creating a Bridge Group
To configure fallback bridging for a set of SVIs or routed ports, these interfaces must be assigned to bridge groups. All interfaces in the same group belong to the same bridge domain. Each SVI or routed port can be assigned to only one bridge group.
This example shows how to create bridge group 10, specify the VLAN-bridge STP to run in the bridge group, and assign an interface to the bridge group:
Switch(config)# bridge 10 protocol vlan-bridge
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# no switchport
Switch(config-if)# bridge-group 10...
Configuring the Bridge Table Aging Time
A switch forwards, floods, or drops packets based on the bridge table. The bridge table maintains both static and dynamic entries. Static entries are entered by you or learned by the switch. Dynamic entries are entered by the bridge learning process.
Poorly planned adjustments can have a negative impact on performance. A good source on switching is the IEEE 802.1d specification; for more information, refer to the “References and Recommended Reading” appendix in the Cisco IOS Configuration Fundamentals Command Reference.
Changing the Switch Priority
You can globally configure the priority of an individual switch when two switches tie for position as the root switch, or you can configure the likelihood that a switch will be selected as the root switch. This priority is determined by default;...
Step 5  show running-config
        Verify your entry.
Step 6  copy running-config startup-config
        (Optional) Save your entry in the configuration file.
No no form of this command exists. To return to the default setting, use the bridge-group bridge-group priority number interface configuration command.
Adjusting BPDU Intervals
You can adjust BPDU intervals as described in these sections:
• Adjusting the Interval between Hello BPDUs
• Defining the Forward Delay Interval
• Defining the Maximum Idle Interval
Note: Each switch in a spanning tree adopts the interval between hello BPDUs, the forward delay interval, and the maximum idle interval parameters of the root switch, regardless of what its individual...
Step 3  Return to privileged EXEC mode.
Step 4  show running-config
        Verify your entry.
Step 5  copy running-config startup-config
        (Optional) Save your entry in the configuration file.
To return to the default setting, use the no bridge bridge-group forward-time seconds global configuration command.
Chapter 26 Configuring Fallback Bridging: Monitoring and Maintaining the Network
Disabling the Spanning Tree on an Interface
When a loop-free path exists between any two switched subnetworks, you can prevent BPDUs generated in one switching subnetwork from impacting devices in the other switching subnetwork, yet still permit switching throughout the network as a whole.
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release and the Cisco IOS Command Summary for Release 12.1.
This chapter consists of these sections:
•...
Chapter 27 Troubleshooting: Using Recovery Procedures
Recovering from Corrupted Software
Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity.
Recovering from a Lost or Forgotten Password
The default configuration for Catalyst 3550 switches allows an end user with physical access to the switch to recover from a lost password by interrupting the boot process during power-on and by entering a new password.
Step 2  If you had set the console port speed to anything other than 9600, it has been reset to that particular speed. Change the emulation software line speed to match that of the switch console port.
Step 3  Load any helper files:
switch: load_helper...
Step 12  Return to privileged EXEC mode:
Switch(config)# exit
Switch#
Step 13  Write the running configuration to the startup configuration file:
Switch# copy running-config startup-config
The new password is now in the startup configuration.
Note: This procedure is likely to leave your switch virtual interface in a shutdown state.
Step 3  Display the contents of Flash memory:
switch: dir flash:
The switch file system is displayed:
Directory of flash:
drwx  Mar 01 1993 22:30:48  c3550-i5q3l2-mz-121-0.0.53
-rwx  Mar 01 1993 22:30:57  env_vars
-rwx  Mar 01 1993 22:30:57  system_env_vars
16128000 bytes total (10003456 bytes free)
Step 4...
Recovering from a Command Switch Failure
This section describes how to recover from a failed command switch. You can configure a redundant command switch group by using the Hot Standby Router Protocol (HSRP). For more information, see Chapter 5, “Clustering Switches”...
Step 9  Use the setup program to configure the switch IP information. This program prompts you for IP address information and passwords. From privileged EXEC mode, enter setup, and press Return.
Switch# setup
--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: y
At any point you may enter a question mark '?' for help.
