Cisco WS-CBS3032-DEL Software Configuration Manual

Software guide
Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide
Cisco IOS Release 12.2(58)SE
April 2011
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-13270-06

Summary of Contents for Cisco WS-CBS3032-DEL

  • Page 1 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide Cisco IOS Release 12.2(58)SE April 2011 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...
  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks.
  • Page 3: Table Of Contents

    Understanding Command Modes Understanding the Help System Understanding Abbreviated Commands Understanding no and default Forms of Commands Understanding CLI Error Messages Using Configuration Logging Using Command History Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL-13270-06...
  • Page 4 3-18 Modifying the Startup Configuration 3-19 Default Boot Configuration 3-19 Automatically Downloading a Configuration File 3-19 Specifying the Filename to Read and Write the System Configuration 3-20...
  • Page 5 NTP Version 4 Configuring Time and Date Manually Setting the System Clock Displaying the Time and Date Configuration Configuring the Time Zone Configuring Summer Time (Daylight Saving Time)...
  • Page 6 Setting a Telnet Password for a Terminal Line Configuring Username and Password Pairs Configuring Multiple Privilege Levels Setting the Privilege Level for a Command Changing the Default Privilege Level for Lines...
  • Page 7 Monitoring and Troubleshooting CoA Functionality 6-40 Configuring RADIUS Server Load Balancing 6-40 Displaying the RADIUS Configuration 6-40 Controlling Switch Access with Kerberos 6-40 Understanding Kerberos 6-41 Kerberos Operation 6-43...
  • Page 8 Effects of Adding a Provisioned Switch to a Switch Stack 7-10 Effects of Replacing a Provisioned Switch in a Switch Stack 7-11 Effects of Removing a Provisioned Switch from a Switch Stack 7-11...
  • Page 9 Hardware Loopback Example: LINK OK event 7-32 Hardware Loop Example: LINK NOT OK Event 7-33 Finding a Disconnected Stack Cable 7-33 Fixing a Bad Connection Between Stack Ports 7-34...
  • Page 10 9-21 802.1x Authentication with Guest VLAN 9-21 802.1x Authentication with Restricted VLAN 9-22 802.1x Authentication with Inaccessible Authentication Bypass 9-23 Overview 9-23 Support on Multiple-Authentication Ports 9-24...
  • Page 11 Setting the Switch-to-Client Frame-Retransmission Number 9-47 Setting the Re-Authentication Number 9-48 Enabling MAC Move 9-48 Enabling MAC Replace 9-49 Configuring 802.1x Accounting 9-50 Configuring a Guest VLAN 9-51...
  • Page 12 802.1x Authentication 10-8 EtherChannel 10-8 Configuring Web-Based Authentication 10-9 Default Web-Based Authentication Configuration 10-9 Web-Based Authentication Configuration Guidelines and Restrictions 10-9 Web-Based Authentication Configuration Task List 10-10...
  • Page 13 Default Ethernet Interface Configuration 11-19 Configuring Interface Speed and Duplex Mode 11-20 Speed and Duplex Configuration Guidelines 11-20 Setting the Interface Speed and Duplex Parameters 11-21...
  • Page 14 Configuring Extended-Range VLANs 13-11 Default VLAN Configuration 13-11 Extended-Range VLAN Configuration Guidelines 13-11 Creating an Extended-Range VLAN 13-12 Creating an Extended-Range VLAN with an Internal VLAN ID 13-13...
  • Page 15 The VTP Domain 14-2 VTP Modes 14-3 VTP Advertisements 14-4 VTP Version 2 14-4 VTP Version 3 14-5 VTP Pruning 14-6 VTP and Switch Stacks 14-8 Configuring VTP 14-8...
  • Page 16 Private VLANs and SVIs 16-5 Private VLANs and Switch Stacks 16-6 Configuring Private VLANs 16-6 Tasks for Configuring Private VLANs 16-6 Default Private-VLAN Configuration 16-7 Private-VLAN Configuration Guidelines 16-7...
  • Page 17 Bridge ID, Switch Priority, and Extended System ID 18-4 Spanning-Tree Interface States 18-5 Blocking State 18-6 Listening State 18-7 Learning State 18-7 Forwarding State 18-7 Disabled State 18-7...
  • Page 18 IEEE 802.1s Terminology 19-5 Hop Count 19-5 Boundary Ports 19-6 IEEE 802.1s Implementation 19-6 Port Role Naming Change 19-7 Interoperation Between Legacy and Standard Switches 19-7...
  • Page 19 Understanding BPDU Guard 20-3 Understanding BPDU Filtering 20-3 Understanding UplinkFast 20-4 Understanding Cross-Stack UplinkFast 20-5 How CSUF Works 20-6 Events that Cause Fast Convergence 20-7 Understanding BackboneFast 20-7...
  • Page 20 21-14 Configuring DHCP Features and IP Source Guard 22-1 CHAPTER Understanding DHCP Features 22-1 DHCP Server 22-2 DHCP Relay Agent 22-2...
  • Page 21 Displaying DHCP Server Port-Based Address Allocation 22-30 Configuring Dynamic ARP Inspection 23-1 CHAPTER Understanding Dynamic ARP Inspection 23-1 Interface Trust States and Network Security 23-3...
  • Page 22 Configuring the IGMP Snooping Querier 24-15 Disabling IGMP Report Suppression 24-16 Displaying IGMP Snooping Information 24-17 Understanding Multicast VLAN Registration 24-18 Using MVR in a Multicast Television Application 24-19...
  • Page 23 25-12 Configuring Port-Based Traffic Control 26-1 CHAPTER Configuring Storm Control 26-1 Understanding Storm Control 26-2 Default Storm Control Configuration 26-3...
  • Page 24 27-5 Configuring LLDP, LLDP-MED, and Wired Location Service 28-1 CHAPTER Understanding LLDP, LLDP-MED, and Wired Location Service 28-1 LLDP 28-1...
  • Page 25 VLAN Filtering 30-7 Destination Port 30-8 RSPAN VLAN 30-9 SPAN and RSPAN Interaction with Other Features 30-9 SPAN and RSPAN and Switch Stacks 30-10 Understanding Flow-Based SPAN 30-10...
  • Page 26 Setting the Message Display Destination Device 32-5 Synchronizing Log Messages 32-6 Enabling and Disabling Time Stamps on Log Messages 32-8 Enabling and Disabling Sequence Numbers in Log Messages 32-8...
  • Page 27 Embedded Event Manager Policies 34-4 Embedded Event Manager Environment Variables 34-5 EEM 3.2 34-5 Configuring Embedded Event Manager 34-6 Registering and Defining an Embedded Event Manager Applet 34-6...
  • Page 28 35-30 VLAN Map Configuration Guidelines 35-31 Creating a VLAN Map 35-32 Examples of ACLs and VLAN Maps 35-33 Applying a VLAN Map to a VLAN 35-35...
  • Page 29 Queueing and Scheduling Overview 37-14 Weighted Tail Drop 37-14 SRR Shaping and Sharing 37-15 Queueing and Scheduling on Ingress Queues 37-16 Queueing and Scheduling on Egress Queues 37-18...
  • Page 30 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain 37-46 Configuring a QoS Policy 37-48 Classifying Traffic by Using ACLs 37-49 Classifying Traffic by Using Class Maps 37-54...
  • Page 31 Link Aggregation Control Protocol 38-6 LACP Modes 38-7 LACP Interaction with Other Features 38-7 EtherChannel On Mode 38-7 Load-Balancing and Forwarding Methods 38-8 EtherChannel and Switch Stacks 38-9...
  • Page 32 39-12 Routing Assistance When IP Routing is Disabled 39-12 Proxy ARP 39-12 Default Gateway 39-12 ICMP Router Discovery Protocol (IRDP) 39-13 Configuring Broadcast Packet Handling 39-14...
  • Page 33 Enabling BGP Routing 39-52 Managing Routing Policy Changes 39-55 Configuring BGP Decision Attributes 39-56 Configuring BGP Filtering with Route Maps 39-58 Configuring BGP Filtering by Neighbor 39-59...
  • Page 34 39-90 Displaying Multi-VRF CE Status 39-94 Configuring Unicast Reverse Path Forwarding 39-95 Configuring Protocol-Independent Features 39-95 Configuring Cisco Express Forwarding and Distributed Cisco Express Forwarding 39-95...
  • Page 35 SNMP and Syslog Over IPv6 40-8 HTTP(S) Over IPv6 40-8 Unsupported IPv6 and Unicast Routing Features 40-9 Limitations 40-9 IPv6 and Switch Stacks 40-10 Configuring IPv6 40-11...
  • Page 36 Configuring VRRP 41-13 VRRP Limitations 41-13 Configuring Cisco IOS IP SLAs Operations 42-1 CHAPTER Understanding Cisco IOS IP SLAs 42-1...
  • Page 37 44-4 WCCP and Switch Stacks 44-5 Unsupported WCCP Features 44-5 Configuring WCCP 44-5 Default WCCP Configuration 44-6 WCCP Configuration Guidelines 44-6 Enabling the Cache Service 44-7...
  • Page 38 45-18 Configuring Source Specific Multicast Mapping 45-18 Configuration Guidelines 45-19 SSM Mapping Overview 45-19 Configuring SSM Mapping 45-21 Monitoring SSM Mapping 45-23 Configuring Source-Specific Multicast 45-23...
  • Page 39 Configuring an IP Multicast Boundary 45-51 Configuring Basic DVMRP Interoperability Features 45-53 Configuring DVMRP Interoperability 45-53 Configuring a DVMRP Tunnel 45-55 Advertising Network 0.0.0.0 to DVMRP Neighbors 45-57...
  • Page 40 Configuring an Originating Address other than the RP Address 46-18 Monitoring and Maintaining MSDP 46-19 Configuring Fallback Bridging 47-1 CHAPTER Understanding Fallback Bridging 47-1...
  • Page 41 Using IP Traceroute 48-13 Understanding IP Traceroute 48-14 Executing IP Traceroute 48-14 Using TDR 48-15 Understanding TDR 48-15 Running TDR and Displaying the Results 48-16 Using Debug Commands 48-16...
  • Page 42 Starting Online Diagnostic Tests 49-5 Displaying Online Diagnostic Tests and Test Results 49-6 Working with the Cisco IOS File System, Configuration Files, and Software Images APPENDIX Working with the Flash File System Displaying Available File Systems...
  • Page 43 Downloading an Image File By Using RCP A-37 Uploading an Image File By Using RCP A-39 Copying an Image File from One Stack Member to Another A-40...
  • Page 44 Unsupported Interface Configuration Commands IP Multicast Routing Unsupported Privileged EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands IP Unicast Routing Unsupported Privileged EXEC or User EXEC Commands...
  • Page 45 VLAN B-14 Unsupported Global Configuration Command B-14 Unsupported User EXEC Commands B-14 Unsupported VLAN Database commands B-14 B-15 Unsupported Privileged EXEC Command B-15 INDEX...
  • Page 47 This guide is for the networking professional using the Cisco IOS command-line interface (CLI) to manage the standalone Cisco Catalyst Blade Switch 3130 for Dell or blade switch stack, referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS commands and the switch software features.
  • Page 48: Related Publications

    Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data. Related Publications: These documents provide complete information about the switch and are available from this Cisco.com site: http://www.cisco.com/en/US/products/ps8742/tsd_products_support_series_home.html Note: Before installing, configuring, or upgrading the switch, see these documents: •...
  • Page 49: Obtaining Documentation And Submitting A Service Request

    • Cisco Catalyst Blade Switch 3130 for Dell and Cisco Catalyst Blade Switch 3032 for Dell Hardware Installation Guide • Cisco Catalyst Blade Switch 3130 for Dell and Cisco Catalyst Blade Switch 3032 for Dell Getting Started Guide •...
  • Page 51: Features

    The cryptographic and noncryptographic universal software images support the IP base and IP services feature sets. To enable a specific feature set, you must have a Cisco IOS software license for that feature set. For more information about the software license, see the Cisco Software Activation for Dell document on Cisco.com.
  • Page 52: Chapter 1 Overview

    QoS and CoS Features, page 1-13 • Layer 3 Features, page 1-14 (includes features requiring the IP services feature set) • Monitoring Features, page 1-15 •...
  • Page 53: Deployment Features

    – Using a single IP address and configuration file to manage the entire switch stack. – Automatic Cisco IOS version-check of new stack members with the option to automatically load images from the stack master or from a TFTP server.
  • Page 54: Performance Features

    • Call Home to provide e-mail-based and web-based notification of critical system events. Users with a service contract directly with Cisco Systems can register Call Home devices for the Cisco Smart Call Home service that generates automatic service requests with the Cisco TAC.
  • Page 55: Management Options

    • Network Assistant—Network Assistant is a network management application that can be downloaded from Cisco.com. You use it to manage a single switch, a cluster of switches, or a community of devices. For more information about Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com.
  • Page 56: Manageability Features

