Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide, OL-12247-01
Chapter 9      Configuring IEEE 802.1x Port-Based Authentication (page 9-8)

Understanding IEEE 802.1x Port-Based Authentication

If IP connectivity to the RADIUS server is interrupted because the stack member that was connected to the
server is removed or fails, these events occur:

- Ports that are already authenticated and that do not have periodic re-authentication enabled remain
  in the authenticated state. Communication with the RADIUS server is not required.

- Ports that are already authenticated and that have periodic re-authentication enabled (with the
  dot1x reauthentication interface configuration command) fail the authentication process when the
  re-authentication occurs. Ports return to the unauthenticated state during the re-authentication
  process. Communication with the RADIUS server is required.

- For an ongoing authentication, the authentication fails immediately because there is no server
  connectivity.

If the stack member that failed comes up and rejoins the switch stack, the authentications might or might not
fail, depending on the boot-up time and on whether connectivity to the RADIUS server has been re-established
by the time the authentication is attempted.

To avoid losing connectivity to the RADIUS server, ensure that there is a redundant path to it. For example,
you can have one connection through the stack master and another through a stack member; if the stack master
fails, the switch stack still has connectivity to the RADIUS server. A redundant path protects against the
loss of a link or a stack member, not against the loss of the server itself; configuring more than one RADIUS
server (each with its own radius-server host entry) covers that case. The Inaccessible Authentication Bypass
section later in this chapter describes how ports can be kept usable when no RADIUS server is reachable at all.

IEEE 802.1x Host Mode

Note    The switch is usually not configured in the network configuration shown in Figure 9-5.

You can configure an IEEE 802.1x port for single-host or for multiple-hosts mode. In single-host mode
(see Figure 9-1 on page 9-2), only one client can be connected to the IEEE 802.1x-enabled switch port.

The switch detects the client by sending an EAPOL frame when the port link state changes to the up
state. If a client leaves or is replaced with another client, the switch changes the port link state to down,
and the port returns to the unauthorized state.

In multiple-hosts mode, you can attach multiple hosts to a single IEEE 802.1x-enabled port. Figure 9-5
on page 9-9 shows IEEE 802.1x port-based authentication in a wireless LAN. In this mode, only one of
the attached clients must be authorized for all clients to be granted network access: once the first client
has authenticated, every other host behind the port receives the same access without authenticating itself.
If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch
denies network access to all of the attached clients. In this topology, the wireless access point is
responsible for authenticating the clients attached to it, and it also acts as a client to the switch.

With the multiple-hosts mode enabled, you can use IEEE 802.1x authentication to authenticate the port
and port security to manage network access for all MAC addresses, including that of the client. Port security
limits how many MAC addresses can share the one authentication the port was granted, which is the check you
want on any multiple-hosts port whose downstream device you do not control.
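The IOS configuration below is an added example written for this page, not text from the guide or from Cisco. It ties together the two preceding passages: two RADIUS servers, so that a failed stack member or a failed server does not strand re-authentication, and a multiple-hosts port (the access-point topology of Figure 9-5) with periodic re-authentication and a port-security MAC limit, beside a single-host port for contrast. The interface names, addresses, shared secrets, VLAN, timers and MAC limit are assumptions chosen for illustration.

```cisco
! Added example, not from the guide. Interface names, addresses, keys,
! VLAN, timers and the MAC limit are assumptions for illustration only.

aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control

! Two RADIUS servers: losing one server, or the stack member whose uplink
! carries the path to it, does not stop authentication. Placeholder secrets.
radius-server host 10.10.0.11 auth-port 1812 acct-port 1813 key RadiusSecret1
radius-server host 10.10.0.12 auth-port 1812 acct-port 1813 key RadiusSecret2
! Declare a server dead after 3 unanswered tries within 15 seconds and skip
! it for 10 minutes, so re-authentications fail over to the live server
! instead of first timing out against the unreachable one.
radius-server dead-criteria time 15 tries 3
radius-server deadtime 10

! Port facing a wireless access point: the AP authenticates as the single
! supplicant and the wireless clients behind it share that authorization.
! Port security caps how many MAC addresses may ride on that one
! authentication; "restrict" drops excess MACs and logs a violation
! without shutting the port and taking the AP down with it.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 switchport port-security
 switchport port-security maximum 8
 switchport port-security violation restrict

! Port for one wired client. single-host is the default host mode; it is
! written out here only for contrast with the port above.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
 dot1x host-mode single-host
 dot1x reauthentication
 dot1x timeout reauth-period 3600
```

With dot1x reauthentication set, both ports fall into the second case described above: if every configured RADIUS server is unreachable when the 3600-second timer expires, the port drops to unauthorized and all hosts behind it lose access, which is the behaviour the second server and the dead-criteria settings are there to make unlikely. Verify with show dot1x interface gigabitethernet1/0/1, which reports the port's host mode, re-authentication setting and authorization status; show dot1x all summarizes every 802.1x port on the stack.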

Source: Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide, Cisco IOS Release 12.2(40)EX, November 2007, Text Part Number OL-12247-01. Cisco Systems, Inc., Tasman Drive, San Jose, CA 95134-1706, USA; http://www.cisco.com; Tel 408 526-4000, 800 553-NETS (6387); Fax 408 527-0883.

Page 2: ...RISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCVP the Cisco logo and Welcome to the Human Network are trademarks of Cisco Systems Inc Changing the Way We Work Live Play and Learn is a service mark of Cisco Systems Inc and Access Registrar Aironet Catalyst CCDA CCDP CCIE CCIP CCNA CCNP CCSP Cisco the Cisco ...

Page 3: ...Security Features 1 8 QoS and CoS Features 1 10 Layer 3 Features 1 11 Monitoring Features 1 12 Default Settings After Initial Switch Configuration 1 13 Network Configuration Examples 1 16 Design Concepts for Using the Switch 1 16 Small to Medium Sized Network 1 19 Where to Go Next 1 20 C H A P T E R 2 Using the Command Line Interface 2 1 Understanding Command Modes 2 1 Understanding the Help Syste...

Page 4: ...t Switch Information 3 3 Understanding DHCP Based Autoconfiguration 3 3 DHCP Client Request Process 3 4 Configuring DHCP Based Autoconfiguration 3 5 DHCP Server Configuration Guidelines 3 5 Configuring the TFTP Server 3 6 Configuring the DNS 3 6 Configuring the Relay Device 3 7 Obtaining Configuration Files 3 7 Example Configuration 3 8 Manually Assigning IP Information 3 10 Checking and Saving th...

Page 5: ... 8 Enabling the Cisco IOS CNS Agent 4 9 Enabling an Initial Configuration 4 9 Enabling a Partial Configuration 4 13 Displaying CNS Configuration 4 14 C H A P T E R 5 Managing Switch Stacks 5 1 Understanding Switch Stacks 5 1 Switch Stack Membership 5 3 Stack Master Election and Re Election 5 6 Switch Stack Bridge ID and Router MAC Address 5 8 Stack Member Numbers 5 8 Stack Member Priority Values 5...

Page 6: ... 5 21 Default Switch Stack Configuration 5 21 Enabling Persistent MAC Address 5 21 Assigning Stack Member Information 5 23 Assigning a Stack Member Number 5 23 Setting the Stack Member Priority Value 5 23 Provisioning a New Member for a Switch Stack 5 24 Accessing the CLI of a Specific Stack Member 5 25 Displaying Switch Stack Information 5 25 C H A P T E R 6 Administering the Switch 6 1 Managing ...

Page 7: ...emoving Dynamic Address Entries 6 22 Configuring MAC Address Notification Traps 6 22 Adding and Removing Static Address Entries 6 24 Configuring Unicast MAC Address Filtering 6 25 Displaying Address Table Entries 6 27 Managing the ARP Table 6 27 C H A P T E R 7 Configuring Switch Based Authentication 7 1 Preventing Unauthorized Access to Your Switch 7 1 Protecting Access to Privileged EXEC Command...

Page 8: ...rver Host 7 20 Configuring RADIUS Login Authentication 7 23 Defining AAA Server Groups 7 25 Configuring RADIUS Authorization for User Privileged Access and Network Services 7 27 Starting RADIUS Accounting 7 28 Configuring Settings for All RADIUS Servers 7 29 Configuring the Switch to Use Vendor Specific RADIUS Attributes 7 29 Configuring the Switch for Vendor Proprietary RADIUS Server Communicatio...

Page 9: ...ure HTTP Server and Client Status 7 49 Configuring the Switch for Secure Copy Protocol 7 49 Information About Secure Copy 7 49 C H A P T E R 8 Configuring SDM Templates 8 1 Understanding the SDM Templates 8 1 Dual IPv4 and IPv6 SDM Templates 8 2 SDM Templates and Switch Stacks 8 3 Configuring the Switch SDM Template 8 4 Default SDM Template 8 4 SDM Template Configuration Guidelines 8 4 Setting the...

Page 10: ...onfiguration Guidelines 9 24 IEEE 802 1x Authentication 9 24 VLAN Assignment Guest VLAN Restricted VLAN and Inaccessible Authentication Bypass 9 25 MAC Authentication Bypass 9 26 Configuring IEEE 802 1x Authentication 9 26 Configuring the Switch to RADIUS Server Communication 9 28 Configuring the Host Mode 9 29 Configuring Periodic Re Authentication 9 30 Manually Re Authenticating a Client Connect...

Page 11: ...the Internal Ethernet Management Port 10 12 Supported Features on the Ethernet Management Port 10 14 Layer 3 Routing Configuration Guidelines 10 14 Monitoring the Ethernet Management Port 10 15 TFTP and the Ethernet Management Port 10 15 Configuring Ethernet Interfaces 10 15 Default Ethernet Interface Configuration 10 16 Configuring Interface Speed and Duplex Mode 10 17 Speed and Duplex Configurat...

Page 12: ... VLANs 12 6 Normal Range VLAN Configuration Guidelines 12 6 VLAN Configuration Mode Options 12 7 VLAN Configuration in config vlan Mode 12 7 VLAN Configuration in VLAN Database Configuration Mode 12 7 Saving VLAN Configuration 12 7 Default Ethernet VLAN Configuration 12 8 Creating or Modifying an Ethernet VLAN 12 9 Deleting a VLAN 12 10 Assigning Static Access Ports to a VLAN 12 11 Configuring Ext...

Page 13: ...lient Configuration 12 30 VMPS Configuration Guidelines 12 30 Configuring the VMPS Client 12 30 Entering the IP Address of the VMPS 12 31 Configuring Dynamic Access Ports on VMPS Clients 12 31 Reconfirming VLAN Memberships 12 32 Changing the Reconfirmation Interval 12 32 Changing the Retry Count 12 33 Monitoring the VMPS 12 33 Troubleshooting Dynamic Access Port VLAN Membership 12 34 VMPS Configur...

Page 14: ...a Traffic 14 2 Configuring Voice VLAN 14 3 Default Voice VLAN Configuration 14 3 Voice VLAN Configuration Guidelines 14 3 Configuring a Port Connected to a Cisco 7960 IP Phone 14 4 Configuring Cisco IP Phone Voice Traffic 14 5 Configuring the Priority of Incoming Data Frames 14 6 Displaying Voice VLAN 14 7 C H A P T E R 15 Configuring Private VLANs 15 1 Understanding Private VLANs 15 1 IP Addressi...

Page 15: ...02 1Q Tunneling Configuration 16 4 IEEE 802 1Q Tunneling Configuration Guidelines 16 4 Native VLANs 16 4 System MTU 16 5 IEEE 802 1Q Tunneling and Other Features 16 6 Configuring an IEEE 802 1Q Tunneling Port 16 6 Understanding Layer 2 Protocol Tunneling 16 7 Configuring Layer 2 Protocol Tunneling 16 10 Default Layer 2 Protocol Tunneling Configuration 16 11 Layer 2 Protocol Tunneling Configuration...

Page 16: ...e Configuration 17 13 Spanning Tree Configuration Guidelines 17 13 Changing the Spanning Tree Mode 17 15 Disabling Spanning Tree 17 16 Configuring the Root Switch 17 16 Configuring a Secondary Root Switch 17 18 Configuring Port Priority 17 18 Configuring Path Cost 17 20 Configuring the Switch Priority of a VLAN 17 21 Configuring Spanning Tree Timers 17 22 Configuring the Hello Time 17 22 Configuri...

Page 17: ...ation Guidelines 18 15 Specifying the MST Region Configuration and Enabling MSTP 18 16 Configuring the Root Switch 18 17 Configuring a Secondary Root Switch 18 19 Configuring Port Priority 18 19 Configuring Path Cost 18 21 Configuring the Switch Priority 18 21 Configuring the Hello Time 18 22 Configuring the Forwarding Delay Time 18 23 Configuring the Maximum Aging Time 18 23 Configuring the Maxim...

Page 18: ...ng Root Guard 19 18 Enabling Loop Guard 19 18 Displaying the Spanning Tree Status 19 19 C H A P T E R 20 Configuring Flex Links and the MAC Address Table Move Update Feature 20 1 Understanding Flex Links and the MAC Address Table Move Update 20 1 Flex Links 20 1 VLAN Flex Link Load Balancing and Support 20 2 MAC Address Table Move Update 20 3 Configuring Flex Links and MAC Address Table Move Updat...

Page 19: ...g IP Source Guard 21 16 Source IP Address Filtering 21 16 Source IP and MAC Address Filtering 21 17 Configuring IP Source Guard 21 17 Default IP Source Guard Configuration 21 17 IP Source Guard Configuration Guidelines 21 17 Enabling IP Source Guard 21 18 Displaying IP Source Guard Information 21 19 C H A P T E R 22 Configuring Dynamic ARP Inspection 22 1 Understanding Dynamic ARP Inspection 22 1 ...

Page 20: ...p 23 10 Enabling IGMP Immediate Leave 23 11 Configuring the IGMP Leave Timer 23 12 Configuring TCN Related Commands 23 12 Controlling the Multicast Flooding Time After a TCN Event 23 13 Recovering from Flood Mode 23 13 Disabling Multicast Flooding During a TCN Event 23 14 Configuring the IGMP Snooping Querier 23 14 Disabling IGMP Report Suppression 23 16 Displaying IGMP Snooping Information 23 16 ...

Page 21: ...onfiguration 24 6 MLD Snooping Configuration Guidelines 24 6 Enabling or Disabling MLD Snooping 24 7 Configuring a Static Multicast Group 24 8 Configuring a Multicast Router Port 24 8 Enabling MLD Immediate Leave 24 9 Configuring MLD Snooping Queries 24 10 Disabling MLD Listener Message Suppression 24 11 Displaying MLD Snooping Information 24 11 C H A P T E R 25 Configuring Port Based Traffic Cont...

Page 22: ...CDP and Switch Stacks 26 2 Configuring CDP 26 2 Default CDP Configuration 26 2 Configuring the CDP Characteristics 26 2 Disabling and Enabling CDP 26 3 Disabling and Enabling CDP on an Interface 26 4 Monitoring and Maintaining CDP 26 5 C H A P T E R 27 Configuring LLDP and LLDP MED 27 1 Understanding LLDP and LLDP MED 27 1 Understanding LLDP 27 1 Understanding LLDP MED 27 2 Configuring LLDP and LL...

Page 23: ...N Filtering 29 8 Destination Port 29 8 RSPAN VLAN 29 9 SPAN and RSPAN Interaction with Other Features 29 9 SPAN and RSPAN and Switch Stacks 29 11 Configuring SPAN and RSPAN 29 11 Default SPAN and RSPAN Configuration 29 11 Configuring Local SPAN 29 11 SPAN Configuration Guidelines 29 12 Creating a Local SPAN Session 29 13 Creating a Local SPAN Session and Configuring Incoming Traffic 29 15 Specifyi...

Page 24: ...ng Message Logging 31 4 Setting the Message Display Destination Device 31 5 Synchronizing Log Messages 31 6 Enabling and Disabling Time Stamps on Log Messages 31 8 Enabling and Disabling Sequence Numbers in Log Messages 31 8 Defining the Message Severity Level 31 9 Limiting Syslog Messages Sent to the History Table and to SNMP 31 10 Enabling the Configuration Change Logger 31 11 Configuring UNIX S...

Page 25: ...tions 33 4 Embedded Event Manager Policies 33 4 Embedded Event Manager Environment Variables 33 4 Configuring Embedded Event Manager 33 5 Registering and Defining an Embedded Event Manager Applet 33 5 Registering and Defining an Embedded Event Manager TCL Script 33 6 Displaying Embedded Event Manager Information 33 7 C H A P T E R 34 Configuring Network Security with ACLs 34 1 Understanding ACLs 3...

Page 26: ...nfiguration Guidelines 34 30 Creating a VLAN Map 34 31 Examples of ACLs and VLAN Maps 34 32 Applying a VLAN Map to a VLAN 34 34 Using VLAN Maps in Your Network 34 34 Denying Access to a Server on Anothera VLAN 34 34 Using VLAN Maps with Router ACLs 34 35 VLAN Maps and Router ACL Configuration Guidelines 34 36 Examples of Router ACLs and VLAN Maps Applied to VLANs 34 37 ACLs and Switched Packets 34...

Page 27: ...heduling on Ingress Queues 36 15 Queueing and Scheduling on Egress Queues 36 17 Packet Modification 36 19 Configuring Auto QoS 36 20 Generated Auto QoS Configuration 36 21 Effects of Auto QoS on the Configuration 36 25 Auto QoS Configuration Guidelines 36 25 Enabling Auto QoS for VoIP 36 26 Auto QoS Configuration Example 36 27 Displaying Auto QoS Information 36 29 Configuring Standard QoS 36 29 De...

Page 28: ...g the IP Precedence to DSCP Map 36 61 Configuring the Policed DSCP Map 36 62 Configuring the DSCP to CoS Map 36 63 Configuring the DSCP to DSCP Mutation Map 36 64 Configuring Ingress Queue Characteristics 36 66 Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds 36 67 Allocating Buffer Space Between the Ingress Queues 36 68 Allocating Bandwidth Between the Ingress Queues 36 6...

Page 29: ...Configuring EtherChannel Load Balancing 37 17 Configuring the PAgP Learn Method and Priority 37 18 Configuring LACP Hot Standby Ports 37 19 Configuring the LACP System Priority 37 20 Configuring the LACP Port Priority 37 21 Displaying EtherChannel PAgP and LACP Status 37 22 Understanding Link State Tracking 37 22 Configuring Link State Tracking 37 24 Default Link State Tracking Configuration 37 24...

Page 30: ... IP Unicast Routing 38 19 Configuring RIP 38 20 Default RIP Configuration 38 21 Configuring Basic RIP Parameters 38 21 Configuring RIP Authentication 38 23 Configuring Summary Addresses and Split Horizon 38 23 Configuring Split Horizon 38 25 Configuring OSPF 38 25 Default OSPF Configuration 38 26 OSPF Nonstop Forwarding 38 28 Configuring Basic OSPF Parameters 38 29 Configuring OSPF Interfaces 38 3...

Page 31: ...d Maintaining BGP 38 64 Configuring Multi VRF CE 38 65 Understanding Multi VRF CE 38 66 Default Multi VRF CE Configuration 38 68 Multi VRF CE Configuration Guidelines 38 68 Configuring VRFs 38 69 Configuring VRF Aware Services 38 70 User Interface for ARP 38 70 User Interface for PING 38 71 User Interface for SNMP 38 71 User Interface for HSRP 38 71 User Interface for uRPF 38 72 User Interface for...

Page 32: ...IPv6 Unicast Routing 39 1 Understanding IPv6 39 1 IPv6 Addresses 39 2 Supported IPv6 Unicast Routing Features 39 3 128 Bit Wide Unicast Addresses 39 3 DNS for IPv6 39 4 Path MTU Discovery for IPv6 Unicast 39 4 ICMPv6 39 4 Neighbor Discovery 39 4 IPv6 Applications 39 5 Dual IPv4 and IPv6 Protocol Stacks 39 5 EIGRP IPv6 39 6 Unsupported IPv6 Unicast Routing Features 39 9 Limitations 39 9 IPv6 and Sw...

Page 33: ...nderstanding Cisco IOS IP SLAs 41 1 Using Cisco IOS IP SLAs to Measure Network Performance 41 3 IP SLAs Responder and IP SLAs Control Protocol 41 4 Response Time Computation for IP SLAs 41 4 IP SLAs Operation Scheduling 41 5 IP SLAs Operation Threshold Monitoring 41 5 Configuring IP SLAs Operations 41 6 Default Configuration 41 6 Configuration Guidelines 41 6 Configuring the IP SLAs Responder 41 8...

Page 34: ...WCCP Negotiation 43 3 MD5 Security 43 3 Packet Redirection and Service Groups 43 3 WCCP and Switch Stacks 43 4 Unsupported WCCP Features 43 5 Configuring WCCP 43 5 Default WCCP Configuration 43 5 WCCP Configuration Guidelines 43 5 Enabling the Web Cache Service 43 6 Monitoring and Maintaining WCCP 43 10 C H A P T E R 44 Configuring IP Multicast Routing 44 1 Understanding Cisco s Implementation of ...

Page 35: ...tures 44 27 Understanding PIM Shared Tree and Source Tree 44 27 Delaying the Use of PIM Shortest Path Tree 44 29 Modifying the PIM Router Query Message Interval 44 30 Configuring Optional IGMP Features 44 30 Default IGMP Configuration 44 31 Configuring the Switch as a Member of a Group 44 31 Controlling Access to IP Multicast Groups 44 32 Changing the IGMP Version 44 33 Modifying the IGMP Host Que...

Page 36: ...atistics 44 54 Monitoring IP Multicast Routing 44 55 C H A P T E R 45 Configuring MSDP 45 1 Understanding MSDP 45 1 MSDP Operation 45 2 MSDP Benefits 45 3 Configuring MSDP 45 4 Default MSDP Configuration 45 4 Configuring a Default MSDP Peer 45 4 Caching Source Active State 45 6 Requesting Source Information from an MSDP Peer 45 8 Controlling Source Information that Your Switch Originates 45 9 Redi...

Page 37: ...s 46 8 Disabling the Spanning Tree on an Interface 46 10 Monitoring and Maintaining Fallback Bridging 46 11 C H A P T E R 47 Troubleshooting 47 1 Recovering from a Software Failure 47 2 Recovering from a Lost or Forgotten Password 47 3 Procedure with Password Recovery Enabled 47 5 Procedure with Password Recovery Disabled 47 7 Preventing Switch Stack Problems 47 8 Preventing Autonegotiation Mismat...

Page 38: ... T E R 48 Configuring Online Diagnostics 48 1 Understanding Online Diagnostics 48 1 Configuring Online Diagnostics 48 2 Scheduling Online Diagnostics 48 2 Configuring Health Monitoring Diagnostics 48 3 Running Online Diagnostic Tests 48 5 Starting Online Diagnostic Tests 48 5 Displaying Online Diagnostic Tests and Test Results 48 6 A P P E N D I X A Supported MIBs A 1 MIB List A 1 Using FTP to Acc...

Page 39: ...16 Preparing to Download or Upload a Configuration File By Using RCP B 17 Downloading a Configuration File By Using RCP B 18 Uploading a Configuration File By Using RCP B 19 Clearing Configuration Information B 19 Clearing the Startup Configuration File B 20 Deleting a Stored Configuration File B 20 Replacing and Rolling Back Configurations B 20 Understanding Configuration Replacement and Rollback...

Page 40: ... Commands C 2 Unsupported Interface Configuration Commands C 2 Boot Loader Commands C 2 Unsupported User EXEC Commands C 2 Unsupported Global Configuration Commands C 2 Debug Commands C 3 Unsupported Privileged EXEC Commands C 3 Embedded Event Manager C 3 Unsupported Privileged EXEC Commands C 3 Unsupported Global Configuration Commands C 3 Unsupported Commands in Applet Configuration Mode C 3 Fal...

Page 41: ... Commands C 10 Miscellaneous C 10 Unsupported Privileged EXEC Commands C 10 Unsupported Global Configuration Commands C 10 MSDP C 11 Unsupported Privileged EXEC Commands C 11 Unsupported Global Configuration Commands C 11 NetFlow Commands C 11 Unsupported Global Configuration Commands C 11 Network Address Translation NAT Commands C 11 Unsupported Privileged EXEC Commands C 11 QoS C 12 Unsupported ...

Page 42: ...Contents xlii Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide OL 12247 01 VTP C 13 Unsupported Privileged EXEC Command C 13 I N D E X ...

Page 43: ...ilable from the Cisco com home page at Products Services Technical Support Documentation See Documentation Cisco IOS Software This guide does not provide detailed information on the GUIs for the embedded device manager or for Cisco Network Assistant hereafter referred to as Network Assistant that you can use to manage the switch However the concepts in this guide are applicable to the GUI user For...

Page 44: ...oducts_support_series_home html Note Before installing configuring or upgrading the switch see these documents For initial configuration information see the Using Express Setup section in the getting started guide or the Configuring the Switch with the CLI Based Setup Program appendix in the hardware installation guide For device manager requirements see the System Requirements section in the rele...

Page 45: ...55 products_device_support_tables_list html Cisco Gigabit Ethernet Transceiver Modules Compatibility Matrix not orderable but available on Cisco com Cisco 100 Megabit Ethernet SFP Modules Compatibility Matrix not orderable but available on Cisco com Cisco Small Form Factor Pluggable Modules Compatibility Matrix not orderable but available on Cisco com Compatibility Matrix for 1000BASE T Small Form...

Page 46: ...xlvi Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide OL 12247 01 Preface Related Publications ...

Page 47: ...raphic software image You must obtain authorization to use these features and to download the cryptographic software from Cisco com For more information see the release notes for this release The switch supports one of these feature sets IP base feature set which provides Layer 2 features enterprise class intelligent services These features include access control lists ACLs quality of service QoS ...

Page 48: ...1 11 includes features requiring the IP services feature set Monitoring Features page 1 12 Deployment Features The switch ships with these features Express Setup for quickly configuring a switch for the first time with basic IP information contact information switch and Telnet passwords and Simple Network Management Protocol SNMP information through a browser based program For more information abo...

Page 49: ...Creating a bidirectional 32 Gb s switching fabric across the switch stack with all stack members having full access to the system bandwidth Using a single IP address and configuration file to manage the entire switch stack Automatic Cisco IOS version check of new stack members with the option to automatically load images from the stack master or from a TFTP server Adding removing and replacing swi...

Page 50: ...multicast traffic to specified end stations and reducing overall network traffic For IGMP devices IGMP snooping for efficiently forwarding multimedia and multicast traffic IGMP report suppression for sending only one IGMP report per multicast router query to the multicast devices supported only for IGMPv1 or IGMPv2 queries IGMP snooping querier support to configure switch to generate periodic IGMP...

Page 51: ...t is running platforms such as HP OpenView or SunNet Manager The switch supports a comprehensive set of MIB extensions and four remote monitoring RMON groups For more information about using SNMP see Chapter 32 Configuring SNMP CNS Cisco Networking Services is network management software that acts as a configuration service for automating the deployment and management of network devices and servic...

Page 52: ...splay In band management access through the device manager over a Netscape Navigator or Microsoft Internet Explorer browser session In band management access for up to 16 simultaneous Telnet connections for multiple CLI based sessions over the network In band management access for up to five simultaneous encrypted Secure Shell SSH connections for multiple CLI based sessions over the network requir...

Page 53: ...onvergence of the spanning tree by immediately changing root and designated ports to the forwarding state Optional spanning tree features available in PVST rapid PVST and MSTP mode Port Fast for eliminating the forwarding delay by enabling a port to immediately change from the blocking state to the forwarding state BPDU guard for shutting down Port Fast enabled ports that receive bridge protocol d...

Page 54: ... addresses learned on a port or define which MAC addresses may be learned on a port VLAN Flex Link Load Balancing to provide Layer 2 redundancy without requiring Spanning Tree Protocol STP A pair of interfaces configured as primary and backup links can load balance traffic based on VLAN Security Features The switch ships with these security features Web authentication to allow a supplicant client ...

Page 55: ...tication MDA to allow both a data device and a voice device such as an IP phone Cisco or non Cisco to independently authenticate on the same IEEE 802 1x enabled switch port VLAN assignment for restricting IEEE 802 1x authenticated users to a specified VLAN Port security for controlling access to IEEE 802 1x ports Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the auth...

Page 56: ...ing QoS features by classifying traffic and configuring egress queues Cross stack QoS for configuring QoS features to all switches in a switch stack rather than on an individual switch basis Classification IP type of service Differentiated Services Code Point IP ToS DSCP and IEEE 802 1p CoS marking priorities on a per port basis for protecting the performance of mission critical applications IP To...

Page 57: ...other queues become empty and do not use their share of the bandwidth Automatic quality of service QoS voice over IP VoIP enhancement for port based trust of DSCP and priority queuing for egress traffic Layer 3 Features These are the Layer 3 features Note Some features noted in this section are available only in the IP services feature set HSRP for Layer 3 router redundancy IP routing protocols fo...

Page 58: ...d interfaces requires the advanced IP services feature set Support for EIGRP IPv6 which utilizes IPv6 transport communicates with IPv6 peers and advertises IPv6 routes IP unicast reverse path forwarding unicast RPF for confirming source packet IP addresses Nonstop forwarding NSF awareness to enable the Layer 3 switch to continue forwarding packets from an NSF capable neighboring router when the pr...

Page 59: ...ct it to the other devices in your network If you have specific network needs you can change the interface specific and system and stack wide settings Note For information about assigning an IP address by using the browser based Express Setup program see the getting started guide For information about assigning an IP address by using the CLI based setup program see the hardware installation guide ...

Page 60: ... VLANs Default VLAN is VLAN 1 For more information see Chapter 12 Configuring VLANs VLAN trunking setting is dynamic auto DTP For more information see Chapter 12 Configuring VLANs Trunk encapsulation is negotiate For more information see Chapter 12 Configuring VLANs VTP mode is server For more information see Chapter 13 Configuring VTP VTP version is Version 1 For more information see Chapter 13 C...

Page 61: ...ore information see Chapter 25 Configuring Port Based Traffic Control CDP is enabled For more information see Chapter 26 Configuring CDP UDLD is disabled For more information see Chapter 28 Configuring UDLD SPAN and RSPAN are disabled For more information see Chapter 29 Configuring SPAN and RSPAN RMON is disabled For more information see Chapter 30 Configuring RMON Syslog messages are enabled and ...

Page 62: ...o degrade and how you can configure your network to increase the bandwidth available to your network users Table 1 1 Increasing Network Performance Network Demands Suggested Design Methods Too many users on a single network segment and a growing number of users accessing the Internet Create smaller network segments so that fewer users share the bandwidth and use VLANs and IP subnets to place the n...

Page 63: ...st routing to design networks better suited for multicast traffic Use MVR to continuously send multicast streams in a multicast VLAN but to isolate the streams from subscriber VLANs for bandwidth and security reasons High demand on network redundancy and availability to provide always on mission critical applications Use switch stacks where all stack members are eligible stack masters in case of s...

Page 64: ...streams into different paths for processing Security features on the switch ensure rapid handling of packets Fault tolerance from the server racks to the core is achieved through dual homing of servers connected to dual switch stacks or the switches which have redundant Gigabit EtherChannels and cross stack EtherChannels Using dual SFP module uplinks from the switches provides redundant uplinks to...

Page 65: ...ta and multimedia traffic are configured on the same VLAN Voice traffic is configured on separate VVIDs If data multimedia and voice traffic are assigned to the same VLAN only one VLAN can be configured per wiring closet When an end station in one VLAN needs to communicate with an end station in another VLAN a router or Layer 3 switch routes the traffic to the destination VLAN In this network the ...

Page 66: ...work Address Translation NAT services voice over IP VoIP gateway services and WAN and Internet access Figure 1 3 Switch Stack in a Collapsed Backbone Where to Go Next Before configuring the switch review these sections for startup information Chapter 2 Using the Command Line Interface Chapter 3 Assigning the Switch IP Address and Default Gateway 201914 Campus core Catalyst 6500 switches Blade swit...

Page 67: ...a question mark at the system prompt to obtain a list of commands available for each command mode When you start a session on the switch you begin in user mode often called user EXEC mode Only a limited subset of the commands are available in user EXEC mode For example most of the user EXEC commands are one time commands such as show commands which show the current configuration status and clear c...

Page 68: ...ntered Use a password to protect access to this mode Global configuration While in privileged EXEC mode enter the configure command Switch config To exit to privileged EXEC mode enter exit or end or press Ctrl Z Use this mode to configure parameters that apply to the entire switch Config vlan While in global configuration mode enter the vlan vlan id command Switch config vlan To exit to global con...

Page 69: ...ports For information about defining interfaces see the Using Interface Configuration Mode section on page 10 7 To configure multiple interfaces with the same parameters see the Configuring a Range of Interfaces section on page 10 9 Line configuration While in global configuration mode specify a line with the line vty or line console command Switch config line To exit to global configuration mode ...

Page 70: ...terface Use the command without the keyword no to re enable a disabled feature or to enable a feature that is disabled by default Configuration commands can also have a default form The default form of a command returns the command setting to its default Most commands are disabled by default so the default form is the same as the no form However some commands are enabled by default and have variab...

Page 71: ...ication and Logging section of the Cisco IOS Configuration Fundamentals Configuration Guide Release 12 4 at this URL http www cisco com en US products ps6350 products_configuration_guide_chapter09186a0080454f 73 html Note Only CLI or HTTP changes are logged Table 2 3 Common CLI Error Messages Error Message Meaning How to Get Help Ambiguous command show con You did not enter enough characters for y...

Page 72: ...Switch terminal history size number of lines The range is from 0 to 256 Beginning in line configuration mode enter this command to configure the number of command lines the switch records for all sessions on a particular line Switch config line history size number of lines The range is from 0 to 256 Recalling Commands To recall commands from the history buffer perform one of the actions listed in ...

Page 73: ...elp you manipulate the command line. It contains these sections: Enabling and Disabling Editing Features, page 2-7 (optional); Editing Commands through Keystrokes, page 2-8 (optional); Editing Command Lines that Wrap, page 2-9 (optional). Enabling and Disabling Editing Features: Although enhanced editing mode is automatically enabled, you can disable it, re-enable it, or configure a specific line to have enhanced e...

Page 74: ...em in the command line. The switch provides a buffer with the last ten items that you deleted. Press Ctrl-Y: Recall the most recent entry in the buffer. Press Esc Y: Recall the next buffer entry. The buffer contains only the last 10 items that you have deleted or cut. If you press Esc Y more than ten times, you cycle to the first buffer entry. Delete entries if you make a mistake or change your mind: Press ...

Page 75: ... 1 Switch(config)# 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.25 Switch(config)# t tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq Switch(config)# 108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq 45 After you complete the entry, press Ctrl-A to check the complete syntax before pressing the Return key to execute the command. The dollar sign appears at the end of the line to sh...

Page 76: ...p Vlan10 is up, line protocol is down GigabitEthernet1/0/1 is up, line protocol is down GigabitEthernet1/0/2 is up, line protocol is up Accessing the CLI: You can access the CLI through a console connection, through Telnet, or by using the browser. You manage the switch stack and the stack member interfaces through the stack master. You cannot manage stack members on an individual switch basis. You can con...

Page 77: ...blish a connection with the switch: Connect the switch console port to a management station or dial-up modem, or connect the Ethernet management port to a PC. For information about connecting to the console or Ethernet management port, see the switch hardware installation guide. Use any Telnet TCP/IP or encrypted Secure Shell (SSH) package from a remote management station. The switch must have network con...


Page 79: ...onsists of these sections: Understanding the Boot Process, page 3-1; Assigning Switch Information, page 3-2; Checking and Saving the Running Configuration, page 3-11; Modifying the Startup Configuration, page 3-12; Scheduling a Reload of the Software Image, page 3-17. Note: Information in this chapter about configuring IP addresses and DHCP is specific to IP Version 4 (IPv4). If you plan to enable IP Version 6 (I...

Page 80: ...an format the flash file system, reinstall the operating system software image by using the Xmodem Protocol, recover from a lost or forgotten password, and finally restart the operating system. For more information, see the "Recovering from a Software Failure" section on page 47-2 and the "Recovering from a Lost or Forgotten Password" section on page 47-3. Note: You can disable password recovery. For more inf...

Page 81: ... DHCP-Based Autoconfiguration, page 3-3; Manually Assigning IP Information, page 3-10. Default Switch Information: Table 3-1 shows the default switch information. Understanding DHCP-Based Autoconfiguration: DHCP provides configuration information to Internet hosts and internetworking devices. This protocol consists of two components: one for delivering configuration parameters from a DHCP server to a devic...

Page 82: ...the configuration file is present and the configuration includes the ip address dhcp interface configuration command on specific routed interfaces, the DHCP client is invoked and requests the IP address information for those interfaces. Figure 3-1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server. Figure 3-1 DHCP Client and Server Message Exchange. The clien...

Page 83: ...formation: DHCP Server Configuration Guidelines, page 3-5; Configuring the TFTP Server, page 3-6; Configuring the DNS, page 3-6; Configuring the Relay Device, page 3-7; Obtaining Configuration Files, page 3-7; Example Configuration, page 3-8. If your DHCP server is a Cisco device, see the "Configuring DHCP" section of the "IP Addressing and Services" section of the Cisco IOS IP Configuration Guide, Release 12.2, for ...

Page 84: ...cast address (255.255.255.255). For the switch to successfully download a configuration file, the TFTP server must contain one or more configuration files in its base directory. The files can include these files: The configuration file named in the DHCP reply (the actual switch configuration file). The network-confg or the cisconet.cfg file (known as the default configuration files). The router-confg or the c...

Page 85: ... 20.0.0.3: router(config-if)# ip helper-address 20.0.0.4 On interface 20.0.0.1: router(config-if)# ip helper-address 10.0.0.1 Note: If the switch is acting as the relay device, configure the interface as a routed port. For more information, see the "Routed Ports" section on page 10-4 and the "Configuring Layer 3 Interfaces" section on page 10-21. Figure 3-2 Relay Device Used in Autoconfiguration. Obtaining Config...

Page 86: ... file and obtains its hostname. If the hostname is not found in the file, the switch uses the hostname in the DHCP reply. If the hostname is not specified in the DHCP reply, the switch uses the default Switch as its hostname. After obtaining its hostname from the default configuration file or the DHCP reply, the switch reads the configuration file that has the same name as its hostname (hostname-confg or...

Page 87: ...t on Switch A through Switch D. Configuration Explanation: In Figure 3-3, Switch A reads its configuration file as follows: It obtains its IP address 10.0.0.21 from the DHCP server. If no configuration filename is given in the DHCP server reply, Switch A reads the network-confg file from the base directory of the TFTP server. It adds the contents of the network-confg file to its host table. It reads its h...

Page 88: ...n for other VLAN interfaces. You can enter the show interfaces vlan vlan-id privileged EXEC command to show the MAC and IP addresses. The MAC addresses that appear in the show interfaces vlan vlan-id command output are not the same as the MAC address that is printed on the switch label (the base MAC address). Command | Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 interface vla...

Page 89: ...ow running-config Building configuration... Current configuration: 1363 bytes version 12.2 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption hostname Stack1 enable secret 5 $1$ej9.$DMUvAUnZOAmvmgqBEzIxE0 <output truncated> interface gigabitethernet6/0/20 no switchport ip address 172.20.137.50 255.255.255.0 interface gigabitethernet6/0/21 mvr type s...

Page 90: ...or information about switch configuration files. See the "Switch Stack Configuration Files" section on page 5-16 for information about switch stack configuration files. Default Boot Configuration: Table 3-3 shows the default boot configuration. Automatically Downloading a Configuration File: You can automatically download a configuration file to your switch by using the DHCP-based autoconfiguration featu...

Page 91: ...onfigure it to manually boot up. Note: This command only works properly from a standalone switch. Beginning in privileged EXEC mode, follow these steps to configure the switch to manually boot up during the next boot cycle: Command | Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 boot config-file flash:/file-url: Specify the configuration file to load during the next boot cycle. Fo...

Page 92: ...riable. The next time you reboot the system, the switch is in boot loader mode, shown by the switch: prompt. To boot up the system, use the boot filesystem:/file-url boot loader command. For filesystem:, use flash: for the system board flash device. For /file-url, specify the path (directory) and the name of the bootable image. Filenames and directory names are case sensitive. Step 5 copy running-config startup-con...

Page 93: ... sign followed by the value of the variable. A variable has no value if it is not listed in this file; it has a value if it is listed in the file, even if the value is a null string. A variable that is set to a null string, for example, is a variable with a value. Many environment variables are predefined and have default values. Environment variables store two kinds of data: Data that controls code, which ...

Page 94: ...tch automatically or manually boots. Valid values are 1, yes, 0, and no. If it is set to no or 0, the boot loader attempts to automatically boot up the system. If it is set to anything else, you must manually boot up the switch from the boot loader mode. boot manual: Enables manually booting the switch during the next boot cycle and changes the setting of the MANUAL_BOOT environment variable. The next time y...

Page 95: ...and minutes. The reload must take place within approximately 24 days. You can specify the reason for the reload in a string up to 255 characters in length. To reload a specific switch in a switch stack, use the reload slot stack-member-number privileged EXEC command. reload at hh:mm [month day | day month] [text]: This command schedules a reload of the software to take place at the specified time (using a 24-h...

Page 96: ...switch prompts you to save the configuration before reloading. During the save operation, the system requests whether you want to proceed with the save if the CONFIG_FILE environment variable points to a startup configuration file that no longer exists. If you proceed in this situation, the system enters setup mode upon reload. This example shows how to reload the software on the switch on the current ...

Page 97: ... 4-6; Displaying CNS Configuration, page 4-14. Understanding Cisco Configuration Engine Software: The Cisco Configuration Engine is network management software that acts as a configuration service for automating the deployment and management of network devices and services (see Figure 4-1). Each Configuration Engine manages a group of Cisco devices (switches and routers) and the services that they deliver, ...

Page 98: ...ervice uses the CNS Event Service to send and receive configuration change events and to send success and failure notifications. The configuration server is a web server that uses configuration templates and the device-specific configuration information stored in the embedded (standalone mode) or remote (server mode) directory. Configuration templates are text files containing static configuration infor...

Page 99: ...e group ID, device ID, and event, the mapping service returns a set of events on which to publish. What You Should Know About the CNS IDs and Device Hostnames: The Configuration Engine assumes that a unique identifier is associated with each configured switch. This unique identifier can take on multiple synonyms, where each synonym is unique within a particular namespace. The event service uses namespace ...

Page 100: ...e event gateway and does not change even when the switch hostname is reconfigured. When changing the switch hostname on the switch, the only way to refresh the DeviceID is to break the connection between the switch and the event gateway. Enter the no cns event global configuration command followed by the cns event global configuration command. When the connection is re-established, the switch sends its...

Page 101: ...e new switch and includes the TFTP server IP address, the path to the bootstrap configuration file, and the default gateway IP address in a unicast reply to the DHCP relay agent. The DHCP relay agent forwards the reply to the switch. The switch automatically configures the assigned IP address on interface VLAN 1 (the default) and downloads the bootstrap configuration file from the TFTP server. Upon succe...

Page 102: ...efer application of the configuration upon receipt of a write-signal event. The write-signal event tells the switch not to save the updated configuration into its NVRAM. The switch uses the updated configuration as its running configuration. This ensures that the switch configuration is synchronized with other network activities before saving the configuration in NVRAM for use at the next reboot. Conf...

Page 103: ...h: Factory default (no configuration file). Distribution switch: IP helper address; Enable DHCP relay agent; IP routing (if used as default gateway). DHCP server: IP address assignment; TFTP server IP address; Path to bootstrap configuration file on the TFTP server; Default gateway IP address. TFTP server: A bootstrap configuration file that includes the CNS configuration commands that enable the switch to commun...

Page 104: ...e hostname or the IP address of the event gateway. (Optional) For port number, enter the port number for the event gateway. The default port number is 11011. (Optional) Enter backup to show that this is the backup gateway. (If omitted, this is the primary gateway.) (Optional) For failover-time seconds, enter how long the switch waits for the primary gateway route after the route to the backup gateway is establish...

Page 105: ...uration mode and specify the name of the CNS connect template. Step 3 cli config-text: Enter a command line for the CNS connect template. Repeat this step for each command line in the template. Step 4 Repeat Steps 2 to 3 to configure another CNS connect template. Step 5 exit: Return to global configuration mode. Step 6 cns connect name [retries number] [retry-interval seconds] [sleep seconds] [timeout seconds]: E...

Page 106: ...the point-to-point subinterface number that is used to search for active DLCIs. For interface interface-type, enter the type of interface. For line line-type, enter the line type. Step 8 template name name: Specify the list of CNS connect templates in the CNS connect profile to be applied to the switch configuration. You can specify more than one template. Step 9 Repeat Steps 7 to 8 to specify more interf...

Page 107: ...dress | mac-address}: enter dns-reverse to retrieve the hostname and assign it as the unique ID, enter ipaddress to use the IP address, or enter mac-address to use the MAC address as the unique ID. (Optional) Enter event to set the ID to be the event-id value used to identify the switch. (Optional) Enter image to set the ID to be the image-id value used to identify the switch. Note: If both the event and image ...

Page 108: ...ip-address} [syntax-check]: Enable the Cisco IOS agent, and initiate an initial configuration. For hostname | ip-address, enter the hostname or the IP address of the configuration server. (Optional) For port number, enter the port number of the configuration server. The default port number is 80. (Optional) Enable event for configuration success, failure, or warning messages when the configuration is finished. Option...

Page 109: ... a Partial Configuration: Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch. To disable the Cisco IOS agent, use the no cns config partial {ip-address | hostname} global configuration command. To cancel a partial configuration, use the cns config cancel privileged EXEC command. Command | Purpose. Step 1 configure terminal: En...

Page 110: ...ow cns config connections: Displays the status of the CNS Cisco IOS agent connections. show cns config outstanding: Displays information about incremental (partial) CNS configurations that have started but are not yet completed. show cns config stats: Displays statistics about the Cisco IOS agent. show cns event connections: Displays the status of the CNS event agent connections. show cns event stats: Displa...

Page 111: ... other types of blade switches in a switch stack might cause the switch to work improperly or to fail. Understanding Switch Stacks: A switch stack is a set of up to nine stacking-capable switches connected through their StackWise Plus ports. One of the switches controls the operation of the stack and is called the stack master. The stack master and the other switches in the stack are all stack members...

Page 112: ... address, even if you remove the stack master or any other stack member from the stack. You can use these methods to manage switch stacks: Network Assistant (available on Cisco.com); Command-line interface (CLI) over a serial connection to the console port of any stack member or the Ethernet management port of a stack member; A network management application through the Simple Network Management Protocol (S...

Page 113: ...u add to or remove from the switch stack. After adding or removing stack members, make sure that the switch stack is operating at full bandwidth (64 Gb/s). Press the Mode button on a stack member until the Stack mode LED is on. The last two right port LEDs on all switches in the stack should be green. Depending on the switch model, the last two right ports are 10-Gigabit Ethernet ports or small form-facto...

Page 114: ...ing a Switch Stack from Two Standalone Switches in Two Enclosures [figure: blade switches in Enclosure 1 and Enclosure 2; callouts: Stack member 1; Stack member 2 and stack master]

Page 115: ... Stacks: Understanding Switch Stacks. Figure 5-2 Creating a Switch Stack from Two Standalone Switches in the Same Enclosures [figure: blade switches in one enclosure; callouts: Stack member 1; Stack member 2 and stack master]

Page 116: ... ensures that the switch is re-elected as stack master if a re-election occurs. 3. The switch that is not using the default interface-level configuration. [figure callouts: 1 Onboard Administrator; 2 Internal Ethernet management port that is not active; 3 Active internal Ethernet management port on the stack master] Note: The internal Ethernet management ports on the stack members are disabled. ...

Page 117: ...ning the IP base feature set. 5. The switch with the lowest MAC address. A stack master retains its role unless one of these events occurs: The switch stack is reset. The stack master is removed from the switch stack. The stack master is reset or powered off. The stack master fails. The switch stack membership is increased by adding powered-on standalone switches or switch stacks. In the events marked by a...

Page 118: ...you manually change the number or unless the number is already being used by another member in the stack. If you manually change the stack member number by using the switch current-stack-member-number renumber new-stack-member-number global configuration command, the new number goes into effect after that stack member resets (or after you use the reload slot stack-member-number privileged EXEC comman...

Page 119: ...that you create on the switch stack is called the provisioned configuration. The switch that is added to the switch stack and that receives this configuration is called the provisioned switch. You manually create the provisioned configuration through the switch stack-member-number provision type global configuration command. The provisioned configuration is automatically created when a switch is adde...

Page 120: ...on to the provisioned switch and adds it to the stack. The provisioned configuration is changed to reflect the new information. The stack member number of the provisioned switch is in conflict with an existing stack member: The stack master assigns a new stack member number to the provisioned switch. The stack member numbers and the switch types match: 1. If the new stack member number of the provisione...

Page 121: ...stack and is replaced with another switch, the stack applies either the provisioned configuration or the default configuration to it. The events that occur when the switch stack compares the provisioned configuration with the provisioned switch are the same as those described in the "Effects of Adding a Provisioned Switch to a Switch Stack" section on page 5-9. Effects of Removing a Provisioned Switch ...

Page 122: ...atibility on the specific stack members. The stack master sends the message to all stack members. For more information, see the "Major Version Number Incompatibility Among Switches" procedure on page 5-12 and the "Minor Version Number Incompatibility Among Switches" procedure on page 5-12. Major Version Number Incompatibility Among Switches: Switches with different major Cisco IOS software versions usually...

Page 123: ... is found, the process extracts the file and automatically upgrades that switch. The auto-upgrade, auto-copy, and auto-extract processes wait for a few minutes after the mismatched software is detected before starting. When the auto-upgrade process is complete, the switch that was in VM mode reloads and joins the stack as a fully functioning member. If you have both StackWise Plus cables connected during...

Page 124: ...chiving cbs31x0-universal-mz.122-40.EX directory Mar 11 20:36:15.038: %IMAGEMGR-6-AUTO_COPY_SW: archiving cbs31x0-universal-mz.122-40.EX/cbs31x0-universal-mz.122-40.EX.bin (4945851 bytes) Mar 11 20:36:15.038: %IMAGEMGR-6-AUTO_COPY_SW: archiving cbs31x0-universal-mz.122-40.EX/info (450 bytes) Mar 11 20:36:15.038: %IMAGEMGR-6-AUTO_COPY_SW: archiving info (104 bytes) Mar 11 20:36:15.038: %IMAGEMGR-6-AUTO_COPY_SW: exam...

Page 125: ...py to the VM-mode switch to make it compatible with the switch stack. The auto-advise process starts and recommends that you download a tar file from the network to the switch in VM mode. Mar 1 00:01:11.319: %STACKMGR-6-STACK_LINK_CHANGE: Stack Port 2 Switch 2 has changed to state UP Mar 1 00:01:15.547: %STACKMGR-6-SWITCH_ADDED_VM: Switch 1 has been ADDED to the stack (VERSION_MISMATCH) (stack_2) Mar 1 00:03...

Page 126: ...es from the stack master. If the stack master becomes unavailable, any stack member assuming the role of stack master has the latest configuration files. Note: We recommend that all stack members run Cisco IOS Release 12.2(40)EX or later. The interface-specific settings of the stack master are saved if the stack master is replaced without saving the running configuration to the startup configuration. Wh...

Page 127: ...tacks" section on page 18-8; "DHCP Snooping and Switch Stacks" section on page 21-8; "IGMP Snooping and Switch Stacks" section on page 23-7; "Port Security and Switch Stacks" section on page 25-17; "CDP and Switch Stacks" section on page 26-2; "SPAN and RSPAN and Switch Stacks" section on page 29-11; "ACLs and Switch Stacks" section on page 34-6; "EtherChannel and Switch Stacks" section on page 37-9; "IP Routing and Swit...

Page 128: ...e if the stack master is running the noncryptographic software image. Connectivity to the Switch Stack Through Console Ports or Ethernet Management Ports: You can connect to the stack master by using one of these methods: You can connect a terminal or a PC to the stack master through the console port of one or more stack members. You can connect a PC to the stack master through the Ethernet management...

Page 129: ...r with a higher member priority value. 3. Restart both stack members at the same time. The stack member with the higher priority value is elected stack master. Stack master election specifically determined by the configuration file: Assuming that both stack members have the same priority value: 1. Make sure that one stack member has a default configuration and that the other stack member has a saved (nond...

Page 130: ... switch current-stack-member-number renumber new-stack-member-number global configuration command. 2. Restart both stack members at the same time. The stack member with the higher priority value retains its stack member number. The other stack member has a new stack member number. Add a stack member: 1. Power off the new switch. 2. Through their StackWise Plus ports, connect the new switch to a powered-on s...

Page 131: ... stack during this period, the switch stack takes the MAC address of the new stack master as the stack MAC address. You can also configure stack MAC persistency so that the stack never switches to the MAC address of the new stack master. Note: When you enter the command to configure this feature, a warning message appears containing the consequences of your configuration. You should use this feature cau...

Page 132: ...Step 2 stack-mac persistent timer [0 | time-value]: Enable a time delay after a stack-master change before the stack MAC address changes to that of the new stack master. If the previous stack master rejoins the stack during this period, the stack uses that MAC address as the stack MAC address. Enter the command with no value to set the default delay of approximately 4 minutes. We recommend that you always ...

Page 133: ...5-24 (optional). Assigning a Stack Member Number: Note: This task is available only from the stack master. Beginning in privileged EXEC mode, follow these steps to assign a member number to a stack member. This procedure is optional. Setting the Stack Member Priority Value: Note: This task is available only from the stack master. Command | Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2...

Page 134: ...e current stack master or switch stack resets. Step 3 end: Return to privileged EXEC mode. Step 4 reload slot stack-member-number: Reset the stack member, and apply this configuration change. Step 5 show switch stack-member-number: Verify the stack member priority value. Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file. Command | Purpose. Step 1 show switch: Displa...

Page 135: ...associated with the provisioned switch. Switch(config)# switch 2 provision WS-CBS3120G-S Switch(config)# end Switch# show running-config | include switch 2 interface GigabitEthernet2/0/1 interface GigabitEthernet2/0/2 interface GigabitEthernet2/0/3 <output truncated> Accessing the CLI of a Specific Stack Member: Note: This task is available only from the stack master. This task is only for debugging purposes. Y...

Page 136: ... status of provisioned switches. show switch stack-member-number: Displays information about a specific member. show switch detail: Displays detailed information about the stack ring. show switch neighbors: Displays the neighbors for the entire switch stack. show switch stack-ports: Displays port information for the entire switch stack. show switch stack-ring activity [detail]: Displays the number of frames pe...

Page 137: ...u can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. These sections contain this configuration information: Understanding the System Clock, p...

Page 138: ... radio or atomic clock directly attached, a stratum 2 time server receives its time through NTP from a stratum 1 time server, and so on. A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP. This strategy effectively builds a self-organizing tree of NTP speakers. NTP avoids synchronizing to a device whose time mig...

Page 139: ...s. Other devices then synchronize to that device through NTP. When multiple sources of time are available, NTP is always considered to be more authoritative. NTP time overrides the time set by any other method. Several manufacturers include NTP software for their host systems, and a publicly available version for systems running UNIX and its various derivatives is also available. This software allows hos...

Page 140: ...e administrator of the NTP server, the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server. Beginning in privileged EXEC mode, follow these steps to authenticate the associations (communications between devices running NTP that provide for accurate timekeeping) with other devices for security purposes: Table 6-1 Default ...

Page 141: ...itch synchronizes to the other device and not the other way around. Step 3 ntp authentication-key number md5 value: Define the authentication keys. By default, none are defined. For number, specify a key number. The range is 1 to 4294967295. md5 specifies that message authentication support is provided by using the message digest algorithm 5 (MD5). For value, enter an arbitrary string of up to eight character...

Page 142: ...an simply be configured to send or receive broadcast messages. However, the information flow is one-way only. Command | Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 ntp peer ip-address [version number] [key keyid] [source interface] [prefer] or ntp server ip-address [version number] [key keyid] [source interface] [prefer]: Configure the switch system clock to synchronize a peer or to be sync...

Page 143: ... Command | Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify the interface to send NTP broadcast packets, and enter interface configuration mode. Step 3 ntp broadcast [version number] [key keyid] [destination-address]: Enable the interface to send NTP broadcast packets to a peer. By default, this feature is disabled on all interfaces. (Optional) For number, spe...

Page 144: ... follow these steps to control access to NTP services by using access lists: Step 5 ntp broadcastdelay microseconds: (Optional) Change the estimated round-trip delay between the switch and the NTP broadcast server. The default is 3000 microseconds; the range is 1 to 999999. Step 6 end: Return to privileged EXEC mode. Step 7 show running-config: Verify your entries. Step 8 copy running-config startup-config: (O...

Page 145: ... services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command. This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99. However, the switch restricts access to allow only time requests from access list 42. Switch# configure terminal Switch(config)# ntp access-group peer 99 Switch(config)# ntp access-group serve-only 4...

Page 146: ...source address is to be taken. The specified interface is used for the source address for all packets sent to all destinations. If a source address is to be used for a specific association, use the source keyword in the ntp peer or ntp server global configuration command as described in the "Configuring NTP Associations" section on page 6-5. Command | Purpose. Step 1 configure terminal: Enter global configu...

Page 147: ...ock, and the stack master fails and a different stack member resumes the role of stack master. These sections contain this configuration information: Setting the System Clock, page 6-11; Displaying the Time and Date Configuration, page 6-12; Configuring the Time Zone, page 6-12; Configuring Summer Time (Daylight Saving Time), page 6-13. Setting the System Clock: If you have an outside source on the network that p...

Page 148: ...y configure the time zone. The minutes-offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC. For example, the time zone for some sections of Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent. In this case, the necessary command is clock timezone AST -3 30. To set ...

Page 149: ...(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00 Command | Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 clock summer-time zone recurring [week day month hh:mm week day month hh:mm [offset]]: Configure summer time to start and end on the specified days every year. Summer time is disabled by default. If you specify clock summer-time zone recurri...

Page 150: ...reater-than symbol is appended. The prompt is updated whenever the system name changes. If you are accessing a stack member through the stack master, you must use the session stack-member-number privileged EXEC command. The stack member number range is from 1 through 9. When you use this command, the stack member number is appended to the system prompt. For example, Switch-2# is the prompt in privileged EX...

Page 151: ...ributed database with which you can map hostnames to IP addresses. When you configure DNS on your switch, you can substitute the hostname for the IP address with all IP commands, such as ping, telnet, connect, and related Telnet support operations. IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domain names are pieced together with periods as the d...

Page 152: ...name. Define a default domain name that the software uses to complete unqualified hostnames (names without a dotted-decimal domain name). Do not include the initial period that separates an unqualified name from the domain name. At boot time, no domain name is configured; however, if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol (DHCP) server, then the default domain nam...

Page 153: ...command. Displaying the DNS Configuration: To display the DNS configuration information, use the show running-config privileged EXEC command. Creating a Banner: You can configure a message-of-the-day (MOTD) and a login banner. The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns). The login banner al...

Page 154: ...xample shows the banner that appears from the previous configuration: Unix> telnet 172.2.5.4. Trying 172.2.5.4... Connected to 172.2.5.4. Escape character is '^]'. This is a secure site. Only authorized users are allowed. For access, contact technical support. User Access Verification. Password: Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: banner motd c message c. Specify the messa...

Page 155: ...ludes these types of addresses: Dynamic address: a source MAC address that the switch learns and then ages when it is not in use. Static address: a manually entered unicast address that does not age and that is not lost when the switch resets. The address table lists the destination MAC address, the associated VLAN ID, and port number associated with the address and the type (static or dynamic). Note: For co...

Page 156: ...tions are added or removed from the network, the switch updates the address table, adding new dynamic addresses and aging out those that are not in use. The aging interval is globally configured on a standalone switch or on the switch stack. However, the switch maintains an address table for each VLAN, and STP can accelerate the aging interval on a per-VLAN basis. The switch sends packets between any com...

Page 157: ...les on all stack members. When a switch joins a switch stack, that switch receives the addresses for each VLAN learned on the other stack members. When a stack member leaves the switch stack, the remaining stack members age out or remove all addresses learned by the former stack member. Default MAC Address Table Configuration: Table 6-3 shows the default MAC address table configuration. Changing the Addr...

Page 158: ...the MAC address activity on the switch. Whenever the switch learns or removes a MAC address, an SNMP notification can be generated and sent to the NMS. If you have many users coming and going from the network, you can set a trap interval time to bundle the notification traps and reduce network traffic. The MAC notification history table stores the MAC address activity for each hardware port for which ...

Page 159: ...snmp-server host command. For notification-type, use the mac-notification keyword. Step 3: snmp-server enable traps mac-notification. Enable the switch to send MAC address traps to the NMS. Step 4: mac address-table notification. Enable the MAC address notification feature. Step 5: mac address-table notification [interval value] [history-size value]. Enter the trap interval time and the history table size. Optio...

Page 160: ...mands. Adding and Removing Static Address Entries: A static address has these characteristics: It is manually entered in the address table and must be manually removed. It can be a unicast or multicast address. It does not age and is retained when the switch restarts. You can add and remove static addresses and define the forwarding behavior for them. The forwarding behavior defines how a port that recei...

Page 161: ...ess-table static mac-addr vlan vlan-id drop global configuration command, one of these messages appears: Only unicast addresses can be configured to be dropped. CPU destined address cannot be configured as drop address. Packets that are forwarded to the CPU are also not supported. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: mac address-table static mac-addr vlan vla...

Page 162: ...ddress and the VLAN from which it is received. Beginning in privileged EXEC mode, follow these steps to configure the switch to drop a source or destination unicast static address. To disable unicast MAC address filtering, use the no mac address-table static mac-addr vlan vlan-id global configuration command. This example shows how to enable unicast MAC address filtering and to configure the switch to ...

Page 163: ...pecified by the Subnetwork Access Protocol (SNAP). By default, standard Ethernet-style ARP encapsulation (represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed. For CLI procedures, see the Cisco IOS Release 12.2 documentation on Cisco.com. Table 6-4 Commands for Displaying the MAC Address Table. Command / Description: sho...

Page 165: ...inistrators to have access to your switch while you restrict access to users who dial from outside the network through an asynchronous port, connect from outside the network through a serial port, or connect through a terminal or workstation from within the local network. To prevent unauthorized access into your switch, you should configure one or more of these security features: At a minimum, you shoul...

Page 166: ...and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2. These sections contain this configuration information: Default Password and Privilege Level Configuration, page 7-2; Setting or Changing a Static Enable Password, page 7-3; Protecting Enable and Enable Secret Passwords with Encryption, page 7-3; Disabling Password Recovery, page 7-5; Setti...

Page 167: ...or any privilege level you specify. We recommend that you use the enable secret command because it uses an improved encryption algorithm. If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: enable password password. Define a ...

Page 168: ...global configuration mode. Step 2: enable password [level level] {password | encryption-type encrypted-password} or enable secret [level level] {password | encryption-type encrypted-password}. Define a new password or change an existing password for access to privileged EXEC mode, or define a secret password, which is saved using a nonreversible encryption method. (Optional) For level, the range is from 0 to 15. Level...

Page 169: ...he boot process and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the Xmodem pr...

Page 170: ...the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair. Command / Purpose: Step 1: Attach a PC or workstation with emulation software to the switch console port, or attach a PC to the Ethernet management port. The default data characteristics of the console port are 9600, 8, 1, no parity. You mig...

Page 171: ...n information: Setting the Privilege Level for a Command, page 7-8; Changing the Default Privilege Level for Lines, page 7-9; Logging into and Exiting a Privilege Level, page 7-9. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: username name [privilege level] {password encryption-type password}. Enter the username, privilege level, and password for each user. For name, specify the...

Page 172: ...ommand / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: privilege mode level level command. Set the privilege level for a command. For mode, enter configure for global configuration mode, exec for EXEC mode, interface for interface configuration mode, or line for line configuration mode. For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 i...

Page 173: ...ging into and Exiting a Privilege Level: Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: line vty line. Select the virtual terminal line on which to restrict access. Step 3: privilege level level. Change the default privilege level for...

Page 174: ...switch. TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX or Windows NT workstation. You should have access to and should configure a TACACS+ server before configuring TACACS+ features on your switch. Note: We recommend a redundant connection between a switch stack and the TACACS+ server. This is to help ensure that the TACACS+ server remains accessible in cas...

Page 175: ...ess control, session duration, or protocol support. You can also enforce restrictions on what commands a user can execute with the TACACS+ authorization feature. Accounting: Collects and sends information used for billing, auditing, and reporting to the TACACS+ daemon. Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing. Acco...

Page 176: ...information. After authentication, the user undergoes an additional authorization phase if authorization has been enabled on the switch. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization. 3. If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an ACCEPT or REJECT authorization response. If an ACCEPT response is retu...

Page 177: ...or host maintaining TACACS+ server and optionally set the encryption key. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: tacacs-server host hostname [port integer] [timeout integer] [key string]. Identify the IP host or hosts maintaining a TACACS+ server. Enter this command multiple times to create a list of preferred hosts. The software searches for hosts in the order in whi...

Page 178: ...e a named method list explicitly defined. A defined method list overrides the default method list. A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed...

Page 179: ...d by using the enable password global configuration command. group tacacs+: Uses TACACS+ authentication. Before you can use this authentication method, you must configure the TACACS+ server. For more information, see the "Identifying the TACACS+ Server Host and Setting the Authentication Key" section on page 7-13. line: Use the line password for authentication. Before you can use this authentication method, you m...

Page 180: ...ameters that restrict a user's network access to privileged EXEC mode. The aaa authorization exec tacacs+ local command sets these authorization parameters: Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+. Use the local database if authentication was not performed by using TACACS+. Note: Authorization is bypassed for authenticated users who log in throu...

Page 181: ...command. Controlling Switch Access with RADIUS: This section describes how to enable and configure RADIUS, which provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note: For complete syntax and usage information for the commands used in this sect...

Page 182: ...t that uses a smart card access control system. In one case, RADIUS has been used with Enigma's security cards to validate users and to grant access to network resources. Networks already using RADIUS: You can add a Cisco switch containing a RADIUS client to the network. This might be the first step when you make a transition to a TACACS+ server. See Figure 7-2 on page 7-19. Network in which the user mus...

Page 183: ...b. REJECT: The user is either not authenticated and is prompted to re-enter the username and password, or access is denied. c. CHALLENGE: A challenge requires additional data from the user. d. CHALLENGE PASSWORD: A response requests the user to select a new password. The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or network authorization. Users must first succe...

Page 184: ...thod list is exhausted. You should have access to and should configure a RADIUS server before configuring RADIUS features on your switch. These sections contain this configuration information: Default RADIUS Configuration, page 7-20; Identifying the RADIUS Server Host, page 7-20 (required); Configuring RADIUS Login Authentication, page 7-23 (required); Defining AAA Server Groups, page 7-25 (optional); Configuring ...

Page 185: ...RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange responses. To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text (key) string that it shares with the switch. The timeout, retransmission, and encryption key values can be configured globally for all RADIUS servers, on a per-server bas...

Page 186: ...es, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used. (Optional) For key string, specify the authentication and encryption key used between the switch and the RADI...

Page 187: ...e performed and the sequence in which they are performed; it must be applied to a specific port before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all ports except those that have a named method list explicitly defined. A method list describes the sequen...

Page 188: ...e the RADIUS server. For more information, see the "Identifying the RADIUS Server Host" section on page 7-20. line: Use the line password for authentication. Before you can use this authentication method, you must define a line password. Use the password password line configuration command. local: Use the local username database for authentication. You must enter username information in the database. Use the u...

Page 189: ...Reference, Release 12.2. Defining AAA Server Groups: You can configure the switch to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts. Server groups also can include multiple ho...

Page 190: ...etransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used. (Optional) For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. Note: The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key...

Page 191: ...User Privileged Access and Network Services: AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch uses information retrieved from the user's profile, which is in the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it. You ...

Page 192: ...rvices. To disable accounting, use the no aaa accounting {network | exec} {start-stop} method1 global configuration command. Step 3: aaa authorization exec radius. Configure the switch for user RADIUS authorization if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information). Step 4: end. Return to privileged EXEC mode. Step 5: show running-config. V...

Page 193: ...l attributes. The full set of features available for TACACS+ authorization can then be used for RADIUS. For example, this AV pair activates Cisco's multiple named ip address pools feature during IP authorization (during PPP IPCP address assignment): cisco-avpair="ip:addr-pool=first". Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: radius-server key string. Specify the shared ...

Page 194: ...ileged EXEC mode, follow these steps to configure the switch to recognize and use VSAs. For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, see the "RADIUS Attributes" appendix in the Cisco IOS Security Configuration Guide, Release 12.2. Configuring the Switch for Vendor-Proprietary RADIUS Server Communication: Although an IETF draft standard for RADIUS specifi...

Page 195: ...running-config privileged EXEC command. Controlling Switch Access with Kerberos: This section describes how to enable and configure the Kerberos security system, which authenticates requests for network resources by using a trusted third party. To use this feature, the cryptographic (that is, supports encryption) versions of the switch software must be installed on your switch. Command / Purpose: Step 1: confi...

Page 196: ...enticate users by using the Kerberos protocol. Understanding Kerberos: Kerberos is a secret-key network authentication protocol, which was developed at the Massachusetts Institute of Technology (MIT). It uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication and authenticates requests for network resources. Kerberos uses the concept of a trusted third party to per...

Page 197: ...ros principals are of the form user@REALM (for example, smith@EXAMPLE.COM). A Kerberos principal with a Kerberos instance has the form user/instance@REALM (for example, smith/admin@EXAMPLE.COM). The Kerberos instance can be used to specify the authorization level for the user if authentication is successful. The server of each network service might implement and enforce the authorization mappings of Kerber...

Page 198: ...h prompts the user for a username and password. 3. The switch requests a TGT from the KDC for this user. KEYTAB (footnote 3): A password that a network service shares with the KDC. In Kerberos 5 and later Kerberos versions, the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it. In Kerberos versions earlier than Kerberos 5, KEYTAB is referred to as SRVTAB (footnote 4). Principal: Also k...

Page 199: ...C" section in the "Security Server Protocols" chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7ad.html#1000999. Authenticating to Network Services: This section describes the third layer of security through which a remote user must pass. The user with a TGT must now authe...

Page 200: ...onfiguration_guide_chapter09186a00800ca7ad.html#1001027. Configuring the Switch for Local Authentication and Authorization: You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration. Beginning in privileged EXEC mode, follow these steps to configure th...

Page 201: ...For more information, see the release notes for this release. These sections contain this information: Understanding SSH, page 7-38; Configuring SSH, page 7-39; Displaying the SSH Configuration and Status, page 7-42. Step 6: username name [privilege level] {password encryption-type password}. Enter the local database, and establish a username-based authentication system. Repeat this command for each user. For name...

Page 202: ...pports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2). This section consists of these topics: SSH Servers, Integrated Clients, and Supported Versions, page 7-38; Limitations, page 7-39. Note: The SSH connection to the stack can be lost if a stack master running the cryptographic software image and the IP base or the IP services feature set fails and is replaced by a switch that is running a noncryptographic i...

Page 203: ...ncryption Standard (AES) symmetric encryption algorithm. Configuring SSH: This section has this configuration information: Configuration Guidelines, page 7-39; Setting Up the Switch to Run SSH, page 7-40 (required); Configuring the SSH Server, page 7-41 (required only if you are configuring the switch as an SSH server). Configuration Guidelines: Follow these guidelines when configuring the switch as an SSH server...

Page 204: ...tion, see the "Configuring the Switch for Local Authentication and Authorization" section on page 7-36. Beginning in privileged EXEC mode, follow these steps to configure a hostname and an IP domain name and to generate an RSA key pair. This procedure is required if you are configuring the switch as an SSH server. To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. Afte...

Page 205: ...0 seconds. This parameter applies to the SSH negotiation phase. After the connection is established, the switch uses the default time-out values of the CLI-based sessions. By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the ...

Page 206: ...information about the cryptographic image, see the release notes for this release. These sections contain this information: Understanding Secure HTTP Servers and Clients, page 7-42; Configuring Secure HTTP Servers and Clients, page 7-45; Displaying Secure HTTP Server and Client Status, page 7-49. For configuration examples and complete syntax and usage information for the commands used in this section, see ...

Page 207: ...client generates a notification that the certificate is self-certified, and the user has the opportunity to accept or reject the connection. This option is useful for internal network topologies (such as testing). If you do not configure a CA trustpoint when you enable a secure HTTP connection, either a temporary or a persistent self-signed certificate for the secure HTTP server (or client) is automatical...

Page 208: ...to use from those on the list that are supported by both. For example, Netscape Communicator 4.76 supports U.S. security with RSA Public Key Cryptography, MD2, MD5, RC2-CBC, RC4, DES-CBC, and DES-EDE3-CBC. For the best possible encryption, you should use a client browser that supports 128-bit encryption, such as Microsoft Internet Explorer Version 5.5 (or later) or Netscape Communicator Version 4.76 (or later). Th...

Page 209: ...lock is not set, the certificate is rejected due to an incorrect date. In a switch stack, the SSL session terminates at the stack master. Configuring a CA Trustpoint: For secure HTTP connections, we recommend that you configure an official CA trustpoint. A CA trustpoint is more secure than a self-signed certificate. Beginning in privileged EXEC mode, follow these steps to configure a CA trustpoint. Command ...

Page 210: ...ber. (Optional) Configure the switch to obtain certificates from the CA through an HTTP proxy server. Step 8: crl query url. Configure the switch to request a certificate revocation list (CRL) to ensure that the certificate of the peer has not been revoked. Step 9: primary. (Optional) Specify that the trustpoint should be used as the primary (default) trustpoint for CA requests. Step 10: exit. Exit CA trustpoint co...

Page 211: ...mpt to authenticate the client. Step 7: ip http secure-trustpoint name. Specify the CA trustpoint to use to get an X.509v3 security certificate and to authenticate the client certificate connection. Note: Use of this command assumes you have already configured a CA trustpoint according to the previous procedure. Step 8: ip http path path-name. (Optional) Set a base HTTP path for HTML files. The path specifie...

Page 212: ...name to remove a client trustpoint configuration. Use the no ip http client secure-ciphersuite to remove a previously configured CipherSuite specification for the client. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: ip http client secure-trustpoint name. (Optional) Specify the CA trustpoint to be used if the remote HTTP server requests client authentication. Using thi...

Page 213: ...SCP, you cannot enter the password into the copy command. You must enter the password when prompted. Information About Secure Copy: To configure the Secure Copy feature, you should understand these concepts. The behavior of SCP is similar to that of remote copy (rcp), which comes from the Berkeley r-tools suite, except that SCP relies on SSH for security. SCP also requires that authentication, authorization, and a...

Page 215: ...mum system usage for some functions; for example, use the default template to balance resources, and use access template to obtain maximum ACL usage. To allocate hardware resources for different usages, the switch SDM templates prioritize system resources to optimize support for certain features. You can select SDM templates for IP Version 4 (IPv4) to optimize these features: Routing: The routing template m...

Page 216: ...ates results in less hardware capacity allowed for each resource. Do not use them if you plan to forward only IPv4 traffic. These SDM templates support IPv4 and IPv6 environments: Dual IPv4 and IPv6 default template supports Layer 2, multicast, routing, QoS, and ACLs for IPv4, and Layer 2, routing, and ACLs for IPv6 on the switch. Dual IPv4 and IPv6 routing template supports Layer 2, multicast, routing (includi...

Page 217: ...23h: %STACKMGR-6-SWITCH_ADDED_SDM: Switch 2 has been ADDED to the stack (SDM_MISMATCH) 2d23h: %SDM-6-MISMATCH_ADVISE: 2d23h: %SDM-6-MISMATCH_ADVISE: 2d23h: %SDM-6-MISMATCH_ADVISE: System (#2) is incompatible with the SDM 2d23h: %SDM-6-MISMATCH_ADVISE: template currently running on the stack and 2d23h: %SDM-6-MISMATCH_ADVISE: will not function unless the stack is 2d23h: %SDM-6-MISMATCH_ADVISE: downgraded. Issuing the followi...

Page 218: ...selecting and configuring SDM templates. You must reload the switch for the configuration to take effect. Use the sdm prefer vlan global configuration command only on switches intended for Layer 2 switching with no routing. When you use the VLAN template, no system resources are reserved for routing entries, and any routing is done through software. This overloads the CPU and severely degrades routing p...

Page 219: ...addresses: 3K; number of igmp groups + multicast routes: 1K; number of unicast routes: 11K; number of directly connected hosts: 3K; number of indirect routes: 8K; number of qos aces: 0.5K; number of security aces: 1K. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: sdm prefer {access | default | dual-ipv4-and-ipv6 {default | routing | vlan} | routing | vlan}. Specify the SDM template to be used on...

Page 220: ...lan privileged EXEC command. This is an example of output from the show sdm prefer command that displays the template in use: Switch# show sdm prefer. The current template is "desktop default" template. The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs: number of unicast mac addresses: 6K; number of igmp groups + multicast rout...

Page 221: ...t this level of features for 8 routed interfaces and 1024 VLANs: number of unicast mac addresses: 1.5K; number of IPv4 IGMP groups + multicast routes: 1K; number of IPv4 unicast routes: 2.75K; number of directly connected IPv4 hosts: 1.5K; number of indirect IPv4 routes: 1.25K; number of IPv6 multicast groups: 1K; number of directly connected IPv6 addresses: 1.5K; number of indirect IPv6 unicast routes: 1.25K; numbe...

Page 223: ...nderstanding IEEE 802.1x Port-Based Authentication: The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated. The authentication server authenticates each client connected to a switch port before making available any services of...

Page 224: ...tion, page 9-20; Using Web Authentication, page 9-21. Device Roles: With IEEE 802.1x port-based authentication, the devices in the network have specific roles, as shown in Figure 9-1. Figure 9-1 IEEE 802.1x Device Roles. Client: the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch. The workstation must be running IEEE 802.1x-compliant client soft...

Page 225: ...which is then encapsulated for Ethernet and sent to the client. The devices that can act as intermediaries include the Catalyst 3750-E, Catalyst 3750, Catalyst 3560-E, Catalyst 3560, Catalyst 3550, Catalyst 2970, Catalyst 2960, Catalyst 2955, Catalyst 2950, Catalyst 2940 switches, or a wireless access point. These devices must be running software that supports the RADIUS client and IEEE 802.1x authentication ...

Page 226: ...thentication using a RADIUS server is configured, the switch uses timers based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]). [Flowchart residue; recoverable labels: "Client identity is invalid", "All authentication servers are down", "Client identity is valid", "The switch gets an EAPOL message, and the EAPOL message exchange begins", with Yes/No branches.] Yes...

Page 227: ...of the frame, the client responds with an EAP-response/identity frame. However, if during bootup the client does not receive an EAP-request/identity frame from the switch, the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client's identity. Note: If IEEE 802.1x authentication is not enabled or supported on the network access device, any EAPOL f...

Page 228: ...ccessful, the port becomes authorized. If authorization fails and a guest VLAN is specified, the switch assigns the port to the guest VLAN. If the switch detects an EAPOL packet while waiting for an Ethernet packet, the switch stops the MAC authentication bypass process and stops IEEE 802.1x authentication. Figure 9-4 shows the message exchange during MAC authentication bypass. Figure 9-4 Message Exchang...

Page 229: ...ication of the client. This is the default setting. force-unauthorized: causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the port. auto: enables IEEE 802.1x authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received ...

Page 230: ...example, you can have a redundant connection to the stack master and another to a stack member, and if the stack master fails, the switch stack still has connectivity to the RADIUS server. IEEE 802.1x Host Mode. Note: The switch is usually not configured in the network configuration shown in Figure 9-5. You can configure an IEEE 802.1x port for single-host or for multiple-hosts mode. In single-host mode ...

Page 231: ...g accounting messages. IEEE 802.1x Accounting Attribute-Value Pairs. The information sent to the RADIUS server is represented in the form of Attribute-Value (AV) pairs. These AV pairs provide data for different applications. For example, a billing application might require information that is in the Acct-Input-Octets or the Acct-Output-Octets attributes of a RADIUS packet. AV pairs are automatically sent ...

Page 232: ...he RADIUS server database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of the client connected to the switch port. You can use this feature to limit network access for certain users. [Table rows: Attribute[8] Framed-IP-Address: Never / Sometimes1 / Sometimes1; Attribute[25] Class: Always / Always / Always; Attribute[30] Called-Station-ID: Always / Always / Always; Attribute[31] Calling-Station-ID: A...]

Page 233: ...server is valid, the authorized device is placed in the specified VLAN after authentication. If the multiple-hosts mode is enabled on an IEEE 802.1x port, all hosts are placed in the same VLAN (specified by the RADIUS server) as the first authenticated host. Enabling port security does not impact the RADIUS server-assigned VLAN behavior. If IEEE 802.1x authentication is disabled on the port, it is returne...

Page 234: ...ort to which a port ACL is applied are filtered by the port ACL. Incoming routed packets received on other ports are filtered by the router ACL. Outgoing routed packets are filtered by the router ACL. To avoid configuration conflicts, you should carefully plan the user profiles stored on the RADIUS server. RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific at...

Page 235: ...EAPOL packet history. If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.1x-capable supplicant, and the interface does not change to the guest VLAN state. EAPOL history is cleared if the interface link status goes down. If no EAPOL packet is detected on the interface, the interface changes to ...

Page 236: ...switch stack or a switch to provide limited services to clients that cannot access the guest VLAN. These clients are IEEE 802.1x-compliant and cannot access another VLAN because they fail the authentication process. A restricted VLAN allows users without valid credentials in an authentication server (typically, visitors to an enterprise) to access a limited set of services. The administrator can contro...

Page 237: ...cannot be authenticated, you can configure the switch to allow network access to the hosts connected to critical ports. A critical port is enabled for the inaccessible authentication bypass feature, also referred to as critical authentication or the AAA fail policy. When this feature is enabled, the switch checks the status of the configured RADIUS servers whenever the switch tries to authenticate a h...

Page 238: ...configure inaccessible authentication bypass on a private-VLAN host port. The access VLAN must be a secondary private VLAN. Voice VLAN: Inaccessible authentication bypass is compatible with voice VLAN, but the RADIUS-configured or user-specified access VLAN and the voice VLAN must be different. Remote Switched Port Analyzer (RSPAN): Do not configure an RSPAN VLAN as the RADIUS-configured or user-specifie...

Page 239: ...the switchport port-security interface configuration command. When you enable port security and IEEE 802.1x authentication on a port, IEEE 802.1x authentication authenticates the port, and port security manages network access for all MAC addresses, including that of the client. You can then limit the number or group of clients that can access the network through an IEEE 802.1x port. These are some exam...

Page 240: ...es IEEE 802.1x authentication with WoL, the switch forwards traffic to unauthorized IEEE 802.1x ports, including magic packets. While the port is unauthorized, the switch continues to block ingress traffic other than EAPOL packets. The host can receive packets but cannot send packets to other devices in the network. Note: If PortFast is not enabled on the port, the port is forced to the bidirectional stat...

Page 241: ...e authentication fails, the switch assigns the port to the guest VLAN, if one is configured. If re-authentication is based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]), and if the Termination-Action RADIUS attribute (Attribute[29]) action is Initialize (the attribute value is DEFAULT), the MAC authentication bypass session ends, and connectivit...

Page 242: ...ure token on the RADIUS server. For information about configuring NAC Layer 2 IEEE 802.1x validation, see the "Configuring NAC Layer 2 IEEE 802.1x Validation" section on page 9-41 and the "Configuring Periodic Re-Authentication" section on page 9-30. For more information about NAC, see the Network Admission Control Software Configuration Guide. Using Multidomain Authentication. The switch supports multidoma...

Page 243: ...has been allowed on the port, voice VLAN is automatically removed and must be reauthenticated on that port. Active fallback mechanisms such as guest VLAN and restricted VLAN remain configured after a port changes from single- or multihost mode to multidomain mode. Switching a port host mode from multidomain to single- or multihost mode removes all authorized devices from the port. If a data domain is a...

Page 244: ...ol Server (ACS) for the automatic MAC check to succeed. The automatic MAC check allows managed devices such as printers to skip web authentication. Note: The interoperability of web authentication with automatic MAC check and IEEE 802.1x MAC authentication configured on different ports of the same switch is not supported. Configuring IEEE 802.1x Authentication. These sections contain this configuration i...

Page 245: ...E 802.1x enable state: Disabled (force-authorized). The port sends and receives normal traffic without IEEE 802.1x-based authentication of the client. AAA: Disabled. RADIUS server IP address: None specified. UDP authentication port: 1812. Key: None specified. Host mode: Single-host mode. Control direction: Bidirectional control. Periodic re-authentication: Disabled. Number of seconds between re-authentication attemp...

Page 246: ...arent and does not affect the switch. For example, this change occurs if a port is assigned to a RADIUS server-assigned VLAN and is then assigned to a different VLAN after re-authentication. If the VLAN to which an IEEE 802.1x port is assigned is shut down, disabled, or removed, the port becomes unauthorized. For example, the port is unauthorized after the access VLAN to which a port is assigned shuts dow...

Page 247: ...authentication is disabled until the port is removed as a SPAN or RSPAN destination port. You can enable IEEE 802.1x authentication on a SPAN or RSPAN source port. Before globally enabling IEEE 802.1x authentication on a switch by entering the dot1x system-auth-control global configuration command, remove the EtherChannel configuration from the interfaces on which IEEE 802.1x authentication and Ethe...

Page 248: ...voice VLAN as an IEEE 802.1x restricted VLAN. The restricted VLAN feature is not supported on internal VLANs, routed ports, or trunk ports; it is supported only on access ports. MAC Authentication Bypass. These are the MAC authentication bypass configuration guidelines: Unless otherwise stated, the MAC authentication bypass guidelines are the same as the IEEE 802.1x authentication guidelines. For more info...

Page 249: ...hough other keywords are visible in the command-line help string, only the group radius keywords are supported. Step 4: dot1x system-auth-control. Enable IEEE 802.1x authentication globally on the switch. Step 5: aaa authorization network default group radius. (Optional) Configure the switch to use user-RADIUS authorization for all network-related service requests, such as per-user ACLs or VLAN assignment. N...

Page 250: ...retransmission, and encryption key values for all RADIUS servers by using the radius-server host global configuration command. If you want to configure these options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the radius-server key global configuration commands. For more information, see the "Configuring Settings for All RADIUS Servers" section on page 7-29. Command / P...

Page 251: ...e multi-host. This example shows how to enable MDA and to allow both a host and a voice device on the port: Switch(config)# interface gigabitethernet3/0/1 / Switch(config-if)# dot1x port-control auto / Switch(config-if)# dot1x host-mode multi-domain / Switch(config-if)# switchport voice vlan 101 / Switch(config-if)# end. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interfa...

Page 252: ...nticate the client connected to a specific port at any time by entering the dot1x re-authenticate interface interface-id privileged EXEC command. This step is optional. If you want to enable or disable periodic re-authentication, see the "Configuring Periodic Re-Authentication" section on page 9-30. This example shows how to manually re-authenticate the client connected to a port: Switch# dot1x re-authent...

Page 253: ...ission time and then resends the frame. Note: You should change the default value of this command only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers. Beginning in privileged EXEC mode, follow these steps to change the amount of time that the switch waits for client notification. This procedure is optional. Com...

Page 254: ...eginning in privileged EXEC mode, follow these steps to set the switch-to-client frame-retransmission number. This procedure is optional. To return to the default retransmission number, use the no dot1x max-req interface configuration command. This example shows how to set 5 as the number of times that the switch sends an EAP-request/identity request before restarting the authentication process: Switch...

Page 255: ...accounting allows system reload events to be sent to the accounting RADIUS server for logging. The server can then infer that all active IEEE 802.1x sessions are closed. Because RADIUS uses the unreliable UDP transport protocol, accounting messages might be lost due to poor network conditions. If the switch does not receive the accounting response message from the RADIUS server after a configurable n...

Page 256: ...VLAN. When you configure a guest VLAN, clients that are not IEEE 802.1x-capable are put into the guest VLAN when the server does not receive a response to its EAP-request/identity frame. Clients that are IEEE 802.1x-capable but that fail authentication are not granted network access. The switch supports guest VLANs in single-host or multiple-hosts mode. Beginning in privileged EXEC mode, follow these st...

Page 257: ...valid username and password. The switch supports restricted VLANs only in single-host mode. Beginning in privileged EXEC mode, follow these steps to configure a restricted VLAN. This procedure is optional. Step 3: switchport mode access, or switchport mode private-vlan host. Set the port to access mode, or configure the Layer 2 port as a private-VLAN host port. Step 4: dot1x port-control auto. Enable IEEE 802...

Page 258: ...oice VLAN as an IEEE 802.1x restricted VLAN. Step 6: end. Return to privileged EXEC mode. Step 7: show dot1x interface interface-id. (Optional) Verify your entries. Step 8: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the port to be config...

Page 259: ...nning in privileged EXEC mode, follow these steps to configure the port as a critical port and enable the inaccessible authentication bypass feature. This procedure is optional. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: radius-server dead-criteria time time tries tries. (Optional) Set the conditions that are used to decide when a RADIUS server is considered unavail...

Page 260: ...S server accounting port. ignore-auth-port: Disable testing on the RADIUS server authentication port. For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server. Note: Always configure the key as the last item in the radius-server host comman...

Page 261: ...g-if)# dot1x critical vlan 20 / Switch(config-if)# end. Configuring IEEE 802.1x Authentication with WoL. Beginning in privileged EXEC mode, follow these steps to enable IEEE 802.1x authentication with WoL. This procedure is optional. Step 6: interface interface-id. Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the "IEEE 802.1x Authentication Configurat...

Page 262: ...both: Sets the port as bidirectional. The port cannot receive packets from or send packets to the host. By default, the port is bidirectional. in: Sets the port as unidirectional. The port can send packets to the host but cannot receive packets from the host. Step 4: end. Return to privileged EXEC mode. Step 5: show dot1x interface interface-id. Verify your entries. Step 6: copy running-config startup-config. Op...

Page 263: ...face configuration mode. Step 3: dot1x guest-vlan vlan-id. Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094. You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN. Step 4: dot1x reauthentication. Enable periodic re-authentication of the client, which is disabled by default. Step 5: dot1x timeout reauth-perio...

Page 264: ...hentication method, you must configure the RADIUS server. For more information, see Chapter 7, "Configuring Switch-Based Authentication." The console prompts you for a username and password on future attempts to access the switch console after entering the aaa authentication login command. If you do not want to be prompted for a username and password, configure a second login authentication list: Switch(con...

Page 265: ...nterface-id. Specify the port to be configured, and enter interface configuration mode. Step 4: switchport mode access. Set the port to access mode. Step 5: ip access-group access-list in. Specify the default access control list to be applied to network traffic before web authentication. Step 6: ip admission rule. Apply an IP admission rule to the interface. Step 7: end. Return to privileged EXEC mode. Step 8: sh...

Page 266: ...dot1x pae interface configuration command. Beginning in privileged EXEC mode, follow these steps to disable IEEE 802.1x authentication on the port. This procedure is optional. Step 9: dot1x port-control auto. Enable IEEE 802.1x authentication on the interface. Step 10: dot1x fallback fallback-profile. Configure the port to authenticate a client by using web authentication when no IEEE 802.1x supplicant is...

Page 267: ...y IEEE 802.1x statistics for all ports, use the show dot1x all statistics privileged EXEC command. To display IEEE 802.1x statistics for a specific port, use the show dot1x statistics interface interface-id privileged EXEC command. To display the IEEE 802.1x administrative and operational status for the switch, use the show dot1x all [details | statistics | summary] privileged EXEC command. To display the IEE...

Page 269: ...intaining the Interfaces, page 10-25. Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the online Cisco IOS Interface Command Reference, Release 12.2. Understanding Interface Types. This section describes the different types of interfaces supported by the switch, with references to chapters that contain more detail...

Page 270: ...configure extended-range VLANs (VLAN IDs 1006 to 4094), you must use config-vlan mode with VTP mode set to transparent. Extended-range VLANs are not added to the VLAN database. When VTP mode is transparent, the VTP and VLAN configuration is saved in the switch running configuration, and you can save it in the switch startup configuration file by entering the copy running-config startup-config privileged...

Page 271: ...a VLAN by a VLAN Membership Policy Server (VMPS). The VMPS can be a Catalyst 6500 series switch; the switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 14, "Configuring Voice VLAN." Trunk Ports. A tr...

Page 272: ...rt on a router, it does not have to be connected to a router. A routed port is not associated with a particular VLAN, as is an access port. A routed port behaves like a regular router interface, except that it does not support VLAN subinterfaces. Routed ports can be configured with a Layer 3 routing protocol. A routed port is a Layer 3 interface only and does not support Layer 2 protocols, such as DTP and...

Page 273: ...t to route traffic and assign it an IP address. For more information, see the "Manually Assigning IP Information" section on page 3-10. Note: When you create an SVI, it does not become active until it is associated with a physical port. SVIs support routing protocols and bridging configurations. For more information about configuring IP routing, see Chapter 38, "Configuring IP Unicast Routing," Chapter 44, "Confi...

Page 274: ...uplex mode. The interface can be configured as a switched or routed port. For more information about the Cisco TwinGig Converter Module, see the switch hardware installation guide and your transceiver module documentation. Connecting Interfaces. Devices within a single VLAN can communicate directly through any switch. Ports in different VLANs cannot exchange data without going through a routing device. W...

Page 275: ...figuring a Range of Interfaces" section on page 10-9. To configure a physical interface (port), specify the interface type, stack member number, module number, and switch port number, and enter interface configuration mode. Type: Gigabit Ethernet (gigabitethernet or gi) for 10/100/1000 Mb/s Ethernet ports; 10-Gigabit Ethernet (tengigabitethernet or te) for 10,000 Mb/s; or small form-factor pluggable (SFP) module Gig...

Page 276: ...onfiguration processes. Step 1: Enter the configure terminal command at the privileged EXEC prompt: Switch# configure terminal / Enter configuration commands, one per line. End with CNTL/Z. / Switch(config)#. Step 2: Enter the interface global configuration command. Identify the interface type, the switch number, and the number of the connector. In this example, Gigabit Ethernet port 1 on switch 1 is selected: Switch...

Page 277: ...re the module is always 0. port-channel port-channel-number: port-channel-number, where the port-channel number is 1 to 48. Note: When you use the interface range command with port channels, the first and last port-channel number must be active port channels. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface range {port-range | macro macro_name}. Specify the range of i...

Page 278: ...ace range gigabitethernet1/0/1 - 3, tengigabitethernet1/0/1 - 2 / Switch(config-if-range)# flowcontrol receive on. If you enter multiple configuration commands while you are in interface-range mode, each command is executed as it is entered. The commands are not batched and executed after you exit interface-range mode. If you exit interface-range configuration mode while the commands are being executed, some co...

Page 279: ...command displays the configured VLAN interfaces. VLAN interfaces not displayed by the show running-config command cannot be used as interface ranges. All interfaces defined in a range must be the same type (all Gigabit Ethernet ports, all 10-Gigabit Ethernet ports, all EtherChannel ports, or all VLANs), but you can combine multiple interface types in a macro. This example shows how to define an interfa...

Page 280: ...Layer 3 port connected to the Onboard Administrator (see Figure 10-2). The IP addresses are assigned to the management port by you, through the Onboard Administrator, or by the DHCP server. You can manage the switch through these IP addresses. We recommend that you let the Onboard Administrator act as the DHCP server, assigning an IP address to the management port. You can use this address to manage the sw...

Page 281: ...ablished. In a stack that has members in multiple enclosures, the PC must be able to connect to all of the enclosures with stack members. Figure 10-3 Connecting a Switch Stack to a PC. By default, the Ethernet management port is enabled. The switch cannot route packets from the Ethernet management port to a network port, and the reverse. [Figure callouts: 1 Onboard Administrator; 2 Internal Ethernet management ports that ar...]

Page 282: ...il. Layer 3 Routing Configuration Guidelines. When Layer 3 routing is enabled, you should be aware of these guidelines: If Routing Information Protocol (RIP) or Open Shortest Path First (OSPF) is enabled, RIP or OSPF advertises routes with the internal Ethernet management port. By default, RIP and OSPF are disabled. For traffic to be routed between VLAN 1 and the Ethernet management port, IP routing must be en...

Page 283: ...10-21. Table 10-1 Boot Loader Commands. Command / Description. ARP [ip_address]: Displays the currently cached ARP1 table when this command is entered without the ip_address parameter. Enables ARP to associate a MAC address with the specified IP address when this command is entered with the ip_address parameter. (1. ARP = Address Resolution Protocol.) Mgmt_init: Resets the MAC address of the Ethernet management po...

Page 284: ...r switching mode (switchport command). Allowed VLAN range: VLANs 1 to 4094. Default VLAN (for access ports): VLAN 1 (Layer 2 interfaces only). Native VLAN (for IEEE 802.1Q trunks): VLAN 1 (Layer 2 interfaces only). VLAN trunking: Switchport mode dynamic auto (supports DTP) (Layer 2 interfaces only). Port enable state: All ports are enabled. Port description: None defined. Speed: 1000 Mb/s for the internal ports (nonconfigurable)...

Page 285: ...0/1000 Mb/s ports support all speed options and all duplex options (auto, half, and full). However, Gigabit Ethernet ports operating at 1000 Mb/s do not support half-duplex mode. The internal Ethernet management ports do not support the speed and duplex features. These ports operate only at 1000 Mb/s and in full-duplex mode. For SFP module ports, the speed and duplex CLI options change depending on the SFP...

Page 286: ...et a specific speed for the interface. The 1000 keyword is available only for 10/100/1000 Mb/s ports. Enter auto to enable the interface to autonegotiate speed with the connected device. If you use the 10, 100, or the 1000 keywords with the auto keyword, the port autonegotiates only at the specified speeds. The nonegotiate keyword is available only for SFP module ports. SFP module ports operate only at 10...

Page 287: ...receive pause frames to on, off, or desired. The default state is off. When set to desired, an interface can operate with an attached device that is required to send flow-control packets or with an attached device that is not required to but can send flow-control packets. These rules apply to flow control settings on the device: receive on (or desired): The port cannot send pause frames but can operate wit...

Page 288: ...ble auto-MDIX, you must also set the interface speed and duplex to auto so that the feature operates correctly. Auto-MDIX is supported on all 10/100/1000-Mb/s and on 10/100/1000BASE-TX small form-factor pluggable (SFP) module interfaces. It is not supported on 1000BASE-SX SFP module interfaces. Table 10-3 shows the link states that result from auto-MDIX settings and correct and incorrect cabling. Beginni...

Page 289: ...al / Enter configuration commands, one per line. End with CNTL/Z. / Switch(config)# interface gigabitethernet1/0/2 / Switch(config-if)# description Connects to Marketing / Switch(config-if)# end / Switch# show interfaces gigabitethernet1/0/2 description / Interface Status Protocol Description / Gi1/0/2 admin down down Connects to Marketing. Configuring Layer 3 Interfaces. The switch supports these types of Layer 3 interfac...

Page 290: ...ocol (VTP) of a new VLAN, it sends a message that there are not enough hardware resources available and shuts down the VLAN. The output of the show vlan user EXEC command shows the VLAN in a suspended state. If the switch attempts to boot up with a configuration that has more VLANs and routed ports than hardware can support, the VLANs are created, but the routed ports are shut down, and the switch sends a...

Page 291: ...ystem MTU values, follow these guidelines: The switch does not support the MTU on a per-interface basis. You can enter the system mtu bytes global configuration command on a switch, but the command does not take effect on the switch. The system mtu jumbo global configuration commands do not take effect when you enter the system mtu routing command on a switch on which only Layer 2 ports are configured...

Page 292: ...ernet interfaces to an out-of-range number: Switch(config)# system mtu jumbo 25000 / % Invalid input detected at '^' marker. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: system mtu jumbo bytes. (Optional) Change the MTU size for all Gigabit Ethernet and 10-Gigabit Ethernet interfaces on the switch or the switch stack. The range is from 1500 to 9198 bytes. Step 3: system mtu routi...

Page 293: ...d. Display interface status or a list of interfaces in the error-disabled state. show interfaces [interface-id] switchport: Display administrative and operational status of switching (nonrouting) ports. You can use this command to find out if a port is in routing or in switching mode. show interfaces [interface-id] description: Display the description configured on an interface or all interfaces and the inter...

Page 294: ...e specified interface and marks the interface as unavailable on all monitoring command displays. This information is communicated to other network servers through all dynamic routing protocols. The interface is not mentioned in any routing updates. Beginning in privileged EXEC mode, follow these steps to shut down an interface. Use the no shutdown interface configuration command to restart the interfac...

Page 295: ...of command-line interface (CLI) commands that you define. Smartports macros do not contain new CLI commands; they are simply a group of existing CLI commands. When you apply a Smartports macro on an interface, the CLI commands within the macro are configured on the interface. When the macro is applied to an interface, the existing interface configurations are not lost. The new commands are added to the in...

Page 296: ...ult Smartports Macro Configuration, page 11-2. Smartports Macro Configuration Guidelines, page 11-3. Creating Smartports Macros, page 11-4. Applying Smartports Macros, page 11-5. Applying Cisco-Default Smartports Macros, page 11-6. Default Smartports Macro Configuration. There are no Smartports macros enabled. cisco-phone: Use this interface configuration macro when connecting a desktop device such as a PC wit...

Page 297: ...pplied globally to a switch or to a switch interface, all existing configuration on the interface is retained. This is helpful when applying an incremental configuration. If you modify a macro definition by adding or deleting commands, the changes are not reflected on the interface where the original macro was applied. You need to reapply the updated macro on the interface to apply the new or changed c...

Page 298: ...s two help string keywords by using # macro keywords: Switch(config)# macro name test / switchport access vlan $VLANID / switchport port-security maximum $MAX / # macro keywords $VLANID $MAX. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: macro name macro-name. Create a macro definition, and enter a macro name. A macro definition can contain up to 3000 characters. Enter the macro comma...

Page 299: ...ering the keyword values, the commands are invalid and are not applied. Step 3: macro global description text. (Optional) Enter a description about the macro that is applied to the switch. Step 4: interface interface-id. (Optional) Enter interface configuration mode, and specify the interface on which to apply the macro. Step 5: default interface interface-id. (Optional) Clear all configuration from the specified...

Page 300: ...n. Interface / Macro Description. Gi0/2: desktop-config. This example shows how to apply the user-created macro called desktop-config and to replace all occurrences of VLAN 1 with VLAN 25: Switch(config-if)# macro apply desktop-config vlan 25. Applying Cisco-Default Smartports Macros. Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro. Command / Purpose. Step 1: show parser macro. Dis...

Page 301: ...ity age is greater than one minute and use inactivity timer: switchport port-security violation restrict / switchport port-security aging time 2 / switchport port-security aging type inactivity. # Configure port as an edge network port: spanning-tree portfast / spanning-tree bpduguard enable. Switch# / Switch# configure terminal / Switch(config)# gigabitethernet1/0/4 / Switch(config-if)# macro apply cisco-desktop $AVID 25...

Page 302: ...e or more of the privileged EXEC commands in Table 11-2. Table 11-2 Commands for Displaying Smartports Macros. Command / Purpose. show parser macro: Displays all configured macros. show parser macro name macro-name: Displays a specific macro. show parser macro brief: Displays the configured macro names. show parser macro description [interface interface-id]: Displays the macro description for all interfaces or...

Page 303: ...s a switched network that is logically segmented by function, project team, or application, without regard to the physical locations of the users. VLANs have the same attributes as physical LANs, but you can group end stations even if they are not physically located on the same LAN segment. Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to...

Page 304: ...s" section on page 10-5 and the "Configuring Layer 3 Interfaces" section on page 10-21. Note: If you plan to configure many VLANs on the switch and to not enable routing, you can use the sdm prefer vlan global configuration command to set the Switch Database Management (sdm) feature to the VLAN template, which configures system resources to support the maximum number of unicast MAC addresses. For more infor...

Page 305: ...acteristics. Table 12-1 Port Membership Modes and Characteristics. Membership Mode / VLAN Membership Characteristics / VTP Characteristics. Static-access: A static-access port can belong to one VLAN and is manually assigned to that VLAN. For more information, see the "Assigning Static-Access Ports to a VLAN" section on page 12-11. VTP is not required. If you do not want VTP to globally propagate information, set...

Page 306: ...is stored in flash memory. The vlan.dat file is stored in flash memory on the stack master. Stack members have a vlan.dat file that is consistent with the stack master. Dynamic access: A dynamic-access port can belong to one VLAN (VLAN ID 1 to 4094) and is dynamically assigned by a VMPS. The VMPS can be a Catalyst 5000 or Catalyst 6500 series switch, for example, but never a blade switch. The switch is a VMP...

Page 307: ...pe: Ethernet, Fiber Distributed Data Interface (FDDI), FDDI network entity title (NET), TrBRF or TrCRF, Token Ring, Token Ring-Net. VLAN state (active or suspended). Maximum transmission unit (MTU) for the VLAN. Security Association Identifier (SAID). Bridge identification number for TrBRF VLANs. Ring number for FDDI and TrCRF VLANs. Parent VLAN number for TrCRF VLANs. Spanning Tree Protocol (STP) type for TrCRF VLANs. VLA...

Page 308: ...fine a VTP domain or VTP will not function. The switch does not support Token Ring or FDDI media. The switch does not forward FDDI, FDDI-Net, TrCRF, or TrBRF traffic, but it does propagate the VLAN configuration through VTP. The switch supports 128 spanning-tree instances. If a switch has more active VLANs than supported spanning-tree instances, spanning tree can be enabled on 128 VLANs and is disabled on...

Page 309: ...mode when creating extended-range VLANs (VLAN IDs greater than 1005). See the Configuring Extended-Range VLANs section on page 12-12. VLAN Configuration in VLAN Database Configuration Mode: To access VLAN database configuration mode, enter the vlan database privileged EXEC command. Then enter the vlan command with a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify the VLAN. You can use...

Page 310: ...tion for the first 1005 VLANs, use the VLAN database information. Caution: If the VLAN database configuration is used at startup and the startup configuration file contains extended-range VLAN configuration, this information is lost when the system boots up. Default Ethernet VLAN Configuration: Table 12-2 shows the default configuration for Ethernet VLANs. Note: The switch supports Ethernet interfaces exc...

Page 311: ...terminal
Switch(config)# vlan 20
Switch(config-vlan)# name test20
Switch(config-vlan)# end
Command | Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 vlan vlan-id: Enter a VLAN ID, and enter config-vlan mode. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify that VLAN. Note: The available VLAN ID range for this command is 1 to 4094. For information about adding...

Page 312: ...nly on that specific switch or a switch stack. You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005. Command | Purpose. Step 1 vlan database: Enter VLAN database configuration mode. Step 2 vlan vlan-id name vlan-name: Add an Ethernet VLAN by assigning a number to it. The range is 1 to 1001. You can create or modify a range of consecutive...

Page 313: ...to a VLAN that does not exist, the new VLAN is created. See the Creating or Modifying an Ethernet VLAN section on page 12-9. Beginning in privileged EXEC mode, follow these steps to assign a port to a VLAN in the VLAN database. Command | Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 no vlan vlan-id: Remove the VLAN by entering the VLAN ID. Step 3 end: Return to privileged EXEC mod...

Page 314: ...iguration mode (accessed by entering the vlan database privileged EXEC command). Extended-range VLAN configurations are not stored in the VLAN database, but because VTP mode is transparent, they are stored in the switch running configuration file, and you can save the configuration in the startup configuration file by using the copy running-config startup-config privileged EXEC command. Note: Although the...

Page 315: ...ecommend that you configure the IEEE 802.1s Multiple STP (MSTP) on your switch to map multiple VLANs to a single spanning-tree instance. For more information about MSTP, see Chapter 18, Configuring MSTP. Each routed port on the switch creates an internal VLAN for its use. These internal VLANs use extended-range VLAN numbers, and the internal VLAN ID cannot be used for an extended-range VLAN. If you try to...

Page 316: ...ded-Range VLAN with an Internal VLAN ID section on page 12-15 before creating the extended-range VLAN. Beginning in privileged EXEC mode, follow these steps to create an extended-range VLAN. To delete an extended-range VLAN, use the no vlan vlan-id global configuration command. The procedure for assigning static-access ports to an extended-range VLAN is the same as for normal-range VLANs. See the Assign...

Page 317: ...s the routed port that is using the VLAN ID. Enter that port number in Step 3. Step 2 configure terminal: Enter global configuration mode. Step 3 interface interface-id: Specify the interface ID for the routed port that is using the VLAN ID, and enter interface configuration mode. Step 4 shutdown: Shut down the port to free the internal VLAN ID. Step 5 exit: Return to global configuration mode. Step 6 vtp mo...

Page 318: ...0. Configuring an Ethernet Interface as a Trunk Port, page 12-20. Configuring Trunk Ports for Load Sharing, page 12-24. Trunking Overview: A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch. Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network. Two...

Page 319: ...E 802.1Q Trunking Environment. You can configure a trunk on a single Ethernet interface or on an EtherChannel bundle. For more information about EtherChannel, see Chapter 37, Configuring EtherChannels and Link-State Tracking. [Figure labels only: Catalyst 6500 series switch; Blade switch (four times); VLAN2, VLAN3, VLAN1, VLAN1, VLAN2, VLAN3; ISL trunk (four times); figure number 119945; Catalyst 6500 se...]

Page 320: ...private-VLAN ports or tunnel ports. Table 12-4 Layer 2 Interface Modes (columns: Mode | Function). switchport mode access: Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether or not the neighboring interface is a trunk interface. switchport mode dynamic auto: Makes the interface able...

Page 321: ...on-Cisco IEEE 802.1Q switch. However, spanning-tree information for each VLAN is maintained by Cisco switches separated by a cloud of non-Cisco IEEE 802.1Q switches. The non-Cisco IEEE 802.1Q cloud separating the Cisco switches is treated as a single trunk link between the switches. Make sure the native VLAN for an IEEE 802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one...

Page 322: ...2 trunk, or if the interface is in Layer 3 mode, it becomes a Layer 2 trunk when you enter the switchport interface configuration command. By default, trunks negotiate encapsulation. If the neighboring interface supports ISL and IEEE 802.1Q encapsulation and both interfaces are set to negotiate the encapsulation type, the trunk uses ISL encapsulation. Interaction with Other Features: Trunking interacts wi...

Page 323: ...to support ISL or IEEE 802.1Q encapsulation, or to negotiate (the default) with the neighboring interface for encapsulation type. You must configure each end of the link with the same encapsulation type. Step 4 switchport mode {dynamic {auto | desirable} | trunk}: Configure the interface as a Layer 2 trunk (required only if the interface is a Layer 2 access port or tunnel port, or to specify the trunking mode). dy...

Page 324: ...requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1. To reduce the risk of spanning-tree loops or storms, you can disable VLAN 1 on any individual VLAN trunk port by removing VLAN 1 from the allowed lis...

Page 325: ...from 1 to 4094, or a range of VLANs described by two VLAN numbers, the lower one first, separated by a hyphen. Do not enter any spaces between comma-separated VLAN parameters or in hyphen-specified ranges. All VLANs are allowed by default. Step 5 end: Return to privileged EXEC mode. Step 6 show interfaces interface-id switchport: Verify your entries in the Trunking VLANs Enabled field of the display. Step...

Page 326: ...he packet is sent untagged; otherwise, the switch sends the packet with a tag. Configuring Trunk Ports for Load Sharing: Load sharing divides the bandwidth supplied by parallel trunks connecting switches. To avoid loops, STP normally blocks all but one parallel link between switches. Using load sharing, you divide the traffic between the links according to which VLAN the traffic belongs. Step 5 show interf...

Page 327: ...wo trunks connecting supported switches. In this example, the switches are configured as follows: VLANs 8 through 10 are assigned a port priority of 16 on Trunk 1. VLANs 3 through 6 retain the default port priority of 128 on Trunk 1. VLANs 3 through 6 are assigned a port priority of 16 on Trunk 2. VLANs 8 through 10 retain the default port priority of 128 on Trunk 2. In this way, Trunk 1 carries traffic f...

Page 328: ...the same encapsulation type. Step 10 switchport mode trunk: Configure the port as a trunk port. Step 11 end: Return to privileged EXEC mode. Step 12 show interfaces gigabitethernet1/0/1 switchport: Verify the VLAN configuration. Step 13: Repeat Steps 7 through 11 on Switch A for a second port in the switch or switch stack. Step 14: Repeat Steps 7 through 11 on Switch B to configure the trunk ports that connec...

Page 329: ...etwork shown in Figure 12-5. [Figure 12-5 labels only: figure number 90573; Switch A; Switch B; Trunk port 1: VLANs 2-4 path cost 30, VLANs 8-10 path cost 19; Trunk port 2: VLANs 8-10 path cost 30, VLANs 2-4 path cost 19.] Command | Purpose. Step 1 configure terminal: Enter global configuration mode on Switch A. Step 2 interface gigabitethernet1/0/1: Define the interface to be configured as a trunk, and enter interface configuration mode. Step 3 switchpor...

Page 330: ...4. VMPS Configuration Example section on page 12-34. Understanding VMPS: Each time the client switch receives the MAC address of a new host, it sends a VQP query to the VMPS. When the VMPS receives this query, it searches its database for a MAC-address-to-VLAN mapping. The server response is based on this mapping and whether or not the server is in open or secure mode. In secure mode, the server shuts down...

Page 331: ...belong to only one VLAN, with an ID from 1 to 4094. When the link comes up, the switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment. The VMPS receives the source MAC address from the first packet of a new host connected to the dynamic-access port and attempts to match the MAC address to a VLAN in the VMPS database. If there is a match, the VMPS sends the VLA...

Page 332: ...e dynamic-access ports, but you can enter the switchport access vlan dynamic interface configuration command for a trunk port. In this case, the switch retains the setting and applies it if the port is later configured as an access port. You must turn off trunking on the port before the dynamic-access setting takes effect. Dynamic-access ports cannot be monitor ports. Secure ports cannot be dynamic-acce...

Page 333: ...o other switches can cause a loss of connectivity. Beginning in privileged EXEC mode, follow these steps to configure a dynamic-access port on a VMPS client switch. Command | Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 vmps server ipaddress primary: Enter the IP address of the switch acting as the primary VMPS server. Step 3 vmps server ipaddress: (Optional) Enter the IP address...

Page 334: ...than the reconfirmation setting on the command switch. You must also first use the rcommand privileged EXEC command to log in to the member switch. Beginning in privileged EXEC mode, follow these steps to change the reconfirmation interval. To return the switch to its default setting, use the no vmps reconfirm global configuration command. Step 6 show interfaces interface-id switchport: Verify your entr...

Page 335: ...starts to query the secondary VMPS. VMPS domain server: the IP address of the configured VLAN membership policy servers. The switch sends queries to the one marked current. The one marked primary is the primary server. VMPS Action: the result of the most recent reconfirmation attempt. A reconfirmation attempt can occur automatically when the reconfirmation interval expires, or you can force it by enterin...

Page 336: ...re-enable a disabled dynamic-access port, enter the shutdown interface configuration command followed by the no shutdown interface configuration command. VMPS Configuration Example: Figure 12-6 shows a network with a VMPS server switch and VMPS client switches with dynamic-access ports. In this example, these assumptions apply: The VMPS server and the VMPS client are separate switches. The Catalyst 6500...

Page 337: ...[Figure 12-6 labels only: Catalyst 6500 series Secondary VMPS Server 3; addresses 172.20.26.150 through 172.20.26.159; Catalyst 6500 series switch A; Switch C; Ethernet segment; Trunk link; Client switch I; Client switch B; Server 2; Server 1; TFTP server; Dynamic-access port (twice); Switch J; Switch D; Switch E; Switch F; Switch G; ...]

Page 338: ...12-36 Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide, OL-12247-01, Chapter 12 Configuring VLANs, Configuring VMPS...

Page 339: ...ations and security violations. Before you create VLANs, you must decide whether to use VTP in your network. Using VTP, you can make configuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network. Without VTP, you cannot send information about VLANs to other switches. VTP is designed to work in an environment where update...

Page 340: ...LANs on a VTP server, and VLAN information is not propagated over the network. If the switch receives a VTP advertisement over a trunk link, it inherits the management domain name and the VTP configuration revision number. The switch then ignores advertisements with a different domain name or an earlier configuration revision number. Caution: Before adding a VTP client switch to a VTP domain, always veri...

Page 341: ...figurations are saved in NVRAM. VTP server is the default mode. VTP client: A VTP client behaves like a VTP server and transmits and receives VTP updates on its trunks, but you cannot create, change, or delete VLANs on a VTP client. VLANs are configured on another switch in the domain that is in server mode. In VTP client mode, VLAN configurations are not saved in NVRAM. VTP transparent: VTP transparent swit...

Page 342: ...erver or client propagates configuration changes to its other trunks, even for TLVs it is not able to parse. The unrecognized TLV is saved in NVRAM when the switch is operating in VTP server mode. Version-Dependent Transparent Mode: In VTP Version 1, a VTP transparent switch inspects VTP messages for the domain name and version and forwards a message only if the version and domain name match. Because VT...

Page 343: ...witch D are assigned to the Red VLAN. If a broadcast is sent from the host connected to Switch A, Switch A floods the broadcast, and every switch in the network receives it, even though Switches C, E, and F have no ports in the Red VLAN. Figure 13-1 Flooding Traffic without VTP Pruning. Figure 13-2 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch A is not forwarded to Sw...

Page 344: ...on command, see the Changing the Pruning-Eligible List section on page 12-23. VTP pruning operates when an interface is trunking. You can set VLAN pruning-eligibility whether or not VTP pruning is enabled for the VTP domain, whether or not any given VLAN exists, and whether or not the interface is currently trunking. VTP and Switch Stacks: VTP configuration is the same in all members of a switch stack. Wh...

Page 345: ...n VTP mode is transparent, the VTP domain name and mode are also saved in the switch running configuration file, and you can save it in the switch startup configuration file by entering the copy running-config startup-config privileged EXEC command. You must use this command if you want to save VTP mode as transparent, even if the switch resets. When you save VTP information in the switch startup confi...

Page 346: ...sparent mode do not exchange VTP messages with other switches, and you do not need to configure a VTP domain name for them. Note: If NVRAM and DRAM storage is sufficient, all switches in a VTP domain should be in VTP server mode. Caution: Do not configure a VTP domain if all switches are operating in VTP client mode. If you configure the domain, it is impossible to make changes to the VLAN configuration o...

Page 347: ...r more information, see the Configuring VLAN Trunks section on page 12-16. If you are configuring VTP on a cluster member switch to a VLAN, use the rcommand privileged EXEC command to log in to the member switch. For more information about the command, see the command reference for this release. If you are configuring extended-range VLANs on the switch, the switch must be in VTP transparent mode. VTP does...

Page 348: ...(Optional) Set the password for the VTP domain. The password can be 8 to 64 characters. If you configure a VTP password, the VTP domain does not function properly if you do not assign the same password to each switch in the domain. Step 5 end: Return to privileged EXEC mode. Step 6 show vtp status: Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display. Command | Purpose. C...

Page 349: ...VTP configuration to the default. To keep the VTP configuration with VTP client mode after the switch restarts, you must first configure the VTP domain name before the VTP mode. Caution: If all switches are operating in VTP client mode, do not configure a VTP domain name. If you do, it is impossible to make changes to the VLAN configuration of that domain. Therefore, make sure you configure at least one s...

Page 350: ...rsion 2 does forward received VTP advertisements on its trunk links. Note: Before you create extended-range VLANs (VLAN IDs 1006 to 4094), you must set VTP mode to transparent by using the vtp mode transparent global configuration command. Save this configuration to the startup configuration so that the switch boots up in VTP transparent mode. Otherwise, you lose the extended-range VLAN configuration if t...

Page 351: ...same VTP domain. Every switch in the VTP domain must use the same VTP version. Do not enable VTP Version 2 unless every switch in the VTP domain supports Version 2. Note: In TrCRF and TrBRF Token Ring environments, you must enable VTP Version 2 for Token Ring VLAN switching to function properly. For Token Ring and Token Ring-Net media, VTP Version 2 must be disabled. For more information on VTP version co...

Page 352: ...or the entire VTP domain. Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning eligible on trunk ports. Reserved VLANs and extended-range VLANs cannot be pruned. To change the pruning-eligible VLANs, see the Changing the Pruning-Eligible List section on page 12-23. Adding a VTP Client Switch to a VTP Domain: Before adding a VTP client to a VTP domain...

Page 353: ...omain. Command | Purpose. Step 1 show vtp status: Check the VTP configuration revision number. If the number is 0, add the switch to the VTP domain. If the number is greater than 0, follow these steps: a. Write down the domain name. b. Write down the configuration revision number. c. Continue with the next steps to reset the switch configuration revision number. Step 2 configure terminal: Enter global configuratio...

Page 354: ...ame, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 13-3 shows the privileged EXEC commands for monitoring VTP activity. Table 13-3 VTP Monitoring Commands (columns: Command | Purpose). show vtp status: Display the VTP switch configuration information. show vtp counters: Display counters about VTP messages that have been...

Page 355: ...Phone, the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS. QoS uses classification and scheduling to send network traffic from the switch in a predictable manner...

Page 356: ...tagged (no Layer 2 CoS priority value). Note: In all configurations, the voice traffic carries a Layer 3 IP precedence value (the default is 5 for voice traffic and 3 for voice control traffic). Cisco IP Phone Data Traffic: The switch can also process tagged data traffic (traffic in IEEE 802.1Q or IEEE 802.1p frame types) from the device attached to the access port on the Cisco IP Phone (see Figure 14-1). You c...

Page 357: ...e a voice VLAN only on Layer 2 ports. Note: Voice VLAN is only supported on access ports and not on trunk ports, even though the configuration is allowed. The voice VLAN should be present and active on the switch for the IP phone to correctly communicate on the voice VLAN. Use the show vlan privileged EXEC command to see if the VLAN is present (listed in the display). If the VLAN is not listed, see Chapter...

Page 358: ...re information. Note: If you enable IEEE 802.1x on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the phone loses connectivity to the switch for up to 30 seconds. Protected port: See the Configuring Protected Ports section on page 25-5 for more information. A source or destination port for a SPAN or RSPAN session. Secure port: See the Configuring Port Securi...

Page 359: ...nfiguring the port trust state, you must first globally enable QoS by using the mls qos global configuration command. Step 4 switchport voice {detect cisco-phone [full-duplex] | vlan {vlan-id | dot1p | none | untagged}}: Configure how the Cisco IP Phone carries voice traffic. detect: Configure the interface to detect and recognize a Cisco IP phone. cisco-phone: When you initially implement the switchport voice detect...

Page 360: ...plex Cisco IP Phone.
Switch(config-if)# switchport voice detect cisco-phone full-duplex   (full-duplex: the full-duplex keyword)
Switch(config-if)# end
This example shows how to disable switchport voice detect on a Cisco IP Phone:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet 1/0/1
Switch(config-if)# no switchport voice detect cisco-phon...

Page 361: ...ying Voice VLAN: To display voice VLAN configuration for an interface, use the show interfaces interface-id switchport privileged EXEC command. Step 3 switchport priority extend {cos value | trust}: Set the priority of data traffic received from the Cisco IP Phone access port. cos value: Configure the phone to override the priority received from the PC or the attached device with the specified CoS value. The...

Page 363: ...esses two problems that service providers face when using VLANs. Scalability: The switch supports up to 1005 active VLANs. If a service provider assigns one VLAN per customer, this limits the number of customers the service provider can support. To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which can result in wasting the unused IP addresses and cause IP add...

Page 364: ...the primary VLAN. Isolated: An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. Community: A commun...

Page 365: ...e outside the private VLAN. You can use private VLANs to control access to end stations in these ways: Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2. For example, if the end stations are servers, this configuration prevents Layer 2 communication between the servers. Configure interfaces connected to default gateways and selected end sta...

Page 366: ...ches in the network, the Layer 2 databases in these switches are not merged. This can result in unnecessary flooding of private-VLAN traffic on those switches. Note: When configuring private VLANs on the switch, always use the default Switch Database Management (SDM) template to balance system resources between unicast routes and Layer 2 entries. If another SDM template is configured, use the sdm prefer de...

Page 367: ...l interface (SVI) represents the Layer 3 interface of a VLAN. Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs. Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs. SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN. If you try to con...

Page 368: ...e 15-14. Tasks for Configuring Private VLANs: To configure a private VLAN, perform these steps. Step 1: Set VTP mode to transparent. Step 2: Create the primary and secondary VLANs and associate them. See the Configuring and Associating VLANs in a Private VLAN section on page 15-10. Note: If the VLAN is not created already, the private-VLAN configuration process creates it. Step 3: Configure interfaces to be is...

Page 369: ...evice where you want private-VLAN ports. You cannot configure VLAN 1 or VLANs 1002 to 1005 as primary or secondary VLANs. Extended VLANs (VLAN IDs 1006 to 4094) can belong to private VLANs. A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it. An isolated or community VLAN can have only one primary VLAN associated with it. Although a private VLAN contains more than on...

Page 370: ...primary and secondary VLAN Layer 3 traffic. Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other at Layer 3. Private VLANs support these Switched Port Analyzer (SPAN) features: You can configure a private-VLAN port as a SPAN source port. You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs, or use SPAN on only one VLAN to separately monitor e...

Page 371: ...ache Communication Protocol (WCCP). You can configure IEEE 802.1x port-based authentication on a private-VLAN port, but do not configure 802.1x with port security, voice VLAN, or per-user ACL on private-VLAN ports. A private-VLAN host or promiscuous port cannot be a SPAN destination port. If you configure a SPAN destination port as a private-VLAN port, the port becomes inactive. If you configure a static MA...

Page 372: ...o 1001 and 1006 to 4094. Step 7 private-vlan isolated: Designate the VLAN as an isolated VLAN. Step 8 exit: Return to global configuration mode. Step 9 vlan vlan-id: (Optional) Enter VLAN configuration mode and designate or create a VLAN that will be a community VLAN. The VLAN ID range is 2 to 1001 and 1006 to 4094. Step 10 private-vlan community: Designate the VLAN as a community VLAN. Step 11 exit: Return to...

Page 373: ...munity VLANs, to associate them in a private VLAN, and to verify the configuration:
Switch# configure terminal
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# exit
Switch(config)# vlan 501
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# vlan 502
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 503
Switch...

Page 374: ...de VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 20 501
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan...

Page 375: ...ure an interface as a private-VLAN promiscuous port and map it to a private VLAN. The interface is a member of primary VLAN 20, and secondary VLANs 501 to 503 are mapped to it.
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 20 add 501-503
Switch(config-if)# end
Use the show...

Page 376: ...y_vlan_list to map the secondary VLANs to the primary VLAN. Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and the primary VLAN. This example shows how to map the interfaces of VLANs 501 and 502 to primary VLAN 10, which permits routing of secondary VLAN ingress traffic from private VLANs 501 to 502:
Switch# configure terminal
Switch(config)# interface vlan...

Page 377: ...vate-vlan
Primary Secondary Type            Ports
10      501       isolated        Gi2/0/1, Gi3/0/1, Gi3/0/2
10      502       community       Gi2/0/11, Gi3/0/1, Gi3/0/4
10      503       non-operational
Table 15-1 Private VLAN Monitoring Commands (columns: Command | Purpose). show interfaces status: Displays the status of interfaces, including the VLANs to which they belong. show vlan private-vlan [type]: Display the private-VLAN information for the switch. show interface sw...

Page 379: ...16-7. Configuring Layer 2 Protocol Tunneling, page 16-10. Monitoring and Maintaining Tunneling Status, page 16-18. Understanding IEEE 802.1Q Tunneling: Business customers of service providers often have specific requirements for VLAN IDs and the number of VLANs to be supported. The VLAN ranges required by different customers in the same service-provider network might overlap, and traffic of customers thr...

Page 380: ...main intact inside the switch, and when they exit the trunk port into the service-provider network, they are encapsulated with another layer of an IEEE 802.1Q tag (called the metro tag) that contains the VLAN ID that is unique to the customer. The original customer IEEE 802.1Q tag is preserved in the encapsulated packet. Therefore, packets entering the service-provider network are double-tagged, with the...

Page 381: ...umbering space used by other customers and the VLAN numbering space used by the service-provider network. At the outbound tunnel port, the original VLAN numbers on the customer's network are recovered. It is possible to have multiple levels of tunneling and tagging, but the switch supports only one level in this release. If traffic coming from a customer network is not tagged (native VLAN frames), these p...

Page 382: ...on units (MTUs) are explained in these next sections. Native VLANs: When configuring IEEE 802.1Q tunneling on an edge switch, you must use IEEE 802.1Q trunk ports for sending packets into the service-provider network. However, packets going through the core of the service-provider network can be carried through IEEE 802.1Q trunks, ISL trunks, or nontrunking links. When IEEE 802.1Q trunks are used in these c...

Page 383: ...raffic on the switch is 1500 bytes. You can configure 10-Gigabit and Gigabit Ethernet ports to support frames larger than 1500 bytes by using the system mtu jumbo global configuration command. The system jumbo MTU values do not include the IEEE 802.1Q header. Because the IEEE 802.1Q tunneling feature increases the frame size by 4 bytes when the metro tag is added, you must configure all switches in th...

Page 384: ...s are compatible with tunnel ports as long as the IEEE 802.1Q configuration is consistent within an EtherChannel port group. Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), and UniDirectional Link Detection (UDLD) are supported on IEEE 802.1Q tunnel ports. Dynamic Trunking Protocol (DTP) is not compatible with IEEE 802.1Q tunneling because you must manually configure asymmetric lin...

Page 385: ...e their topologies to include all remote sites as well as the local sites. STP must run properly, and every VLAN should build a proper spanning tree that includes the local site and all remote sites across the service-provider network. Cisco Discovery Protocol (CDP) must discover neighboring Cisco devices from local and remote sites. VLAN Trunking Protocol (VTP) must provide consistent VLAN configuration...

Page 386: ...eling is enabled on the trunk port, the encapsulated tunnel MAC address is removed and the protocol packets have their normal MAC address. Layer 2 protocol tunneling can be used independently or can enhance IEEE 802.1Q tunneling. If protocol tunneling is not enabled on IEEE 802.1Q tunneling ports, remote switches at the receiving end of the service-provider network do not receive the PDUs and cannot p...

Page 387: ...f EtherChannels by emulating a point-to-point network topology. When you enable protocol tunneling (PAgP or LACP) on the SP switch, remote customer switches receive the PDUs and can negotiate the automatic creation of EtherChannels. [Figure labels: Customer X Site 2 (VLANs 1 to 100); Customer Y Site 2 (VLANs 1 to 200); Customer Y Site 1 (VLANs 1 to 200); Customer X Site 1 (VLANs 1 to 100); VLAN 30; Trunk ports; Switch A; Trunk ports...]

Page 388: ...hport mode dynamic desirable. The switch supports Layer 2 protocol tunneling for CDP, STP, and VTP. For emulated point-to-point network topologies, it also supports PAgP, LACP, and UDLD protocols. The switch does not support Layer 2 protocol tunneling for LLDP. Caution: PAgP, LACP, and UDLD protocol tunneling is only intended to emulate a point-to-point topology. An erroneous configuration that sends tunneled ...

Page 389: ... the customer-specific access VLAN tag. In switch stacks, Layer 2 protocol tunneling configuration is distributed among all stack members. Each stack member that receives an ingress packet on a local port encapsulates or decapsulates the packet and forwards it to the appropriate destination port. On a single switch, ingress Layer 2 protocol-tunneled traffic is sent across all local ports in the same VL...

Page 390: ... on access ports. If you enable PAgP or LACP tunneling, we recommend that you also enable UDLD on the interface for faster link-failure detection. Loopback detection is not supported on Layer 2 protocol tunneling of PAgP, LACP, or UDLD packets. EtherChannel port groups are compatible with tunnel ports when the IEEE 802.1Q configuration is consistent within an EtherChannel port group. If an encapsulated P...

Page 391: ...pes. The range is 1 to 4096. The default is to have no threshold configured. Note: If you also set a drop threshold on this interface, the shutdown-threshold value must be greater than or equal to the drop-threshold value. Step 6: l2protocol-tunnel drop-threshold [cdp | stp | vtp] value. (Optional) Configure the threshold for packets per second accepted for encapsulation. The interface drops packets if the configu...

Page 392: ...ulation Drop
                  Threshold Threshold Counter       Counter       Counter
Gi1/0/11 cdp      1500      1000      2288          2282          0
         stp      1500      1000      116           13            0
         vtp      1500      1000      3             67            0
         pagp                         0             0             0
         lacp                         0             0             0
         udld                         0             0             0
Configuring Layer 2 Tunneling for EtherChannels: To configure Layer 2 point-to-point tunneling to facilitate the automatic creation of EtherChannels, you need to configure both the SP edge switch and the customer switch. Configuring t...

Page 393: ...lue. (Optional) Configure the threshold for packets per second accepted for encapsulation. The interface drops packets if the configured threshold is exceeded. If no protocol option is specified, the threshold applies to each of the tunneled Layer 2 protocol types. The range is 1 to 4096. The default is to have no threshold configured. Note: If you also set a shutdown threshold on this interface, the drop th...

Page 394: ...udld
Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport access vlan 18
Switch(config-if)# switchport mode dot1q-tunnel
Switch(config-if)# l2protocol-tunnel point-to-point pagp
Switch(config-if)# l2protocol-tunnel point-to-point udld
Command / Purpose: Step 1: configure terminal. Enter global...

Page 395: ...ort trunk encapsulation isl
Switch(config-if)# switchport mode trunk
This example shows how to configure the customer switch at Site 1. Fast Ethernet interfaces 1, 2, 3, and 4 are set for IEEE 802.1Q trunking, UDLD is enabled, EtherChannel group 1 is enabled, and the port channel is shut down and then enabled to activate the EtherChannel configuration.
Switch(config)# interface gigabitethernet1/0/1
Switch(con...

Page 396: ... clear l2protocol-tunnel counters: Clear the protocol counters on Layer 2 protocol tunneling ports. show dot1q-tunnel: Display IEEE 802.1Q tunnel ports on the switch. show dot1q-tunnel interface interface-id: Verify if a specific interface is a tunnel port. show l2protocol-tunnel: Display information about Layer 2 protocol tunneling ports. show errdisable recovery: Verify if the recovery timer from a Layer...

Page 397: ...hapter 18, Configuring MSTP. For information about other spanning-tree features such as Port Fast, UplinkFast, root guard, and so forth, see Chapter 19, Configuring Optional Spanning-Tree Features. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release. This chapter consists of these sections: Understanding Spanning-Tree Features, page ...

Page 398: ...ogy. Designated: A forwarding port elected for every switched LAN segment. Alternate: A blocked port providing an alternate path to the root bridge in the spanning tree. Backup: A blocked port in a loopback configuration. The switch that has all of its ports as the designated role or as the backup role is the root switch. The switch that has at least one of its ports in the designated role is called the d...

Page 399: ... attached LANs for which it is the designated switch. If a switch receives a configuration BPDU that contains inferior information to that currently stored for that port, it discards the BPDU. If the switch is a designated switch for the LAN from which the inferior BPDU was received, it sends that LAN a BPDU containing the up-to-date information stored for that port. In this way, inferior information is...

Page 400: ...1 Spanning-Tree Port States in a Switch Stack. All paths that are not needed to reach the root switch from anywhere in the switched network are placed in the spanning-tree blocking mode. Bridge ID, Switch Priority, and Extended System ID: The IEEE 802.1D standard requires that each switch has a unique bridge identifier (bridge ID), which controls the selection of the root switch. Because each VLAN is con...

Page 401: ...on page 17-16, the Configuring a Secondary Root Switch section on page 17-18, and the Configuring the Switch Priority of a VLAN section on page 17-21. Spanning-Tree Interface States: Propagation delays can occur when protocol information passes through a switched LAN. As a result, topology changes can take place at different times and at different places in a switched network. When an interface transitio...

Page 402: ...and resets the forward-delay timer. 3. In the learning state, the interface continues to block frame forwarding as the switch learns end-station location information for the forwarding database. 4. When the forward-delay timer expires, spanning tree moves the interface to the forwarding state, where both learning and frame forwarding are enabled. Blocking State: A Layer 2 interface in the blocking state do...

Page 403: ... learning state from the listening state. An interface in the learning state performs these functions: discards frames received on the interface; discards frames switched from another interface for forwarding; learns addresses; receives BPDUs. Forwarding State: A Layer 2 interface in the forwarding state forwards frames. The interface enters the forwarding state from the learning state. An interface in the...

Page 404: ...tions in a switched network might not be ideal. For instance, connecting higher-speed links to an interface that has a higher number than the root port can cause a root-port change. The goal is to make the fastest link the root port. For example, assume that one port on Switch B is a Gigabit Ethernet link and that another port on Switch B (a 10/100 link) is the root port. Network traffic might be more eff...

Page 405: ...switch (or each switch in the stack) forwards those packets as unknown multicast addresses. Accelerated Aging to Retain Connectivity: The default for aging dynamic addresses is 5 minutes, the default setting of the mac address-table aging-time global configuration command. However, a spanning-tree reconfiguration can cause many station locations to change. Because these stations could be unreachable for 5...

Page 406: ...figuration as PVST+, except where noted, and the switch needs only minimal extra configuration. The benefit of rapid PVST+ is that you can migrate a large PVST+ install base to rapid PVST+ without having to learn the complexities of the MSTP configuration and without having to reprovision your network. In rapid-PVST+ mode, each VLAN runs its own spanning-tree instance up to the maximum supported. MSTP: This s...

Page 407: ...g-tree instance for each VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+. The switch combines the spanning-tree instance of the IEEE 802.1Q VLAN of the trunk with the spanning-tree instance of the non-Cisco IEE...

Page 408: ...ce occurs within the stack and possibly outside the stack. The remaining stack member with the lowest stack port ID becomes the stack root. If the stack master fails or leaves the stack, the stack members elect a new stack master, and all stack members change their bridge IDs of the spanning trees to the new master bridge ID. If the switch stack is the spanning-tree root and the stack master fails or l...

Page 409: ... spanning tree are already in use, you can disable spanning tree on one of the VLANs and then enable it on the VLAN where you want it to run. Use the no spanning-tree vlan vlan-id global configuration command to disable spanning tree on a specific VLAN, and use the spanning-tree vlan vlan-id global configuration command to enable spanning tree on the desired VLAN. Table 17-3 Default Spanning-Tree Conf...

Page 410: ...there are several adjacent switches that have all run out of spanning-tree instances. You can prevent this possibility by setting up allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances. Setting up allowed lists is not necessary in many cases and can make it more labor-intensive to add another VLAN to the network. Spanning-tree commands control th...

Page 411: ...elect rapid-pvst to enable rapid PVST+. Step 3: interface interface-id. (Recommended for rapid-PVST+ mode only) Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports, VLANs, and port channels. The VLAN ID range is 1 to 4094. The port-channel range is 1 to 48. Step 4: spanning-tree link-type point-to-point. (Recommended for rapid-PVST+ mode only) Specify th...

Page 412: ...itch priority from the default value (32768) to a significantly lower value. When you enter this command, the software checks the switch priority of the root switches for each VLAN. Because of the extended system ID support, the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN. If any root switch for the specified ...

Page 413: ...d-time, and the spanning-tree vlan vlan-id max-age global configuration commands. Beginning in privileged EXEC mode, follow these steps to configure a switch to become the root for the specified VLAN. This procedure is optional. To return to the default setting, use the no spanning-tree vlan vlan-id root global configuration command. Command / Purpose: Step 1: configure terminal. Enter global configuration mo...

Page 414: ...forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) to interfaces that you want selected last. If all interfaces have the same priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. Command / Purpose: Step 1: configure...

Page 415: ...tion mode. Step 2: interface interface-id. Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces (port-channel port-channel-number). Step 3: spanning-tree port-priority priority. Configure the port priority for an interface. For priority, the range is 0 to 240 in increments of 16; the default is 128. Valid values ar...

Page 416: ...uration mode. Step 2: interface interface-id. Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces (port-channel port-channel-number). Step 3: spanning-tree cost cost. Configure the cost for an interface. If a loop occurs, spanning tree uses the path cost when selecting an interface to place into the forwarding s...

Page 417: ...ary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the switch priority. Beginning in privileged EXEC mode, follow these steps to configure the switch priority of a VLAN. This procedure is optional. To return to the default setting, use the no spanning-tree vlan vlan-id priority global configuration command. Command / Purpose: Step 1: configure terminal. Enter global...

Page 418: ...imers. Variable / Description: Hello timer: Controls how often the switch broadcasts hello messages to other switches. Forward-delay timer: Controls how long each of the listening and learning states last before the interface begins forwarding. Maximum-age timer: Controls the amount of time the switch stores protocol information received on an interface. Transmit hold count: Controls the number of BPDUs that...

Page 419: ...istening states to the forwarding state. For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094. For seconds, the range is 4 to 30; the default is 15. Step 3: end. Return to privileged EXEC mode. Step 4: show spanning-tree vlan vlan-id. Verify your entries. Step 5: copy running-config startu...

Page 420: ...by using the clear spanning-tree interface interface-id privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: spanning-tree transmit hold-count value. Configure the number of BPDUs that can be sent before pausing for 1 ...

Page 421: ... is automatically enabled. The RSTP provides rapid convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802.1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state. Both MSTP and RSTP improve the spanning-tree operation and maintain backward compatibility with equipment that is based on the original IEEE 802.1D spanning tr...

Page 422: ...anning-tree (MST) instances, you must consistently configure the switches with the same MST configuration information. A collection of interconnected switches that have the same MST configuration comprises an MST region, as shown in Figure 18-1 on page 18-4. The MST configuration controls to which MST region each switch belongs. The configuration includes the name of the region, the revision number, and th...

Page 423: ... tree algorithm running among switches that support the IEEE 802.1w, IEEE 802.1s, and IEEE 802.1D standards. The CIST inside an MST region is the same as the CST outside a region. For more information, see the Operations Within an MST Region section on page 18-3 and the Operations Between MST Regions section on page 18-4. Note: The implementation of the IEEE 802.1s standard changes some of the terminolog...

Page 424: ...itch to adjacent STP switches and MST regions. Figure 18-1 shows a network with three MST regions and a legacy IEEE 802.1D switch (D). The CIST regional root for region 1 (A) is also the CIST root. The CIST regional root for region 2 (B) and the CIST regional root for region 3 (C) are the roots for their respective subtrees within the CIST. The RSTP runs in all regions. Figure 18-1 MST Regions, CIST Masters, and...

Page 425: ... root in the region. The CIST regional root acts as a root switch for the IST. The CIST internal root path cost is the cost to the CIST regional root in a region. This cost is only relevant to the IST, instance 0. Table 18-1 on page 18-5 compares the IEEE standard and the Cisco prestandard terminology. Hop Count: The IST and MST instances do not use the message-age and maximum-age information in the conf...

Page 426: ...tation treats a port that receives an external message as a boundary port. This means a port cannot receive a mix of internal and external messages. An MST region includes both switches and LANs. A segment belongs to the region of its designated port. Therefore, a port in a different region than the designated port for a segment is a boundary port. This definition allows two ports internal to a region t...

Page 427: ...restandard switches can fail, you can use an interface configuration command to identify prestandard ports. A region cannot be formed between a standard and a prestandard switch, but they can interoperate by using the CIST. Only the capability of load balancing over different instances is lost in that particular case. The CLI displays different flags depending on the port configuration when a port rece...

Page 428: ...ame switch ID for a given spanning tree. The switch ID is derived from the MAC address of the stack master. If a switch that does not support MSTP is added to a switch stack that does support MSTP, or the reverse, the switch is put into a version-mismatch state. If possible, the switch is automatically upgraded or downgraded to the same version of software that is running on the switch stack. When a new ...

Page 429: ... port. A boundary port connects to a LAN, the designated switch of which is either a single spanning-tree switch or a switch with a different MST configuration. Understanding RSTP: The RSTP takes advantage of point-to-point wiring and provides rapid convergence of the spanning tree. Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with the default settings ...

Page 430: ...ks as follows: Edge ports: If you configure a port as an edge port on an RSTP switch by using the spanning-tree portfast interface configuration command, the edge port immediately transitions to the forwarding state. An edge port is the same as a Port Fast-enabled port, and you should enable it only on ports that connect to a single end station. Root ports: If the RSTP selects a new root port, it blocks t...

Page 431: ...efore moving the port to the forwarding state. CSRT is automatically enabled when the switch is in MST mode. The switch learns the link type from the port duplex mode: a full-duplex port is considered to have a point-to-point connection; a half-duplex port is considered to have a shared connection. You can override the default setting that is controlled by the duplex setting by using the spanning-tree ...

Page 432: ...ected by a point-to-point link are in agreement about their port roles, the RSTP immediately transitions the port states to forwarding. The sequence of events is shown in Figure 18-5. Figure 18-5 Sequence of Events During Rapid Convergence. Bridge Protocol Data Unit Format and Processing: The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version is set to 2. A new ...

Page 433: ...ot set the proposal flag and starts the forward-delay timer for the port. The new root port requires twice the forward-delay time to transition to the forwarding state. If the superior information received on the port causes the port to become a backup or alternate port, RSTP sets the port to the blocking state but does not send the agreement message. The designated port continues sending BPDUs with t...

Page 434: ...t basis. When a port is initialized, the migrate-delay timer is started (it specifies the minimum time during which RSTP BPDUs are sent), and RSTP BPDUs are sent. While this timer is active, the switch processes all BPDUs received on that port and ignores the protocol type. If the switch receives an IEEE 802.1D BPDU after the port migration-delay timer has expired, it assumes that it is connected to an IEEE 8...

Page 435: ...T, or all VLANs run MSTP. For more information, see the Spanning-Tree Interoperability and Backward Compatibility section on page 17-11. For information on the recommended trunk port configuration, see the Interaction with Other Features section on page 12-20. All stack members run the same version of spanning tree (all PVST+, rapid PVST+, or MSTP). For more information, see the Spanning-Tree Interoperability a...

Page 436: ...they must have the same VLAN-to-instance mapping, the same configuration revision number, and the same name. A region can have one member or multiple members with the same MST configuration; each member must be capable of processing RSTP BPDUs. There is no limit to the number of MST regions in a network, but each region can only support up to 65 spanning-tree instances. You can assign a VLAN to only one ...

Page 437: ...tch(config)# Configuring the Root Switch: The switch maintains a spanning-tree instance for the group of VLANs mapped to it. A switch ID, consisting of the switch priority and the switch MAC address, is associated with each instance. For a group of VLANs, the switch with the lowest switch ID becomes the root switch. To configure a switch to become the root, use the spanning-tree mst instance-id root global ...

Page 438: ...time. You can use the hello keyword to override the automatically calculated hello time. Note: After configuring the switch as the root switch, we recommend that you avoid manually configuring the hello time, forward-delay time, and maximum-age time through the spanning-tree mst hello-time, spanning-tree mst forward-time, and the spanning-tree mst max-age global configuration commands. Beginning in privile...

Page 439: ...ng state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) to interfaces that you want selected last. If all interfaces have the same priority value, the MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. Command / Purpose: Step 1: configure terminal. Ent...

Page 440: ...nd to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance-id port-priority interface configuration command. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel ...

Page 441: ...g-tree mst instance-id cost interface configuration command. Configuring the Switch Priority: You can configure the switch priority and make it more likely that a standalone switch or a switch in the stack will be chosen as the root switch. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify an interface to configure, and enter interface conf...

Page 442: ...figuration mode. Step 2: spanning-tree mst instance-id priority priority. Configure the switch priority. For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 4094. For priority, the range is 0 to 61440 in increments of 4096; the default is 32768. The lower the number, the more likely the switch will be c...

Page 443: ...tep 1: configure terminal. Enter global configuration mode. Step 2: spanning-tree mst forward-time seconds. Configure the forward time for all MST instances. The forward delay is the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state. For seconds, the range is 4 to 30; the default is 15. Step 3: end. Return to privileged EXEC mode. Step 4...

Page 444: ...nnection. If you have a half-duplex link physically connected point-to-point to a single port on a remote switch running MSTP, you can override the default setting of the link type and enable rapid transitions to the forwarding state. Beginning in privileged EXEC mode, follow these steps to override the default link-type setting. This procedure is optional. Command / Purpose: Step 1: configure terminal. Ente...

Page 445: ...ds only IEEE 802.1D BPDUs on that port. An MSTP switch also can detect that a port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (Version 3) associated with a different region, or an RST BPDU (Version 2). However, the switch does not automatically revert to the MSTP mode if it no longer receives IEEE 802.1D BPDUs, because it cannot detect whether the legacy switch has been remov...

Page 446: ...e or more of the privileged EXEC commands in Table 18-5. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release. Table 18-5 Commands for Displaying MST Status. Command / Purpose: show spanning-tree mst configuration: Displays the MST region configuration. show spanning-tree mst configuration digest: Displays the MD5 digest included...

Page 447: ...tion about the Multiple Spanning Tree Protocol (MSTP) and how to map multiple VLANs to the same spanning-tree instance, see Chapter 18, Configuring MSTP. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release. This chapter consists of these sections: Understanding Optional Spanning-Tree Features, page 19-1; Configuring Optional Spanni...

Page 448: ...sk creating a spanning-tree loop. You can enable this feature by using the spanning-tree portfast interface configuration or the spanning-tree portfast default global configuration command. Figure 19-1 Port Fast-Enabled Interfaces. Understanding BPDU Guard: The BPDU guard feature can be globally enabled on the switch or can be enabled per port, but the feature operates with some differences. At the glob...

Page 449: ...command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its P...

Page 450: ...parameter is 150 packets per second. However, if you enter zero, station-learning frames are not generated, so the spanning-tree topology converges more slowly after a loss of connectivity. Note: UplinkFast is most useful in wiring-closet switches at the access or edge of the network. It is not appropriate for backbone devices. This feature might not be useful for other types of applications. UplinkFast pr...

Page 451: ... provides a fast spanning-tree transition (fast convergence in less than 1 second under normal network conditions) across a switch stack. During the fast transition, an alternate redundant link on the switch stack is placed in the forwarding state without causing temporary spanning-tree loops or loss of connectivity to the backbone. With this feature, you can have a redundant and resilient network in so...

Page 452: ...ate stack root port on Switch 2 or Switch 3 and puts it into the forwarding state in less than 1 second. Figure 19-5 Cross-Stack UplinkFast Topology. When certain link loss or spanning-tree events occur (described in the Events that Cause Fast Convergence section on page 19-7), the Fast Uplink Transition Protocol uses the neighbor list to send fast-transition requests to stack members. The switch sending th...

Page 453: ...ccurs under these circumstances: The stack root port link fails. If two switches in the stack have alternate paths to the root, only one of the switches performs the fast transition. The failed link, which connects the stack root to the spanning-tree root, recovers. A network reconfiguration causes a new stack root switch to be selected. A network reconfiguration causes a new port on the current stack roo...

Page 454: ... If the switch has alternate paths to the root switch, it uses these alternate paths to send a root link query (RLQ) request. The switch sends the RLQ request on all alternate paths to learn if any stack member has an alternate root to the root switch, and waits for an RLQ reply from other switches in the network and in the stack. When a stack member receives an RLQ reply from a nonstack member on a blo...

Page 455: ...warding state, providing a path from Switch B to Switch A. The root-switch election takes approximately 30 seconds, twice the Forward Delay time if the default Forward Delay time of 15 seconds is set. Figure 19-7 shows how BackboneFast reconfigures the topology to account for the failure of link L1. Figure 19-7 BackboneFast Example After Indirect Link Failure. If a new switch is introduced into a shared...

Page 456: ...n in Figure 19-9. You can avoid this situation by enabling root guard on data-center switch interfaces that connect to switches in your customer's network. If spanning-tree calculations cause an interface in the customer network to be selected as the root port, root guard then places the interface in the root-inconsistent (blocked) state to prevent the customer's switch from becoming the root switch or...

Page 457: ...ming designated ports, and spanning tree does not send BPDUs on root or alternate ports. When the switch is operating in MST mode, BPDUs are not sent on nonboundary ports only if the interface is blocked by loop guard in all MST instances. On a boundary port, loop guard blocks the interface in all MST instances. Configuring Optional Spanning-Tree Features: These sections contain this configuration inform...

Page 458: ...ture enabled is moved directly to the spanning-tree forwarding state without waiting for the standard forward-time delay. Caution: Use Port Fast only when connecting a single end station to an access or trunk port. Enabling this feature on an interface connected to a switch or hub could prevent spanning tree from detecting and disabling loops in your network, which could cause broadcast storms and add...

Page 459: ...h shuts down the entire port on which the violation occurred. To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify an interface to c...

Page 460: ...ree portfast bpduguard default global configuration command by using the spanning-tree bpduguard enable interface configuration command. Enabling BPDU Filtering: When you globally enable BPDU filtering on Port Fast-enabled interfaces, it prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begi...

Page 461: ...terface configuration command. Enabling UplinkFast for Use with Redundant Links: UplinkFast cannot be enabled on VLANs that have been configured with a switch priority. To enable UplinkFast on a VLAN with switch priority configured, first restore the switch priority on the VLAN to the default value by using the no spanning-tree vlan vlan-id priority global configuration command. Note: When you enable Up...

Page 462: ...panning-tree uplinkfast command. Enabling Cross-Stack UplinkFast: When you enable or disable the UplinkFast feature by using the spanning-tree uplinkfast global configuration command, CSUF is automatically globally enabled or disabled on nonstack port interfaces. For more information, see the Enabling UplinkFast for Use with Redundant Links section on page 19-15. To disable UplinkFast on the switch and ...

Page 463: ...he EtherChannel guard feature, use the no spanning-tree etherchannel guard misconfig global configuration command. You can use the show interfaces status err-disabled privileged EXEC command to show which switch ports are disabled because of an EtherChannel misconfiguration. On the remote device, you can enter the show etherchannel summary privileged EXEC command to verify the EtherChannel configurati...

Page 464: ... Guard: You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is configured on the entire switched network. Loop guard operates only on interfaces that are considered point-to-point by the spanning tree. Note: You cannot enable both loop guard and root guard at the same ti...

Page 465: ...spanning-tree privileged EXEC command, see the command reference for this release. Step 3, spanning-tree loopguard default: Enable loop guard. By default, loop guard is disabled. Step 4, end: Return to privileged EXEC mode. Step 5, show running-config: Verify your entries. Step 6, copy running-config startup-config: (Optional) Save your entries in the configuration file. Command / Purpose. Table 19-2 Commands for Disp...

Page 466: ...19-20 Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide, OL-12247-01, Chapter 19, Configuring Optional Spanning-Tree Features: Displaying the Spanning-Tree Status ...

Page 467: ...C Address Table Move Update, page 20-1; Configuring Flex Links and MAC Address Table Move Update, page 20-5; Monitoring Flex Links and the MAC Address Table Move Update, page 20-11. Understanding Flex Links and the MAC Address Table Move Update: This section contains this information: Flex Links, page 20-1; VLAN Flex Link Load Balancing and Support, page 20-2; MAC Address Table Move Update, page 20-3; Flex Link...

Page 468: ...continues forwarding traffic. You can also choose to configure a preemption mechanism, specifying the preferred port for forwarding traffic. For example, in the example in Figure 20-1, you can configure the Flex Links pair with preemption mode. In the scenario shown, when port 1 comes back up and has more bandwidth than port 2, port 1 begins forwarding traffic after 60 seconds. Port 2 becomes the standby p...

Page 469: ...moves the MAC address of the PC on port 3 and relearns it on port 4; traffic can then be forwarded from the server to the PC through port 2. If the MAC address-table move update feature is configured and enabled on the switches in Figure 20-3 and port 1 goes down, port 2 starts forwarding traffic from the PC to the server. The switch sends a MAC address-table move update packet from port 2. Switch C ge...

Page 470: ...247-01, Chapter 20, Configuring Flex Links and the MAC Address Table Move Update Feature: Understanding Flex Links and the MAC Address Table Move Update. Figure 20-3 MAC Address Table Move Update Example (diagram: Switch A, Switch B, Switch C, Switch D, Server, PC; ports 1 to 4) ...

Page 471: ...k does not have to be the same type (Gigabit Ethernet or port channel) as the active link. However, you should configure both Flex Links with similar characteristics so that there are no loops or changes in behavior if the standby link begins to forward traffic. STP is disabled on Flex Link ports. A Flex Link port does not participate in STP, even if the VLANs present on the port are configured for STP. W...

Page 472: ...itch(conf)# interface gigabitethernet1/0/1
Switch(conf-if)# switchport backup interface gigabitethernet1/0/2
Switch(conf-if)# end
Switch# show interface switchport backup
Switch Backup Interface Pairs:
Active Interface   Backup Interface   State
GigabitEthernet1/0/1   GigabitEthernet1/0/2   Active Up/Backup Standby
Command / Purpose: Step 1, configure terminal: Enter global configuration mode. Step 2, interface interfac...

Page 473: ...econds
Bandwidth : 100000 Kbit (Gi1/0/1), 100000 Kbit (Gi1/0/2)
Mac Address Move Update Vlan : auto
Command / Purpose: Step 1, configure terminal: Enter global configuration mode. Step 2, interface interface-id: Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 48. Step 3, switchport backup...

Page 474: ...ferred on Backup Interface: 60, 100, 120. When a Flex Link interface goes down (LINK_DOWN), VLANs preferred on this interface are moved to the peer interface of the Flex Link pair. In this example, if interface Gi2/0/6 goes down, Gi2/0/8 carries all VLANs of the Flex Link pair.
Switch# show interfaces switchport backup
Switch Backup Interface Pairs:
Active Interface   Backup Interface   State
GigabitEthernet2/0/6 ...

Page 475: ...Interface 3 4
Preemption Mode : off
Bandwidth : 10000 Kbit (Fa1/0/3), 100000 Kbit (Fa1/0/4)
Mac Address Move Update Vlan : auto
Configuring the MAC Address Table Move Update Feature: This section contains this information: Configuring a switch to send MAC address-table move updates; Configuring a switch to get MAC address-table move updates. Beginning in privileged EXEC mode, follow these steps to configure an ac...

Page 476: ...kets per min : Rcv 40, Xmt 60
Rcv packet count : 5
Rcv conforming packet count : 5
Rcv invalid packet count : 0
Rcv packet count this min : 0
Rcv threshold exceed count : 0
Rcv last sequence this min : 0
Rcv last interface : Po2
Rcv last src-mac address : 000b.462d.c502
Rcv last switch-ID : 0403.fd6a.8700
Xmt packet count : 0
Xmt packet count this min : 0
Xmt threshold exceed count : 0
Xmt pak buf unavail cnt : 0
Xmt last int...

Page 477: ...tch(conf)# end. Monitoring Flex Links and the MAC Address Table Move Update: Table 20-1 shows the privileged EXEC commands for monitoring the Flex Links configuration and the MAC address-table move update information. Step 3, end: Return to privileged EXEC mode. Step 4, show mac address-table move update: Verify the configuration. Step 5, copy running-config startup-config: (Optional) Save your entries in the sw...

Page 479: ...g DHCP Features, page 21-1; Configuring DHCP Features, page 21-8; Displaying DHCP Snooping Information, page 21-15; Understanding IP Source Guard, page 21-16; Configuring IP Source Guard, page 21-17; Displaying IP Source Guard Information, page 21-19. Understanding DHCP Features: DHCP is widely used in LAN environments to dynamically assign host IP addresses from a centralized server, which significantly reduce...

Page 480: ...CP Snooping Information" section on page 21-15. DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch. Note: For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted inter...

Page 481: ...not learn the DHCP snooping bindings for connected devices and cannot build a complete DHCP snooping binding database. When an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allow-untrusted global configuration command, the aggregation switch accepts packets with option-82 information from the edge switch. The...

Page 482: ...ng these suboptions, see the "Enabling DHCP Snooping and Option 82" section on page 21-12. If the IP address of the relay agent is configured, the switch adds this IP address in the DHCP packet. The blade switch forwards the DHCP request that includes the option-82 field to the DHCP server. The DHCP server receives the packet. If the server is option-82-capable, it can use the remote ID, the circuit ID, or b...

Page 483: ... the packet formats for the remote-ID suboption and the circuit-ID suboption when the default suboption configuration is used. For the circuit-ID suboption, the module number corresponds to the switch number in the stack. The switch uses the packet formats when you globally enable DHCP snooping and enter the ip dhcp snooping information option global configuration command. Figure 21-2 Suboption Packet...

Page 484: ...and configuration parameters, such as the boot file. An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool. For more information about manual and automatic address bindings, see the "Configuring DHCP" chapter of the Cisco I...

Page 485: ...ries in the binding file. The frequency at which the file is updated is based on a configurable delay, and the updates are batched. If the file is not updated in a specified time (set by the write-delay and abort-timeout values), the update stops. This is the format of the file with bindings:
initial-checksum
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
entry-1 checksum-1
entry-2 checksum-1-2
entry-n checksum-1-2-n...

Page 486: ... about switch stacks, see Chapter 5, "Managing Switch Stacks." Configuring DHCP Features: These sections contain this configuration information: Default DHCP Configuration, page 21-8; DHCP Snooping Configuration Guidelines, page 21-9; Configuring the DHCP Server, page 21-10; DHCP Server and Switch Stacks, page 21-10; Configuring the DHCP Relay Agent, page 21-11; Specifying the Packet-Forwarding Address, page 21-11; ...

Page 487: ...ecify the IP addresses that the DHCP server can assign or exclude, or you must configure DHCP options for these devices. When configuring a large number of circuit IDs on a switch, consider the impact of lengthy character strings on the NVRAM or the flash memory. If the circuit-ID configurations, combined with other data, exceed the capacity of the NVRAM or the flash memory, an error message appears. DHCP...

Page 488: ...igured, the switch writes binding changes to the binding file only when the switch system clock is synchronized with NTP. Do not enter the ip dhcp snooping information option allow-untrusted command on an aggregation switch to which an untrusted device is connected. If you enter this command, an untrusted device might spoof the option-82 information. Starting with Cisco IOS Release 12.2(37)SE, you can d...

Page 489: ...n the destination network segment. Using the network address enables any DHCP server to respond to requests. Beginning in privileged EXEC mode, follow these steps to specify the packet-forwarding address. Command / Purpose: Step 1, configure terminal: Enter global configuration mode. Step 2, service dhcp: Enable the DHCP server and relay agent on your switch. By default, this feature is enabled. Step 3, end: Retur...

Page 490: ...onfig startup-config: (Optional) Save your entries in the configuration file. Command / Purpose: Step 1, configure terminal: Enter global configuration mode. Step 2, ip dhcp snooping: Enable DHCP snooping globally. Step 3, ip dhcp snooping vlan vlan-range: Enable DHCP snooping on a VLAN or range of VLANs. The range is 1 to 4094. You can enter a single VLAN ID identified by VLAN ID number, a series o...

Page 491: ...e. Step 8, ip dhcp snooping vlan vlan information option format-type circuit-id string ASCII-string: (Optional) Configure the circuit-ID suboption for the specified interface. Specify the VLAN and port identifier, using a VLAN ID in the range of 1 to 4094. The default circuit ID is the port identifier, in the format vlan-mod-port. You can configure the circuit ID to be a string of 3 to 63 ASCII characters (n...

Page 492: ...nooping configuration on a secondary VLAN is derived from its primary VLAN. The show ip dhcp snooping privileged EXEC command output shows all VLANs, including primary and secondary private VLANs, on which DHCP snooping is enabled. Enabling the Cisco IOS DHCP Server Database: For procedures to enable and configure the Cisco IOS DHCP server database, see the "DHCP Configuration Task List" section in the "Conf...

Page 493: ...inite duration, which means to continue trying the transfer indefinitely. Step 4, ip dhcp snooping database write-delay seconds: Specify the duration for which the transfer should be delayed after the binding database changes. The range is from 15 to 86400 seconds. The default is 300 seconds (5 minutes). Step 5, end: Return to privileged EXEC mode. Step 6, ip dhcp snooping binding mac-address vlan vlan-id ip-a...

Page 494: ...ing table has bindings that are learned by DHCP snooping or are manually configured (static IP source bindings). An entry in this table has an IP address, its associated MAC address, and its associated VLAN number. The switch uses the IP source binding table only when IP source guard is enabled. IP source guard is supported only on Layer 2 ports, including access and trunk ports. You can configure IP sourc...

Page 495: ...ation Guidelines: These are the configuration guidelines for IP source guard: You can configure static IP bindings only on nonrouted ports. If you enter the ip source binding mac-address vlan vlan-id ip-address interface interface-id global configuration command on a routed interface, this error message appears: Static IP source binding can only be configured on switch port. When IP source guard with source...

Page 496: ...able. For more information about provisioned switches, see Chapter 5, "Managing Switch Stacks." Enabling IP Source Guard: Beginning in privileged EXEC mode, follow these steps to enable and configure IP source guard on an interface. Command / Purpose: Step 1, configure terminal: Enter global configuration mode. Step 2, interface interface-id: Specify the interface to be configured, and enter interface configura...

Page 497: ... exit
Switch(config)# ip source binding 0100.0022.0010 vlan 10 10.0.0.2 interface gigabitethernet1/0/1
Switch(config)# ip source binding 0100.0230.0002 vlan 11 10.0.0.4 interface gigabitethernet1/0/1
Switch(config)# end
Displaying IP Source Guard Information: To display the IP source guard information, use one or more of the privileged EXEC commands in Table 21-3. Step 8, show ip source binding ip-address m...

Page 499: ...ction. ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. For example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache. Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. All hosts within the broad...

Page 500: ...rk. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks. Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The switch performs these activities: Intercepts all ARP requests and responses on untrusted ports; Verifies that each of these intercepted packets has a...

Page 501: ...n switch bypass the security check. No other validation is needed at any other place in the VLAN or in the network. You configure the trust setting by using the ip arp inspection trust interface configuration command. Caution: Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity. In Figure 22-2, assume that both ...

Page 502: ...mited to prevent a denial-of-service attack. By default, the rate for untrusted interfaces is 15 packets per second (pps). Trusted interfaces are not rate-limited. You can change this setting by using the ip arp inspection limit interface configuration command. When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the error-disabled state. The port remains in tha...

Page 503: ...uring Dynamic ARP Inspection: These sections contain this configuration information: Default Dynamic ARP Inspection Configuration, page 22-5; Dynamic ARP Inspection Configuration Guidelines, page 22-6; Configuring Dynamic ARP Inspection in DHCP Environments, page 22-7 (required in DHCP environments); Configuring ARP ACLs for Non-DHCP Environments, page 22-8 (required in non-DHCP environments); Limiting the Rate...

Page 504: ...ckets. Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports. A physical port can join an EtherChannel port channel only when the trust state of the physical port and the channel port match. Otherwise, the physical port remains suspended in the port channel. A port channel inherits its trust state from the first physical port that joins the channel. Co...

Page 505: ...ice attack to other VLANs when the software places the port in the error-disabled state. When you enable dynamic ARP inspection on the switch, policers that were configured to police ARP traffic are no longer effective. The result is that all ARP traffic is sent to the CPU. Configuring Dynamic ARP Inspection in DHCP Environments: This procedure shows how to configure dynamic ARP inspection when two swi...

Page 506: ...ecify the same VLAN ID for both switches. Step 4, interface interface-id: Specify the interface connected to the other switch, and enter interface configuration mode. Step 5, ip arp inspection trust: Configure the connection between the switches as trusted. By default, all interfaces are untrusted. The switch does not check ARP packets that it receives from the other switch on the trusted interface. It simpl...

Page 507: ...to configure an ARP ACL on Switch A. This procedure is required in non-DHCP environments. Command / Purpose: Step 1, configure terminal: Enter global configuration mode. Step 2, arp access-list acl-name: Define an ARP ACL, and enter ARP access-list configuration mode. By default, no ARP access lists are defined. Note: At the end of the ARP access list, there is an implicit deny ip any mac any command. Step 3, permi...

Page 508: ...L. ARP packets containing only IP-to-MAC address bindings are compared against the ACL. Packets are permitted only if the access list permits them. Step 6, interface interface-id: Specify the Switch A interface that is connected to Switch B, and enter interface configuration mode. Step 7, no ip arp inspection trust: Configure the Switch A interface that is connected to Switch B as untrusted. By default, all ...

Page 509: ...eout period. Note: Unless you configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default...

Page 510: ... address, the sender and target IP addresses, and the source MAC address. Step 4, exit: Return to global configuration mode. Step 5, errdisable detect cause arp-inspection, errdisable recovery cause arp-inspection, and errdisable recovery interval interval: (Optional) Enable error recovery from the dynamic ARP inspection error-disabled state, and configure the dynamic ARP inspection recover mechanism varia...

Page 511: ...nter global configuration mode. Step 2, ip arp inspection validate {src-mac | dst-mac | ip}: Perform a specific check on incoming ARP packets. By default, no checks are performed. The keywords have these meanings: For src-mac, check the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with dif...
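The DAI decision path from pages 500, 501 and 511 (trusted ports bypass the check, untrusted ports are validated against the DHCP snooping binding table, and the optional src-mac, dst-mac and ip checks run first), modeled in Python as an added example that is not Cisco's code. The binding table, port names and ARP packets are constructed for illustration; the scope of the dst-mac and ip checks follows Cisco IOS documented behaviour for those keywords.

```python
"""Model of the dynamic ARP inspection (DAI) decision path. Added example,
not Cisco's code; bindings, ports and packets below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding-table entry (IP, MAC, VLAN)."""
    ip: str
    mac: str
    vlan: int


@dataclass(frozen=True)
class ArpPacket:
    """Fields DAI looks at: Ethernet header plus ARP body."""
    vlan: int
    eth_src: str
    eth_dst: str
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _invalid_ip(ip: str) -> bool:
    """Addresses the 'ip' validation treats as unexpected in an ARP body."""
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast


class DaiInspector:
    def __init__(self, bindings, trusted_ports=(), validate=()):
        # Key on (VLAN, IP): a binding is scoped to the VLAN it was learned in.
        self.bindings = {(b.vlan, b.ip): b.mac.lower() for b in bindings}
        self.trusted = set(trusted_ports)
        self.validate = set(validate)   # subset of {"src-mac", "dst-mac", "ip"}

    def inspect(self, port: str, pkt: ArpPacket):
        """Return (verdict, reason); verdict is 'forward' or 'drop'."""
        if port in self.trusted:
            return "forward", "trusted port, no check"
        # Optional header/body consistency checks (ip arp inspection validate).
        if "src-mac" in self.validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
            return "drop", "src-mac: Ethernet source != ARP sender MAC"
        if ("dst-mac" in self.validate and pkt.op == "reply"
                and pkt.eth_dst.lower() != pkt.target_mac.lower()):
            return "drop", "dst-mac: Ethernet destination != ARP target MAC"
        if "ip" in self.validate and (_invalid_ip(pkt.sender_ip)
                or (pkt.op == "reply" and _invalid_ip(pkt.target_ip))):
            return "drop", "ip: invalid or unexpected IP address in ARP body"
        # Core DAI check: sender IP-to-MAC must match a DHCP snooping binding.
        expected = self.bindings.get((pkt.vlan, pkt.sender_ip))
        if expected != pkt.sender_mac.lower():
            return "drop", "no DHCP snooping binding for sender IP/MAC on VLAN"
        return "forward", "binding matches"


# Constructed sample data: one VLAN 10 host learned through DHCP snooping.
BINDINGS = [Binding("10.0.0.2", "0100.0022.0010", 10)]
UPLINK = "Gi1/0/24"     # port toward the other switch, configured trusted
HOST_PORT = "Gi1/0/1"   # untrusted access port

LEGIT_REPLY = ArpPacket(10, "0100.0022.0010", "0100.0230.0002", "reply",
                        "0100.0022.0010", "10.0.0.2", "0100.0230.0002", "10.0.0.4")
# Same sender IP claimed by a MAC that holds no binding for it.
FORGED_REPLY = ArpPacket(10, "0100.0aaa.bbbb", "0100.0230.0002", "reply",
                         "0100.0aaa.bbbb", "10.0.0.2", "0100.0230.0002", "10.0.0.4")
# Binding is fine, but the Ethernet source disagrees with the ARP body.
SRC_MAC_MISMATCH = ArpPacket(10, "0100.0aaa.bbbb", "0100.0230.0002", "reply",
                             "0100.0022.0010", "10.0.0.2", "0100.0230.0002", "10.0.0.4")


def run_scenarios(validate=("src-mac",)):
    """Run the constructed packets through DAI; returns {name: verdict}."""
    dai = DaiInspector(BINDINGS, trusted_ports=[UPLINK], validate=validate)
    return {
        "legit": dai.inspect(HOST_PORT, LEGIT_REPLY)[0],
        "forged": dai.inspect(HOST_PORT, FORGED_REPLY)[0],
        "src_mac_mismatch": dai.inspect(HOST_PORT, SRC_MAC_MISMATCH)[0],
        "forged_on_trusted": dai.inspect(UPLINK, FORGED_REPLY)[0],
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18s} -> {verdict}")
```

The forged_on_trusted case shows why the page's caution about trust state matters: a trusted port forwards the same packet that an untrusted port drops.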

Page 512: ...pose: Step 1, configure terminal: Enter global configuration mode. Step 2, ip arp inspection log-buffer {entries number | logs number interval seconds}: Configure the dynamic ARP inspection logging buffer. By default, when dynamic ARP inspection is enabled, denied or dropped ARP packets are logged. The number of log entries is 32. The number of system messages is limited to 5 per second. The logging-rate interval...

Page 513: ...LANs separated by a comma. The range is 1 to 4094. For acl-match matchlog, log packets based on the ACE logging configuration. If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access-list configuration command, ARP packets permitted or denied by the ACL are logged. For acl-match none, do not log packets that match ACLs. For dhcp-bindings all, log all packets...

Page 514: ...privileged EXEC commands in Table 22-4. For more information about these commands, see the command reference for this release. Table 22-3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics: Command / Description: clear ip arp inspection statistics: Clears dynamic ARP inspection statistics. show ip arp inspection statistics vlan vlan-range: Displays statistics for forwarded, dropped, MAC val...

Page 515: ...or IPv4 traffic. For information about MLD snooping, see Chapter 24, "Configuring IPv6 MLD Snooping." Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the "IP Multicast Routing Commands" section in the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2. This chapter consists of these sections: Understa...

Page 516: ...eceives an IGMP join request. The switch supports IP multicast group-based bridging, rather than MAC-addressed based groups. With multicast MAC address-based groups, if an IP address being configured translates (aliases) to a previously configured MAC address or to any reserved multicast MAC addresses (in the range 224.0.0.xxx), the command fails. Because the switch uses IP multicast groups, there are no add...

Page 517: ...MPv2 or IGMPv1 hosts. Note: IGMPv3 join and leave messages are not supported on switches running IGMP filtering or MVR. An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast (SSM) feature. For more information about source-specific multicast with IGMPv3 and IGMP, see this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_...

Page 518: ...e IGMP report to set up a forwarding-table entry, as shown in Table 23-1, that includes the port numbers of Blade Server 1 and the router. The switch hardware can distinguish IGMP information packets from other packets for the multicast group. The information in the table tells the switching engine to send frames addressed to the 224.1.2.3 multicast IP address that are not IGMP packets to the router a...

Page 519: ... receive multicast traffic, the router continues forwarding the multicast traffic to the VLAN. The switch forwards multicast group traffic only to those blade servers listed in the forwarding table for that IP multicast group maintained by IGMP snooping. When blade servers want to leave a multicast group, they can silently leave, or they can send a leave message. When the switch receives a leave message...

Page 520: ...n be configured from 100 to 5000 milliseconds. The timer can be set either globally or on a per-VLAN basis. The VLAN configuration of the leave time overrides the global configuration. For configuration steps, see the "Configuring the IGMP Leave Timer" section on page 23-12. IGMP Report Suppression: Note: IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This ...

Page 521: ...ake longer to converge if the stack master is removed. Configuring IGMP Snooping: IGMP snooping allows switches to examine IGMP packets and make forwarding decisions based on their content. These sections contain this configuration information: Default IGMP Snooping Configuration, page 23-7; Enabling or Disabling IGMP Snooping, page 23-8; Setting the Snooping Method, page 23-9; Configuring a Multicast Route...

Page 522: ...hese steps to enable IGMP snooping on a VLAN interface. To disable IGMP snooping on a VLAN interface, use the no ip igmp snooping vlan vlan-id global configuration command for the specified VLAN number. IGMP snooping querier: Disabled. IGMP report suppression: Enabled. 1. TCN = Topology Change Notification. Table 23-3 Default IGMP Snooping Configuration (continued): Feature / Default Setting. Command / Purpose: Step ...

Page 523: ...no other CGMP packets. To learn of multicast router ports through only PIM-DVMRP packets, use the ip igmp snooping vlan vlan-id mrouter learn pim-dvmrp global configuration command. Note: If you want to use CGMP as the learning method and no multicast routers in the VLAN are CGMP proxy-enabled, you must enter the ip cgmp router-only command to dynamically access the router. For more information, see Chap...

Page 524: ...icast router:
Switch# configure terminal
Switch(config)# ip igmp snooping vlan 200 mrouter interface gigabitethernet0/2
Switch(config)# end
Configuring a Blade Server Statically to Join a Group: Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure a host on an interface. Blade servers that are connected to Layer 2 ports normally join multicast groups dyna...

Page 525: ...Version 2 blade servers. Beginning in privileged EXEC mode, follow these steps to enable IGMP Immediate Leave. Command / Purpose: Step 1, configure terminal: Enter global configuration mode. Step 2, ip igmp snooping vlan vlan-id static ip_address interface interface-id: Statically configure a Layer 2 port as a member of a multicast group. vlan-id is the multicast group VLAN ID. The range is 1 to 1001 and 1006 ...

Page 526: ...MP configurable-leave timer. To globally reset the IGMP leave timer to the default setting, use the no ip igmp snooping last-member-query-interval global configuration command. To remove the configured IGMP leave-time setting from the specified VLAN, use the no ip igmp snooping vlan vlan-id last-member-query-interval global configuration command. Configuring TCN-Related Commands: These sections describe...

Page 527: ...ddress 0.0.0.0. However, when you enable the ip igmp snooping tcn query solicit global configuration command, the switch sends the global leave message whether or not it is the spanning-tree root. When the router receives this special leave, it immediately sends general queries, which expedite the process of recovering from the flood mode during the TCN event. Leaves are always sent if the switch is the ...

Page 528: ... the query source address. If there is no IP address configured on the VLAN interface, the IGMP snooping querier tries to use the configured global IP address for the IGMP querier. If there is no global IP address specified, the IGMP querier tries to use the VLAN switch virtual interface (SVI) IP address (if one exists). If there is no SVI IP address, the switch uses the first available IP address configure...

Page 529: ...ing querier: Enable the IGMP snooping querier. Step 3, ip igmp snooping querier address ip_address: (Optional) Specify an IP address for the IGMP snooping querier. If you do not specify an IP address, the querier tries to use the global IP address configured for the IGMP querier. Note: The IGMP snooping querier does not generate an IGMP general query if it cannot find an IP address on the switch. Step 4, ip i...

Page 530: ...uppression is disabled, all IGMP reports are forwarded to the multicast routers. Beginning in privileged EXEC mode, follow these steps to disable IGMP report suppression. To re-enable IGMP report suppression, use the ip igmp snooping report-suppression global configuration command. Displaying IGMP Snooping Information: You can display IGMP snooping information for dynamically learned and statically confi...

Page 531: ...t | user | count: Display multicast table information for a multicast VLAN or about a specific parameter for the VLAN. vlan-id: The VLAN ID range is 1 to 1001 and 1006 to 4094. count: Display the total number of entries for the specified command options instead of the actual entries. dynamic: Display entries learned through IGMP snooping. ip_address: Display characteristics of the multicast group with the spec...

Page 532: ...rcepts the IGMP messages and modifies the forwarding table to include or remove the subscriber as a receiver of the multicast stream, even though the receivers might be in a different VLAN from the source. This forwarding behavior selectively allows traffic to cross between different VLANs. You can set the switch for compatible or dynamic mode of MVR operation: In compatible mode, multicast data receiv...

Page 533: ...rom multicast group membership. With Immediate Leave, an IGMP query is not sent from the receiver port on which the IGMP leave was received. As soon as the leave message is received, the receiver port is removed from multicast group membership, which speeds up leave latency. Enable the Immediate Leave feature only on receiver ports to which a single receiver device is connected. MVR eliminates the need t...

Page 534: ...ly be access ports; they cannot be trunk ports. Receiver ports on a switch can be in different VLANs, but should not belong to the multicast VLAN. The maximum number of multicast entries (MVR group addresses) that can be configured on a switch (that is, the maximum number of television channels that can be received) is 256. Because MVR on the switch uses IP multicast addresses instead of MAC multicast addre...

Page 535: ...itch. Step 3, mvr group ip-address count: Configure an IP multicast address on the switch, or use the count parameter to configure a contiguous series of MVR group addresses (the range for count is 1 to 256; the default is 1). Any multicast data sent to this address is sent to all source ports on the switch and all receiver ports that have elected to receive data on that multicast address. Each multicast a...

Page 536: ...at receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN. receiver: Configure a port as a receiver port if it is a subscriber port and should only receive multicast data. It does not receive data unless it becomes a member of the multicast group, either statically or by using IGMP leave ...

Page 537: ...ommands in Table 23-6 to display MVR configuration. Step 8, show mvr, show mvr interface, or show mvr members: Verify the configuration. Step 9, copy running-config startup-config: (Optional) Save your entries in the configuration file. Command / Purpose. Table 23-6 Commands for Displaying MVR Information: Command / Purpose: show mvr: Displays MVR status and values for the switch: whether MVR is enabled or disabled, t...

Page 538: ...ve reports. It does not control general IGMP queries. IGMP filtering has no relationship with the function that directs the forwarding of IP multicast traffic. The filtering feature operates in the same manner whether CGMP or MVR is used to forward the multicast traffic. IGMP filtering is applicable only to the dynamic learning of IP multicast group addresses, not static configuration. With the IGMP thr...

Page 539: ...Exits from igmp-profile configuration mode. no: Negates a command or returns to its defaults. permit: Specifies that matching addresses are permitted. range: Specifies a range of IP addresses for the profile. You can enter a single IP address or a range with a start and an end address. The default is for the switch to have no IGMP profiles configured. When a profile is configured, if neither the permit nor ...

Page 540: ...at belong to an EtherChannel port group. You can apply a profile to multiple interfaces, but each interface can have only one profile applied to it. Beginning in privileged EXEC mode, follow these steps to apply an IGMP profile to a switch port. Step 4, range ip multicast address: Enter the IP multicast address or range of IP multicast addresses to which access is being controlled. If entering a range, ent...

Page 541: ...fault of no maximum, use the no ip igmp max-groups interface configuration command. This example shows how to limit to 25 the number of IGMP groups that a port can join:
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# ip igmp max-groups 25
Switch(config-if)# end
Configuring the IGMP Throttling Action: After you set the maximum number of IGMP groups that a Layer 2 interface can join, you can...

Page 542: ...he maximum number of entries is in the forwarding table, the switch replaces a randomly selected entry with the received IGMP report. To prevent the switch from removing the forwarding-table entries, you can configure the IGMP throttling action before an interface adds entries to the forwarding table. Beginning in privileged EXEC mode, follow these steps to configure the throttling action when the maxi...

Page 543: ...tion for all interfaces on the switch or for a specified interface Use the privileged EXEC commands in Table 23 8 to display IGMP filtering and throttling configuration Table 23 8 Commands for Displaying IGMP Filtering and Throttling Configuration Command Purpose show ip igmp profile profile number Displays the specified IGMP profile or all the IGMP profiles defined on the switch show running conf...

Page 545: ... 39, Configuring IPv6 Unicast Routing. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release or the Cisco IOS documentation referenced in the procedures. This chapter includes these sections: Understanding MLD Snooping, section on page 24-1; Configuring IPv6 MLD Snooping, section on page 24-5; Displaying MLD Snooping Information, sec...

Page 546: ...nhanced snooping (MESS), which sets up IPv6 source and destination multicast address-based forwarding. MLD snooping can be enabled or disabled globally or per VLAN. When MLD snooping is enabled, a per-VLAN IPv6 multicast MAC address table is constructed in software, and a per-VLAN IPv6 multicast address table is constructed in software and hardware. The switch then performs IPv6 multicast address-based br...

Page 547: ...he CPU for processing. From the received query, MLD snooping builds the IPv6 multicast address database. It detects multicast router ports, maintains timers, sets report response time, learns the querier IP source address for the VLAN, learns the querier port in the VLAN, and maintains multicast address aging. Note: When the IPv6 multicast router is a Catalyst 6500 switch and you are using extended VLANs in...

Page 548: ... group within the VLAN is forwarded using this address. When MLD snooping is disabled, reports are flooded in the ingress VLAN. When MLD snooping is enabled, MLD report suppression, called listener message suppression, is automatically enabled. With report suppression, the switch forwards the first MLDv1 report received by a group to IPv6 multicast routers; subsequent reports for the group are not sent to ...

Page 549: ... global configuration command. The default is to send two queries. The switch also generates MLDv1 global Done messages with valid link-local IPv6 source addresses when the switch becomes the STP root in the VLAN or when it is configured by the user. This is the same as is done in IGMP snooping. MLD Snooping in Switch Stacks: The MLD IPv6 group and MAC address databases are maintained on all switches in the s...

Page 550: ...ly of each other. You can enable both features at the same time on the switch. The maximum number of multicast entries allowed on the switch or switch stack is determined by the configured SDM template. The maximum number of address entries allowed for the switch or switch stack is 1000. Table 24-1 Default MLD Snooping Configuration. Feature / Default Setting: MLD snooping (global): Disabled. MLD snooping (per...

Page 551: ... IPv6 multicast router is a Catalyst 6500 switch and you are using extended VLANs in the range 1006 to 4094, IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch. To disable MLD snooping on a VLAN...

Page 552: ... and PIMv6 queries, you can also use the command-line interface (CLI) to add a multicast router port to a VLAN. To add a multicast router port (add a static connection to a multicast router), use the ipv6 mld snooping vlan mrouter global configuration command on the switch. Note: Static connections to multicast routers are supported only on switch ports. Command / Purpose: Step 1 configure terminal: Enter globa...

Page 553: ...e Leave on a VLAN, use the no ipv6 mld snooping vlan vlan-id immediate-leave global configuration command. This example shows how to enable MLD Immediate Leave on VLAN 130: Switch# configure terminal Switch(config)# ipv6 mld snooping vlan 130 immediate-leave Switch(config)# exit. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 ipv6 mld snooping vlan vlan-id mrouter interfac...

Page 554: ... 1 to 7; the default is 2. The queries are sent 1 second apart. Step 5 ipv6 mld snooping vlan vlan-id last-listener-query-count count: (Optional) Set the last-listener query count on a VLAN basis. This value overrides the value configured globally. The range is 1 to 7; the default is 0. When set to 0, the global count value is used. Queries are sent 1 second apart. Step 6 ipv6 mld snooping last-listener-query-...

Page 555: ...rwards only one MLD report per multicast router query. When message suppression is disabled, multiple MLD reports could be forwarded to the multicast routers. Beginning in privileged EXEC mode, follow these steps to disable MLD listener message suppression. To re-enable MLD message suppression, use the ipv6 mld snooping listener-message-suppression global configuration command. Displaying MLD Snooping In...

Page 556: ...(Optional) Enter vlan vlan-id to display information for a single VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094. show ipv6 mld snooping querier [vlan vlan-id]: Display information about the IPv6 address and incoming port for the most recently received MLD query messages in the VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094...

Page 557: ...ain this conceptual and configuration information: Understanding Storm Control, page 25-1; Default Storm Control Configuration, page 25-3; Configuring Storm Control and Threshold Levels, page 25-3. Understanding Storm Control: Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LA...

Page 558: ...ot differentiate between routing updates, such as OSPF, and regular multicast data traffic, so both types of traffic are blocked. The graph in Figure 25-1 shows broadcast traffic patterns on an interface over a given period of time. The example can also be applied to multicast and unicast traffic. In this example, the broadcast traffic being forwarded exceeded the configured threshold between time interv...

Page 559: ...However, because of hardware limitations and the way in which packets of different sizes are counted, threshold percentages are approximations. Depending on the sizes of the packets making up the incoming traffic, the actual enforced threshold might differ from the configured level by several percentage points. Note: Storm control is supported on physical interfaces. You can also configure storm control ...

Page 560: ...he rising threshold level for broadcast, multicast, or unicast traffic in bits per second (up to one decimal place). The port blocks traffic when the rising threshold is reached. The range is 0.0 to 10000000000.0. (Optional) For bps-low, specify the falling threshold level in bits per second (up to one decimal place). It can be less than or equal to the rising threshold level. The port forwards traffic when tra...

Page 561: ...nsures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch. Protected ports have these features: A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because ...

Page 562: ...ort as a protected port: Switch# configure terminal Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# switchport protected Switch(config-if)# end. Configuring Port Blocking: By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown uni...

Page 563: ...ture to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that ...

Page 564: ...ommand, stored in the address table, and added to the switch running configuration. Dynamic secure MAC addresses: These are dynamically configured, stored only in the address table, and removed when the switch restarts. Sticky secure MAC addresses: These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the ...

Page 565: ...ient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred. Note: We do not recommend configuring the protect violation mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit. restrict: Whe...

Page 566: ...urity Violation Mode Actions. Column headings: Violation Mode; Traffic is forwarded (footnote 1); Sends SNMP trap; Sends syslog message; Displays error message (footnote 2); Violation counter increments; Shuts down port. Footnote 1: Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses. Footnote 2: The switch returns an error message if you manually configure an address that would cause a security violation. pr...

Page 567: ... If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value, the command is rejected. The switch does not support port security aging of sticky secure MAC addresses. Table 25-3 summarizes port security compatibility with other port-based features. Table 25-3 Port Security Compatibility with Other Switch Features. Type of Port or...

Page 568: ...access | voice]: (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system. This number is set by the active Switch Database Management (SDM) template. See Chapter 8, Configuring the Switch SDM Template. This number is the...

Page 569: ... has not reached its maximum limit. restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments. shutdown: The interface is er...

Page 570: ... is configured for voice VLAN, configure a maximum of two secure MAC addresses. Step 9 switchport port-security mac-address sticky: (Optional) Enable sticky learning on the interface. Step 10 switchport port-security mac-address sticky mac-address [vlan {vlan-id | {access | voice}}]: (Optional) Enter a sticky secure MAC address, repeating the command as many times as necessary. If you configure fewer secure MAC addres...

Page 571: ...ommand followed by the switchport port-security command to re-enable port security on the interface. If you use the no switchport port-security mac-address sticky interface configuration command to convert sticky secure MAC addresses to dynamic secure MAC addresses before entering the no switchport port-security command, all secure addresses on the interface, except those that were manually configure...

Page 572: ...re addresses on a per-port basis. Beginning in privileged EXEC mode, follow these steps to configure port security aging. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify the interface to be configured, and enter interface configuration mode. Step 3 switchport port-security aging {static | time time | type {absolute | inactivity}}: Enable or disable s...

Page 573: ...a switch joins a stack, the new switch will get the configured secure addresses. All dynamic secure addresses are downloaded by the new stack member from the other stack members. When a switch (either the stack master or a stack member) leaves the stack, the remaining stack members are notified, and the secure MAC addresses configured or learned by that switch are deleted from the secure MAC address tabl...

Page 574: ...w interfaces interface-id switchport privileged EXEC command displays, among other characteristics, the interface traffic suppression and control configuration. The show storm-control and show port-security privileged EXEC commands display those storm control and port security settings. To display traffic control information, use one or more of the privileged EXEC commands in Table 25-4. Table 25-4 Comm...

Page 575: ...etwork management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols. This feature enables applications to send SNMP queries to neighboring devices. CDP runs on all media that support Subnetwork Access Protocol (SNAP). Because CDP runs over the data-link layer only, two systems that support...

Page 576: ...DP Configuration. Table 26-1 shows the default CDP configuration. Configuring the CDP Characteristics: You can configure the frequency of CDP updates, the amount of time to hold the information before discarding it, and whether or not to send Version-2 advertisements. Beginning in privileged EXEC mode, follow these steps to configure the CDP timer, holdtime, and advertisement type. Note: Steps 2 through 4 ar...

Page 577: ...example shows how to enable CDP if it has been disabled: Switch# configure terminal Switch(config)# cdp run Switch(config)# end. Step 3 cdp holdtime seconds: (Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it. The range is 10 to 255 seconds; the default is 180 seconds. Step 4 cdp advertise-v2: (Optional) Configure CDP to send Version-2 adv...

Page 578: ...dp enable Switch(config-if)# end. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify the interface on which you are disabling CDP, and enter interface configuration mode. Step 3 no cdp enable: Disable CDP on the interface. Step 4 end: Return to privileged EXEC mode. Step 5 copy running-config startup-config: (Optional) Save your entries in the confi...

Page 579: ...bor. You can enter an asterisk (*) to display all CDP neighbors, or you can enter the name of the neighbor about which you want information. You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device. show cdp interface [interface-id]: Display information about interfaces where CDP is enabled. You can l...

Page 581: ...ining LLDP and LLDP-MED, page 27-7. Understanding LLDP and LLDP-MED: This section contains this conceptual information: Understanding LLDP, page 27-1; Understanding LLDP-MED, page 27-2. Understanding LLDP: The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches). CDP allows network...

Page 582: ...at operates between endpoint devices such as IP phones and network devices such as switches. It specifically provides support for voice over IP (VoIP) applications and provides additional TLVs for capabilities discovery, network policy, Power over Ethernet, and inventory management. LLDP-MED supports these TLVs: LLDP-MED capabilities TLV: Allows LLDP-MED endpoints to determine the capabilities that the con...

Page 583: ...te simultaneously in a network. By default, a network device sends only LLDP packets until it receives LLDP-MED packets from an endpoint device. The network device then sends LLDP-MED packets until it receives only LLDP packets. Configuring LLDP and LLDP-MED: This section contains this configuration information: Default LLDP Configuration, page 27-3; Configuring LLDP Characteristics, page 27-4; Disabling an...

Page 584: ...s, see the Monitoring and Maintaining LLDP and LLDP-MED section on page 27-7. LLDP transmit: Enabled. LLDP med-tlv-select: Enabled to send all LLDP-MED TLVs. (Table 27-1 Default LLDP Configuration, continued: Feature / Default Setting.) Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 lldp holdtime seconds: (Optional) Specify the amount of time a receiving device should hold the in...

Page 585: ...DP is enabled by default on all supported interfaces to send and to receive LLDP information. Note: If the interface is configured as a tunnel port, LLDP is automatically disabled. Beginning in privileged EXEC mode, follow these steps to disable LLDP on an interface. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 no lldp run: Disable LLDP. Step 3 end: Return to privileged ...

Page 586: ...an interface. Step 5 end: Return to privileged EXEC mode. Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify the interface on which you are enabling LLDP-MED, and enter interface configuration mode. Step 3 lldp transmit: LLDP packets ...

Page 587: ...ed-tlv-select tlv: Specify the TLV to enable. Step 4 end: Return to privileged EXEC mode. Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file. Command / Description: clear lldp counters: Reset the traffic counters to zero. clear lldp table: Delete the LLDP table of information about neighbors. show lldp: Display global information, such as frequency of transmissions, th...

Page 589: ...ffected port and alerts you. Unidirectional links can cause a variety of problems, including spanning-tree topology loops. Modes of Operation: UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD can detect unidirectional links due to misconnected ports on fiber-optic connections. In aggressive mode, UDLD can also detect unidirectional links due to one-way traffic o...

Page 590: ...sely, the loss of the heartbeat means that the link must be shut down if it is not possible to re-establish a bidirectional link. If both fiber strands in a cable are working normally from a Layer 1 perspective, UDLD in aggressive mode detects whether those fiber strands are connected correctly and whether traffic is flowing bidirectionally between the correct neighbors. This check cannot be performe...

Page 591: ...nt or in the detection phase, UDLD restarts the link-up sequence to resynchronize with any potentially out-of-sync neighbor. UDLD shuts down the port if, after the fast train of messages, the link state is still undetermined. Figure 28-1 shows an example of a unidirectional link condition. Figure 28-1 UDLD Detection of a Unidirectional Link. Configuring UDLD: These sections contain this configuration info...

Page 592: ... another switch. When configuring the mode (normal or aggressive), make sure that the same mode is configured on both sides of the link. Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP. Table 28-1 Default UDLD Configuration. Feature / Default Setting: UDLD global enable state: Globally disabled. UDLD per-port enab...

Page 593: ... mode on all fiber-optic ports. enable: Enables UDLD in normal mode on all fiber-optic ports on the switch. UDLD is disabled by default. An individual interface configuration overrides the setting of the udld enable global configuration command. For more information about aggressive and normal modes, see the Modes of Operation section on page 28-1. message time message-timer-interval: Configures the perio...

Page 594: ...command enables the timer to automatically recover from the UDLD error-disabled state, and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error-disabled state. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify the port to be enabled for UDLD, and enter interface configurat...

Page 595: ... 28 Configuring UDLD. Displaying UDLD Status: To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release ...

Page 597: ...y device. SPAN copies (or mirrors) traffic received or sent (or both) on source ports or source VLANs to a destination port for analysis. SPAN does not affect the switching of network traffic on the source ports or VLANs. You must dedicate the destination port for SPAN use. Except for traffic that is required for the SPAN or RSPAN session, destination ports do not receive or forward traffic. Only traffic th...

Page 598: ...are in the same switch or switch stack. Local SPAN copies traffic from one or more source ports in any VLAN or from one or more VLANs to a destination port for analysis. For example, in Figure 29-1, all traffic on port 5 (the source port) is mirrored to port 10 (the destination port). A network analyzer on port 10 receives all network traffic from port 5 without being physically attached to port 5. Figure 2...

Page 599: ...ified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches. The RSPAN traffic from the source ports or VLANs is copied into the RSPAN VLAN and forwarded over trunk ports carrying the RSPAN VLAN to a destination session monitoring the RSPAN VLAN. Each RSPAN source switch must have either ports or VLANs as RSPAN sources. The destination is always a physical port, as shown on...

Page 600: ...ecified by the user and form them into a stream of SPAN data, which is directed to the destination port. RSPAN consists of at least one RSPAN source session, an RSPAN VLAN, and at least one RSPAN destination session. You separately configure RSPAN source sessions and RSPAN destination sessions on different network devices. To configure an RSPAN source session on a device, you associate a set of source po...

Page 601: ...or VLANs, but you cannot mix source ports and source VLANs in the same session. The switch supports up to two local SPAN or RSPAN source sessions. You can run both a local SPAN and an RSPAN source session in the same switch or switch stack. The switch or switch stack supports a total of 66 source and RSPAN destination sessions. On a desktop switch, you can configure two separate SPAN or RSPAN source ses...

Page 602: ... is to monitor as much as possible all the packets sent by the source interface after all modification and processing is performed by the switch. A copy of each packet sent by the source is sent to the destination port for that SPAN session. The copy is provided after the packet is modified. Packets that are modified because of routing (for example, with modified time-to-live (TTL), MAC address, or QoS val...

Page 603: ...nitor source ports or VLANs for traffic in one or both directions. The switch supports any number of source ports (up to the maximum number of available ports on the switch) and any number of source VLANs (up to the maximum number of VLANs supported). However, the switch supports a maximum of two sessions (local or RSPAN) with source ports or VLANs. You cannot mix ports and VLANs in a single session. A sourc...

Page 604: ...port that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user, usually a network analyzer. A destination port has these characteristics: For a local SPAN session, the destination port must reside on the same switch or switch stack as the source port. For an RSPAN session, it is located on the switch containing the RSPAN destination session. There is no destina...

Page 605: ...l characteristics: All traffic in the RSPAN VLAN is always flooded. No MAC address learning occurs on the RSPAN VLAN. RSPAN VLAN traffic only flows on trunk ports. RSPAN VLANs must be configured in VLAN configuration mode by using the remote-span VLAN configuration mode command. STP can run on RSPAN VLAN trunks but not on SPAN destination ports. An RSPAN VLAN cannot be a private-VLAN primary or secondar...

Page 606: ...at belongs to an EtherChannel group can be configured as a SPAN source port and still be a part of the EtherChannel. In this case, data from the physical port is monitored as it participates in the EtherChannel. However, if a physical port that belongs to an EtherChannel group is configured as a SPAN destination, it is removed from the group. After the port is removed from the SPAN session, it rejoins th...

Page 607: ...d RSPAN. These sections contain this configuration information: Default SPAN and RSPAN Configuration, page 29-11; Configuring Local SPAN, page 29-11; Configuring RSPAN, page 29-17. Default SPAN and RSPAN Configuration: Table 29-1 shows the default SPAN and RSPAN configuration. Configuring Local SPAN: These sections contain this configuration information: SPAN Configuration Guidelines, page 29-12; Creating a Loc...

Page 608: ...h port, only monitored traffic passes through the SPAN destination port. Entering SPAN configuration commands does not remove previously configured SPAN parameters. You must enter the no monitor session {session_number | all | local | remote} global configuration command to delete configured SPAN parameters. For local SPAN, outgoing packets through the SPAN destination port carry the original encapsulation hea...

Page 609: ...e range is 1 to 66. For interface-id, specify the source port or source VLAN to monitor. For source interface-id, specify the source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number). Valid port-channel numbers are 1 to 48. For vlan-id, specify the source VLAN to monitor. The range is 1 to 4094 (excluding the RSPAN VLAN). Note: A ...

Page 610: ...et1/0/1 Switch(config)# end. This example shows how to disable received-traffic monitoring on port 1, which was configured for bidirectional monitoring: Switch(config)# no monitor session 1 source interface gigabitethernet1/0/1 rx. The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored. Step 4 monitor session session_number destination interface i...

Page 611: ...number | all | local | remote}: Remove any existing SPAN configuration for the session. Step 3 monitor session session_number source {interface interface-id | vlan vlan-id} [both | rx | tx]: Specify the SPAN session and the source port (monitored port). Step 4 monitor session session_number destination {interface interface-id [encapsulation replicate] [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]}: Specif...

Page 612: ...q vlan 6 Switch(config)# end. Specifying VLANs to Filter: Beginning in privileged EXEC mode, follow these steps to limit SPAN source traffic to specific VLANs. Step 5 end: Return to privileged EXEC mode. Step 6 show monitor [session session_number] / show running-config: Verify the configuration. Step 7 copy running-config startup-config: (Optional) Save the configuration in the configuration file. Command / Purpose ...

Page 613: ...figuring Incoming Traffic, page 29-22. RSPAN Configuration Guidelines: Follow these guidelines when configuring RSPAN: All the items in the SPAN Configuration Guidelines section on page 29-12 apply to RSPAN. As RSPAN VLANs have special properties, you should reserve a few VLANs across your network for use as RSPAN VLANs; do not assign access ports to these VLANs. Step 5 monitor session session_number dest...

Page 614: ... you configure an RSPAN VLAN before you configure an RSPAN source or a destination session. If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005. Configuring a VLAN as an RSPAN VLAN: First create a new VLAN to be the RSPAN VLAN for the RSPAN session. You must create the RSPAN V...

Page 615: ...AN session and the source port (monitored port). For session_number, the range is 1 to 66. Enter a source port or source VLAN for the RSPAN session. For interface-id, specify the source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number). Valid port-channel numbers are 1 to 48. For vlan-id, specify the source VLAN to monitor. The r...

Page 616: ...s to configure the RSPAN source session to limit RSPAN source traffic to specific VLANs. Step 6 show monitor [session session_number] / show running-config: Verify the configuration. Step 7 copy running-config startup-config: (Optional) Save the configuration in the configuration file. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 no monitor session {session_...

Page 617: ... the destination port. Step 5 monitor session session_number destination remote vlan vlan-id: Specify the RSPAN session and the destination remote VLAN (RSPAN VLAN). For session_number, enter the session number specified in Step 3. For vlan-id, specify the RSPAN VLAN to carry the monitored traffic to the destination port. Step 6 end: Return to privileged EXEC mode. Step 7 show monitor [session session_number] ...

Page 618: ...ating an RSPAN Destination Session section on page 29-21. This procedure assumes that the RSPAN VLAN has already been configured. Step 6 monitor session session_number source remote vlan vlan-id: Specify the RSPAN session and the source RSPAN VLAN. For session_number, the range is 1 to 66. For vlan-id, specify the source RSPAN VLAN to monitor. Step 7 monitor session session_number destination interface in...

Page 619: ... vlan-id}: Specify the SPAN session, the destination port, the packet encapsulation, and the incoming VLAN and encapsulation. For session_number, enter the number defined in Step 4. In an RSPAN destination session, you must use the same session number for the source RSPAN VLAN and the destination port. For interface-id, specify the destination interface. The destination interface must be a physical interface ...

Page 620: ... 29 Configuring SPAN and RSPAN. Displaying SPAN and RSPAN Status: To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions ...

Page 621: ...ance tuning information Note For complete syntax and usage information for the commands used in this chapter see the System Management Commands section in the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 This chapter consists of these sections Understanding RMON page 30 1 Configuring RMON page 30 2 Displaying RMON Status page 30 6 Understanding RMON RMON is an Internet Engin...

Page 622: ...s the alarm at another value falling threshold Alarms can be used with events the alarm triggers an event which can generate a log entry or an SNMP trap Event RMON group 9 Specifies the action to take when an event is triggered by an alarm The action can be to generate a log entry or an SNMP trap Because switches supported by this software release use hardware counters for RMON data processing the...

Page 623: ...uired Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 rmon alarm number variable interval absolute delta rising threshold value event number falling threshold value event number owner string Set an alarm on a MIB object For number specify the alarm number The range is 1 to 65535 For variable specify the MIB object to monitor For interval specify the time in seconds...

Page 624: ...t and can be triggered again.
Switch(config)# rmon alarm 10 ifEntry.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner jjohnson
The following example creates RMON event number 1 by using the rmon event command. The event is defined as High ifOutErrors and generates a log entry when the event is triggered by the alarm. The user jjones owns the row that is created in the event table by this co...

Page 625: ...n collection history index buckets bucket number interval seconds owner ownername Enable history collection for the specified number of buckets and time period For index identify the RMON group of statistics The range is 1 to 65535 Optional For buckets bucket number specify the maximum number of buckets desired for the RMON collection history group of statistics The range is 1 to 65535 The default...

Page 626: ...ommand Reference Release 12 2 Step 3 rmon collection stats index owner ownername Enable RMON statistic collection on the interface For index specify the RMON group of statistics The range is from 1 to 65535 Optional For owner ownername enter the name of the owner of the RMON group of statistics Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your entries Step 6 show rmo...

Page 627: ...t generates a system message appends its hostname in the form of hostname n where n is a switch number from 1 to 9 and redirects the output to the logging process on the stack master Though the stack master is a stack member it does not append its hostname to system messages The logging process controls the distribution of logging messages to various destinations such as the logging buffer termina...

Page 628: ...essage Logging Configuration page 31 4 Disabling Message Logging page 31 4 optional Setting the Message Display Destination Device page 31 5 optional Synchronizing Log Messages page 31 6 optional Enabling and Disabling Time Stamps on Log Messages page 31 8 optional Enabling and Disabling Sequence Numbers in Log Messages page 31 8 optional Defining the Message Severity Level page 31 9 optional Limi...

Page 629: ...O 5 UPDOWN Line protocol on Interface Vlan1 changed state to down Switch 2 00 00 48 LINEPROTO 5 UPDOWN Line protocol on Interface GigabitEthernet2 0 1 changed state to down 2 Switch 2 Table 31 1 System Log Message Elements Element Description seq no Stamps log messages with a sequence number only if the service sequence numbers global configuration command is configured For more information see th...

Page 630: ...the logging process is disabled messages appear on the console as soon as they are produced often appearing in the middle of command output Table 31 2 Default System Message Logging Configuration Feature Default Setting System message logging to the console Enabled Console severity Debugging and numerically lower levels see Table 31 3 on page 31 10 Logging file configuration No filename specified ...

Page 631: ...Note Do not make the buffer size too large because the switch could run out of memory for other tasks Use the show memory privileged EXEC command to view the free processor memory on the switch However this value is the maximum available and the buffer size should not be set to this amount Step 3 logging host Log messages to a UNIX syslog server host For host specify the name or IP address of the ...

Page 632: ...ileged EXEC command output with solicited device output and prompts for a specific console port line or virtual terminal line You can identify the types of messages to be output asynchronously based on the level of severity You can also configure the maximum number of buffers for storing asynchronous messages for the terminal after which messages are dropped When synchronous logging of unsolicited...

Page 633: ... numbers is from 0 to 15 You can change the setting of all 16 vty lines at once by entering line vty 0 15 Or you can change the setting of the single vty line being used for your current connection For example to change the setting for vty line 2 enter line vty 2 When you enter this command the mode changes to line configuration Step 3 logging synchronous level severity level all limit number of b...

Page 634: ...han one log message can have the same time stamp you can display messages with sequence numbers so that you can unambiguously see a single message By default sequence numbers in log messages are not displayed Beginning in privileged EXEC mode follow these steps to enable sequence numbers in log messages This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration...

Page 635: ...configuration command To disable logging to syslog servers use the no logging trap global configuration command Step 4 show running config Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 logging console level Limit messages logged to th...

Page 636: ...sages displayed at the informational level This message is only for information switch functionality is not affected Limiting Syslog Messages Sent to the History Table and to SNMP If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp server enable trap global configuration command you can change the level of messages sent and stored in the switch hi...

Page 637: ...mmand followed by the logging enable command to disable and re enable logging Use the show archive log config all number end number user username session number number end number statistics provisioning privileged EXEC command to display the complete configuration log or the log for specified parameters The default is that configuration logging is disabled For information about the commands see th...

Page 638: ...erface GigabitEthernet4 0 1 43 14 temi vty4 switchport mode trunk 44 14 temi vty4 exit 45 16 temi vty5 interface GigabitEthernet5 0 1 46 16 temi vty5 switchport mode trunk 47 16 temi vty5 exit Configuring UNIX Syslog Servers The next sections describe how to configure the UNIX server syslog daemon and how to define the UNIX system logging facility Logging Messages to a UNIX Syslog Daemon Before yo...

Page 639: ...te the log file by entering these commands at the UNIX shell prompt:
$ touch /var/log/cisco.log
$ chmod 666 /var/log/cisco.log
Step 3 Make sure the syslog daemon reads the new changes:
$ kill -HUP `cat /etc/syslog.pid`
For more information, see the man syslog.conf and man syslogd commands on your UNIX system. Configuring the UNIX System Logging Facility When sending system log messages to an external device, you c...

Page 640: ...laying the Logging Configuration To display the logging configuration and the contents of the log buffer use the show logging privileged EXEC command For information about the fields in this display see the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 Step 6 show running config Verify your entries Step 7 copy running config startup config Optional Save your entries in the co...

Page 641: ...e relationship between the manager and the agent The SNMP agent contains MIB variables whose values the SNMP manager can request or change A manager can get a value from an agent or store a value into the agent The agent gathers data from the MIB the repository for information about device parameters and network data The agent can also respond to a manager s requests to get or set data An agent ca...

Page 642: ... security features Message integrity ensuring that a packet was not tampered with in transit Authentication determining that the message is from a valid source Encryption mixing the contents of a package to prevent it from being read by an unauthorized source Note To select encryption enter the priv keyword This keyword is available only when the cryptographic encrypted universal software image is...

Page 643: ...SNMPv3 authNoPriv MD5 or SHA No Provides authentication based on the HMAC MD5 or HMAC SHA algorithms SNMPv3 authPriv requires the cryptographic universal software image MD5 or SHA DES Provides authentication based on the HMAC MD5 or HMAC SHA algorithms Provides DES 56 bit encryption in addition to authentication based on the CBC DES DES 56 standard Table 32 2 SNMP Operations Operation Description ...

Page 644: ... read access to authorized management stations to all objects in the MIB except the community strings but does not allow write access Read write RW Gives read and write access to authorized management stations to all objects in the MIB but does not allow access to the community strings Using SNMP to Access MIB Variables An example of an NMS is the CiscoWorks network management software CiscoWorks ...

Page 645: ...as soon as it is sent an inform request is held in memory until a response is received or the request times out Traps are sent only once but an inform might be re sent or retried several times The retries increase traffic and contribute to a higher overhead on the network Therefore traps and informs require a trade off between reliability and resources If it is important that the SNMP manager rece...

Page 646: ... and the switch startup configuration has at least one snmp-server global configuration command, the SNMP agent is enabled. An SNMP group is a table that maps SNMP users to SNMP views. An SNMP user is a member of an SNMP group. An SNMP host is the recipient of an SNMP trap operation. An SNMP engine ID is a name for the local or remote SNMP engine. Table 32-4 Default SNMP Configuration Feature Default Set...

Page 647: ...to it If a local user is not associated with a remote host the switch does not send informs for the auth authNoPriv and the priv authPriv authentication levels Changing the value of the SNMP engine ID has important side effects A user s password entered on the command line is converted to an MD5 or SHA security digest based on the password and the local engine ID The command line password is then ...

Page 648: ...one or more community strings of any length Optional For view specify the view record accessible to the community Optional Specify either read only ro if you want authorized management stations to retrieve MIB objects or specify read write rw if you want authorized management stations to retrieve and modify MIB objects By default the community string permits read only access to all objects Optiona...

Page 649: ...new users to the SNMP group Beginning in privileged EXEC mode follow these steps to configure SNMP on the switch Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server engineID local engineid string remot...

Page 650: ... authentication noauth Enables the noAuthNoPriv security level This is the default if no keyword is specified priv Enables Data Encryption Standard DES packet encryption also called privacy Note The priv keyword is available only when the cryptographic universal software image is installed Optional Enter read readview with a string not to exceed 64 characters that is the name of the view in which ...

Page 651: ...er for an SNMP group The username is the name of the user on the host that connects to the agent The groupname is the name of the group to which the user is associated Enter remote to specify a remote SNMP entity to which the user belongs and the hostname or IP address of that entity with the optional UDP port number The default is 162 Enter the SNMP version number v1 v2c or v3 If you enter v3 you...

Page 652: ...rap for Open Shortest Path First OSPF changes You can enable any or all of these traps Cisco specific errors link state advertisement rate limit retransmit and state changes pim Generates a trap for Protocol Independent Multicast PIM changes You can enable any or all of these traps invalid PIM messages neighbor changes and rendezvous point RP mapping changes port security Generates SNMP port secur...

Page 653: ...reated traps vlandelete Generates SNMP VLAN deleted traps vtp Generates a trap for VLAN Trunking Protocol VTP changes Table 32 5 Switch Notification Types continued Notification Type Keyword Description Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server engineID remote ip address engineid string Specify the engine ID for the remote host Step 3 snmp server ...

Page 654: ...When version 3 is specified enter the SNMPv3 username Optional For notification type use the keywords listed in Table 32 5 on page 32 11 If no type is specified all notifications are sent Step 6 snmp server enable traps notification types Enable the switch to send traps or informs and specify the type of notifications to be sent For a list of notification types see Table 32 5 on page 32 11 or ente...

Page 655: ...Beginning in privileged EXEC mode follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server contact text Set the system contact string For example snmp server contact Dial System Operator at beeper 21555 Step 3 snmp ...

Page 656: ...embers of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.
Switch(config)# snmp-server community comaccess ro 4
Switch(config)# snmp-server enable traps snmp authentication
Switch(config)# snmp-server host cisco.com version 2c public
Step 3 ...

Page 657: ... v3 auth
Switch(config)# snmp-server user authuser authgroup remote 192.180.1.27 v3 auth md5 mypassword
Switch(config)# snmp-server user authuser authgroup v3 auth md5 mypassword
Switch(config)# snmp-server host 192.180.1.27 informs version 3 auth authuser config
Switch(config)# snmp-server enable traps
Switch(config)# snmp-server inform retries 0
Displaying SNMP Status To display SNMP input and output stat...


Page 659: ... system events and then acts on them through a set policy. This policy is a programmed script that you can use to customize a script to invoke an action based on a given set of events occurring. The script generates actions such as generating custom syslog or Simple Network Management Protocol (SNMP) traps, invoking CLI commands, forcing a failover, and so forth. The event management capabilities of EEM ar...

Page 660: ...rovide an interface between the agent being monitored (for example, SNMP) and the EEM policies where an action can be implemented. Event detectors are generated only by the master switch. CLI and routing processes also run only from the master switch. Note The stack member switch does not generate events and does not support memory threshold notifications or IOSWdSysmon event detectors. 127574 Cisco IOS p...

Page 661: ...ed on global platform values and thresholds Includes resources such as CPU utilization and remaining buffer capacity Applies only to the master switch SNMP event detector Allows a standard SNMP MIB object to be monitored and an event to be generated when the object matches specified values or crosses specified thresholds Syslog event detector Allows for screening syslog messages for a regular expr...

Page 662: ...ipts are defined on the networking device by using an ASCII editor. The script is then copied to the networking device and registered with EEM. You use EEM to write and implement your own policies using the EEM policy tool command language (TCL) script. When you configure a TCL script on the master switch, the file is automatically sent to the member switches. The user-defined TCL scripts must be ava...

Page 663: ...ation Registering and Defining an Embedded Event Manager Applet page 33 5 Registering and Defining an Embedded Event Manager TCL Script page 33 6 For complete information about configuring embedded event manager see the Cisco IOS Network Management Configuration Guide Release 12 4T Registering and Defining an Embedded Event Manager Applet Beginning in privileged EXEC mode perform this task to regi...

Page 664: ...level msg msg text Specify the action when an EEM applet is triggered Repeat this action to add other CLI commands to the applet Optional The priority keyword specifies the priority level of the syslog messages If selected you need to define the priority level argument For msg text the argument can be character text an environment variable or a combination of the two Step 5 end Exit applet configu...

Page 665: ...ry day Switch config event manager environment_cron_entry 0 59 2 0 23 1 0 6 This example shows the sample EEM policy named tm_cli_cmd tcl registered as a system policy The system policies are part of the Cisco IOS image User defined TCL scripts must first be copied to flash memory Switch config event manager policy tm_cli_cmd tcl type system Displaying Embedded Event Manager Information To display...


Page 667: ... Named MAC Extended ACLs page 34 27 Configuring VLAN Maps page 34 29 Using VLAN Maps with Router ACLs page 34 35 Displaying IPv4 ACL Configuration page 34 39 Understanding ACLs Packet filtering can help limit network traffic and restrict network use by certain users or devices ACLs filter traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or VL...

Page 668: ...hree applications of ACLs to filter traffic Port ACLs access control traffic entering a Layer 2 interface The switch does not support port ACLs in the outbound direction You can apply only one IP access list and one MAC access list to a Layer 2 interface For more information see the Port ACLs section on page 34 3 Router ACLs access control routed traffic between VLANs and are applied to Layer 3 in...

Page 669: ...the switch does not recognize the protocol inside the IEEE 802 1Q header This restriction applies to router ACLs port ACLs and VLAN maps For more information about IEEE 802 1Q tunneling see Chapter 16 Configuring IEEE 802 1Q Tunneling and Chapter 16 Configuring Layer 2 Protocol Tunneling Port ACLs Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch Port ACLs are supported only on...

Page 670: ...d you apply a new IP access list or MAC access list to the interface the new ACL replaces the previously configured one Router ACLs You can apply router ACLs on switch virtual interfaces SVIs which are Layer 3 interfaces to VLANs on physical Layer 3 interfaces and on Layer 3 EtherChannel interfaces You apply router ACLs on interfaces for specific directions inbound or outbound You can apply one ro...

Page 671: ...pe using MAC VLAN maps IP traffic is not access controlled by MAC VLAN maps You can enforce VLAN maps only on packets going through the switch you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch connected to this switch With VLAN maps forwarding of packets is permitted or denied based on the action specified in the map Figure 34 2 shows how a VLAN map is applied to ...

Page 672: ...CE a deny because all Layer 3 and Layer 4 information is present The remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information Instead they match the third ACE a permit Because the first fragment was denied host 10 1 1 2 cannot reassemble a complete packet so packet B is effectively denied However the later fragments that are permitted will consume ...

Page 673: ... configuring ACLs see the Configuring IP Services section in the IP Addressing and Services chapter of the Cisco IOS IP Configuration Guide Release 12 2 For detailed information about the commands see the Cisco IOS IP Command Reference Volume 1 of 3 Addressing and Services Release 12 2 The switch does not support these Cisco IOS router ACL related features Non IP protocol ACLs see Table 34 1 on pa...

Page 674: ...ess List Numbers page 34 8 ACL Logging page 34 9 Creating a Numbered Standard ACL page 34 10 Creating a Numbered Extended ACL page 34 11 Resequencing ACEs in an ACL page 34 15 Creating Named Standard and Extended ACLs page 34 15 Using Time Ranges with ACLs page 34 17 Including Comments in ACLs page 34 19 Access List Numbers The number you use to denote your ACL shows the type of access list that y...

Page 675: ... messages logged to the console is controlled by the logging console commands controlling the syslog messages Note Because routing is done in hardware and logging is done in software if a large number of packets match a permit or deny ACE containing a log keyword the software might not be able to match the hardware processing rate and not all packets will be logged The first packet that triggers t...

Page 676: ...ts Standard IP access list 2
    10 deny   171.69.198.102
    20 permit any
Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} source [source-wildcard] [log]: Define a standard IPv4 access list by using a source address and wildcard. The access-list number is a decimal number from 1 to 99 or 1300 to 1999. Enter deny or permit to specify wheth...

Page 677: ... end of the list You cannot reorder the list or selectively add or remove ACEs from a numbered list Some protocols also have specific parameters and keywords that apply to that protocol These IP protocols are supported protocol keywords are in parentheses in bold Authentication Header Protocol ahp Enhanced Interior Gateway Routing Protocol eigrp Encapsulation Security Payload esp generic routing e...

Page 678: ...ific parameters for TCP UDP ICMP and IGMP see steps 2b through 2e The source is the number of the network or host from which the packet is sent The source wildcard applies wildcard bits to the source The destination is the network or host number to which the packet is sent The destination wildcard applies wildcard bits to the destination Source source wildcard destination and destination wildcard ...

Page 679: ...on Control Protocol The parameters are the same as those described in Step 2a with these exceptions Optional Enter an operator and port to compare source if positioned after source source wildcard or destination if positioned after destination destination wildcard port Possible operators include eq equal gt greater than lt less than neq not equal and range inclusive range Operators require a port ...

Page 680: ...e precedence precedence tos tos fragments log log input time range time range name dscp dscp Optional Define an extended ICMP access list and the access conditions Enter icmp for Internet Control Message Protocol The ICMP parameters are the same as those described for most IP protocols in Step 2a with the addition of the ICMP message type and code parameters These optional keywords have these mean...

Page 681: ...ss lists in a router than if you were to use numbered access lists If you identify your access list with a name rather than a number the mode and command syntax are slightly different However not all commands that use IP access lists accept a named access list Note The name you give to a standard or extended ACL can also be a number in the supported range of access list numbers That is the name of...

Page 682: ...end Return to privileged EXEC mode Step 5 show access lists number name Show the access list configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip access list extended name Define an extended IPv4 access list using a name and enter access list configuration mod...

Page 683: ... times and the dates or the days of the week in the time range Then enter the time range name when applying an ACL to set restrictions to the access list You can use the time range to define when the permit or deny statements in the ACL are in effect for example during a specified time period or on specified days of the week The time range keyword and argument are referenced in the named and numbe...

Page 684: ...y extended access list 188 that denies TCP traffic from any source to any destination during the defined holiday times and permits all TCP traffic during work hours.
Switch(config)# access-list 188 deny tcp any any time-range new_year_day_2006
Switch(config)# access-list 188 permit tcp any any time-range workhours
Switch(config)# end
Switch# show access-lists
Extended IP access list 188
    10 deny tcp any an...

Page 685: ...ed permit or deny statements and some remarks after the associated statements To include a comment for IP numbered standard or extended ACLs use the access list access list number remark remark global configuration command To remove the remark use the no form of this command In this example the server that belongs to Jones is allowed access and the workstation that belongs to Smith is not allowed ...

Page 686: ...NMP Telnet or web traffic You do not have to enable routing to apply ACLs to Layer 2 interfaces When private VLANs are configured you can apply router ACLs only on the primary VLAN SVIs The ACL is applied to both primary and secondary VLAN Layer 3 traffic Note By default the router sends Internet Control Message Protocol ICMP unreachable messages when a packet is denied by an access group These ac...

Page 687: ... the packet against the ACL If the ACL permits the packet the switch sends the packet If the ACL rejects the packet the switch discards the packet By default the input interface sends ICMP Unreachable messages whenever a packet is discarded regardless of whether the packet was discarded because of an ACL on the input interface or because of an ACL on the output interface ICMP Unreachables are norm...

Page 688: ... be routed are routed in software but are bridged in hardware If ACLs cause large numbers of packets to be sent to the CPU the switch performance can be negatively affected When you enter the show ip access lists privileged EXEC command the match count displayed does not account for packets that are access controlled in hardware Use the show access lists hardware counters privileged EXEC command t...

Page 689: ...dard IP access list 6
    10 permit 172.20.128.64, wildcard bits 0.0.0.31
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip access-group 6 out
This example uses an extended ACL to filter traffic coming from Blade Server B into a port, permitting traffic from any source address (in this case, Server B) to only the Accounting destination addresses 172.20.128.64 to 172.20.128.95. The ACL is appl...

Page 690: ...you have a network connected to the Internet and you want any host on the network to be able to form TCP connections to any host on the Internet However you do not want IP hosts to be able to form TCP connections to hosts on your network except to the mail SMTP port of a dedicated mail host SMTP uses TCP port 25 on one end of the connection and a random port number on the other end The same port n...

Page 691: ...applied to outgoing traffic and the marketing_group ACL is applied to incoming traffic on a Layer 3 port.
Switch(config)# interface gigabitethernet3/0/2
Switch(config-if)# no switchport
Switch(config-if)# ip address 2.0.5.1 255.255.255.0
Switch(config-if)# ip access-group Internet_filter out
Switch(config-if)# ip access-group marketing_group in
Time Range Applied to an IP ACL This example denies HTTP traffic...

Page 692: ...t interface in the log entry. In this example, standard named access list stan1 denies traffic from 10.1.1.0 0.0.0.255, allows traffic from all other sources, and includes the log keyword.
Switch(config)# ip access-list standard stan1
Switch(config-std-nacl)# deny 10.1.1.0 0.0.0.255 log
Switch(config-std-nacl)# permit any log
Switch(config-std-nacl)# exit
Switch(config)# interface gigabitethernet1/0/1
Switch(con...

Page 693: ... 0001.42ef.a400) -> 10.1.1.61 (0/0), 1 packet
A log message for the same sort of packet using the log keyword does not include the input interface information:
00:05:47: %SEC-6-IPACCESSLOGDP: list inputlog permitted icmp 10.1.1.10 -> 10.1.1.61 (0/0), 1 packet
Creating Named MAC Extended ACLs You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named MAC extended ACLs. The p...

Page 694: ...s list filters only IP packets and the MAC access list filters non IP packets Step 3 deny permit any host source MAC address source MAC address mask any host destination MAC address destination MAC address mask type mask lsap lsap mask aarp amber dec spanning decnet iv diagnostic dsm etype 6000 etype 8042 lat lavc sca mop console mop dump msdos mumps netbios vines echo vines ip xns idp 0 65535 cos...

Page 695: ...its all packets Remember this behavior if you use undefined ACLs for network security Configuring VLAN Maps This section describes how to configure VLAN maps which is the only way to control filtering within a VLAN VLAN maps have no direction To filter traffic in a specific direction by using a VLAN map you need to include an ACL with specific source or destination addresses If there is a match cl...

Page 696: ...page 34 31 Applying a VLAN Map to a VLAN page 34 34 Using VLAN Maps in Your Network page 34 34 VLAN Map Configuration Guidelines Follow these guidelines when configuring VLAN maps If there is no ACL configured to deny traffic on an interface and no VLAN map is configured all traffic is permitted Each VLAN map consists of a series of entries The order of entries in an VLAN map is important A packet...

Page 697: ...ration command to delete a single sequence entry from within the map Use the no action access map configuration command to enforce the default action which is to forward VLAN maps do not use the specific permit or deny keywords To deny a packet by using VLAN maps create an ACL that would match the packet and set the action to drop A permit in the ACL counts as a match A deny in the ACL means no ma...

Page 698: ...would get dropped.
Switch(config)# ip access-list extended ip2
Switch(config-ext-nacl)# permit udp any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map_1 20
Switch(config-access-map)# match ip address ip2
Switch(config-access-map)# action forward
Example 2 In this example, the VLAN map has a default action of drop for IP packets and a default action of forward for MAC packets. Used with stan...

Page 699: ...itch(config-ext-macl)# permit any any vines-ip
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map drop-mac-default 10
Switch(config-access-map)# match mac address good-hosts
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map drop-mac-default 20
Switch(config-access-map)# match mac address good-protocols
Switch(config-access-map)# action forward
Examp...

Page 700: ...er on Another VLAN page 34-34 Denying Access to a Server on Another VLAN You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs to have access denied to these hosts (see Figure 34-4): Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access. Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access. Command Purpose Step 1 configure terminal Enter gl...

Page 701: ...fine a VLAN map using this ACL that will drop IP packets that match SERVER1_ACL and forward IP packets that do not match the ACL.
Switch(config)# vlan access-map SERVER1_MAP
Switch(config-access-map)# match ip address SERVER1_ACL
Switch(config-access-map)# action drop
Switch(config)# vlan access-map SERVER1_MAP 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Step 3: Apply the VLAN m...

Page 702: ...outer ACL and a VLAN map when they are configured on the same VLAN. Merging the router ACL with the VLAN map might significantly increase the number of ACEs. If you must configure a router ACL and a VLAN map on the same VLAN, use these guidelines for both router ACL and VLAN map configuration: You can configure only one VLAN map and one router ACL in each direction (input, output) on a VLAN interface. Whe...

Page 703: ...at the packet might be dropped rather than forwarded. ACLs and Switched Packets: Figure 34-5 shows how an ACL is applied on packets that are switched within a VLAN. Packets switched within the VLAN without being routed or forwarded by fallback bridging are only subject to the VLAN map of the input VLAN. Figure 34-5 Applying ACLs on Switched Packets. ACLs and Bridged Packets: Figure 34-6 shows how an ACL...

Page 704: ...outed packets. For routed packets, the ACLs are applied in this order: 1. VLAN map for input VLAN; 2. Input router ACL; 3. Output router ACL; 4. VLAN map for output VLAN. Figure 34-7 Applying ACLs on Routed Packets. (Figure labels: Frame, Fallback bridge, Blade server A VLAN 10, Blade server B VLAN 20, VLAN 10 map, VLAN 20 map; Frame, Routing function, Blade server A VLAN 10, Packet, VLAN 2...)

Page 705: ...acket, no destination receives a copy of the packet. Figure 34-8 Applying ACLs on Multicast Packets. Displaying IPv4 ACL Configuration: You can display the ACLs that are configured on the switch, and you can display the ACLs that have been applied to interfaces and VLANs. When you use the ip access-group interface configuration command to apply ACLs to a Layer 2 interface, you can display the access grou...

Page 706: ...splay. show running-config interface interface-id: Displays the contents of the configuration file for the switch or the specified interface, including all configured MAC and IP access lists and which access groups are applied to an interface. show mac access-group [interface interface-id]: Displays MAC access lists applied to all Layer 2 interfaces or the specified Layer 2 interface. Table 34-2 Commands ...

Page 707: ...h and to a switch stack. Note: To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch. You select the template by entering the sdm prefer dual-ipv4-and-ipv6 {default | vlan} global configuration command. For related information, see these chapters: For more information about SDM templates, see Chapter 8, Configuring SDM Templates. For information about IPv6 ...

Page 708: ...pears. If you want to use the output router ACL or input port ACL, save the switch configuration and enable the advanced IP services feature set, which supports the ACL. The switch does not support VLAN ACLs (VLAN maps) for IPv6 traffic. Note: For more information about ACL support on the switch, see Chapter 34, Configuring Network Security with ACLs. You can apply both IPv4 and IPv6 ACLs to an interface. As ...

Page 709: ...rt VLAN ACLs (VLAN maps). The switch does not apply MAC-based ACLs on IPv6 frames. You cannot apply IPv6 port ACLs to Layer 2 EtherChannels. The switch does not support output port ACLs. Output router ACLs and input port ACLs for IPv6 are supported only when the switch is running the advanced IP services feature set. Switches running the IP services or IP base feature set support only input router ACLs f...

Page 710: ...d apply IPv6 ACLs: Default IPv6 ACL Configuration, page 35-4; Interaction with Other Features and Switches, page 35-4; Creating IPv6 ACLs, page 35-5; Applying an IPv6 ACL to an Interface, page 35-8. Default IPv6 ACL Configuration: There are no IPv6 ACLs configured or applied. Interaction with Other Features and Switches: Configuring IPv6 ACLs has these interactions with other features or switch characteristic...

Page 711: ...f the hardware memory is full, for any additional configured ACLs, packets are forwarded to the CPU, and the ACLs are applied in software. Creating IPv6 ACLs: Beginning in privileged EXEC mode, follow these steps to create an IPv6 ACL. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 ipv6 access-list access-list-name: Define an IPv6 access list using a name, and enter IPv6 a...

Page 712: ...ecimal using 16-bit values between colons. (Optional) For operator, specify an operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range. If the operator follows the source-ipv6-prefix/prefix-length argument, it must match the source port. If the operator follows the destination-ipv6-prefix/prefix-length argu...

Page 713: ...l] [routing] [sequence value] [time-range name]: (Optional) Define a UDP access list and the access conditions. Enter udp for the User Datagram Protocol. The UDP parameters are the same as those described for TCP, except that the operator [port] port number or name must be a UDP port number or name, and the established parameter is not valid for UDP. Step 3d {deny | permit} icmp {source-ipv6-prefix/prefix-length | any | ho...

Page 714: ...rfaces or to inbound traffic on Layer 2 interfaces. If the switch is running the IP services or IP base feature set, you can apply ACLs only to inbound management traffic on Layer 3 interfaces. Beginning in privileged EXEC mode, follow these steps to control access to an interface. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Identify a Layer 2...

Page 715: ...show access-lists privileged EXEC command. The output shows all access lists that are configured on the switch or switch stack.
Switch# show access-lists
Extended IP access list hello
    10 permit ip any any
IPv6 access list ipv6
    permit ipv6 any any sequence 10
This is an example of the output from the show ipv6 access-list privileged EXEC command. The output shows only IPv6 access lists configured on ...

Page 717: ...pply policy maps, you configure the QoS settings (such as classification, queueing, and scheduling) the same way on physical ports and SVIs. When configuring QoS on a physical port, you apply a nonhierarchical policy map. When configuring QoS on an SVI, you apply a nonhierarchical or a hierarchical policy map. Note: For complete syntax and usage information for the commands used in this chapter, see the comma...

Page 718: ...ice (ToS) field to carry the classification (class) information. Classification can also be carried in the Layer 2 frame. These special bits in the Layer 2 frame or a Layer 3 packet are described here and shown in Figure 36-1: Prioritization bits in Layer 2 frames: Layer 2 Inter-Switch Link (ISL) frame headers have a 1-byte User field that carries an IEEE 802.1p class of service (CoS) value in the three least...

Page 719: ...ong a path provide a consistent per-hop behavior, you can construct an end-to-end QoS solution. Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking devices, the traffic types and patterns in your network, and the granularity of control that you need over incoming and outgoing traffic. Basic QoS Model: To implement QoS, the switc...

Page 720: ...6-8. Queueing evaluates the QoS label and the corresponding DSCP or CoS value to select into which of the two ingress queues to place a packet. Queueing is enhanced with the weighted tail-drop (WTD) algorithm, a congestion-avoidance mechanism. If the threshold is exceeded, the packet is dropped. For more information, see the Queueing and Scheduling Overview section on page 36-13. Scheduling services the que...

Page 721: ...y of the traffic. Perform the classification based on a configured Layer 2 MAC access control list (ACL), which can examine the MAC source address, the MAC destination address, and other fields. If no ACL is configured, the packet is assigned 0 as the DSCP and CoS values, which means best-effort traffic. Otherwise, the policy-map action specifies a DSCP or CoS value to assign to the incoming frame. For IP tra...

Page 722: ...guration for classification? (Flowchart labels: Assign DSCP identical to DSCP in packet; Check if packet came with CoS label (tag); Use the CoS value to generate the QoS label; Generate DSCP from CoS-to-DSCP map; Use the DSCP value to generate the QoS label; Yes; Read next ACL; Is there a match with a permit action?; Assign the DSCP or CoS as specified by ACL action to generate the QoS label; Assign the default DSCP (0); Are there ...)

Page 723: ...access-list extended global configuration command. For configuration information, see the Configuring a QoS Policy section on page 36-42. Classification Based on Class Maps and Policy Maps: A class map is a mechanism that you use to name a specific traffic flow (or class) and to isolate it from all other traffic. The class map defines the criteria used to match against a specific traffic flow to further...

Page 724: ...ut of profile and specifies the actions on the packet. These actions, carried out by the marker, include passing through the packet without modification, dropping the packet, or modifying (marking down) the assigned DSCP of the packet and allowing the packet to pass through. The configurable policed-DSCP map provides the packet with a new DSCP-based QoS label. For information on the policed-DSCP map, see th...

Page 725: ...nough room in the bucket. If there is not enough room, the packet is marked as nonconforming, and the specified policer action is taken (dropped or marked down). How quickly the bucket fills is a function of the bucket depth (burst-byte), the rate at which the tokens are removed (rate-bps), and the duration of the burst above the average rate. The size of the bucket imposes an upper limit on the burst length a...

Page 726: ...interface level of the hierarchical policy map. A hierarchical policy map has two levels. The first level, the VLAN level, specifies the actions to be taken against a traffic flow on an SVI. The second level, the interface level, specifies the actions to be taken against the traffic on the physical ports that belong to the SVI and are specified in the interface-level policy map. (Flowchart labels: Yes, Yes, No, No, Pass t...)

Page 727: ...el policy map only supports individual policers and does not support aggregate policers. You can configure different interface-level policy maps for each class defined in the VLAN-level policy map. See the Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps section on page 36-52 for an example of a hierarchical policy map. Figure 36-5 shows the policing and marking proc...

Page 728: ...e this map by using the mls qos map policed-dscp global configuration command. Before the traffic reaches the scheduling stage, QoS stores the packet in an ingress and an egress queue according to the QoS label. The QoS label is based on the DSCP or the CoS value in the packet and selects the queue through the DSCP input and output queue threshold maps or through the CoS input and output queue thresh...

Page 729: ...label, the space available in the destination queue is less than the size of the frame, the switch drops the frame. Each queue has three threshold values. The QoS label determines which of the three threshold values is subjected to the frame. Of the three thresholds, two are configurable (explicit) and one is not (implicit). Figure 36-7 shows an example of WTD operating on a queue whose size is 1000 fram...

Page 730: ...the bandwidth, and they are rate-limited to that amount. Shaped traffic does not use more than the allocated bandwidth even if the link is idle. Shaping provides a more even flow of traffic over time and reduces the peaks and valleys of bursty traffic. With shaping, the absolute value of each weight is used to compute the bandwidth available for the queues. In shared mode, the queues share the bandwidth ...

Page 731: ...queue according to the SRR weights. (Flowchart labels: Send packet to the stack ring; Drop packet; Start; Yes; No.) Table 36-1 Ingress Queue Types: Queue Type (1) / Function. (1. The switch uses two nonconfigurable queues for traffic that is essential for proper network and stack operation.) Normal: User traffic that is considered to be normal priority. You can configure three different thresholds to differentiate among the flows. You c...

Page 732: ...ace with which to divide the ingress buffers between the two queues by using the mls qos srr-queue input buffers percentage1 percentage2 global configuration command. The buffer allocation together with the bandwidth allocation control how much data can be buffered and sent before packets are dropped. You allocate bandwidth as a percentage by using the mls qos srr-queue input bandwidth weight1 weigh...

Page 733: ...Each port supports four egress queues, one of which (queue 1) can be the egress expedite queue. These queues are configured by a queue-set. All traffic leaving an egress port flows through one of these four queues and is subjected to a threshold based on the QoS label assigned to the packet. (Flowchart labels: Receive packet from the stack ring; Read QoS label (DSCP or CoS value); Determine egress queue number and thre...)

Page 734: ...availability of buffers, set drop thresholds, and configure the maximum memory allocation for a queue-set by using the mls qos queue-set output qset-id threshold queue-id drop-threshold1 drop-threshold2 reserved-threshold maximum-threshold global configuration command. Each threshold value is a percentage of the queue's allocated memory, which you specify by using the mls qos queue-set output qset-id ...

Page 735: ...ee the SRR Shaping and Sharing section on page 36-14. The buffer allocation together with the SRR weight ratios control how much data can be buffered and sent before packets are dropped. The weight ratio is the ratio of the frequency in which the SRR scheduler sends packets from each queue. All four queues participate in the SRR unless the expedite queue is enabled, in which case the first bandwidth w...

Page 736: ...ction in a policy map also causes the DSCP to be rewritten. Configuring Auto-QoS: You can use the auto-QoS feature to simplify the deployment of existing QoS features. Auto-QoS makes assumptions about the network design, and as a result, the switch can prioritize different traffic flows and appropriately use the ingress and egress queues instead of using the default QoS behavior. (The default is that QoS ...

Page 737: ...the Cisco SoftPhone, the switch uses policing to determine whether a packet is in or out of profile and to specify the action on the packet.
Table 36-2 Traffic Types, Packet Labels, and Queues
Traffic type | DSCP | CoS
VoIP Data Traffic (1) | 46 | 5
VoIP Control Traffic | 24, 26 | 3
Routing Protocol Traffic | 48 | 6
STP BPDU Traffic | 56 | 7
Real-Time Video Traffic | 34 | 4
All Other Traffic | - | -
1. VoIP = voice over IP
CoS-to-Ingress Queue Map: 2, 3 ...

Page 738: ...traffic type and ingress packet label and applies the commands listed in Table 36-5 to the port. Table 36-5 Generated Auto-QoS Configuration: Description / Automatically Generated Command. The switch automatically enables standard QoS and configures the CoS-to-DSCP map (maps CoS values in incoming packets to a DSCP value):
Switch(config)# mls qos
Switch(config)# mls qos map cos-dscp 0 8 16 26 32 46 48 56
The ...

Page 739: ...ls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
Switch(config)# mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
Switch(config)# mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
Switch(config)# mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
Switch(config)# mls qos srr-queue output dscp-map...

Page 740: ...ket on a routed port by using the mls qos trust dscp command.
Switch(config-if)# mls qos trust cos
Switch(config-if)# mls qos trust dscp
If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone.
Switch(config-if)# mls qos trust device cisco-phone
If you entered the auto qos vo...

Page 741: ...nfigures the switch for VoIP with devices running the Cisco SoftPhone application. Note: When a device running Cisco SoftPhone is connected to a nonrouted or routed port, the switch supports only one Cisco SoftPhone application per port. To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other QoS commands. If necessary, you can fine-tune the QoS configuration, but...

Page 742: ...ough mode, packets are switched without any rewrites and classified as best effort without any policing. This example shows how to enable auto-QoS and to trust the QoS labels received in incoming packets when the switch or router connected to a port is a trusted device:
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# auto qos voip trust
Command / Purpose: Step 1 configure terminal: Enter gl...

Page 743: ...ple Network: Figure 36-11 shows a network in which the VoIP traffic is prioritized over all other traffic. Auto-QoS is enabled on the switches in the network at the edge of the QoS domain. (Figure 36-11 labels: Cisco router, To Internet, Cisco Blade switch, Trunk link, Trunk link, Cisco IP phones, Blade servers, Cisco IP phones, Video server 172.20.10.16, IP.) Identify this interface as connected to a trusted switch ...

Page 744: ...auto-QoS on the port, and specify that the port is connected to a Cisco IP Phone. The QoS labels of incoming packets are trusted only when the Cisco IP Phone is detected. Step 6 exit: Return to global configuration mode. Step 7: Repeat Steps 4 to 6 for as many ports as are connected to the Cisco IP Phone. Step 8 interface interface-id: Specify the switch port identified as connected to a trusted switch or...

Page 745: ...t these commands, see the command reference for this release. Configuring Standard QoS: Before configuring standard QoS, you must have a thorough understanding of these items: The types of applications used and the traffic patterns on your network. Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reserve bandwidth for voice and video streams? Bandwidth requirements a...

Page 746: ...Configuration section on page 36-30 and the Default Egress Queue Configuration section on page 36-31. Default Ingress Queue Configuration: Table 36-6 shows the default ingress queue configuration when QoS is enabled. Table 36-7 shows the default CoS input queue threshold map when QoS is enabled. Table 36-8 shows the default DSCP input queue threshold map when QoS is enabled. Table 36-6 Default Ingress...

Page 747: ... Queue 3 | Queue 4 (four queue columns; the leading columns are cut off)
Buffer allocation | 25 percent | 25 percent | 25 percent | 25 percent
WTD drop threshold 1 | 100 percent | 200 percent | 100 percent | 100 percent
WTD drop threshold 2 | 100 percent | 200 percent | 100 percent | 100 percent
Reserved threshold | 50 percent | 50 percent | 50 percent | 50 percent
Maximum threshold | 400 percent | 400 percent | 400 percent | 400 percent
SRR shaped weights (absolute) (1) | ...
1. A shaped weight of zer...

Page 748: ...ded ACLs to enforce QoS. IP fragments are sent as best effort. IP fragments are denoted by fields in the IP header. Only one ACL per class map and only one match class-map configuration command per class map are supported. The ACL can have multiple ACEs, which match fields against the contents of the packet. A trust statement in a policy map requires multiple hardware entries per ACL line. If an input se...

Page 749: ...internal use. The maximum number of user-configurable policers supported per port is 63. For example, you could configure 32 policers on a Gigabit Ethernet port and 7 policers on a 10-Gigabit Ethernet port, or you could configure 64 policers on a Gigabit Ethernet port and 4 policers on a 10-Gigabit Ethernet port. Policers are allocated on demand by the software and are constrained by the hardware and A...

Page 750: ...vileged EXEC mode, follow these steps to enable VLAN-based QoS. This procedure is required on physical ports that are specified in the interface level of a hierarchical policy map on an SVI. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 mls qos: Enable QoS globally. QoS runs with the default settings described in the Default Standard QoS Configuration section on page ...

Page 751: ...ction on page 36-42. Configuring the Trust State on Ports within the QoS Domain, page 36-35; Configuring the CoS Value for an Interface, page 36-37; Configuring a Trusted Boundary to Ensure Port Security, page 36-38; Enabling DSCP Transparency Mode, page 36-39; Configuring the DSCP Trust State on a Port Bordering Another QoS Domain, page 36-40. Configuring the Trust State on Ports within the QoS Domain: Packe...

Page 752: ...d EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives. (Figure labels: Trunk, Trusted interface, Traffic classification performed here, Trusted boundary, P1, P3.) Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify the port to be trusted, and enter interface configuration mode. Valid interfaces incl...

Page 753: ...is dscp. The keywords have these meanings: cos: Classifies an ingress packet by using the packet CoS value. For an untagged packet, the port default CoS value is used. The default port CoS value is 0. dscp: Classifies an ingress packet by using the packet DSCP value. For a non-IP packet, the packet CoS value is used if the packet is tagged; for an untagged packet, the default port CoS is used. Internally, the s...

Page 754: ...bypasses the telephone and connects the PC directly to the switch. Without trusted boundary, the CoS labels generated by the PC are trusted by the switch (because of the trusted CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature d...

Page 755: ...ite ip dscp command, the switch does not modify the DSCP field in the incoming packet, and the DSCP field in the outgoing packet is the same as that in the incoming packet. Note: Enabling DSCP transparency does not affect the port trust settings on IEEE 802.1Q tunneling ports. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 cdp run: Enable CDP globally. By default, CDP is ...

Page 756: ...ble DSCP transparency and then enter the mls qos trust [cos | dscp] interface configuration command, DSCP transparency is still enabled. Configuring the DSCP Trust State on a Port Bordering Another QoS Domain: If you are administering two separate QoS domains between which you want to implement QoS features for IP traffic, you can configure the switch ports bordering the domains to a DSCP-trusted state as...

Page 757: ...a null map, which maps an incoming DSCP value to the same DSCP value. For dscp-mutation-name, enter the mutation map name. You can create more than one map by specifying a new name. For in-dscp, enter up to eight DSCP values separated by spaces. Then enter the to keyword. For out-dscp, enter a single DSCP value. The DSCP range is 0 to 63. Step 3 interface interface-id: Specify the port to be trusted, and enter...

Page 758: ...p-mutation gigabitethernet1/0/2-mutation
Switch(config-if)# end
Configuring a QoS Policy: Configuring a QoS policy typically requires classifying traffic into classes, configuring policies applied to those traffic classes, and attaching policies to ports. For background information, see the Classification section on page 36-5 and the Policing and Marking section on page 36-8. For configuration guidelines ...

Page 759: ...and / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} source [source-wildcard]: Create an IP standard ACL, repeating the command as many times as necessary. For access-list-number, enter the access list number. The range is 1 to 99 and 1300 to 1999. Use the permit keyword to permit a certain type of traffic if the conditions are matched. Use...

Page 760: ...er. The range is 100 to 199 and 2000 to 2699. Use the permit keyword to permit a certain type of traffic if the conditions are matched. Use the deny keyword to deny a certain type of traffic if conditions are matched. For protocol, enter the name or number of an IP protocol. Use the question mark (?) to see a list of available protocol keywords. For source, enter the network or host from which the packet is b...

Page 761: ...pecify the type of traffic to permit or deny if the conditions are matched, entering the command as many times as necessary. For src-MAC-addr, enter the MAC address of the host from which the packet is being sent. You specify this by using the hexadecimal format (H.H.H), by using the any keyword as an abbreviation for source 0.0.0, source-wildcard ffff.ffff.ffff, or by using the host keyword for source 0.0...

Page 762: ...t-number {deny | permit} protocol source source-wildcard destination destination-wildcard, or mac access-list extended name {permit | deny} {host src-MAC-addr | mask | any} {host dst-MAC-addr | dst-MAC-addr mask} [type mask]: Create an IP standard or extended ACL for IP traffic or a Layer 2 MAC ACL for non-IP traffic, repeating the command as many times as necessary. For more information, see the Classifying Traffic by Us...

Page 763: ...lass2
Switch(config-cmap)# match ip dscp 10 11 12
Switch(config-cmap)# end
Switch#
This example shows how to create a class map called class3, which matches incoming traffic with IP-precedence values of 5, 6, and 7:
Switch(config)# class-map class3
Switch(config-cmap)# match ip precedence 5 6 7
Switch(config-cmap)# end
Switch#
Step 4 match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-preceden...

Page 764: ...dence-to-DSCP map by using the mls qos map ip-prec-dscp dscp1...dscp8 global configuration command, the settings only affect packets on ingress interfaces that are configured to trust the IP precedence value. In a policy map, if you set the packet IP precedence value to a new value by using the set ip precedence new-precedence policy-map class configuration command, the egress DSCP value is not affected...

Page 765: ...name of the class map. If neither the match-all or match-any keyword is specified, the default is match-all. Note: Because only one match command per class map is supported, the match-all and match-any keywords function the same. See the Creating Named Standard and Extended ACLs section on page 34-15 for limitations when using the match-all and the match-any keywords. Step 3 policy-map policy-map-name: C...

Page 766: ...S value; for non-IP packets that are untagged, QoS derives the DSCP value by using the default port CoS value. In either case, the DSCP value is derived from the CoS-to-DSCP map. For more information, see the Configuring the CoS-to-DSCP Map section on page 36-60. Step 6 set {dscp new-dscp | ip precedence new-precedence}: Classify IP traffic by setting a new value in the packet. For dscp new-dscp, enter a new DS...

Page 767: ...itch(config-pmap-c)# police 1000000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# service-policy input flow1t
This example shows how to create a Layer 2 MAC ACL with two permit statements and attach it to an ingress port. The first permit statement allows traffic from the host with MAC address 0...

Page 768: ...ap. You can attach only one policy map per ingress port or SVI. A policy map can contain multiple class statements, each with different match criteria and actions. A separate policy-map class can exist for each type of traffic received on the SVI. If you configure the IP-precedence-to-DSCP map by using the mls qos map ip-prec-dscp dscp1...dscp8 global configuration command, the settings only affect packet...

Page 769: ...ck. When the switch stack divides into two or more switch stacks, the stack master in each switch stack re-enables and reconfigures these features on all applicable interfaces on the stack members, including the stack master. Beginning in privileged EXEC mode, follow these steps to create a hierarchical policy map. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 class-ma...

Page 770: ...efined. (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map. All match criteria in the class map must be matched. (Optional) Use the match-any keyword to perform a logical-OR of all matching statements under this class map. One or more match criteria must be matched. For class-map-name, specify the name of the class map. If neither the match-all or ma...

Page 771: ...e range is 8000 to 1000000000. For burst-byte, specify the normal burst size in bytes. The range is 8000 to 1000000. (Optional) Specify the action to take when the rates are exceeded. Use the exceed-action drop keywords to drop the packet. Use the exceed-action policed-dscp-transmit keywords to mark down the DSCP value (by using the policed-DSCP map) and to send the packet. For more information, see the Confi...

Page 772: ...the ingress packet and the IP-precedence-to-DSCP map. For non-IP packets that are tagged, QoS derives the DSCP value by using the received CoS value; for non-IP packets that are untagged, QoS derives the DSCP value by using the default port CoS value. In either case, the DSCP value is derived from the CoS-to-DSCP map. For more information, see the Configuring the CoS-to-DSCP Map section on page 36-60. Ste...

Page 773: ...ccess 101
Switch(config-cmap)# exit
Switch(config)# exit
Switch#
Switch#
This example shows how to attach the new map to an SVI:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# class-map cm-interface-1
Switch(config-cmap)# match input-interface gigabitethernet3/0/1 - gigabitethernet3/0/2
Switch(config-cmap)# exit
Switch(config)# policy-map port-plcmap
Switch(config-pmap)# cl...

Page 774: ...aggregate policer. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 mls qos aggregate-policer aggregate-policer-name rate-bps burst-byte exceed-action {drop | policed-dscp-transmit}: Define the policer parameters that can be applied to multiple traffic classes within the same policy map. By default, no aggregate policer is defined. For information on the number of policers s...

Page 775: ...itch(config-cmap)# match access-group 1
Switch(config-cmap)# exit
Switch(config)# class-map ipclass2
Switch(config-cmap)# match access-group 2
Switch(config-cmap)# exit
Switch(config)# policy-map aggflow1
Switch(config-pmap)# class ipclass1
Step 4 policy-map policy-map-name: Create a policy map by entering the policy map name, and enter policy-map configuration mode. For more information, see the Classifying, Polici...

Page 776: ...ptional); Configuring the IP-Precedence-to-DSCP Map, page 36-61 (optional); Configuring the Policed-DSCP Map, page 36-62 (optional, unless the null settings in the map are not appropriate); Configuring the DSCP-to-CoS Map, page 36-63 (optional); Configuring the DSCP-to-DSCP-Mutation Map, page 36-64 (optional, unless the null settings in the map are not appropriate). All the maps, except the DSCP-to-DSCP-mutation map, a...

Page 777: ...p to map IP precedence values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 36-13 shows the default IP-precedence-to-DSCP map. If these values are not appropriate for your network, you need to modify them. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 mls qos map cos-dscp dscp1...dscp8: Modify the CoS-to-DSC...

Page 778: ...follow these steps to modify the policed-DSCP map. This procedure is optional. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 mls qos map ip-prec-dscp dscp1...dscp8: Modify the IP-precedence-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to the IP precedence values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63. Step 3 end: Re...

Page 779: ...7 48 49
5 | 00 00 00 00 00 00 00 00 58 59
6 | 60 61 62 63
Note: In this policed-DSCP map, the marked-down DSCP values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant digit of the original DSCP. The intersection of the d1 and d2 values provides the marked-down value. For example, an original DSCP value of ...

Page 780: ... CoS map a DSCP value of 08 corresponds to a CoS value of 0 Configuring the DSCP to DSCP Mutation Map If two QoS domains have different DSCP definitions use the DSCP to DSCP mutation map to translate one set of DSCP values to match the definition of another domain You apply the DSCP to DSCP mutation map to the receiving port ingress mutation at the boundary of a QoS administrative domain With ingr...

Page 781: ...0 | 00 00 00 00 00 00 10 10
1 | 10 10 10 10 14 15 16 17 18 19
2 | 20 20 20 23 24 25 26 27 28 29
3 | 30 30 30 30 30 35 36 37 38 39
4 | 40 41 42 43 44 45 46 47 48 49
5 | 50 51 52 53 54 55 56 57 58 59
6 | 60 61 62 63
Command / Purpose
Step 1: configure terminal. Enter global configuration mode.
Step 2: mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp. Modify the DSCP-to-DSCP-mutation map. For dscp-mutation...

Page 782: ...ht need to perform all of the tasks in the next sections You will need to make decisions about these characteristics Which packets are assigned by DSCP or CoS value to each queue What drop percentage thresholds apply to each queue and which CoS or DSCP values map to each threshold How much of the available buffer space is allocated between the queues How much of the available bandwidth is allocate...

Page 783: ...pped to queue 1 and threshold 1 CoS value 5 is mapped to queue 2 and threshold 1 For queue id the range is 1 to 2 For threshold id the range is 1 to 3 The drop threshold percentage for threshold 3 is predefined It is set to the queue full state For dscp1 dscp8 enter up to eight values and separate each value with a space The range is 0 to 63 For cos1 cos8 enter up to eight values and separate each...

Page 784: ...the default setting use the no mls qos srr queue input buffers global configuration command This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the buffer space to ingress queue 2 Switch config mls qos srr queue input buffers 60 40 Allocating Bandwidth Between the Ingress Queues You need to specify how much of the available bandwidth is allocated ...

Page 785: ... the mls qos srr queue input priority queue queue id bandwidth weight global configuration command Then SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr queue input bandwidth weight1 weight2 global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos sr...

Page 786: ...e next sections You will need to make decisions about these characteristics Which packets are mapped by DSCP or CoS value to each queue and threshold ID What drop percentage thresholds apply to the queue set four egress queues per port and how much reserved and maximum memory is needed for the traffic type How much of the fixed buffer space is allocated to the queue set Does the bandwidth of the p...

Page 787: ...ueue is disabled and the SRR shaped and shared weights are configured the shaped mode overrides the shared mode for queue 1 and SRR services this queue in shaped mode If the egress expedite queue is disabled and the SRR shaped weights are not configured SRR services this queue in shared mode Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue Set You can guarantee the availab...

Page 788: ...gure the WTD thresholds guarantee the availability of buffers and configure the maximum memory allocation for the queue set four egress queues per port By default the WTD thresholds for queues 1 3 and 4 are set to 100 percent The thresholds for queue 2 are set to 200 percent The reserved thresholds for queues 1 2 3 and 4 are set to 50 percent The maximum thresholds for all queues are set to 400 pe...

Page 789: ...s the maximum memory that this queue can have before packets are dropped Switch config mls qos queue set output 2 buffers 40 20 20 20 Switch config mls qos queue set output 2 threshold 2 40 60 100 200 Switch config interface gigabitethernet1 0 1 Switch config if queue set 2 Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID You can prioritize traffic by placing packets with partic...

Page 790: ...ueue 4 and threshold 1 DSCP values 40 47 are mapped to queue 1 and threshold 1 By default CoS values 0 and 1 are mapped to queue 2 and threshold 1 CoS values 2 and 3 are mapped to queue 3 and threshold 1 CoS values 4 6 and 7 are mapped to queue 4 and threshold 1 CoS value 5 is mapped to queue 1 and threshold 1 For queue id the range is 1 to 4 For threshold id the range is 1 to 3 The drop threshold...

Page 791: ... which is 12 5 percent Switch config interface gigabitethernet2 0 1 Switch config if srr queue bandwidth shape 8 0 0 0 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port of the outbound traffic and enter interface configuration mode Step 3 srr queue bandwidth shape weight1 weight2 weight3 weight4 Assign SRR weights to the egress...

Page 792: ... and the bandwidth ratio allocated for each queue in shared mode is 1 1 2 3 4 2 1 2 3 4 3 1 2 3 4 and 4 1 2 3 4 which is 10 percent 20 percent 30 percent and 40 percent for queues 1 2 3 and 4 This means that queue 4 has four times the bandwidth of queue 1 twice the bandwidth of queue 2 and one and a third times the bandwidth of queue 3 Switch config interface gigabitethernet2 0 1 Switch config if ...

Page 793: ...meet your QoS solution Beginning in privileged EXEC mode follow these steps to limit the bandwidth on an egress port This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS on a switch Step 3 interface interface id Specify the egress port and enter interface configuration mode Step 4 priority queue out Enable the egress expedit...

Page 794: ...ps which define the match criteria to classify traffic show mls qos Display global QoS configuration information show mls qos aggregate policer aggregate policer name Display the aggregate policer configuration show mls qos input queue Display QoS settings for the ingress queues show mls qos interface interface id buffers policers queueing statistics Display QoS information at the port level inclu...

Page 795: ...36 79 Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide OL 12247 01 Chapter 36 Configuring QoS Displaying Standard QoS Information ...


Page 797: ...s in the channel without intervention This chapter also describes how to configure link state tracking Unless otherwise noted the term switch refers to a standalone switch and to a switch stack Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding EtherChannels page 37 1 ...

Page 798: ...ds of the EtherChannel in the same mode When you configure one end of an EtherChannel in either PAgP or LACP mode the system negotiates with the other end of the channel to determine which ports should become active If the remote port cannot negotiate an EtherChannel the local port is put into an independent state and continues to carry data traffic as would any other single link The port configur...

Page 799: ...king, Understanding EtherChannels. Figure 37-2 Single-Switch EtherChannel. Figure 37-3 Cross-Stack EtherChannel. [Figure content: Switch 1, Switch 2 and Switch 3 in a blade switch stack joined by StackWise Plus port connections, with channel group 1 and channel group 2 toward Switch A.]

Page 800: ...iguration command followed by the no switchport interface configuration command Then you manually assign an interface to the EtherChannel by using the channel group interface configuration command For both Layer 2 and Layer 3 ports the channel group command binds the physical port and the logical interface together as shown in Figure 37 4 Each EtherChannel has a port channel logical interface numb...

Page 801: ... ports configured in the auto or desirable modes Ports configured in the on mode do not exchange PAgP packets Both the auto and desirable modes enable ports to negotiate with partner ports to form an EtherChannel based on criteria such as port speed and for Layer 2 EtherChannels trunking state and VLAN numbers Ports can form an EtherChannel when they are in different PAgP modes as long as the mode...

Page 802: ...the auto or desirable mode Link Aggregation Control Protocol The LACP is defined in IEEE 802 3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the IEEE 802 3ad protocol LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports By using LACP the switch or switch stack learns the identity of partners capable o...

Page 803: ... without negotiations The on mode can be useful if the remote device does not support PAgP or LACP In the on mode a usable EtherChannel exists only when the switches at both ends of the link are configured in the on mode Ports that are configured in the on mode in the same channel group must have compatible port characteristics such as speed and duplex Ports that are not compatible are suspended e...

Page 804: ...incoming packet Therefore to provide load balancing packets from the same IP source address sent to different IP destination addresses could be sent on different ports in the channel But packets sent from different source IP addresses to the same destination IP address are always sent on the same port in the channel With source and destination IP address based forwarding when packets are forwarded...

Page 805: ...tion and acts accordingly Any PAgP or LACP configuration on a winning switch stack is not affected but the PAgP or LACP configuration on the losing switch stack is lost after the stack reboots With PAgP if the stack master fails or leaves the stack a new stack master is elected A spanning tree reconvergence is not triggered unless there is a change in the EtherChannel bandwidth The new stack maste...

Page 806: ...e the EtherChannel Configuration Guidelines section on page 37 11 Note After you configure an EtherChannel configuration changes applied to the port channel interface apply to all the physical ports assigned to the port channel interface and configuration changes applied to the physical port affect only the port where you apply the configuration Default EtherChannel Configuration Table 37 3 shows ...

Page 807: ...for each VLAN Spanning tree port priority for each VLAN Spanning tree Port Fast setting Do not configure a port to be a member of more than one EtherChannel group Do not configure an EtherChannel in both the PAgP and LACP modes EtherChannel groups running PAgP and LACP can coexist on the same switch or on different switches in the stack Individual EtherChannel groups can run either PAgP or LACP bu...

Page 808: ...ck partitions loops and forwarding misbehaviors can occur Configuring Layer 2 EtherChannels You configure Layer 2 EtherChannels by assigning ports to a channel group with the channel group interface configuration command This command automatically creates the port channel logical interface If you enabled PAgP on a port in the auto or desirable mode you must reconfigure it for either the on mode or...

Page 809: ...tack on Forces the port to channel without PAgP or LACP In the on mode an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not specify non silent silent...

Page 810: ...hannel It uses LACP passive mode and assigns two ports on stack member 2 and one port on stack member 3 as static access ports in VLAN 10 to channel 5 Switch configure terminal Switch config interface range gigabitethernet2 0 4 5 Switch config if range switchport mode access Switch config if range switchport access vlan 10 Switch config if range channel group 5 mode active Switch config if range e...

Page 811: ...l logical interface and enter interface configuration mode For port channel number the range is 1 to 48 Step 3 no switchport Put the interface into Layer 3 mode Step 4 ip address ip address mask Assign an IP address and subnet mask to the EtherChannel Step 5 end Return to privileged EXEC mode Step 6 show etherchannel channel group number detail Verify your entries Step 7 copy running config startu...

Page 812: ...switches in the switch stack on Forces the port to channel without PAgP or LACP In the on mode an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not s...

Page 813: ... switchport Switch config if channel group 7 mode active Switch config if exit Configuring EtherChannel Load Balancing This section describes how to configure EtherChannel load balancing by using source based or destination based forwarding methods For more information see the Load Balancing and Forwarding Methods section on page 37 7 Beginning in privileged EXEC mode follow these steps to configu...

Page 814: ...e a single port within the group for all transmissions and use other ports for hot standby The unused ports in the group can be swapped into operation in just a few seconds if the selected single port loses hardware signal detection You can configure which port is always selected for packet transmission by changing its priority with the pagp port priority interface configuration command The higher...

Page 815: ...nter global configuration mode Step 2 interface interface id Specify the port for transmission and enter interface configuration mode Step 3 pagp learn method physical port Select the PAgP learning method By default aggregation port learning is selected which means the switch sends packets to the source by using any of the ports in the EtherChannel With aggregate port learning it is not important ...

Page 816: ...d the LACP port priority to affect how the software selects active and standby links For more information see the Configuring the LACP System Priority section on page 37 20 and the Configuring the LACP Port Priority section on page 37 21 Configuring the LACP System Priority You can configure the system priority for all the EtherChannels that are enabled for LACP by using the lacp system priority g...

Page 817: ...m might have more restrictive hardware limitations all the ports that cannot be actively included in the EtherChannel are put in the hot standby state and are used only if one of the channeled ports fails Beginning in privileged EXEC mode follow these steps to configure the LACP port priority This procedure is optional To return the LACP port priority to the default value use the no lacp port prio...

Page 818: ...es to the secondary interface Figure 37 6 on page 37 23 shows a network configured with link state tracking To enable link state tracking create a link state group and specify the interfaces that are assigned to the link state group An interface can be an aggregation of ports an EtherChannel a single physical port in access or trunk mode or a routed port In a link state group these interfaces are ...

Page 819: ... the blade servers to distribution switch 2 through port channel 2 The blade servers can choose which Ethernet server interfaces are active To balance the network traffic flow some Ethernet interfaces in link state group 1 and some Ethernet interfaces in link state group 2 are active For example when half the Ethernet server interfaces connected to blade switch 1 are active and the remaining inter...

Page 820: ... the upstream interfaces lose connectivity the link states of the downstream interfaces remain unchanged The server does not recognize that upstream connectivity has been lost and does not failover to the secondary interface You can recover a downstream interface link down condition by removing the failed downstream port from the link state group To recover from multiple downstream interfaces disa...

Page 821: ...l 1 Switch config if link state group 1 upstream Switch config if end Note If the interfaces are part of an EtherChannel you must specify the port channel name as part of the link state group not the individual port members To disable a link state group use the no link state track number global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 l...

Page 822: ... group Enter the detail keyword to display detailed information about the group This is an example of output from the show link state group 1 command Switch show link state group 1 Link State Group 1 Status Enabled Down This is an example of output from the show link state group detail command Switch show link state group detail Up Interface up Dwn Interface Down Dis Interface disabled Link State ...

Page 823: ...outing and configure interfaces to forward IPv6 traffic in addition to IPv4 traffic For information about configuring IPv6 on the switch see Chapter 39 Configuring IPv6 Unicast Routing For more detailed IP unicast configuration information see the Cisco IOS IP Configuration Guide Release 12 2 For complete syntax and usage information for the commands used in this chapter see these command referenc...

Page 824: ...nter VLAN routing You configure one or more routers to route traffic to the appropriate destination VLAN Figure 38 1 shows a basic routing topology Switch A is in VLAN 10 and Switch B is in VLAN 20 The router has an interface in each VLAN Figure 38 1 Routing Topology Example When Host A in VLAN 10 needs to communicate with Host B in VLAN 10 it sends a packet addressed to that host Switch A forward...

Page 825: ...rotocols Distance vector protocols supported by the switch are Routing Information Protocol RIP which uses a single distance metric cost to determine the best path and Border Gateway Protocol BGP which adds a path vector mechanism The switch also supports the Open Shortest Path First OSPF link state protocol and Enhanced IGRP EIGRP which adds some link state routing features to traditional Interio...

Page 826: ... supports NSF capable routing for OSPF and EIGRP For more information see the OSPF NSF Capability section on page 38 28 and the EIGRP NSF Capability section on page 38 40 Upon election the new stack master performs these functions It starts generating receiving and processing routing updates It builds routing tables generates the CEF database and distributes it to stack members It uses its MAC add...

Page 827: ...hem See the Assigning IP Addresses to Network Interfaces section on page 38 7 Note A Layer 3 switch can have an IP address assigned to each routed port and SVI The number of routed ports and SVIs that you can configure is not limited by software However the interrelationship between this number and the number and volume of features being implemented might have an impact on CPU utilization because ...

Page 828: ...net-style
ARP timeout: 14400 seconds (4 hours)
IP broadcast address: 255.255.255.255 (all ones)
IP classless routing: Enabled
IP default gateway: Disabled
IP directed broadcast: Disabled (all IP directed broadcasts are dropped)
IP domain: Domain list: No domain names defined. Domain lookup: Enabled. Domain name: Enabled
IP forward-protocol: If a helper address is defined or User Datagram Protocol (UDP) flooding is co...

Page 829: ... the all ones subnet 131 108 255 0 and even though it is discouraged you can enable the use of subnet zero if you need the entire subnet space for your IP address Beginning in privileged EXEC mode follow these steps to enable subnet zero Use the no ip subnet zero global configuration command to restore the default and disable the use of subnet zero Command Purpose Step 1 configure terminal Enter g...

Page 830: ...o relieve the pressure on the rapidly depleting Class B address space In Figure 38 2 classless routing is enabled When the host sends a packet to 120 20 4 1 instead of discarding the packet the router forwards it to the best supernet route If you disable classless routing and a router receives packets destined for a subnet of a network with no network default route the router discards the packet F...

Page 831: ...ent or LAN and a network address which identifies the network to which the device belongs Note In a switch stack network communication uses a single MAC address and the IP address of the stack The local address or MAC address is known as a data link address because it is contained in the data link layer Layer 2 section of the packet header and is read by data link Layer 2 devices To communicate wi...

Page 832: ...a RARP server on the same network segment as the router interface Use the ip rarp server address interface configuration command to identify the server For more information on RARP see the Cisco IOS Configuration Fundamentals Configuration Guide Release 12 2 You can perform these tasks to configure address resolution Define a Static ARP Cache page 38 10 Set ARP Encapsulation page 38 11 Enable Prox...

Page 833: ... interface configuration mode and specify the interface to configure Step 5 arp timeout seconds Optional Set the length of time an ARP cache entry will stay in the cache The default is 14400 seconds 4 hours The range is 0 to 2147483 seconds Step 6 end Return to privileged EXEC mode Step 7 show interfaces interface id Verify the type of ARP and the timeout value used on all interfaces or a specific...

Page 834: ...RP reply packet with its own Ethernet MAC address and the host that sent the request sends the packet to the switch which forwards it to the intended host Proxy ARP treats all networks as if they are local and performs ARP requests for every IP address Proxy ARP is enabled by default To enable it after it has been disabled see the Enable Proxy ARP section on page 38 12 Proxy ARP works as long as o...

Page 835: ...ssive retransmissions The only required task for IRDP routing on an interface is to enable IRDP processing on that interface When enabled the default parameters apply You can optionally change any of these parameters Beginning in privileged EXEC mode follow these steps to enable and configure IRDP on an interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip d...

Page 836: ...s because they are Layer 2 devices forward broadcasts to all network segments thus propagating broadcast storms The best solution to the broadcast storm problem is to use a single broadcast address scheme on a network In most modern IP implementations you can set the address to be used as the broadcast address Many implementations including the one in the switch support several addressing schemes ...

Page 837: ...st to physical broadcasts Use the no ip forward protocol global configuration command to remove a protocol or port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interface to configure Step 3 ip directed broadcast access list number Enable directed broadcast to physical broadcast translation...

Page 838: ... IP Command Reference Volume 1 of 3 Addressing and Services Release 12 2 lists the ports that are forwarded by default if you do not specify any UDP ports If you do not specify any UDP ports when you configure the forwarding of UDP broadcasts you are configuring the router to act as a BOOTP forwarding agent BOOTP packets carry DHCP information Beginning in privileged EXEC mode follow these steps t...

Page 839: ...ets must meet these criteria Note that these are the same conditions used to consider packet forwarding using IP helper addresses The packet must be a MAC level broadcast The packet must be an IP level broadcast The packet must be a TFTP DNS Time NetBIOS ND or BOOTP packet or a UDP specified by the ip forward protocol udp global configuration command The time to live TTL value of the packet must b...

Page 840: ...nds Table 38 2 lists the commands for clearing contents You can display specific statistics such as the contents of IP routing tables caches and databases the reachability of nodes and the routing path that packets are taking through the network Table 38 3 lists the privileged EXEC commands for displaying IP statistics Command Purpose Step 1 configure terminal Enter global configuration mode Step ...

Page 841: ...pped to TCP ports aliases show ip arp Display the IP ARP cache show ip interface interface id Display the IP status of interfaces show ip irdp Display IRDP values show ip masks address Display the masks used for network addresses and the number of subnets using each mask show ip redirects Display the address of a default gateway show ip route address mask protocol Display the current state of the ...

Page 842: ...n updates advertisements every 30 seconds If a router does not receive an update from another router for 180 seconds or more it marks the routes served by that router as unusable If there is still no update after 240 seconds the router removes all routing table entries for the non updating router RIP uses hop counts to rate the value of different routes The hop count is the number of routers that ...

Page 843: ... translations
IP RIP authentication key chain: No authentication. Authentication mode: clear text
IP RIP receive version: According to the version router configuration command
IP RIP send version: According to the version router configuration command
IP RIP triggered: According to the version router configuration command
IP split horizon: Varies with media
Neighbor: None defined
Network: None specified
Off...

Page 844: ...default is 240 seconds Step 8 version 1 2 Optional Configure the switch to receive and send only RIP Version 1 or RIP Version 2 packets By default the switch receives Version 1 and 2 but sends only Version 1 You can also use the interface commands ip rip send receive version 1 2 1 2 to control what versions are used for sending and receiving on interfaces Step 9 no auto summary Optional Disable au...

Page 845: ...ntication use the no ip rip authentication mode interface configuration command To prevent authentication use the no ip rip authentication key chain interface configuration command Configuring Summary Addresses and Split Horizon Routers connected to broadcast type IP networks and using distance vector routing protocols normally use the split horizon mechanism to reduce the possibility of routing l...

Page 846: ...ing the ip address interface configuration command Note If split horizon is enabled neither autosummary nor interface summary addresses those configured with the ip summary address rip router configuration command are advertised Switch config router rip Switch config router interface gigabitethernet1 0 2 Switch config if ip address 10 1 5 1 255 255 255 0 Switch config if ip summary address rip 10 ...

Page 847: ...o broadcast nonbroadcast and point to point networks The switch supports broadcast Ethernet Token Ring and FDDI and point to point networks Ethernet interfaces configured as point to point links OSPF is an Interior Gateway Protocol IGP designed expressly for IP networks supporting IP subnetting and tagging of externally derived routing information OSPF also allows packet authentication and uses IP...

Page 848: ...to multiple areas and autonomous system boundary routers ASBRs The minimum configuration would use all default parameter values no authentication and interfaces assigned to areas If you customize your environment you must ensure coordinated configuration of all routers These sections contain this configuration information Default OSPF Configuration page 38 26 Configuring Basic OSPF Parameters page...

Page 849: ... is 10, and the external route type default is Type 2.
Default metric: Built-in, automatic metric translation, as appropriate for each routing protocol
Distance OSPF: dist1 (all routes within an area): 110; dist2 (all routes from one area to another): 110; dist3 (routes from other routing domains): 110
OSPF database filter: Disabled. All outgoing link-state advertisements (LSAs) are flooded to the interface
IP OSP...

Page 850: ...www cisco com en US products ps6350 products_configuration_guide_chapter09186a00804557 a8 html OSPF NSF Capability The IP services feature set also supports OSPF NSF capable routing for IPv4 for better convergence and lower traffic loss following a stack master change When a stack master change occurs in an OSPF NSF capable stack the new stack master must do two things to resynchronize its link st...

Page 851: ...pf privileged EXEC command to verify that it is enabled For more information about this feature see the Cisco Nonstop Forwarding Feature Overview at this URL http www cisco com en US products sw iosswrel ps1829 products_feature_guide09186a00800ab7fc html Note NSF is not supported on interfaces configured for Hot Standby Router Protocol HSRP Configuring Basic OSPF Parameters Enabling OSPF requires ...

Page 852: ... retransmit-interval seconds. (Optional) Specify the number of seconds between link-state advertisement transmissions. The range is 1 to 65535 seconds. The default is 5 seconds. Step 5: ip ospf transmit-delay seconds. (Optional) Set the estimated number of seconds to wait before sending a link-state update packet. The range is 1 to 65535 seconds. The default is 1 second. Step 6: ip ospf priority number. (Optional) ...

Page 853: ...e. The OSPF area router configuration commands are all optional. Beginning in privileged EXEC mode, follow these steps to configure area parameters. Step 11: ip ospf database-filter all out. (Optional) Block flooding of OSPF LSA packets to the interface. By default, OSPF floods new LSAs over all interfaces in the same area, except the interface on which the LSA arrives. Step 12: end. Return to privileged EXEC m...

Page 854: ...es an autonomous system boundary router (ASBR). You can force the ASBR to generate a default route into the OSPF routing domain. Domain Name Server (DNS) names for use in all OSPF show privileged EXEC command displays makes it easier to identify a router than displaying it by router ID or neighbor ID. Step 5: area area-id stub [no-summary]. (Optional) Define an area as a stub area. The no-summary keyword preven...

Page 855: ...e trusted at all and should be ignored. OSPF uses three different administrative distances: routes within an area (interarea), routes to another area (interarea), and routes from another routing domain learned through redistribution (external). You can change any of the distance values. Passive interfaces: Because interfaces between two devices on an Ethernet represent only one network segment, to prevent OSPF ...

Page 856: ...name lookup. The default is disabled. Step 7: ip auto-cost reference-bandwidth ref-bw. (Optional) Specify an address range for which a single route will be advertised. Use this command only with area border routers. Step 8: distance ospf inter-area dist1 inter-area dist2 external dist3. (Optional) Change the OSPF distance values. The default distance for each type of route is 110. The range is 1 to 255. Step 9: p...

Page 857: ...all its routing information out its interfaces. If a loopback interface is configured with an IP address, OSPF uses this IP address as its router ID, even if other interfaces have higher IP addresses. Because loopback interfaces never fail, this provides greater stability. OSPF automatically prefers a loopback interface over other interfaces, and it chooses the highest IP address among all loopback inter...

Page 858: ...idth of your network is 15 hops. Because the EIGRP metric is large enough to support thousands of hops, the only barrier to expanding the network is the transport-layer hop counter. EIGRP increments the transport control field only when an IP packet has traversed 15 routers and the next hop to the destination was learned through EIGRP. When a RIP route is used as the next hop to the destination, the tr...

Page 859: ...et need not be acknowledged. Other types of packets, such as updates, require acknowledgment, which is shown in the packet. The reliable transport has a provision to send multicast packets quickly when there are unacknowledged packets pending. Doing so helps ensure that convergence time remains low in the presence of varying-speed links. The DUAL finite state machine embodies the decision process for all...

Page 860: ...e redistributed without a default metric. The metric includes: Bandwidth: 0 or greater kb/s. Delay (tens of microseconds): 0 or any positive number that is a multiple of 39.1 nanoseconds. Reliability: any number between 0 and 255 (255 means 100 percent reliability). Loading: effective bandwidth as a number between 0 and 255 (255 is 100 percent loading). MTU: maximum transmission unit size of the route in bytes, 0 o...

Page 861: ...ing router is NSF-capable, the Layer 3 switch continues to forward packets from the neighboring router during the interval between the primary Route Processor (RP) in a router failing and the backup RP taking over, or while the primary RP is manually reloaded for a nondisruptive software upgrade. This feature cannot be disabled. For more information on this feature, see the EIGRP Nonstop Forwarding (NSF) A...

Page 862: ...rker in the last update packet to mark the end of the table content. The stack master recognizes the convergence when it receives the EOT marker, and it then begins sending updates. When the stack master has received all EOT markers from its neighbors, or when the NSF converge timer expires, EIGRP notifies the routing information database (RIB) of convergence and floods its topology table to all NSF-awar...

Page 863: ... limit the offset list with an access list or an interface. Step 8: no auto-summary. (Optional) Disable automatic summarization of subnet routes into network-level routes. Step 9: ip summary-address eigrp autonomous-system-number address mask. (Optional) Configure a summary aggregate. Step 10: end. Return to privileged EXEC mode. Step 11: show ip protocols. Verify your entries. Step 12: show ip protocols. Verify you...

Page 864: ...ot adjust the hold time without consulting Cisco technical support. Step 7: no ip split-horizon eigrp autonomous-system-number. (Optional) Disable split horizon to allow route information to be advertised by a router out any interface from which that information originated. Step 8: end. Return to privileged EXEC mode. Step 9: show ip eigrp interface. Display which interfaces EIGRP is active on and informatio...

Page 865: ... switch. The switch responds to all queries for summaries, connected routes, and routing updates. Any neighbor that receives a packet informing it of the stub status does not query the stub router for any routes, and a router that has a stub peer does not query that peer. The stub router depends on the distribution router to send the proper updates to all peers. In Figure 38-4, Switch B is configured as a...

Page 866: ... made up of routers that operate under the same administration and that run Interior Gateway Protocols (IGPs), such as RIP or OSPF, within their boundaries and that interconnect by using an Exterior Gateway Protocol (EGP). BGP Version 4 is the standard EGP for interdomain routing in the Internet. The protocol is defined in RFCs 1163, 1267, and 1771. You can find detailed information about BGP in Internet Rou...

Page 867: ...l TCP as its transport protocol, specifically port 179. Two BGP speakers that have a TCP connection to each other for exchanging routing information are known as peers or neighbors. In Figure 38-5, Routers A and B are BGP peers, as are Routers B and C and Routers C and D. The routing information is a series of AS numbers that describe the full path to the destination network. BGP uses this information to...

Page 868: ...ses within BGP and supports the advertising of IP prefixes. These sections contain this configuration information: Default BGP Configuration, page 38-46; Enabling BGP Routing, page 38-49; Managing Routing Policy Changes, page 38-51; Configuring BGP Decision Attributes, page 38-53; Configuring BGP Filtering with Route Maps, page 38-55; Configuring BGP Filtering by Neighbor, page 38-55; Configuring Prefix Lists f...

Page 869: ...mpening: Disabled by default. When enabled: Half-life is 15 minutes. Re-use is 750 (10-second increments). Suppress is 2000 (10-second increments). Max-suppress time is 4 times half-life (60 minutes). BGP router ID: The IP address of a loopback interface if one is configured, or the highest IP address configured for a physical interface on the router. Default information originate (protocol or network redistributi...

Page 870: ...t-hop router as next hop for BGP neighbor: Disabled. Password: Disabled. Peer group: None defined; no members assigned. Prefix list: None specified. Remote AS (add entry to neighbor BGP table): No peers defined. Private AS number removal: Disabled. Route maps: None applied to a peer. Send community attributes: None sent to neighbors. Shutdown or soft reconfiguration: Not enabled. Timers: keepalive 60 seconds, holdtime 1...

Page 871: ...ivate-as router configuration command. Then, when an update is passed to an external neighbor, if the AS path includes private AS numbers, these numbers are dropped. If your AS will be passing traffic through it from another AS to a third AS, it is important to be consistent about the routes it advertises. If BGP advertised a route before all routers in the network had learned about the route through the...

Page 872: ...he connection. For IBGP, the IP address can be the address of any of the router interfaces. Step 6: neighbor {ip-address | peer-group-name} remove-private-as. (Optional) Remove private AS numbers from the AS path in outbound routing updates. Step 7: no synchronization. (Optional) Disable synchronization between BGP and an IGP. Step 8: no auto-summary. (Optional) Disable automatic network summarization. By default, when ...

Page 873: ...umber increments. A table version number that continually increments means that a route is flapping, causing continual routing updates. For exterior protocols, a reference to an IP network from the network router configuration command controls only which networks are advertised. This is in contrast to Interior Gateway Protocols (IGPs), such as EIGRP, which also use the network command to specify where to s...

Page 874: ...BGP, IP, and FIB tables provided by the neighbor are lost. Not recommended. Outbound soft reset: No configuration, no storing of routing table updates. Does not reset inbound routing table updates. Dynamic inbound soft reset: Does not clear the BGP session and cache. Does not require storing of routing table updates and has no memory overhead. Both BGP routers must support the route refresh capability in Cis...

Page 875: ...d in routing updates. By default, the weight attribute is 32768 for paths that the router originates and zero for other paths. Routes with the largest weight are preferred. You can use access lists, route maps, or the neighbor weight router configuration command to set weights. 3. Prefer the route with the highest local preference. Local preference is part of the routing update and exchanged among routers ...

Page 876: ...e range is 1 to 4294967295. The lowest value is the most desirable. Step 7: bgp bestpath med missing-as-worst. (Optional) Configure the switch to consider a missing MED as having a value of infinity, making the path without a MED value the least desirable path. Step 8: bgp always-compare-med. (Optional) Configure the switch to compare MEDs for paths from neighbors in different autonomous systems. By default, ME...

Page 877: ...ng and Processing in Routing Updates section on page 38-93 for information about the distribute-list command. You can use route maps on a per-neighbor basis to filter updates and to modify various attributes. A route map can be applied to either inbound or outbound updates. Only the routes that pass the route map are sent or accepted in updates. On both inbound and outbound updates, matching is support...

Page 878: ...mand, Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: router bgp autonomous-system. Enable a BGP routing process, assign it an AS number, and enter router configuration mode. Step 3: neighbor {ip-address | peer-group-name} distribute-list {access-list-number | name} {in | out}. (Optional) Filter BGP routing updates to or from neighbors, as specified in an access list. Note: You can also use the n...

Page 879: ...ot need to specify a sequence number when removing a configuration entry. Show commands include the sequence numbers in their output. Before using a prefix list in a command, you must set up the prefix list. Beginning in privileged EXEC mode, follow these steps to create a prefix list or to add an entry to a prefix list. To delete a prefix list and all of its entries, use the no ip prefix-list list-name ...

Page 880: ...o accept, prefer, or distribute to other neighbors. A BGP speaker can set, append, or modify the community of a route when learning, advertising, or redistributing routes. When routes are aggregated, the resulting aggregate has a COMMUNITIES attribute that contains all communities from all the initial routes. You can use community lists to create groups of communities to use in a match clause of a route map...

Page 881: ...ving all the configuration information by using the neighbor shutdown router configuration command. Beginning in privileged EXEC mode, use these commands to configure BGP peers. Step 5: set comm-list list-num delete. (Optional) Remove communities from the community attribute of an inbound or outbound update that match a standard or extended community list specified by a route map. Step 6: exit. Return to gl...

Page 882: ...ed. The default is 75 percent. Step 14: neighbor {ip-address | peer-group-name} next-hop-self. (Optional) Disable next-hop processing on the BGP updates to a neighbor. Step 15: neighbor {ip-address | peer-group-name} password string. (Optional) Set MD5 authentication on a TCP connection to a BGP peer. The same password must be configured on both BGP peers, or the connection between them is not made. Step 16: neighbor ip...

Page 883: ...le. Command, Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: router bgp autonomous-system. Enter BGP router configuration mode. Step 3: aggregate-address address mask. Create an aggregate entry in the BGP routing table. The aggregate route is advertised as coming from the AS, and the atomic aggregate attribute is set to indicate that information might be missing. St...

Page 884: ...e it to all internal neighbors. To prevent a routing information loop, all IBGP speakers must be connected. The internal neighbors do not send routes learned from internal neighbors to other internal neighbors. With route reflectors, all IBGP speakers need not be fully meshed, because another method is used to pass learned routes to neighbors. When you configure an internal BGP peer to be a route reflect...

Page 885: ...edly available, then unavailable, then available, then unavailable, and so on. When route dampening is enabled, a numeric penalty value is assigned to a route when it flaps. When a route's accumulated penalties reach a configurable limit, BGP suppresses advertisements of the route, even if the route is running. The reuse limit is a configurable value that is compared with the penalty. If the penalty is less ...

Page 886: ...ing Protocols, Release 12.2. Command, Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: router bgp autonomous-system. Enter BGP router configuration mode. Step 3: bgp dampening. Enable BGP route dampening. Step 4: bgp dampening half-life reuse suppress max-suppress [route-map map]. (Optional) Change the default values of route dampening factors. Step 5: end. Return to privileged EXEC mode. St...

Page 887: ...oups and peers not in peer groups to which the prefix has been advertised. Also display prefix attributes such as the next hop and the local prefix. show ip bgp cidr-only: Display all BGP routes that contain subnet and supernet network masks. show ip bgp community community-number [exact]: Display routes that belong to the specified communities. show ip bgp community-list community-list-number [exact-match...

Page 888: ...ccess to the service provider network over a data link to one or more provider edge routers. The CE device advertises the site's local routes to the router and learns the remote VPN routes from it. A switch can be a CE. Provider edge (PE) routers exchange routing information with CE devices by using static routing or a routing protocol such as BGP, RIPv2, OSPF, or EIGRP. The PE is only required to maintain...

Page 889: ...uish the VRFs during processing. For each new VPN route learned, the Layer 3 setup function retrieves the policy label by using the VLAN ID of the ingress port and inserts the policy label and new route to the multi-VRF CE routing section. If the packet is received from a routed port, the port internal VLAN ID number is used; if the packet is received from an SVI, the VLAN number is used. This is the pac...

Page 890: ...vices or advanced IP services feature set enabled on your switch. These are considerations when configuring VRF in your network: A switch with multi-VRF CE is shared by multiple customers, and each customer has its own routing table. Because customers use different VRF tables, the same IP addresses can be reused. Overlapped IP addresses are allowed in different VPNs. Multi-VRF CE lets multiple customers ...

Page 891: ...ication Protocol (WCCP) is enabled on an interface, and the reverse. Configuring VRFs. Beginning in privileged EXEC mode, follow these steps to configure one or more VRFs. For complete syntax and usage information for the commands, see the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2. Command, Purpose. Step 1: configure terminal. Enter global con...

Page 892: ...ervices have the following characteristics: The user can ping a host in a user-specified VRF. ARP entries are learned in separate VRFs. The user can display Address Resolution Protocol (ARP) entries for specific VRFs. These services are VRF-Aware: ARP, Ping, Simple Network Management Protocol (SNMP), Hot Standby Router Protocol (HSRP), Unicast Reverse Path Forwarding (uRPF), Syslog, Traceroute, FTP and TFTP, User Inte...

Page 893: ... Release 12.2. Command, Purpose. ping vrf vrf-name ip host: Display the ARP table in the specified VRF. Command, Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: snmp-server trap authentication vrf. Enable SNMP traps for packets on a VRF. Step 3: snmp-server engineID remote host vrf vpn-instance engine-id-string. Configure a name for the remote SNMP engine on a switch. Step 4: snmp-ser...

Page 894: ... privileged EXEC mode. Command, Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Enter interface configuration mode and specify the Layer 3 interface to configure. Step 3: no switchport. Remove the interface from Layer 2 configuration mode if it is a physical interface. Step 4: ip vrf forwarding vrf-name. Configure VRF on the interface. Step 5: ...

Page 895: ...ior. That is, you can use the source-interface CLI to send packets out a particular interface even if no VRF is configured on that interface. To specify the source IP address for FTP connections, use the ip ftp source-interface show mode command. To use the address of the interface where the connection is made, use the no form of this command. To specify the IP address of an interface as the source addre...

Page 896: ...S number and an arbitrary number (xxx:y) or an IP address and an arbitrary number (A.B.C.D:y). Step 5: route-target {export | import | both} route-target-ext-community. Create a list of import, export, or import and export route-target communities for the specified VRF. Enter either an AS system number and an arbitrary number (xxx:y) or an IP address and an arbitrary number (A.B.C.D:y). The route-target-ext-community ...

Page 897: ...k address. Step 6: end. Return to privileged EXEC mode. Step 7: show ip ospf process-id. Verify the configuration of the OSPF network. Step 8: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command, Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: router bgp autonomous-system-number. Configure the BGP routing process with the AS number passed ...

Page 898: ...tions. The examples following the illustration show how to configure a switch as CE Switch A, and the VRF configuration for customer switches D and F. Commands for configuring CE Switch C and the other customer switches are not included, but would be similar. The example also includes commands for configuring traffic to Switch A for a Catalyst 6000 or Catalyst 6500 switch acting as a PE router. Figure 3...

Page 899: ...fig)# interface loopback2
Switch(config-if)# ip vrf forwarding v12
Switch(config-if)# ip address 8.8.2.8 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/5
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# no ip address
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/8
Switch(config-if)# switchport a...

Page 900: ... Switch(config-router)# address-family ipv4 vrf vl2
Switch(config-router-af)# redistribute ospf 2 match internal
Switch(config-router-af)# neighbor 83.0.0.3 remote-as 100
Switch(config-router-af)# neighbor 83.0.0.3 activate
Switch(config-router-af)# network 8.8.2.0 mask 255.255.255.0
Switch(config-router-af)# exit
Switch(config-router)# address-family ipv4 vrf vl1
Switch(config-router-af)# redistribute ospf 1 mat...

Page 901: ...A
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip vrf v1
Router(config-vrf)# rd 100:1
Router(config-vrf)# route-target export 100:1
Router(config-vrf)# route-target import 100:1
Router(config-vrf)# exit
Router(config)# ip vrf v2
Router(config-vrf)# rd 100:2
Router(config-vrf)# route-target export 100:2
Router(config-vrf)# route-target import 100:2
Router(config...

Page 902: ...ofed IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. For example, a number of common types of denial-of-service (DoS) attacks, including Smurf and Tribal Flood Network (TFN), can take advantage of forged or rapidly changing source IP addresses to allow attackers to thwart efforts to locate or filter the attacks. For Internet service providers (ISPs) that ...

Page 903: ...warding. In a switch stack, the hardware uses distributed CEF (dCEF) in the stack. In dynamic networks, fast-switching cache entries are frequently invalidated because of routing changes, which can cause traffic to be process-switched using the routing table, instead of fast-switched using the route cache. CEF and dCEF use the Forwarding Information Base (FIB) lookup table to perform destination-based switch...

Page 904: ...term parallel path is another way to see occurrences of equal-cost routes in a routing table. If a router has two or more equal-cost paths to a network, it can use them concurrently. Parallel paths provide redundancy in case of a circuit failure and also enable a router to load-balance packets over the available paths for more efficient use of available bandwidth. Equal-cost routes are supported acros...

Page 905: ... configuration command to remove a static route. The switch retains static routes until you remove them. However, you can override static routes with dynamic routing information by assigning administrative distance values. Each dynamic routing protocol has a default administrative distance, as listed in Table 38-14. If you want a static route to be overridden by information from a dynamic routing protoc...

Page 906: ...bility, you can use some routers as smart routers and give the remaining routers default routes to the smart router. Smart routers have routing table information for the entire internetwork. These default routes can be dynamically learned or can be configured in the individual routers. Most dynamic interior routing protocols include a mechanism for causing a smart router to generate dynamic default in...

Page 907: ...ortion of a route map. The match command specifies that a criterion must be matched. The set command specifies an action to be taken if the routing update meets the conditions defined by the match command. Although redistribution is a protocol-independent feature, some of the match and set route-map configuration commands are specific to a particular protocol. One or more match commands and one or more...

Page 908: ...e. Step 3: match as-path path-list-number. Match a BGP AS path access list. Step 4: match community-list community-list-number [exact]. Match a BGP community list. Step 5: match ip address {access-list-number | access-list-name} [...access-list-number | ...access-list-name]. Match a standard access list by specifying the name or number. It can be an integer from 1 to 199. Step 6: match metric metric-value. Match the specified...

Page 909: ...95. Step 18: set metric bandwidth delay reliability loading mtu. Set the metric value to give the redistributed routes (for EIGRP only): bandwidth: Metric value or IGRP bandwidth of the route in kilobits per second in the range 0 to 4294967295. delay: Route delay in tens of microseconds in the range 0 to 4294967295. reliability: Likelihood of successful packet transmission expressed as a number between 0 and...

Page 910: ...n specify and implement routing policies that allow or deny paths based on: Identity of a particular end system; Application; Protocol. You can use PBR to provide equal-access and source-sensitive routing, routing based on interactive versus batch traffic, or routing based on dedicated links. For example, you could transfer stock records to a corporate office on a high-bandwidth, high-cost link for a short...

Page 911: ...nds and keywords, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of PBR commands that are visible but not supported by the switch, see Appendix C, Unsupported Commands in Cisco IOS Release 12.2(40)EX. PBR configuration is applied to the whole stack, and all switches use the stack master configuration. Note: This software release does not support Policy-Base...

Page 912: ...mutation maps and PBR route maps to the same interface. You cannot configure DSCP transparency and PBR DSCP route maps on the same switch. When you configure PBR with QoS DSCP, you can set QoS to be enabled by entering the mls qos global configuration command or disabled by entering the no mls qos command. When QoS is enabled, to ensure that the DSCP value of the traffic is unchanged, you should configu...

Page 913: ...itted by one or more standard or extended access lists. Note: Do not enter an ACL with a deny ACE or an ACL that permits a packet destined for a local address. If you do not specify a match command, the route map applies to all packets. Step 4: set ip next-hop ip-address [...ip-address]. Specify the action to take on the packets that match the criteria. Set next hop to which to route the packet (the next hop mu...

Page 914: ...her sent nor received through the specified router interface. In networks with many interfaces, to avoid having to manually set them as passive, you can set all interfaces to be passive by default by using the passive-interface default router configuration command and manually setting interfaces where adjacencies are desired. Beginning in privileged EXEC mode, follow these steps to configure passive in...

Page 915: ...feature does not apply to OSPF. Beginning in privileged EXEC mode, follow these steps to control the advertising or processing of routing updates. Use the no distribute-list in router configuration command to change or cancel a filter. To cancel suppression of network advertisements in updates, use the no distribute-list out router configuration command. Filtering Sources of Routing Information. Because ...

Page 916: ... key identifier specified with the key number key-chain configuration command, which is stored locally. The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and Message Digest 5 (MD5) authentication key in use. You can configure multiple keys with lifetimes. Only one authentication packet is sent, regardless of how many vali...

Page 917: ...h the key can be received. The start-time and end-time syntax can be either hh:mm:ss Month date year or hh:mm:ss date Month year. The default is forever, with the default start-time and the earliest acceptable date as January 1, 1993. The default end-time and duration is infinite. Step 6: send-lifetime start-time {infinite | end-time | duration seconds}. (Optional) Specify the time period during which the key can...

Page 918: ... Monitoring and Maintaining the IP Network. show ip route supernets-only: Display supernets. show ip cache: Display the routing table used to switch IP traffic. show route-map [map-name]: Display all route maps configured or only the one specified. Table 38-15: Commands to Clear IP Routes or Display Route Status (continued). Command, Purpose. ...

Page 919: ...lso configure a switch database management SDM template to a dual IPv4 and IPv6 template See the SDM Templates section on page 39 11 Unless otherwise noted the term switch refers to a standalone switch and to a switch stack Note For complete syntax and usage information for the commands used in this chapter see the Cisco IOS documentation referenced in the procedures This chapter consists of these...

Page 920: ...mplements IPv6 go to this URL http www cisco com warp public 732 Tech ipv6 This section describes IPv6 implementation on the switch These sections are included IPv6 Addresses page 39 2 Supported IPv6 Unicast Routing Features page 39 3 Unsupported IPv6 Unicast Routing Features page 39 9 Limitations page 39 9 IPv6 and Switch Stacks page 39 10 SDM Templates page 39 11 IPv6 Addresses IPv6 supports thr...

Page 921: ...are parsing of the extension header The switch supports hop by hop extension header packets which are routed or bridged in software The switch provides IPv6 routing capability over native Ethernet Inter Switch Link ISL or 802 1Q trunk ports for static routes Routing Information Protocol RIP for IPv6 RFC 2080 and Open Shortest Path First OSPF Version 3 protocol RFC 2740 It supports up to 16 equal c...

Page 922: ...TU to IPv6 nodes and path MTU discovery Path MTU discovery RFC 1981 allows a host to dynamically discover and adjust to differences in the MTU size of every link along a given data path In IPv6 if a link along the path is not large enough to accommodate the packet size the source of the packet handles the fragmentation The switch does not support path MTU discovery for multicast packets ICMPv6 The...

Page 923: ...rver access over IPv6 transport DNS resolver for AAAA over IPv4 transport Cisco Discovery Protocol CDP support for IPv6 addresses For more information about managing these applications with Cisco IOS see the Managing Cisco IOS Applications over IPv6 chapter in the Cisco IOS IPv6 Configuration Library at this URL http www cisco com en US products sw iosswrel ps5187 products_configuration_guide_chap...

Page 924: ...thernet 0 however to do so it must also meet the following conditions IPv6 unicast packet forwarding is enabled IPv6 is enabled by issuing the ipv6 enable command on the interface or on a global IPv6 address The interface has its line protocol running The router process is running The router process has a router ID EIGRP IPv6 can be configured on an interface However after being configured on an i...

Page 925: ...th that may be used by EIGRP IPv6 on an interface ipv6 hello interval eigrp as number seconds Configures the hello interval for the EIGRP IPv6 routing process designated by an autonomous system number ipv6 hold time eigrp as number seconds Configures the hold time for a particular EIGRP IPv6 routing process designated by the autonomous system number ipv6 next hop self eigrp as number Informs the E...

Page 926: ...eceive only static summary redstributed Configures a router as a stub using EIGRP timers active time time limit disabled Adjusts routing wait time variance multiplier Controls load balancing in an internetwork based on EIGRP Table 39 2 EIGRP IPv6 Router mode Commands continued Command Purpose Table 39 3 EIGRP IPv6 Show and Debug Commands Command Purpose show ipv6 eigrp as number interface Displays...

Page 927: ...4 tunneling protocols IPv6 unicast reverse path forwarding IPv6 general prefixes Limitations Because IPv6 is implemented in hardware in the switch some limitations occur due to the use of IPv6 compressed addresses in the hardware memory These hardware limitations result in some loss of functionality and limits some features These are feature limitations Load balancing using equal cost and unequal ...

Page 928: ...k master the new master recomputes the IPv6 routing tables and distributes them to the member switches While the new stack master is elected and is resetting the switch stack does not forward IPv6 packets If a new switch becomes the stack master the stack MAC address also changes When the IPv6 address of the stack is specified with an extended universal identifier EUI by using the ipv6 address ipv...

Page 929: ...configuration command For more information about SDM templates see Chapter 8 Configuring SDM Templates You can select SDM templates to support IP Version 6 IPv6 The dual IPv4 and IPv6 templates allow the switch to be used in dual stack environments supporting both IPv4 and IPv6 Note If you try to configure IPv6 without first selecting a dual IPv4 and IPv6 template a warning message is generated In...

Page 930: ...g configuration information Default IPv6 Configuration page 39 13 Configuring IPv6 Addressing and Enabling IPv6 Routing page 39 13 Configuring IPv4 and IPv6 Protocol Stacks page 39 15 Configuring IPv6 ICMP Rate Limiting page 39 17 Configuring CEF and dCEF for IPv6 page 39 17 Configuring Static Routing for IPv6 page 39 18 Configuring RIP for IPv6 page 39 20 Configuring OSPF for IPv6 page 39 22 Tabl...

Page 931: ...cal address and activates IPv6 for the interface The configured interface automatically joins these required multicast groups for that link solicited node multicast group FF02 0 0 0 0 1 ff00 104 for each unicast address assigned to the interface this address is used in the neighbor discovery process all nodes link local multicast group FF02 1 all routers link local multicast group FF02 2 Note Befo...

Page 932: ...interface configuration mode and specify the Layer 3 interface to configure The interface can be a physical interface a switch virtual interface SVI or a Layer 3 EtherChannel Step 7 no switchport Remove the interface from Layer 2 configuration mode if it is a physical interface Step 8 ipv6 address ipv6 prefix prefix length eui 64 or ipv6 address ipv6 address link local or ipv6 enable Specify a glo...

Page 933: ...et is 2001 0DB8 c18 1 64 EUI Joined group address es FF02 1 FF02 2 FF02 1 FF2F D940 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisements are se...

Page 934: ... ipv6 address 2001 0DB8 c18 1 64 eui 64 Switch config if end Step 4 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 5 no switchport Remove the interface from Layer 2 configuration mode if it is a physical interface Step 6 ip address ip address mask secondary Specify a primary or secondary IPv4 address for the interface Step 7 ipv6 addre...

Page 935: ...al global configuration command. This example shows how to configure an IPv6 ICMP error message interval of 50 milliseconds and a bucket size of 20 tokens:

Switch(config)# ipv6 icmp error-interval 50 20

Configuring CEF and dCEF for IPv6

Cisco Express Forwarding (CEF) is a Layer 3 IP switching technology used to optimize network performance. CEF implements an advanced IP look-up and forwarding algorithm t...

Page 936: ...rface The packet destination is used as the next hop address A directly attached static route is valid only when the specified interface is IPv6 enabled and is up Recursive static routes Only the next hop is specified and the output interface is derived from the next hop A recursive static route is valid only when the specified next hop results in a valid IPv6 output interface the route does not s...

Page 937: ...y connected recursion is done to find the IPv6 address of the directly connected next hop The address must be in the form documented in RFC 2373 specified in hexadecimal using 16 bit values between colons interface id Specify direct static routes from point to point and broadcast interfaces With point to point interfaces there is no need to specify the IPv6 address of the next hop With broadcast i...

Page 938: ...RIP learns the same route from two different neighbors but with different costs it stores only the lowest cost route in the local RIB The RIB also stores any expired routes that the RIP process is advertising to its neighbors that are running RIP If the same route is learned from a different routing protocol with a better administrative distance than IPv6 RIP the RIP route is not added to the IPv6...

Page 939: ...er router configuration mode for the process Step 3 maximum paths number paths Optional Define the maximum number of equal cost routes that IPv6 RIP can support The range is from 1 to 64 and the default is four paths Step 4 exit Return to global configuration mode Step 5 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 6 ipv6 rip name en...

Page 940: ...Version 2 interfaces are indirectly enabled by using router configuration mode In IPv6 you can configure many address prefixes on an interface All address prefixes configured on an interface are included by default you cannot select a subset of address prefixes to import Unlike OSPF Version 2 multiple instances of IPv6 can run on a link OSPF Version 2 uses the 32 bit IPv4 address configured on the...

Page 941: ... Optional Set the address range status to advertise and generate a Type 3 summary link state advertisement LSA not advertise Optional Set the address range status to DoNotAdvertise The Type 3 summary LSA is suppressed and component networks remain hidden from other networks cost cost Optional Metric or cost for this summary route which is used during OSPF SPF calculation to determine the shortest ...

Page 942: ... 3FFE C000 0 1 20B 46FF FE2F D940 subnet is 3FFE C000 0 1 64 EUI Joined group address es FF02 1 FF02 2 FF02 1 FF2F D940 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 millisec...

Page 943: ...0B 46FF FE2F D94B 128 receive 3FFE C000 16A 1 64 attached to Loopback10 3FFE C000 16A 1 20B 46FF FE2F D900 128 receive output truncated This is an example of the output from the show ipv6 protocols privileged EXEC command Switch show ipv6 protocols IPv6 Routing Protocol is connected IPv6 Routing Protocol is static IPv6 Routing Protocol is rip fer Interfaces Vlan6 GigabitEthernet2 0 4 GigabitEthern...

Page 944: ...NSSA ext 1 ON2 OSPF NSSA ext 2 S 0 1 0 via 3FFE C000 0 7 777 C 3FFE C000 0 1 64 0 0 via Vlan1 L 3FFE C000 0 1 20B 46FF FE2F D940 128 0 0 via Vlan1 C 3FFE C000 0 7 64 0 0 via Vlan7 L 3FFE C000 0 7 20B 46FF FE2F D97F 128 0 0 via Vlan7 C 3FFE C000 111 1 64 0 0 via GigabitEthernet1 0 11 L 3FFE C000 111 1 20B 46FF FE2F D945 128 0 0 C 3FFE C000 168 1 64 0 0 via GigabitEthernet2 0 4 L 3FFE C000 168 1 20B...

Page 945: ...query 0 group report 0 group reduce 1 router solicit 0 router advert 0 redirects 0 neighbor solicit 0 neighbor advert Sent 10112 output 0 rate limited unreach 0 routing 0 admin 0 neighbor 0 address 0 port parameter 0 error 0 header 0 option 0 hopcount expired 0 reassembly timeout 0 too big 0 echo request 0 echo reply 0 group query 0 group report 0 group reduce 0 router solicit 9944 router advert 0...

Page 947: ...any single router It enables a set of router interfaces to work together to present the appearance of a single virtual router or default gateway to the hosts on a LAN When HSRP is configured on a network or segment it provides a virtual Media Access Control MAC address and an IP address that is shared among a group of configured routers HSRP allows two or more HSRP configured routers to use the MA...

Page 948: ...use of the redundant routers To do so specify a group number for each Hot Standby command group you configure for an interface For example you might configure an interface on switch 1 as an active router and one on switch 2 as a standby router and also configure another interface on switch 2 as an active router with another interface on switch 1 as its standby router Figure 40 1 shows a segment of...

Page 949: ...ve router because it has the assigned highest priority and Router B is the standby router For group 2 Router B is the default active router because it has the assigned highest priority and Router A is the standby router During normal operation the two routers share the IP traffic load When either router becomes unavailable the other router becomes active and assumes the packet transfer functions o...

Page 950: ...y router might become active after the stack master fails Configuring HSRP These sections contain this configuration information Default HSRP Configuration page 40 5 HSRP Configuration Guidelines page 40 5 Enabling HSRP page 40 5 Configuring HSRP Priority page 40 7 Configuring MHSRP page 40 9 Configuring HSRP Authentication and Timers page 40 9 201791 Active router for group 1 Standby router for g...

Page 951: ...t channel number global configuration command and binding the Ethernet interface into the channel group For more information see the Configuring Layer 3 EtherChannels section on page 37 14 All Layer 3 interfaces must have IP addresses assigned to them See the Configuring Layer 3 Interfaces section on page 10 21 Enabling HSRP The standby ip interface configuration command activates HSRP on the conf...

Page 952: ... Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the Layer 3 interface on which you want to enable HSRP Step 3 standby group number ip ip address secondary Create or enable the HSRP group using its number and virtual IP address Optional group number The group number on the interface for which HSRP is being enabled...

Page 953: ... interface fails the hot standby priority on the device on which tracking has been configured decreases by 10 If an interface is not tracked its state changes do not affect the hot standby priority of the configured device For each interface configured for hot standby you can configure a separate list of interfaces to be tracked The standby track interface priority interface configuration command ...

Page 954: ...onfigure the router to preempt which means that when the local router has a higher priority than the active router it assumes control as the active router Optional group number The group number to which the command applies Optional priority Enter to set or change the group priority The range is 1 to 255 the default is 100 Optional delay Set to cause the local router to postpone taking over the act...

Page 955: ...outer for group 2. The HSRP interface for Router A has an IP address of 10.0.0.1 with a group 1 standby priority of 110 (the default is 100). The HSRP interface for Router B has an IP address of 10.0.0.2 with a group 2 standby priority of 110. Group 1 uses a virtual IP address of 10.0.0.3, and group 2 uses a virtual IP address of 10.0.0.4.

Router A Configuration

Switch# configure terminal
Switch(config)# in...

Page 956: ...le shows how to configure word as the authentication string required to allow Hot Standby routers in group 1 to interoperate:

Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# standby 1 authentication word
Switch(config-if)# end

Command / Purpose
Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. E...

Page 957: ... you can use the same standby group for command switch redundancy and HSRP redundancy Use the cluster standby group HSRP group name routing redundancy global configuration command to enable the same HSRP standby group to be used for command switch and routing redundancy If you create a cluster with the same HSRP standby group name without entering the routing redundancy keyword HSRP standby routin...

Page 958: ...by priority 105, may preempt
  Hellotime 3 holdtime 10
  Next hello sent in 00:00:02.182
  Hot standby IP address is 172.20.128.3 configured
  Active router is 172.20.128.1 expires in 00:00:09
  Standby router is local
  Standby virtual mac address is 0000.0c07.ac01
  Name is bbb
VLAN1 - Group 100
  Local state is Active, priority 105, may preempt
  Hellotime 3 holdtime 10
  Next hello sent in 00:00:02.262
  Hot standby IP ...

Page 959: ...http www cisco com en US products ps6441 products_configuration_guide_book09186a0080707055 html For command syntax information see the command reference at this URL http www cisco com en US products ps6441 products_command_reference_book09186a008049739b html This chapter consists of these sections Understanding Cisco IOS IP SLAs page 41 1 Configuring IP SLAs Operations page 41 6 Monitoring IP SLAs...

Page 960: ...u can find more details about network management products that use Cisco IOS IP SLAs at this URL http www cisco com go ipsla Using IP SLAs can provide these benefits Service level agreement monitoring measurement and verification Network performance monitoring Measures the jitter latency or packet loss in the network Provides continuous reliable and predictable measurements IP service network heal...

Page 961: ...As responder if required 2 Configure the required IP SLAs operation type 3 Configure any options available for the specified operation type 4 Configure threshold conditions if required 5 Schedule the operation to run then let the operation run for a period of time to gather statistics 6 Display and interpret the results of the operation using the Cisco IOS CLI or a network management system NMS sy...

Page 962: ...xample a responder is not required for services that are already provided by the destination router such as Telnet or HTTP You cannot configure the IP SLAs responder on non Cisco devices and Cisco IOS IP SLAs can send operational packets only to services native to those devices Response Time Computation for IP SLAs Switches and routers can take tens of milliseconds to process incoming packets due ...

Page 963: ...is visible through SNMP The pending state is also used when an operation is a reaction threshold operation waiting to be triggered You can schedule a single IP SLAs operation or a group of operations at one time You can schedule several IP SLAs operations by using a single command through the Cisco IOS CLI or the CISCO RTTMON MIB Scheduling the operations to run at evenly distributed times allows ...

Page 964: ...Configuration Guide It does include several operations as examples including configuring the responder configuring UDP jitter operation which requires a responder and configuring ICMP echo operation which does not require a responder For details about configuring other operations see he Cisco IOS IP SLAs Configuration Guide at this URL http www cisco com en US products ps6441 products_configuratio...

Page 965: ...d on your software image This is an example of the output from the command Switch show ip sla application IP SLAs Version 2 2 0 Round Trip Time MIB Infrastructure Engine II Time of last change in whole IP SLAs 22 17 39 117 UTC Fri Jun Estimated system max number of entries 15801 Estimated number of configurable operations 15801 Number of Entries configured 0 Number of active Entries 0 Number of pe...

Page 966: ...ets arrived more than 10 ms apart If the packets arrive 12 ms apart positive jitter is 2 ms if the packets arrive 8 ms apart negative jitter is 2 ms For delay sensitive networks positive jitter values are undesirable and a jitter value of 0 is ideal In addition to monitoring jitter the IP SLAs UDP jitter operation can be used as a multipurpose data gathering operation The packets IP SLAs generates...

Page 967: ... every 60 seconds You can configure each of these parameters to best simulate the IP service you want to provide To provide accurate one way delay latency measurements time synchronization such as that provided by NTP is required between the source and the target device Time synchronization is not required for the one way jitter and packet loss measurements If the time is not synchronized between ...

Page 968: ...rval inter packet interval Enter the interval between sending packets in milliseconds The range is 1 to 6000 the default value is 20 ms Step 4 frequency seconds Optional Set the rate at which a specified IP SLAs operation repeats The range is from 1 to 604800 seconds the default is 60 seconds Step 5 exit Exit UDP jitter configuration mode and return to global configuration mode Step 6 ip sla monit...

Page 969: ...ALSE Life seconds 3600 Entry Ageout seconds never Recurring Starting Everyday FALSE Status of entry SNMP RowStatus notInService Threshold milliseconds 5000 Distribution Statistics Number of statistic hours kept 2 Number of statistic distribution buckets kept 1 Statistic distribution interval milliseconds 20 Enhanced History Analyzing IP Service Levels by Using the ICMP Echo Operation The ICMP echo...

Page 970: ...As operation repeats The range is from 1 to 604800 seconds the default is 60 seconds Step 5 exit Exit UDP jitter configuration mode and return to global configuration mode Step 6 ip sla schedule operation number life forever seconds start time hh mm ss month day day month pending now after hh mm ss ageout seconds recurring Configure the scheduling parameters for an individual IP SLAs operation ope...

Page 971: ...ARR data portion 28 Operation timeout milliseconds 5000 Type Of Service parameters 0x0 Verify data No Vrf Name Schedule Operation frequency seconds 60 Next Scheduled Start Time Pending trigger Group Scheduled FALSE Randomly Scheduled FALSE Life seconds 3600 Entry Ageout seconds never Recurring Starting Everyday FALSE Status of entry SNMP RowStatus notInService Threshold milliseconds 5000 Distribut...

Page 972: ... for all IP SLAs operations or a specific operation show ip sla ethernet monitor configuration entry number Display IP SLAs automatic Ethernet configuration show ip sla group schedule schedule entry number Display IP SLAs group scheduling configuration and details show ip sla history entry number full tabular Display history collected for all IP SLAs operations show ip sla mpls lsp monitor collect...

Page 973: ... a switch stack For more information about enhanced object tracking and the commands used to configure it see this URL http www cisco com en US products sw iosswrel ps1839 products_feature_guide09186a00801541be html The chapter includes these sections Understanding Enhanced Object Tracking page 42 1 Configuring Enhanced Object Tracking Features page 42 2 Monitoring Enhanced Object Tracking page 42...

Page 974: ...conditions are not met the IP routing state is down Beginning in privileged EXEC mode follow these steps to track the line protocol state or IP routing state of an interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track object number interface interface id line protocol Optional Create a tracking list to track the line protocol state of an interface and ent...

Page 975: ...e state of the tracked list is determined by whether or not the threshold was met The state of each object is determined by comparing the total weight of all objects against a threshold weight for each object When you measure the tracked list by a percentage threshold you assign a percentage threshold to all objects in the tracked list The state of each object is determined by comparing the assign...

Page 976: ...t use the Boolean NOT operator in a weight threshold list Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track track number list boolean and or Configure a tracked list object and enter tracking configuration mode The track number can be from 1 to 500 boolean Specify the state of the tracked list based on a Boolean calculation and Specify that the list is up if al...

Page 977: ...objects specify that a percentage will be used as the threshold and specify a percentage for all objects in the list The state of the list is determined by comparing the assigned percentage of each object to the list You cannot use the Boolean NOT operator in a percentage threshold list Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track track number list thresho...

Page 978: ... object and enter tracking configuration mode The track number can be from 1 to 500 threshold Specify the state of the tracked list based on a threshold percentage Specify that the threshold is based on percentage Step 3 object object number Specify the object to be tracked The range is from 1 to 500 Note An object must exist before you can add it to a tracked list Step 4 threshold percentage up n...

Page 979: ...t up threshold is 254 and the default down threshold is 255 Enter list to track objects grouped in a list Configure the list as described on the previous pages For boolean see the Configuring a Tracked List with a Boolean Expression section on page 42 3 For threshold weight see the Configuring a Tracked List with a Weight Threshold section on page 42 4 For threshold percentage see the Configuring ...

Page 980: ...nhanced object tracking configuration For more information about enhanced object tracking and the commands used to configure it see this URL http www cisco com en US products sw iosswrel ps1839 products_feature_guide09186a00801541be html Step 6 standby group number track object number decrement priority decrement Configure HSRP to track an object and change the hot standby priority based on the st...

Page 981: ...achability is down. Beginning in privileged EXEC mode, follow these steps to track the state of an IP SLAs operation or the reachability of an IP SLAs IP host. This example shows how to configure and display IP SLAs state tracking:

Switch(config)# track 2 200 state
Switch(config)# end
Switch# show track 2
Track 2
  Response Time Reporter 1 state
  State is Down
    1 change, last change 00:00:47

Command / Purpose
Ste...

Page 982: ...shold Latest RTT millisecs 4 Tracked by HSRP Ethernet0 1 3 Monitoring Enhanced Object Tracking Use the privileged EXEC or user EXEC commands in Table 42 1 to display enhanced object tracking information Table 42 1 Commands for Displaying Tracking Information Command Purpose show track object number Display information about the all tracking lists or the specified list show track brief Display a si...

Page 985: ...regional site and the small branch office To use this feature the switch or the stack master must be running the IP services feature set Unless otherwise noted the term switch refers to a standalone switch and to a switch stack Note For complete syntax and usage information for the commands used in this chapter see the WCCP Router Configuration Commands section in the System Management Commands pa...

Page 986: ...e This sequence of events describes the WCCP message exchange 1 The application engines send their IP addresses to the WCCP enabled switch by using WCCP signaling their presence through a Here I am message The switch and application engines communicate to each other through a control channel based on UDP port 2048 2 The WCCP enabled switch uses the application engine IP information to create a clu...

Page 987: ...ot present The application engine does not intercept the reconnection attempt In this way the application engine effectively cancels the redirection of a packet to the application engine and creates a bypass flow If the return method is generic route encapsulation GRE the switch receives the returned packet through a GRE tunnel that is configured in the application engine The switch CPU uses Cisco...

Page 988: ...routers dynamically using a single multicast address provides easier configuration because you do not need to specifically enter the addresses of all devices in the WCCP network You can use a router group list to validate the protocol packets received from the application engine Packets matching the address in the group list are processed packets not matching the group list address are dropped To ...

Page 989: ... WCCP on your switch make sure to follow these configuration guidelines The application engines and switches in the same service group must be in the same subnetwork directly connected to the switch that has WCCP enabled Configure the switch interfaces that are connected to the web clients the application engines and the web server as Layer 3 interfaces routed ports and switch virtual interfaces S...

Page 990: ...d the group can be added to the interface The routing maximum transmission unit MTU size configured on the stack member switches should be larger than the client MTU size The MAC layer MTU size configured on ports connected to application engines should take into account the GRE tunnel header bytes You cannot configure WCCP and VPN routing forwarding VRF on the same switch interface You cannot con...

Page 991: ...of valid IP addresses that correspond to the application engines that are participating in the service group Optional For redirect list access list specify the redirect service for specific hosts or specific packets from hosts Optional For password encryption number password specify an encryption number The range is 0 to 7 Use 0 for not encrypted and use 7 for proprietary Specify a password name u...

Page 992: ...f no switchport
Switch(config-if)# ip address 172.20.10.30 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# ip wccp web-cache group-listen
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# no switchport
Switch(config-if)# ip address 175.20.20.10 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/3
Swi...

Page 993: ...nts are configured as access ports in VLAN 301 The switch redirects packets received from the client interfaces to the application engine Switch configure terminal Switch config ip wccp web cache 80 group list 15 Switch config access list 15 permit host 171 69 198 102 Switch config access list 15 permit host 171 69 198 104 Switch config access list 15 permit host 171 69 198 106 Switch config vlan ...

Page 994: ...and Maintaining WCCP Command Purpose clear ip wccp web cache Removes statistics for the web cache service show ip wccp web cache Displays global information related to WCCP show ip wccp web cache detail Displays information for the switch and all application engines in the WCCP cluster show ip interface Displays status about any IP WCCP redirection commands that are configured on an interface for ...

Page 995: ...oup receive the message To use this feature the switch or stack master must be running the IP services feature set To use the PIM stub routing feature the switch or stack master can be running the IP base image Unless otherwise noted the term switch refers to a standalone switch and to a switch stack Note For complete syntax and usage information for the commands used in this chapter see the Cisco...

Page 996: ...Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP Figure 44 1 shows where these protocols operate within the IP multicast environment Figure 44 1 IP Multicast Routing Protocols According to IPv4 multicast standards the MAC destination multicast address begins with 0100 5e and is appended by the last 23 bits of the IP ad...

Page 997: ...dresses which are class D addresses The high order bits of a Class D address are 1110 Therefore host group addresses can be in the range 224 0 0 0 through 239 255 255 255 Multicast addresses in the range 224 0 0 0 to 224 0 0 255 are reserved for use by routing protocols and other network control traffic The address 224 0 0 0 is guaranteed not to be assigned to any group IGMP packets are sent using...

Page 998: ... RP discovery and distribution mechanism that enables routers and multilayer switches to dynamically learn the group to RP mappings Sparse mode and dense mode are properties of a group as opposed to an interface We strongly recommend sparse dense mode as opposed to either sparse mode or dense mode only PIM join and prune messages have more flexible encoding for multiple address families A more fle...

Page 999: ...ages to be torn down when they are no longer needed When the number of PIM enabled interfaces exceeds the hardware capacity and PIM SM is enabled with the SPT threshold is set to infinity the switch does not create S G entries in the multicast routing table for the some directly connected interfaces if they are not already in the table The switch might not correctly forward traffic from these inte...

Page 1000: ...ted traffic closer to the end user and reduces network traffic You can also reduce traffic by configuring a stub router switch with the IGMP helper feature You can configure a stub router switch with the igmp helper help address interface configuration command to enable the switch to send reports to the next hop interface Hosts that are not directly connected to a downstream router can then join a...

Page 1001: ...ion mechanism is similar to the root bridge election mechanism used in bridged LANs The BSR election is based on the BSR priority of the device contained in the BSR messages that are sent hop by hop through the network Each BSR device examines the message and forwards out all interfaces only the message that has either a higher BSR priority than its BSR priority or the same BSR priority but with a...

Page 1002: ...st packet from source 151 10 3 21 Table 44 1 shows that the port on the reverse path to the source is port 1 not port 2 Because the RPF check fails the multilayer switch discards the packet Another multicast packet from source 151 10 3 21 is received on port 1 and the routing table shows this port is on the reverse path to the source Because the RPF check passes the switch forwards the packet to a...

Page 1003: ...e and is used to build a source distribution tree and to perform multicast forward using RPF DVMRP is a dense mode protocol and builds a parent child database using a constrained multicast model to build a forwarding tree rooted at the source of the multicast packets Multicast packets are initially flooded down this source tree If redundant paths are on the source tree packets are not forwarded al...

Page 1004: ...y elected stack master is running the IP base feature set the switch stack loses its multicast routing capability For information about the stack master election process see Chapter 5 Managing Switch Stacks They do not build multicast routing tables Instead they use the multicast routing table that is distributed by the stack master Configuring IP Multicast Routing These sections contain this conf...

Page 1005: ...together with the Auto RP feature can perform the same tasks as the PIMv2 BSR However Auto RP is a standalone protocol separate from PIMv1 and is a proprietary Cisco protocol PIMv2 is a standards track protocol in the IETF We recommend that you use PIMv2 The BSR mechanism interoperates with Auto RP on Cisco routers and multilayer switches For more information see the Auto RP and BSR Configuration ...

Page 1006: ...ice prevents these messages from reaching all routers and multilayer switches in your network Therefore if your network has a PIMv1 device in it and only Cisco routers and multilayer switches it is best to use Auto RP If you have a network that includes non Cisco routers configure the Auto RP mapping agent and the BSR on a Cisco PIMv2 router or multilayer switch Ensure that no PIMv1 device is on t...

Page 1007: ... configure a PIM version and to configure a PIM mode This procedure is required Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip multicast routing distributed Enable IP multicast distributed switching Step 3 interface interface id Specify the Layer 3 interface on which you want to enable multicast routing and enter interface configuration mode The specified inter...

Page 1008: ...oes not route the transit traffic between the distribution routers Unicast EIGRP stub routing enforces this behavior You must configure unicast stub routing to assist the PIM stub router behavior For more information see the EIGRP Stub Routing section on page 38 43 Only directly connected multicast IGMP receivers and sources are allowed in the Layer 2 access domains The PIM protocol is not support...

Page 1009: ...f ip address 100.1.1.1 255.255.255.0
Switch(config-if)# ip pim passive
Switch(config-if)# exit
Switch(config)# interface GigabitEthernet0/20
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.1.1.1 255.255.255.0
Switch(config-if)# ip pim passive
Switch(config-if)# end

To verify that PIM stub is enabled for each interface, use the show ip pim interface privileged EXEC command:

Switch# show ip pim int...

Page 1010: ...ion of both depending on the PIM version that you are running and the types of routers in your network For more information see the PIMv1 and PIMv2 Interoperability section on page 44 11 and the Auto RP and BSR Configuration Guidelines section on page 44 12 Manually Assigning an RP to Multicast Groups This section explains how to manually configure an RP If the RP for a group is learned through a ...

Page 1011: ...in The access list conditions specify for which groups the device is an RP For ip address enter the unicast address of the RP in dotted decimal notation Optional For access list number enter an IP standard access list number from 1 to 99 If no access list is configured the RP is used for all groups Optional The override keyword means that if there is a conflict between the RP configured with this ...

Page 1012: ...d with a manual RP address for the Auto RP groups If routed interfaces are configured in sparse mode and you enter the ip pim autorp listener global configuration command Auto RP can still be used even if all devices are not configured with a manual RP address for the Auto RP groups These sections describe how to configure Auto RP Setting up Auto RP in a New Internetwork page 44 18 optional Adding...

Page 1013: ...e the candidate RP for local groups. For interface-id, enter the interface type and number that identifies the RP address. Valid interfaces include physical ports, port channels, and VLANs. For scope ttl, specify the time-to-live value in hops. Enter a hop count that is high enough so that the RP-announce messages reach all mapping agents in the network. There is no default setting. The range is 1 to 255. Fo...

Page 1014: ...terfaces are in sparse mode, use a default-configured RP to support the two well-known groups 224.0.1.39 and 224.0.1.40. Auto-RP uses these two well-known groups to collect and distribute RP-mapping information. When this is the case and the ip pim accept-rp auto-rp command is configured, another ip pim accept-rp command accepting the RP must be configured as follows:
Switch(config)# ip pim accept-rp 172...

Page 1015: ...accepted for the group ranges supplied in the group-list access-list-number variable. If this variable is omitted, the filter applies to all multicast groups. If more than one mapping agent is used, the filters must be consistent across all mapping agents to ensure that no conflicts occur in the group-to-RP mapping information. Step 3: access-list access-list-number {deny | permit} source [source-wildcard]. Cr...

Page 1016: ...age 44-7. Defining the PIM Domain Border: As IP multicast becomes more widespread, the chance of one PIMv2 domain bordering another PIMv2 domain is increasing. Because these two domains probably do not share the same set of RPs, BSR, candidate RPs, and candidate BSRs, you need to constrain PIMv2 BSR messages from flowing into or out of the domain. Allowing these messages to leak across the domain borders c...

Page 1017: ... switch. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: access-list access-list-number deny source [source-wildcard]. Create a standard access list, repeating the command as many times as necessary. For access-list-number, the range is 1 to 99. The deny keyword denies access if the conditions are matched. For source, enter multicast addresses 224.0.1.39 and 224.0.1.40, which...

Page 1018: ... of 10:
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# ip address 172.21.24.18 255.255.255.0
Switch(config-if)# ip pim sparse-dense-mode
Switch(config-if)# ip pim bsr-candidate gigabitethernet1/0/2 30 10
Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: ip pim bsr-candidate interface-id hash-mask-length [priority]. Configure your switch to be a candidate BSR. F...

Page 1019: ...figuration command. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: ip pim rp-candidate interface-id [group-list access-list-number]. Configure your switch to be a candidate RP. For interface-id, specify the interface whose associated IP address is advertised as a candidate RP address. Valid interfaces include physical ports, port channels, and VLANs. (Optional) For group-list...

Page 1020: ...idate BSRs as the RP-mapping agents for Auto-RP. For more information, see the "Configuring Auto-RP" section on page 44-18 and the "Configuring Candidate BSRs" section on page 44-24. For group prefixes advertised through Auto-RP, the PIMv2 BSR mechanism should not advertise a subrange of these group prefixes served by a different set of RPs. In a mixed PIMv1 and PIMv2 domain, have backup RPs serve the same ...

Page 1021: ...he show ip pim rp-hash privileged EXEC command, making sure that all systems agree on the same RP for the same group. 2. Verify interoperability between different versions of DRs and RPs. Make sure the RPs are interacting with the DRs properly by responding with register-stops and forwarding decapsulated data packets from registers. Configuring Advanced PIM Features: These sections describe the optional...

Page 1022: ...he source. At this point, data might arrive twice at Router C, once encapsulated and once natively. 5. When data arrives natively (unencapsulated) at the RP, it sends a register-stop message to Router A. 6. By default, reception of the first data packet prompts Router C to send a join message toward the source. 7. When Router C receives data on (S,G), it sends a prune message for the source up the shared tree. 8. T...

Page 1023: ...o all groups. Beginning in privileged EXEC mode, follow these steps to configure a traffic rate threshold that must be reached before multicast routing is switched from the source tree to the shortest-path tree. This procedure is optional. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: access-list access-list-number {deny | permit} source [source-wildcard]. Create a standard...

Page 1024: ... follow these steps to modify the router-query message interval. This procedure is optional. To return to the default setting, use the no ip pim query-interval [seconds] interface configuration command. Configuring Optional IGMP Features: These sections contain this configuration information: Default IGMP Configuration, page 44-31; Configuring the Switch as a Member of a Group, page 44-31 (optional); Controllin...

Page 1025: ...e route tools provided in the software. Caution: Performing this procedure might impact the CPU performance because the CPU will receive all data traffic for the group address. Beginning in privileged EXEC mode, follow these steps to configure the switch to be a member of a group. This procedure is optional. Table 44-3 Default IGMP Configuration. Feature / Default Setting: Multilayer switch as a member of a...

Page 1026: ...copy running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the interface to be configured, and enter interface configuration mode. Step 3: ip igmp access-group access-list-number. Specify the multicast groups that hosts on the subnet serviced by a...

Page 1027: ...fying the IGMP Host-Query Message Interval: The switch periodically sends IGMP host-query messages to discover which multicast groups are present on attached networks. These messages are sent to the all-hosts multicast group 224.0.0.1 with a time-to-live (TTL) of 1. The switch sends host-query messages to refresh its knowledge of memberships present on the network. If, after some number of queries, the so...

Page 1028: ...me, if the switch has received no queries, it becomes the querier. You can configure the query interval by entering the show ip igmp interface interface-id privileged EXEC command. Beginning in privileged EXEC mode, follow these steps to change the IGMP query timeout. This procedure is optional. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specif...

Page 1029: ...multicast traffic down to a network segment: Use the ip igmp join-group interface configuration command. With this method, the switch accepts the multicast packets in addition to forwarding them. Accepting the multicast packets prevents the switch from fast switching. Use the ip igmp static-group interface configuration command. With this method, the switch does not accept the packets itself but only for...

Page 1030: ...vices that do not support IGMP snooping but have CGMP client functionality. CGMP is a protocol used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. CGMP is necessary because the Layer 2 switch cannot distinguish between IP multicast data packets and IGMP report messages, which are both at the MAC level and are addres...

Page 1031: ...onference sessions. These SAP packets contain a session description, the time the session is active, its IP multicast group addresses, media format, contact person, and other information about the advertised multimedia session. The information in the SAP packet is displayed in the SDR Session Announcement window. Step 3: ip cgmp [proxy]. Enable CGMP on the interface. By default, CGMP is disabled on all interfac...

Page 1032: ...he. This procedure is optional. To return to the default setting, use the no ip sdr cache-timeout global configuration command. To delete the entire cache, use the clear ip sdr privileged EXEC command. To display the session directory cache, use the show ip sdr privileged EXEC command. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the inter...

Page 1033: ...e multicast address range 239.0.0.0/8 on all routed interfaces at the perimeter of its network. This boundary prevents any multicast traffic in the range 239.0.0.0 through 239.255.255.255 from entering or leaving the network. Similarly, the engineering and marketing departments have an administratively-scoped boundary of 239.128.0.0/16 around the perimeter of their networks. This boundary prevents mul...
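The boundary behaviour described on this page (a company-wide 239.0.0.0/8 boundary at the network perimeter, and a narrower 239.128.0.0/16 boundary around a department) can be checked offline with the following added example. It is not code from the configuration guide or from Cisco; it is a plain Python model, written here, of what a multicast boundary does to (source, group) flows arriving at an interface. The sample flows, the two boundary prefixes used in the tests and the function names (`group_in_boundary`, `filter_at_boundary`) are assumptions made for the example.

```python
import ipaddress
from typing import Iterable, List, Tuple

Flow = Tuple[str, str]  # (source address, multicast group address)

# Constructed sample flows as they might arrive at a perimeter interface.
# 239.x.x.x groups are administratively scoped; 224.0.1.39/40 are the
# Auto-RP well-known groups; 232.1.1.1 is an SSM-range group.
SAMPLE_FLOWS: List[Flow] = [
    ("10.1.1.5", "239.5.5.5"),
    ("10.2.7.9", "239.128.1.1"),
    ("10.3.0.2", "224.1.1.1"),
    ("10.4.4.4", "224.0.1.39"),
    ("10.4.4.4", "224.0.1.40"),
    ("10.5.5.5", "232.1.1.1"),
]


def group_in_boundary(group: str, boundary: str) -> bool:
    """True when the multicast group falls inside an administratively scoped
    boundary prefix such as 239.0.0.0/8 or 239.128.0.0/16.

    A boundary is defined on group addresses only, so a non-multicast address
    is rejected rather than silently treated as 'outside'."""
    g = ipaddress.IPv4Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    return g in ipaddress.IPv4Network(boundary, strict=True)


def filter_at_boundary(flows: Iterable[Flow], boundaries: List[str]) -> Tuple[List[Flow], List[Flow]]:
    """Apply every boundary prefix configured on an interface to a set of flows.

    A flow is dropped if its group matches any boundary, in either direction,
    which is the 'neither enters nor leaves' semantics the guide describes.
    Returns (forwarded, dropped)."""
    forwarded: List[Flow] = []
    dropped: List[Flow] = []
    for src, grp in flows:
        if any(group_in_boundary(grp, b) for b in boundaries):
            dropped.append((src, grp))
        else:
            forwarded.append((src, grp))
    return forwarded, dropped


def dropped_groups(flows: Iterable[Flow], boundaries: List[str]) -> List[str]:
    """Convenience view: just the group addresses a boundary would block."""
    _, dropped = filter_at_boundary(flows, boundaries)
    return [grp for _, grp in dropped]


if __name__ == "__main__":
    # Company perimeter: everything in 239/8 stays inside.
    print("perimeter drops:", dropped_groups(SAMPLE_FLOWS, ["239.0.0.0/8"]))
    # Department perimeter: only the department's own 239.128/16 range is confined;
    # the rest of 239/8 still flows between departments.
    print("department drops:", dropped_groups(SAMPLE_FLOWS, ["239.128.0.0/16"]))
```

Note that the Auto-RP groups 224.0.1.39 and 224.0.1.40 are outside 239.0.0.0/8, so a boundary on the administratively scoped range alone does not stop RP-announce and RP-discovery traffic from crossing the perimeter; that has to be filtered separately, which is the point of the access list built from those two addresses on page 1017.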

Page 1034: ...res, see the "Configuring Advanced DVMRP Interoperability Features" section on page 44-45. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: access-list access-list-number {deny | permit} source [source-wildcard]. Create a standard access list, repeating the command as many times as necessary. For access-list-number, the range is 1 to 99. The deny keyword denies access if the condi...

Page 1035: ... an MBONE tunnel, DVMRP advertisements produced by the Cisco IOS software can cause older versions of the mrouted protocol to corrupt their routing tables and those of their neighbors. You can configure what sources are advertised and what metrics are used by configuring the ip dvmrp metric interface configuration command. You can also direct all sources learned through a particular unicast routing p...

Page 1036: ...tch(config)# access-list 1 permit 198.92.35.0 0.0.0.255
Switch(config)# access-list 1 permit 198.92.36.0 0.0.0.255
Switch(config)# access-list 1 permit 198.92.37.0 0.0.0.255
Switch(config)# access-list 1 permit 131.108.0.0 0.0.255.255
Switch(config)# access-list 1 permit 150.136.0.0 0.0.255.255
Switch(config)# access-list 1 deny 0.0.0.0 255.255.255.255
Switch(config)# access-list 2 permit 0.0.0.0 255.255.255.25...
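The standard access lists that recur throughout these pages (access-list 1 above, and the command syntax on pages 1017 and 1034) all share the same evaluation rules: entries are tested top to bottom, the first matching entry decides, a wildcard bit of 1 means "ignore this bit" (page 1060), and a list that runs out of entries denies. The following is an added example, written for this page and not taken from the guide or from Cisco IOS, that parses standard ACL lines into a table and evaluates addresses against them. It goes slightly beyond the page by also accepting the `host` and `any` shorthands. The lines for access-list 1 are the ones shown above; access-list 5 and the addresses in the tests are constructed for the example, and the function names are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# (action, network, wildcard); wildcard is dotted-decimal as in IOS.
AclEntry = Tuple[str, str, str]


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Match under IOS wildcard semantics: bits set in the wildcard are ignored,
    all other bits must agree. Non-contiguous wildcards work the same way."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF  # 1 where the bit must match
    return (_to_int(addr) & care) == (_to_int(network) & care)


def parse_access_list(lines: List[str]) -> Dict[int, List[AclEntry]]:
    """Turn 'access-list N {permit|deny} source [wildcard]' lines into per-list tables.

    'host A' and a bare address both mean wildcard 0.0.0.0; 'any' means
    0.0.0.0 255.255.255.255. Entry order within a list is preserved."""
    acls: Dict[int, List[AclEntry]] = {}
    for raw in lines:
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard access-list line: {raw!r}")
        number, action = int(parts[1]), parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {raw!r}")
        if not 1 <= number <= 99:
            raise ValueError(f"standard ACL number must be 1-99: {raw!r}")
        if parts[3] == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            network, wildcard = parts[4], "0.0.0.0"
        else:
            network = parts[3]
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        acls.setdefault(number, []).append((action, network, wildcard))
    return acls


def evaluate_acl(entries: List[AclEntry], addr: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, index of the matching entry),
    or ('deny', None) for the implicit deny at the end of every IOS ACL."""
    for i, (action, network, wildcard) in enumerate(entries):
        if wildcard_match(addr, network, wildcard):
            return action, i
    return "deny", None


# Access-list 1 exactly as shown on this page of the guide.
ACL1_LINES = [
    "access-list 1 permit 198.92.35.0 0.0.0.255",
    "access-list 1 permit 198.92.36.0 0.0.0.255",
    "access-list 1 permit 198.92.37.0 0.0.0.255",
    "access-list 1 permit 131.108.0.0 0.0.255.255",
    "access-list 1 permit 150.136.0.0 0.0.255.255",
    "access-list 1 deny 0.0.0.0 255.255.255.255",
]

# Constructed list with no explicit deny, to show the implicit deny.
ACL5_LINES = ["access-list 5 permit 10.0.0.0 0.255.255.255"]

ACLS = parse_access_list(ACL1_LINES + ACL5_LINES)


if __name__ == "__main__":
    for addr in ("198.92.35.7", "131.108.200.1", "10.1.1.1"):
        print(addr, "->", evaluate_acl(ACLS[1], addr))
    print("172.16.0.1 against list 5 ->", evaluate_acl(ACLS[5], "172.16.0.1"))
```

The explicit `deny 0.0.0.0 255.255.255.255` at the end of access-list 1 matches every address, so nothing ever reaches the implicit deny there; list 5 shows the implicit deny doing that job when the explicit entry is absent. Because the evaluation is first-match, the same address can receive a different verdict if the order of the lines is changed, which is worth remembering when the list gates which sources are advertised to DVMRP neighbours or which groups an RP serves.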

Page 1037: ...gh the tunnel. Beginning in privileged EXEC mode, follow these steps to configure a DVMRP tunnel. This procedure is optional. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: access-list access-list-number {deny | permit} source [source-wildcard]. Create a standard access list, repeating the command as many times as necessary. For access-list-number, the range is 1 to 99. The deny...

Page 1038: ...t 1 permit 198.92.37.0 0.0.0.255. Advertising Network 0.0.0.0 to DVMRP Neighbors: If your switch is a neighbor of an mrouted Version 3.6 device, you can configure the software to advertise network 0.0.0.0 (the default route) to the DVMRP neighbor. The DVMRP default route computes the RPF information for any multicast sources that do not match a more specific route. Do not advertise the DVMRP default into...

Page 1039: ... 0.0.0 [1/0/pim/querier/down/leaf]
171.69.214.203 -> 0.0.0.0 [1/0/pim/querier/down/leaf]
171.69.214.18 -> 171.69.214.20 (mm1-45e.cisco.com) [1/0/pim]
171.69.214.18 -> 171.69.214.19 (mm1-45c.cisco.com) [1/0/pim]
171.69.214.18 -> 171.69.214.17 (mm1-45a.cisco.com) [1/0/pim]
Configuring Advanced DVMRP Interoperability Features: Cisco routers and multilayer switches run PIM to forward multicast packets to receivers and receive mul...

Page 1040: ...MBONE topology. When DVMRP unicast routing is enabled, the router or switch caches routes learned in DVMRP report messages in a DVMRP routing table. When PIM is running, these routes might be preferred over routes in the unicast routing table, enabling PIM to run on the MBONE topology when it is different from the unicast topology. DVMRP unicast routing can run on all interfaces. For DVMRP tunnels, it use...

Page 1041: ...ghbor. You can prevent the switch from peering (communicating) with a DVMRP neighbor if that neighbor does not support DVMRP pruning or grafting. To do so, configure the switch (which is a neighbor to the leaf, nonpruning DVMRP machine) with the ip dvmrp reject-non-pruners interface configuration command on the interface connected to the nonpruning machine, as shown in Figure 44-8. In this case, when the swi...

Page 1042: ...rocedure is optional. To disable this function, use the no ip dvmrp reject-non-pruners interface configuration command. [Figure labels: Router A; Router B (RP); multicast traffic gets to receiver, not to leaf DVMRP device; source router or RP; leaf nonpruning DVMRP device; configure the ip dvmrp reject-non-pruners command on this interface; receiver; Layer 3 switch.] Command / Purpose: Step 1: configure terminal. Enter global...

Page 1043: ...ged EXEC mode, follow these steps to change the DVMRP route limit. This procedure is optional. To configure no route limit, use the no ip dvmrp route-limit global configuration command. Changing the DVMRP Route Threshold: By default, 10,000 DVMRP routes can be received per interface within a 1-minute interval. When that rate is exceeded, a syslog message is issued, warning that there might be a route surge ...

Page 1044: ...se the DVMRP tunnel shares the same IP address as Fast Ethernet port 1 and falls into the same Class B network as the two directly connected subnets, classful summarization of these routes was not performed. As a result, the DVMRP router is able to poison-reverse only these two routes to the directly connected subnets and is able to only RPF properly for multicast traffic sent by sources on these two...

Page 1045: ...3.0/24 m 40; 176.32.10.0/24 m 1; 176.32.15.0/24 m 1. [Figure labels: DVMRP router; Cisco router; Tunnel; Gigabit Ethernet 1/0/1, 176.32.10.0/24; Gigabit Ethernet 1/0/2, 176.32.15.0/24; DVMRP Report; DVMRP Route Table; Unicast Routing Table, 10,000 Routes.]
interface tunnel 0
 ip unnumbered gigabitethernet1/0/1
interface gigabitethernet1/0/1
 ip addr 176.32.10.1 255.255.255.0
 ip pim dense-mode
interface gigabitethernet1/0/2...

Page 1046: ...ion command. Adding a Metric Offset to the DVMRP Route: By default, the switch increments by one the metric (hop count) of a DVMRP route advertised in incoming DVMRP reports. You can change the metric if you want to favor or not favor a certain route. For example, a route is learned by multilayer switch A, and the same route is learned by multilayer switch B with a higher metric. If you want to use the path...

Page 1047: ...out] increment. Change the metric added to DVMRP routes advertised in incoming reports. The keywords have these meanings: (Optional) in: Specifies that the increment value is added to incoming DVMRP reports and is reported in mrinfo replies. (Optional) out: Specifies that the increment value is added to outgoing DVMRP reports for routes from the DVMRP routing table. If neither in nor out is specified, in is th...

Page 1048: ...he or an sdr cache entry. Table 44-4 Commands for Clearing Caches, Tables, and Databases (continued). Table 44-5 Commands for Displaying System and Network Statistics. Command / Purpose: ping [group-name | group-address]: Send an ICMP Echo Request to a multicast group address. show ip dvmrp route [ip-address]: Display the entries in the DVMRP routing table. show ip igmp groups [group-name | group-address...

Page 1049: ...g Reverse Path Forwarding (that is, from the unicast routing table, DVMRP routing table, or static mroutes). show ip sdr [group | "session-name" | detail]: Display the Session Directory Protocol Version 2 cache. Table 44-5 Commands for Displaying System and Network Statistics (continued). Table 44-6 Commands for Monitoring IP Multicast Routing. Command / Purpose: mrinfo [hostname | address] [source-address | in...

Page 1050: ...44-56 Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide, OL-12247-01. Chapter 44, Configuring IP Multicast Routing: Monitoring and Maintaining IP Multicast Routing ...

Page 1051: ...syntax and usage information for the commands used in this chapter, see the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2. This chapter consists of these sections: Understanding MSDP, page 45-1; Configuring MSDP, page 45-4; Monitoring and Maintaining MSDP, page 45-19. Understanding MSDP: MSDP allows multicast sources for a group to be known to all rendezvous points (RPs) in different dom...

Page 1052: ...e to all MSDP peers. The SA message identifies the source, the group the source is sending to, and the address of the RP or the originator ID (the IP address of the interface used as the RP address), if configured. Each MSDP peer receives and forwards the SA message away from the originating RP to achieve peer reverse-path flooding (RPF). The MSDP device examines the BGP or MBGP routing table to discover wh...

Page 1053: ...ared tree never need to leave your domain. PIM sparse-mode domains can rely only on their own RPs, decreasing reliance on RPs in another domain. This increases security because you can prevent your sources from being known outside your domain. Domains with only receivers can receive data without globally advertising group membership. Global source multicast routing table state is not required, saving me...

Page 1054: ...red MSDP peer. Configure a default MSDP peer when the switch is not BGP- or MBGP-peering with an MSDP peer. If a single MSDP peer is configured, the switch always accepts all SA messages from that peer. Figure 45-2 shows a network in which default MSDP peers might be used. In Figure 45-2, a customer who owns Switch B is connected to the Internet through two Internet service providers (ISPs), one owning Rout...

Page 1055: ...A messages. For ip-address | name, enter the IP address or Domain Name System (DNS) server name of the MSDP default peer. (Optional) For prefix-list list, enter the list name that specifies the peer to be the default peer only for the listed prefixes. You can have multiple active default peers when you have a prefix list associated with each. When you enter multiple ip msdp default-peer commands with the pref...

Page 1056: ...soon after an SA message is received by the local RP, that member needs to wait until the next SA message to hear about the source. This delay is known as join latency. If you want to sacrifice some memory in exchange for reducing the latency of the source information, you can configure the switch to cache SA messages. Step 3: ip prefix-list name [description string] | seq number {permit | deny} network length. O...

Page 1057: ...are cached. For list access-list-number, the range is 100 to 199. Step 3: access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard. Create an IP extended access list, repeating the command as many times as necessary. For access-list-number, the range is 100 to 199. Enter the same number created in Step 2. The deny keyword denies access if the conditions are...

Page 1058: ...t sacrifices memory. Beginning in privileged EXEC mode, follow these steps to configure the switch to send SA-request messages to the MSDP peer when a new member joins a group and wants to receive multicast traffic. This procedure is optional. To return to the default setting, use the no ip msdp sa-request {ip-address | name} global configuration command. This example shows how to configure the switch to se...

Page 1059: ...is procedure is optional. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: ip msdp redistribute [list access-list-name] [asn aspath-access-list-number] [route-map map]. Configure which (S,G) entries from the multicast routing table are advertised in SA messages. By default, only sources within the local domain are advertised. (Optional) For list access-list-name, enter the name or ...

Page 1060: ... access if the conditions are matched. The permit keyword permits access if the conditions are matched. For protocol, enter ip as the protocol name. For source, enter the number of the network or host from which the packet is being sent. For source-wildcard, enter the wildcard bits in dotted-decimal notation to be applied to the source. Place ones in the bit positions that you want to ignore. For destinati...

Page 1061: ... sa-request 171.69.2.2 list 1
Switch(config)# access-list 1 permit 192.4.22.0 0.0.0.255
Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: ip msdp filter-sa-request {ip-address | name} or ip msdp filter-sa-request {ip-address | name} list access-list-number. Filter all SA-request messages from the specified MSDP peer, or filter SA-request messages from the specified MSDP peer for...

Page 1062: ... in privileged EXEC mode, follow these steps to apply a filter. This procedure is optional. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: ip msdp sa-filter out {ip-address | name}, or ip msdp sa-filter out {ip-address | name} list access-list-number, or ip msdp sa-filter out {ip-address | name} route-map map-tag. Filter all SA messages to the specified MSDP peer, or, to the specifie...

Page 1063: ... as necessary. For access-list-number, enter the number specified in Step 2. The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched. For protocol, enter ip as the protocol name. For source, enter the number of the network or host from which the packet is being sent. For source-wildcard, enter the wildcard bits in dotted-decimal notation ...

Page 1064: ...l SA messages that its MSDP RPF peers send to it. However, you can control the source information that you receive from MSDP peers by filtering incoming SA messages. In other words, you can configure the switch to not accept them. You can perform one of these actions: Filter all incoming SA messages from an MSDP peer. Specify an IP extended access list to pass certain source/group pairs. Filter based on m...

Page 1065: ...y those SA messages that meet the match criteria in the route-map map-tag. If all match criteria are true, a permit from the route map passes routes through the filter. A deny will filter routes. Step 3: access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard. (Optional) Create an IP extended access list, repeating the command as many times as necessary. F...

Page 1066: ...e {ip-address | name} global configuration command. Shutting Down an MSDP Peer: If you want to configure many MSDP commands for the same peer and you do not want the peer to become active, you can shut down the peer, configure it, and later bring it up. When a peer is shut down, the TCP connection is terminated and is not restarted. You can also shut down an MSDP session without losing configuration informati...

Page 1067: ...peers. This procedure is optional. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: ip msdp shutdown {peer-name | peer-address}. Administratively shut down the specified MSDP peer without losing configuration information. For peer-name | peer-address, enter the IP address or name of the MSDP peer to shut down. Step 3: end. Return to privileged EXEC mode. Step 4: show running-config...

Page 1068: ... mode sources to be known to the outside world. Because this switch is not an RP, it would not have an RP address to use in an SA message. Therefore, this command provides the RP address by specifying the address of the interface. Beginning in privileged EXEC mode, follow these steps to allow an MSDP speaker that originates an SA message to use the IP address on the interface as the RP address in the SA...

Page 1069: ...omous system. The ip msdp cache-sa-state command must be configured for this command to produce any output. show ip msdp peer [peer-address | name]: Displays detailed information about an MSDP peer. show ip msdp sa-cache [group-address | source-address | group-name | source-name] [autonomous-system-number]: Displays (S,G) state learned from MSDP peers. show ip msdp summary: Displays MSDP peer status and SA message count...

Page 1070: ...45-20 Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide, OL-12247-01. Chapter 45, Configuring MSDP: Monitoring and Maintaining MSDP ...

Page 1071: ... the commands used in this chapter, see the Cisco IOS Bridging and IBM Networking Command Reference, Volume 1 of 2, Release 12.2. This chapter consists of these sections: Understanding Fallback Bridging, page 46-1; Configuring Fallback Bridging, page 46-3; Monitoring and Maintaining Fallback Bridging, page 46-11. Understanding Fallback Bridging: These sections describe how fallback bridging works. Fallback Bri...

Page 1072: ...h creates a VLAN-bridge spanning-tree instance when a bridge group is created. The switch runs the bridge group and treats the SVIs and routed ports in the bridge group as its spanning-tree ports. These are the reasons for placing network interfaces into a bridge group: To bridge all nonrouted traffic among the network interfaces making up the bridge group. If the packet destination address is in the ...

Page 1073: ...he newly elected stack master is running the IP base feature set, the switch stack loses its fallback bridging capability. If stacks merge or if a switch is added to the stack, any new VLANs that are part of a bridge group and become active are included in the VLAN-bridge STP. When a stack member fails, the addresses learned from this member are deleted from the bridge group MAC address table. For more ...

Page 1074: ...t of SVIs or routed ports, these interfaces must be assigned to bridge groups. All interfaces in the same group belong to the same bridge domain. Each SVI or routed port can be assigned to only one bridge group. Note: The protected port feature is not compatible with fallback bridging. When fallback bridging is enabled, it is possible for packets to be forwarded from one protected port on a switch to ano...

Page 1075: ...ge
Switch(config)# vlan 2
Switch(config-vlan)# exit
Switch(config)# interface vlan2
Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: bridge bridge-group protocol vlan-bridge. Assign a bridge group number, and specify the VLAN-bridge spanning-tree protocol to run in the bridge group. The ibm and dec keywords are not supported. For bridge-group, specify the bridge group number. T...

Page 1076: ...s to spanning-tree parameters. Poorly planned adjustments can have a negative impact on performance. A good source on switching is the IEEE 802.1D specification. For more information, see the "References and Recommended Reading" appendix in the Cisco IOS Configuration Fundamentals Command Reference. Changing the VLAN-Bridge Spanning-Tree Priority: You can globally configure the VLAN-bridge spanning-tree p...

Page 1077: ...bridge group 10:
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# bridge-group 10 priority 20
Assigning a Path Cost: Each port has a path cost associated with it. By convention, the path cost is 1000/(data rate of the attached LAN, in Mb/s). Beginning in privileged EXEC mode, follow these steps to assign a path cost. This procedure is optional. Command / Purpose: Step 1: configure terminal. Enter glo...

Page 1078: ... its individual configuration might be. Adjusting the Interval between Hello BPDUs: Beginning in privileged EXEC mode, follow these steps to adjust the interval between hello BPDUs. This procedure is optional. Step 3: bridge-group bridge-group path-cost cost. Assign the path cost of a port. For bridge-group, specify the bridge group number. The range is 1 to 255. For cost, enter a number from 0 to 65535. The hi...

Page 1079: ...bridge-group forward-time global configuration command. This example shows how to change the forward-delay interval to 10 seconds in bridge group 10:
Switch(config)# bridge 10 forward-time 10
Changing the Maximum-Idle Interval: If a switch does not receive BPDUs from the root switch within a specified interval, it recomputes the spanning-tree topology. Step 4: show running-config. Verify your entry. Step 5: ...

Page 1080: ...e on the port, use the no bridge-group bridge-group spanning-disabled interface configuration command. This example shows how to disable spanning tree on a port in bridge group 10:
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# bridge-group 10 spanning-disabled
Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: bridge bridge-group max-age seconds. Specify t...

Page 1081: ...n stack-member-number global configuration command. Enter the show bridge [bridge-group] [interface-id | mac-address | verbose] privileged EXEC command at the stack member prompt. For information about the fields in these displays, see the Cisco IOS Bridging and IBM Networking Command Reference, Volume 1 of 2, Release 12.2. Table 46-2 Commands for Monitoring and Maintaining Fallback Bridging. Command / Purpose: cle...

Page 1082: ...46-12 Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide, OL-12247-01. Chapter 46, Configuring Fallback Bridging: Monitoring and Maintaining Fallback Bridging ...

Page 1083: ...tion for the commands used in this chapter, see the command reference for this release and the Cisco IOS Command Summary, Release 12.2. This chapter consists of these sections: Recovering from a Software Failure, page 47-2; Recovering from a Lost or Forgotten Password, page 47-3; Preventing Switch Stack Problems, page 47-8. Note: Recovery procedures require that you have physical access to the switch. Prevent...

Page 1084: ...r UNIX command:
switch% tar -tvf image_filename.tar
2. Locate the bin file, and extract it by using the tar -xvf image_filename.tar image_filename.bin UNIX command:
switch% tar -xvf image_filename.tar image_filename.bin
x cbs31x0-universal-mz.122-40.EX/cbs31x0-universal-mz.122-40.EX.bin, 3970586 bytes, 7756 tape blocks
3. Verify that the bin file was extracted by using the ls -l image_filename.bin UNIX command...

Page 1085: ...e image into flash memory. Step 12: Boot up the newly downloaded Cisco IOS image:
switch: boot flash:image_filename.bin
Step 13: Use the archive download-sw privileged EXEC command to download the software image to the switch or to the switch stack. Step 14: Use the reload privileged EXEC command to restart the switch and to verify that the new software image is operating properly. Step 15: Delete the flas...

Page 1086: ...entire switch stack. Power off the standalone switch or the switch stack by using the Onboard Administrator GUI. Remove the switch or stack members from the enclosure. Step 4: Power on the switch by using one of these methods: If you powered off the standalone switch or switch stack, it should automatically power on. If this does not occur, use the Onboard Administrator GUI to power on the switch or stack...

Page 1087: ...u had set the console port speed to anything other than 9600, it has been reset to that particular speed. Change the emulation software line speed to match that of the switch console port. Step 3: Load any helper files:
switch: load_helper
Step 4: Display the contents of flash memory:
switch: dir flash:
The switch file system appears:
Directory of flash:
    2  -rwx  5752  Mar 1 1993 00:06:02 +00:00  config.text
    3  -rwx ...

Page 1088: ... and you can change the password. Step 10: Enter global configuration mode:
Switch# configure terminal
Step 11: Change the password:
Switch(config)# enable secret password
The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive, and allows spaces but ignores leading spaces. Step 12: Return to privileged EXEC mode:
Switch(config)# exit
Switch#
Step 13: Write the ru...

Page 1089: ... the normal boot process continues as if the Mode button had not been pressed; you cannot access the boot loader prompt, and you cannot enter a new password. You see the message "Press Enter to continue". If you enter y (yes), the configuration file in flash memory and the VLAN database file are deleted. When the default configuration loads, you can reset the password. Step 1: Elect to continue with password r...

Page 1090: ... in interface configuration mode, enter the no shutdown command. Step 10: You must now reconfigure the switch. If the system administrator has the backup switch and VLAN configuration files available, you should use those. Step 11: Reload the switch:
Switch# reload
Preventing Switch Stack Problems. Note: Make sure that the switches that you add to or remove from the switch stack are powered off. For all power...

Page 1091: ...rts. 3. Power on the switches. For the commands that you can use to monitor the switch stack and its members, see the "Displaying Switch Stack Information" section on page 5-25. Preventing Autonegotiation Mismatches: The IEEE 802.3ab autonegotiation protocol manages the switch settings for speed (10 Mb/s, 100 Mb/s, and 1000 Mb/s, excluding SFP module ports) and duplex (half or full). There are situations when thi...

Page 1092: ...identified as a Cisco SFP module but the system is unable to read vendor data information to verify its accuracy an SFP module error message is generated In this case you should remove and re insert the SFP module If it continues to fail the SFP module might be defective Monitoring SFP Module Status You can check the physical or operational status of an SFP module by using the show interfaces tran...

Page 1093: ...t or network a network or host unreachable message is returned Executing Ping If you attempt to ping a host in a different IP subnetwork you must define a static route to the network or have IP routing configured to route between those subnets For more information see Chapter 38 Configuring IP Unicast Routing IP routing is disabled by default on all switches If you need to enable or configure IP r...

Page 1094: ...witch continues to send Layer 2 trace queries and lets them time out The switch can only identify the path from the source device to the destination device It cannot identify the path that a packet takes from source host to the source device or from the destination device to the destination host Usage Guidelines These are the Layer 2 traceroute usage guidelines Cisco Discovery Protocol CDP must be...

Page 1095: ...er 2 path when the specified source and destination IP addresses belong to the same subnet When you specify the IP addresses the switch uses the Address Resolution Protocol ARP to associate the IP addresses with the corresponding MAC addresses and the VLAN IDs If an ARP entry exists for the specified IP address the switch uses the associated MAC address and identifies the physical path If an ARP e...

Page 1096: ...s an Internet Control Message Protocol ICMP time to live exceeded message to the sender Traceroute finds the address of the first hop by examining the source address field of the ICMP time to live exceeded message To identify the next hop traceroute sends a UDP packet with a TTL value of 2 The first router decrements the TTL field by 1 and sends the datagram to the next router The second router se...

Page 1097: ...er the escape sequence Ctrl X by default Simultaneously press and release the Ctrl Shift and 6 keys and then press the X key Using TDR These sections contain this information Understanding TDR page 47 15 Running TDR and Displaying the Results page 47 16 Understanding TDR You can use the Time Domain Reflector TDR feature to diagnose and resolve cabling problems When running TDR a local device sends...

Page 1098: ... Gigabit link is a solid core cable The open ended cable is not terminated When you run TDR the switch does not report accurate information if The cable for the Gigabit link is a twisted pair cable or is in series with a solid core cable The link is a 10 Megabit or a 100 Megabit link The cable is a stranded cable The link partner is a Cisco IP Phone The link partner is not IEEE 802 3 compliant Run...

Page 1099: ...s are entered in privileged EXEC mode and most debug commands take no arguments For example beginning in privileged EXEC mode enter this command to enable the debugging for Switched Port Analyzer SPAN Switch debug span session The switch continues to generate output until you enter the no form of the command If you enable a debug command and no output appears consider these possibilities The switc...

Page 1100: ...tem overhead Logging messages to the console produces very high overhead whereas logging messages to a virtual terminal produces less overhead Logging messages to a syslog server produces even less and logging to an internal buffer produces the least overhead of any method When stack members generate a system error message the stack master displays the error message to all stack members The syslog...

Page 1101: ...E 03000000 Port Vlan SrcMac DstMac Cos Dscpv Gi1 0 1 0005 0001 0001 0001 0002 0002 0002 Packet 2 Lookup Key Used Index Hit A Data OutptACL 50_0D020202_0D010101 00_40000014_000A0000 01FFE 03000000 Port Vlan SrcMac DstMac Cos Dscpv Gi1 0 2 0005 0001 0001 0001 0002 0002 0002 output truncated Packet 10 Lookup Key Used Index Hit A Data OutptACL 50_0D020202_0D010101 00_40000014_000A0000 01FFE 03000000 P...

Page 1102: ...0D020202_0D010101 00_40000014_000A0000 034E0 000C001D_00000000 Lookup Used Secondary Station Descriptor 02260000 DestIndex 0226 RewriteIndex 0000 This is an example of the output when the packet coming in on port 1 in VLAN 5 has a destination MAC address set to the router MAC address in VLAN 5 and the destination IP address set to an IP address that is in the IP routing table It should be forwarde...

Page 1103: ...ailure Version numbers are used instead of a timestamp because the switches do not include a real time clock You cannot change the name of the file that the system will use when it creates the file However after the file is created you can use the rename privileged EXEC command to rename it but the contents of the renamed file will not be displayed by the show stacks or the show tech support privi...

Page 1104: ...d the serial number Message Record of the hardware related system messages generated by a standalone switch or a stack member Temperature Temperature of a standalone switch or a stack member Uptime data Time when a standalone switch or a stack member starts the reason the switch restarts and the length of time the switch has been running since it last restarted Voltage System voltages of a standal...

Page 1105: ...board module switch number clilog Displays the OBFL CLI commands that were entered on a standalone switch or the specified stack members show logging onboard module switch number environment Display the UDI information for a standalone switch or the specified stack members and for all the connected FRU devices the PID the VID and the serial number show logging onboard module switch number message ...

Page 1106: ...47-24 Cisco Catalyst Blade Switch 3120 for HP Software Configuration Guide OL-12247-01 Chapter 47 Troubleshooting Using On-Board Failure Logging ...

Page 1107: ...line Diagnostics With online diagnostics you can test and verify the hardware functionality of the switch while the switch is connected to a live network The online diagnostics contain packet switching tests that check different hardware components and verify the data path and the control signals The online diagnostics detect problems in these areas Hardware components Interfaces Ethernet ports an...

Page 1108: ...le diagnostic testing for a specific day and time on a standalone switch Switch config diagnostic schedule test TestPortAsicCam on december 3 2006 22 25 Command Purpose diagnostic schedule switch number test name test id test id range all basic non disruptive daily hh mm on mm dd yyyy hh mm weekly day of week hh mm Schedule on demand diagnostic tests for a specific day and time The range for the s...

Page 1109: ...e steps to configure and enable the health monitoring diagnostic tests Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 diagnostic monitor interval switch number test name test id test id range all hh mm ss milliseconds day Configure the health monitoring interval of the specified tests The range for the switch number keyword is from 1 to 9 When specifying the tests...

Page 1110: ... for the health monitoring tests The range for the switch number keyword is from 1 to 9 When specifying the tests use one of these parameters name Name of the test that appears in the show diagnostic content command output test id ID number of the test that appears in the show diagnostic content command output test id range ID numbers of the tests that appear in the show diagnostic content command...

Page 1111: ...e shows how to start a diagnostic test by using the test name Switch diagnostic start switch 2 test TestInlinePwrCtlr This example shows how to start all of the basic diagnostic tests Switch diagnostic start switch 1 test all Command Purpose diagnostic start switch number test name test id test id range all basic non disruptive Start the diagnostic tests The range for the switch number keyword is ...

Page 1112: ...in the command reference for this release Table 48 1 Commands for Diagnostic Test Configuration and Results Command Purpose show diagnostic content switch number all Display the online diagnostics configured for a switch show diagnostic status Display the currently running diagnostic tests show diagnostic result switch number all detail test name test id test id range all detail Display the online...

Page 1113: ...n for VLAN 1 To obtain the BRIDGE MIB information for other VLANs for example VLAN n use this community string in the SNMP message configured community string n CISCO CABLE DIAG MIB CISCO CDP MIB CISCO CONFIG COPY MIB CISCO CONFIG MAN MIB CISCO DHCP SNOOPING MIB CISCO ENTITY FRU CONTROL MIB CISCO ENTITY VENDORTYPE OID MIB CISCO ENVMON MIB CISCO ERR DISABLE MIB CISCO FLASH MIB Flash memory on all s...

Page 1114: ... switch configuration CISCO PORT STORM CONTROL MIB CISCO PRIVATE VLAN MIB CISCO POWER ETHERNET EXT MIB CISCO PROCESS MIB Only stack master details are shown CISCO PRODUCTS MIB CISCO RTTMON MIB CISCO SLB MIB Only with the advanced IP services feature sets CISCO SMI MIB CISCO STACK MIB Partial support on stacking capable switches for some objects only stack master information is supported ENTITY MIB...

Page 1115: ...MIB OLD CISCO INTERFACES MIB OLD CISCO IP MIB OLD CISCO SYS MIB OLD CISCO TCP MIB OLD CISCO TS MIB PIM MIB RFC1213 MIB Functionality is as per the agent capabilities specified in the CISCO RFC1213 CAPABILITY my RFC1253 MIB OSPF MIB RMON MIB RMON2 MIB SNMP FRAMEWORK MIB SNMP MPD MIB SNMP NOTIFICATION MIB SNMP TARGET MIB SNMPv2 MIB TCP MIB UDP MIB Note You can also use this URL for a list of support...

Page 1116: ...procedure Step 1 Make sure that your FTP client is in passive mode Note Some FTP clients do not support passive mode Step 2 Use FTP to access the server ftp cisco com Step 3 Log in with the username anonymous Step 4 Enter your e mail username when prompted for the password Step 5 At the ftp prompt change directories to pub mibs v1 and pub mibs v2 Step 6 Use the get MIB_filename command to obtain a...

Page 1117: ...h Software Images page B 23 Working with the Flash File System The flash file system is a single flash device on which you can store files It also provides several commands to help you manage software image and configuration files The default flash file system on the switch is named flash As viewed from the stack master or any stack member flash refers to the local flash device which is the device...

Page 1118: ...acking capable switch In this example the stack master is stack member 2 therefore flash2 is aliased to flash The file system on stack member 5 is displayed as flash5 on the stack master Switch show file systems File Systems Size b Free b Type Flags Prefixes opaque ro bs 57409536 25664000 flash rw flash flash2 opaque rw system 524288 512375 nvram rw nvram opaque ro xmodem opaque ro ymodem opaque r...

Page 1119: ... flash memory you might want to verify that the file system does not already contain a configuration file with the same name Similarly before copying a flash configuration file to another location you might want to verify its filename for use in another command To display information about files on a file system use one of the privileged EXEC commands in Table B 2 Flags Permission for file system ...

Page 1120: ... a specific file show file descriptors Display a list of open file descriptors File descriptors are the internal representations of open files You can use this command to see if another user has a file open Table B 2 Commands for Displaying Information About Files continued Command Description Command Purpose Step 1 dir filesystem Display the directories on the specified file system For filesystem...

Page 1121: ...config startup config command saves the currently running configuration file to the NVRAM section of flash memory to be used as the configuration during system initialization You can also copy from special file systems xmodem ymodem as the source for the file from a network machine that uses the Xmodem or Ymodem protocol Network file system URLs include ftp rcp and tftp and have these syntaxes FTP...

Page 1122: ...etion Caution When files are deleted their contents cannot be recovered This example shows how to delete the file myconfig from the default flash memory device Switch delete myconfig Creating Displaying and Extracting Files You can create a file and write files into it list the files in a file and extract the files from a file as described in the next sections Note Instead of using the copy privil...

Page 1123: ...ry filename TFTP syntax tftp location directory filename For flash file url specify the location on the local flash file system in which the new file is created You can also specify an optional list of files or directories within the source directory to add to the new file If none are specified all files and directories at this level are written to the newly created file Step 2 archive table sourc...

Page 1124: ...ersal mz 122 40 EX html xhome htm 9373 bytes cbs31x0 universal mz 122 40 EX html menu css 1654 bytes output truncated This example shows how to extract the contents of a file located on the TFTP server at 172 20 10 30 Switch archive xtract tftp 172 20 10 30 saved flash new configs This example shows how to display the contents of a configuration file on a TFTP server Switch more tftp serverA hampt...

Page 1125: ...ork and want it to have a configuration similar to the original switch By copying the file to the new switch you can change the relevant parts rather than recreating the whole file To load the same configuration commands on all the switches in your network so that all the switches have similar configurations You can copy upload configuration files from the switch to a file server by using TFTP FTP...

Page 1126: ...command line The switch does not erase the existing running configuration before adding the commands If a command in the copied configuration file replaces a command in the existing configuration file the existing command is erased For example if the copied configuration file contains a different IP address in a particular command than the existing configuration the IP address in the copied config...

Page 1127: ...witch by using configuration files you create download from another switch or download from a TFTP server You can copy upload configuration files to a TFTP server for storage These sections contain this configuration information Preparing to Download or Upload a Configuration File By Using TFTP page B 11 Downloading the Configuration File By Using TFTP page B 12 Uploading the Configuration File By...

Page 1128: ...ring to the Preparing to Download or Upload a Configuration File By Using TFTP section on page B 11 Step 3 Log into the switch through the console port the Ethernet management port or a Telnet session Step 4 Download the configuration file from the TFTP server to configure the switch Specify the IP address or hostname of the TFTP server and the name of the file to download Use one of these privile...

Page 1129: ...nds the first valid username in this list The username specified in the copy command if a username is specified The username set by the ip ftp username username global configuration command if the command is configured Anonymous The switch sends the first valid password in this list The password specified in the copy command if a password is specified The password set by the ip ftp password passwo...

Page 1130: ...e create a new FTP username by using the ip ftp username username global configuration command during all copy operations The new username is stored in NVRAM If you are accessing the switch through a Telnet session and you have a valid username this username is used and you do not need to set the FTP username Include the username in the copy command if you want to specify a username for only that ...

Page 1131: ...etadmin1 Switch(config)# ip ftp password mypass Switch(config)# end Switch# copy ftp: nvram:startup-config Address of remote host [255.255.255.255]? 172.16.101.101 Name of configuration file [rtr2-confg]? host2-confg Configure using host2-confg from 172.16.101.101? [confirm] Connected to 172.16.101.101 Loading 1112 byte file host2-confg: [OK] [OK] Switch# %SYS-5-CONFIG_NV: Non-volatile store configured from host2-config...

Page 1132: ...itch Unlike TFTP which uses User Datagram Protocol UDP a connectionless protocol RCP uses TCP which is connection oriented To use RCP to copy files the server from or to which you will be copying files must support RCP The RCP copy commands rely on the rsh server or daemon on the remote system To copy files by using RCP you do not need to create a server for file distribution as you do with TFTP Y...

Page 1133: ...Configuration File By Using RCP Before you begin downloading or uploading a configuration file by using RCP do these tasks Ensure that the workstation acting as the RCP server supports the remote shell rsh Ensure that the switch has a route to the RCP server The switch and the server must be in the same subnetwork if you do not have a router to route traffic between subnets Check connectivity to t...

Page 1134: ...h# configure terminal Switch(config)# ip rcmd remote-username netadmin1 Switch(config)# end Switch# copy rcp: nvram:startup-config Address of remote host [255.255.255.255]? 172.16.101.101 Name of configuration file [rtr2-confg]? host2-confg Configure using host2-confg from 172.16.101.101? [confirm] Connected to 172.16.101.101 Loading 1112 byte file host2-confg: [OK] [OK] Switch# %SYS-5-CONFIG_NV: Non-volatile store confi...

Page 1135: ...tion file to write switch2 confg Write file switch2 confg on host 172 16 101 101 confirm OK Clearing Configuration Information You can clear the configuration information from the startup configuration If you reboot the switch with no startup configuration the switch enters the setup program so that you can reconfigure the switch with all new settings Command Purpose Step 1 Verify that the RCP ser...

Page 1136: ...the running configuration with any saved Cisco IOS configuration file You can use the rollback function to roll back to a previous configuration These sections contain this information Understanding Configuration Replacement and Rollback page B 20 Configuration Guidelines page B 21 Configuring the Configuration Archive page B 22 Performing a Configuration Replacement or Rollback Operation page B 2...

Page 1137: ...the configure replace target url privileged EXEC command note these major differences The copy source url running config command is a merge operation and preserves all the commands from both the source file and the running configuration This command does not remove commands from the running configuration that are not present in the source file In contrast the configure replace target url command r...

Page 1138: ...figuration Archive Using the configure replace command with the configuration archive and with the archive config command is optional but offers significant benefit for configuration rollback scenarios Before using the archive config command you must first configure the configuration archive Starting in privileged EXEC mode follow these steps to configure the configuration archive Command Purpose ...

Page 1139: ...n file created in Step 2 by using the archive config privileged EXEC command list Display a list of the command entries applied by the software parser during each pass of the configuration replacement operation The total number of passes also appears force Replace the running configuration file with the specified saved configuration file without prompting you for confirmation time seconds Specify ...

Page 1140: ...notes You can replace the current image with the new one or keep the current image in flash memory after a download You can use the archive download sw allow feature upgrade privileged EXEC command to allow installation of an image with a different feature set for example upgrading from the noncryptographic universal image with the IP services feature set to the cryptographic universal image with ...

Page 1141: ...m are in a file format which contains these files An info file which serves as a table of contents for the file One or more subdirectories containing other images and files such as Cisco IOS images and web management files This example shows some of the information contained in the info file Table B 3 provides additional details about this information system_type 0x00000000 cbs31x0 universal mz 12...

Page 1142: ...ch with an incompatible software image use the archive copy sw privileged EXEC command to copy the software image from an existing stack member to the incompatible switch That switch automatically reloads and joins the stack as a fully functioning member These sections contain this configuration information Preparing to Download or Upload an Image File By Using TFTP page B 26 Downloading an Image ...

Page 1143: ... set correctly The permission on the file should be world read Before uploading the image file you might need to create an empty file on the TFTP server To create an empty file enter the touch filename command where filename is the name of the file you will use when uploading the image to the server During upload operations if you are overwriting an existing file including an empty file if you had...

Page 1144: ...on allows installation of a software images with different feature sets Optional The directory option specifies a directory for the images The overwrite option overwrites the software image in flash memory with the downloaded image The reload option reloads the system after downloading the image unless the configuration has been changed and not been saved For location specify the IP address of the...

Page 1145: ...isting image Beginning in privileged EXEC mode follow these steps to upload an image to a TFTP server The archive upload sw privileged EXEC command builds an image file on the server by uploading these files in order info the Cisco IOS image and the web management files After these files are uploaded the upload algorithm creates the file format Caution For the download and upload algorithms to ope...

Page 1146: ... client to send a remote username and password on each FTP request to a server When you copy an image file from the switch to a server by using FTP the Cisco IOS software sends the first valid username in this list The username specified in the archive download sw or archive upload sw privileged EXEC command if a username is specified The username set by the ip ftp username username global configu...

Page 1147: ...username is used and you do not need to set the FTP username Include the username in the archive download sw or archive upload sw privileged EXEC command if you want to specify a username for that operation only When you upload an image file to the FTP server it must be properly configured to accept the write request from the user on the switch For more information see the documentation for your F...

Page 1148: ...ion on page B 30 For location specify the IP address of the FTP server For directory image name1 tar directory image name2 tar image name3 tar image name4 tar specify the directory optional and the images to download Directory and image names are case sensitive Step 8 archive download sw directory leave old sw reload tftp location directory image name1 tar image name2 tar image name3 tar image nam...

Page 1149: ...ave old sw keyword you can remove it by entering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old software image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image names Upl...

Page 1150: ... For switch stacks the archive download sw and archive upload sw privileged EXEC commands can only be used through the stack master Software images downloaded to the stack master are automatically downloaded to the rest of the stack members To upgrade a switch with an incompatible software image use the archive copy sw privileged EXEC command to copy the software image from an existing stack membe...

Page 1151: ...me The switch hostname For the RCP copy request to execute successfully an account must be defined on the network server for the remote username If the server has a directory structure the image file is written to or copied from the directory associated with the remote username on the server For example if the image file resides in the home directory of a user on the server specify that user s nam...

Page 1152: ...rrent image Beginning in privileged EXEC mode follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image To keep the current image go to Step 6 Command Purpose Step 1 Verify that the RCP server is properly configured by referring to the Preparing to Download or Upload an Image File By Using RCP section on page B 35 Step 2 Log into the switch through the co...

Page 1153: ...ecify the IP address of the RCP server For directory image name1 tar directory image name2 tar image name3 tar image name4 tar specify the directory optional and the images to download Directory and image names are case sensitive Step 7 archive download sw directory leave old sw reload tftp location directory image name1 tar image name2 tar image name3 tar image name4 tar Download the images file ...

Page 1154: ...f you kept the old software during the download process you specified the leave old sw keyword you can remove it by entering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old software image All the files in the directory and the directory are removed Caution For the down...

Page 1155: ...py the software image from an existing stack member to the one that has incompatible software That switch automatically reloads and joins the stack as a fully functioning member Note To use the archive copy sw privileged EXEC command you must have downloaded from a TFTP server the images for both the stack member switch being added and the stack master You use the archive download sw privileged EX...

Page 1156: ...updated stack member Note At least one stack member must be running the image that is to be copied to the switch that is running the incompatible software For destination system destination stack member number specify the number of the stack member the destination to which to copy the source running image file If you do not specify this stack member number the default is to copy the running image ...

Page 1157: ...e feature and command mode Access Control Lists Unsupported Privileged EXEC Commands access enable host timeout minutes access template access list number name dynamic name source destination timeout minutes clear access template access list number name dynamic name source destination show access lists rate limit destination show accounting show ip accounting checkpoint output packets access viola...

Page 1158: ...rchive config show archive config show archive log ARP Commands Unsupported Global Configuration Commands arp ip address hardware address smds arp ip address hardware address srp a arp ip address hardware address srp b Unsupported Interface Configuration Commands arp probe ip probe proxy Boot Loader Commands Unsupported User EXEC Commands verify Unsupported Global Configuration Commands boot buffe...

Page 1159: ...ation Commands no event manager directory user repository url location event manager applet applet name maxrun Unsupported Commands in Applet Configuration Mode no event interface name interface name parameter counter name entry val entry counter value entry op gt ge eq ne lt le entry type increment rate value exit val exit value exit op gt ge eq ne lt le exit type increment rate value average fac...

Page 1160: ... irb bridge bridge group mac address table limit number bridge bridge group multicast source bridge bridge group protocol dec bridge bridge group route protocol bridge bridge group subscriber policy policy subscriber policy policy no default packet permit deny Unsupported Interface Configuration Commands bridge group bridge group cbus bridging bridge group bridge group circuit group circuit number...

Page 1161: ...ridge group bridge group subscriber loop control bridge group bridge group subscriber trunk bridge bridge group lat service filtering frame relay map bridge dlci broadcast interface bvi bridge group x25 map bridge x 121 address broadcast options keywords HSRP Unsupported Global Configuration Commands interface Async interface BVI interface Dialer interface Group Async interface Lex interface Multi...

Page 1162: ... does not display packets that are hardware switched The debug ip mpacket detail access list number group name or address command affects only packets received by the switch CPU Because most multicast packets are hardware switched use this command only when you know that the route will forward the packet to the CPU debug ip pim atm show frame relay ip rtp header compression interface type number T...

Page 1163: ...ess broadcast broadcast address multicast address extended access list number ip multicast rate limit in out video whiteboard group list access list source list access list kbps ip multicast ttl threshold ttl value instead use the ip multicast boundary access list number interface configuration command ip multicast use functional ip pim minimum vc rate pps ip pim multipoint signalling ip pim nbma ...