Replacing a Failed Command Switch with Another Switch
To replace a failed command switch with a switch that is command-capable but not part of the cluster, follow these steps:
Step 1  Insert the new switch in place of the failed command switch, and duplicate its connections to the cluster members.
Chapter 27 Troubleshooting: Preventing Autonegotiation Mismatches
Step 10  When prompted, assign a name to the cluster, and press Return. The cluster name can be 1 to 31 alphanumeric characters, dashes, or underscores.
Step 11  When the initial configuration displays, verify that the addresses are correct.
Step 12  If the displayed information is correct, enter Y, and press Return.
Chapter 27 Troubleshooting: Diagnosing Connectivity Problems
This section describes how to troubleshoot connectivity problems:
• Understanding Ping, page 27-11
• Executing Ping, page 27-11
• Understanding IP Traceroute, page 27-12
• Executing IP Traceroute, page 27-13
Understanding Ping
The switch supports IP ping, which you can use to test connectivity to remote hosts.
This example shows how to ping an IP host:
Switch# ping 172.20.52.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 172.20.52.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Switch#
Table 27-1 describes the possible ping character output.
To determine when a datagram reaches its destination, traceroute sets the UDP destination port number in the datagram to a very large value that the destination host is unlikely to be using. When a host receives a datagram destined to itself containing a destination port number that is unused locally, it sends an ICMP port unreachable error to the source.
For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
Chapter 27 Troubleshooting: Using the show forward Command
Enabling All-System Diagnostics
Beginning in privileged EXEC mode, enter this command to enable all-system diagnostics:
Switch# debug all
Caution: Because debugging output takes priority over other network traffic, and because the debug all privileged EXEC command generates more output than any other debug command, it can severely diminish switch performance or even render it unusable.
This is an example of the output from the show forward privileged EXEC command for Fast Ethernet port 8, where VLAN ID, source and destination MAC addresses, and source and destination IP addresses were provided.
The information in the file includes the IOS image name and version that failed, a dump of the processor registers, and a stack trace. You can provide this information to the Cisco technical support representative by using the show tech-support privileged EXEC command.
• BRIDGE-MIB (RFC1493)
• CISCO-VLAN-MEMBERSHIP-MIB
• CISCO-VLAN-IFINDEX-RELATIONSHIP-MIB
• CISCO-STACK-MIB (only a subset of the available MIB objects are implemented; not all objects are supported)
• RMON 1 MIB (only RMON etherStats, etherHistory, alarms, and events are supported)
• IGMP MIB
•...
/pub/mibs/v1 and the /pub/mibs/v2.
ftp>
Step 5  Use the get MIB_filename command to obtain a copy of the MIB file.
Note: You can also access information about MIBs on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 3550 Multilayer Switch Command Reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
This appendix consists of these sections:
• Working with the Flash File System, page B-1
•...
Appendix B Working with the IOS File System, Configuration Files, and Software Images: Working with the Flash File System
Displaying Available File Systems
To display the available file systems on your switch, use the show file systems privileged EXEC command as shown in this example:
Switch# show file systems
File Systems:
Size(b)...
Setting the Default File System
You can specify the file system or directory that the system uses as the default file system by using the cd filesystem: privileged EXEC command.
Creating and Removing Directories
Beginning in privileged EXEC mode, follow these steps to create and remove a directory:
Step 1  dir filesystem:
        Display the directories on the specified file system.
Some invalid combinations of source and destination exist. Specifically, you cannot copy these combinations:
• From a running configuration to a running configuration
•...
Creating, Displaying, and Extracting tar Files
You can create a tar file and write files into it, list the files in a tar file, and extract the files from a tar file as described in the next sections.
You can also limit the display of the files by specifying an optional list of files or directories after the tar file; then only these files are displayed. If none are specified, all files and directories are displayed. This example shows how to display the contents of the c3550-i5q3l2-mz.121-6.EA1.tar file that is in Flash memory:
Switch# archive tar /table flash:c3550-i5q3l2-mz.121-6.EA1.tar...
This section describes how to create, load, and maintain configuration files. Configuration files contain commands entered to customize the function of the Cisco IOS software. To better benefit from these instructions, your switch must contain a minimal configuration for interacting with the system software.