    • Configurable MAC address scaling that allows disabling MAC address learning on a VLAN to limit the size of the MAC address table • Cisco Discovery Protocol (CDP) Versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network •...
  • Page 57 Network Time Protocol version 4 (NTPv4) to support both IPv4 and IPv6 and compatibility with NTPv3 • Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses • Configuration logging to log and to view changes to the switch configuration •...
  • Page 58: Availability And Redundancy Features

    Loop guard for preventing alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link • Equal-cost routing for link-level and switch-level redundancy...
  • Page 59: VLAN Features

    • Link-state tracking to mirror the state of the ports that carry upstream traffic from connected hosts and servers and to allow the failover of the server traffic to an operational link on another Cisco Ethernet switch • Support for VTP version 3 that includes support for configuring extended range VLANs (VLANs...
  • Page 60: Security Features

    • Flexible-authentication sequencing to configure the order of the authentication methods that a port tries when authenticating a new host • IEEE 802.1x with open access to allow a host to access the network before being authenticated...
  • Page 61 VLAN. Voice VLAN assignment is supported for one IP phone – Port security for controlling access to IEEE 802.1x ports – Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port – IP phone detection enhancement to detect and recognize a Cisco IP phone...
  • Page 62 When there is a change in policy for a user or user group in AAA, administrators can send the RADIUS CoA packets from the AAA server, such as Cisco Secure ACS, to reinitialize authentication and apply the new policies.
  • Page 63: QoS And CoS Features

    – Trusted port states (CoS, DSCP, and IP precedence) within a QoS domain and with a port bordering another QoS domain – Trusted boundary for detecting the presence of a Cisco IP Phone, trusting the CoS value received, and ensuring port security • Policing...
  • Page 64: Layer 3 Features

    Fallback bridging for forwarding non-IP traffic between two or more VLANs (requires the IP services feature set) • Static IP routing for manually building a routing table of network path information • Equal-cost routing for load-balancing and redundancy...
  • Page 65: Monitoring Features

    VRRP routers on a LAN, allowing multiple routers on a multiaccess link to utilize the same virtual IP address. Monitoring Features These are the monitoring features:...
  • Page 66: Default Settings After Initial Switch Configuration

    • Support for Embedded Event Manager (EEM) for event detection and recovery within a Cisco IOS device, and EEM 3.2, which introduces event detectors for Neighbor Discovery, Identity, and...
  • Page 67 • The standard HTTP server and Secure Socket Layer (SSL) HTTPS server are both enabled. For more information, see Chapter 6, “Configuring Switch-Based Authentication.” • IEEE 802.1x is disabled. For more information, see Chapter 9, “Configuring IEEE 802.1x Port-Based Authentication.”...
  • Page 68 • The IGMP snooping querier feature is disabled. For more information, see Chapter 24, “Configuring IGMP Snooping and MVR.” • MVR is disabled. For more information, see Chapter 24, “Configuring IGMP Snooping and MVR.”...
  • Page 69 • MSDP is disabled. For more information, see Chapter 46, “Configuring MSDP.” • Fallback bridging is not configured. For more information, see Chapter 47, “Configuring Fallback Bridging.”...
  • Page 70: Network Configuration Examples

    e-mail with large attached files) and from bandwidth-intensive applications (such as multimedia) • Use the EtherChannel feature between the switch and its connected servers and routers...
  • Page 71 Internet or an intranet at higher speeds. Note: LRE is the technology used in the Catalyst 2950 LRE switch. See the documentation sets specific to this switch for LRE information...
  • Page 72 The various lengths of stack cable available, ranging from 0.5 meter to 3 meters, provide extended connections to the switch stacks across multiple server racks, for multiple stack aggregation...
  • Page 73: Small To Medium-Sized Network

    Cisco CallManager controls call processing and routing. Users with workstations running Cisco SoftPhone software can place, receive, and control calls from their PCs. Using Cisco CallManager software and Cisco SoftPhone software integrates telephony and IP networks, and the IP network supports both voice and data.
  • Page 74: Where To Go Next

    Chapter 3, “Assigning the Switch IP Address and Default Gateway” • To locate and download MIBs for a specific Cisco product and release, use the Cisco MIB Locator: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml...
  • Page 75: Understanding Command Modes

    CHAPTER Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your standalone switch or a switch stack, referred to as the switch. It contains these sections: Understanding Command Modes, page 2-1 •...
  • Page 76: Chapter 2 Using The Command-Line Interface

    console command. To return to privileged EXEC mode, press Ctrl-Z or enter end...
  • Page 77: Understanding The Help System

    You need to enter only enough characters for the switch to recognize the command as unique. This example shows how to enter the show configuration privileged EXEC command in an abbreviated form: Switch# show conf...
  • Page 78: Understanding No And Default Forms Of Commands

    that are available in this command mode. The caret (^) marks the point of the error. The possible keywords that you can enter with the command appear...
  • Page 79: Using Configuration Logging

    You can choose to have the notifications sent to the syslog. For more information, see the “Configuration Change Notification and Logging” section of the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4.
  • Page 80: Recalling Commands

    These procedures are optional. To globally disable enhanced editing mode, enter this command in line configuration mode: Switch (config-line)# no editing...
  • Page 81: Editing Commands Through Keystrokes

    Delete from the cursor to the end of the word. Capitalize or lowercase words or Press Esc C. Capitalize at the cursor. capitalize a set of letters...
  • Page 82: Editing Command Lines That Wrap

    Switch(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1 Switch(config)# $ 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.25 Switch(config)# $t tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq Switch(config)# $108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq 45...
  • Page 83: Searching And Filtering Output Of Show And More Commands

    If you want to configure a specific stack member port, you must include the stack member number in the CLI command interface notation. For more information about interface notations, see the “Using Interface Configuration Mode” section on page 11-8...
  • Page 84: Accessing The CLI Through A Console Connection Or Through Telnet

    After you connect through the console port, through the Ethernet management port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station...
  • Page 85 Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2. This chapter consists of these sections: Understanding the Boot Process, page 3-2 •...
  • Page 86: Chapter 3 Assigning The Switch IP Address And Default Gateway

    Note: If the data bits option is set to 8, set the parity option to none. • Stop bits default is 1. • Parity settings default is none...
  • Page 87: Assigning Switch Information

    Default gateway: No default gateway is defined. Enable secret password: No password is defined. Hostname: The factory-assigned default hostname is Switch. Telnet password: No password is defined...
  • Page 88: Understanding DHCP-Based Autoconfiguration

