Summary of Contents for Cisco Catalyst 4500 Series
Page 1
Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Release IOS XE 3.3.0SG and IOS 15.1(1)SG Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Customer Order Number: DOC-OL-25340-=1...
Page 2
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.;...
Internet Group Management Protocol (IGMP) Snooping IPv6 Multicast Listen Discovery (MLD) and Multicast Listen Discovery snooping Jumbo Frames Link Aggregation Control Protocol Cisco IOS XE IP Application Services Features in Cisco IOS XE 3.1.0SG Link Layer Discovery Protocol Link State Tracking Location Service Multiple Spanning Tree Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG...
Page 4
GLBP 1-13 Cisco IOS XE IP Application Services Features in Cisco IOS XE 3.1.0SG 1-13 HSRP 1-13 Cisco IOS XE IP Application Services: HSRP Features in Cisco IOS XE 3.1.0SG 1-13 SSO Aware HSRP 1-14 IP Routing Protocols 1-14 1-15...
Page 5
Contents Cisco Call Home 1-21 Cisco Energy Wise 1-21 Cisco IOS IP Service Level Agreements 1-22 Cisco Media Services Proxy 1-22 Cisco Medianet AutoQoS 1-23 Cisco Medianet Flow Metadata 1-23 Cisco IOS Mediatrace and Performance Monitor 1-24 Cisco Network Assistant...
Page 6
1-37 Debugging Features 1-37 Web-based Authentication 1-38 New and Modified Software Features Supported in Cisco IOS 15.1(1)SG and Cisco IOS XE 3.3SG 1-39 Command-Line Interfaces Accessing the Switch CLI Accessing the CLI Using the EIA/TIA-232 Console Interface...
Page 7
Contents Using Configuration Mode to Configure Your Switch Verifying the Running Configuration Settings Saving the Running Configuration Settings to Your Start-Up File 3-10 Reviewing the Configuration in NVRAM 3-10 Configuring a Default Gateway 3-11 Configuring a Static Route 3-11 Controlling Access to Privileged EXEC Commands 3-13 Setting or Changing a Static enable Password 3-13...
Page 8
Contents System Clock Understanding Network Time Protocol Configuring NTP Default NTP Configuration Configuring NTP Authentication Configuring NTP Associations Configuring NTP Broadcast Service Configuring NTP Access Restrictions Configuring the Source IP Address for NTP Packets 4-10 Displaying the NTP Configuration 4-11 Configuring Time and Date Manually 4-11 Setting the System Clock...
Page 9
Switching to the Standby Supervisor Engine 5-21 Stopping the ISSU Rollback Timer (Optional) 5-23 Loading New Cisco IOS Software on the New Standby Supervisor Engine 5-24 Using changeversion to Automate an ISSU Upgrade 5-26 Aborting a Software Upgrade During ISSU...
Page 10
Switching to the Standby Supervisor Engine 6-21 Stopping the ISSU Rollback Timer (Optional) 6-23 Loading New Cisco IOS XE Software on the New Standby Supervisor Engine 6-24 Using changeversion to Automate an ISSU Upgrade 6-25 Aborting a Software Upgrade During ISSU...
Page 11
Contents Using the Ethernet Management Port Understanding the Ethernet Management Port Fa1 Interface and mgmtVrf SSO Model ISSU Model Supported Features on the Ethernet Management Port Configuring the Ethernet Management Port 7-10 Defining and Using Interface-Range Macros 7-10 Deploying SFP+ in X2 Ports 7-11 Deploying 10-Gigabit Ethernet and Gigabit Ethernet SFP Ports on Supervisor Engine V-10GE 7-12...
Page 12
Contents Online Insertion and Removal on a WS-4500X-32 7-32 Shutting down a Module 7-32 Booting a Module After It Has Been Stopped 7-33 Common Scenarios 7-34 Monitoring and Maintaining the Interface 7-34 Monitoring Interface and Controller Status 7-34 Clearing and Resetting the Interface 7-35 Shutting Down and Restarting an Interface 7-35...
Page 13
Contents Enabling ICMP Mask Reply Messages 8-14 Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 6-E and Supervisor Engine 6L-E About Supervisor Engine Redundancy Overview RPR Operation SSO Operation About Supervisor Engine Redundancy Synchronization RPR Supervisor Engine Configuration Synchronization SSO Supervisor Engine Configuration Synchronization Supervisor Engine Redundancy Guidelines and Restrictions...
Page 14
11-13 Verifying IS-IS NSF 11-14 Configuring EIGRP NSF 11-16 Verifying EIGRP NSF 11-16 Cisco High Availability Features in Cisco IOS XE 3.1.0SG 11-17 Environmental Monitoring and Power Management 12-1 About Environmental Monitoring 12-1...
Page 15
Configuring Errdisable Recovery 13-14 Enhanced Power PoE Support on the E-Series Chassis 13-15 Configuring Universal PoE 13-16 Configuring the Catalyst 4500 Series Switch with Cisco Network Assistant 14-1 About Network Assistant 14-2 Community Overview...
Page 16
Contents (Additional) Configuration Required to Use Community 14-5 (Additional) Configuration Required to Use Clustering 14-5 Managing a Network Using Community 14-6 Candidate and Member Requirements 14-7 Automatic Discovery of Candidates and Members 14-7 Community Names 14-8 Hostnames 14-8 Passwords 14-8 Communication Protocols 14-8 Access Modes in Network Assistant...
Page 17
Contents Understanding VTP Pruning 15-11 VTP Configuration Guidelines and Restrictions 15-12 VTP Default Configuration 15-13 Configuring VTP 15-14 Configuring VTP Global Parameters 15-14 Configuring the VTP Mode 15-16 Starting a Takeover 15-19 Displaying VTP Statistics 15-19 Displaying VTP Devices in a Domain 15-20 VLAN Membership Policy Server 15-20...
Page 18
About SmartPort Macros and Static SmartPort 18-1 Configuring SmartPort Macros 18-2 Passing Parameters Through the Macro 18-3 Macro Parameter Help 18-3 Default SmartPort Macro Configuration 18-4 cisco-global 18-4 cisco-desktop 18-4 cisco-phone 18-5 cisco-router 18-5 cisco-switch 18-5 SmartPort Macro Configuration Guidelines...
Page 19
Contents Configuring Cisco IOS Auto Smartport Macros 19-1 About Auto Smartport Macros 19-1 Device Classifier 19-2 Device Visibility Mode 19-3 Configuring Auto Smartport Macros 19-3 Enabling Auto Smartport Macros 19-3 Auto Smartport Default Configuration...
Page 20
Contents Configuring the Hello Time 20-17 Configuring the Maximum Aging Time for a VLAN 20-18 Configuring the Forward-Delay Time for a VLAN 20-19 Disabling Spanning Tree Protocol 20-20 Enabling Per-VLAN Rapid Spanning Tree 20-20 Specifying the Link Type 20-21 Restarting Protocol Migration 20-21 About MST 20-22...
Page 21
Contents Default Configuration 21-5 Configuration Guidelines 21-6 Configuring Flex Links 21-6 Configuring VLAN Load Balancing on Flex Links 21-8 Configuring MAC Address-Table Move Update 21-10 Default Configuration 21-10 Configuration Guidelines 21-10 Configuring the MAC Address-Table Move Update Feature 21-10 Configuring a Switch to Send MAC Address-Table Move Updates 21-10 Configuring a Switch to Receive MAC Address-Table Move Updates 21-12...
Page 22
Contents About BPDU Guard 23-8 Enabling BPDU Guard 23-8 About PortFast BPDU Filtering 23-9 Enabling PortFast BPDU Filtering 23-9 About UplinkFast 23-11 Enabling UplinkFast 23-12 About BackboneFast 23-13 Enabling BackboneFast 23-15 Configuring EtherChannel and Link State Tracking 24-1 About EtherChannel 24-2 Port Channel Interfaces...
Page 23
Contents Link-State Tracking Configuration Guidelines 24-21 Configuring Link-State Tracking 24-21 Displaying Link-State Tracking Status 24-22 Configuring IGMP Snooping and Filtering 25-1 About IGMP Snooping 25-1 Immediate-Leave Processing 25-3 IGMP Configurable-Leave Timer 25-4 IGMP Snooping Querier 25-4 Explicit Host Tracking 25-4...
Page 24
Contents Displaying IGMP Filtering Configuration 25-24 Configuring IPv6 MLD Snooping 26-1 About MLD Snooping 26-1 MLD Messages 26-2 MLD Queries 26-3 Multicast Client Aging 26-3 Multicast Router Discovery 26-3 MLD Reports 26-4 MLD Done Messages and Immediate-Leave 26-4 Topology Change Notification Processing 26-4...
Page 25
29-11 Configuring Location TLV and Location Service 29-12 Monitoring and Maintaining LLDP, LLDP-MED, and Location Service 29-14 Cisco IOS Carrier Ethernet Features in Cisco IOS XE 3.1.0SG 29-15 Configuring UDLD 30-1 About UDLD...
Page 26
Contents Operation Modes 30-3 Default States for UDLD 30-3 Default UDLD Configuration 30-4 Configuring UDLD on the Switch 30-4 Fast UDLD Guidelines and Restrictions 30-4 Enabling UDLD Globally 30-5 Enabling UDLD on Individual Interfaces 30-6 Disabling UDLD on Individual Interfaces 30-7 Disabling UDLD on a Fiber-Optic Interface 30-7...
Page 27
Adjacency Tables 33-2 Adjacency Discovery 33-2 Adjacency Resolution 33-3 Adjacency Types That Require Special Handling 33-3 Unresolved Adjacency 33-3 Catalyst 4500 Series Switch Implementation of CEF 33-3 Hardware and Software Switching 33-4 Hardware Switching 33-5 Software Switching 33-5 Load Balancing 33-6...
Page 28
Internet Group Management Protocol 35-3 Protocol-Independent Multicast 35-3 Rendezvous Point (RP) 35-4 IGMP Snooping 35-4 IP Multicast Implementation on the Catalyst 4500 Series Switch 35-4 CEF, MFIB, and Layer 2 Forwarding 35-5 IP Multicast Tables 35-7 Hardware and Software Forwarding 35-8...
Page 29
Contents Displaying System and Network Statistics 35-23 Displaying the Multicast Routing Table 35-23 Displaying IP MFIB 35-25 Displaying Bidirectional PIM Information 35-26 Displaying PIM Statistics 35-27 Clearing Tables and Databases 35-27 Configuration Examples 35-28 PIM Dense Mode Example 35-28 PIM Sparse Mode Example 35-28 Bidirectional PIM Mode Example 35-28...
Page 30
Contents Hardware Support for BFD 37-7 How to Configure Bidirectional Forwarding Detection 37-7 Configuring BFD Session Parameters on the Interface 37-8 Configuring BFD Support for Dynamic Routing Protocols 37-8 Configuring BFD Support for BGP 37-8 Configuring BFD Support for EIGRP 37-9 Configuring BFD Support for OSPF 37-10...
Page 31
Contents Configuring VRF-lite 39-1 About VRF-lite 39-2 Default VRF-lite Configuration 39-3 VRF-lite Configuration Guidelines 39-4 Configuring VRFs 39-5 Configuring VRF-Aware Services 39-5 Configuring the User Interface for ARP 39-6 Configuring the User Interface for PING 39-6 Configuring the User Interface for SNMP 39-7...
Page 32
Contents Strict Priority / Low Latency Queueing 40-9 Traffic Shaping 40-9 Packet Modification 40-9 Per Port Per VLAN QoS 40-10 Flow-based QoS 40-10 Using Metadata in QoS Policy 40-11 Configuring QoS 40-12 MQC-based QoS Configuration 40-13 Platform-supported Classification Criteria and QoS Features 40-13 Platform Hardware Capabilities 40-14...
Page 33
Cisco IP Phone Voice Traffic 41-2 Cisco IP Phone Data Traffic 41-2 Configuring a Port to Connect to a Cisco 7960 IP Phone 41-3 Configuring Voice Ports for Voice and Data Traffic 41-3 Overriding the CoS Priority of Incoming Frames...
Page 34
Configuring Cisco TrustSec MACsec 43-10 Configuring Cisco TrustSec Credentials on the Switch 43-10 Configuring Cisco TrustSec Switch-to-Switch Link Security in 802.1X Mode 43-11 Configuring Cisco TrustSec Switch-to-Switch Link Security in Manual Mode 43-12 Cisco TrustSec Switch-to-Switch Link Security Configuration Example 43-13 Configuring 802.1X Port-Based Authentication...
Page 35
Usage Guidelines for Using Authentication Failed VLAN Assignment 44-18 Using 802.1X with Port Security 44-19 Using 802.1X Authentication with ACL Assignments and Redirect URLs 44-20 Cisco Secure ACS and AV Pairs for URL-Redirect 44-20 ACLs 44-21 Using 802.1X with RADIUS-Provided Session Timeouts 44-21 Using 802.1X with Voice VLAN Ports...
Page 37
Verifying the Auth Manager Session for an Interface 44-115 Displaying MAB Details 44-117 EPM Logging 44-117 Cisco IOS Security Features in Cisco IOS XE 3.1.0 SG Release 44-118 Configuring the PPPoE Intermediate Agent 45-1 Related Documents...
Page 38
Contents Configuring the Generic Error Message for PPPoE IA on a Switch 45-3 Enabling PPPoE IA on an Interface 45-4 Configuring the PPPoE IA Trust Setting on an Interface 45-4 Configuring PPPoE IA Rate Limiting Setting on an Interface 45-4 Configuring PPPoE IA Vendor-tag Stripping on an Interface 45-5 Configuring PPPoE IA Circuit-ID and Remote-ID on an Interface...
Page 39
Contents Configuring the Web-Based Authentication Parameters 46-13 Removing Web-Based Authentication Cache Entries 46-14 Displaying Web-Based Authentication Status 46-14 Configuring Port Security 47-1 Port Security Commands 47-2 About Port Security 47-3 Secure MAC Addresses 47-4 Maximum Number of Secure MAC Addresses 47-4...
Page 40
Contents Examples of Voice Port Security 47-25 Example 1: Configuring Maximum MAC Addresses for Voice and Data VLANs 47-25 Example 2: Configuring Sticky MAC Addresses for Voice and Data VLANs 47-26 Voice Port Security Configuration Guidelines and Restrictions 47-27 Displaying Port Security Settings 47-27 Examples of Security Settings 47-28...
Page 41
Contents Configuring Dynamic ARP Inspection 49-1 About Dynamic ARP Inspection 49-1 ARP Cache Poisoning 49-2 Purpose of Dynamic ARP Inspection 49-2 Interface Trust State, Security Coverage and Network Configuration 49-3 Relative Priority of Static Bindings and DHCP Snooping Entries 49-4 Logging of Dropped Packets 49-4...
Page 42
Contents Displaying a Binding Table 50-19 Displaying the DHCP Snooping Configuration 50-19 About IP Source Guard 50-19 Configuring IP Source Guard 50-20 Configuring IP Source Guard on Private VLANs 50-22 Displaying IP Source Guard Information 50-22 Displaying IP Source Binding Information 50-23 Configuring IP Source Guard for Static Hosts 50-24...
Page 43
Contents Examples of ACLs and VLAN Maps 51-19 Applying a VLAN Map to a VLAN 51-21 Using VLAN Maps in Your Network 51-22 Denying Access to a Server on Another VLAN 51-23 Displaying VLAN Access Map Information 51-24 Using VLAN Maps with Router ACLs 51-25 Guidelines for Using Router ACLs and VLAN Maps on the Same VLAN 51-25...
Page 44
Contents Static Routes 52-5 First-Hop Redundancy Protocols 52-5 Unicast Routing 52-5 52-5 OSPF 52-6 EIGRP 52-6 IS-IS 52-6 Multiprotocol BGP 52-6 Tunneling 52-7 IPv6 Default States 52-7 Port Unicast and Multicast Flood Blocking 53-1 About Flood Blocking 53-1 Configuring Port Blocking...
Page 45
Contents Configuring SPAN 55-7 SPAN Configuration Guidelines and Restrictions 55-7 Configuring SPAN Sources 55-8 Configuring SPAN Destinations 55-9 Monitoring Source VLANs on a Trunk Interface 55-9 Configuration Scenario 55-10 Verifying a SPAN Configuration 55-10 CPU Port Sniffing 55-10 Encapsulation Configuration 55-12 Ingress Packets 55-12...
Page 46
Configuring IP SLAs Object Tracking 57-8 Configuring Static Routing Support 57-10 Configuring a Primary Interface 57-10 Configuring a Cisco IP SLAs Monitoring Agent and Track Object 57-11 Configuring a Routing Policy and Default Route 57-11 Monitoring Enhanced Object Tracking 57-12...
Page 47
Contents Configuring System Message Logging 58-1 About System Message Logging 58-1 Configuring System Message Logging 58-2 System Log Message Format 58-2 Default System Message Logging Configuration 58-3 Disabling Message Logging 58-4 Setting the Message Display Destination Device 58-5 Synchronizing Log Messages 58-6...
Page 48
Contents SNMP Versions 60-2 SNMP Manager Functions 60-3 SNMP Agent Functions 60-4 SNMP Community Strings 60-4 Using SNMP to Access MIB Variables 60-4 SNMP Notifications 60-5 Configuring SNMP 60-5 Default SNMP Configuration 60-5 SNMP Configuration Guidelines 60-6 Disabling the SNMP Agent 60-7 Configuring Community Strings 60-7...
Page 49
Contents Configuring Flexible NetFlow 62-1 Configuring Ethernet OAM and CFM 63-1 About Ethernet CFM 63-2 Ethernet CFM and OAM Definitions 63-2 CFM Domain 63-2 Maintenance Associations and Maintenance Points 63-4 CFM Messages 63-5...
Page 51
Configuring Cisco IOS IP SLA Operations 66-1 Understanding Cisco IOS IP SLAs 66-2 Using Cisco IOS IP SLAs to Measure Network Performance 66-3 IP SLAs Responder and IP SLAs Control Protocol 66-4 Response Time Computation for IP SLAs...
Page 52
Contents Displaying RMON Status 67-6 Performing Diagnostics 68-1 Configuring Online Diagnostics 68-1 Configuring On-Demand Online Diagnostics 68-2 Scheduling Online Diagnostics 68-2 Performing Diagnostics 68-3 Starting and Stopping Online Diagnostic Tests 68-3 Displaying Online Diagnostic Tests and Test Results 68-4 Displaying Data Path Online Diagnostics Test Results 68-7...
Page 53
69-11 Verifying WCCP Settings Example 69-12 Configuring MIB Support 70-1 Determining MIB Support for Cisco IOS Releases 70-1 Using Cisco IOS MIB Tools 70-2 Downloading and Compiling MIBs 70-2 Guidelines for Working with MIBs...
Page 55
Preface This preface describes who should read this document, how it is organized, and its conventions. The preface also tells you how to obtain Cisco documents, as well as how to obtain technical assistance. Audience This guide is for experienced network administrators who are responsible for configuring and maintaining Catalyst 4500 series switches.
Page 56
Supervisor Engine 7L-E. Chapter 11, Configuring Cisco NSF with SSO Supervisor Engine Redundancy: Describes how to configure supervisor engine redundancy using Cisco nonstop forwarding (NSF) with stateful switchover (SSO). Chapter 12, Environmental Monitoring and Power Management: Describes how to configure power management and environmental monitoring features.
Page 57
Describes how to configure port security and trunk port security. Chapter 48, Configuring Control Plane Policing and Layer 2 Control Packet QoS: Describes how to protect your Catalyst 4500 series switch using control plane policing (CoPP).
Page 58
Describes various types of diagnostics on the Catalyst 4500 series switch. Chapter 69, Configuring WCCP Version 2 Services: Describes how to configure the Catalyst 4500 series switches to redirect traffic to cache engines (web caches) using the Web Cache Communication Protocol (WCCP), and describes how to manage cache engine clusters (cache farms).
Chapter 71, ROM Monitor: Describes the ROM Monitor. Appendix A, Acronyms and Abbreviations: Defines acronyms and abbreviations used in this book.
Conventions
This document uses the following typographical conventions:
• boldface font: Commands, command options, and keywords are in boldface.
• italic font: Command arguments for which you supply values are in italics.
Related Documentation
Refer to the following documents for additional Catalyst 4500 series information:
• Catalyst 4500 Series Switch Documentation Home: http://www.cisco.com/en/US/products/hw/switches/ps4324/tsd_products_support_series_home.ht
• Catalyst 4900 Series Switch Documentation Home: http://www.cisco.com/en/US/products/ps6021/index.html
• Cisco ME 4900 Series Ethernet Switches Documentation Home: http://www.cisco.com/en/US/products/ps7009/tsd_products_support_series_home.html...
Page 61
• Catalyst 4500 Series Software System Message Guide: http://www.cisco.com/en/US/products/hw/switches/ps4324/products_system_message_guides_list.html
Cisco IOS Documentation
Platform-independent Cisco IOS documentation may also apply to the Catalyst 4500 and 4900 switches. These documents are available at the following URLs:
• Cisco IOS configuration guides, Release 12.x: http://www.cisco.com/en/US/products/ps6350/products_installation_and_configuration_guides_list.html
•...
Page 62
OpenSSL/Open SSL Project This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]). License Issues The OpenSSL toolkit stays under a dual license;...
Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
New and Modified Software Features Supported in Cisco IOS 15.1(1)SG and Cisco IOS XE 3.3SG, page 1-39 Note For more information about the chassis, modules, and software features supported by the Catalyst 4500 series switch, refer to the Release Notes for the Catalyst 4500 Series Switch at this location: http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_release_notes_list.html Layer 2 Software Features...
Cisco IOS Auto SmartPort macros dynamically configure ports based on the device type detected on the port. When the switch detects a new device on a port it applies the appropriate Cisco IOS Auto Smartports macro. When a link-down event occurs on the port, the switch removes the macro. For example, when you connect a Cisco IP phone to a port, Cisco IOS Auto SmartPorts automatically applies the IP phone macro.
Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN. CDP enables Cisco switches and routers to exchange information, such as their MAC addresses, IP addresses, and outgoing interfaces. CDP runs over the data-link layer only, allowing two systems that support different network-layer protocols to learn about each other.
Chapter 1 Product Overview Layer 2 Software Features Flex Links and MAC Address-Table Move Update Flex Links are a pair of Layer 2 interfaces (switch ports or port channels) where one interface is configured to act as a backup to the other. The feature provides an alternative solution to the Spanning Tree Protocol (STP).
EtherChannel is added to the spanning tree as a single bridge port. Cisco IOS XE IP Application Services Features in Cisco IOS XE 3.1.0SG This section lists the IP Application Services software features that are supported in Cisco IOS XE 3.1.0SG. Links to the feature documentation are included.
Feature guides document features that are supported on many different software releases and platforms. Your Cisco software release or platform may not support all the features documented in a feature guide. See the Feature Information table at the end of the feature guide for information about which features in that guide are supported in your software release.
The Catalyst 4500 series switch supports trusted boundary, which uses the Cisco Discovery Protocol (CDP) to detect the presence of a Cisco IP phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue.
Chapter 40, “Configuring Quality of Service.” Resilient Ethernet Protocol Resilient Ethernet Protocol (REP) is a Cisco proprietary protocol that provides an alternative to Spanning Tree Protocol (STP) to control network loops, handle link failures, and improve convergence time. REP controls a group of ports connected in a segment, ensures that the segment does not create any bridging loops, and responds to link failures within the segment.
DHCP data that was already snooped, and the security benefits continue uninterrupted. For information about SSO, see Chapter 11, “Configuring Cisco NSF with SSO Supervisor Engine Redundancy.” SVI Autostate When an SVI has multiple ports on a VLAN, normally the SVI will go down when all the ports in the VLAN go down.
MAC address of the host attached to that port. Virtual Switch System Client Catalyst 4500 series switches support enhanced PAgP. If a Catalyst 4500 series switch is connected to a Catalyst 6500 series Virtual Switch System (VSS) by using a PAgP EtherChannel, the Catalyst 4500 series switch will automatically serve as a VSS client, using enhanced PAgP on this EtherChannel for dual-active detection.
Compared to conventional software-based switches, Layer 3 switches process more packets faster by using application-specific integrated circuit (ASIC) hardware instead of microprocessor-based engines. The following sections describe the key Layer 3 switching software features on the Catalyst 4500 series switch:
• Bidirectional Forwarding Detection, page 1-11 ...
The Enhanced Object Tracking (EOT) feature separates the tracking mechanism from HSRP and creates a separate standalone tracking process that can be used by other Cisco IOS processes as well as HSRP. This feature allows tracking of other objects in addition to the interface line-protocol state.
Product Overview Layer 3 Software Features that guide are supported in your software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
(called the autonomous system path), and a list of other path attributes. The Catalyst 4500 series switch supports BGP version 4, including classless interdomain routing (CIDR). CIDR lets you reduce the size of your routing tables by creating aggregate routes, resulting in supernets.
A single Level 2 area is used as backbone for inter-area traffic. For details on IS-IS, refer to this URL: http://www.cisco.com/en/US/products/ps6632/products_ios_protocol_option_home.html OSPF The Open Shortest Path First (OSPF) protocol is a standards-based IP routing protocol designed to overcome the limitations of RIP.
SSO requires the same version of Cisco IOS on both the active and standby supervisor engines. Because of version mismatch during an upgrade or downgrade of the Cisco IOS software, a Catalyst 4500 series switch is forced into operating in RPR mode. In this mode, after the switchover you can observe link-flaps and a disruption in service.
With NSF/SSO, IP phone calls do not drop. NSF/SSO is supported for OSPF, BGP, EIGRP, IS-IS, and Cisco Express Forwarding (CEF). NSF/SSO is typically deployed in the most critical parts of an enterprise or service provider network, such as Layer 3 aggregation/core or a resilient Layer 3 wiring closet design.
Refer to the following link for more details: http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/routed-ex.html With Cisco IOS Release 12.2(53)SG, the IP Base image supports OSPF for routed access. The Enterprise Services image is required if you need multiple OSPFv2 and OSPFv3 instances without route restrictions. Enterprise Services also is required to enable the VRF-lite feature.
For details on VRRP, refer to this URL: http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_vrrp_ps6441_TSD_Products_Configuration_Guide_Chapter.html Management Features The Catalyst 4500 series switch offers network management and control using the CLI or through alternative access methods, such as SNMP. The switch software supports these network management features:
• Cisco Call Home, page 1-21 ...
XML-based automated parsing applications. Common uses of this feature may include direct paging of a network support engineer, e-mail notification to a Network Operations Center, XML delivery to a support website, and utilization of Cisco Smart Call Home services for direct case generation with the Cisco Systems Technical Assistance Center (TAC).
Chapter 66, “Configuring Cisco IOS IP SLA Operations.” For more detail on Cisco IOS IP SLAs, see the Cisco IOS IP SLAs Configuration Guide, Release 12.4T: http://www.cisco.com/en/US/docs/ios/ipsla/configuration/guide/12_4t/sla_12_4t_book.html The Catalyst 4500 series switch also supports a Built-in Traffic Simulator that uses Cisco IOS IP SLAs video operations to generate synthetic traffic for a variety of video applications, such as Telepresence, IPTV, and IP video surveillance cameras.
Flow Metadata is supported on releases prior to Cisco IOS Release 15.1(1)SG. Flow metadata is the data that describes a flow in the network: the five-tuple of the flow along with its attributes.
This information includes, among other things, flow statistics; utilization information for incoming and outgoing interfaces, CPUs, and memory; as well as any changes to IP routes or the Cisco IOS Mediatrace monitoring state. For details, see the following URLs: http://www.cisco.com/en/US/docs/ios-xml/ios/media_monitoring/configuration/15-1sg/mm-pasv-mon.
IP addresses from specified address pools within the router to DHCP clients. If the Cisco IOS DHCP server cannot satisfy a DHCP request from its own database, it can forward the request to one or more secondary DHCP servers defined by the network administrator.
Embedded Event Manager (EEM) is a distributed and customized approach to event detection and recovery offered directly in a Cisco IOS device. EEM offers the ability to monitor events and take informational, corrective, or any desired EEM action when the monitored events occur or when a threshold is reached.
ACL. Intelligent Power Management Working with powered devices (PDs) from Cisco, this feature uses power negotiation to refine the power consumption of an 802.3af-compliant PD beyond the granularity of power consumption provided by the 802.3af class. Power negotiation also enables the backward compatibility of newer PDs with older modules that do not support either 802.3af or high-power levels as required by IEEE standard.
SSH will be limited to providing a remote login session to the switch and will only function as a server. Simple Network Management Protocol Simple Network Management Protocol (SNMP) facilitates the exchange of management information between network devices. The Catalyst 4500 series switch supports these SNMP types and enhancements:
• SNMP—A full Internet standard
• SNMP v2—Community-based administrative framework for version 2 of SNMP...
Class D, or better, cabling as specified in ISO/IEC 11801:1995. Cisco® Universal Power over Ethernet (UPOE) is a Cisco proprietary technology that extends the IEEE 802.3 PoE standard to provide the capability to source up to 60W of power over standard Ethernet cabling infrastructure (Class D or better).
Note Catalyst 4500X-32. Starting with Cisco IOS Release XE 3.3.0SG and the IP Base and Enterprise Services feature sets, the Catalyst 4500 series switch supports Wireshark. Wireshark is a packet analyzer program, formerly known as Ethereal, that supports multiple protocols and presents information in a graphical and text-based user interface.
In this situation, 802.1X user authentication typically fails with the port closed, and the user is denied access. Inaccessible Authentication Bypass provides a configurable alternative on the Catalyst 4500 series switch to grant a critical port network access in a locally specified VLAN.
• Multi-Domain Authentication—This feature allows both a data device and a voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port, which is divided into a data domain and a voice domain.
•...
DHCP data that was already snooped, and the security benefits continue uninterrupted. For DHCP server configuration information, refer to the chapter, “Configuring DHCP,” in the Cisco IOS IP and IP Routing Configuration Guide at the following URL: http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_dhcp_rdmp_ps6350_TSD_Produ...
Chapter 1 Product Overview Security Features Flood Blocking Flood blocking enables users to disable the flooding of unicast and multicast packets on a per-port basis. Occasionally, unknown unicast or multicast traffic from an unprotected port is flooded to a protected port because a MAC address has timed out or has not been learned by the switch.
NAC Layer 2 IP validation NAC Layer 2 IP is an integral part of Cisco Network Admission Control. It offers the first line of defense for infected hosts (PCs and other devices attached to a LAN port) attempting to connect to the corporate network.
The switch supports the following applications of ACLs to filter traffic:
• MAC address filtering, which enables you to block unicast traffic for a MAC address on a VLAN interface.
• Port ACLs, which enable you to apply ACLs to Layer 2 interfaces on a switch for inbound traffic.
•...
For information about TDR, see Chapter 8, “Checking Port Status and Connectivity.”
Debugging Features
The Catalyst 4500 series switch has several commands to help you debug your initial setup. These commands are included in the following command groups:
• platform
•...
Chapter 1 Product Overview Security Features Web-based Authentication The web-based authentication feature, known as Web Authentication Proxy, enables you to authenticate end users on host systems that do not run the IEEE 802.1X supplicant. When you initiate an HTTP session, this feature intercepts ingress HTTP packets from the host and sends an HTML login page to your.
New and Modified Software Features Supported in Cisco IOS 15.1(1)SG and Cisco IOS XE 3.3SG This document provides a list of new and modified software features supported in Cisco IOS 15.1(1)SG and Cisco IOS XE 3.3SG. AAA Double Authentication Secured by Absolute Timeout http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-1sg/sec-aaa-double-auth.
Chapter 1 Product Overview New and Modified Software Features Supported in Cisco IOS 15.1(1)SG and Cisco IOS XE 3.3SG
BFD - Static Route Support
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/15-1sg/irb-bi-fwd-det.html
BFD IPv6 Encaps Support
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/15-1sg/ip6-route-bfd-encaps.html
BFD - OSPF Support for BFD over IPv4
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/15-1sg/irb-bi-fwd-det.html
SSO - BFD
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/15-1sg/irb-bi-fwd-det.html
...
BGP Event Based VPN Import
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/15-1sg/irg-event-vpn-import.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/xe-3sg/irg-event-vpn-import.html
BGP Support for the L2VPN Address Family
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/15-1sg/irg-sup-l2vpn.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bgp/configuration/xe-3sg/irg-sup-l2vpn.html
Bidirectional Forwarding Detection (BFD) MIB version 2
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/15-1sg/irb-bfd-mib.html
...
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/xe-3sg/evn-overview.html
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/15-1sg/evn-confg.html
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/xe-3sg/evn-confg.html
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/15-1sg/evn-shared-svcs.html
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/xe-3sg/evn-shared-svcs.html
EVN Cisco EVN MIB
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/15-1sg/evn-mgt-ts.html
http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/xe-3sg/evn-mgt-ts.html
Embedded Packet Capture (EPC)
http://www.cisco.com/en/US/docs/ios-xml/ios/epc/configuration/xe-3sg/nm-packet-capture.html
Enhanced Test Command
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_radcfg/configuration/15-1sg/sec-enhanced-tst-cmd.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_radcfg/configuration/xe-3sg/sec-enhanced-tst-c...
IGMP Static Group Range Support
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_igmp/configuration/15-1sg/imc_static_grp_range_supp.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_igmp/configuration/xe-3sg/imc_static_grp_range_supp.html
IGMPv3 Host Stack
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_igmp/configuration/15-1sg/imc_igmpv3_hoststack.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_igmp/configuration/xe-3sg/imc_igmpv3_hoststack.html
Device Sensor
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-1sg/sec-dev-sensor.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3sg/sec-dev-sensor.html
IP Multicast Load Splitting - Equal Cost Multipath (ECMP) using S, G and Next-hop
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_optim/configuration/15-1sg/imc_load_splt_ecm...
IPv6 Tunneling: ISATAP Tunnel Support
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-1sg/ip6-tunnel.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/xe-3sg/ip6-tunnel.html
IPv6: Multicast Address Group Range Support
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-1sg/ip6-multicast.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/xe-3sg/ip6-multicast.html
ISG: Policy Control: Policy Server: CoA (QoS, L4 redirect, User ACL, TimeOut)
http://www.cisco.com/en/US/docs/ios-xml/ios/isg/configuration/15-1sg/isg-ext-pol-svrs.html
...
http://www.cisco.com/en/US/docs/ios-xml/ios/media_monitoring/configuration/xe-3sg/mm-mediatrace.html
MLD Group Limits
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-1sg/ip6-multicast.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/xe-3sg/ip6-multicast.html
Media Services Proxy
http://www.cisco.com/en/US/docs/ios-xml/ios/msp/configuration/15-1sg/med-ser-prxy.html
http://www.cisco.com/en/US/docs/ios-xml/ios/msp/configuration/xe-3sg/med-ser-prxy-xe.html
MSDP MD5 password authentication
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_pim/configuration/15-1sg/imc_msdp.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_pim/configuration/xe-3sg/imc_msdp.html
Multicast Address Group Range Support
...
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/xe-3sg/iro-traff-stats.html
OSPF Graceful Shutdown
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-1sg/iro-ttl.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/xe-3sg/iro-ttl.html
OSPF Mechanism to Exclude Connected IP Prefixes from LSA Advertisements
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-1sg/iro-ex-lsa.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/xe-3sg/iro-ex-lsa.html
OSPF SNMP ifIndex Value for Interface ID
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-1sg/iro-snmp-ifindex.htm...
PIM Triggered Joins
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_resil/configuration/15-1sg/imc_pim_triggered.h
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_resil/configuration/xe-3sg/imc_pim_triggered.h
Product Security Baseline: Password Encryption and Complexity Restrictions
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cfg/configuration/15-1sg/sec-cfg-sec-4cli.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-3sg/sec-cfg-sec-4cli.html
RADIUS Progress Codes
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_radcfg/configuration/15-1sg/RADIUS_Progress_Codes.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_radcfg/configuration/xe-3sg/RADIUS_Progress_Codes.html
...
Suppressing EXEC Accounting Record
The Suppressing EXEC Accounting Record feature enables the suppression of an EXEC-stop accounting record when autoselection during login for the dial-in clients is configured. To configure the Suppressing EXEC Accounting Record feature, use the aaa accounting nested suppress stop command in global configuration mode.
Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location: http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html If the command is not found in the Catalyst 4500 Series Switch Command Reference, it will be found in the larger Cisco IOS library. Refer to the Cisco IOS Command Reference and related publications at this location: http://www.cisco.com/en/US/products/ps6350/index.html...
Electronic Industries Alliance (EIA) and Telecommunications Industry Association (TIA). Perform the initial switch configuration over a connection to the EIA/TIA-232 console interface. Refer to the Catalyst 4500 Series Switch Module Installation Guide for console interface cable connection procedures. To access the switch through the console interface, perform this task:...
Chapter 2 Command-Line Interfaces Performing Command-Line Processing
To make a Telnet connection to the switch, perform this task:
Step 1  Command: telnet {hostname | ip_addr}  Purpose: From the remote host, enter the telnet command and the name or IP address of the switch you want to access.
Step 2  At the prompt, enter the password for the CLI.
The Cisco IOS user interface has many different modes: user EXEC, privileged EXEC (enable), global configuration, interface, subinterface, and protocol-specific. The commands available to you depend on which mode you are in. To get a list of the commands in a given mode, enter a question mark (?) at the system prompt.
Telnet. The Cisco IOS command interpreter, called the EXEC, interprets and runs the commands you enter. You can abbreviate commands and keywords by entering just enough characters to make the command unique from other commands. For example, you can abbreviate the show command to sh and the configure terminal command to config t.
EXEC mode. Virtual Console for Standby Supervisor Engine Catalyst 4500 series switches can be configured with 2 supervisor engines to provide redundancy. When the switch is powered, one of the supervisor engines becomes active and remains active until a switchover occurs.
ROMMON Command-Line Interface
To log in to the standby supervisor engine using a virtual console, enter the following command:
Switch# session module 2
Connecting to standby virtual console
Type "exit" or "quit" to end this session
Switch-standby-console# exit
If the standby console is not enabled, the following message appears:
Switch-standby-console#...
When you enter ROMMON mode, the prompt changes to rommon 1>. Use the ? command to see the available ROMMON commands. For more information about the ROMMON commands, refer to the Cisco IOS Command Reference. Archiving Crashfiles Information This feature allows you to archive crashinfo files (otherwise overwritten if another system reset were to happen first to the bootflash).
Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location: http://www.cisco.com/en/US/products//hw/switches/ps4324/index.html If the command is not found in the Catalyst 4500 Series Switch Command Reference, it will be found in the larger Cisco IOS library. Refer to the Cisco IOS Command Reference and related publications at this location: http://www.cisco.com/en/US/products/ps6350/index.html...
• Example Configuration, page 3-7
If your DHCP server is a Cisco device, or if you are configuring the switch as a DHCP server, refer to the “IP Addressing and Services” section in the Cisco IOS IP and IP Routing Configuration Guide for Cisco IOS Release 12.1 for additional information about configuring DHCP.
Chapter 3 Configuring the Switch for the First Time Configuring DHCP-Based Autoconfiguration With DHCP-based autoconfiguration, no DHCP client-side configuration is needed on your switch because your switch (the DHCP client) is automatically configured at startup with IP address information and a configuration file. However, you need to configure the DHCP server or the DHCP server feature on your switch for various lease options associated with IP addresses.
Configuring DHCP-Based Autoconfiguration Configuring the DHCP Server A switch can act as both the DHCP client and the DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch. You should configure the DHCP server, or the DHCP server feature running on your switch, with reserved leases that are bound to each switch by the switch hardware address.
LAN must respond. Examples of such broadcast packets are DHCP, DNS, and in some cases, TFTP packets. If the relay device is a Cisco router, enable IP routing (ip routing global configuration command) and configure helper addresses (ip helper-address interface configuration command). For example, in...
Figure 3-2 Relay Device Used in Autoconfiguration
[Figure: Switch (DHCP client) 10.0.0.2; Cisco router (relay) 10.0.0.1 and 20.0.0.1; DHCP server 20.0.0.2, TFTP server 20.0.0.3, DNS server 20.0.0.4]
Obtaining Configuration Files...
Figure 3-3 DHCP-Based Autoconfiguration Network Example
[Figure: Switch 1 (00e0.9f1e.2001), Switch 2 (00e0.9f1e.2002), Switch 3 (00e0.9f1e.2003), and Switch 4 (00e0.9f1e.2004) reach, through a Cisco router (10.0.0.10), the DHCP server (10.0.0.1), DNS server (10.0.0.2), and TFTP server maritsu (10.0.0.3)]
Table 3-2 shows the configuration of the reserved leases on either the DHCP server or the DHCP server feature running on your switch.
Chapter 3 Configuring the Switch for the First Time Configuring the Switch DNS Server Configuration The DNS server maps the TFTP server name maritsu to IP address 10.0.0.3. TFTP Server Configuration (on UNIX) The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method.
Using Configuration Mode to Configure Your Switch
To configure your switch from configuration mode, follow these steps:
Step 1 Connect a console terminal to the console interface of your supervisor engine.
Step 2 After a few seconds, you see the user EXEC prompt (Switch>).
<...output truncated...>
line con 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
 transport input lat pad dsipcon mop telnet rlogin udptn nasi
Switch#
Saving the Running Configuration Settings to Your Start-Up File
Caution...
line con 0
 exec-timeout 0 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
 transport input lat pad dsipcon mop telnet rlogin udptn nasi
Switch#
Configuring a Default Gateway
The switch uses the default gateway only when it is not configured with a routing protocol.
To configure a static route, perform this task:
Step 1  Command: Switch(config)# ip route dest_IP_address mask {forwarding_IP | vlan vlan_ID}  Purpose: Configures a static route to the remote network.
Step 2  Verifies that the static route is displayed correctly.
Chapter 3 Configuring the Switch for the First Time Controlling Access to Privileged EXEC Commands
ip default-gateway 172.20.52.35
ip classless
ip route 171.20.5.3 255.255.255.255 Vlan1
no ip http server
x25 host z
line con 0
 transport input none
line vty 0 4
 exec-timeout 0 0
 password lab
 login
...
If you specify an encryption type, you must provide an encrypted password—an encrypted password you copy from another Catalyst 4500 series switch configuration. Note You cannot recover a lost encrypted password. You must clear NVRAM and set a new password. See the “Recovering a Lost Enable Password”...
TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands.
Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
Figure 3-4 Typical TACACS+ Network Configuration
[Figure: Catalyst 6500 series switch connected to a UNIX workstation (TACACS+ server 1, 171.20.10.7) and a UNIX workstation (TACACS+ server 2, 171.20.10.8)]
Configure the switches with the TACACS+ server addresses.
Chapter 3 Configuring the Switch for the First Time Controlling Access to Privileged EXEC Commands TACACS+ Operation When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs: When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the user.
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 3-21
• Starting TACACS+ Accounting, page 3-21
Default TACACS+ Configuration
TACACS+ and AAA are disabled by default. To prevent a lapse in security, you cannot configure TACACS+ through a network management application.
Step 7  Command: show tacacs  Purpose: Verifies your entries.
Step 8  Command: copy running-config startup-config  Purpose: (Optional) Saves your entries in the configuration file.
To remove the specified TACACS+ server name or address, use the no tacacs-server host hostname global configuration command.
Step 3  Command: aaa authentication login default list-name method1 method2...  Purpose: Creates a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that you plan to use in default situations.
Chapter 3 Configuring the Switch for the First Time Controlling Access to Privileged EXEC Commands Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch uses information retrieved from the user’s profile, which is located either in the local user database or on the security server, to configure the user’s session.
To enable TACACS+ accounting for each Cisco IOS privilege level and for network services, perform this task, beginning in privileged EXEC mode:
Step 1  Command: configure terminal  Purpose: Enters global configuration mode.
3-24. Configuring Multiple Privilege Levels By default, Cisco IOS software has two modes of password security: user EXEC mode and privileged EXEC mode. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
Logging In to a Privilege Level
To log in at a specified privilege level, enter this command:
Command: Switch# enable level  Purpose: Logs in to a specified privilege level.
Exiting a Privilege Level
To exit to a specified privilege level, enter this command:...
Recovering a Lost Enable Password
Note For more information on the configuration register, which is preconfigured in NVRAM, see the “Configuring the Software Configuration Register” section on page 3-26.
NVRAM
Caution To avoid possibly halting the Catalyst 4500 series switch, remember that valid configuration register settings might be combinations of settings and not just the individual settings listed in Table 3-3.
Chapter 3 Configuring the Switch for the First Time Modifying the Supervisor Engine Startup Configuration
Table 3-3 Software Configuration Register Bits
Bit Number   Hexadecimal         Meaning
00 to 03     0x0000 to 0x000F    Boot field (see Table 3-4)
04           0x0010              Unused
05           0x0020              Bit two of console line speed
06           0x0040              Causes system software to ignore NVRAM contents
07           0x0080              ...
Command: Switch# reload  Purpose: Reboots the switch to make your changes take effect.
To modify the configuration register while the switch is running Cisco IOS software, follow these steps:
Step 1 Enter the enable command and your password to enter privileged level, as follows:
Switch>...
Supervisor Engine 6-E and Supervisor Engine 6L-E
Switch# show version
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-ENTSERVICES-M), Version 15.1(1)SG5.214, CISCO INTERNAL USE ONLY DEVTEST VERSION , synced to END_OF_FLO_ISP
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 17-Jan-12 23:07 by gsbuprod
ROM: 12.2(44r)SG(0.146)
Switch# show version
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.03.00.SG5. CISCO INTERNAL USE ONLY UNIVERSAL DEVELOPMENT K10 IOSD VERSION , synced to V150_5_20_SID
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Wed 14-Dec-11 07:59 by gsbuprod
ROM: 15.0(1r)SG(0.326)
Step 1 Copy a system image to flash memory using TFTP or other protocols. Refer to the “Cisco IOS File Management” and “Loading and Maintaining System Images” chapters in the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2, at the following URL: http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/12_2sr/cf_12_2sr_book.html...
Switch#
00:01:48: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
Switch#
If the Catalyst 4500 series switch is accessible to a TFTP server, you can copy an image to the bootflash memory with the TFTP command:
Switch# copy tftp://192.20.3.123/tftpboot/abc/cat4500-entservices-mz.bin bootflash:
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG...
Configuring the Switch for the First Time Resetting a Switch to Factory Default Settings When the copying is completed, you can reboot the just-copied Catalyst 4500 series switch image to the image stored in the bootflash memory with the reload command: Switch# reload System configuration has been modified.
Chapter 3 Configuring the Switch for the First Time Resetting a Switch to Factory Default Settings Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG 3-34 OL-25340-01...
Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location: http://www.cisco.com/en/US/products//hw/switches/ps4324/index.html If the command is not found in the Catalyst 4500 Series Switch Command Reference, it will be found in the larger Cisco IOS library. Refer to the Cisco IOS Command Reference and related publications at this location: http://www.cisco.com/en/US/products/ps6350/index.html...
Chapter 4 Administering the Switch Managing the System Time and Date
• Configuring NTP, page 4-3
• Configuring Time and Date Manually, page 4-11
System Clock
The core of the time service is the system clock, which monitors the date and time. This clock starts when the system starts.
Managing the System Time and Date Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
• Configuring NTP Associations, page 4-6
• Configuring NTP Broadcast Service, page 4-7
• Configuring NTP Access Restrictions, page 4-8
• Configuring the Source IP Address for NTP Packets, page 4-10
•...
Step 4  Command: ntp trusted-key key-number  Purpose: Specifies one or more key numbers (defined in Step 3) that a peer NTP device must provide in its NTP packets for this switch to synchronize to it.
Chapter 4 Administering the Switch Managing the System Time and Date Configuring NTP Associations An NTP association can be a peer association (this switch can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this switch synchronizes to the other device, and not the other way around).
Chapter 4 Administering the Switch Managing the System Time and Date Configuring NTP Broadcast Service The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association.
To configure the switch to receive NTP broadcast packets from connected peers, perform this task:
Step 1  Command: configure terminal  Purpose: Enters global configuration mode.
Step 2  Command: interface interface-id  Purpose: Specifies the interface to receive NTP broadcast packets, and enters interface configuration mode.
Creating an Access Group and Assigning a Basic IP Access List
To control access to NTP services by using access lists, perform this task:
Step 1  Command: configure terminal  Purpose: Enters global configuration mode.
Step 2  Creates an access group, and applies a basic IP access list.
Chapter 4 Administering the Switch Managing the System Time and Date To remove access control to the switch NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command. This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99.
For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.3. Configuring Time and Date Manually If no other source of time is available, you can manually configure the time and date after the system is restarted.
Chapter 4 Administering the Switch Managing the System Time and Date Displaying the Time and Date Configuration To display the time and date configuration, use the show clock [detail] privileged EXEC command. The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate).
Chapter 4 Administering the Switch Managing the System Time and Date Configuring Summer Time (Daylight Saving Time) To configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year, perform this task: Command Purpose Step 1...
If summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events), perform this task:
Step 1  Command: configure terminal  Purpose: Enters global configuration mode.
Administering the Switch Configuring a System Name and Prompt For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.3 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.3.
These sections contain this configuration information:
• Default DNS Configuration, page 4-16
• Setting Up DNS, page 4-16
• Displaying the DNS Configuration, page 4-17
Default DNS Configuration
Table 4-2 shows the default DNS configuration.
Chapter 4 Administering the Switch Creating a Banner Default Banner Configuration The MOTD and login banners are not configured. Configuring a Message-of-the-Day Login Banner You can create a single or multiline message banner that appears on the screen when someone logs in to the switch.
Step 4  Command: show running-config  Purpose: Verifies your entries.
Step 5  Command: copy running-config startup-config  Purpose: (Optional) Saves your entries in the configuration file.
This example shows how to configure a MOTD banner for the switch by using the pound sign (#) symbol as the beginning and ending delimiter:
Switch(config)# banner motd # it is a secure site.
Chapter 4 Administering the Switch Creating a Banner Configuring a Login Banner You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. To configure a login banner, perform this task: Command Purpose Step 1...
Chapter 4 Administering the Switch Managing the MAC Address Table
This example shows how to configure a login banner for the switch by using the dollar sign ($) symbol as the beginning and ending delimiter:
Switch# configure terminal
Switch(config)# banner login $ Access for authorized users only.
Chapter 4 Administering the Switch Managing the MAC Address Table address and its associated port number to the address table. As stations are added or removed from the network, the switch updates the address table, adding new dynamic addresses and aging out those that are not in use.
When PVLANs are configured, address learning depends on the type of MAC address:
• Dynamic MAC addresses learned in one VLAN of a PVLAN are replicated in the associated VLANs. For example, a MAC address learned in a private-VLAN secondary VLAN is replicated in the primary VLAN.
Step 4  Command: show mac address-table aging-time  Purpose: Verifies your entries.
Step 5  Command: copy running-config startup-config  Purpose: (Optional) Saves your entries in the configuration file.
Removing Dynamic Address Entries
To remove all dynamic entries, use the clear mac address-table dynamic command in EXEC mode. You can also remove a specific MAC address (clear mac address-table dynamic address mac-address), remove all addresses on the specified physical port or port channel (clear mac address-table dynamic interface interface-id), or remove all addresses on a specified...
Step 3  Command: snmp-server enable traps mac-notification change  Purpose: Enables the switch to send MAC change traps to the NMS.
To disable the switch from sending MAC change notification traps, use the no snmp-server enable traps mac-notification change global configuration command.
Chapter 4 Administering the Switch Managing the MAC Address Table This example shows how to specify 172.69.59.93 as the network management system, enable the switch to send MAC change notification traps to the network management system, enable the MAC change notification feature, set the interval time to 60 seconds, set the history-size to 100 entries, and enable traps whenever a MAC address is added on the specified port: Switch# configure terminal...
To configure MAC move notification, perform this task:
Step 1 (configure terminal): Enters global configuration mode.
Step 2 (snmp-server host host-addr traps | informs version }} [...): Specifies the recipient of the trap message.
Configuring MAC Threshold Notification Traps
When you configure MAC threshold notification, an SNMP notification is generated and sent to the network management system when a MAC address table (MAT) threshold limit is reached or exceeded. To configure MAC address threshold notification, perform this task: Command Purpose...
Step 6: Returns to privileged EXEC mode.
Step 7 (show mac address-table notification threshold, show running-config): Displays the MAC utilization threshold notification status.
Step 8 (Optional) (copy running-config startup-config): Saves your entries in the configuration file.
To add a static address, perform this task:
Step 1 (configure terminal): Enters global configuration mode.
Step 2 (mac address-table static mac-addr vlan vlan-id interface interface-id): Adds a static address to the MAC address table.
• For mac-addr, specify the destination MAC unicast address to add to...
• If you add a unicast MAC address as a static address and configure unicast MAC address filtering, the switch either adds the MAC address as a static address or drops packets with that MAC address, depending on which command was entered last.
Disabling MAC Address Learning on a VLAN
By default, MAC address learning is enabled on all VLANs on the switch. By controlling which VLANs can learn MAC addresses, you can manage the available MAC address table space. Disabling learning on a VLAN conserves MAC address table space because none of the MAC addresses seen on that VLAN are learned.
Usage Guidelines
Note These guidelines are advisory only. Contact the Cisco solution provider team for specific solution implementations.
When disabling MAC address learning on a VLAN, consider these guidelines:
• If learning is disabled on a VLAN with an SVI interface, it floods every IP packet in the Layer 2...
Figure 4-2 Disabling MAC Address Learning: Point-to-Point Links (figure: two core switches with FW sync, distribution switches with external and internal FW interfaces, an L2/L3 firewall, and VLAN a)
Layer 2 Firewall or Cache
In this topology, a rewritten Layer 3 packet is routed back to a Layer 2 firewall (or cache) before exiting. When the packet reenters the switch from the firewall, it possesses the switch’s MAC address because the packet was previously routed.
Feature Incompatibility
The following features are incompatible with disabling MAC address learning and do not work properly when the feature is enabled:
• 802.1X—The 802.1X class of features does not work when learning is disabled because some of...
Configuration capabilities allow comprehensive changes to devices, if the required security privileges have been granted. The configuration and monitoring capabilities for the Catalyst 4500 series of switches mirror those available in CiscoView in all server-based CiscoWorks solutions, including CiscoWorks LAN Management Solution (LMS) and CiscoWorks Routed WAN Management Solution (RWAN).
Configuring Embedded CiscoView Support
These sections describe the Embedded CiscoView support available with Cisco IOS Release 12.1(20)EW and later releases:
• Understanding Embedded CiscoView, page 4-38
• Installing and Configuring Embedded CiscoView, page 4-38
• Displaying Embedded CiscoView Information, page 4-41
Delete bootflash:cv/Cat4000IOS-4.0_error.html? [confirm]y Delete bootflash:cv/Cat4000IOS-4.0_install.html? [confirm]y Delete bootflash:cv/Cat4000IOS-4.0_jks.jar? [confirm]y Delete bootflash:cv/Cat4000IOS-4.0_nos.jar? [confirm]y Delete bootflash:cv/applet.html? [confirm]y Delete bootflash:cv/cisco.x509? [confirm]y Delete bootflash:cv/identitydb.obj? [confirm]y Switch# Switch# squeeze bootflash: All deleted files will be removed. Continue? [confirm]y Squeeze operation may take a while. Continue? [confirm]y...
ADP version Output modifiers < For more information about web access to the switch, refer to the “Using the Cisco Web Browser” chapter in the Cisco IOS Configuration Fundamentals Configuration Guide at this URL: http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/12_4t/cf_12_4t_book.html Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG...
Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location: http://www.cisco.com/en/US/products//hw/switches/ps4324/index.html If the command is not found in the Catalyst 4500 Series Switch Command Reference, it will be found in the larger Cisco IOS library. Refer to the Cisco IOS Command Reference and related publications at this location: http://www.cisco.com/en/US/products/ps6350/index.html...
NFL daughter card and so on).
• The new and old Cisco IOS software images must be loaded into the file systems (bootflash or compact flash) of both the active and the standby supervisor engines before you begin the ISSU process.
SSO is typically deployed in service provider networks. In this example, Cisco NSF with SSO is enabled at the access layer (edge) of the service provider network. A fault at this point could result in loss of service for enterprise customers requiring access to the service provider network.
(figure labels: SSO capable-routers, access layer, Customers)
Additional levels of availability may be gained by deploying Cisco NSF with SSO at other points in the network where a single point of failure exists. Figure 5-2 illustrates an optional deployment strategy that applies Cisco NSF with SSO at the enterprise network access layer.
NSF Overview Cisco NSF works with the SSO feature in Cisco IOS software. SSO is a prerequisite of Cisco NSF. NSF works with SSO to minimize the amount of time a network is unavailable to its users following a switchover.
About ISSU
ISSU Process Overview
The ISSU process allows you to perform a Cisco IOS software upgrade or downgrade while the system continues to forward packets. (For an illustration of the commands used during the ISSU process, refer to Figure 5-8 on page 5-11.) Cisco IOS ISSU takes advantage of the Cisco IOS high availability...
Configuring the Cisco IOS In-Service Software Upgrade Process About ISSU An ISSU-capable switch consists of two supervisor engines (active and standby) and one or more line cards. Before initiating the ISSU process, copy the Cisco IOS software into the file systems of both supervisor engines (see Figure 5-4).
After you have copied the Cisco IOS software to both file systems, load the new version of Cisco IOS software onto the standby supervisor engine (see Figure 5-5).
After a switchover (NSF or SSO, not RPR), the standby supervisor engine takes over as the new active supervisor engine (see Figure 5-6). Figure 5-6 Switch Over to Standby Supervisor Engine...
The former active supervisor engine is loaded with an old Cisco IOS image so that if the new active supervisor engine experiences problems, you can abort and conduct a switchover to the former active, which is already running the old image.
Figure 5-8 Steps During the ISSU Process (figure: the active and standby supervisor engine roles through the Loadversion, Runversion, Acceptversion*, Commitversion, and Abortversion commands, with the switchover following Runversion)
* This command is optional.
Changeversion Process
The issu changeversion command launches a single-step complete ISSU upgrade cycle. It performs the logic for all four of the standard commands (issu loadversion, issu runversion, issu acceptversion, and issu commitversion) without user intervention, streamlining the upgrade through a single CLI step.
• In a downgrade scenario, if any feature is not available in the downgrade revision of the Cisco IOS software handle, that feature should be disabled prior to initiating the ISSU process.
Versioning Capability in Cisco IOS Software to Support ISSU
Before the introduction of ISSU, the SSO mode of operation required each supervisor engine to be running the same versions of Cisco IOS software.
Incompatible versions cannot progress to SSO operational mode.
Compatibility Matrix
You can perform the ISSU process when the Cisco IOS software on both the active and the standby supervisor engine is capable of ISSU and the old and new images are compatible. The compatibility matrix information stores the compatibility among releases as follows:
• Compatible—The base-level system infrastructure and all optional HA-aware subsystems are...
SNMP for SSO provides a mechanism for synchronizing the SNMP configurations and the MIBs that support SSO from the active supervisor engine to the standby supervisor engine, assuming that both supervisor engines are running the same version of Cisco IOS software. This assumption is not valid for ISSU.
• Init state—The initial state is two supervisor engines, one active and one standby, before the ISSU process is started. It is also the final state after the ISSU process completes.
• Load version (LV) state—The standby supervisor engine is loaded with the new version of Cisco IOS software.
Active Location = slot 1 Current Software state = ACTIVE Uptime in current state = 0 minutes Image Version = Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-ENTSERVICES-M), Version 12.2(31)SGA, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2006 by Cisco Systems, Inc.
61341696 bytes total (1116224 bytes free)
Loading New Cisco IOS Software on the Standby Supervisor Engine
This task describes how to use ISSU to load a new version of Cisco IOS software to the standby supervisor engine.
Prerequisites
• Ensure that the new version of Cisco IOS software image is already present in the file system of both...
It may take several seconds after the issu loadversion command is entered for Cisco IOS software to load onto the standby supervisor engine and for the standby supervisor engine to transition to SSO mode. This causes the standby supervisor engine to reload with the new image.
Slot = 2 RP State = Standby ISSU State = Load Version Boot Variable = bootflash:new_image,12;bootflash:old_image,12 Operating Mode = Stateful Switchover Primary Version = bootflash:old_image Secondary Version = bootflash:new_image...
= 18 RF debug mask = 0x0
Switching to the Standby Supervisor Engine
This task describes how to switch over to the standby supervisor engine, which is running the new Cisco IOS software image. Perform this task at the active supervisor engine:...
A switchover occurs at this point. At the new active supervisor engine, after the old active supervisor engine comes up as the standby engine, do the following:...
This optional task describes how to stop the rollback timer. If you do not run the following procedure before the rollback timer “timeout,” the system automatically aborts the ISSU process and reverts to the original Cisco IOS software version. By default the rollback timer is 45 minutes.
Configured Rollback Time = 45:00
Loading New Cisco IOS Software on the New Standby Supervisor Engine
This task explains how to load a new version of Cisco IOS software to the new standby supervisor engine. Perform this task at the active supervisor engine:...
This example shows how to reset and reload the current standby supervisor engine (slot 1) with the new Cisco IOS software version. After entering the commitversion command, the standby supervisor engine boots in the Standby Hot state.
This task describes how to use the issu changeversion command to perform a one-step ISSU upgrade.
Prerequisites
• Ensure that the new version of Cisco IOS software image is already present in the file system of both the active and standby supervisor engines.
• Also ensure that appropriate boot parameters (BOOT string and config-register) are set for the active and standby supervisor engines...
Perform the following steps at the active supervisor engine:
Step 1 (Switch> enable): Enables privileged EXEC mode. Enter your password if prompted.
Active Location = slot 5 Current Software state = ACTIVE Uptime in current state = 9 minutes Image Version = Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.00.00.1.68 CISCO UNIVERSAL DEVELOPMENT K10 IOSD TEST VERSION Copyright (c) 1986-2010 by Cisco Systems, Inc.
*Feb 25 20:41:03.639: %INSTALLER-7-ISSU_OP_SUCC: issu changeversion successfully executed 'issu runversion' Note Switchover occurs..... Look at the console of new active supervisor engine. *Feb 25 20:47:39.859: %RF-5-RF_TERMINAL_STATE: Terminal state reached for (SSO) *Feb 25 20:47:39.971: %INSTALLER-7-ISSU_OP_SUCC:...
Current Software state = ACTIVE Uptime in current state = 9 minutes Image Version = Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.00.00.1.68 CISCO UNIVERSAL DEVELOPMENT K10 IOSD TEST VERSION Copyright (c) 1986-2010 by Cisco Systems, Inc.
A user may want to configure the rollback timer to more than 45 minutes in order to have enough time to verify the operation of the new Cisco IOS software before committing the new image.
Entering the issu commitversion command at this stage is equal to entering both the issu acceptversion and the issu commitversion commands. Use the issu commitversion command if you do not intend to run in the current state now and are satisfied with the new software version.
Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# issu set rollback-timer 20 % ISSU state should be [ init ] to set the rollback timer...
12.2(53)SG Comp(3) Dynamic(0) was introduced in Cisco IOS Release 12.2(50)SG with the Dynamic Image Version Compatibility (DIVC) feature. With DIVC, Dynamic(0) is stored instead of Incomp(1), Base(2), or Comp(3). Compatibility is determined during runtime when two different DIVC-capable images are running in the active and standby supervisor engines during ISSU.
Step 1 (Switch> enable): Enables privileged EXEC mode. Enter your password if prompted.
Step 2 (Switch# show issu comp-matrix {negotiated | stored | xml}): Displays information regarding the ISSU compatibility matrix.
COMPATIBLE ....
Related Documents
Related Topic: Performing ISSU. Document Title: Cisco IOS Software: Guide to Performing In Service Software Upgrades
Related Topic: Information about Cisco Nonstop Forwarding. Document Title: Cisco Nonstop Forwarding, http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsnsf20s.html
Related Topic: Information about Stateful Switchover. Document Title: Stateful Switchover, http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/sso120s.
• The new and old Cisco IOS XE software images must be loaded into the file systems (bootflash, SD card, or USB) of both the active and the standby supervisor engines before you begin the ISSU process.
Depending on your objectives, you may decide to deploy Cisco NSF and SSO features at the core layer of your network. Doing this can help reduce the time required to restore network capacity and service for certain failures, which leads to additional availability.
For further information on SSO, see the Stateful Switchover document. Cisco NSF works with the SSO feature in Cisco IOS XE software. SSO is a prerequisite of Cisco NSF. NSF works with SSO to minimize the amount of time a network is unavailable to its users following a switchover.
About Performing ISSU ISSU Process The ISSU process allows you to perform a Cisco IOS XE software upgrade or downgrade while the system continues to forward packets. (For an illustration of the commands used during the ISSU process, refer to Figure 6-8.) Cisco IOS XE ISSU takes advantage of the Cisco IOS XE high availability...
Figure 6-4). Note In the following figure, Cisco IOS XE 3.x.y SG represents the current version and Cisco IOS XE 3.z.y SG represents the image you are migrating to. Figure 6-4 Copy New Version of Cisco IOS XE Software on Both Supervisor Engines...
Configuring the Cisco IOS XE In Service Software Upgrade Process About Performing ISSU After you have copied the Cisco IOS XE software to both file systems, load the new version of Cisco IOS XE software onto the standby supervisor engine (see Figure 6-5).
After a switchover (NSF/SSO, not RPR), the standby supervisor engine takes over as the new active supervisor engine (see Figure 6-6). Figure 6-6 Switch Over to Standby Supervisor Engine...
The former active supervisor engine is loaded with an old Cisco IOS XE image so that if the new active supervisor engine experiences problems, you can abort and conduct a switchover to the former active, which is already running the old software image.
Figure 6-8 shows the steps during the ISSU process.
Figure 6-8 Steps During the ISSU Process (figure: the active and standby supervisor engine roles through the Loadversion and Abortversion commands...)
Changeversion Process
The issu changeversion command launches a single-step complete ISSU upgrade cycle. It performs the logic for all four of the standard commands (issu loadversion, issu runversion, issu acceptversion, and issu commitversion) without user intervention, streamlining the upgrade through a single CLI step.
• In a downgrade scenario, if any feature is not available in the downgrade revision of the Cisco IOS XE software handle, that feature should be disabled prior to initiating the ISSU process.
Compatibility Matrix
ISSU requires additional information to determine compatibility between software versions. Therefore, a compatibility matrix is defined that contains information about other IOS XE software images with respect to the one in question.
It is always the newest release that contains the latest information about compatibility with existing releases in the field. The compatibility matrix is available within the Cisco IOS XE software image and on Cisco.com so that users can determine in advance whether an upgrade can be done using the ISSU process.
The ISSU process is a series of steps performed while the switch is in operation. The steps result in an upgrade to new or modified Cisco IOS XE software and have a minimal impact on traffic. For an illustration of the process flow for ISSU, refer to Figure 6-8 on page 6-11.
You can verify the ISSU software upgrade by entering show commands to provide information on the state of the during the ISSU process:...
Post-ISSU (Targeted) Image = N/A The new version of the Cisco IOS XE software must be present on both of the supervisor engines. The directory information displayed for each of the supervisor engines shows that the new version is present.
61341696 bytes total (1116224 bytes free)
Loading New Cisco IOS XE Software on the Standby Supervisor Engine
This task describes how to use ISSU to load a new version of Cisco IOS XE software to the standby supervisor engine.
Prerequisites
•...
Perform the following steps at the active supervisor engine:
Step 1 (Switch> enable): Enables privileged EXEC mode. Enter your password if prompted.
Current Image = bootflash:new_image Pre-ISSU (Original) Image = bootflash:old_image Post-ISSU (Targeted) Image = bootflash:new_image Switch# show redundancy states my state = 13 -ACTIVE...
Switching to the Standby Supervisor Engine
This task describes how to switch over to the standby supervisor engine, which is running the new Cisco IOS XE software image. Perform the following steps at the active supervisor engine.
Step 1: Enables privileged EXEC mode.
Active Location = slot 6 Current Software state = ACTIVE Uptime in current state = 9 minutes Image Version = Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.00.00.1.68 CISCO UNIVERSAL DEVELOPMENT K10 IOSD TEST VERSION Copyright (c) 1986-2010 by Cisco Systems, Inc.
This optional task describes how to stop the rollback timer. If you do not run the following procedure before the rollback timer “timeout,” the system automatically aborts the ISSU process and reverts to the original Cisco IOS XE software version. By default the rollback timer is 45 minutes.
Configured Rollback Time = 00:45:00
Loading New Cisco IOS XE Software on the New Standby Supervisor Engine
This task explains how to load a new version of Cisco IOS XE software to the new standby supervisor engine. Perform the following steps at the active supervisor engine:...
Pre-ISSU (Original) Image = N/A Post-ISSU (Targeted) Image = N/A
The ISSU process has completed. At this stage, any further Cisco IOS XE software version upgrade or downgrade will require that a new ISSU process be invoked.
Using changeversion to Automate an ISSU Upgrade
This task describes how to use the issu changeversion command to perform a one-step ISSU upgrade.
Prerequisites
• Ensure that the new version of Cisco IOS XE software image is already present in the file system of both the active and standby supervisor engines. Also ensure that appropriate boot parameters...
Active Location = slot 5 Current Software state = ACTIVE Uptime in current state = 9 minutes Image Version = Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.00.00.1.68 CISCO UNIVERSAL DEVELOPMENT K10 IOSD TEST VERSION Copyright (c) 1986-2010 by Cisco Systems, Inc.
Copyright (c) 1986-2010 by Cisco Systems, Inc. Compiled Sun 29-Aug-10 03:57 by gsbuprod Configuration register = 0x2920 Switch# issu changeversion bootflash:y.bin % 'issu changeversion' is now executing 'issu loadversion'...
Active Location = slot 6 Current Software state = ACTIVE Uptime in current state = 9 minutes Image Version = Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.00.00.1.68 CISCO UNIVERSAL DEVELOPMENT K10 IOSD TEST VERSION Copyright (c) 1986-2010 by Cisco Systems, Inc.
Active Location = slot 5 Current Software state = ACTIVE Uptime in current state = 9 minutes Image Version = Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.00.00.1.68 CISCO UNIVERSAL DEVELOPMENT K10 IOSD TEST VERSION Copyright (c) 1986-2010 by Cisco Systems, Inc.
Pre-ISSU (Original) Image = N/A Post-ISSU (Targeted) Image = N/A
Aborting a Software Upgrade During ISSU
You can abort the ISSU process at any stage manually (prior to entering the issu commitversion command) by entering the issu abortversion command.
A user may want to configure the rollback timer to more than 45 minutes in order to have enough time to verify the operation of the new Cisco IOS XE software before committing the new software image.
Step 1 (Switch> enable): Enables privileged EXEC mode. Enter your password if prompted.
Step 2: Enters global configuration mode.
Displaying ISSU Compatibility Matrix Information
The ISSU compatibility matrix contains information about other IOS XE software releases and the version in question. This compatibility matrix represents the compatibility of the two software versions, one running on the active and the other on the standby supervisor engine, and the matrix allows the system to determine the highest operating mode it can achieve.
Cisco High Availability Features in Cisco IOS XE 3.1.0SG
This section provides a list of High Availability software features that are supported in Cisco IOS XE 3.1.0SG. Links to the feature documentation are included. Feature guides may contain information about more than one feature. To find information about a specific feature within a feature guide, see the Feature Information table at the end of the guide.
that guide are supported in your software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.
Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location: http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html If the command is not found in the Catalyst 4500 Series Switch Command Reference, it will be found in the larger Cisco IOS library. Refer to the Cisco IOS Command Reference and related publications at this...
1. When you are facing the front of the switch, the interfaces are numbered from left to right. You can identify interfaces by physically checking the slot/interface location on the switch. You can also use the Cisco IOS show commands to display information about a specific interface or all the interfaces. Using the interface Command...
Hardware is Ethernet SVI, address is 0004.dd46.7aff (bia 0004.dd46.7aff) MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set ARP type: ARPA, ARP Timeout 04:00:00 Last input never, output never, output hang never Last clearing of "show interface"...
0 lost carrier, 0 no carrier 0 output buffer failures, 0 output buffers swapped out --More-- <...output truncated...> Step 4 To begin configuring Fast Ethernet interface 5/5, as shown in the following example, enter the interface keyword, interface type, slot number, and interface number in global configuration mode: Switch# configure terminal Enter configuration commands, one per line.
Note The interface range command works only with VLAN interfaces that have been configured with the interface vlan command (the show running-configuration command displays the configured VLAN interfaces). VLAN interfaces that are not displayed by the show running-configuration command cannot be used with the interface range command.
PC. Use the Ethernet management port instead of the switch console port for network management. When managing a switch, connect the PC to the Ethernet management port on a Catalyst 4500 series switch. (Figure 7-1).
For details on configuring SSO and ISSU, refer to Chapter 9, “Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 6-E and Supervisor Engine 6L-E” and Chapter 5, “Configuring the Cisco IOS In-Service Software Upgrade Process”.
Fa1 Interface and mgmtVrf
Caution The Ethernet management port is intended for out-of-band access only.
• Telnet, page 7-8
• TFTP, page 7-8
• FTP, page 7-9
• SSH, page 7-9
Note Command usage specific to the mgmtVrf is mentioned below. The additional configuration that is necessary to make the feature work needs to be configured.
In SSO mode, the running configurations on the active and standby supervisor engines must match. You cannot enable the management port on a redundant chassis if one of the two supervisor engines is running a Cisco IOS image prior to Cisco IOS Release 12.2(50)SG (wherein a management port is not supported).
– Speed—10 Mb/s, 100 Mb/s, 1000 Mb/s, and autonegotiation
– Duplex mode—Full, half, and autonegotiation
– Loopback detection
• Cisco Discovery Protocol (CDP) (only on WS-C4900M and WS-C4948)
• IPv4 access control lists (ACLs)
• Routing protocols (only on WS-C4900M and WS-C4948)
Caution: Before enabling a feature on the Ethernet management port, ensure that the feature is supported.
To define an interface-range macro, enter this command:
Command: Switch(config)# define interface-range macro_name {vlan vlan_ID - vlan_ID} | {{fastethernet |
Purpose: Defines the interface-range macro and saves it in the running configuration file.
This example shows how to define an interface-range macro named enet_list to select Fast Ethernet
Deploying 10-Gigabit Ethernet and Gigabit Ethernet SFP Ports on Supervisor Engine V-10GE
To use an SFP+ in an X2 port to obtain 10-Gigabit Ethernet bandwidth, the Catalyst 4500 series switch supports OneX Convertor modules. When you plug a OneX Convertor module into an X2 port, it converts the X2 port into an SFP+ port into which you can plug in an SFP+.
Deploying 10-Gigabit Ethernet or Gigabit Ethernet Ports
To increase the flexibility of X2 ports, the Catalyst 4500 series switch as well as Catalyst 4900M and Catalyst 4948E support TwinGig Convertor modules. When you plug a TwinGig Convertor module into an X2 hole, it converts a single X2 hole (capable of holding one pluggable X2 optic) into two SFP holes (capable of holding two pluggable SFP optics).
Limitations on Using a TwinGig Convertor
Supervisor Engine 6-E, Supervisor Engine 6L-E, and Catalyst 4900M connect ports to the switching engine through a stub ASIC. This stub ASIC imposes some limitations on the ports: Gigabit and 10-Gigabit ports cannot be mixed on a single stub ASIC;...
This feature enables you to use all four 10-Gigabit Ethernet ports on the supervisor engines as blocking ports when in redundant mode. Prior to Cisco IOS Release 12.2(40)SG, Catalyst 4500 Supervisor Engine V-10GE allowed you to enable either the dual wire-speed 10-Gigabit Ethernet ports or four TwinGig convertor based Gigabit Ethernet SFP uplink ports when operating in redundant mode.
Limitation and Restrictions on Supervisor Engine 7-E and Supervisor Engine 7L-E
Beginning with Cisco IOS Release 12.2(40)SG, you could deploy all four 10-Gigabit Ethernet ports, two blocking ports on an active supervisor engine and two blocking ports on the standby supervisor engine, or all eight Gigabit Ethernet SFP ports, four on the active supervisor and four on the standby supervisor engine.
TenGigabit mode, preventing you from selecting gigabitethernet mode.
Selecting the Uplink Port on a Supervisor Engine 7L-E
With Cisco IOS Release 15.0(2)SG, the SFP+/SFP uplink modes on Supervisor Engine 7L-E (WS-X45-SUP-7L-E) have changed. The number of uplink ports now depends on the supervisor engine mode (single or redundant) and the uplink mode configuration (1-Gigabit or 10-Gigabit).
The frequency at which the sensor information is refreshed depends on default values configured in the transceiver SEEPROM (Serial Electrically Erasable Programmable Read Only Memory).
Note: For details on transceiver module compatibility, refer to this URL: http://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG 7-18 OL-25340-01...
Setting the Interface Speed
If you set the interface speed to auto on a 10/100-Mbps Ethernet interface, speed and duplex are autonegotiated. The forced 10/100 autonegotiation feature allows you to limit interface speed autonegotiation up to 100 Mbps on a 10/100/1000BASE-T port.
Setting the Interface Duplex Mode
Note: When the interface is set to 1000 Mbps, you cannot change the duplex mode from full duplex to half duplex.
To set the duplex mode of a Fast Ethernet interface, perform this task:
Command / Purpose
Step 1...
Adding a Description for an Interface
You can add a description about an interface to help you remember its function. The description appears in the output of the following commands:
• show configuration
• show running-config
• show interfaces
Page 307
This example shows how to configure flow control on an oversubscribed Gigabit Ethernet port 7/5:
Switch# configure terminal
Switch(config)# interface g7/5
Switch(config-if)# flowcontrol send on
Switch(config-if)# end
Switch# show interfaces gigabitEthernet 7/5 capabilities
GigabitEthernet7/5
Model: WS-X4548-GB-RJ45-RJ-45...
Maximum Transmission Units
The Catalyst 4500 series switch allows you to configure a maximum of 32 different maximum transmission unit (MTU) sizes system wide. This means that the maximum number of different MTU sizes that you can configure with the system mtu, mtu, ip mtu, and ipv6 mtu commands on all Layer 2 and Layer 3 interfaces combined is 32.
Page 310
Note: Jumbo frame support does not fragment Layer 2 switched packets.
The Catalyst 4500 series switch does not compare the packet size with the MTU at the egress port, but jumbo frames are dropped in ports that do not support them. The frames can be transmitted in ports that do support jumbo frames, even though the MTU is not configured to jumbo size.
The MTU of a packet is not checked on the ingress side for an SVI; it is checked on the egress side of an SVI. If the MTU of a packet is larger than the MTU of the egress SVI, the packet is sent to the CPU for fragmentation processing.
Interacting with Baby Giants
The baby giants feature, introduced in Cisco IOS Release 12.1(12c)EW, uses the global command system mtu size to set the global baby giant MTU. This feature also allows certain interfaces to support an Ethernet payload size of up to 1552 bytes.
Switch(config)# interface tenGigabitEthernet 2/1
Switch(config-if)# link debounce
Warning: Enabling debounce feature causes link down detection to be delayed
Switch(config-if)# exit
This example shows how to enable the port debounce timer of 5000 ms on 10-Gigabit Ethernet port 2/2 and to verify the setting:
Switch# config terminal
Enter configuration commands, one per line.
Table 7-3 Link Conditions and auto-MDIX Settings
Local Side auto-MDIX   Remote Side auto-MDIX   With Correct Cabling   With Incorrect Cabling
On                     On                      Link up                Link up
On                     Off                     Link up                Link up
Off                    On                      Link up                Link up
Off                    Off                     Link up                Link down
To configure auto-MDIX on a port, perform this task:
Command...
Switch#
Understanding Online Insertion and Removal
The online insertion and removal (OIR) feature supported on the Catalyst 4500 series switch allows you to remove and replace modules while the system is online. You can shut down the module before removal and restart it after insertion without causing other software or interfaces to shut down.
For the number keyword, the only applicable value for WS-C4500 is 2. With Cisco IOS XE Release 3.3.0SG and IOS 15.1(1)SG, the start and stop commands are only enabled on the uplink module of WS-4500X-32.
Switch#
*Feb 5 16:34:37.325: %C4K_IOSMODPORTMAN-6-MODULEOFFLINE: Module 2 is offline
Switch# show module
Chassis Type : WS-C4500X-32
Power consumed by backplane : 0 Watts
Mod Ports Card Type                              Model              Serial No.
---+-----+--------------------------------------+------------------+-----------
          4500X-32 10GE (SFP+)                   WS-C4900X-32P-10G...
• Resetting the Interface to the Default Configuration, page 7-38
Monitoring Interface and Controller Status
The Cisco IOS software for the Catalyst 4500 series switch contains commands that you can enter at the EXEC prompt to display information about the interface, including the version of the software and the hardware, the controller status, and statistics about the interfaces.
To display information about the interface, enter one of the following commands:
Command: Switch# show interfaces [type slot/interface]  Purpose: Displays the status and configuration of all interfaces or of a specific interface.
Displays the configuration currently running in RAM.
“administratively down.”
Configuring Interface Link Status and Trunk Status Events
You can configure interface link status and trunk status events. On the Catalyst 4500 series switch, the following interface logging event notifications are supported both globally and per interface:
•...
Configuring Link Status Event Notification for an Interface
To enable or disable a link status logging event, enter one of the following commands:
Command: Switch(config-if)# logging event link-status  Purpose: Enables interface link status logging.
Disables interface link status logging.
The following example displays the configuration and logging message output for link status and trunk status logging events:
// The global link status and trunk status logging events are enabled.
Switch# show running | include logging
show running | include logging
logging event link-status global
logging event trunk-status global...
Page 323
This command clears all the configurations and shuts down the interface:
Switch# show run interface fastethernet 3/5
Building configuration...
Current configuration : 58 bytes
interface FastEthernet3/5
 no ip address
 shutdown
Page 325
Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location: http://www.cisco.com/en/US/products//hw/switches/ps4324/index.html If the command is not found in the Catalyst 4500 Series Switch Command Reference, it will be found in the larger Cisco IOS library. Refer to the Cisco IOS Command Reference and related publications at this location: http://www.cisco.com/en/US/products/ps6350/index.html...
Checking Module Status
The Catalyst 4500 series switch is a multimodule system. You can see which modules are installed, as well as the MAC address ranges and version numbers for each module, by entering the show module command.
“Checking Module Status” section on page 8-2.
This example shows how to display the status of all interfaces on a Catalyst 4500 series switch, including transceivers. Output of this command displays “Unapproved GBIC” for non-Cisco transceivers:
Switch# show interfaces status...
With TDR, you can check the status of copper cables on the 48-port 10/100/1000 BASE-T modules for the Catalyst 4500 series switch. TDR detects a cable fault by sending a signal through the cable and reading the signal that is reflected back. All or part of the signal can be reflected back either by cable defects or by the end of the cable.
Chapter 8 Checking Port Status and Connectivity
Note: Four pairs of standard category 5 cable exist. Each pair can assume one of the following states: open (not connected), broken, shorted, or terminated. The TDR test detects all four states and displays the first three as “Fault”...
Switch# show cable-diagnostics tdr interface gi4/13
Interface  Speed  Local pair  Cable length  Remote channel  Status
Gi4/13     0Mbps              102 +-2m      Unknown         Fault
                              100 +-2m      Unknown         Fault
                              102 +-2m      Unknown         Fault
                              102 +-2m      Unknown         Fault
After this command is deprecated, use the diagnostic start and the show diagnostic result commands to...
Note: To establish a Telnet connection to a host by using the hostname, configure and enable DNS.
To establish a Telnet connection to another device on the network from the switch, enter this command:
Command / Purpose: Opens a Telnet session to a remote host.
Interface  User  Mode  Idle  Peer Address
Switch# show users all
  Line    User  Host(s)  Idle      Location
  0 con 0       idle     00:00:00
  1 vty 0                00:00:00
  2 vty 1                00:00:00
  3 vty 2                00:00:00
  4 vty 3                00:00:00...
• Destination unreachable—If the default gateway cannot reach the specified network, a Destination Unreachable message is returned.
• Network or host unreachable—If there is no entry in the route table for the host or network, a Network or Host Unreachable message is returned.
If you want the switch to trace the path from a host on a source device to a host on a destination device, the switch can identify only the path from the source device to the destination device. It cannot identify the path that a packet takes from source host to the source device or from the destination device to the destination host.
• This feature is not supported in Token Ring VLANs.
Running Layer 2 Traceroute
To display the physical path that a packet takes from a source device to a destination device, enter either one of these commands:
Command / Purpose...
Data routes are sometimes less than optimal. For example, it is possible for the router to be forced to resend a packet through the same interface on which it was received. If this occurs, the Cisco IOS software sends an ICMP Redirect message to the originator of the packet telling the originator that the router is on a subnet directly connected to the receiving device, and that it must forward the packet to another system on the same subnet.
URL: http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_hsrp_ps6350_TSD_Products_Configuration_Guide_Chapter.html
To enable the sending of ICMP Redirect messages if the Cisco IOS software is forced to resend a packet through the same interface on which it was received, enter the following command in interface configuration mode:...
• A user reloads the active supervisor engine.
RPR Operation
RPR is supported in Cisco IOS Release 12.2(12c)EW and later releases. When a redundant supervisor engine runs in RPR mode, it starts up in a partially-initialized state and is synchronized with the persistent configuration of the active supervisor engine.
SSO Operation
SSO is supported in Cisco IOS Release 12.2(20)EWA and later releases. When a redundant supervisor engine runs in SSO mode, the redundant supervisor engine starts up in a fully-initialized state and synchronizes with the persistent configuration and the running configuration of the active supervisor engine.
The following features are learned on the redundant supervisor engine if the SSO feature is enabled:
• All Layer 3 protocols on Catalyst 4500 series switches (Switch Virtual Interfaces)
About Supervisor Engine Redundancy Synchronization
During normal operation, the persistent configuration (RPR and SSO) and the running configuration (SSO only) are synchronized by default between the two supervisor engines.
Chapter 9 Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 6-E and Supervisor Engine 6L-E
RPR Supervisor Engine Configuration Synchronization
Because the redundant supervisor engine is only partially initialized in RPR mode, it interacts with the active supervisor engine only to receive configuration changes at startup and upon saving the configuration changes.
Page 344
• RPR requires Cisco IOS Release 12.1(12c)EW, Release 12.1(19)E or later releases. SSO requires Cisco IOS Release 12.2(20)EWA or later releases.
• The Catalyst 4507R switch and the 4510R switch are the only Catalyst 4500 series switches that support supervisor engine redundancy.
•...
• The Cisco Express Forwarding (CEF) table is cleared on a switchover. As a result, routed traffic is interrupted until route tables reconverge. This reconvergence time is minimal because the SSO feature reduces the supervisor engine redundancy switchover time from 30+ seconds to subsecond, so Layer 3 also has a faster failover time if the switch is configured for SSO.
When configuring redundancy, note the following:
• The sso keyword is supported in Cisco IOS Release 12.2(20)EWA and later releases.
• The rpr keyword is supported in Cisco IOS Release 12.1(12c)EW and later releases.
Page 347
Current Software state = STANDBY HOT
Uptime in current state = 2 days, 2 hours, 39 minutes
Image Version = Cisco Internetwork Operating System Software
IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-I5S-M), Version 12.2(20)EWA(3.92), CISCO INTERNAL USE ONLY ENHANCED PRODUCTION VERSION
Copyright (c) 1986-2004 by cisco Systems, Inc.
Virtual Console for Standby Supervisor Engine
Catalyst 4500 series switches can be configured with two supervisor engines to provide redundancy. When the switch is powered, one of the supervisor engines becomes active and remains active until a switchover occurs.
• The virtual console is noninteractive. Because the virtual console does not detect the interactive nature of a command, any command that requires user interaction causes the virtual console to wait until the RPC timer aborts the command.
Note: To manually synchronize individual elements of the standard auto-sync configuration, disable the default automatic synchronization feature.
Note: When you configure the auto-sync standard, the individual sync options such as no auto-sync startup-config are ignored.
Cisco IOS Release 12.1(x)E, and a standby supervisor engine running Cisco IOS Release 12.2(x)S. The standby supervisor engine resets repeatedly. If you are trying to upgrade redundant supervisor engines from Cisco IOS Release 12.1(x)E to 12.2(x)S, this requires a full system reboot.
Switch# copy running-config start-config
Step 9 Command: Switch# redundancy reload peer  Purpose: Reloads the redundant supervisor engine and brings it back online (using the new release of the Cisco IOS software).
Note: Before proceeding to Step 10, ensure that the switch is operating in RPR mode.
Page 353
Manipulating Bootflash on the Redundant Supervisor Engine
To manipulate the redundant supervisor engine bootflash, perform one or more of the following commands:
Command: Switch# dir slaveslot0:target_filename  Purpose: Lists the contents of the slot0: device on the redundant supervisor engine.
Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location: http://www.cisco.com/en/US/products//hw/switches/ps4324/index.html If the command is not found in the Catalyst 4500 Series Switch Command Reference, it will be found in the larger Cisco IOS library. Refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference
Chapter 10 Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 7-E and Supervisor Engine 7L-E
and related publications at this location: http://www.cisco.com/en/US/products/ps6350/index.html
About Supervisor Engine Redundancy
These sections describe supervisor engine redundancy:
• Overview, page 10-2
•...
RPR Operation
RPR is supported in Cisco IOS-XE Release 3.1.0SG and later releases. When a standby supervisor engine runs in RPR mode, it starts up in a partially-initialized state and is synchronized with the persistent configuration of the active supervisor engine.
Page 358
• NetFlow
The following features are learned on the standby supervisor engine if the SSO feature is enabled:
• All Layer 3 protocols on Catalyst 4500 series switches (Switch Virtual Interfaces)
About Supervisor Engine Redundancy Synchronization
During normal operation, the persistent configuration (RPR and SSO) and the running configuration (SSO only) are synchronized by default between the two supervisor engines. In a switchover, the new active supervisor engine uses the current configuration.
Page 360
• The Cisco Express Forwarding (CEF) table is cleared on a switchover. As a result, routed traffic is interrupted until route tables reconverge. This reconvergence time is minimal because the SSO feature reduces the supervisor engine redundancy switchover time from 30+ seconds to subsecond, so Layer 3 also has a faster failover time if the switch is configured for SSO.
• If configuration changes on a redundant switch are made through SNMP set operations, the changes are not synchronized to the standby supervisor engine even in SSO mode. You might experience unexpected behavior.
Page 362
Active Location = slot 3
Current Software state = ACTIVE
Uptime in current state = 9 minutes
Image Version = Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 15.0(100)XO(1.42), INTERIM SOFTWARE
Copyright (c) 1986-2010 by Cisco Systems, Inc.
1 13:11:16: %C4K_REDUNDANCY-3-SIMPLEX_MODE: The peer Supervisor has been lost
Virtual Console for Standby Supervisor Engine
Catalyst 4500 series switches can be configured with 2 supervisor engines to provide redundancy. When the switch is powered, one of the supervisor engines becomes active and remains active until a switchover occurs.
To log in to the standby supervisor engine using a virtual console, do the following:
Switch# session module 4
Connecting to standby virtual console
Type "exit"...
Page 365
Step 4 Command: Switch(config-r-mc)# end  Purpose: Returns to privileged EXEC mode.
Step 5 Command: Switch# copy running-config startup-config  Purpose: Synchronizes the running configuration in dynamic random-access memory (DRAM) to the startup configuration file in NVRAM.
ISSU to upgrade software for both RPR and SSO redundant mode. The software upgrade procedure supported by supervisor engine redundancy allows you to reload the Cisco IOS software image on the redundant supervisor engine, and once complete, reload the active supervisor engine once.
Page 367
Switch# copy running-config start-config
Step 9 Command: Switch# redundancy reload peer  Purpose: Reloads the standby supervisor engine and brings it back online (using the new release of the Cisco IOS-XE software).
Step 10 Command: Switch# redundancy force-switchover  Purpose: Conducts a manual switchover to the standby supervisor engine.
This example illustrates how to verify that the running configuration on the active supervisor engine has successfully synchronized with the redundant supervisor engine:
Switch# config terminal
Switch(config)# redundancy
Switch(config-red)# main-cpu...
Note: NSF does not support IPv6.
NSF-capable devices include Catalyst 4500 series switches, Catalyst 6500 series switches, Cisco 7500 series routers, Cisco 10000 series routers, and Cisco 12000 series routers. A typical topology for NSF and NSF-aware routers is shown below.
NSF with SSO Supervisor Engine Redundancy Overview
Catalyst 4500 series switches support fault resistance by allowing a redundant supervisor engine to take over if the primary supervisor engine fails. NSF works with SSO to minimize the amount of time a network is unavailable to its users following a switchover.
In networking devices running SSO, both supervisor engines must be running the same Cisco IOS software version and ROMMON version so that the redundant supervisor engine is always ready to assume control following a fault on the active supervisor engine.
Cisco Express Forwarding
A key element of NSF is packet forwarding. In a Cisco networking device, packet forwarding is provided by Cisco Express Forwarding (CEF). CEF maintains the FIB and uses the FIB information that was current at the time of the switchover to continue forwarding packets during a switchover.
Chapter 11 Configuring Cisco NSF with SSO Supervisor Engine Redundancy
If the BGP session is lost during the supervisor engine switchover, the NSF-aware BGP peer marks all the routes associated with the NSF-capable router as stale; however, it continues to use these routes to make forwarding decisions for a set period of time.
If the neighbor routers on a network segment are not NSF-aware, you must use the Cisco configuration option. The Cisco IS-IS configuration transfers both protocol adjacency and link-state information from the active to the redundant supervisor engine. An advantage of Cisco configuration is that it does not rely on NSF-aware neighbors.
Note: Following a switchover, Cisco IS-IS NSF has complete neighbor adjacency and LSP information; however, it must wait for all interfaces to come on line that had adjacencies prior to the switchover. If an interface does not come on line within the allocated interface wait time, the routes learned from these neighbor devices are not considered in routing table recalculation.
When the restarting router has received all EOT indications from its neighbors or when the NSF converge timer expires, EIGRP notifies the RIB of convergence. EIGRP waits for the RIB convergence signal and then floods its topology table to all awaiting NSF-aware peers.
Command: Switch# show redundancy states  Purpose: Displays the operating redundancy mode.
Note: The sso keyword is supported in Cisco IOS Release 12.2(20)EWA and later releases.
This example shows how to configure the system for SSO and display the redundancy state:
Switch> enable
Switch# configure terminal
Enter configuration commands, one per line.
Verifying CEF NSF
To verify that CEF is NSF-capable, enter the show cef state command:
Switch# show cef state
CEF Status [RP]
CEF enabled/running...
Step 1 Verify that “bgp graceful-restart” appears in the BGP configuration of the SSO-enabled switch by entering the show running-config command:
Switch# show running-config...
<...Output Truncated...>
Step 2 If the NSF configuration is set to cisco, enter the show isis nsf command to verify that NSF is enabled on the device. Using the Cisco configuration, the display output differs on the active and redundant RPs.
Page 385
Checkpointing enabled, no errors
Local state:ACTIVE, Peer state:STANDBY HOT, Mode:SSO
The following display shows sample output for the Cisco configuration on the standby RP. In this example, note the presence of “NSF restart enabled”:
Switch# show isis nsf
NSF enabled, mode 'cisco'...
Distance: internal 90 external 170
Cisco High Availability Features in Cisco IOS XE 3.1.0SG
This section provides a list of High Availability software features that are supported in Cisco IOS XE 3.1.0SG. Links to the feature documentation are included. Feature guides may contain information about more than one feature. To find information about a specific feature within a feature guide, see the Feature Information table at the end of the guide.
Page 388
SSO - Multilink PPP (MLP)
http://www.cisco.com/en/US/docs/ios-xml/ios/ha/configuration/xe-3s/ha-config-stateful-switchover.ht
SSO - PPP
http://www.cisco.com/en/US/docs/ios-xml/ios/ha/configuration/xe-3s/ha-config-stateful-switchover.ht
Chapter 12 Environmental Monitoring and Power Management
About Environmental Monitoring
• System Alarms, page 12-5
Environmental monitoring of chassis components provides early warning indications of possible component failure. This warning helps you to ensure the safe and reliable operation of your system and avoid network interruptions.
Chassis Type : WS-C4510R-E
Power consumed by backplane : 40 Watts
Switch Bandwidth Utilization : 0%
Supervisor Led Color : Green
Module 2 Status Led Color : Green
Module 5 Status Led Color : Green
Module 6 Status Led Color...
The following example illustrates how to display the environment condition on WS-C4500X-32 with a Supervisor Engine 7-E. The thresholds appear within parentheses.
Switch> show environment
no temperature alarms
Module Sensor Temperature Status
------+--------------------------+--------------------+------------...
...supplies to protect itself from overheating. When this happens, you can recover the switch only by cycling the power on and off switches on the power supplies or by cycling the AC or DC inputs to the power supplies.
The timer values and the emergency actions depend on the type of supervisor engine.
Note Refer to the Catalyst 4500 Series Switch Module Installation Guide for information on LEDs, including the startup behavior of the supervisor engine system LED.
You can select from several different power supplies to ensure that you have enough power for the modules installed in your switch.
Note You should select a power supply based on the modules and the amount of PoE desired using the Cisco Power Calculator: http://tools.cisco.com/cpc/...
– on the number of inputs powered and input voltage. All Catalyst 4500 series switch AC-input power supplies require single-phase source AC.
Note The source AC can be out of phase between multiple power supplies or multiple AC-power plugs on the same power supply because all AC power supply inputs are isolated.
• 1000 W can support a fully loaded Catalyst 4503 switch with no powered device support.
• 1300 W can support a fully loaded Catalyst 4503 switch with Cisco powered devices.
• Each PoE port on a WS-X4148-RJ45V module requires 6.3 W. Five fully loaded WS-X4148-RJ45V modules in a switch comprise 240 ports.
Power Management
If the power requirements for the installed modules exceed the power provided by the power supplies, the switch displays this error message:
Insufficient power available for the current chassis configuration.
This error message also appears in the show power command output. If you attempt to insert additional modules into your switch and exceed the power supply, the switch immediately places the newly inserted module into reset mode, and the switch displays these error messages:...
When all slots are required, only one WS-X4448-GB-RJ45 line card can be used.
Configuring Redundant Mode on a Catalyst 4500 Series Switch
By default, the power supplies in a Catalyst 4500 series switch are set to operate in redundant mode. To effectively use redundant mode, follow these guidelines:
• Use two power supplies of the same type.
The maximum available power for chassis and PoE for each power supply are listed in Table 12-5 on page 12-14. To configure redundant mode on your Catalyst 4500 series switch, perform this task:
Command Purpose
Step 1 Switch# configure terminal Enters configuration mode.
Available Power for Catalyst 4500 Series Switches Power Supplies
Table 12-5 lists the power available for use in the various Catalyst 4500 series switches power supplies. When your switch is configured to combined mode, the total available power is not the mathematical sum of the individual power supplies.
Table 12-5 Available Power for Switch Power Supplies
Power Supply | Redundant Mode (W) | Combined Mode (W) | Sharing Ratio
1000 W AC | Chassis = 1050, PoE = 0 | Chassis = 1667, PoE = 0 |
1300 W AC | Chassis (max) = 1050 ... Chassis (min) = 767...
Power supplies needed by system
Power supplies currently available : 2
Power Summary (in Watts) Maximum Used Available
---------------------- ---- ---------
System Power (12V) 1360
Inline Power (-50V) 1850
Backplane Power (3.3V)
---------------------- ---- ---------...
Table 12-7 Combined Mode Output for the 4200 W AC Power Supply
Power Supply | 12 V | 3.3 V | -50 V | Maximum
220 V+220 V, other side 220 V 2200 4700 5500
Both sides at 220 V+220 V 2200 6200...
Command Purpose
Step 1 Switch# configure terminal Enters configuration mode.
Step 2 Switch(config)# power redundancy combined max inputs {2 | 3} Limits the power usage to two or three inputs.
Note The maximum inputs part of the command is ignored by all power supplies other than the 4200 W AC or...
PS1-2 110V good
PWR-C45-4200ACV AC 4200W good good good
PS2-1 110V good
PS2-2 110V good
Power supplies needed by system : 2 Maximum Inputs = 3
Power supplies currently available : 2
Power Summary Maximum (in Watts)
Unlike the 1400 W DC power supply, the 1400 W DC SP power supply has submodules (multiple inputs) that can be powered on or off. With Cisco IOS Release 12.2(25)EW, the output of the show power command is modified to display the status of these submodules:...
• 300 W DC
These power supplies are incompatible with Catalyst 4500 series switches. Because Power over Ethernet (PoE) is not supported on the Catalyst 4948 switch, only a limited wattage is needed. (For information on PoE, see Chapter 13, “Configuring Power over...
PHY's operating circuitry and save power. This functionality is provided per port and is not enabled by default. To avoid issues with EEE functionality on any port during run-time, Cisco provides the power efficient-ethernet auto command to enable or disable EEE.
IEEE 802.3az Energy Efficient Ethernet
Switch(config)# interface gigabitethernet 1/1
Switch(config-if)# power efficient-ethernet auto
Switch(config-if)# exit
Determining EEE Status
To determine EEE status, use the show platform software interface interface status command. The following example determines EEE status:
Switch(config)# show platform software interface g2/1 status
Switch Phyport Gi2/1 Software Status EEE: Disabled...
Ethernet port. Catalyst 4500 series switches can sense if a powered device is connected to a PoE module. They can supply PoE to the powered device if there is no power on the circuit. (If there is power on the circuit, the switch does not supply it.) The powered device can also be connected to an AC power source and supply...
Chapter 13 Configuring Power over Ethernet
Power Management Modes
The Catalyst 4500 series switch has three PoE modes:
• auto—PoE interface. The supervisor engine directs the switching module to power up the interface only if the switching module discovers the phone and the switch has enough power. You can specify the maximum wattage that is allowed on the interface.
When a powered device (PD) is attached to a PoE-capable port, the port detects the PD and provisions power accordingly. If a Cisco PD is used, the switch and PD negotiate power using CDP packets to determine the precise amount of power needed by the PD. If the PD is 802.3af compatible, the difference between what is mandated by the 802.3af class and what is actually needed by the PD is...
(7 W on a legacy PoE module and 15.4 W on the IEEE PoE modules introduced in Cisco IOS Release 12.2(18)EW). When the switch receives a CDP packet from the powered device, the wattage automatically adjusts downward to the specific amount required by that device.
Displaying the Operational Status for an Interface
Interface  AdminPowerMax  AdminConsumption
           (Watts)        (Watts)
---------- --------------- --------------------
Gi7/1      15.4            15.4
Switch# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# int gi 7/1
Switch(config-if)# power inline consumption 5000
Switch(config-if)# exit
Switch(config)# exit...
Switch# Displaying all PoE Detection and Removal Events Starting with Cisco IOS Release 15.0(2)SG2/XE 3.2.2SG, a Catalyst 4500 series switch can display all PoE detection and removal events. To enable PoE event logging, you use the power inline logging global command: Switch# conf terminal Enter configuration commands, one per line.
*Oct 17 12:02:54.915: %ILPOWER-7-DETECT: Interface Gi5/5: Power Device detected: IEEE PD Displaying the PoE Consumed by a Module A Catalyst 4500 series switch can measure the actual PoE consumption for an 802.3af-compliant PoE module. You can observe this consumption by using show power module and show power detail commands.
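The detection and removal events that power inline logging emits are a cheap physical-layer inventory signal: a port whose powered device disappears and comes back as a different class of device is worth a look. The following Python parser is an added example, not code from the guide or from Cisco. The %ILPOWER-7-DETECT line format is the one shown above; the removal mnemonic (%ILPOWER-5-IEEE_DISCONNECT) and all sample lines are constructed assumptions, so adjust the regular expression to whatever your switch actually logs.

```python
import re

# Constructed sample syslog lines. The DETECT format follows the guide; the
# IEEE_DISCONNECT mnemonic and message text are assumptions, not from the guide.
SAMPLE_LOG = """\
*Oct 17 12:02:54.915: %ILPOWER-7-DETECT: Interface Gi5/5: Power Device detected: IEEE PD
*Oct 17 12:03:10.101: %ILPOWER-7-DETECT: Interface Gi5/6: Power Device detected: Cisco PD
*Oct 17 13:41:02.220: %ILPOWER-5-IEEE_DISCONNECT: Interface Gi5/5: PD removed
*Oct 17 13:41:30.004: %ILPOWER-7-DETECT: Interface Gi5/5: Power Device detected: Cisco PD
"""

# Timestamp, ILPOWER mnemonic, interface name and the rest of the message.
EVENT_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?): "
    r"%ILPOWER-\d-(?P<mnemonic>[A-Z_]+): Interface (?P<intf>\S+): (?P<msg>.*)$"
)
DETECT_RE = re.compile(r"Power Device detected: (?P<kind>.+)$")


def parse_events(text):
    """Return ILPOWER events in log order; non-ILPOWER lines are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        kind = None
        if m["mnemonic"] == "DETECT":
            d = DETECT_RE.search(m["msg"])
            kind = d["kind"].strip() if d else "unknown"
        events.append({"ts": m["ts"], "intf": m["intf"],
                       "mnemonic": m["mnemonic"], "kind": kind})
    return events


def swapped_devices(events):
    """Interfaces where a removal was followed by detection of a different
    device kind: (interface, old kind, new kind, timestamp of the new detect)."""
    last_kind, removed, swaps = {}, set(), []
    for ev in events:
        intf = ev["intf"]
        if ev["mnemonic"] == "DETECT":
            old = last_kind.get(intf)
            if intf in removed and old not in (None, ev["kind"]):
                swaps.append((intf, old, ev["kind"], ev["ts"]))
            removed.discard(intf)
            last_kind[intf] = ev["kind"]
        else:
            # Any non-DETECT ILPOWER event for the port is treated as a removal.
            removed.add(intf)
    return swaps


if __name__ == "__main__":
    for swap in swapped_devices(parse_events(SAMPLE_LOG)):
        print("%s: %s replaced by %s at %s" % swap)
```

Feed it `show logging` output or a syslog collector export; the interesting result is the swap list, not the raw event count.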
Note The operating PoE consumption for an 802.3af-compliant module can be non-zero, even when no powered devices are attached to the module, because of the PoE consumed by FPGAs and other hardware components on the module.
Gi1/8     auto   10.3       10.3       CNU Platform
Gi1/9     auto   10.3       10.3       CNU Platform
Gi1/10    auto   15.4       15.4       Cisco/Ieee PD
Gi1/11    auto   10.3       10.3       CNU Platform
Gi1/12    auto   10.3       10.3       CNU Platform
--------- ------ ---------- ---------- ---------- ------------------- -----
Totals:          128.2      128.2
switch#
switch# show power inline module 2
Chassis Inline Power Supply: Available:800(w) Used:138(w) Remaining:662(w)
Interface Admin  Oper       Power(Watts)          Device              Class
                            From PS    To Device
--------- ------ ---------- ---------- ---------- ------------------- -----
Gi2/1     auto   11.5...
Gi2/45    auto
Gi2/46    auto
Gi2/47    auto
Gi2/48    auto
--------- ------ ---------- ---------- ---------- ------------------- -----
Totals:          138.2      123.0
Switch#
PoE Policing and Monitoring
Note This functionality is supported on the WS-X4548-RJ45V+, WS-X4648-RJ45V-E, and WS-X4648-RJ45V+E line cards.
• Configured consumption values, in case any exist
• CDP allocated values (for Cisco devices using CDP)
• Allocated power from IEEE discovery (for devices using this mechanism)
To activate default PoE policing, enter the following:
Switch# conf t
Enter configuration commands, one per line.
Interface Admin  Oper       Admin      Oper       Cutoff Oper
          State  State      Police     Police     Power  Power
--------- ------ ---------- ---------- ---------- ------ -----
Gi2/1     auto   errdisable errdisable overdrawn
Displaying Power Policing on an Interface
You can display power policing on an interface, on a module, or for all the PoE-capable line cards in a chassis.
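Policing output is most useful when something watches it: a port that is overdrawn but only logging, or one that has been error-disabled, should reach an operator. The following Python parser for the policing table is an added example, not code from the guide or from Cisco. The column layout follows the table above; the values errdisable and overdrawn are the guide's, while on, off, ok, log, none and n/a, and the whole sample table, are constructed assumptions.

```python
import re

# Constructed "show power inline police" output using the column headings the
# guide shows. Only "errdisable" and "overdrawn" are values from the guide.
SAMPLE_POLICE = """\
Available:800(w)  Used:138(w)  Remaining:662(w)

Interface Admin  Oper       Admin      Oper       Cutoff Oper
          State  State      Police     Police     Power  Power
--------- ------ ---------- ---------- ---------- ------ -----
Gi2/1     auto   errdisable errdisable overdrawn  7.0    10.3
Gi2/2     auto   on         errdisable ok         16.0   10.3
Gi2/3     auto   on         log        overdrawn  7.0    9.5
Gi2/4     auto   off        none       n/a        n/a    0.0
"""

BUDGET_RE = re.compile(r"Available:(\d+)\(w\)\s+Used:(\d+)\(w\)\s+Remaining:(\d+)\(w\)")
# One data row: interface, admin state, oper state, admin police, oper police,
# cutoff power, oper power. Header and separator lines never match.
ROW_RE = re.compile(
    r"^(?P<intf>(?:Gi|Fa|Te)\S+)\s+(?P<admin>\S+)\s+(?P<oper>\S+)\s+"
    r"(?P<admin_police>\S+)\s+(?P<oper_police>\S+)\s+(?P<cutoff>\S+)\s+(?P<power>\S+)\s*$"
)


def _watts(token):
    """Numeric watt columns; non-numeric tokens such as n/a become None."""
    try:
        return float(token)
    except ValueError:
        return None


def parse_budget(text):
    """(available, used, remaining) in watts from the chassis summary line."""
    m = BUDGET_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_police_table(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["cutoff"] = _watts(row["cutoff"])
            row["power"] = _watts(row["power"])
            rows.append(row)
    return rows


def overdrawn_ports(text):
    """Ports the policer caught above their cutoff, with the excess in watts,
    whether the configured action was errdisable or only a log message."""
    hits = []
    for row in parse_police_table(text):
        if row["oper_police"] == "overdrawn" or row["oper"] == "errdisable":
            excess = None
            if row["cutoff"] is not None and row["power"] is not None:
                excess = round(row["power"] - row["cutoff"], 1)
            hits.append({"intf": row["intf"], "action": row["admin_police"],
                         "state": row["oper"], "excess_w": excess})
    return hits


if __name__ == "__main__":
    print("budget:", parse_budget(SAMPLE_POLICE))
    for hit in overdrawn_ports(SAMPLE_POLICE):
        print(hit)
```

Run it against the saved output of `show power inline police` for a module or the whole chassis; a port reported with action log is still drawing over its cutoff and is only being reported, not cut off.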
IEEE 802.3af PoE as well as the Cisco proprietary Inline Power standard. With Cisco IOS Release 12.2(44)SG, the WS-X4648-RJ45V+E line card can also support the IEEE 802.3at standard with up to 30 W available per-port. The WS-X4648-RJ45V-E line card also supports up to 20 W.
The default power inline configurations usually are sufficient; no additional configuration is required even for high power-consumption Cisco powered devices (for example, a Cisco AP1250 Wireless Access Point). When a high-power consumption device is attached to a port on a WS-X4648-RJ45V-E or WS-X4648-RJ45V+E line card, the switch and device negotiate power using CDP packets to automatically determine the extended amount of power needed by the device.
Enhanced Power PoE Support on the E-Series Chassis
The following example shows how to automatically enable power on both signal and spare pairs from switch port gigabit ethernet 2/1:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet 2/1
Switch(config-if)# power inline four-pair forced
Switch(config-if)# shutdown...
The switches in the cluster use the switch clustering technology so that you can configure and troubleshoot a group of different Catalyst 4500 series switch platforms through a single IP address. Using switch clusters simplifies the management of multiple switches, regardless of their physical location and platform families.
3. You can only change this value for a cluster of devices. The port number on the Network Assistant and on the Catalyst 4500 series switch must match. The value can be changed to any non-default number above 1024.
4. Required for Network Assistant to access the device.
(Additional) Configuration Required to Use Clustering, page 14-5
(Minimum) Required Configuration
If you use the default configuration, access the Catalyst 4500 series switch and enter the ip http server (for HTTP) or ip http secure-server (for HTTPS) global configuration command. Prefer ip http secure-server: with plain HTTP, Network Assistant credentials and the configuration it reads and writes cross the network in cleartext.
Chapter 14 Configuring the Catalyst 4500 Series Switch with Cisco Network Assistant
Configuring Your Switch for Network Assistant
Command Purpose
Step 5 Configures the HTTPS port.
Switch(config)# ip http timeout-policy idle idle_time life life_time requests requests Configures the HTTP connection timeout policy. The idle keyword specifies the maximum amount of time a connection can stay idle.
Switch# show running-config
Managing a Network Using Community
This section describes how to use communities to manage devices (including Catalyst 4500 series switches, routers, access points, and PIX firewalls) using the Network Assistant application.
Note Access points have been eliminated from the device limits. There is no current limit for the number of access points that can be managed by CNA.
To join a community, a candidate must meet these requirements:
• An IP address has been obtained.
• Cisco Discovery Protocol (CDP) version 2 is enabled (the default) (if you want the device to be auto-discovered).
• HTTP (or HTTPS) is enabled....
Note Do not disable CDP on candidates, members, or on any network devices that you might want Network Assistant to discover.
Note PIX firewalls do not support the CDP, so they are not automatically shown as neighbors in the Topology view.
Access Modes in Network Assistant
When Network Assistant is connected to a community or cluster, two access modes are available: read-write and read-only, depending on the password.
Converting a Cluster into a Community
Note If you are logged into a community and you delete that community from some other CNA instance, then unless you close that community session, you can perform all the configurations through that session.
14-2).
Managing a Network Using Cluster
This section describes how to use clustering to create and manage Catalyst 4500 series switches using the standalone Network Assistant application or the command-line interface (CLI). Use clustering to group the switches in your network. You must enter the cluster run command on each switch to be managed.
• Has 16 VTY lines.
Note On a Catalyst 4500 series switch, the default is lines vty 0 through 4. You configure the switch to set the value to 16.
• Is not a command or cluster member switch of another cluster.
Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
Configuring Network Assistant in Community or Cluster Mode
Command Purpose
Step 6 Switch(config-if)# switchport access vlan vlan_id Enables the selected interface to be in the specified VLAN.
Step 7 Selects the VLAN instance for configuration.
Command Purpose
Step 27 Switch(config-line)# end Returns to privileged EXEC mode.
Step 28 Switch# show running-config Verifies the configuration.
This example shows how to configure Network Assistant on a networked switch in community mode:...
 subject-name cn=IOS-Self-Signed-Certificate-913087
 revocation-check none
 rsakeypair TP-self-signed-913087
crypto pki certificate chain TP-self-signed-913087
 certificate self-signed 01
  3082028E 308201F7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030...
The trustpoint in this example is self-signed (TP-self-signed-913087), so Network Assistant has no CA to validate it against; confirm the certificate fingerprint out of band the first time you connect over HTTPS.
interface GigabitEthernet1/13
interface GigabitEthernet1/14
interface GigabitEthernet1/15
interface GigabitEthernet1/16
interface GigabitEthernet1/17
interface GigabitEthernet1/18
interface GigabitEthernet1/19
interface GigabitEthernet1/20
interface Vlan1
 no ip address
interface Vlan2
 ip address 123.123.123.1 255.255.255.0...
Command Purpose
Step 7 Switch(config-vlan)# interface {vlan vlan_ID | {fastethernet | gigabitethernet}... Selects the interface that connects to your CNA-enabled PC.
Switch(config)# line con 0
Switch(config-line)# exec-timeout 0 0
Switch(config-line)# password keepout
Switch(config-line)# login
Switch(config-line)# line vty 5 15
Switch(config-line)# password keepout...
interface GigabitEthernet1/8
interface GigabitEthernet1/9
interface GigabitEthernet1/10
interface GigabitEthernet1/11
interface GigabitEthernet1/12
interface GigabitEthernet1/13
interface GigabitEthernet1/14
interface GigabitEthernet1/15
interface GigabitEthernet1/16
interface GigabitEthernet1/17...
Layer 3 switches. See the “About Layer 3 Interfaces” section on page 32-1 for information on inter-VLAN routing on Catalyst 4500 series switches. Figure 15-1 shows an example of three VLANs that create logically defined networks.
Before creating a VLAN, put the Catalyst 4500 series switch in VTP server mode or VTP transparent mode. If the Catalyst 4500 series switch is a VTP server, you must define a VTP domain. For information on configuring VTP, see the “VLAN Trunking Protocol”...
Normal: Used for Ethernet VLANs; you can create, use, and delete these VLANs.
1002–1005 Normal: Cisco defaults for FDDI and Token Ring. You cannot delete VLANs 1002–1005.
1006–4094 Extended: For Ethernet VLANs only.
When configuring extended-range VLANs, note the following:
• Layer 3 ports and some software features require internal...
Note Catalyst 4500 series switches do not support Token Ring or FDDI media. The switch does not forward FDDI, FDDI-NET, TrCRF, or TrBRF traffic, but it does propagate the VLAN configuration by using VTP. The software reserves parameters for these media types, but they are not supported.
Chapter 15 Configuring VLANs, VTP, and VMPS
Configuring VLANs in Global Configuration Mode
If the switch is in VTP server or transparent mode (see the “VLAN Trunking Protocol” section on page 15-7), you can configure VLANs in global and VLAN configuration modes. When you configure VLANs in global and config-vlan configuration modes, the VLAN configuration is saved in the vlan.dat file, not the running-config or startup-config files.
“Configuring Ethernet Interfaces for Layer 2 Switching” section on page 17-5.
VLAN Trunking Protocol
This section describes the VLAN Trunking Protocol (VTP) on the Catalyst 4500 series switches, and includes the following major subsections:
• About VTP, page 15-8
• VTP Configuration Guidelines and Restrictions, page 15-12...
Network Management Protocol (SNMP). By default, the Catalyst 4500 series switch is in VTP server mode and the domain is set to NULL until the switch receives an advertisement for a domain over a trunk link or you configure a management domain. Because a server-mode switch with a NULL domain adopts the first domain advertised to it over a trunk, configure the management domain (and a VTP password) explicitly before you bring up trunk links.
Understanding VTP Modes
You can configure a Catalyst 4500 series switch to operate in any one of these VTP modes:
• Server—In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters (such as VTP version and VTP pruning) for the entire VTP domain.
Note Catalyst 4500 series switches do not support Token Ring or FDDI media. The switch does not forward FDDI, FDDI-Net, Token Ring Concentrator Relay Function (TrCRF), or Token Ring Bridge Relay Function (TrBRF) traffic, but it does propagate the VLAN configuration by using VTP.
Switch 1. Switch 1 floods the broadcast and every network device in the network receives it, even though Switches 3, 5, and 6 have no interfaces in the Red VLAN. You can enable pruning globally on the Catalyst 4500 series switch (see the “Enabling VTP Pruning”...
• Configuring VLANs as eligible for pruning on a Catalyst 4500 series switch affects pruning eligibility for those VLANs on that switch only, not on all network devices in the VTP domain.
• The VLAN database is saved in the NVRAM file in a format compliant with the VTP version...
Configuring VTP
These sections describe how to configure VTP:
• Configuring VTP Global Parameters, page 15-14
• Configuring the VTP Mode, page 15-16
• Starting a Takeover, page 15-19
• Displaying VTP Statistics, page 15-19...
This example shows how to configure a VTP password in EXEC mode:
Switch# vtp password WATER
Setting device VLAN database password to WATER.
Switch#
Note The password is not stored in the running-config file.
This example shows how to configure a hidden password:
Switch# configure terminal
Switch(config)# vtp password WATER hidden...
Caution VTP version 1 and VTP version 2 are not interoperable on network devices in the same VTP domain. Every network device in the VTP domain must use the same VTP version. Do not enable VTP version 2 unless every network device in the VTP domain supports version 2.
Note When VTP is disabled, you can enter VLAN configuration commands in configuration mode instead of the VLAN database mode and the VLAN configuration is stored in the startup configuration file.
This example shows how to configure the switch as a VTP server:
Switch# configure terminal
Switch(config)# vtp mode server...
This example shows the VTP configuration parameters when the device is running VTP version 2:
Switch# show vtp status
VTP Version capable : 1 to 3
VTP version running
VTP Domain Name : Lab_Network
VTP Pruning Mode...
Starting a Takeover
This process applies to VTP version 3 only. To start a takeover, perform this task:
Command Purpose
Switch# vtp primary-server [vlan | mst] [force] Changes the operational state of a switch from a secondary to a primary server and advertises the configuration to the whole domain.
Request advertisements transmitted : 3
Number of config revision errors
Number of config digest errors
Number of V1 summary errors
VTP pruning statistics:
Trunk Join Transmitted Join Received Summary advts received from non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
Fa5/8...
VLAN Membership Policy Server
VLAN for that host. A Catalyst 4500 series switch running Cisco IOS software does not support the functionality of a VMPS. It can only function as a VLAN Query Protocol (VQP) client, which communicates with a VMPS through the VQP.
VMPS server. Note Although Catalyst 4500 series and Catalyst 6500 series switches running Catalyst operating system software support VMPS in all three operation modes, the User Registration Tool (URT) supports open mode only.
Fallback VLAN
You can configure a fallback VLAN name on a VMPS server. If no VLAN has been assigned to this port, VMPS compares the requesting MAC address to this port:
•...
Reconfirming VLAN Memberships, page 15-26
Configuring the IP Address of the VMPS Server
To configure a Catalyst 4500 series switch as a VMPS client, you must enter the IP address or hostname of the switch acting as the VMPS.
To define the primary and secondary VMPS on a Catalyst 4500 series switch, perform this task:
Command Purpose
Step 1 Switch# configure terminal Enters global configuration mode.
Step 2...
This example shows how to configure a dynamic access port and to verify the entry:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fa1/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan dynamic
Switch(config-if)# end...
Command Purpose
Step 3 Switch(config)# end Returns to privileged EXEC mode.
Step 4 Switch# show vmps Verifies the dynamic VLAN reconfirmation status.
This example shows how to change the reconfirmation interval to 60 minutes and verify the change:
Switch# configure terminal
Enter configuration commands, one per line.
• VMPS servers.
• End stations are connected to these clients:
– Catalyst 4500 series XL Switch 2 (running Catalyst Cisco IOS)
– Catalyst 4500 series XL Switch 9 (running Catalyst Cisco IOS)
• The database configuration file is called Bldg-G.db and is stored on the TFTP server with the IP...
Catalyst 4500 series switch operating as a VMPS client. Figure 15-6 illustrates a topology with an end station attached to a Cisco IP Phone, which is attached to a Catalyst 4500 series switch. Figure 15-5 Topology with an End Station Attached Directly to a Catalyst 4500 Series Switch...
Figure 15-6 Topology with an End Station Attached to a Cisco IP Phone that is Attached to a Catalyst 4500 Series Switch
(Figure: end station in VLAN 20, Cisco IP phone, Internet; the figure itself is not reproduced here.)
Assign the port dynamic VLAN membership:
switch(config-if)# switchport access vlan dynamic
Return to privileged EXEC mode:
switch(config-if)# end
switch#
Step 3 Connect End Station 2 on port Fa2/1. When End Station 2 sends a packet, Switch 2 sends a query to the primary VMPS server, Switch 1.
IP address. The IP unnumbered interface can “borrow” the IP address from another interface that is already configured on the Catalyst 4500 series switch, which conserves network and address space. When used with the DHCP server/relay agent, this feature allows a host address assigned by the DHCP server to be learned dynamically at the DHCP relay agent.
Chapter 16 Configuring IP Unnumbered Interface
IP Unnumbered Configuration Guidelines and Restrictions
Figure 16-2 Format of the Agent Remote ID Suboption (12 bytes)
Type (byte 1)
Length (byte 2)
Reserved (bytes 3-4)
NAS IP address (bytes 5-8)
Interface (byte 9)
Reserved (byte 10)
VLAN ID (bytes 11-12)
Configuring IP Unnumbered Interface Support with DHCP Server
• The option to add dhcp host routes as connected routes is available in Cisco IOS. When using connected mode, however, the clear ip route * command deletes the dhcp host connected routes permanently.
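The Agent Remote ID layout in Figure 16-2 is what a DHCP server or relay on the far side has to decode, and because the relay agent information option arrives from the network it should be validated field by field rather than trusted. The following Python encoder and decoder for that 12-byte suboption is an added example, not code from the guide or from Cisco. The suboption type value 2 is an assumption taken from the DHCP relay agent information option (RFC 3046), which the guide does not state; the meaning of the Interface byte is not described in the guide and is left opaque.

```python
import struct
from ipaddress import IPv4Address

# Layout from Figure 16-2, network byte order, 12 bytes in total:
# Type (1) | Length (1) | Reserved (2) | NAS IP (4) | Interface (1) | Reserved (1) | VLAN ID (2)
REMOTE_ID_FMT = "!BBHIBBH"
REMOTE_ID_LEN = struct.calcsize(REMOTE_ID_FMT)   # 12
REMOTE_ID_TYPE = 2          # assumption: RFC 3046 Agent Remote ID suboption code
PAYLOAD_LEN = REMOTE_ID_LEN - 2                  # bytes following the Type/Length header


def build_remote_id(nas_ip, interface, vlan_id):
    """Encode the suboption; both reserved fields are zero."""
    if not 0 <= interface <= 0xFF:
        raise ValueError("interface must fit in one byte")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return struct.pack(REMOTE_ID_FMT, REMOTE_ID_TYPE, PAYLOAD_LEN, 0,
                       int(IPv4Address(nas_ip)), interface, 0, vlan_id)


def parse_remote_id(data):
    """Decode and validate the suboption. Anything that is not exactly the
    12-byte layout is rejected, so a malformed or foreign relay option is not
    silently turned into an address assignment."""
    if len(data) != REMOTE_ID_LEN:
        raise ValueError(f"expected {REMOTE_ID_LEN} bytes, got {len(data)}")
    sub_type, length, rsvd1, nas_ip, interface, rsvd2, vlan_id = struct.unpack(REMOTE_ID_FMT, data)
    if sub_type != REMOTE_ID_TYPE:
        raise ValueError(f"unexpected suboption type {sub_type}")
    if length != PAYLOAD_LEN:
        raise ValueError(f"bad suboption length {length}")
    if rsvd1 or rsvd2:
        raise ValueError("reserved fields must be zero")
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} out of range")
    return {"nas_ip": str(IPv4Address(nas_ip)), "interface": interface, "vlan_id": vlan_id}


if __name__ == "__main__":
    raw = build_remote_id("10.1.1.1", 3, 10)   # constructed sample values
    print(raw.hex(), parse_remote_id(raw))
```

The decoder is deliberately strict about the reserved bytes and the length field: a relay that pads or extends the suboption will fail parsing rather than be interpreted as a different switch.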
Chapter 16 Configuring IP Unnumbered Interface Configuring IP Unnumbered Interface Support with DHCP Server In the following example, Ethernet VLAN 10 is configured as an IP unnumbered interfaces: Switch> enable Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# interface vlan 10 Switch(config-if)# ip unnumbered Lookback 0 Configuring IP Unnumbered Interface Support on a Range of Ethernet VLANs...
Chapter 16 Configuring IP Unnumbered Interface Configuring IP Unnumbered Interface Support with Connected Host Polling Configuring IP Unnumbered Interface Support with Connected Host Polling To configure IP unnumbered interface support with connected host polling, perform this task: Command Purpose Step 1 Enables privileged EXEC mode.
Displays the status of unnumbered interface with connected Switch# show ip interface [type number] unnumbered [detail] host polling for the Catalyst 4500 series switch. The following example shows how to display the status of unnumbered interfaces with connected host polling:...
Troubleshooting IP Unnumbered Interface Troubleshooting IP Unnumbered Interface To understand how to debug connected host polling, see the Cisco IOS documentation of the debug arp command on cisco.com. When an IP unnumbered interface shares the IP address of a loopback interface whose prefix is advertised in an OSPF network, you must modify the loopback interface as a point-to-point interface.
Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location: http://www.cisco.com/en/US/products//hw/switches/ps4324/index.html If the command is not found in the Catalyst 4500 Series Switch Command Reference, it will be found in the larger Cisco IOS library. Refer to the Cisco IOS Command Reference and related publications at this location: http://www.cisco.com/en/US/products/ps6350/index.html...
Catalyst 4500 series switch are full-duplex mode only, providing 2-Gbps effective bandwidth. Switching Frames Between Segments Each Ethernet interface on a Catalyst 4500 series switch can connect to a single workstation or server, or to a hub through which workstations or servers connect to the network.
Chapter 17 Configuring Layer 2 Ethernet Interfaces About Layer 2 Ethernet Switching VLAN Trunks A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch. Trunks carry the traffic of multiple VLANs over a single link and allow you to extend VLANs across an entire network.
VLANs allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch combines the spanning tree instance of the native VLAN of the trunk with the spanning tree instance of the non-Cisco 802.1Q switch.
Configuring Ethernet Interfaces for Layer 2 Switching Configuring Ethernet Interfaces for Layer 2 Switching The following sections describe how to configure Layer 2 switching on a Catalyst 4500 series switch: • Configuring an Ethernet Interface as a Layer 2 Trunk, page 17-5...
Chapter 17 Configuring Layer 2 Ethernet Interfaces Configuring Ethernet Interfaces for Layer 2 Switching Command Purpose Step 7 Switch(config-if)# switchport trunk pruning vlan {add | except | none | (Optional) Configures the list of VLANs allowed to be pruned from the trunk (see the “VLAN Trunking Protocol”...
Chapter 17 Configuring Layer 2 Ethernet Interfaces Configuring Ethernet Interfaces for Layer 2 Switching This example shows how to verify the trunk configuration: Switch# show interfaces fastethernet 5/8 trunk Port Mode Encapsulation Status Native vlan Fa5/8 desirable n-802.1q trunking Port Vlans allowed on trunk Fa5/8 1-1005 Port...
Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
Chapter 18 Configuring SmartPort Macros Configuring SmartPort Macros Passing Parameters Through the Macro Some commands might not be sufficiently generic for all interfaces; for example, the VLAN ID for Layer 2 interfaces and the IP address for Layer 3 interfaces. Retaining such commands in macro definitions requires that you change the value of such parameters (such as VLAN ID or IP address) before applying the macro to different interfaces.
• cisco-switch, page 18-5 cisco-global This is the example for the cisco-global macro: # Enable dynamic port error recovery for link state failures. errdisable recovery cause link-flap errdisable recovery interval 60 # VTP requires Transparent mode for future 802.1x Guest VLAN...
# and use inactivity timer switchport port-security violation restrict switchport port-security aging time 2 switchport port-security aging type inactivity # Enable auto-qos to extend trust to attached Cisco phone auto qos voip cisco-phone # Configure port as an edge network port spanning-tree portfast...
If a command fails when you apply a macro, either due to a syntax error or to a configuration error, the macro continues to apply the remaining commands to the interface. • cisco-global needs to be applied at the global configuration mode. We recommend that you apply this macro before any other interface level macro.
Cisco-default macro with the required values by using the parameter value keywords. The Cisco-default macros use the $ character to help identify required keywords. There is no restriction on using the $ character to define keywords when you create a macro.
Chapter 18 Configuring SmartPort Macros Configuring SmartPort Macros Creating SmartPort Macros To create a SmartPort macro, perform this task: Command Purpose Step 1 Switch# configure terminal Enters global configuration mode. Step 2 Switch(config)# macro name macro-name Creates a macro definition, and enters a macro name. A macro definition can contain up to 3000 characters.
If you apply a macro without entering the keyword values, the commands are invalid and are not applied. For example, here is how you apply this command: Switch(config-if)# macro apply cisco-phone ? WORD Keyword to replace with a value e.g. $AVID, $VVID ...
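The keyword contract described above (required $keywords, and nothing applied when a value is missing) can be modelled offline to check a macro and its parameters before they reach a switch. The following Python is an added example for this page, not the switch's own implementation and not code from the Cisco guide: the sample macro text is constructed from the cisco-phone excerpt shown above, the rule that keywords ending in VID carry VLAN IDs is an assumption, and the function names are mine.

```python
import re

# Cisco-default macros mark required keywords with a leading $ (e.g. $AVID, $VVID).
KEYWORD_RE = re.compile(r"\$[A-Z_][A-Z0-9_]*")

# Constructed sample modelled on the cisco-phone macro excerpt on this page;
# it is not the switch's own macro text.
SAMPLE_MACRO = """\
# Access VLAN for the PC, voice VLAN for the phone (constructed sample)
switchport access vlan $AVID
switchport voice vlan $VVID
switchport port-security
switchport port-security violation restrict
spanning-tree portfast
"""


def required_keywords(macro_text: str) -> set:
    """Every $keyword a caller must supply before the macro can be applied."""
    return set(KEYWORD_RE.findall(macro_text))


def _check_vlan_value(keyword: str, value: str) -> None:
    # Assumption: keywords ending in VID ($AVID, $VVID, $NVID) carry VLAN IDs.
    if keyword.endswith("VID") and not (value.isdigit() and 1 <= int(value) <= 4094):
        raise ValueError(f"{keyword}={value!r} is not a VLAN ID in 1-4094")


def apply_macro(macro_text: str, params: dict) -> list:
    """Expand the macro into the command lines that would be applied.
    Mirrors the page's rule: if any keyword value is missing, nothing is applied."""
    missing = required_keywords(macro_text) - set(params)
    if missing:
        raise ValueError(f"missing keyword values: {sorted(missing)}")
    for keyword, value in params.items():
        _check_vlan_value(keyword, value)
    commands = []
    for line in macro_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # comment lines are not configuration commands
        commands.append(KEYWORD_RE.sub(lambda m: params[m.group(0)], line))
    return commands


def rejects(macro_text: str, params: dict) -> bool:
    """True when apply_macro refuses the macro/parameter combination."""
    try:
        apply_macro(macro_text, params)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for cmd in apply_macro(SAMPLE_MACRO, {"$AVID": "35", "$VVID": "100"}):
        print(cmd)
```

Checking the parameter set before applying a macro avoids the partially-applied state the page warns about, where a failed command does not stop the remaining ones from being applied to the interface.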
• cisco-switch, page 18-12 • cisco-router, page 18-13 cisco-global This example shows how to use the system-defined macro cisco-global: Switch(config)# macro global apply cisco-global Changing VTP domain name from gsg-switch to [smartports] Setting device to VTP TRANSPARENT mode. Switch(config)# end...
Configuring SmartPort Macros Configuring SmartPort Macros cisco-desktop This example shows how to use the system-defined macro cisco-desktop to assign a value of 35 to the access VLAN of the Fast Ethernet interface 2/9. Note This macro requires the $AVID keyword, which is the access VLAN of the port.
-------------------------------------------------------------- cisco-switch This example shows how to use the system-defined macro cisco-switch to assign a value of 38 to the native VLAN on the Fast Ethernet interface 2/9. This macro requires the $NVID keyword, which is the native VLAN of the port.
-------------------------------------------------------------- cisco-router This example shows how to use the system-defined macro cisco-router to assign a value of 451 to the native VLAN on the Fast Ethernet interface 2/9. Note This macro requires the $NVID keyword, which is the native VLAN of the port.
PC, to a switch port. cisco-phone Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
EXEC command. Applying Static SmartPort Macros To apply a static SmartPort macro, perform these steps, beginning in privileged EXEC mode: Command Purpose Step 1 show parser macro Displays the Cisco-default static SmartPort macros embedded in the switch software. Step 2 Displays the specific macro that you want to apply.
You can delete a macro-applied configuration on a port by entering the default interface interface-id interface configuration command. This example shows how to display the cisco-desktop macro, to apply the macro and to set the access VLAN ID to 25 on an interface:...
Auto Smartport module, comprising a limited set of Cisco devices. They are built into Cisco IOS and cannot be changed. The default profiles are stored as a text file in nonvolatile storage and allow the DC to identify a much larger set of devices. The default profiles are updated as part of the Cisco IOS archive download.
Chapter 19 Configuring Cisco IOS Auto Smartport Macros Configuring Auto Smartport Macros When a new device is detected, the corresponding shell trigger executes the Auto Smartport configuration macro. Auto Smartport has built-in mappings for a large set of devices. You can use the commands described in the “Configuring Mapping Between User-Defined Triggers and Built-in...
Switch(config)# interface interface_id Switch(config-if)# no macro auto processing Auto Smartport Default Configuration By default, Cisco IOS shell is enabled and Auto Smartport is disabled globally. Table 19-1 shows the Auto Smartport built-in event triggers that are embedded in the switch software by default.
Use this macro to apply the switch macro for Cisco switches. It enables SMARTPORT trunking on the port. CISCO_ROUTER_AUTO_ Use this macro to apply the router macro for Cisco routers. It enables QoS, SMARTPORT trunking, and spanning-tree protection on the port. CISCO_AP_AUTO_...
Consult the specific device documentation to ensure the device's firmware is current. The LWAP’s WLC software version must be 6.0.188 ( => Cisco IOS 12.4(21a)JA2) or later to make •...
[[parameter=value] {function contents}]} command deletes the mapping. This example shows how to use two built-in Auto Smartport macros for connecting Cisco switches and Cisco IP phones to the switch. This example modifies the default voice VLAN, access VLAN, and native VLAN for the trunk interface:...
802.1X-Based Event Trigger When using MAB or 802.1X authentication to trigger Auto Smartport macros, you need to create an event trigger that corresponds to the Cisco AV pair (auto-smart-port=event trigger) sent by the RADIUS server. To configure an event trigger, perform this task:...
Chapter 19 Configuring Cisco IOS Auto Smartport Macros Configuring Auto Smartport Macros Command Purpose Step 4 Switch# show shell triggers Displays the event triggers on the switch. Step 5 Switch# copy running-config startup-config (Optional) Saves your entries in the configuration file. Use the no shell trigger identifier global configuration command to delete the event trigger.
Switch# copy running-config startup-config (Optional) Saves your entries in the configuration file. This example shows how to map a user-defined event trigger called Cisco Digital Media Player (DMP) to a user-defined macro. Connect the DMP to an 802.1X- or MAB-enabled switch port.
Chapter 19 Configuring Cisco IOS Auto Smartport Macros Configuring Auto Smartport Macros switchport mode access switchport port-security switchport port-security maximum 1 switchport port-security violation restrict switchport port-security aging time 2 switchport port-security aging type inactivity spanning-tree portfast spanning-tree bpduguard enable...
Chapter 19 Configuring Cisco IOS Auto Smartport Macros Displaying Auto Smartport Table 19-5 lists the shell keywords that are not supported in macros and antimacros. Table 19-5 Unsupported Cisco IOS Shell Reserved Keywords Command Description Pipeline. case Conditional construct. esac Conditional construct.
Chapter 19 Configuring Cisco IOS Auto Smartport Macros Displaying Auto Smartport Switch# show macro auto monitor type table Valid Type Profile Name min Conf =========== ========= ================== ======== ==== Valid Default Apple-Device Valid Default Aruba-Device Valid Default Avaya-Device Valid Default...
Chapter 19 Configuring Cisco IOS Auto Smartport Macros Displaying Auto Smartport Trigger mapping function: CISCO_LWAP_AUTO_SMARTPORT This example shows how to use the show shell functions privileged EXEC command to view the built-in macros in the switch software: Switch# show shell functions...
Chapter 19 Configuring Cisco IOS Auto Smartport Macros Displaying Auto Smartport Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG 19-18 OL-25340-01...
Configuring STP and MST About STP A Catalyst 4500 series switch uses STP (the IEEE 802.1D bridge protocol) on all VLANs. By default, a single spanning tree runs on each configured VLAN (provided you do not manually disable the spanning tree).
VLAN ID STP MAC Address Allocation A Catalyst 4500 series switch chassis has either 64 or 1024 MAC addresses available to support software features like STP. Enter the show module command to view the MAC address range on your chassis.
Chapter 20 Configuring STP and MST About STP • The identifier of the transmitting port • Values for the hello, forward delay, and max-age protocol timers When a switch transmits a BPDU frame, all switches connected to the LAN on which the frame is transmitted receive the BPDU.
Chapter 20 Configuring STP and MST About STP Creating the STP Topology The goal of the spanning tree algorithm is to make the most direct link the root port. When the spanning tree topology is calculated based on default parameters, the path between source and destination end stations in a switched network might not be optimal according to link speed.
When you connect a Cisco switch to a non-Cisco device (that supports 802.1Q) through an 802.1Q trunk, the Cisco switch combines the spanning tree instance of the 802.1Q native VLAN of the trunk with the spanning tree instance of the non-Cisco 802.1Q switch. However, all per-VLAN spanning tree information is maintained by Cisco switches separated by a network of non-Cisco 802.1Q switches.
Chapter 20 Configuring STP and MST Default STP Configuration For enabling information, see “Enabling Per-VLAN Rapid Spanning Tree” on page 20. Default STP Configuration Table 20-4 shows the default spanning tree configuration. Table 20-4 Spanning Tree Default Configuration Values Feature Default Value Enable state Spanning tree enabled for all VLANs...
Chapter 20 Configuring STP and MST Configuring STP • Disabling Spanning Tree Protocol, page 20-20 • Enabling Per-VLAN Rapid Spanning Tree, page 20-20 Note The spanning tree commands described in this chapter can be configured on any interface except those configured with the no switchport command.
Chapter 20 Configuring STP and MST Configuring STP Designated bridge has priority 32768, address 00e0.4fac.b000 Designated port id is 128.2, designated path cost 19 Timers: message age 3, forward delay 0, hold 0 Number of transitions to forwarding state: 1 BPDU: sent 3, received 3417 Switch# Enabling the Extended System ID...
Chapter 20 Configuring STP and MST Configuring STP Configuring the Root Bridge A Catalyst 4000 family switch maintains an instance of spanning tree for each active VLAN configured on the switch. A bridge ID, consisting of the bridge priority and the bridge MAC address, is associated with each instance.
Chapter 20 Configuring STP and MST Configuring STP VLAN1 is executing the ieee compatible Spanning Tree protocol Bridge Identifier has priority 32768, address 0030.94fc.0a00 Configured hello time 2, max age 20, forward delay 15 Current root has priority 32768, address 0001.6445.4400 Root port is 323 (FastEthernet6/3), cost of root path is 19 Topology change flag not set, detected flag not set Number of topology changes 2 last change occurred 00:02:19 ago...
Chapter 20 Configuring STP and MST Configuring STP Port 324 (FastEthernet6/4) of VLAN1 is listening Port path cost 19, Port priority 128, Port Identifier 129.68. Designated root has priority 8192, address 0030.94fc.0a00 Designated bridge has priority 8192, address 0030.94fc.0a00 Designated port id is 129.68, designated path cost 0 Timers:message age 0, forward delay 5, hold 0 Number of transitions to forwarding state:0 BPDU:sent 6, received 102...
16 (the default is 128). Note The Cisco IOS software uses the port priority value when the interface is configured as an access port and uses VLAN port priority values when the interface is configured as a trunk port.
Chapter 20 Configuring STP and MST Configuring STP Switch(config-if)# spanning-tree port-priority 100 Switch(config-if)# end Switch# This example shows how to verify the configuration of a Fast Ethernet interface when it is configured as an access port: Switch# show spanning-tree interface fastethernet 3/1 Vlan Role Sts Cost Prio.Nbr Status...
Chapter 20 Configuring STP and MST Configuring STP Designated root has priority 32768, address 0003.6b10.ebec Designated bridge has priority 32768, address 0003.6b10.ebec Designated port id is 128.129, designated path cost 0 Timers:message age 0, forward delay 0, hold 0 Number of transitions to forwarding state:1 Link type is point-to-point by default BPDU:sent 95, received 2 Switch#...
Chapter 20 Configuring STP and MST Configuring STP Command Purpose Step 1 Switch(config)# interface {{fastethernet | gigabitethernet | tengigabitethernet} slot/port} | {port-channel port_channel_number} Specifies an interface to configure. Step 2 Switch(config-if)# [no] spanning-tree cost port_cost Configures the port cost for an interface. The port_cost value can be from 1 to 200,000,000.
Chapter 20 Configuring STP and MST Configuring STP Number of transitions to forwarding state: 1 BPDU: sent 0, received 13513 <...output truncated...> Switch# Note The show spanning-tree command displays only information for ports with an active link (green light is on). If there is no port with an active link, you can issue a show running-config command to confirm the configuration.
Chapter 20 Configuring STP and MST Configuring STP To configure the spanning tree hello time of a VLAN, perform this task: Command Purpose Step 1 Switch(config)# [no] spanning-tree vlan vlan_ID hello-time hello_time Configures the hello time of a VLAN. The hello_time value can be from 1 to 10 seconds.
Chapter 20 Configuring STP and MST Configuring STP This example shows how to verify the configuration: Switch# show spanning-tree vlan 200 bridge brief Hello Max Vlan Bridge ID Time Age Delay Protocol ---------------- -------------------- ---- ---- ----- -------- VLAN200 49152 0050.3e8d.64c8 ieee Switch# Configuring the Forward-Delay Time for a VLAN...
Chapter 20 Configuring STP and MST Configuring STP Disabling Spanning Tree Protocol To disable spanning tree on a per-VLAN basis, perform this task: Command Purpose Step 1 Switch(config)# no spanning-tree vlan vlan_ID Disables spanning tree on a per-VLAN basis. Step 2 Exits configuration mode.
Chapter 20 Configuring STP and MST Configuring STP Switch# clear spanning-tree detected-protocols The following example shows how to verify the configuration: Switch# show spanning-tree summary totals Switch is in rapid-pvst mode Root bridge for:VLAN0001 Extended system ID is disabled Portfast Default is disabled PortFast BPDU Guard Default is disabled...
Spanning Tree Plus (PVST+) and is backward compatible with 802.1D STP, 802.1w (Rapid Spanning Tree Protocol [RSTP]), and the Cisco PVST+ architecture. MST allows you to build multiple spanning trees over trunks. You can group and associate VLANs to spanning tree instances.
Chapter 20 Configuring STP and MST About MST • MST establishes and maintains additional spanning trees within each MST region. These spanning trees are termed MST instances (MSTIs). The IST is numbered 0, and the MSTIs are numbered 1, 2, 3, and so on. Any MSTI is local to the MST region and is independent of MSTIs in another region, even if the MST regions are interconnected.
Chapter 20 Configuring STP and MST About MST RSTP Port Roles In RSTP, the port roles are defined as follows: • Root—A forwarding port elected for the spanning tree topology. • Designated—A forwarding port elected for every switched LAN segment. •...
– Common Spanning Tree CST (802.1Q) is a single spanning tree for all the VLANs. In a Catalyst 4500 series switch running PVST+, the VLAN 1 spanning tree corresponds to CST. In a Catalyst 4500 series switch running MST, IST (instance 0) corresponds to CST.
Chapter 20 Configuring STP and MST About MST MST Instances We support 65 instances including instance 0. Each spanning tree instance is identified by an instance ID that ranges from 0 to 4094. Instance 0 is mandatory and is always present. The rest of the instances are optional.
Chapter 20 Configuring STP and MST About MST To form an MST region, bridges can be either of the following: • An MST bridge that is the only member of the MST region. • An MST bridge interconnected by a LAN. A LAN’s designated bridge has the same MST...
Chapter 20 Configuring STP and MST About MST To prevent a misconfiguration, the PortFast operation is turned off if the port receives a BPDU. You can display the configured and operational status of PortFast by using the show spanning-tree mst interface command.
VLAN is mapped. The topology change stays local to the first MST region, and the Cisco Access Manager (CAM) entries in the other region are not flushed. To make the topology change visible throughout other MST regions, you can map that VLAN to IST or connect the PVST+ switch to the two regions through access links.
Switch(config-mst)# show current Current MST configuration Name Revision Instance Vlans mapped -------- --------------------------------------------------------------------- 1-4094 ------------------------------------------------------------------------------- Switch(config-mst)# name cisco Switch(config-mst)# revision 2 Switch(config-mst)# instance 1 vlan 1 Switch(config-mst)# instance 2 vlan 1-1000 Switch(config-mst)# show pending Pending MST configuration Name [cisco] Revision Instance...
Chapter 20 Configuring STP and MST Configuring MST Switch# show spanning-tree mst ###### MST00 vlans mapped: 11-4094 Bridge address 00d0.00b8.1400 priority 24576 (24576 sysid 0) Root this switch for CST and IST Configured hello time 2, forward delay 15, max age 20, max hops 20 Interface Role Sts Cost Prio.Nbr Status...
Similarly, an MST port still assumes that it is a boundary port when the bridge(s) to which it is connected have joined the same region. To force a Catalyst 4500 series switch to renegotiate with the neighbors (that is, to restart protocol migration), you must enter the clear...
Configuring STP and MST Configuring MST The following examples show how to display spanning tree VLAN configurations in MST mode: Switch(config)# spanning-tree mst configuration Switch(config-mst)# instance 1 vlan 1-10 Switch(config-mst)# name cisco Switch(config-mst)# revision 1 Switch(config-mst)# Ctrl-D Switch# show spanning-tree mst configuration Name...
Chapter 20 Configuring STP and MST Configuring MST Switch# show spanning-tree mst interface fastethernet 4/4 FastEthernet4/4 of MST00 is backup blocking Edge port:no (default) port guard :none (default) Link type:point-to-point (auto) bpdu filter:disable (default) Boundary :internal bpdu guard :disable (default) Bpdus sent 2, received 368 Instance Role Sts Cost Prio.Nbr Vlans mapped...
Chapter 20 Configuring STP and MST Configuring MST Bridge ID Priority 32769 (priority 32768 sys-id-ext 1) Address 00d0.00b8.1400 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Interface Role Sts Cost Prio.Nbr Status ---------------- ---- --- --------- -------- -------------------------------- Fa4/4 Back BLK 1000 240.196...
STP on some interfaces. Note The Catalyst 4500 series switch supports a maximum of 16 Flex Links. You configure Flex Links on one Layer 2 interface (the active link) by assigning another Layer 2 interface as the Flex Link or backup link. When one of the links is up and forwarding traffic, the other link is in standby mode, ready to begin forwarding traffic if the other link fails.
Chapter 21 Configuring Flex Links and MAC Address-Table Move Update About Flex Links rest on the other port. If one of the ports fails, the other active port forwards all the traffic. When the failed port reactivates, it resumes forwarding traffic in the preferred VLANs. In addition to providing the redundancy, this Flex Links pair can be used for load balancing.
Chapter 21 Configuring Flex Links and MAC Address-Table Move Update MAC Address-Table Move Update MAC Address-Table Move Update In Figure 21-3, ports 1 and 2 on switch A are connected to uplink switches B and D through a Flex Links pair. Port 1 is forwarding traffic, and port 2 is in the blocking state. Traffic from the PC to the server is forwarded from port 1 to port 3.
Chapter 21 Configuring Flex Links and MAC Address-Table Move Update Configuring Flex Links Figure 21-3 MAC Address-Table Move Update Example (figure; labels shown: Server, Switch C, Port 3, Port 4, Switch B, Switch D, Port 1, Port 2, Switch A) Configuring Flex Links These sections contain this configuration information: • Default Configuration, page 21-5...
Chapter 21 Configuring Flex Links and MAC Address-Table Move Update Configuring Flex Links Configuration Guidelines Follow these guidelines to configure Flex Links and associated features: • You can configure only one Flex Link backup link for any active link, and it must be a different...
Chapter 21 Configuring Flex Links and MAC Address-Table Move Update Configuring Flex Links To disable a Flex Links backup interface, enter the no switchport backup interface interface-id interface configuration command. This example shows how to configure an interface with a backup interface and to verify the configuration: Switch# configure terminal Switch(conf)# interface fastethernet1/1...
Chapter 21 Configuring Flex Links and MAC Address-Table Move Update Configuring Flex Links To remove a preemption scheme, enter the no switchport backup interface interface-id preemption mode interface configuration command. To reset the delay time to the default, enter the no switchport backup interface interface-id preemption delay interface configuration command.
Chapter 21 Configuring Flex Links and MAC Address-Table Move Update Configuring Flex Links When both interfaces are up, Fast Ethernet port 1/0/8 forwards traffic for VLANs 60 and 100 to 120 and Fast Ethernet port 1/0/6 forwards traffic for VLANs 1 to 50. Switch# show interfaces switchport backup Switch Backup Interface Pairs: Active Interface...
Chapter 21 Configuring Flex Links and MAC Address-Table Move Update Configuring MAC Address-Table Move Update Configuring MAC Address-Table Move Update These sections contain this configuration information: • Default Configuration, page 21-5 • Configuration Guidelines, page 21-6 • Configuring MAC Address-Table Move Update, page 21-10...
Chapter 21 Configuring Flex Links and MAC Address-Table Move Update Configuring MAC Address-Table Move Update Command Purpose Step 3 Switch(conf-if)# switchport backup interface interface-id Configures a physical Layer 2 interface (or port channel) as part of a Flex Links pair with the interface. The MAC address-table move update VLAN is the lowest VLAN ID on the interface.
Chapter 21 Configuring Flex Links and MAC Address-Table Move Update Monitoring Flex Links and the MAC Address-Table Move Update Configuring a Switch to Receive MAC Address-Table Move Updates To configure a switch to receive and process MAC address-table move update messages, perform this task: Command Purpose...
Chapter 22 Configuring Resilient Ethernet Protocol About REP Figure 22-1 REP Open Segments (figure; labels shown: Edge port, Blocked port, Link failure) The segment shown in Figure 22-1 is an open segment; there is no connectivity between the two edge ports. The REP segment cannot cause a bridging loop and it is safe to connect the segment edges to any network.
Figure 22-3. Starting with Cisco IOS Release 15.0(2)SG, you can configure the non-REP facing ports (E1 and E2) as edge no-neighbor ports. These ports inherit all properties of edge ports, and you can configure them the same as any edge port, including configuring them to send STP or REP topology change notices to the aggregation switch.
By default, REP packets are sent to a BPDU class MAC address. The packets can also be sent to the Cisco multicast address, which at present is used only to send blocked port advertisement (BPA) messages when there is a failure in the segment. The packets are dropped by devices not running REP.
Chapter 22 Configuring Resilient Ethernet Protocol About REP The neighbor offset number range is –256 to +256; a value of 0 is invalid. The primary edge port has an offset number of 1; positive numbers above 1 identify downstream neighbors of the primary edge port.
Chapter 22 Configuring Resilient Ethernet Protocol About REP When VLAN load balancing is triggered, the primary edge port then sends out a message to alert all interfaces in the segment about the preemption. When the message is received by the secondary edge port, it is reflected into the network to notify the alternate port to block the set of VLANs specified in the message and to notify the primary edge port to block the remaining VLANs.
Chapter 22 Configuring Resilient Ethernet Protocol Configuring REP Configuring REP A segment is a collection of ports connected one to the other in a chain and configured with a segment ID. To configure REP segments, you should configure the REP administrative VLAN (or use the default VLAN 1) and then add the ports to the segment using interface configuration mode.
• REP sends all LSL PDUs in untagged frames on the native VLAN. The BPA message sent to the Cisco multicast address is sent on the administration VLAN, which is VLAN 1 by default. • REP ports cannot be configured as one of these port types: –...
Chapter 22 Configuring Resilient Ethernet Protocol Configuring REP To configure the REP administrative VLAN, perform this task: Command Purpose Step 1 Switch# configure terminal Enters global configuration mode. Step 2 Switch(config)# rep admin vlan vlan-id Specifies the administrative VLAN. The range is 2 to 4094.
Chapter 22 Configuring Resilient Ethernet Protocol Configuring REP To enable and configure REP on an interface, perform this task: Command Purpose Step 1 Switch# configure terminal Enters global configuration mode. Step 2 Switch(config)# interface interface-id Specifies the interface, and enters interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).
Chapter 22 Configuring Resilient Ethernet Protocol Configuring REP Command | Purpose Step 4 | Switch(config-if)# rep segment segment-id [edge [no-neighbor] [primary]] [preferred] | Enables REP on the interface and identifies a segment number. The segment ID range is from 1 to 1024. These optional keywords are available: ...
Chapter 22 Configuring Resilient Ethernet Protocol Configuring REP Command | Purpose Step 6 | Switch(config-if)# rep block port {id port-id | neighbor_offset | preferred} vlan {vlan-list | all} | (Optional) Configures VLAN load balancing on the primary edge port, identifies the REP alternate port in one of three ways, and configures the VLANs to be blocked on the alternate port.
Chapter 22 Configuring Resilient Ethernet Protocol Configuring REP This example shows how to configure the same configuration when the interface has no external REP neighbor: Switch# configure terminal Switch (config)# interface gigabitethernet1/1 Switch (config-if)# rep segment 1 edge no-neighbor primary Switch (config-if)# rep stcn segment 2-5 Switch (config-if)# rep block port 0009001818D68700 vlan all Switch (config-if)# rep preempt delay 60...
Chapter 22 Configuring Resilient Ethernet Protocol Monitoring REP Command | Purpose Step 3 | Switch(config-if)# rep preempt segment segment-id | Manually triggers VLAN load balancing on the segment. You must confirm the command before it is executed. Step 4 | Switch(config-if)# end | Returns to privileged EXEC mode. Step 5 | Displays REP topology information.
Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location: http://www.cisco.com/en/US/products//hw/switches/ps4324/index.html If the command is not found in the Catalyst 4500 Series Switch Command Reference, it will be found in the larger Cisco IOS library. Refer to the Cisco IOS Command Reference and related publications at this Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG...
Chapter 23 Configuring Optional STP Features About Root Guard location: http://www.cisco.com/en/US/products/ps6350/index.html About Root Guard Spanning Tree root guard forces an interface to become a designated port, to protect the current root status and prevent surrounding switches from becoming the root switch.
Chapter 23 Configuring Optional STP Features About Loop Guard This example shows how to determine whether any ports are in root inconsistent state: Switch# show spanning-tree inconsistentports Name Interface Inconsistency -------------------- ---------------------- ------------------ VLAN0001 FastEthernet3/1 Root Inconsistent VLAN0001 FastEthernet3/2 Root Inconsistent VLAN1002 FastEthernet3/1 Root Inconsistent...
Chapter 23 Configuring Optional STP Features Enabling Loop Guard Figure 23-1 illustrates the following configuration: • Switches A and B are distribution switches. • Switch C is an access switch. • Loop guard is enabled on ports 3/1 and 3/2 on Switches A, B, and C. •...
Chapter 23 Configuring Optional STP Features Enabling Loop Guard Command | Purpose Step 2 | Switch(config)# end | Exits configuration mode. Step 3 | Switch# show spanning-tree interface 4/4 detail | Verifies the configuration impact on a port. This example shows how to enable loop guard globally: Switch(config)# spanning-tree loopguard default Switch(config)# Ctrl-Z This example shows how to verify the previous configuration of port 4/4:...
Chapter 23 Configuring Optional STP Features About EtherChannel Guard About EtherChannel Guard EtherChannel guard allows you to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the interfaces of a switch are manually configured in an EtherChannel, and one or more interfaces on the other device are not.
Chapter 23 Configuring Optional STP Features Enabling PortFast unit (BPDU), spanning tree does not place the port into the blocking state. Spanning tree sets the port’s operating state to non-port fast even if the configured state remains port fast and starts participating in the topology change.
Chapter 23 Configuring Optional STP Features About BPDU Guard About BPDU Guard Spanning Tree BPDU guard shuts down PortFast-configured interfaces that receive BPDUs, rather than putting them into the spanning tree blocking state. In a valid configuration, PortFast-configured interfaces do not receive BPDUs. Reception of a BPDU by a PortFast-configured interface signals an invalid configuration, such as connection of an unauthorized device.
About PortFast BPDU Filtering About PortFast BPDU Filtering Cisco IOS Release 12.2(25)EW and later support PortFast BPDU filtering, which allows the administrator to prevent the system from sending or even receiving BPDUs on specified ports. When configured globally, PortFast BPDU filtering applies to all operational PortFast ports. Ports in an operational PortFast state are supposed to be connected to hosts that typically drop BPDUs.
Chapter 23 Configuring Optional STP Features Enabling PortFast BPDU Filtering Switch(config)# Ctrl-Z This example shows how to verify the BPDU configuration in PVST+ mode: Switch# show spanning-tree summary totals Root bridge for:VLAN0010 EtherChannel misconfiguration guard is enabled Extended system ID is disabled Portfast is enabled by default...
Chapter 23 Configuring Optional STP Features About UplinkFast Note: UplinkFast is most useful in wiring-closet switches. This feature might not be useful for other types of applications. Spanning Tree UplinkFast provides fast convergence after a direct link failure and uses uplink groups to achieve load balancing between redundant Layer 2 links.
Chapter 23 Configuring Optional STP Features Enabling UplinkFast Figure 23-3 UplinkFast After Direct Link Failure Switch A Switch B (Root) Link failure UplinkFast transitions port directly to forwarding state Switch C Enabling UplinkFast UplinkFast increases the bridge priority to 49,152 and adds 3000 to the spanning tree port cost of all interfaces on the switch, making it unlikely that the switch becomes the root switch.
Chapter 23 Configuring Optional STP Features About BackboneFast Station update rate set to 150 packets/sec. UplinkFast statistics ----------------------- Number of transitions via uplinkFast (all VLANs) Number of proxy multicast addresses transmitted (all VLANs) :5308 Name Interface List -------------------- ------------------------------------ VLAN1 Fa6/9(fwd), Gi5/7 VLAN2 Gi5/7(fwd)
Chapter 23 Configuring Optional STP Features About BackboneFast If the switch finds an alternate path to the root bridge, it uses this new alternate path. This new path, and any other alternate paths, are used to send a Root Link Query (RLQ) BPDU. When BackboneFast is enabled, the RLQ BPDUs are sent out as soon as an inferior BPDU is received.
Chapter 23 Configuring Optional STP Features Enabling BackboneFast Figure 23-5 shows how BackboneFast reconfigures the topology to account for the failure of link L1. Figure 23-5 BackboneFast after Indirect Link Failure Switch A Switch B (Root) Blocked port Switch C If a new switch is introduced into a shared-medium topology as shown in Figure 23-6, BackboneFast is...
Chapter 23 Configuring Optional STP Features Enabling BackboneFast Command | Purpose Step 1 | Switch(config)# [no] spanning-tree backbonefast | Enables BackboneFast. You can use the no keyword to disable BackboneFast. Step 2 | Switch(config)# end | Exits configuration mode. Step 3 | Switch# show spanning-tree backbonefast | Verifies that BackboneFast is enabled. This example shows how to enable BackboneFast: Switch(config)# spanning-tree backbonefast...
Chapter 23 Configuring Optional STP Features Enabling BackboneFast Number of RLQ response PDUs sent (all VLANs) Switch# This example shows how to display the total lines of the spanning tree state section: Switch# show spanning-tree summary totals Root bridge for:VLAN0001, VLAN1002-VLAN1005 Extended system ID is disabled Portfast...
All interfaces in each EtherChannel must be the same speed and must be configured as either Layer 2 or Layer 3 interfaces. Note: The network device to which a Catalyst 4500 series switch is connected may impose its own limits on the number of interfaces in an EtherChannel.
You can configure EtherChannels manually or use the Port Aggregation Control Protocol (PAgP) or the Link Aggregation Control Protocol (LACP) (Cisco IOS Release 12.2(25)EWA and later), to form EtherChannels. The EtherChannel protocols allow ports with similar characteristics to form an EtherChannel through dynamic negotiation with connected network devices.
IEEE 802.3ad LACP EtherChannel Configuration Cisco IOS Release 12.2(25)EWA and later releases support IEEE 802.3ad LACP EtherChannels. LACP supports the automatic creation of EtherChannels by exchanging LACP packets between LAN ports. LACP packets are exchanged only between ports in passive and active modes.
Chapter 24 Configuring EtherChannel and Link State Tracking EtherChannel Configuration Guidelines and Restrictions • LACP administrative key: LACP automatically configures an administrative key value equal to the channel group identification number on each port configured to use LACP. The administrative key defines the ability of a port to aggregate with other ports.
Chapter 24 Configuring EtherChannel and Link State Tracking Configuring EtherChannel • For Layer 2 EtherChannels: – Assign all interfaces in the EtherChannel to the same VLAN, or configure them as trunks. – If you configure an EtherChannel from trunk interfaces, verify that the trunking mode and the ...
Chapter 24 Configuring EtherChannel and Link State Tracking Configuring EtherChannel These sections describe Layer 3 EtherChannel configuration: • Creating Port Channel Logical Interfaces, page 24-7 • Configuring Physical Interfaces as Layer 3 EtherChannels, page 24-7 Creating Port Channel Logical Interfaces Note: To move an IP address from a physical interface to an EtherChannel, you must delete the IP address from the physical interface before configuring it on the port channel interface.
Chapter 24 Configuring EtherChannel and Link State Tracking Configuring EtherChannel Command | Purpose Step 3 | Switch(config-if)# no ip address | Ensures that no IP address is assigned to the physical interface. Step 4 | Switch(config-if)# channel-group port_channel_number mode {active | on | auto | passive | desirable} | Configures the interface in a port channel and specifies the PAgP or LACP mode.
Chapter 24 Configuring EtherChannel and Link State Tracking Configuring EtherChannel Timers: H - Hello timer is running. Q - Quit timer is running. S - Switching timer is running. I - Interface timer is running. Local information: Hello Partner PAgP Learning Group Port...
To configure Layer 2 EtherChannels, configure the Ethernet interfaces with the channel-group command. This operation creates the port channel logical interface. Note: Cisco IOS software creates port channel interfaces for Layer 2 EtherChannels when you configure Layer 2 Ethernet interfaces with the channel-group command.
Chapter 24 Configuring EtherChannel and Link State Tracking Configuring EtherChannel interface Port-channel2 switchport access vlan 10 switchport mode access Switch# The following two examples show how to verify the configuration of Fast Ethernet interface 5/6: Switch# show running-config interface fastethernet 5/6 Building configuration...
Chapter 24 Configuring EtherChannel and Link State Tracking Configuring EtherChannel Fa5/7 Time since last port bundled: 00h:23m:33s Fa5/6 Switch# Configuring LACP Standalone or Independent Mode This feature is particularly relevant when a port (A) in a Layer 2 LACP EtherChannel is connected to an unresponsive port (B) on the peer.
Chapter 24 Configuring EtherChannel and Link State Tracking Configuring EtherChannel Switch# This example shows how to verify the state of port channel interface 1: Switch# show etherchannel 1 port-channel Port-channels in the group: --------------------------- Port-channel: Po13 (Primary Aggregator) ------------ Age of the Port-channel = 0d:00h:07m:57s Logical slot/port = 11/13...
Chapter 24 Configuring EtherChannel and Link State Tracking Configuring EtherChannel This example shows how to verify the configuration: Switch# show lacp sys-id 23456,0050.3e8d.6400 Switch# The system priority is displayed first, followed by the MAC address of the switch. Configuring EtherChannel Load Balancing Load balancing can only be configured globally.
Chapter 24 Configuring EtherChannel and Link State Tracking Configuring EtherChannel IPv6: Source XOR Destination IP address Switch# Removing an Interface from an EtherChannel To remove an Ethernet interface from an EtherChannel, perform this task: Command | Purpose Step 1 | Switch(config)# interface {fastethernet | gigabitethernet | tengigabitethernet} slot/port | Selects a physical interface to configure. Step 2...
Displaying EtherChannel to a Virtual Switch System Catalyst 4500 series switches support enhanced PAgP. If a Catalyst 4500 series switch is connected to a Catalyst 6500 series Virtual Switch System (VSS) by using a PAgP EtherChannel, the Catalyst 4500 series switch automatically serves as a VSS client, using enhanced PAgP on this EtherChannel for dual-active detection.
(Catalyst 4500 series switch) Active_ID = B’s MAC As a remote switch, the Catalyst 4500 series switch supports stateful VSS client. In particular, the ID of the current active virtual switch is synchronized from the active supervisor engine to the redundant supervisor engine of the Catalyst 4500 series switch.
Chapter 24 Configuring EtherChannel and Link State Tracking Understanding Link-State Tracking Displaying EtherChannel Links to VSS To display the dual-active detection capability of a configured PAgP port channel, enter the show pagp port_channel_number dual-active command. The command provides the following information: •...
Chapter 24 Configuring EtherChannel and Link State Tracking Understanding Link-State Tracking Figure 24-3 on page 24-20 shows a network configured with link-state tracking. To enable link-state tracking, create a link-state group, and specify the interfaces that are assigned to the link-state group. An interface can be an aggregation of ports (an EtherChannel), a single physical port in access or trunk mode, or a routed port.
Chapter 24 Configuring EtherChannel and Link State Tracking Understanding Link-State Tracking As an example of a connectivity change from link-state group 1 to link-state group 2 on switch A, see Figure 24-3 on page 24-20. If the upstream link for port 6 is lost, the link states of downstream ports 1 and 2 do not change.
Chapter 24 Configuring EtherChannel and Link State Tracking Configuring Link-State Tracking Command | Purpose Step 4 | Switch(config-if)# link state group [number] {upstream | downstream} | Specifies a link-state group, and configures the interface as either an upstream or downstream interface in the group. The group number can be 1 to 10;...
Chapter 25 Configuring IGMP Snooping and Filtering About IGMP Snooping • IGMP Snooping Querier, page 25-4 • Explicit Host Tracking, page 25-4 Note: Quality of service does not apply to IGMP packets. IGMP snooping allows a switch to snoop or capture information from IGMP packets transmitted between hosts and a router.
Chapter 25 Configuring IGMP Snooping and Filtering About IGMP Snooping In contrast, IGMPv3 hosts send IGMPv3 membership reports (with the allow group record mode) to join a specific multicast group. When IGMPv3 hosts send membership reports (with the block group record) to reject traffic from all sources in the previous source list, the last host on the port is removed by immediate-leave if EHT is enabled.
In Cisco IOS Release 12.2(31)SG and later, you can configure the length of time that the switch waits after sending a group-specific query to determine if hosts are still interested in a specific multicast group.
Chapter 25 Configuring IGMP Snooping and Filtering Configuring IGMP Snooping Configuring IGMP Snooping Note: When configuring IGMP, configure the VLAN in the VLAN database mode. See Chapter 15, “Configuring VLANs, VTP, and VMPS.” IGMP snooping allows switches to examine IGMP packets and make forwarding decisions based on their content.
Chapter 25 Configuring IGMP Snooping and Filtering Configuring IGMP Snooping This example shows how to enable IGMP snooping on VLAN 2 and verify the configuration: Switch# configure terminal Switch(config)# ip igmp snooping vlan 2 Switch(config)# end Switch# show ip igmp snooping vlan 2 Global IGMP Snooping configuration: ----------------------------------- IGMP snooping...
Chapter 25 Configuring IGMP Snooping and Filtering Configuring IGMP Snooping This example shows how to configure IP IGMP snooping to learn from CGMP self-join packets: Switch# configure terminal Switch(config)# ip igmp snooping vlan 1 mrouter learn cgmp Switch(config)# end Switch# Configuring a Static Connection to a Multicast Router To configure a static connection to a multicast router, enter the ip igmp snooping vlan mrouter interface command on the switch.
Chapter 25 Configuring IGMP Snooping and Filtering Configuring IGMP Snooping This example shows how to enable IGMP immediate-leave processing on interface VLAN 200 and to verify the configuration: Switch# configure terminal Switch(config)# ip igmp snooping vlan 200 immediate-leave Configuring immediate leave on vlan 200 Switch(config)# end Switch# show ip igmp interface vlan 200 | include immediate leave Immediate leave...
When the topology changes, the Catalyst 4500 series switch takes special actions to ensure that multicast traffic is delivered to all multicast receivers in that VLAN.
When the spanning tree protocol is running in a VLAN, a spanning tree topology change notification (TCN) is issued by the root switch in the VLAN. A Catalyst 4500 series switch that receives a TCN in a VLAN for which IGMP snooping has been enabled immediately enters into multicast flooding mode for a period of time until the topology restabilizes and the new locations of all multicast receivers are learned.
When a spanning tree root switch receives a topology change in an IGMP snooping-enabled VLAN, the switch issues a query solicitation that causes a Cisco IOS router to send out one or more general queries. The new command ip igmp snooping tcn query solicit causes the switch to send the query solicitation whenever it notices a topology change, even if that switch is not the spanning tree root.
Chapter 25 Configuring IGMP Snooping and Filtering Displaying IGMP Snooping Information • Displaying MAC Address Multicast Entries, page 25-18 • Displaying IGMP Snooping Information on a VLAN Interface, page 25-18 • Configuring IGMP Filtering, page 25-20 Displaying Querier Information To display querier information, perform this task: Command | Purpose Switch# show ip igmp snooping querier [vlan...
Chapter 25 Configuring IGMP Snooping and Filtering Displaying IGMP Snooping Information This example shows how to display the host types and ports of a group in VLAN 1: Switch# show ip igmp snooping groups vlan 10 226.6.6.7 Vlan Group Version Ports --------------------------------------------------------- 226.6.6.7...
Chapter 25 Configuring IGMP Snooping and Filtering Displaying IGMP Snooping Information To display multicast router interfaces, perform this task: Command Purpose Displays multicast router interfaces. Switch# show ip igmp snooping mrouter vlan vlan_ID This example shows how to display the multicast router interfaces in VLAN 1: Switch# show ip igmp snooping mrouter vlan 1 vlan ports...
Chapter 25 Configuring IGMP Snooping and Filtering Displaying IGMP Snooping Information This example shows how to display IGMP snooping information on VLAN 5: Switch# show ip igmp snooping vlan 5 Global IGMP Snooping configuration: ----------------------------------- IGMP snooping :Enabled IGMPv3 snooping support :Full Report suppression :Enabled...
Chapter 25 Configuring IGMP Snooping and Filtering Configuring IGMP Filtering Table 25-2 Default IGMP Filtering Settings Feature Default Setting IGMP filters No filtering IGMP maximum number of IGMP groups No limit IGMP profiles None defined Configuring IGMP Profiles To configure an IGMP profile and to enter IGMP profile configuration mode, use the ip igmp profile global configuration command.
Chapter 25 Configuring IGMP Snooping and Filtering Configuring IGMP Filtering To delete a profile, use the no ip igmp profile profile-number global configuration command. To delete an IP multicast address or range of IP multicast addresses, use the no range ip multicast address IGMP profile configuration command.
Chapter 25 Configuring IGMP Snooping and Filtering Configuring IGMP Filtering Switch# show running-config interface fastethernet2/12 Building configuration... Current configuration : 123 bytes interface FastEthernet2/12 no ip address shutdown snmp trap link-status ip igmp max-groups 25 ip igmp filter 4 Setting the Maximum Number of IGMP Groups You can set the maximum number of IGMP groups that a Layer 2 interface can join by using the ip igmp max-groups interface configuration command.
Chapter 25 Configuring IGMP Snooping and Filtering Displaying IGMP Filtering Configuration interface FastEthernet2/12 no ip address shutdown snmp trap link-status ip igmp max-groups 25 ip igmp filter 4 Displaying IGMP Filtering Configuration You can display IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface.
Chapter 26 Configuring IPv6 MLD Snooping About MLD Snooping MLD is a protocol used by IPv6 multicast routers to discover the presence of multicast listeners (nodes that want to receive IPv6 multicast packets) on its directly attached links and to discover which multicast packets are of interest to neighboring nodes.
Chapter 26 Configuring IPv6 MLD Snooping About MLD Snooping MLD Queries The switch sends out MLD queries, constructs an IPv6 multicast address database, and generates MLD group-specific and MLD group-and-source-specific queries in response to MLD Done messages. The switch also supports report suppression, report proxying, Immediate-Leave functionality, and static IPv6 multicast MAC-address configuration.
Chapter 26 Configuring IPv6 MLD Snooping About MLD Snooping MLD Reports The processing of MLDv1 join messages is essentially the same as with IGMPv2. When no IPv6 multicast routers are detected in a VLAN, reports are not processed or forwarded from the switch. When IPv6 multicast routers are detected and an MLDv1 report is received, an IPv6 multicast group address and an IPv6 multicast MAC address are entered in the VLAN MLD database.
Chapter 26 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping configuration command. The default is to send two queries. The switch also generates MLDv1 global Done messages with valid link-local IPv6 source addresses when the switch becomes the STP root in the VLAN or when it is configured by the user.
The total number of IPv4 and IPv6 multicast group entries that can coexist on the Catalyst 4500 series switch is limited to 16384. • The supervisor engine with 512 MB of memory supports about 11000 MLD Snooping multicast...
Chapter 26 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping To disable MLD snooping on a VLAN interface, use the no ipv6 mld snooping vlan vlan-id global configuration command for the specified VLAN number. Configuring a Static Multicast Group Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure an IPv6 multicast address and member ports for a VLAN.
Chapter 26 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping Configuring MLD Snooping Queries When Immediate Leave is not enabled and a port receives an MLD Done message, the switch generates MASQs on the port and sends them to the IPv6 multicast address for which the Done message was sent. You can optionally configure the number of MASQs that are sent and the length of time the switch waits for a response before deleting the port from the multicast group.
Chapter 26 Configuring IPv6 MLD Snooping Displaying MLD Snooping Information Switch# configure terminal Switch(config)# ipv6 mld snooping robustness-variable 3 Switch(config)# exit This example shows how to set the MLD snooping last-listener query count for a VLAN to 3: Switch# configure terminal Switch(config)# ipv6 mld snooping vlan 200 last-listener-query-count 3 Switch(config)# exit This example shows how to set the MLD snooping last-listener query interval (maximum response time)
Chapter 26 Configuring IPv6 MLD Snooping Displaying MLD Snooping Information Table 26-2 Commands for Displaying MLD Snooping Information Command | Purpose show ipv6 mld snooping [vlan vlan-id] | Displays the MLD snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN.
Chapter 27 Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling About 802.1Q Tunneling About 802.1Q Tunneling The VLAN ranges required by different customers in the same service provider network might overlap, and customer traffic through the infrastructure might be mixed. Assigning a unique range of VLAN IDs to each customer restricts customer configurations and could easily exceed the VLAN limit (4096) of the 802.1Q specification.
Chapter 27 Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling Configuring 802.1Q Tunneling Figure 27-2 Original (Normal), 802.1Q, and Double-Tagged Ethernet Packet Formats (IA, MA) (IB, MB) (IC, MC) When the packet enters the trunk port of the service provider egress switch, the metro tag is again stripped as the switch processes the packet.
Chapter 27 Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling Configuring 802.1Q Tunneling Native VLANs When configuring 802.1Q tunneling on an edge switch, you must use 802.1Q trunk ports for sending packets into the service provider network. However, packets going through the core of the service provider network can be carried through 802.1Q trunks, ISL trunks, or nontrunking links.
Q = 802.1Q trunk ports System MTU The default system MTU for traffic on the Catalyst 4500 series switch is 1500 bytes. You can configure the switch to support larger frames by using the system mtu global configuration command. Because the 802.1Q tunneling feature increases the frame size by 4 bytes when the metro tag is added, you must...
Loopback detection is supported on 802.1Q tunnel ports. • When a port is configured as an 802.1Q tunnel port, spanning-tree bridge protocol data unit (BPDU) filtering is automatically enabled on the interface. Cisco Discovery Protocol (CDP) is automatically disabled on the interface. Configuring an 802.1Q Tunneling Port To configure a port as an 802.1Q tunnel port, perform this task:...
Chapter 27 Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling About VLAN Mapping Switch(config-if)# exit Switch(config)# vlan dot1q tag native Switch(config)# end Switch# show dot1q-tunnel interface gigabitethernet2/7 Port ----- LAN Port(s) ----- Gi2/7 Switch# show vlan dot1q tag native dot1q native vlan tagging is enabled globally About VLAN Mapping In a typical deployment of VLAN mapping, you want the service provider to provide a transparent...
SP Network Customer B edge switch All forwarding operations on the Catalyst 4500 series switch are performed using S-VLAN and not C-VLAN information because the VLAN ID is mapped to the S-VLAN on ingress. Note When you configure features on a port configured for VLAN mapping, you always use the S-VLAN rather than the customer VLAN-ID (C-VLAN).
Chapter 27 Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling Configuring VLAN Mapping Mapping Customer VLANs to Service-Provider VLANs Figure 27-5 shows a topology where a customer uses the same VLANs in multiple sites on different sides of a service-provider network. You map the customer VLAN IDs to service-provider VLAN IDs for packet travel across the service-provider backbone.
“Monitoring and Maintaining Tunneling Status” section on page 27-18 for the syntax of these commands. For more information about all commands in this section, see the Catalyst 4500 Series Switch Software Command Reference for this release. The following VLAN mapping types are discussed: • One-to-One Mapping, page 27-11 •...
Chapter 27 Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling Configuring VLAN Mapping Switch(config-if)# switchport vlan mapping 4 104 Switch(config-if)# switchport vlan mapping 4 105 Switch(config-if)# exit In the previous example, at the ingress of the service-provider network, VLAN IDs 1 to 5 in the customer network are mapped to VLANs 101 to 105, in the service provider network.
• CDP discovers and shows information about the other Cisco devices connected through the service provider network.
Chapter 27 Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling About Layer 2 Protocol Tunneling • VTP provides consistent VLAN configuration throughout the customer network, propagating to all switches through the service provider. Layer 2 protocol tunneling can be enabled on trunk, access and tunnel ports. If protocol tunneling is not enabled, remote switches at the receiving end of the service provider network do not receive the PDUs and cannot properly run STP, CDP, and VTP.
PDU-destination MAC address with a well-known Cisco proprietary multicast address (01-00-0c-cd-cd-d0). If 802.1Q tunneling is enabled, packets are also double-tagged; the outer tag is the customer metro tag, and the inner tag is the customer’s VLAN tag.
Chapter 27 Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling • Because tunneled PDUs (especially STP BPDUs) must be delivered to all remote sites so that the customer virtual network operates properly, you can give PDUs higher priority within the service provider network than data packets received from the same tunnel port.
Monitoring and Maintaining Tunneling Status
Step 8 Switch(config)# errdisable recovery cause l2ptguard — (Optional) Configures the recovery method from a Layer 2 maximum-rate error so that the interface is reenabled and can try again. Errdisable recovery is disabled by default;...
Switch# show vlan dot1q native
Note With Cisco IOS Release 12.2(20)EW, the BPDU filtering configuration for both dot1q and Layer 2 protocol tunneling is no longer visible in the running configuration as spanning-tree bpdufilter enable. The configuration is visible in the output of the show spanning tree int detail command.
Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location: http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html If the command is not found in the Catalyst 4500 Series Switch Command Reference, it will be found in the larger Cisco IOS library. Refer to the Cisco IOS Command Reference and related publications at this location: http://www.cisco.com/en/US/products/ps6350/index.html...
Configuring CDP
CDP runs on all LAN and WAN media that support Subnetwork Access Protocol (SNAP). Each CDP-configured device sends periodic messages to a multicast address. Each device advertises at least one address at which it can receive SNMP messages. The advertisements also contain the time-to-live, or holdtime information, which indicates the length of time a receiving device should hold CDP information before discarding it.
Enabling CDP on an Interface
To enable CDP on an interface, use this command:
Switch(config-if)# [no] cdp enable — Enables CDP on an interface. Use the no keyword to disable CDP on an interface.
This example shows how to enable CDP on Fast Ethernet interface 5/1:
Switch(config)# interface fastethernet 5/1
Switch(config-if)# cdp enable...
Switch# show cdp entry entry_name [protocol | version] — Displays information about a specific neighbor. The display can be limited to protocol or version information.
Switch# show cdp interface [type/number] — Displays information about interfaces on which CDP is enabled.
• LLDP
The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches). CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network.
Configuring LLDP, LLDP-MED, and Location Service About LLDP, LLDP-MED, and Location Service To support non-Cisco devices and to allow for interoperability between other devices, the switch supports the IEEE 802.1AB LLDP. LLDP is a neighbor discovery protocol that is used for network devices to advertise information about themselves to other devices on the network.
The location service feature enables the switch to provide location and attachment tracking information for its connected devices to a Cisco Mobility Services Engine (MSE). The tracked device can be a wireless endpoint, a wired endpoint, or a wired switch or controller. The switch reports device link-up and link-down events through Network Mobility Services Protocol (NMSP) location and attachment notifications to the MSE.
Configuring LLDP and LLDP-MED, and Location Service
• Slot, port, and port-type
• Client’s MAC address
• Client’s IP address
• 802.1X username if applicable
• Device category is specified as a wired station
•...
Default LLDP Configuration
Table 29-1 shows the default LLDP configuration. To change the default settings, use the LLDP global configuration and LLDP interface configuration commands.
Table 29-1 Default LLDP Configuration
Feature...
Step 6 Switch(config)# copy running-config startup-config — Saves your entries in the configuration file.
Step 7 Switch(config)# lldp med-tlv-select — (Optional) Specifies the LLDP-MED TLVs to send or receive.
Note Use the no form of each of the LLDP commands to return to the default setting.
Step 2 Switch(config)# lldp run — Enables LLDP.
Step 3 Switch(config)# end — Returns to privileged EXEC mode.
This example shows how to globally disable LLDP:
Switch# configure terminal
Switch(config)# no lldp run
Switch(config)# end...
Step 5 Switch(config)# end — Returns to privileged EXEC mode.
Step 6 Switch# copy running-config startup-config — Saves your entries in the configuration file.
This example shows how to enable LLDP on an interface:
Switch# configure terminal
Switch(config)# interface GigabitEthernet 1/1
Switch(config-if)# lldp transmit...
Configuring LLDP-MED TLVs
By default, the switch only sends LLDP packets until it receives LLDP-MED packets from the end device. The switch continues to send LLDP-MED packets until it only receives LLDP packets. By using the lldp interface configuration command, you can configure the interface not to send the TLVs listed in Table...
Configuring Network-Policy Profile
To create a network-policy profile, configure the policy attributes, and apply it to an interface, perform this task:
Step 1 Enters global configuration mode.
Switch(config-network-policy)# voice vlan dot1p dscp 34
Note As of Cisco IOS Release 12.2(54)SG, the Catalyst 4500 series switch supports only 2 applications: voice and voice signaling. The default cos/dscp values are 5/46 for a voice application and 3/24 for voice signaling.
Step 3 Switch(config-if)# lldp tlv-select power-management — Enables LLDP power negotiation.
Step 4 Switch(config-if)# end — Returns to privileged EXEC mode.
Step 5 Switch# copy running-config — (Optional) Saves your entries in the configuration file.
Note Your switch must be running the cryptographic (encrypted) software image in order to enable the location service feature. Your Cisco Mobility Service Engine (MSE) must be running Heitz 6.0 or later software image to support wired location service.
Monitoring and Maintaining LLDP, LLDP-MED, and Location Service
Step 4 Switch(config)# nmsp notification interval {attachment | location} interval-seconds — Specifies the NMSP notification interval. attachment—Specify the attachment notification interval. location—Specify the location notification interval. interval-seconds—Duration in seconds before a switch sends the location or attachment updates to the MSE.
[detail]
Cisco IOS Carrier Ethernet Features in Cisco IOS XE 3.1.0SG
This section provides a list of High Availability software features that are supported in Cisco IOS XE 3.1.0SG. Links to the feature documentation are included. Feature guides may contain information about more than one feature. To find information about a specific feature within a feature guide, see the Feature Information table at the end of the guide.
Configuring UDLD
About UDLD
Starting with Cisco IOS Release 12.2(54)SG, the Fast UDLD enhancement was added. It supports timers in the few-hundred-millisecond range, which enables subsecond unidirectional link detection. With Fast UDLD, the time to detect a unidirectional link can vary from less than one second to a few seconds (the detection time also depends on how the timers are configured).
Figure 30-2 Fast UDLD Topology (figure: Switch A and Switch B connected by an EtherChannel consisting of two interfaces)
Note For Fast UDLD, Catalyst 4900M, Catalyst 4948E, Supervisor Engine 6-E, Supervisor 6L-E, Supervisor 7-E, and Supervisor Engine 7L-E support up to 32 ports.
Operation Modes
UDLD and Fast UDLD support the following operation modes:
Normal—A UDLD-capable port (A) periodically sends a UDLD probe to a second port (B).
Default UDLD Configuration
Table 30-1 shows the UDLD default configuration.
Table 30-1 UDLD Default Configuration
Feature — Default Status
UDLD global enable state — Globally disabled.
UDLD per-interface enable state for fiber-optic media — Enabled on all Ethernet fiber-optic interfaces.
UDLD per-interface enable state for twisted-pair (copper) media — Disabled on all Ethernet 10/100 and 1000BASE-TX interfaces.
The range is from 1 to 90 seconds.
Note Prior to Cisco IOS Release 12.2(31)SGA, the timer range is 7 to 90 seconds. With Cisco IOS Release 12.2(31)SGA, the timer range is 1 to 90 seconds.
Enabling UDLD on Individual Interfaces
To enable UDLD on individual interfaces, perform this task:
Step 1 Switch(config-if)# udld port — Enables UDLD in normal mode on a specific interface. On a fiber-optic interface, this command overrides the udld enable global configuration command setting.
Disabling UDLD on Individual Interfaces
To disable UDLD on individual interfaces, perform this task:
Step 1 Switch(config-if)# no udld port — Disables UDLD on an interface. The following applies:
• On fiber-optic interfaces, the no udld port command reverts the interface configuration to the setting established with the udld enable global...
1 to 90 seconds.
Note Prior to Cisco IOS Release 12.2(31)SGA, the time interval is 7 to 90 seconds. With Cisco IOS Release 12.2(31)SGA, the time interval is 1 to 90 seconds.
Displaying UDLD Link Status
To verify link status reported by UDLD, enter the following command:
Switch# show udld neighbors
Port   Device Name   Device ID   Port ID   Neighbor State
----   -----------   ---------   -------   --------------
Gi1/33 FOX10430380...
To verify status for a particular link as reported by Fast UDLD, enter the following command:
Switch# show udld fast-hello g1/33
Interface Gi1/33
Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected...
Configuring Unidirectional Ethernet
Note You must configure Unidirectional Ethernet on the non-blocking Gigabit Ethernet port, which automatically disables UDLD on the port.
To enable Unidirectional Ethernet, perform this task:
Step 1 Selects the interface to configure.
This example shows how to verify the configuration:
Switch> show interface gigabitethernet 1/1 unidirectional
show interface gigabitethernet 1/1 unidirectional
Unidirectional configuration mode: send only
CDP neighbor unidirectional configuration mode: receive only
This example shows how to disable Unidirectional Ethernet on Gigabit Ethernet interface 1/1:
Switch# configure terminal
Enter configuration commands, one per line.
About Layer 3 Interfaces
Note On a Catalyst 4500 Series Switch, a physical Layer 3 interface has MAC address learning enabled.
This section contains the following subsections:
• Logical Layer 3 VLAN Interfaces, page 32-2
•...
Figure 32-2 Physical Layer 3 Interfaces for the Catalyst 4500 Series Switch (figure: a router with two Ethernet interfaces, 1.1.1.1 and 2.1.1.1, connecting Host 1 and Host 2)
Physical Inter-VLAN Routing on a Catalyst 4500 series switch...
• Input multicast
• Output unicast
• Output multicast
For each counter type, both the number of packets and the total number of bytes received or transmitted are counted. You can collect these statistics uniquely for IPv4 and IPv6 traffic. Because the total number of supported Layer 3 interfaces exceeds the number of counters supported by hardware, all Layer 3 interfaces might not have counters.
A Catalyst 4500 series switch does not support subinterfaces or the encapsulation keyword on Layer 3 Fast Ethernet, Gigabit Ethernet, or 10-Gigabit Ethernet interfaces.
Note As with any Layer 3 interface running Cisco IOS software, the IP address and network assigned to an SVI cannot overlap those assigned to any other Layer 3 interface on the switch.
Configuring Logical Layer 3 VLAN Interfaces
Note Before you can configure logical Layer 3 VLAN interfaces, you must create and configure the VLANs on the switch, assign VLAN membership to the Layer 2 interfaces, enable IP routing if IP routing is disabled, and specify an IP routing protocol.
Configuring IP MTU Sizes
You can set the protocol-specific maximum transmission unit (MTU) size of IPv4 or IPv6 packets that are sent on an interface. For information on MTU limitations, refer to “Maximum Transmission Units” on page 25.
Note To set the nonprotocol-specific MTU value for an interface, use the mtu interface configuration command.
The following example shows how to configure IPv6 MTU on an interface:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface vlan 1
Switch(config-if)# ipv6 mtu 1280
Switch(config)# end
This example shows how to verify the configuration...
Step 3 Switch(config-if)# counter {ipv4 | ipv6 | ipv4 ipv6 separate} — Enables counters. counter—Enables collection of IPv4 and IPv6 statistics and displays them as a sum. counter ipv4—...
Configuring Physical Layer 3 Interfaces
Note Before you can configure physical Layer 3 interfaces, you must enable IP routing if IP routing is disabled, and specify an IP routing protocol.
To configure physical Layer 3 interfaces, perform this task:
For more information about EIGRP stub routing, see the “Configuring EIGRP Stub Routing” part of the Cisco IOS IP Configuration Guide, Volume 2 of 3: Routing Protocols, Release 12.2.
Configuring EIGRP Stub Routing
The EIGRP stub routing feature improves network stability, reduces resource utilization, and simplifies stub switch configuration.
By default, the ip classless command is enabled in all Cisco IOS images that support the EIGRP stub routing feature. Without the stub feature, even after the routes that are sent from the distribution router to the remote router have been filtered or summarized, a problem might occur.
Figure 32-5 Simple Dual-Homed Remote Topology (figure: Distribution router 1 (hub) and Distribution router 2 (hub) connect the corporate network to a Remote router (spoke))
Figure 32-5 shows a simple dual-homed remote with one remote router and two distribution routers. Both distribution routers maintain routes to the corporate network and stub network 10.1.1.0/24.
network. The use of the lower-bandwidth route through the remote router might cause the WAN EIGRP distribution routers to be dropped. Serial lines on distribution and remote routers could also be dropped, and EIGRP SIA errors on the distribution and core routers could occur.
Note Multi-access interfaces, such as ATM, Ethernet, Frame Relay, ISDN PRI, and X.25, are supported by the EIGRP stub routing feature only when all routers on that interface, except the hub, are configured as stub routers.
default route learned from the neighbors is displaced by the summary default route, or if the summary route is the only default route present, all traffic destined for the default route does not leave the router. Instead, this traffic is sent to the null 0 interface where it is dropped.
• static
• summary
This section provides configuration examples for all forms of the eigrp stub command. The eigrp stub command can be modified with several options, and these options can be used in any combination except for the receive-only keyword.
IP routing table. On the Catalyst 4500 series switches, CEF loads the FIB into the integrated switching engine hardware to increase the performance of forwarding. The integrated switching engine has a finite number of forwarding slots for storing routing information.
When the Layer 2 information is known, the packet is forwarded to the route processor, and the adjacency is determined through ARP.
Catalyst 4500 Series Switch Implementation of CEF
Catalyst 4500 series switches support an ASIC-based integrated switching engine that provides these features:
• Ethernet bridging at Layer 2
•...
Software Interfaces Cisco IOS for the Catalyst 4500 series switch supports GRE and IP tunnel interfaces that are not part of the hardware forwarding engine. All packets that flow to or from these interfaces must be processed in software and have a significantly lower forwarding rate than that of hardware-switched interfaces.
Switch(config)# [no] ip cef load-sharing algorithm include-ports [source | destination] — Enables load sharing that includes source and destination ports. Use the no keyword to set the switch to use the default Cisco IOS load-sharing algorithm.
Note The include-ports option does not apply to software-switched traffic on the Catalyst 4500 series switches.
Viewing CEF Information
You can view the collected CEF information. To view CEF information, perform this task:...
This example shows how to display IP unicast statistics for fastethernet 3/1:
Switch# show interface fastethernet 3/1 counters detail
Port    InBytes      InUcastPkts  InMcastPkts  InBcastPkts
Fa3/1   7263539133   5998222      6412307
Port    OutBytes...
This ability to look backwards is available only when Cisco Express Forwarding (CEF) is enabled on the switch, because the lookup relies on the presence of the Forwarding Information Base (FIB). CEF generates the FIB as part of its operation.
Step 5 The packet is forwarded.
This section provides information about Unicast RPF enhancements:
• Access control lists and logging
• Per-interface statistics
Figure 34-1 illustrates how Unicast RPF and CEF work together to validate IP source addresses by verifying packet return paths.
This section provides information about the implementation of Unicast RPF:
• Security Policy and Unicast RPF, page 34-5
• Where to Use Unicast RPF, page 34-5
• Routing Table Requirements, page 34-7
•...
ACLs work well for many single-homed customers; however, there are trade-offs when ACLs are used as ingress filters, including two commonly referenced limitations:
• Packet per second (PPS) performance at very high packet rates. This restriction applies only to software packet forwarding.
Unicast RPF works with a single default route. No additional routes or routing protocols exist. Network 192.168.10.0/22 is a connected network. Packets arriving from the Internet with a source address in the range 192.168.10.0/22 are dropped by Unicast RPF.
Related Features and Technologies
For more information about Unicast RPF-related features and technologies, review the following:
• Unicast RPF requires Cisco Express Forwarding (CEF) to function properly on the switch. For more information about CEF, refer to the Cisco IOS Switching Services Configuration Guide.
Internet or to other networks, you can permit only packets with valid source IP addresses to leave your network. For more information on network filtering, refer to RFC 2267 and to the Cisco IOS IP Configuration Guide.
Unicast RPF Configuration Tasks
To configure Unicast RPF, perform the following task:
Step 1 Switch(config-if)# interface type — Selects the input interface on which you want to apply Unicast RPF. It is the receiving interface, allowing Unicast RPF to verify the best return path before forwarding the packet on to the next destination.
Monitoring and Maintaining Unicast RPF
To monitor and maintain Unicast RPF, perform this task:
Switch# show ip traffic — Displays global switch statistics about Unicast RPF drops and suppressed drops.
Unicast RPF Configuration Example: Inbound and Outbound Filters
The show access-lists command displays the number of matches found for a specific entry in a specific access list.
Switch> show access-lists
Extended IP access list 197
    deny ip 192.168.201.0 0.0.0.63 any log-input (1 match)
    permit ip 192.168.201.64 0.0.0.63 any log-input (1 match)
    deny ip 192.168.201.128 0.0.0.63 any log-input...
IP multicast group. In the multicasting process on the Catalyst 4500 series switch, a packet is replicated in the Integrated Switching Engine, forwarded to the appropriate output interfaces, and sent to each member of the multicast group.
Figure 35-1 IP Multicast Routing Protocols (figure: Host A and Host B attached to a Catalyst 4500 series switch running IGMP and IGMP snooping, with a router toward the Internet)
Internet Group Management Protocol
IGMP messages are used by IP multicast hosts to send their local Layer 3 switch or router a request to join a specific multicast group and begin receiving multicast traffic.
(RPs). Senders to a multicast group use RPs to announce their presence. Receivers of multicast packets use RPs to learn about new senders. You can configure Cisco IOS software so that packets for a single multicast group can use one or more RPs.
• S/M, 224/4, page 35-12
CEF, MFIB, and Layer 2 Forwarding
The implementation of IP multicast on the Catalyst 4500 series switch is an extension of centralized Cisco Express Forwarding (CEF). CEF extracts information from the unicast routing table, which is created by unicast routing protocols such as BGP, OSPF, and EIGRP, and loads it into the hardware Forwarding Information Base (FIB).
FIB and Replica Expansion Table (RET). The Catalyst 4500 series switch performs Layer 3 routing and Layer 2 bridging at the same time. There can be multiple Layer 2 switch ports on any VLAN interface. To determine the set of output switch ports on which to forward a multicast packet, the Supervisor Engine III combines Layer 3 MFIB information with Layer 2 forwarding information and stores it in the hardware MET for packet replication.
(1/1,1/2, 2/1, 2/2, 3/1, and 3/2). IP Multicast Tables Figure 35-4 shows some key data structures that the Catalyst 4500 series switch uses to forward IP multicast packets in hardware. Figure 35-4 IP Multicast Tables and Protocols...
Output interface lists are stored in the multicast expansion table (MET). The MET has room for up to 32,000 output interface lists. (For RET, there can be up to 102 K entries: 32 K used for floodsets and 70,000 used for multicast entries.)
Replication is a particular type of forwarding where, instead of sending out one copy of the packet, the packet is replicated and multiple copies of the packet are sent out. At Layer 3, replication occurs only for multicast packets;...
Non-Reverse Path Forwarding Traffic
Traffic that fails a Reverse Path Forwarding (RPF) check is called non-RPF traffic. Non-RPF traffic is forwarded by the integrated switching engine by filtering (persistently dropping) or rate limiting the non-RPF traffic.
The Multicast Forwarding Information Base (MFIB) subsystem supports IP multicast routing in the integrated switching engine hardware on the Catalyst 4500 series switch. The MFIB logically resides between the IP multicast routing protocols in the CPU subsystem software (PIM, IGMP, MSDP, MBGP, and DVMRP) and the platform-specific code that manages IP multicast routing in hardware.
Forwarding interfaces that form what is often referred to as the multicast “olist” or output interface list.
• Signaling (S)—Sets on an interface when some multicast routing protocol process in Cisco IOS needs to be notified of packets arriving on that interface.
Note When PIM-SM routing is in use, the MFIB route might include an interface as in this example: PimTunnel [1.2.3.4].
For more detailed information on IP multicast routing, such as Auto-RP, PIM Version 2, and IP multicast static routes, refer to the Cisco IOS IP and IP Routing Configuration Guide, Cisco IOS Release 12.3. Default Configuration in IP Multicast Routing Table 35-1 shows the IP multicast default configuration.
Enabling PIM on an Interface
Enabling PIM on an interface also enables IGMP operation on that interface. An interface can be configured to be in dense mode, sparse mode, or sparse-dense mode. The mode determines how the Layer 3 switch or router populates its multicast routing table and how the Layer 3 switch or router forwards multicast packets it receives from its directly connected LANs.
If you configure sparse-dense mode, the idea of sparseness or denseness is applied to the group on the switch, and the network manager should apply the same concept throughout the network. Another benefit of sparse-dense mode is that Auto-RP information can be distributed in a dense-mode manner;...
35-28.
Enabling PIM-SSM Mapping
The Catalyst 4500 series switch supports SSM mapping, enabling an SSM transition either in cases where neither URD nor IGMP v3-lite is available, or where supporting SSM on the end system is impossible or unwanted for administrative or technical reasons. With SSM mapping, you can leverage SSM for video delivery to legacy set-top boxes (STBs) that do not support IGMPv3 or for applications that do not take advantage of the IGMPv3 host stack.
Configuring Auto-RP
Auto-rendezvous point (Auto-RP) automates the distribution of group-to-rendezvous point (RP) mappings in a PIM network. To make Auto-RP work, a router must be designated as an RP mapping agent, which receives the RP announcement messages from the RPs and arbitrates conflicts. The RP mapping agent then sends the consistent group-to-RP mappings to all other routers by way of dense mode flooding.
Step 9 Switch(config)# ip pim send-rp-announce {interface-type interface-number | ip-address} scope ttl-value [group-list access-list] [interval seconds] [bidir] — Sends RP announcements out all PIM-enabled interfaces.
• Perform this step on the RP router only.
•...
Step 11
Command: Switch(config)# ip pim rp-announce-filter rp-list access-list group-list access-list
Purpose: Filters incoming Auto-RP announcement messages coming from the RP. • Perform this step on the RP router only. •...
Switch# show ip pim rp mapping
Switch# show ip igmp groups
Switch# show ip mroute cbone-audio
Configuring a Single Static RP
If you are configuring PIM sparse mode, you must configure a PIM RP for a multicast group. An RP can either be configured statically in each device, or learned through a dynamic mechanism.
Step 10 (Optional)
Command: Switch# show ip pim rp [mapping] [rp-address]
Purpose: Displays RPs known in the network and shows how the router learned about each RP.
Step 11 (Optional)
Command: Switch# show ip igmp groups [group-name | group-address | interface-type...
Purpose: Displays the multicast groups having receivers
Chapter 35 Configuring IP Multicast Monitoring and Maintaining IP Multicast Routing
To enable IP multicast multipath, perform this task:
Step 1 Command: Switch# config t Purpose: Enters configuration mode.
Step 2 Command: Switch(config)# ip multicast multipath Purpose: Enables IP multicast multipath.
Step 3 Purpose: Exits configuration mode.
Displaying System and Network Statistics
You can display specific statistics, such as the contents of IP routing tables and databases. The information provided can be used to determine resource utilization and solve network problems. You can also display information about node reachability and discover the routing path your device’s packets are taking through the network.
The following is sample output from the show ip mroute command with the active keyword: Switch# show ip mroute active Active IP Multicast Sources - sending >= 4 kbps Group: 224.2.127.254, (sdr.cisco.com) Source: 146.137.28.69 (mbone.ipd.anl.gov) Rate: 1 pps/4 kbps(1sec), 4 kbps(last 1 secs), 4 kbps(life avg) Group: 224.2.201.241, ACM 97...
Command: Switch# show ip mfib
Purpose: Displays the (S,G) and (*,G) routes that are used for packet forwarding. Displays counts for fast, slow, and partially switched packets for every multicast route.
Command: Switch# show ip mfib all
Purpose: Displays all routes in the MFIB, including routes that may not exist directly in the upper-layer routing protocol...
Command: Switch(config)# show ip pim interface [type number] [df | count] [rp-address]
Purpose: Displays information about the elected designated forwarder (DF) for each RP of an interface, along with the unicast routing metric associated with the DF.
Chapter 35 Configuring IP Multicast Configuration Examples
Command: Switch# clear ip mroute Purpose: Deletes entries from the IP routing table.
Command: Switch# clear ip mfib counters Purpose: Deletes all per-route and global MFIB counters.
Note: IP multicast routes can be regenerated in response to protocol events and as data packets arrive.
Configuration Examples
The following sections provide IP multicast routing configuration examples:...
interfaces are used to allow this configuration and the addresses of these interfaces must be routed throughout the PIM domain so that the other routers in the PIM domain can receive Auto-RP announcements and communicate with the RP:
ip multicast-routing !Enable IP multicast routing
ip pim bidir-enable !Enable bidir-PIM...
Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location: http://www.cisco.com/en/US/products//hw/switches/ps4324/index.html If the command is not found in the Catalyst 4500 Series Switch Command Reference, it will be found in the larger Cisco IOS library. Refer to the Cisco IOS Command Reference and related publications at this location: http://www.cisco.com/en/US/products/ps6350/index.html...
Identifying a Port with the ANCP Protocol To make the Catalyst 4500 series switch operate as an ANCP client and to build and initialize its relevant data, enter the ancp mode client command. The no version of this command disables ANCP. This command disconnects the ANCP client from the ANCP server and terminates any existing multicast streams that have been enabled with ANCP.
Chapter 36 Configuring ANCP Client Enabling and Configuring ANCP Client
Step 3 (Optional) Enable the ANCP multicast client to identify this VLAN interface using the port-identifier as opposed to the Option 82 circuit-id: Switch(config)> ancp client port identifier [port-identifier] vlan [number] interface [interface]
The no version of this command prompts a warning message if any multicast stream is activated by ANCP using the port-identifier on a port:...
Hosts”). If you identify the port with DHCP option 82, you need to configure the Catalyst 4500 series switch as a DHCP relay to insert the DHCP option 82. This action adds a tag in the DHCP packet from the DHCP client so that the DHCP server knows the port connected to this specific DHCP client.
Chapter 36 Configuring ANCP Client ANCP Guidelines and Restrictions
When using (or configuring) ANCP, consider these guidelines and restrictions:
• Entering a shut command on a port removes ANCP activated multicast streams from the port. They must be reactivated by the ANCP server.
CHAPTER Configuring Bidirectional Forwarding Detection
Note: Support on the Catalyst 4500E is limited. Starting with Cisco IOS Release IOS 15.1(1)SG, Bidirectional Forwarding Detection (BFD) is supported only on Catalyst 4900M and Catalyst 4948E Ethernet switches.
Multihop configurations are not supported.
Cisco IOS Release 15.1(1)SG and Cisco Catalyst 4500 Series Switches
• Cisco Catalyst 4500 series switches support up to 128 BFD sessions with a minimum hello interval of 50 ms and a multiplier of 3. The multiplier specifies the minimum number of consecutive packets that can be missed before a session is declared down.
Configuring Bidirectional Forwarding Detection Information About Bidirectional Forwarding Detection
BFD is a detection protocol that you enable at the interface and routing protocol levels. Cisco supports the BFD asynchronous mode, which depends on the sending of BFD control packets between two systems to activate and maintain BFD neighbor sessions between switches.
BFD Version Interoperability Cisco IOS Release 15.1(1)SG supports BFD Version 1 as well as BFD Version 0. All BFD sessions come up as Version 1 by default and will be interoperable with Version 0. The system automatically performs BFD version detection, and BFD sessions between neighbors will run in the highest common BFD version between neighbors.
To ensure a successful switchover to the standby RP, the BFD protocol uses checkpoint messages to send session information from the active RP Cisco IOS instance to the standby RP Cisco IOS instance. The session information includes local and remote discriminators, adjacent router timer information, BFD setup information, and session-specific information such as the type of session and the session version.
When the BFD protocol on the standby RP is notified of a switchover it changes its state to active, registers itself with Cisco Express Forwarding so that it can receive packets, and then sends packets for any elements that have expired.
BFD control packets are sent or received. BFD echo mode, which is supported in BFD Version 1 for Cisco IOS Release 15.1(1)SG, is enabled by default. BFD echo packets are sent and received, in addition to BFD control packets. The adjacency creation takes place once you have configured BFD support for the applicable routing protocols.
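The two rules stated above, that a session is declared down once the multiplier's worth of consecutive control packets go missing (the Catalyst 4500 minimums quoted are a 50 ms interval and a multiplier of 3) and that neighbors settle on the highest BFD version both support, can be modelled in a few lines. This is an added illustration, not Cisco code; the packet timeline it replays is constructed, and the detection timer (interval times multiplier, restarted on every received packet) is this model's reading of the text, not a quotation of the Cisco implementation.

```python
"""Toy model of BFD asynchronous-mode liveness tracking and version selection.

Added illustration, not Cisco code. It models only what the guide states: a
session is declared down once `multiplier` consecutive expected control packets
are missed, and neighbors run the highest BFD version both support. The
interval/multiplier defaults mirror the Catalyst 4500 minimums (50 ms, 3); the
received-packet timeline is constructed.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

SUPPORTED_VERSIONS = (0, 1)   # Release 15.1(1)SG supports BFD Version 0 and Version 1


def negotiate_version(local: Tuple[int, ...], remote: Tuple[int, ...]) -> int:
    """Highest BFD version both sides support (the guide's 'highest common version')."""
    common = set(local) & set(remote)
    if not common:
        raise ValueError("no common BFD version between neighbors")
    return max(common)


@dataclass
class BfdSession:
    rx_interval_ms: int            # negotiated receive interval (min rx)
    multiplier: int                # consecutive misses tolerated before DOWN
    state: str = "UP"
    last_rx_ms: int = 0
    events: List[str] = field(default_factory=list)

    @property
    def detect_time_ms(self) -> int:
        # Detection time = interval x multiplier, i.e. `multiplier` packets missed in a row.
        return self.rx_interval_ms * self.multiplier

    def receive(self, now_ms: int) -> None:
        """A control packet arrived from the neighbor: restart the detection timer."""
        self.last_rx_ms = now_ms
        if self.state != "UP":
            self.state = "UP"
            self.events.append(f"{now_ms}ms: session UP")

    def tick(self, now_ms: int) -> None:
        """Timer check: declare DOWN when detect_time elapses with no packet received."""
        if self.state == "UP" and now_ms - self.last_rx_ms >= self.detect_time_ms:
            self.state = "DOWN"
            self.events.append(
                f"{now_ms}ms: session DOWN after {self.multiplier} missed packets")


def run_timeline(rx_times_ms: Iterable[int], end_ms: int,
                 interval_ms: int = 50, multiplier: int = 3) -> BfdSession:
    """Replay a constructed timeline of received control packets, checking every ms.

    A packet that lands exactly on the deadline is processed before the timer
    check, so it counts as on time (a modelling choice, not a Cisco statement).
    """
    session = BfdSession(rx_interval_ms=interval_ms, multiplier=multiplier)
    pending = sorted(rx_times_ms)
    i = 0
    for now in range(0, end_ms + 1):
        while i < len(pending) and pending[i] == now:
            session.receive(now)
            i += 1
        session.tick(now)
    return session


if __name__ == "__main__":
    # Neighbor sends at 0, 50, 100, 150, 200 ms and then falls silent.
    s = run_timeline([0, 50, 100, 150, 200], end_ms=500)
    print(s.state, s.events)   # DOWN ['350ms: session DOWN after 3 missed packets']
    print(negotiate_version(SUPPORTED_VERSIONS, (0,)))   # a Version 0 neighbor forces v0
```

Replaying a neighbor that stops after 200 ms yields a DOWN event at 350 ms, three intervals after the last packet; a neighbor that drops only two consecutive packets and resumes at 250 ms keeps the session up, which is the behaviour the multiplier definition implies.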
Chapter 37 Configuring Bidirectional Forwarding Detection How to Configure Bidirectional Forwarding Detection
Prerequisites
BGP must be running on all participating switches. The baseline parameters for BFD sessions on the interfaces over which you want to run BFD sessions to BFD neighbors must be configured. See the “Configuring BFD Session Parameters on the Interface”...
Prerequisites
EIGRP must be running on all participating switches. The baseline parameters for BFD sessions on the interfaces over which you want to run BFD sessions to BFD neighbors must be configured. See the “Configuring BFD Session Parameters on the Interface”...
• You can enable BFD on all the interfaces for which OSPF is routing by using the bfd all-interfaces command in router configuration mode.
• You can disable BFD support on individual interfaces using the ip ospf bfd [disable] command in interface configuration mode.
What to Do Next
See the “Monitoring and Troubleshooting BFD” section on page 37-16 for more information on monitoring and troubleshooting BFD. If you want to configure BFD support for another routing protocol, see the following sections:
• Configuring BFD Support for BGP, page 37-8
•...
Step 6 (Optional)
Command: show bfd neighbors [details] (for example, Switch# show bfd neighbors details)
Purpose: Displays information that can help verify if the BFD neighbor is active and displays the routing protocols that BFD has registered.
the forwarding path on the remote (neighbor) system without involving the remote system, there is an opportunity to improve the interpacket delay variance, thereby achieving quicker failure detection times than when using BFD Version 0 with BFD control packets for the BFD session.
Disabling BFD Echo Mode Without Asymmetry
The steps in this procedure show how to disable BFD echo mode without asymmetry —no echo packets will be sent by the switch, and the switch will not forward BFD echo packets that are received from any neighbor switches.
The following example shows how to configure BFD in an EIGRP network with echo mode enabled by default in Cisco IOS Release 15.1(1)SG. In the following example, the EIGRP network contains SwitchA, SwitchB, and SwitchC. Gigabit Ethernet interface 6/1 on SwitchA is connected to the same network as Gigabit Ethernet interface 6/1 on SwitchB.
run on the forwarding path for RouteA and SwitchB, and their echo packets will return along the same path for BFD sessions and failure detections, while their BFD neighbor SwitchC runs BFD Version 0 and uses BFD control packets for BFD sessions and failure detections.
router eigrp 11
 network 172.16.0.0
 bfd all-interfaces
 auto-summary
ip default-gateway 10.4.9.1
ip default-network 0.0.0.0
ip route 0.0.0.0 0.0.0.0 10.4.9.1
ip route 172.16.1.129 255.255.255.255 10.4.9.1
Configuration for SwitchC
interface GigabitEthernet6/2
 no switchport
 no shutdown
 ip address 10.4.9.34 255.255.255.0...
Poll bit: 0 - Final bit: 0
Multiplier: 3 - Length: 24
My Discr.: 3 - Your Discr.: 5
Min tx interval: 50000 - Min rx interval: 50000
Min Echo interval: 0
OurAddr NeighAddr...
Gi6/1
Example: Configuring BFD in an OSPF Network
The following example shows how to configure BFD in an OSPF network in Cisco IOS Release 15.1(1)SG. In the following example, the simple OSPF network consists of SwitchA and SwitchB. Gigabit Ethernet interface 6/1 on SwitchA is connected to the same network as Gigabit
Ethernet interface 6/1 in SwitchB. The example, starting in global configuration mode, shows the configuration of BFD. For both SwitchA and SwitchB, BFD is configured globally for all interfaces associated with the OSPF process.
Min tx interval: 50000 - Min rx interval: 1000
Min Echo interval: 0
The output from the show bfd neighbors details command on SwitchB verifies that a BFD session has been created:
SwitchB
SwitchB# attach 6...
External flood list length 0
BFD is enabled
Area BACKBONE(0)
Number of interfaces in this area is 2 (1 loopback)
Area has no authentication
SPF algorithm last executed 00:00:08.828 ago
SPF algorithm executed 9 times
Area ranges are
Number of LSA 3.
The following example shows how to configure BFD Hardware-Offload support in a BGP network in Cisco IOS Release 15.1(1)SG. In the following example, the simple BGP network consists of SwitchA and SwitchB. Gigabit Ethernet interface 6/1 on SwitchA is connected to the same network as Gigabit Ethernet interface 6/1 in SwitchB.
Configuration for SwitchB
interface GigabitEthernet 6/1
 no switchport
 ip address 1.1.1.2 255.255.255.0
 bfd interval 50 min_rx 50 multiplier 3
 no bfd echo
router bgp 10
 neighbor 1.1.1.1 remote-as 10
 neighbor 1.1.1.1 fall-over bfd
The output from the show bfd neighbors details command from SwitchA verifies that a BFD session has been created and that BGP is registered for BFD support.
Additional References
Related Documents (Related Topic: Document Title)
• Cisco IOS commands: Cisco IOS Master Commands List, All Releases
• Configuring and monitoring BGP: “Cisco BGP Overview” module of the Cisco IOS IP Routing Protocols Configuration Guide
• Configuring and monitoring EIGRP: “Configuring EIGRP”...
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs...
Chapter 38 Configuring Policy-Based Routing About Policy-Based Routing You can set up PBR as a way to route packets based on configured policies. For example, you can implement routing policies to allow or deny paths based on the identity of a particular end system, or an application protocol.
route-map rm-test permit 23
 match ip address 101 2102
 set interface vlan23
route-map rm-test deny 24
 match ip address 104
 set ip next-hop 24.4.4.1
route-map rm-test deny 25
 match ip address 105
 set ip next-hop 25.5.5.1
route-map rm-test permit 26
 match ip address 2104...
PBR Route-Map Processing Logic Example
Consider a route-map called rm-test defined as follows:
access-list 101 permit tcp host 61.1.1.1 host 133.3.3.1 eq 101
access-list 102 deny tcp host 61.1.1.1 host 133.3.3.1 eq 102
access-list 2102 permit tcp host 61.1.1.1 host 133.3.3.1 eq 102
access-list 104 deny...
The route-map deny takes effect, and the packet is routed using the default IP routing table. – The Catalyst 4500 series switch supports matching route-map actions with a packet by installing entries in the TCAM that match the set of packets described by the ACLs in the match criteria of the route map.
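The processing rules the example above relies on (sequences tried in order, a match clause satisfied only when one of its ACLs permits the packet, a deny ACE causing the sequence to be skipped, a deny sequence or no match handing the packet to normal destination-based routing) can be checked with a small evaluator. This is an added example, not Cisco code: the ACL numbers echo the page's rm-test example but their contents, the route-map sequences and the test packets are constructed, and the "several ACLs in one match clause are alternatives" rule is this example's reading of the `match ip address 101 2102` line.

```python
"""Model of PBR route-map processing (added example, not Cisco code).

Rules modelled from the guide's description:
  * sequences are evaluated in ascending order; the first sequence whose match
    clause is satisfied decides the packet;
  * a packet satisfies a `match ip address` clause if any listed ACL *permits* it;
    a deny ACE, or no matching ACE (implicit deny), leaves the clause unsatisfied
    and processing moves to the next sequence;
  * a `permit` sequence applies its set action; a `deny` sequence, or falling off
    the end of the route map, routes the packet with the normal IP routing table.
ACL contents, route-map sequences and packets below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" | "deny"
    proto: str
    src: str                      # "any" or a host address
    dst: str
    dport: Optional[int] = None   # None matches any destination port

    def hits(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


def acl_permits(acl: List[Ace], p: Packet) -> bool:
    """First-matching-ACE semantics with the implicit deny at the end of every ACL."""
    for ace in acl:
        if ace.hits(p):
            return ace.action == "permit"
    return False


@dataclass(frozen=True)
class Sequence:
    number: int
    action: str                   # "permit" | "deny"
    match_acls: Tuple[int, ...]   # ACLs named in one `match ip address` clause
    set_next_hop: Optional[str] = None


def policy_route(route_map: List[Sequence], acls: Dict[int, List[Ace]],
                 p: Packet) -> Tuple[str, Optional[int]]:
    """Return ('next-hop <ip>', seq) when PBR redirects the packet,
    ('default-routing', seq-or-None) when it falls back to the routing table."""
    for seq in sorted(route_map, key=lambda s: s.number):
        if any(acl_permits(acls[n], p) for n in seq.match_acls):
            if seq.action == "permit":
                return (f"next-hop {seq.set_next_hop}", seq.number)
            return ("default-routing", seq.number)   # deny sequence: route normally
    return ("default-routing", None)                 # no sequence matched


# Constructed ACLs; numbers echo the page's example, contents are ours.
ACLS: Dict[int, List[Ace]] = {
    101: [Ace("permit", "tcp", "61.1.1.1", "133.3.3.1", 101)],
    102: [Ace("deny", "tcp", "61.1.1.1", "133.3.3.1", 102)],    # deny ACE: clause fails
    2102: [Ace("permit", "tcp", "61.1.1.1", "133.3.3.1", 102)],
    104: [Ace("permit", "tcp", "any", "any", 104)],
}

# Constructed route map: seq 26 matches only the deny-ACE ACL, so a port-102
# packet skips it and is caught by seq 27 instead.
ROUTE_MAP: List[Sequence] = [
    Sequence(23, "permit", (101,), set_next_hop="23.3.3.1"),
    Sequence(24, "deny", (104,)),
    Sequence(26, "permit", (102,), set_next_hop="26.6.6.1"),
    Sequence(27, "permit", (2102,), set_next_hop="27.7.7.1"),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "61.1.1.1", "133.3.3.1", 101),
                Packet("tcp", "61.1.1.1", "133.3.3.1", 102),
                Packet("tcp", "10.0.0.5", "133.3.3.1", 104),
                Packet("udp", "10.0.0.5", "133.3.3.1", 53)):
        print(pkt.dport, policy_route(ROUTE_MAP, ACLS, pkt))
```

The port-102 packet is the instructive case: ACL 102 denies it, so sequence 26 is skipped rather than the packet being dropped, and sequence 27 then redirects it; the port-104 packet satisfies the deny sequence 24 and is routed by the ordinary routing table.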
Chapter 38 Configuring Policy-Based Routing Policy-Based Routing Configuration Tasks Enabling PBR To enable PBR, you must create a route map that specifies the match criteria and the resulting action if all of the match clauses are met. Then you must apply that route-map on a particular interface. All packets arriving on the specified interface matching the match clauses are subject to PBR.
The following PBR commands in config-route-map mode are in the CLI but not supported in Cisco IOS for the Catalyst 4500 series switches. If you attempt to use these commands, an error message displays:
Chapter 38 Configuring Policy-Based Routing Policy-Based Routing Configuration Examples
• match-length
• set ip qos
• set ip tos
• set ip precedence
Policy-Based Routing Configuration Examples
The following sections provide PBR configuration examples:
• Equal Access, page 38-8
• Differing Next Hops, page 38-8
•...
interface fastethernet 3/1
 ip policy route-map Texas
route-map Texas permit 10
 match ip address 1
 set ip next-hop 3.3.3.3
route-map Texas permit 20
 match ip address 2
 set ip next-hop 3.3.3.5
Deny ACE
The following example illustrates how to stop processing a given route map sequence, and to jump to the next sequence.
Edge Device). VRF-lite allows a service provider to support two or more VPNs with overlapping IP addresses using one interface. Note Starting with Cisco IOS Release 12.2(52)SG, the Catalyst 4500 switch supports VRF lite NSF support with routing protocols OSPF/EIGRP/BGP. The switch does not use Multiprotocol Label Switching (MPLS) to support VPNs. For information about...
• The Layer 3 TCAM resource is shared between all VRFs. To ensure that any one VRF has sufficient CAM space, use the maximum routes command.
• A Catalyst 4500 series switch using VRF can support one global network and up to 64 VRFs. The...
Note For complete syntax and usage information for the following commands, see the switch command reference for this release and see the Cisco IOS Switching Services Command Reference at: http://www.cisco.com/en/US/docs/ios/ipswitch/command/reference/isw_book.html Use the no ip vrf vrf-name global configuration command to delete a VRF and to remove all interfaces from it.
Configuring VRF-Aware Services
VRF-aware services are implemented in platform-independent modules. VRF provides multiple routing instances in Cisco IOS. Each platform has its own limit on the number of VRFs it supports. VRF-aware services have the following characteristics:
• The user can ping a host in a user-specified VRF.
Chapter 39 Configuring VRF-lite Configuring VRF-Aware Services
Configuring the User Interface for SNMP
To configure VRF-aware services for SNMP, perform this task:
Step 1 Command: Switch# configure terminal Purpose: Enters global configuration mode.
Step 2 Command: Switch(config)# snmp-server trap authentication vrf Purpose: Enables SNMP traps for packets on a VRF.
Step 3...
Configuring the User Interface for Syslog
To configure VRF-aware services for syslog, perform this task:
Step 1 Command: Switch# configure terminal Purpose: Enters global configuration mode.
Step 2 Command: Switch(config)# logging on Purpose: Enables or temporarily disables logging of storage router event message.
Chapter 39 Configuring VRF-lite Configuring Per-VRF for TACACS+ Servers
Step 2 Command: Switch(config)# ip ftp source-interface interface-type interface-number Purpose: Specifies the source IP address for FTP connections.
Step 3 Command: Switch(config)# end Purpose: Returns to privileged EXEC mode.
To specify the IP address of an interface as the source address for TFTP connections, use the ip tftp source-interface show mode command.
Switch (config-sg-tacacs+)# ip tacacs source-interface Loopback0
Switch (config-sg-tacacs)# exit
For more information about configuring per-VRF for TACACS+ server, see the Cisco IOS Per VRF for TACACS + Server, Release 12.3(7)T.
For more information about configuring a multicast within a Multi-VRF CE, see the Cisco IOS IP Multicast Configuration Guide, Release 12.4. Use the no ip vrf vrf-name global configuration command to delete a VRF and to remove all interfaces from it.
Chapter 39 Configuring VRF-lite Configuring a VPN Routing Session Configuring a VPN Routing Session Routing within the VPN can be configured with any supported routing protocol (RIP, OSPF, or BGP) or with static routing. The configuration shown here is for OSPF, but the process is the same for other protocols.
Step 3 Command: Switch(config-router)# network network-number mask network-mask Purpose: Specifies a network and mask to announce using BGP.
Step 4 Command: Switch(config-router)# redistribute ospf process-id match internal Purpose: Sets the switch to redistribute OSPF internal routes.
Step 5 Command: Switch(config-router)# network... Purpose: Defines a network address and mask on which OSPF runs
Chapter 39 Configuring VRF-lite Displaying VRF-lite Status
Router(config-vrf)# route-target export 100:2
Router(config-vrf)# route-target import 100:2
Router(config-vrf)# exit
Router(config)# ip cef
Router(config)# interface Loopback1
Router(config-if)# ip vrf forwarding v1
Router(config-if)# ip address 3.3.1.3 255.255.255.0
Router(config-if)# exit
Router(config)# interface Loopback2
Router(config-if)# ip vrf forwarding v2
Router(config-if)# ip address 3.3.2.3 255.255.255.0
Router(config-if)# exit
Router(config)# interface Fast Ethernet3/0.10...
Outgoing interface list:
  Vlan45, Forward/Sparse-Dense, 00:00:02/00:02:57, H
  Vlan134, Bidir-Upstream/Sparse-Dense, 13:35:54/00:00:00, H
Note: For more information about the information in the displays, refer to the Cisco IOS Switching Services Command Reference at: http://www.cisco.com/en/US/docs/ios/ipswitch/command/reference/isw_book.html
Chapter 40 Configuring Quality of Service Overview of QoS
Figure 40-1 QoS Classification Layers in Frames and Packets (figure: an encapsulated packet with Layer 2 header, IP header and data; a Layer 2 ISL frame with a 26-byte ISL header and a 4-byte trailer around the encapsulated frame, 3 bits used for CoS; a Layer 2 802.1Q/P frame with preamble and start frame delimiter...)
Layer 2 802.1Q frame headers have a 2-byte Tag Control Information field that carries the CoS value in the three most significant bits, which are called the User Priority bits. Other frame types cannot carry Layer 2 CoS values. On interfaces configured as Layer 2 ISL trunks, all traffic is in ISL frames.
Table 40-1 IP Precedence and DSCP Values (continued). Columns, repeated twice across the page: 3-bit IP Precedence | 6 MSb of ToS (bits 8 7 6 5 4 3) | 6-bit DSCP...
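The field positions described above (CoS in the three most significant bits of the 802.1Q Tag Control Information field, IP Precedence in the 3 MSb of the ToS byte, DSCP in the 6 MSb of the same byte, so that the top three bits of a DSCP value are its precedence) can be decoded from raw bytes. This is an added example, not Cisco code; the frames it parses are constructed, and ISL framing is not decoded. It also shows the point made above that an untagged Ethernet frame carries no Layer 2 CoS at all.

```python
"""Extract the QoS classification fields from raw frame bytes (added example, not Cisco code).

Decodes the 3-bit CoS (User Priority) from the 802.1Q TCI, and the 3-bit IP
Precedence and 6-bit DSCP from the IPv4 ToS byte. Sample frames are constructed.
"""
import struct
from typing import Dict, Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def cos_from_tci(tci: int) -> int:
    """User Priority = three most significant bits of the 16-bit TCI."""
    return (tci >> 13) & 0x7


def precedence_from_tos(tos: int) -> int:
    """IP Precedence = 3 MSb of the ToS byte (bits 8-6 in Table 40-1 numbering)."""
    return (tos >> 5) & 0x7


def dscp_from_tos(tos: int) -> int:
    """DSCP = 6 MSb of the ToS byte; its own top three bits equal the IP Precedence."""
    return (tos >> 2) & 0x3F


def classify(frame: bytes) -> Dict[str, Optional[int]]:
    """Return CoS (None when the frame has no 802.1Q tag) and, for IPv4, precedence and DSCP."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    cos: Optional[int] = None
    if ethertype == ETHERTYPE_8021Q:
        # TPID 0x8100 is followed by the 2-byte TCI and then the real EtherType.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        cos = cos_from_tci(tci)
        offset = 18
    result: Dict[str, Optional[int]] = {"cos": cos, "precedence": None, "dscp": None}
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        tos = frame[offset + 1]           # second byte of the IPv4 header
        result["precedence"] = precedence_from_tos(tos)
        result["dscp"] = dscp_from_tos(tos)
    return result


def build_frame(tos: int, pcp: Optional[int] = None, vlan: int = 10) -> bytes:
    """Constructed minimal frame: Ethernet [+ 802.1Q tag] + 20-byte IPv4 header, no payload."""
    eth = bytes.fromhex("000000000001") + bytes.fromhex("000000000002")   # dst, src MAC
    tag = b""
    if pcp is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)   # PCP (3 bits), DEI (1 bit), VID (12 bits)
        tag = struct.pack("!HH", ETHERTYPE_8021Q, tci)
    # Version/IHL, ToS, total length, id, flags/frag, TTL, protocol, checksum, src, dst
    ip = bytes([0x45, tos]) + struct.pack("!HHHBBH", 20, 0, 0, 64, 6, 0) + bytes(8)
    return eth + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    print(classify(build_frame(0xB8, pcp=5)))   # EF marked, CoS 5 on the tag
    print(classify(build_frame(0x28)))          # AF11, untagged: no CoS
```

A ToS byte of 0xB8 decodes to precedence 5 and DSCP 46, and 0x28 to precedence 1 and DSCP 10; the identity `dscp >> 3 == precedence` holds for every ToS value, which is the relationship Table 40-1 tabulates.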
The QoS model proceeds as follows:
Step 1 The incoming packet is classified (based on different packet fields, receive port and/or VLAN) to belong to a traffic class.
Step 2 Depending on the traffic class, the packet is rate-limited/policed and its priority is optionally marked (typically at the edge of the network) so that lower priority packets are dropped or marked with lower priority in the packet fields (DSCP and CoS).
In the 'match' statements, you can specify the fields in the packet to match on, or you can use IP standard or IP extended ACLs or MAC ACLs. For more information, see the “Classification Based on Class Maps and Policy Maps”...
Queueing and Scheduling The Catalyst 4500 Series Switch supports 8 transmit queues per port. Once the decision has been made to forward a packet out a port, the output QoS classification determines the transmit queue into which the packet must be enqueued.
Active Queue Management
Active queue management (AQM) is the proactive approach of informing you about congestion before a buffer overflow occurs. AQM is done using dynamic buffer limiting (DBL). DBL tracks the queue length for each traffic flow in the switch.
• For non-IP packets, classification involves assigning an internal DSCP to the packet, but because there is no DSCP in the non-IP packet, no overwrite occurs. Instead, the internal DSCP is used both for queueing and scheduling decisions and for writing the CoS priority value in the tag if the packet is being transmitted on either an ISL or 802.1Q trunk port.
For command details on Cisco Media Services Proxy, refer to the following URL: http://www.cisco.com/en/US/docs/ios-xml/ios/msp/command/reference/guide/media-ser-prxy.html
Restrictions
The following restrictions apply to using a metadata-based QoS policy on a Catalyst 4500 series switch:
• They can only be attached to a target in the input direction.
Configuring Quality of Service Configuring QoS
MQC-based QoS Configuration
Note: Starting with Cisco IOS Release 12.2(40)SG, a Catalyst 4900M, a Catalyst 4948E, or a Catalyst 4500 Series Switch with Supervisor Engine 6-E or Supervisor Engine 6L-E use the MQC model of QoS.
Supported classification actions and descriptions:
• set cos: Sets the Layer 2 class of service (CoS) value of an outgoing packet.
• set dscp: Marks a packet by setting the differentiated services code point (DSCP) value in the type of service (ToS) byte of an IPv4 packet or the traffic class byte of an IPv6 packet.
1 mbps on interface Gig 1/1 and packets on interface Gig 1/2 are policed to 1 mbps. Note With Cisco IOS Release 12.2(46)SG, you can issue the match protocol arp command. For details, see the Catalyst 4500 Series Switch Cisco IOS Command Reference.
Attaching a Policy Map to an Interface
To create a policy map, enter this command:
Command: Switch(config)# interface {vlan vlan_ID | {fastethernet | gigabitethernet} slot/interface | Port-channel number} Purpose: Selects the interface to configure.
Command: Switch(config-if)# [no] service-policy input policy_map_name Purpose: Attaches a policy map to the input direction of the...
Note: Two policers are reserved for internal use.
How to Implement Policing
For details on how to implement the policing features on a Catalyst 4500 Series Switch, refer to the Cisco IOS documentation at the following link: http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpolsh.html
Platform Restrictions
Platform restrictions include the following: Multi-policer actions can be specified (setting CoS and IP DSCP is supported).
• “Multi-attribute Marking Support” section on page 40-21
• “Hardware Capabilities for Marking” section on page 40-22
• “Configuring the Policy Map Marking Action” section on page 40-22
• “Marking Statistics” section on page 40-24
•...
You specify the traffic attribute you want to change with a set command configured in a policy map. The following table lists the available set commands and the corresponding attribute. For details on the set command, refer to the Catalyst 4500 Series Switch Command Reference. Table 40-2...
 map from 2 to 3
 exit
The following table lists the traffic attributes for which a to-from relationship can be established using the table map.
Table 40-3 Traffic Attributes for Which a To-From Relationship Can Be Established
The “To”...
Figure 40-3 Traffic Marking Procedure Flowchart (flowchart: Start; Create a class map; Using a table map? if so, Create a table map; Create a policy map; Create additional policy maps?; Attach policy map(s) to interface; Finish)
Restrictions for Marking Network Traffic
The following restrictions apply to packet marking actions:...
Note: When using unconditional explicit marking of multiple fields, or policer-based multi-field, multi-region (conform/exceed/violate) marking, the number of table maps that can be set up in the ToS or CoS marking tables will be less than the maximum supported.
Hardware Capabilities for Marking
Catalyst 4900M, Catalyst 4948E, Supervisor Engine 6-E, and Supervisor Engine 6L-E provide a 128 entry marking action (Supervisor Engine 7-E and Supervisor Engine 7L-E provide a 256 entry marking...
Step 4 Command: Switch(config-tablemap)# exit Purpose: Exits table-map configuration mode.
Step 5 Command: Switch(config)# policy-map name Purpose: Enters policy-map configuration mode.
Step 6 Command: Switch(config-p)# class name Purpose: Selects the class for QoS actions.
Step 7 Command: Switch(config-p-c)# set cos | dscp | prec... Purpose: Selects the marking action based on an implicit or explicit
Shaping, Sharing (Bandwidth), Priority Queuing, Queue-limiting and DBL The Catalyst 4500 Series Switch supports the Classification-based (class-based) mode for transmit queue selection. In this mode, the transmit queue selection is based on the Output QoS classification lookup.
When a queuing class is configured without any explicit shape configuration, the queue shape is set to the link rate. To configure class-level shaping in a service policy, perform this task:
Step 1 Command: Switch# configure terminal...
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# service-policy output policy1
Switch(config-if)# end
Switch#
Switch# show policy-map policy1
Policy Map policy1
  Class class1
    shape average 256000
This example shows how to configure class-level, average shape percentage to 32% of link bandwidth for queuing-class traffic:
Switch# configure terminal
Switch(config)# policy-map queuing-policy...
Command / Purpose
Step 4 Switch(config-pmap-class)# bandwidth {bandwidth-kbps | percent percent}: Specifies the minimum bandwidth provided to a class belonging to the policy map when there is traffic congestion in the switch. If the switch is not congested, the class receives more bandwidth than you specify with the bandwidth command.
Switch(config-if)# end
Switch#
Switch# show policy-map policy11
Policy Map policy11
Class prec1
bandwidth percent 30
Class prec2
bandwidth percent 20
Class prec3
bandwidth percent 10
This example shows how to create a class-level policy map called policy11 for three classes called prec1, prec2, and prec3.
class-default = 70%
Similarly, when another queuing class (say q3) is added without any explicit bandwidth (say, with just a shape command), the bandwidth allocation is:
q1 = 10%
q2 = 20%
q3 = min(35%, q3-shape-rate)
class-default = max(35%, (100 - (q1 + q2 + q3)))
Priority queuing...
Command / Purpose
Step 8 Switch(config-interface)# service-policy output policy-map-name: Specifies the policy-map name and applies it to a physical interface.
Step 9 Switch(config-interface)# end: Returns to privileged EXEC mode.
Step 10 Switch# show policy-map: Verifies your entries.
Queue Memory
The number of queue entries that can be allocated has to be a multiple of 8 and can range from 16 to 8184. When a class-based queue is instantiated on a physical port, it is given a default number of entries. This default queue size is based on the number of slots in the chassis and the number of front-panel ports in each slot.
Command / Purpose
Step 1 Switch# configure terminal: Enters global configuration mode.
Step 2 Switch(config)# policy-map policy-map-name: Creates a policy map by entering the policy-map name, and enters policy-map configuration mode. By default, no policy maps are defined.
Step 3 Switch(config-pmap)# class class-name: Specifies the name of the class whose traffic policy you want to...
Switch(config-if)# end
Switch#
Switch# show policy-map policy1
Policy Map policy1
Class class1
shape average 256000
queue-limit 4048
Switch#
Active Queue Management (AQM) via Dynamic Buffer Limiting (DBL)
AQM provides buffering control of traffic flows prior to queuing a packet into a transmit queue of a port. This is of significant interest in a shared memory switch, ensuring that certain flows do not hog the switch packet memory.
Command / Purpose
Step 11 Switch# show policy-map [policy-map-name [class class-map-name]] and Switch# show policy-map interface interface-id: Verifies your entries.
Step 12 (Optional) Switch# copy running-config startup-config: Saves your entries in the configuration file.
To delete an existing policy map, use the no policy-map policy-map-name global configuration command.
Enabling Per-Port Per-VLAN QoS
The per-port per-VLAN QoS feature enables you to specify different QoS configurations on different VLANs on a given interface. Typically, you use this feature on trunk ports or voice VLAN (Cisco IP Phone) ports, because they belong to multiple VLANs.
ip access-list 103 permit ip any any
Class-map match-all RT
match ip access-group 101
Class-map Match all PD
match ip access-group 103
Policy-map P31_QoS
Class RT
Police 200m 16k conform transmit exceed drop
Class PD
Police 100m 16k conform transmit exceed drop
Interface Gigabit 3/1...
conformed 0 bytes; actions: transmit
exceeded 0 bytes; actions: drop
conformed 0000 bps, exceed 0000 bps
Class-map: class-default (match-any)
0 packets
Match: any
Example 4
The following command shows how to display policy-map statistics on all VLANs configured on Gigabit Ethernet interface 6/1:
Switch# show policy-map interface gigabitEthernet 6/1
GigabitEthernet6/1 vlan 20...
QoS Policy Merging
All applicable policies are applied to a given packet in a given direction. For example, if you configure egress VLAN-based policing and marking, followed by selective queuing on the port, the actions from both policies are applied to the packet.
Software-generated packets are the ones locally sourced by the switch. The type of output software QoS processing applied to these packets is the same as the one applied to software-switched packets. The only difference between the two is that software-switched packets take the input marking of the packet into account for output classification purposes.
Step 4 Attach the policy to one or more QoS targets.
Examples
The following examples illustrate how to configure a flow-based QoS policy and apply microflow policers to individual flows.
Example 1
This example assumes there are multiple users (identified by source IP address) on the subnet 192.168.10.*.
Example 2
This example assumes there are multiple users (identified by source IP address) on subnets 192.168.10.* and 172.20.55.*. The first requirement is to police, with a CIR of 500 Kbps and a PIR of 650 Kbps, any TCP traffic originating from the 192 network to any destination at any given time.
Switch(config)# interface gigabitEthernet3/1
Switch(config-if)# service-policy input p1
Switch(config-if)# exit
Use the show commands described in the QoS section to display the policy-map configuration and interface-specific policy-map statistics.
Example 3
Assume that there are two active flows on FastEthernet interface 6/1:
Table 40-2 SrcIp DStIp...
• A policy can contain multiple classes, and each class map may contain the same or a different FNF flow record.
• A flow-based QoS policy and an FNF monitor cannot both be applied on the same target at the same time.
• When the interface mode changes from switchport to routed port and vice versa, any Flow QoS...
GigabitEthernet2/6 switchport mode trunk
Configuring System Queue Limit
Note: This feature is available only from Cisco IOS Release 15.0(2)SG1 and later and Cisco IOS Release XE 3.2.1SG.
With the hw-module system max-queue-limit command, the Catalyst 4500 series switch allows you to change the queue limit for all interfaces globally, instead of applying a policy with queue limit to all the interfaces.
However, if the device does not support CDP (like legacy Digital Media Player), QoS trust must be applied manually. The Catalyst 4500 Series Switch employs the MQC model. This means that instead of using certain global configurations (like qos and qos dbl), auto-QoS applied to any interface on a switch configures several global class-maps and policy-maps.
There are 7 policy maps that must be defined (5 input, 2 output):
• AutoQos-4.0-Input-Policy
• AutoQos-VoIP-Input-Cos-Policy
• AutoQos-VoIP-Input-Dscp-Policy
• AutoQos-4.0-Cisco-Phone-Input-Policy
• AutoQos-4.0-Output-Policy
• AutoQos-4.0-Cisco-Softphone-Input-Policy
• AutoQos-VoIP-Output-Policy
On all ports. The problem with CoS is that packets on the native VLAN are marked as zero.
Chapter 40 Configuring Quality of Service Configuring Auto-QoS
class-map match-all AutoQos-4.0-Scavenger-Classify
match access-group name AutoQos-4.0-ACL-Scavenger
class-map match-all AutoQos-4.0-Default-Classify
match access-group name AutoQos-4.0-ACL-Default
! for interfaces with video devices
class-map match-any AutoQos-4.0-VoIP
match dscp ef
match cos 5
class-map match-all AutoQos-4.0-Broadcast-Vid
match dscp cs5
class-map match-all AutoQos-4.0-Realtime-Interact
match dscp cs4...
26
Class AutoQos-4.0-Transaction-Data
set qos-group 18
Class AutoQos-4.0-Bulk-Data
set qos-group 10
Class AutoQos-4.0-Scavenger
set qos-group 8
Policy Map AutoQos-4.0-Cisco-Phone-Input-Policy
Class AutoQos-4.0-VoIP-Data-Cos
set dscp ef
set qos-group 32
police cir 128000 bc 8000
conform-action transmit
exceed-action set-dscp-transmit cs1
exceed-action set-cos-transmit 1
Class AutoQos-4.0-VoIP-Signal-Cos...
conform-action transmit
exceed-action set-dscp-transmit cs1
exceed-action set-cos-transmit 1
Class AutoQos-4.0-Multimedia-Conf-Classify
set dscp af41
set cos 4
set qos-group 34
police cir 5000000 bc 8000
conform-action transmit
exceed-action drop
Class AutoQos-4.0-Signaling-Classify
set dscp cs3
set cos 3
set qos-group 16
police cir 32000 bc 8000...
Note: The previous listing defines the AutoQoS macros for QoS guidelines prior to Solution Reference Network Design 4.0 (SRND4). Starting with Cisco Release XE 3.3.0(SG) and 15.1(1)SG, the Catalyst 4500 Series Switch supports the auto qos srnd4 command.
match qos-group 34
class-map match-all AutoQos-4.0-Multimedia-Stream-Queue
match qos-group 26
class-map match-all AutoQos-4.0-Trans-Data-Queue
match qos-group 18
class-map match-all AutoQos-4.0-Bulk-Data-Queue
match qos-group 10
class-map match-any AutoQos-4.0-Scavenger-Queue
match qos-group 8
match dscp cs1
The output policy maps are as follows:
! Each class maps to a different qos-group with
! class-default taking any traffic not assigned to a qos-group
! Note: in this example, the outbound policy map drops voice packets when the priority...
It establishes a trusted boundary that recognizes Cisco IP Phones and trusts the CoS setting of the packets from the phone. If a Cisco IP Phone is not detected, the CoS field is ignored and the packets are not classified as voice traffic. Upon detecting a Cisco phone, the ingress packets are marked based on the CoS value in the packets.
Configuring Auto-QoS
auto qos voip cisco-softphone—Generates QoS configuration for interfaces connected to PCs running the Cisco IP SoftPhone application and marks and polices traffic stemming from such interfaces. Ports configured with this CLI are considered untrusted.
auto qos classify—Generates QoS configuration for untrusted interfaces. It applies a service-policy to classify the traffic stemming from untrusted desktops or devices and marks them accordingly.
Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location: http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html If the command is not found in the Catalyst 4500 Series Switch Command Reference, it will be found in the larger Cisco IOS library. Refer to the Cisco IOS Command Reference and related publications at this location: http://www.cisco.com/en/US/products/ps6350/index.html...
Cisco IP Phone Voice Traffic You can configure an access port with an attached Cisco IP phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports on...
Configuring a Port to Connect to a Cisco 7960 IP Phone Because a Cisco 7960 IP Phone also supports connection to a PC or another device, an interface connecting a Catalyst 4500 series switch to a Cisco 7960 IP Phone can carry a mix of voice and data traffic.
In the following example, VLAN 1 carries data traffic, and VLAN 2 carries voice traffic. In this configuration, you must connect all Cisco IP phones and other voice-related devices to switch ports that belong to VLAN 2.
The Catalyst 4500 series switch can supply Power over Ethernet (PoE) to the Cisco 7960 IP Phone if there is no power on the circuit. The Cisco 7960 IP Phone can also be connected to an AC power source and supply its own power to the voice circuit. If there is power on the circuit, the switch does not supply it.
Layer 2 level.
Note: Beginning with Cisco IOS Release 15.0(2)SG, you can use a twoway-community VLAN to apply VACLs or QoS in both directions per-community and per-customer.
A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community (or twoway-community) VLANs.
Chapter 42 Configuring Private VLANs About Private VLANs In a switched environment, you can assign an individual PVLAN and associated IP subnet to each individual or common group of end stations. The end stations need to communicate only with a default gateway to communicate outside the PVLAN.
Term / Definition
Isolated Port: An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same PVLAN, except for the promiscuous ports.
PVLANs across Multiple Switches
This section discusses the following topics:
• Standard Trunk Ports, page 42-5
• Isolated PVLAN Trunk Ports, page 42-6
• Promiscuous PVLAN Trunk Ports, page 42-7
Standard Trunk Ports
As with regular VLANs, PVLANs can span multiple switches.
Traffic being sent in the downstream direction towards host1 from the router is received by the Catalyst 4500 series switch on the promiscuous port and in the primary VLAN (VLAN 10). The packets are then switched out of the isolated PVLAN trunk. Rather than being tagged with the primary VLAN (VLAN 10), they are transmitted with the isolated VLAN’s tag (VLAN 11).
Note: When an isolated trunk is used in this way, the Catalyst 4500 series switch provides isolation between the isolated trunk and directly connected hosts (such as host3) but not between hosts connected to the non-PVLAN switch (such as host1 and host2). The non-PVLAN switch must provide isolation between these hosts, using a feature such as protected ports on a Catalyst 2950.
PVLAN Modes Over Gigabit Etherchannel
Beginning with Cisco IOS Release 15.0(2)SG you can configure PVLAN modes over Etherchannel. These new modes are:
• Host mode - Isolated, Community and 2-way community
•...
• A packet received on a PVLAN trunk port belongs to the secondary VLAN if the packet is tagged with a secondary VLAN or if the packet is untagged and the native VLAN on the port is a secondary VLAN.
Chapter 42 Configuring Private VLANs PVLAN Commands PVLANs and SVIs In a Layer 3 switch, a switch virtual interface (SVI) represents the Layer 3 interface of a VLAN. Layer 3 devices communicate with a PVLAN only using the primary VLAN and not through secondary VLANs. Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs.
Chapter 42 Configuring Private VLANs Configuring PVLANs
• Configuring a Layer 2 Interface as an Isolated PVLAN Trunk Port, page 42-19
• Configuring a Layer 2 Interface as a Promiscuous PVLAN Trunk Port, page 42-21
• Permitting Routing of Secondary VLAN Ingress Traffic, page 42-23
•...
VLAN is configured as an isolated or community VLAN.
• Do not apply dynamic access control entries (ACEs) to primary VLANs. Cisco IOS dynamic ACL configuration applied to a primary VLAN is inactive while the VLAN is part of the PVLAN configuration.
•...
• In a DHCP environment, if you shut down your PC, it is not possible to give your IP address to someone else. To solve this problem, the Catalyst 4500 series switch supports the no ip sticky-arp command. This command promotes IP address overwriting and reuse in a DHCP environment.
Configuring a VLAN as a PVLAN
To configure a VLAN as a PVLAN, perform this task:
Command / Purpose
Step 1 Switch# configure terminal: Enters configuration mode.
Step 2 Switch(config)# vlan vlan_ID: Enters VLAN configuration mode.
Step 3 Configures a VLAN as a PVLAN.
This example shows how to configure VLAN 550 as a twoway-community VLAN and verify the configuration:
Switch# configure terminal
Switch(config)# vlan 550
Switch(config-vlan)# private-vlan twoway-community
Switch(config-vlan)# end
Switch# show vlan private-vlan
Primary Secondary Type Interfaces
------- --------- ----------------- ------------------------------------------
primary...
Switch# configure terminal
Switch(config)# vlan 202
Switch(config-vlan)# private-vlan association 303-307,309,440
Switch(config-vlan)# end
Switch# show vlan private-vlan
Primary Secondary Type Interfaces
------- --------- ----------------- ------------------------------------------
community community community community community community isolated twoway-community twoway-community twoway-community community
Note...
• Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and the PVLAN promiscuous port.
This example shows how to configure interface FastEthernet 5/2 as a PVLAN promiscuous port, map it to a PVLAN, and verify the configuration:
Switch# configure terminal
Switch(config)# interface fastethernet 5/2...
This example shows how to configure interface FastEthernet 5/1 as a PVLAN host port and verify the configuration:
Switch# configure terminal
Switch(config)# interface fastethernet 5/1
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 202 440
Switch(config-if)# end
Switch# show interfaces fastethernet 5/1 switchport
Name: Fa5/1...
Command / Purpose
Step 4 Switch(config-if)# [no] switchport private-vlan association trunk primary_vlan_ID secondary_vlan_ID: Configures the association between primary VLANs and secondary VLANs on the PVLAN trunk port.
Note: Multiple PVLAN pairs can be specified using this command so that a PVLAN trunk port can carry multiple secondary VLANs.
The [no] switchport private-vlan mapping command provides the following three levels of removal:
• Remove one or more secondary VLANs from the list. For example:
Switch(config-if)# switchport private-vlan mapping trunk 2 remove 222
• Remove the entire mapping of PVLAN promiscuous trunk port to the specified primary VLAN (and...
Configuring a Layer 2 Etherchannel as a Promiscuous PVLAN Trunk Port, page 42-28
Configuring a Layer 2 EtherChannel
Do the following:
Step 1 Configure a VLAN as a PVLAN. Refer to the URL: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/01xo/configuration/guide/pvlans.html#wp1174853
Step 2 Associate a secondary VLAN with a primary VLAN. Refer to the URL: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/01xo/configuration/guide/pvlans.html#wp1121802
Configuring a Layer 2 EtherChannel.
Command / Purpose
Step 3 Switch(config-if)# switchport mode private-vlan {host | promiscuous | trunk promiscuous | trunk [secondary]}: Configures a Layer 2 Etherchannel as a PVLAN promiscuous port.
Step 4 Switch(config-if)# [no] switchport private-vlan mapping [trunk] primary_vlan_ID: (Maps the PVLAN promiscuous port to a primary VLAN and to selected secondary...
Configuring a Layer 2 EtherChannel as a PVLAN Host Port
To configure a Layer 2 EtherChannel as a PVLAN host port, perform this task:
Command / Purpose
Step 1 Switch# configure terminal: Enters global configuration mode.
Step 2 Specifies the LAN interface to configure.
Configuring a Layer 2 EtherChannel as an Isolated PVLAN Trunk Port
To configure a Layer 2 EtherChannel as an isolated PVLAN trunk port, perform this task:
Command / Purpose
Step 1 Switch# configure terminal: Enters global configuration mode.
Step 2 Specifies the LAN interface to configure.
This example shows how to configure interface port channel 63 as a secondary trunk port, and to verify the configuration:
Switch# configure terminal
Switch(config)# interface port-channel 63
Switch(config-if)# switchport mode private-vlan trunk secondary
Switch(config-if)# switchport private-vlan trunk native vlan 10
Switch(config-if)# switchport private-vlan trunk allowed vlan 10.
Command / Purpose
Step 5 Switch(config-if)# end: Exits configuration mode.
Step 6 Switch# show interfaces port-channel interface-number switchport: Verifies the configuration.
Note: The maximum number of unique PVLAN pairs supported by the switchport private-vlan mapping trunk command is 500.
MACsec encryption between switches (encryption is optional).
Note: MACsec is supported on the Catalyst 4500 series switch universal k9 image. It is not supported with the NPE license or with a LAN Base service image.
Chapter 43 Configuring MACsec Encryption Understanding Media Access Control Security and MACsec Key Agreement
• Understanding Cisco TrustSec MACsec, page 43-8
• Configuring Cisco TrustSec MACsec, page 43-10
For more information on TrustSec, refer to the following URL: http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html
Understanding Media Access Control Security and MACsec Key Agreement
MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using...
MAC address of the physical interface concatenated with a 16-bit port ID. MACsec A Catalyst 4500 series switch running MACsec maintains the configuration files that show which ports on a member switch support MACsec. The stack master performs these functions: •...
MACsec, MKA, and 802.1X Host Modes
You can use MACsec and the MKA Protocol with 802.1X single-host mode, multiple-host mode, or Multi Domain Authentication (MDA) mode. Multiple authentication mode is not supported.
Single-Host Mode
Figure 43-1 shows how a single EAP authenticated session is secured by MACsec using MKA.
MKA Statistics
Some MKA counters are aggregated globally, while others are updated both globally and per session. You can also obtain information about the status of MKA sessions. This is an example of the show mka statistics command output:
Switch# show mka statistics
MKA Global Statistics...
Chapter 43 Configuring MACsec Encryption Configuring MACsec and MKA
Configuring MACsec on an Interface
To configure MACsec on an interface with one MACsec session for voice and one for data, perform this task:
Command / Purpose
Step 1 configure terminal: Enters global configuration mode.
Step 2 interface interface-id...
Runnable methods list:
Method State
dot1x Authc Success
Understanding Cisco TrustSec MACsec
Note: MACsec is supported on the Catalyst 4500 series switch universal k9 image. It is not supported with the NPE license or with a LAN Base service image.
Table 43-2 summarizes the Cisco TrustSec features supported on the switch.
NPE or the LAN Base image. Cisco TrustSec NDAC SAP is supported on trunk ports because it is intended only for network device to network device links, that is, switch-to-switch links. It is not supported on:
• Host facing access ports (these ports support MKA MACsec)
•...
Configuring MACsec Encryption Configuring Cisco TrustSec MACsec
Configuring Cisco TrustSec MACsec
Note: MACsec is supported on the Catalyst 4500 series switch universal k9 image. It is not supported with the NPE license or with a LAN Base service image.
The following topics are discussed:
• Configuring Cisco TrustSec Credentials on the Switch, page 43-10
•...
Cisco.
Note: MACsec is supported on the Catalyst 4500 series switch universal k9 image. It is not supported with the NPE license or with a LAN Base service image. If you select GCM without the required license, the interface is forced to a link-down state.
• If you select GCM as the SAP operating mode, you must have a MACsec Encryption software license from Cisco. If you select GCM without the required license, the interface is forced to a link-down state.
These protection levels are supported when you configure SAP pairwise master key (sap pmk):
•...
TrustSec-related interface characteristics.
Step 9 (Optional) copy running-config startup-config: Saves your entries in the configuration file.
This example shows how to configure Cisco TrustSec authentication in manual mode on an interface:
Switch# configure terminal
Switch(config)# interface tengigabitethernet 1/1/2
Switch(config-if)# cts manual...
Chapter 44 Configuring 802.1X Port-Based Authentication About 802.1X Port-Based Authentication
Note: 802.1X support requires an authentication server that is configured for Remote Authentication Dial-In User Service (RADIUS). 802.1X authentication does not work unless the network access switch can route packets to the configured RADIUS server. To verify that the switch can route packets, you must ping the server from the switch.
• Authenticator—Controls physical access to the network based on the authentication status of the client. The Catalyst 4500 series switch acts as an intermediary between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client.
(dot1x port-control auto command in Cisco IOS Release 12.2(46)SG and earlier releases), the switch must initiate authentication when it determines that the port link state has changed. It then sends an EAP-request/identity frame to the client to request its identity (typically, the switch sends an initial identity/request frame followed by one or more requests for authentication information).
You can control the port authorization state by using the authentication port-control interface configuration command (dot1x port-control auto command in Cisco IOS Release 12.2(46)SG and earlier releases) and these keywords: •...
Figure 44-3 Authentication Flowchart (flowchart not reproduced; its nodes read: Start; Client IEEE 802.1x capable?; IEEE 802.1x authentication process times out; Is MAC authentication bypass enabled?)
The switch gets an EAPOL message, and the EAPOL message exchange begins.
Beginning with Cisco IOS Release 12.2(37)SG, Catalyst 4500 series switches support Multidomain Authentication (MDA), which allows an IP phone (Cisco or third-party) and a single host behind the IP phone to authenticate independently, using 802.1X, MAC authentication bypass (MAB) or (for the host only) web-based authentication.
To prevent another device from using the established authentication of the disconnected client later, Cisco IP phones send a Cisco Discovery Protocol (CDP) host presence type length value (TLV) to notify the switch of changes in the attached client’s port link state.
(as happens for single-host and MDA modes). It is not an issue for directly connected hosts or for hosts behind Cisco phones, where a port-down event or proxy EAPoL-Logoff/CDP TLV is received when the initial host disconnects. It is an issue where a host disconnects from behind a hub, third-party phone, or legacy Cisco phone, causing the session to remain up.
• Starting with Cisco IOS Release 15.0(2)SG, if multi-authentication mode is enabled on an 802.1X port, VLAN assignment occurs successfully for the first authenticated host. Subsequent authorized (based on user credentials) data hosts are considered successfully authenticated, provided they either have no VLAN assignment or have a VLAN assignment matching the first successfully authenticated host on the port.
To configure VLAN assignment you need to perform these tasks:
• Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server. For an illustration of how to apply the aaa authorization network group radius command, refer to the section “Enabling 802.1X Authentication”...
802.1X supplicant. If authentication fails, the port moves to the guest VLAN if configured, or it remains unauthorized. The Catalyst 4500 series switch also supports reauthentication of MACs on a per-port level. Be aware that the reauthentication functionality is provided by 802.1X and is not MAB specific. In the reauthentication mode, a port stays in the previous RADIUS-sent VLAN and tries to re-authenticate itself.
Feature Interaction
This section lists feature interactions and restrictions when MAB is enabled. If a feature is not listed, assume that it interacts seamlessly with MAB (such as Unidirectional Controlled Port). MAB can only be enabled if 802.1X is configured on a port.
If the port is changed to multiple-user host, port security must be used to enforce the number of MAC addresses allowed through this port.
• The Catalyst 4500 series switch supports MAB with VVID, with the restriction that the MAC address...
Note: Inaccessible Authentication Bypass allows a voice client to access the configured voice VLAN when RADIUS becomes unavailable. For the voice device to operate properly, it must learn the voice VLAN ID through other protocols such as CDP, LLDP, or DHCP, wherever appropriate.
(or the dot1x control-direction both interface configuration command for Cisco IOS Release 12.2(46) or earlier), the port is access-controlled in both directions. In this state, except for EAPOL packets, a switch port does not receive or send packets.
Deployment Example
In a large campus LAN design, you might want to design the VLAN infrastructure without a large Layer 2 domain. For the same employee VLAN, customers might have different VLANs at different campus access switches.
You can set the maximum number of authentication attempts that the authenticator sends before moving a port into the authentication-failed VLAN. The authenticator keeps a count of the failed authentication attempts for each port.
• Internal VLANs that are used for Layer 3 ports cannot be configured as authentication-failed VLANs.
• The authentication-failed VLAN is supported only in single-host mode (the default port mode).
• When a port is placed in an authentication-failed VLAN the user’s MAC address is added to the...
Using 802.1X Authentication with ACL Assignments and Redirect URLs Beginning with Cisco IOS Release 12.2(50)SG, you can download per-host policies such as ACLs and redirect URLs to the switch from the RADIUS server during 802.1X or MAB authentication of the host.
ACL on a client-facing switch port. If the default ACL is configured on the switch and the Cisco Secure ACS sends a host access policy to the switch, it applies the policy to traffic from the host connected to a switch port. If the policy does not apply, the switch applies the default ACL.
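As an added example that is not text from this guide, the following Cisco IOS configuration puts together the two port-level controls discussed above: a default ACL on the client-facing port, which governs host traffic whenever RADIUS returns no per-host policy, and an authentication-failed VLAN for clients that exhaust their retries. The RADIUS server address and key, the VLAN number, the ACL name and the interface are placeholders chosen for the example; the port-level commands are the Cisco IOS Release 12.2(50)SG-style `authentication` forms.

```text
! Global AAA and RADIUS (server address and key are placeholders)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 key RADIUS_KEY_PLACEHOLDER
dot1x system-auth-control
!
! Default ACL for the client-facing port. A host access policy sent by
! the RADIUS server overrides it for that host; otherwise this ACL applies.
ip access-list extended DEFAULT_PORT_ACL
 permit udp any any eq bootps
 permit udp any any eq domain
 deny   ip any any
!
interface FastEthernet2/1
 switchport mode access
 ip access-group DEFAULT_PORT_ACL in
 ! 802.1X first, MAB as fallback; single-host mode is the default
 authentication port-control auto
 authentication order dot1x mab
 ! After the configured retries fail, place the port in VLAN 99 (placeholder)
 authentication event fail retry 2 action authorize vlan 99
 dot1x pae authenticator
 mab
!
! Verify the session state and whether a RADIUS policy or the default ACL is in effect
show authentication sessions interface FastEthernet2/1
```

The `aaa authorization network` line is what allows the switch to accept the per-host ACL or redirect URL carried in the RADIUS Access-Accept; without it the server's policy is ignored and the default ACL silently governs every host, which is worth checking with the `show authentication sessions` output before assuming per-host policy is in effect.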
UNAUTHORIZED. All traffic exiting the voice VLAN is obtained correctly and appears in the MAC address table. Cisco IP phones do not relay CDP messages from other devices. If several Cisco IP phones are connected in a series, the switch recognizes only the one directly connected to it. When 802.1X is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones more than one hop away.
Page 991
When a port host mode is changed from single- or multihost to multidomain mode, an authorized data device remains authorized on the port. However, a Cisco IP phone that was allowed on the port in the voice VLAN is automatically removed and must be reauthenticated on that port.
NEAT is intended for deployment scenarios where a switch acting as an 802.1X authenticator to end hosts (PCs or Cisco IP phones) is placed in an unsecured location (outside the wiring closet). Because of this topology, the authenticator switch cannot always be trusted. For example, compact switches (8-port Catalyst 3560 and Catalyst 2960) are generally deployed outside the wiring closet.
Auto enablement—Automatically enables trunk configuration on the authenticator switch, allowing user traffic from multiple VLANs arising from supplicant switches. At the ACS, you must configure the Cisco AV pair as device-traffic-class=switch. For details on how to do this, see the “Configuring an Authenticator and a Supplicant Switch with NEAT”...
Chapter 44 Configuring 802.1X Port-Based Authentication Configuring 802.1X Port-Based Authentication switch denies access to the network for all wireless access point-attached clients. In this topology, the wireless access point is responsible for authenticating clients attached to it, and the wireless access point acts as a client to the switch.
If you are planning to use VLAN assignment, be aware that the features use general AAA commands. For information on how to configure AAA, refer to the “Enabling 802.1X Authentication” section on page 44-28. Alternatively, you can refer to the Cisco IOS security documentation at this location: http://www.cisco.com/en/US/products/ps6586/products_ios_technology_home.html
Enabling 802.1X Authentication
To enable 802.1X port-based authentication, you first must enable 802.1X globally on your switch, then...
Page 997
Switch(config-if)# dot1x pae authenticator
Refer to the “Default 802.1X Configuration” section on page 44-27.
Step 9 Enables 802.1X authentication on the interface.
Cisco IOS Release 12.2(50)SG and later: Switch(config-if)# authentication port-control auto
Cisco IOS Release 12.2(46)SG or earlier releases: Switch(config-if)# dot1x...
Page 999
This example shows how to enable 802.1X and AAA on Fast Ethernet port 2/1, and how to verify the configuration:
Cisco IOS Release 12.2(50)SG and later
Switch# configure terminal
Switch(config)# dot1x system-auth-control
Switch(config)# aaa new-model
...
Dot1x Authenticator Client List
-------------------------------
Supplicant = 0007.e95d.83c4
Session ID = 0A050B160000009505106398
Auth SM State = AUTHENTICATING
Auth BEND SM State = REQUEST
Port Status = UNAUTHORIZED
The following example illustrates when a port is authorized:
Switch# show authentication sessions int G4/5
Interface: GigabitEthernet4/5
...