Appendix B Working with the IOS File System, Configuration Files, and Software Images: Working with Configuration Files
• Copying Configuration Files By Using FTP, page B-12
• Copying Configuration Files By Using RCP, page B-16
• Clearing Configuration Information, page B-19
Guidelines for Creating and Using Configuration Files
Creating configuration files can aid in your switch configuration.
Creating a Configuration File By Using a Text Editor
When creating a configuration file, you must list commands logically so that the system can respond appropriately.
• Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).
•...
The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list:
• The username specified in the copy command, if a username is specified.
If the server has a directory structure, the configuration file is written to or copied from the directory associated with the username on the server. For example, if the configuration file resides in the home directory of a user on the server, specify that user's name as the remote username.
Step 6  Return to privileged EXEC mode.
Step 7  copy ftp:[[[//[username[:password]@]location]/directory]/filename] system:running-config
        Using FTP, copy the configuration file from a network server to the running configuration or to the startup configuration file.
Uploading a Configuration File By Using FTP
Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using FTP:
Step 1...
The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list: •...
• When you upload a file to the RCP server, it must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server.
This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 to the startup configuration:
Switch# configure terminal
Switch(config)# ip rcmd remote-username netadmin1...
Depending on the setting of the file prompt global configuration command, you might be prompted for confirmation before you delete a file. By default, the switch prompts for confirmation on destructive file operations. For more information about the file prompt command, refer to the Cisco IOS Command Reference for Release 12.1.
Flash memory.
tar File Format of Images on a Server or Cisco.com
Software images located on a server or downloaded from Cisco.com are provided in a tar file format, which contains these files:
•...
Appendix B Working with the IOS File System, Configuration Files, and Software Images: Working with Software Images
Table B-3 info and info.ver File Description
version_suffix
        Specifies the IOS image version string suffix
version_directory
        Specifies the directory where the IOS image and the HTML subdirectory are installed
image_name
        Specifies the name of the IOS image within the tar file
ios_image_file_size...
Preparing to Download or Upload an Image File By Using TFTP
Before you begin downloading or uploading an image file by using TFTP, do these tasks:
• Ensure that the workstation acting as the TFTP server is properly configured.
Step 3  archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar
        Download the image file from the TFTP server to the switch, and overwrite the current image.
        •...
Uploading an Image File By Using TFTP
You can upload an image from the switch to a TFTP server. You can later download this image to the switch or to another switch of the same type.
The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list:
• The username specified in the archive download-sw or archive upload-sw privileged EXEC...
Before you begin downloading or uploading an image file by using FTP, do these tasks:
• Ensure that the switch has a route to the FTP server. The switch and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets.
Step 7  archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory]/image-name.tar
        Download the image file from the FTP server to the switch, and overwrite the current image.
        •...
The algorithm installs the downloaded image onto the system board Flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the switch to a server by using RCP, the Cisco IOS software sends the first valid username in this list: •...
For the RCP copy request to execute successfully, an account must be defined on the network server for the remote username. If the server has a directory structure, the image file is written to or copied from the directory associated with the remote username on the server.
Step 5  Return to privileged EXEC mode.
Step 6  archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-name.tar
        Download the image file from the RCP server to the switch, and overwrite the current image.
If you specify the /leave-old-sw option, the existing files are not removed. If there is not enough room to install the new image and keep the running image, the download process stops, and an error message is displayed.
Step 5  Return to privileged EXEC mode.
Step 6  archive upload-sw rcp:[[[//[username@]location]/directory]/image-name.tar
        Upload the currently running switch image to the RCP server.
Appendix C Unsupported CLI Commands
This appendix lists the unsupported command-line interface (CLI) commands that are displayed when you enter the question mark (?) at the switch prompt. The unsupported commands are listed by software feature and command mode.
Appendix C Unsupported CLI Commands: IP Unicast Routing
ip reflexive-list
ip vrf
router bgp
router egp
router isis
router iso-igrp
router mobile
router odr
router static
Unsupported Interface Configuration Commands
ip accounting
ip load-sharing [per-packet]
ip mtu bytes
ip route-cache
ip verify
ip vrf
ip unnumbered type number
All ip security commands...