    (such as an IP address, subnet mask, gateway IP address, DNS IP address, a lease for the IP address, and so forth) to the client in a DHCPOFFER unicast message...
  • Page 89: Understanding DHCP-Based Autoconfiguration And Image Update

    DHCP server. The downloaded configuration file becomes the running configuration of the switch. It does not overwrite the bootup configuration saved in the flash, until you reload the switch...
  • Page 90: DHCP Auto-Image Update

    EXEC command. Note that if the downloaded configuration is saved to the startup configuration, the feature is not triggered during subsequent system restarts...
  • Page 91: Configuring DHCP-Based Autoconfiguration

    The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. These features are not operational. If your DHCP server is a Cisco device, for additional information about configuring DHCP, see the “Configuring...
  • Page 92: Configuring The TFTP Server

    If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 93: Obtaining Configuration Files

    The switch sends a broadcast message to a TFTP server to retrieve the named configuration file from the base directory of the server, and upon receipt, it completes its boot up process...
  • Page 94: Example Configuration

    Table 3-2 DHCP Server Configuration. Columns: Switch A, Switch B, Switch C, Switch D. Binding key (hardware address): 00e0.9f1e.2001, 00e0.9f1e.2002, 00e0.9f1e.2003, 00e0.9f1e.2004. IP address: 10.0.0.21, 10.0.0.22, 10.0.0.23, 10.0.0.24...
  • Page 95 • It reads the configuration file that corresponds to its hostname; for example, it reads switch1-confg from the TFTP server. Switches B through D retrieve their configuration files and IP addresses in the same way...
  • Page 96: Configuring The DHCP Auto Configuration And Image Update Features

    Specify the IP address and mask for the interface. Step 12 Return to privileged EXEC mode. Step 13 copy running-config startup-config (Optional) Save your entries in the configuration file...
  • Page 97: Configuring DHCP Auto-Image Update (Configuration File And Image)

    Specify the text file that contains the name of the image file to download Step 14 interface interface-id Specify the address of the client that will receive the configuration file...
  • Page 98: Configuring The Client

    (Optional) Create warning messages to be displayed when you try to save the configuration file to NVRAM. Step 5 Return to privileged EXEC mode. Step 6 show boot Verify the configuration...
  • Page 99: Manually Assigning IP Information

    Get an IP address for the VLAN interface from the DHCP server. interface-name] [hostname host-name] Step 4 ip address ip-address subnet-mask Enter the IP address and subnet mask. Step 5 exit Return to global configuration mode...
  • Page 100 For information on setting the switch system name, protecting access to privileged EXEC commands, and setting time and calendar services, see Chapter 5, “Administering the Switch.”...
  • Page 101: Checking And Saving The Running Configuration

    For more information about alternative locations from which to copy the configuration file, see Appendix A, “Working with the Cisco IOS File System, Configuration Files, and Software Images.”
  • Page 102: Configuring The NVRAM Buffer Size

    Auto upgrade : yes
    Auto upgrade path
    NVRAM/Config file buffer size: 524288
    Timeout for Config Download: 300 seconds
    Config Download via DHCP: enabled (next boot: enabled)
    Switch#
  • Page 103: Modifying The Startup Configuration

    The Cisco IOS image is stored in a directory that has the same name as the image file (excluding the .bin extension).
  • Page 104: Specifying The Filename To Read And Write The System Configuration

    By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot cycle.
  • Page 105: Booting A Specific Software Image

    • Use number to specify a stack member. (Specify only one stack member.)
    • Use all to specify all stack members.
    Step 4 Return to privileged EXEC mode.
  • Page 106: Controlling Environment Variables

    Cisco IOS configuration file can be stored as an environment variable. You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
  • Page 107 Changes the priority value of a stack member. Note: This command is supported only on stacking-capable switches.
  • Page 108: Scheduling A Reload Of The Software Image

    (if the specified time is later than the current time) or on the next day (if the specified time is earlier than the current time). Specifying 00:00 schedules the reload for midnight.
  • Page 109: Displaying Scheduled Reload Information

    It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled).
  • Page 111: Understanding Cisco Configuration Engine Software

    Note: For complete configuration information for the Cisco Configuration Engine, go to http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.html For complete syntax and usage information for the commands used in this chapter, go to the Cisco IOS Network Management Command Reference, Release 12.4 at http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_book.html This chapter consists of these sections:
    • Understanding Cisco Configuration Engine Software, page 4-1...
  • Page 112: Chapter 4 Configuring Cisco IOS Configuration Engine

    (LDAP) URLs that reference the device-specific configuration information stored in a directory. The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
  • Page 113: Event Service

    ID, and event. Cisco IOS devices recognize only event subject-names that match those configured in Cisco IOS software; for example, cisco.cns.config.load. You can use the namespace mapping service to designate events by using any desired naming convention.
  • Page 114: DeviceID

    Therefore, the DeviceID, as originated on the switch, must match the DeviceID of the corresponding switch definition in the Configuration Engine. The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID variable and its usage reside within the event gateway adjacent to the switch.
  • Page 115: Understanding Cisco IOS Agents

    The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent. The Cisco IOS agent feature supports the switch by providing these features: •...
  • Page 116: Incremental (Partial) Configuration

    NVRAM for use at the next reboot. Configuring Cisco IOS Agents The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 4-7.
  • Page 117: Enabling Automated CNS Configuration

    Note: For more information about running the setup program and creating templates on the Configuration Engine, see the Cisco Configuration Engine Installation and Setup Guide, 1.5 for Linux at http://www.cisco.com/en/US/docs/net_mgmt/configuration_engine/1.5/installation_linux/guide/setup_1.html
  • Page 118: Enabling The CNS Event Agent

    This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count.
    Switch(config)# cns event 10.180.1.27 keepalive 120 10
  • Page 119: Enabling The Cisco IOS CNS Agent

    After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands: •...
  • Page 120 Enter the hostname for the switch. Step 12 ip route network-number (Optional) Establish a static route to the Configuration Engine whose IP address is network-number.
  • Page 121 ID, enter an arbitrary text string for string string as the unique ID, or enter udi to set the unique device identifier (UDI) as the unique ID.
  • Page 122 Verify your entries. To disable the CNS Cisco IOS agent, use the no cns config initial {ip-address | hostname} global configuration command. This example shows how to configure an initial configuration on a remote switch when the switch configuration is unknown (the CNS Zero Touch feature).
  • Page 123: Enabling A Partial Configuration

    RemoteSwitch(config)# cns id ethernet 0 ipaddress
    RemoteSwitch(config)# cns config initial 172.28.129.22 no-persist
    Enabling a Partial Configuration
    Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch: Command...
  • Page 124: Displaying CNS Configuration

    Displays statistics about the CNS event agent. show cns event subject Displays a list of event agent subjects that are subscribed to by applications.
  • Page 125: Managing The System Time And Date

    You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 126: Chapter 5 Administering The Switch

    The time kept on a device is a critical resource; you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism.
  • Page 127 Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 128: NTP Version 4

    • Setting the System Clock, page 5-5
    • Displaying the Time and Date Configuration, page 5-5
    • Configuring the Time Zone, page 5-6
    • Configuring Summer Time (Daylight Saving Time), page 5-7
  • Page 129: Setting The System Clock

    The symbol that precedes the show clock display has this meaning:
    • *—Time is not authoritative.
    • (blank)—Time is authoritative.
    • .—Time is authoritative, but NTP is not synchronized.
  • Page 130: Configuring The Time Zone

    In this case, the necessary command is clock timezone AST -3 30. To set the time to UTC, use the no clock timezone global configuration command.
  • Page 131: Configuring Summer Time (Daylight Saving Time)

    This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:
    Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
  • Page 132: Configuring A System Name And Prompt

    9. When you use this command, the stack member number is appended to the system prompt. For example, Switch-2# is the prompt in privileged EXEC mode for stack member 2, and the system prompt for the switch stack is Switch.
  • Page 133: Default System Name And Prompt Configuration

    For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
  • Page 134: Default DNS Configuration

    If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).
  • Page 135: Displaying The DNS Configuration

    If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
  • Page 136: Configuring A Message-Of-The-Day Login Banner

    Connected to 172.2.5.4.
    Escape character is '^]'.
    This is a secure site. Only authorized users are allowed. For access, contact technical support.
    User Access Verification
    Password:
  • Page 137: Configuring A Login Banner

    (static or dynamic). Note: For complete syntax and usage information for the commands used in this section, see the command reference for this release.
  • Page 138: Building The Address Table

    Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN.
  • Page 139: MAC Addresses And Switch Stacks

    MAC address table configuration.
    Table 5-2 Default MAC Address Table Configuration
    Feature | Default Setting
    Aging time | 300 seconds
    Dynamic addresses | Automatically learned
    Static addresses | None configured
  • Page 140: Changing The Address Aging Time

    MAC address change notifications are generated for dynamic and secure MAC addresses. Notifications are not generated for self addresses, multicast addresses, or other static addresses.
  • Page 141 Step 9 show mac address-table notification change interface, show running-config Verify your entries. Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 142: Configuring MAC Address Move Notification Traps

    Enable the switch to send MAC address move notification traps to the NMS. Step 4 mac address-table notification mac-move Enable the MAC address move notification feature.
  • Page 143: Configuring MAC Threshold Notification Traps

    For notification-type, use the mac-notification keyword.
  • Page 144: Adding And Removing Static Address Entries

    VLAN, the switch acquires the VLAN ID for the address from the ports that you specify. You can specify a different list of destination ports for each source port.
  • Page 145: Configuring Unicast MAC Address Filtering

    When unicast MAC address filtering is enabled, the switch drops packets with specific source or destination MAC addresses. This feature is disabled by default and only supports unicast static addresses.
  • Page 146 When a packet is received in VLAN 4 with this MAC address as its source or destination, the packet is dropped:
    Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop
  • Page 147: Disabling MAC Address Learning On A VLAN

    Return to privileged EXEC mode. Step 4 show mac address-table learning [vlan vlan-id] Verify the configuration. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 148: Displaying Address Table Entries

    (represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed. For CLI procedures, see the Cisco IOS Release 12.2 documentation on Cisco.com.
  • Page 149: Preventing Unauthorized Access To Your Switch

    This chapter describes how to configure switch-based authentication on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 150: Protecting Access To Privileged EXEC Commands

    No password is defined. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file. Line password No password is defined.
  • Page 151: Chapter 6 Configuring Switch-Based Authentication

    We recommend that you use the enable secret command because it uses an improved encryption algorithm. If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
  • Page 152 To remove a password and level, use the no enable password [level level] or no enable secret [level level] global configuration command. To disable password encryption, use the no service password-encryption global configuration command.
  • Page 153: Disabling Password Recovery

    Disable password recovery. This setting is saved in an area of the flash memory that is accessible by the bootloader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 154: Setting A Telnet Password For A Terminal Line

    If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
  • Page 155: Configuring Multiple Privilege Levels

    By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
  • Page 156: Setting The Privilege Level For A Command

    This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands:
    Switch(config)# privilege exec level 14 configure
    Switch(config)# enable password level 14 SecretPswd14
  • Page 157: Changing The Default Privilege Level For Lines

    Log in to a specified privilege level. For level, the range is 0 to 15. Step 2 disable level Exit to a specified privilege level. For level, the range is 0 to 15.
  • Page 158: Controlling Switch Access With TACACS+

    “Implementing ADSL for IPv6” chapter in the Cisco IOS XE IPv6 Configuration Guide, Release
    Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 159 TACACS+ daemon are encrypted. You need a system running the TACACS+ daemon software to use TACACS+ on your switch.
  • Page 160: TACACS+ Operation

    • Default TACACS+ Configuration, page 6-13
    • Identifying the TACACS+ Server Host and Setting the Authentication Key, page 6-13
    • Configuring TACACS+ Login Authentication, page 6-14
  • Page 161: Default TACACS+ Configuration

    (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group. Each server in the group must be previously defined in Step 2.
  • Page 162: Configuring TACACS+ Login Authentication

    Beginning in privileged EXEC mode, follow these steps to configure login authentication: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA.
  • Page 163 To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
  • Page 164: Configuring TACACS+ Authorization For Privileged EXEC Access And Network Services

    Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 165: Starting TACACS+ Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services:...
  • Page 166: Controlling Switch Access With RADIUS

    In one case, RADIUS has been used with Enigma’s security cards to validate users and to grant access to network resources.
    • Networks already using RADIUS. You can add a Cisco switch containing a RADIUS client to the...
  • Page 167: RADIUS Operation

    X.25 PAD connections.
    • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication.
    • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 168: RADIUS Change Of Authorization

    RADIUS Change of Authorization (CoA) extensions defined in RFC 5176 that are typically used in a pushed model and allow for the dynamic reconfiguring of sessions from external authentication, authorization, and accounting (AAA) or policy servers. Beginning with Cisco IOS Release 12.2(52)SE, the switch supports these per-session CoA requests:
    • Session reauthentication...
  • Page 169: Change-Of-Authorization Requests