Appendix C Unsupported CLI Commands: MSDP
Unsupported Privileged EXEC Commands
show access-expression
show exception
show location
show pm LINE
show smf [interface-id]
show subscriber-policy [policy-number]
show template [template-name]
Unsupported Global Configuration Commands
ip msdp default-peer ip-address | name [prefix-list list] (Because BGP/MBGP is not supported, use the ip msdp peer command instead of this command.)
RADIUS
Unsupported Global Configuration Commands...
I N D E X accounting with RADIUS 6-27 Numerics accounting with TACACS+ 6-11, 6-17 802.1Q ACEs and trunk ports and QoS 20-7 configuration limitations 9-24 defined 19-2 encapsulation 9-22, 9-24 Ethernet 19-2 native VLAN for untagged traffic 9-29 19-2 802.1Q trunk mode Layer 3 parameters 19-10...
Page 762
Index ACLs (continued) ACLs (continued) host keyword 19-12 VLAN maps configuration guidelines 19-28 applying to interface configuring 19-18 19-27 creating 19-6 defined 19-3 fragments and QoS guidelines active router 20-20 23-1 implicit deny addresses 19-9, 19-13, 19-15 implicit masks 19-9 displaying the MAC address table 6-57 matching criteria...
Page 763
Index aggregate policing authorization with RADIUS 6-26 aging, accelerating 10-10 authorization with TACACS+ 6-11, 6-16 aging time authorized ports with 802.1X accelerated for STP autoconfiguration 10-10, 10-29 bridge table for fallback bridging 26-6 automatic discovery MAC address table adding member switches 6-53 5-20 maximum for STP...
Page 764
Index banners candidate switch configuring adding 5-20 login automatic discovery 6-51 message-of-the-day login defined 6-50 default configuration 6-49 5-22 when displayed passwords 6-49 5-20 binding cluster group and HSRP group requirements 23-9 blocking packets 12-6 standby group 5-22 booting See also command switch, cluster standby group, and member switch boot loader, function of caution, described...
Page 765
Cisco Discovery Protocol clusters, switch (continued) See CDP planning considerations Cisco Express Forwarding automatic discovery See CEF automatic recovery 5-12 Cisco Group Management Protocol 5-25 See CGMP described Cisco Technical Assistance Center host names xxxiii 5-16 CiscoWorks 2000 1-6, 18-3...
Page 766
Index CMS (continued) commands displaying system messages 3-19 abbreviating error checking no and default 3-32 features setting privilege levels Front Panel images command switch Front Panel view active (AC) 5-12, 5-22 interaction modes command switch with HSRP disabled (CC) 3-26 5-22 menu bar 3-15...
Page 767
Index configuration files conventions clearing the startup configuration B-19 command creating using a text editor for examples B-10 default name publication 4-12 deleting a stored configuration B-19 text described 1-4, 20-2 downloading CoS-to-DSCP map for QoS 20-39 automatically 4-12 CoS-to-egress-queue map 20-45 preparing B-10, B-13, B-16...
Page 769
24-56 documentation connecting PIM domain to DVMRP router 24-46 feedback enabling unicast routing xxxii 24-50 obtaining interoperability CD-ROM xxxi with Cisco devices 24-44 world wide web with IOS software xxxi 24-11 ordering xxxii mrinfo requests, responding to 24-49 related xxxi...
Page 770
Index DVMRP (continued) EIGRP (continued) support for definition 22-46 tunnels interface parameters, configuring 22-49 configuring monitoring 24-46 22-51 displaying neighbor information 24-49 support for dynamic access mode enable password dynamic access ports enable secret password characteristics encapsulation types, Ethernet trunk 9-24 configuring 9-38...
EtherChannel (continued) expedite queue for QoS (continued) Layer 3 interface 22-3 Gigabit-capable Ethernet ports load balancing allocating bandwidth 21-5, 21-13 20-50 logical interfaces, described configuring 21-2 20-50 number of interfaces per 21-1 described 20-13 overview expert mode 21-1 3-26 PAgP extended system ID for STP 10-3, 10-23...