    Value Explanation
    • Residual Session Context Removed
    • Invalid EAP Packet (Ignored)
    • Unsupported Attribute
    • Missing Attribute
    • NAS Identification Mismatch
    • Invalid Request
    • Unsupported Service
    • Unsupported Extension
    • Invalid Attribute Value
  • Page 170 If more than one session identification attribute is included in the message, all the attributes must match the session or the switch returns a Disconnect-negative acknowledgement (NAK) or CoA-NAK with the error code “Invalid Attribute Value.”
  • Page 171
    • CoA Disconnect-Request
    • CoA Request: Disable Host Port
    • CoA Request: Bounce-Port
    Beginning with Cisco IOS Release 12.2(52)SE, the switch supports the commands shown in Table 6-4. Table 6-4 CoA Commands Supported on the Switch Command Cisco VSA Reauthenticate host Cisco:Avpair=“subscriber:command=reauthenticate”...
  • Page 172 When you want to restore network access on the port, re-enable it using a non-RADIUS mechanism.
    1. Extensible Authentication Protocol over LAN
  • Page 173 If the switch fails after returning a CoA-ACK message to the client but before the operation has completed, the operation is re-started on the new active switch.
  • Page 174: Stacking Guidelines For Session Termination

    (which is subsequently removed). If the stack master fails before sending a CoA-ACK message, the new stack master treats the re-sent command as a new command.
  • Page 175: Configuring RADIUS

    Identifying the RADIUS Server Host
    Switch-to-RADIUS-server communication involves several components:
    • Hostname or IP address
    • Authentication destination port
    • Accounting destination port
    • Key string
  • Page 176 You can configure the switch to use AAA server groups to group existing server hosts for authentication. For more information, see the “Defining AAA Server Groups” section on page 6-32.
  • Page 177 (Optional) Save your entries in the configuration file. To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.
  • Page 178: Configuring RADIUS Login Authentication

    Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA.
  • Page 179 Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 180: Defining AAA Server Groups

    Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 181 Each server in the group must be previously defined in Step 2. Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries.
  • Page 182: Configuring RADIUS Authorization For User Privileged Access And Network Services

    Step 1 configure terminal Enter global configuration mode. Step 2 aaa authorization network radius Configure the switch for user RADIUS authorization for all network-related service requests.
  • Page 183: Starting RADIUS Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 184: Configuring Settings For All RADIUS Servers

    1, which is named cisco-avpair. The value is a string with this format: protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
  • Page 185 For example, this AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP IPCP address assignment):
    cisco-avpair= "ip:addr-pool=first"
    This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:
    cisco-avpair= "shell:priv-lvl=15"...
  • Page 186: Configuring The Switch For Vendor-Proprietary RADIUS Server Communication

    Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
  • Page 187: Configuring CoA On The Switch

    To disable AAA, use the no aaa new-model global configuration command. To disable the AAA server functionality on the switch, use the no aaa server radius dynamic authorization global configuration command.
  • Page 188: Monitoring And Troubleshooting CoA Functionality

    The following Cisco IOS commands can be used to monitor and troubleshoot CoA functionality on the switch:
    • debug radius
    • debug aaa coa
    • debug aaa pod...
  • Page 189: Understanding Kerberos

    If a network service decides to trust the Kerberos server that issued a ticket, it can be used in place of re-entering a username and password. Credentials have a default lifespan of eight hours.
  • Page 190 Kerberos realm represented by the KDC.
    1. TGT = ticket granting ticket
    2. KDC = key distribution center
    3. KEYTAB = key table
    4. SRVTAB = server table
  • Page 191: Kerberos Operation

    For instructions about how to authenticate to a KDC, see the “Obtaining a TGT from a KDC” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2.
  • Page 192: Authenticating To Network Services

    TGT must now authenticate to the network services in a Kerberos realm. For instructions about how to authenticate to a network service, see the “Authenticating to Network Services” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfkerb.html#wp1001010...
  • Page 193: Configuring The Switch For Secure Shell

    Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
  • Page 194: Understanding SSH

    You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 195: Limitations

    Configure a hostname and IP domain name for the switch. Follow this procedure only if you are configuring the switch as an SSH server.
  • Page 196: Configuring The SSH Server

    SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.
  • Page 197: Displaying The SSH Configuration And Status

    Shows the status of the SSH server. For more information about these commands, see the “Secure Shell Commands” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2.
  • Page 198: Configuring The Switch For Secure Socket Layer Http

    (pages) back to the HTTP secure server, which, in turn, responds to the original request. The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application.
  • Page 199: Ciphersuites

    For example, Netscape Communicator 4.76 supports U.S. security with RSA Public Key Cryptography, MD2, MD5, RC2-CBC, RC4, DES-CBC, and DES-EDE3-CBC.
  • Page 200: Configuring Secure Http Servers And Clients

    Before you configure a CA trustpoint, you should ensure that the system clock is set. If the clock is not set, the certificate is rejected due to an incorrect date. In a switch stack, the SSL session terminates at the stack master.
  • Page 201: Configuring A Ca Trustpoint

    (Optional) Save your entries in the configuration file. Use the no crypto ca trustpoint name global configuration command to delete all identity information and certificates associated with the CA.
  • Page 202: Configuring The Secure Http Server

    (Optional) Set the maximum number of concurrent connections that are allowed to the HTTP server. The range is 1 to 16; the default value is 5.
  • Page 203: Configuring The Secure Http Client

    CA trustpoint by using the previous procedure. The command is optional if client authentication is not needed or if a primary trustpoint has been configured.
  • Page 204: Displaying Secure Http Server And Client Status

    … secure status: Shows the HTTP secure client configuration. show ip http server secure status: Shows the HTTP secure server configuration. show running-config: Shows the generated self-signed certificate for secure HTTP connections.
  • Page 205: Configuring The Switch For Secure Copy Protocol

    A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
  • Page 206 Chapter 6 Configuring Switch-Based Authentication Configuring the Switch for Secure Copy Protocol
  • Page 207: Understanding Switch Stacks

    One of the switches controls the operation of the stack and is called the stack master. The stack master and the other switches in the stack are all stack members. The stack members use the Cisco StackWise Plus technology to work together as a unified system. Layer 2 and Layer 3 protocols present the entire switch stack as a single entity to the network.
  • Page 208: Chapter 7 Managing Switch Stack

    – Incompatible Software and Stack Member Image Upgrades, page 7-16 – Switch Stack Configuration Files, page 7-16 – Additional Considerations for System-Wide Configuration on Switch Stacks, page 7-17
  • Page 209: Switch Stack Membership

    Reconnect them to the original switch stack through their StackWise Plus ports. Power on the switches. For more information about cabling and powering switch stacks, see the “Switch Installation” chapter in the hardware installation guide.
  • Page 210 [Figure: blade switches in Enclosure 1 and Enclosure 2, labeled Stack member 1 and Stack member 2 and stack master]
  • Page 211 [Figure: blade switches in one enclosure, labeled Stack member 1 and Stack member 2 and stack master]
  • Page 212: Stack Master Election And Re-Election

    Note stack master. This ensures that the switch is re-elected as stack master if a re-election occurs. The switch that is not using the default interface-level configuration.
  • Page 213 As described in the hardware installation guide, you can use the Master LED on the switch to see if the switch is the stack master.
  • Page 214: Switch Stack Bridge Id And Router Mac Address

    • If you merge switch stacks, the switches that join the switch stack of a new stack master select the lowest available numbers in the stack. For more information about merging switch stacks, see “Switch Stack Membership” section on page 7-3.
  • Page 215: Stack Member Priority Values

  • Page 216: Effects Of Adding A Provisioned Switch To A Switch Stack

    The switch type of the provisioned switch does not match the switch type in the provisioned configuration on the stack.
  • Page 217: Effects Of Replacing A Provisioned Switch In A Switch Stack

    If you remove a provisioned switch from the switch stack, the configuration associated with the removed stack member remains in the running configuration as provisioned information. To completely remove the configuration, use the no switch stack-member-number provision global configuration command.
  • Page 218: Hardware Compatibility And Sdm Mismatch Mode In Switch Stacks

    “Hardware Compatibility and SDM Mismatch Mode in Switch Stacks” section on page 7-12. All stack members must run the same Cisco IOS software image and feature set to ensure compatibility between stack members. For example, all stack members should run the cryptographic universal software image and have the IP services feature set enabled for Cisco IOS Release 12.2(40)EX1 or later.
  • Page 219: Minor Version Number Incompatibility Among Switches

    If you have both StackWise Plus cables connected during the reload, network downtime does not occur because the switch stack operates on two rings.
  • Page 220: Auto-Upgrade And Auto-Advise Example Messages

    *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:archiving cbs31x0-universal-mz.122-40.EX1/cbs31x0-universal-mz.122-40.EX.bin (4945851 bytes) *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:archiving cbs31x0-universal-mz.122-40.EX1/info (450 bytes) *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:archiving info (104 bytes) *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:examining image... *Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:extracting info (104 bytes)
  • Page 221 1 00:01:15.547:%STACKMGR-6-SWITCH_ADDED_VM:Switch 1 has been ADDED to the stack (VERSION_MISMATCH) stack_2# *Mar 1 00:03:15.554:%IMAGEMGR-6-AUTO_COPY_SW_INITIATED:Auto-copy-software process initiated for switch number(s) 1 *Mar 1 00:03:15.554:%IMAGEMGR-6-AUTO_COPY_SW: *Mar 1 00:03:15.554:%IMAGEMGR-6-AUTO_COPY_SW:Searching for stack member to act...
  • Page 222: Incompatible Software And Stack Member Image Upgrades

    Note: We recommend that all stack members run Cisco IOS Release 12.2(40)EX1 or later. The interface-specific settings of the stack master are saved if the stack master is replaced without saving the running configuration to the startup configuration.
  • Page 223: Additional Considerations For System-Wide Configuration On Switch Stacks

    “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Additional Considerations for System-Wide Configuration on Switch Stacks: These sections provide additional considerations for configuring system-wide features on switch stacks: • “Planning and Creating Clusters” chapter in the Getting Started with Cisco Network Assistant, available on Cisco.com • “MAC Addresses and Switch Stacks”...
  • Page 224: Switch Stack Management Connectivity

    For more information about connecting to the switch stack through Ethernet management ports, see the “Using the Internal Ethernet Management Port” section on page 11-13.
  • Page 225: Connectivity To Specific Stack Members

    Make sure that one stack member has a default configuration and that the other stack member has a saved (nondefault) configuration file. Restart both stack members at the same time.
  • Page 226 The stack master is retained. The new switch is added to the switch stack. Through their StackWise Plus ports, connect the new switch to a powered-on switch stack. Power on the new switch.
  • Page 227: Configuring The Switch Stack

    During this time period, if the previous stack master rejoins the stack, the stack continues to use its MAC address as the stack MAC address, even if the switch is now a stack member and not a stack master. If...
  • Page 228 If you enter the no stack-mac persistent timer command after a new stack master takes over, before the time expires, the switch stack moves to the current stack master MAC address.
  • Page 229 (Optional) Save your entries in the configuration file. Use the no stack-mac persistent timer global configuration command to disable the persistent MAC address feature.
  • Page 230: Assigning Stack Member Information

    Reset the stack member. Step 5 show switch Verify the stack member number. Step 6 copy running-config startup-config Save your entries in the configuration file.
  • Page 231: Setting The Stack Member Priority Value

    Step 4 Return to privileged EXEC mode. Step 5 show running-config Verify the correct numbering of interfaces in the running configuration file.
  • Page 232: Accessing The Cli Of A Specific Stack Member

    . Enter exit to return to the CLI Switch-2# Switch# session on the master. Only the show and debug commands are available on a specific member.
  • Page 233: Displaying Switch Stack Information

    • Understanding the show switch stack-ports summary Output, page 7-29 • Identifying Loopback Problems, page 7-30 • Finding a Disconnected Stack Cable, page 7-33 • Fixing a Bad Connection Between Stack Ports, page 7-34
  • Page 234: Manually Disabling A Stack Port

    If Switch 4 is powered on first, you might need to enter the switch 1 stack port 1 enable and the switch 4 stack port 2 enable privileged EXEC commands to bring up the link.
  • Page 235: Understanding The Show Switch Stack-Ports Summary Output

    • No—At least one stack port on the member has an attached stack cable. • Yes—None of the stack ports on the member has an attached stack cable.
  • Page 236: Identifying Loopback Problems

    Length Active Changes Loopback Status To LinkOK -------- ------ -------- -------- ---- ------ ---- --------- -------- Down None 50 cm 50 cm Down None 50 cm
  • Page 237: Software Loopback Example: No Connected Stack Cable

    --------- -------- 50 cm 50 cm – The port status shows that Switch 2 is a standalone switch. – The ports can send and receive traffic.
  • Page 238: Hardware Loopback