QoS policing and marking 9-34 20-10 fan fault indication QoS queueing and scheduling Fast Uplink Transition Protocol 10-14 10/100 ports 20-15 feedback to Cisco Systems, web Gigabit-capable ports xxxii 20-12 22-53 flow control 1-2, 8-16 fiber-optic, detecting unidirectional links 14-1...
FTP (continued) hello time, STP 10-29 image files help, for the command line deleting old image Help button, CMS B-28 3-29 downloading Help Contents B-26 3-27 preparing the server B-25 history uploading changing the buffer size B-28 described disabling recalling commands history table, level and number of syslog messages 17-10...
IGMP (continued) leave processing, enabling 11-9 ICMP leaving multicast group 11-4 redirect messages 22-15 multicast reachability 24-34 support for overview 24-3 time exceeded messages 27-12 queries 11-3 traceroute and 27-12 support for unreachable messages 19-5 Version 1 unreachables and ACLs 19-6 changing to Version 2 24-32...
IGMP snooping (continued) interfaces (continued) Immediate Leave 11-4 flow control 8-16 method management 11-6 monitoring monitoring 11-9 8-18 support for naming 8-17 VLAN configuration physical, identifying 11-6 range of 22-35 IGRP restarting 8-21 advertisements 22-30 shutting down 8-21 alternate routes supported 22-31 configuring...
PIM domain border 24-22 manually 4-10 IOS release 24-5 through DHCP-based autoconfiguration overview 24-8 default configuration using with Auto-RP 24-27 IP multicast routing Cisco implementation 24-2 addresses configuring all-hosts basic multicast routing 24-1 24-15 all-multicast-routers 24-1 IP multicast boundary 24-42 all-PIM-routers...
IP multicast routing (continued) IP routes, monitoring 22-64 MBONE IP routing deleting sdr cache entries connecting interfaces with 24-58 described enabling 24-39 22-24 displaying sdr cache 24-59 IP traceroute enabling sdr listener support executing 24-39 27-13 limiting DVMRP routes advertised overview 24-53 27-12...
IP unicast routing (continued) protocols Layer 2 frames, classification with CoS 20-2 distance-vector 22-2 Layer 2 interfaces, default configuration 8-13 dynamic 22-2 Layer 2 trunks 9-22 link-state 22-2 Layer 3 features proxy ARP 22-10 Layer 3 interfaces redistribution 22-57 assigning IP addresses to 22-6 reverse address resolution...
marking action in policy map 20-32 MAC addresses action with aggregate policers 20-37 aging time 6-53 described 20-3, 20-8 and VLAN association 6-52 matching, ACLs 19-6 building the address table 6-52 maximum aging time, STP 10-30 default configuration 6-53 maximum-paths command 22-54 displaying...
mirroring traffic for analysis monitoring (continued) 15-1 mismatches, autonegotiation 27-10 speed and duplex mode 8-15 Mode button traffic flowing among switches 16-1 modes traffic suppression 12-11 access to CMS 3-31 VLAN port filters 19-33 VLAN port membership maps 19-33 Modify button 3-29 VMPS...
MSDP (continued) source-active messages named IP ACLs 19-14 caching 25-6 native VLANs 9-29 clearing cache entries 25-19 negotiate trunk mode defined 25-2 neighbor discovery/recovery, EIGRP 22-46 filtering from a peer 25-11 neighboring devices, types of 3-12 filtering incoming 25-14 network configuration examples filtering to a peer 25-12...
NTP (continued) out-of-profile markdown restricting access output interface, getting information about 27-16 creating an access group overheating indication, switch 6-39 disabling NTP services per interface 6-40 source IP address, configuring 6-40 stratum 6-32 support for packet modification, with QoS 20-17 synchronizing devices 6-36...
policers default configuration 24-13 configuring dense mode for each matched traffic class 20-32 (S,G) notation for more than one traffic class 24-6 20-37 graft messages 24-6 described 20-3 overview displaying 24-5 20-56 pruning and SPT number of 24-5 1-4, 20-9 rendezvous point (RP), described 24-7 types of...
protected ports QoS (continued) 1-3, 12-5 protocol-dependent modules, EIGRP 22-47 class maps Protocol-Independent Multicast Protocol configuring 20-30 See PIM displaying 20-56 proxy ARP configuration examples configuring common wiring closet 22-13 20-57 definition distribution layer 22-10 20-59 with IP routing disabled 22-14 intelligent wiring closet 20-58...
QoS (continued) QoS (continued) mapping tables queues CoS-to-DSCP CoS-to-egress-queue map 20-39 20-45 CoS-to-egress-queue for 10/100 Ethernet ports 20-45 20-15 displaying 20-56 high priority (expedite) 20-13, 20-50 DSCP-to-CoS minimum-reserve levels 20-42 20-53 DSCP-to-DSCP-mutation serviced by WRR 20-43 20-13, 20-16 DSCP-to-threshold 20-47 size of 20-13, 20-15...
RADIUS (continued) redundancy configuring EtherChannel 21-1 accounting features 6-27 authentication HSRP 6-23 23-1 authorization 6-26 communication, global backbone 6-21, 6-28 10-9 communication, per-server multidrop backbone 6-20, 6-21 10-13 multiple UDP ports 6-20 path cost 9-32 default configuration 6-20 port priority 9-30 defining AAA server groups redundant clusters...
RFC (continued) route summarization, OSPF 22-41 1253, OSPF 22-35 routing 1305, NTP default 6-32 22-2 1587, NSSAs dynamic 22-35 22-2 1757, RMON 16-2 redistribution of information 22-57 1901, SNMPv2C static 18-2 22-2 1902 to 1907, SNMPv2 Routing Information Protocol 18-2 2236, IP multicast and IGMP 11-2...
show interfaces command snooping, IGMP 8-15, 8-17 11-1 show running-config command software images displaying ACLs location in Flash 19-19, 19-30, 19-32 B-20 interface description in recovery procedures 8-17 27-2 shutdown command on interfaces 8-21 scheduling reloads 4-17 Simple Network Management Protocol tar file format, described B-20 See SNMP...
standby command switch statistics (continued) configuring 5-22 QoS ingress and egress 20-56 considerations RMON group Ethernet 5-14 16-5 defined RMON group history 16-5 priority 5-12 SNMP input and output 18-10 requirements 9-13 virtual IP address storm control 5-13 See also cluster standby group and HSRP configuring 12-3 standby group, cluster...
STP (continued) STP (continued) EtherChannel guard root switch described effects of extended system ID 10-20 10-3, 10-23 enabling configuring 10-37 10-23 extended system ID election 10-3 effects on root switch unexpected behavior 10-23 10-23 effects on the secondary root switch settings in a cascaded stack 10-24 10-30...
switch priority, STP system name 10-28 switch software features default configuration 6-46 switch virtual interface default setting 6-46 See SVI manual configuration 6-46 syslog See also DNS See system message logging system prompt system clock default setting 6-46 configuring manual configuration 6-47 daylight saving time...
troubleshooting connectivity problems 27-11 UDLD detecting default configuration 14-3 EtherChannel misconfigurations 10-37 echoing detection mechanism 14-2 unidirectional links 14-1 enabling determining packet disposition 27-15 globally 14-3 displaying crash information 27-17 per interface 14-4 PIMv1 and PIMv2 interoperability problems 24-28 link-detection mechanism 14-1 show forward command...
B-19 19-30 using FTP B-28 displaying 19-33 using RCP B-32 examples 19-35 using TFTP support for B-24 URLs, Cisco usage xxxi 19-3 User Datagram Protocol with router ACLs 19-42 See UDP VLAN membership user EXEC mode confirming 9-39 username-based authentication...
VLANs (continued) VTP (continued) native, configuring 9-29 configuration requirements number supported configuring 1-3, 9-2 port membership modes client mode 9-11 static-access ports 9-18, 9-19 server mode 9-10 STP and 802.1Q trunks transparent mode 10-8 9-11 supported consistency checks Token Ring 9-15 database 9-17...
VTP (continued) window components, CMS 3-28 version 2 wizards 1-6, 3-26 configuration guidelines WRED 1-4, 20-14 disabling 9-12 1-4, 20-3 enabling 9-12 overview VLAN parameters 9-15 VTP monitoring 9-13 XMODEM protocol 27-2 VTP pruning VVIDs web-based management software See CMS Weighted Random Early Detection See WRED Weighted Round Robin...