    FF01FF00 00017C07 00000000 0000FFFF 0CE60C10 No /No Event type: RAC 0000000154 FF01FF00 860351A5 55A5FFFF FFFFFFFF 0CE60C10 No /No 50 cm 0000000154 FF01FF00 00017C85 00000000 0000FFFF 0CE60C10 No /No
  • Page 239: Hardware Loop Example: Link Not Ok Event

    If you disconnect the cable from Port 2 on Switch 1, these messages appear: %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 1 Switch 2 has changed to state DOWN %STACKMGR-4-STACK_LINK_CHANGE: Stack Port 2 Switch 1 has changed to state DOWN
  • Page 240: Fixing A Bad Connection Between Stack Ports

    • The Cable Length value is 50 cm. The switch detects and correctly identifies the cable. • The connection between Port 2 on Switch 1 and Port 1 on Switch 2 is unreliable on at least one of the connector pins.
  • Page 241: Understanding The Sdm Templates

    • Default—The default template gives balance to all functions. • Access—The access template maximizes system resources for access control lists (ACLs) to accommodate a large number of ACLs.
  • Page 242: Chapter 8 Configuring Sdm Template

    Layer 2 and ACLs for IPv6 on the switch. With the new indirect IPv4 and IPv6 routing template in Cisco IOS Release 12.2(58)SE, you can more IPv6 indirect routes for deployments that have little need for direct IPv6 host route connectivity.
  • Page 243: Sdm Templates And Switch Stacks

    This is an example of a syslog message notifying the stack master that a stack member is in SDM mismatch mode: 2d23h:%STACKMGR-6-SWITCH_ADDED_SDM:Switch 2 has been ADDED to the stack (SDM_MISMATCH) 2d23h:%SDM-6-MISMATCH_ADVISE: 2d23h:%SDM-6-MISMATCH_ADVISE: 2d23h:%SDM-6-MISMATCH_ADVISE:System (#2) is incompatible with the SDM...
  • Page 244: Configuring The Switch Sdm Template

    • Use the indirect-ipv4-and-ipv6-routing template to provide more space for IPv4 and IPv6 summary or indirect routes by providing less space for IPv4 policy-based routing entries and IPv6 ACL, QoS, and policy-based routes.
  • Page 245: Setting The Sdm Template

    If you enter the show sdm prefer command before you enter the reload privileged EXEC command, the show sdm prefer command shows the template currently in use and the template that will become active after a reload.
  • Page 246: Displaying The Sdm Templates

    0.5K number of security aces:
  • Page 247 0.5K number of IPv4/MAC security aces: 0.5K number of IPv6 policy based routing aces: 0.25K number of IPv6 qos aces: 0.5K number of IPv6 security aces: 0.5K
  • Page 248 Chapter 8 Configuring SDM Templates Displaying the SDM Templates
  • Page 249 IP address. The SXP control protocol allows tagging packets with SCTs without a hardware upgrade, and runs between access layer devices at the Cisco TrustSec domain edge and distribution layer devices within the Cisco TrustSec domain. The blade switches operate as access layer switches in the Cisco TrustSec network.
  • Page 250: C H A P T E R 9 Configuring Ieee 802.1X Port-Based Authentication

    Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
  • Page 251: Device Roles

    Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 252: Authentication Process

    If Multi Domain Authentication (MDA) is enabled on a port, this flow can be used with some exceptions that are applicable to voice authorization. For more information on MDA, see the “Multidomain Authentication” section on page 9-30.
  • Page 253 After 802.1x authentication using a RADIUS server is configured, the switch uses timers based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute [29]). The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which re-authentication occurs.
  • Page 254: Authentication Initiation And Message Exchange

    The specific exchange of EAP frames depends on the authentication method being used. Figure 9-3 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server.
  • Page 255 MAC authentication bypass. Figure 9-4: Message Exchange During MAC Authentication Bypass [Figure: client, switch, and authentication server (RADIUS); messages shown are EAPOL Request/Identity (three times), Ethernet packet, RADIUS Access/Request, and RADIUS Access/Accept]
  • Page 256: Authentication Manager

    Understanding IEEE 802.1x Port-Based Authentication Authentication Manager In Cisco IOS Release 12.2(46)SE and earlier, you could not use the same authorization methods, including CLI commands and messages, on this switch and also on other network devices, such as Catalyst 6000 switches.
  • Page 257: Per-User Acls And Filter-Ids

    ACL configured on another device running Cisco IOS software, such as a Catalyst 6000 switch. In Cisco IOS Release 12.2(50)SE or later, the ACLs configured on the switch are compatible with other devices running Cisco IOS release.
  • Page 258: Authentication Manager

    Beginning with Cisco IOS Release 12.2(55)SE, you can filter out verbose system messages generated by the authentication manager. The filtered content typically relates to authentication success. You can also filter verbose messages for 802.1x authentication and MAB authentication. There is a separate...
  • Page 259: Ports In Authorized And Unauthorized States

    If the link state of a port changes from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state.
  • Page 260: Authentication And Switch Stacks

    In this topology, the wireless access point is responsible for authenticating the clients attached to it, and it also acts as a client to the switch.
  • Page 261: Multiple Authentication Mode

    When a port is in multiple-authentication mode, the guest VLAN and authentication-failed VLAN features do not activate. Beginning with Cisco IOS Release 12.2(55)SE, you can assign a RADIUS-server-supplied VLAN in multi-auth mode, under these conditions: The host is the first host authorized on the port, and the RADIUS server supplies VLAN information.
  • Page 262: Mac Move

    “Enabling MAC Move” section on page 9-48. MAC Replace Beginning with Cisco IOS Release 12.2(55)SE, the MAC replace feature can be configured to address the violation that occurs when a host attempts to connect to a port where another host was previously authenticated.
  • Page 263: Accounting

    … Always; Attribute[5] NAS-Port: Always, Always, Always; Attribute[8] Framed-IP-Address: Never, Sometimes, Sometimes; Attribute[25] Class: Always, Always, Always; Attribute[30] Called-Station-ID: Always, Always, Always; Attribute[31] Calling-Station-ID: Always, Always, Always
  • Page 264: Readiness Check

    DHCP snooping bindings table. You can view the AV pairs that are being sent by the switch by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2.
  • Page 265 Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch: – [64] Tunnel-Type = VLAN – [65] Tunnel-Medium-Type = 802 – [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
  • Page 266: Authentication With Per-User Acls

    If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
  • Page 267: X Authentication With Downloadable Acls And Redirect Urls

    ACL only to the phone as part of the authorization policies. Beginning with Cisco IOS Release 12.2(55)SE, if there is no static ACL on a port, a dynamic auth-default ACL is created, and policies are enforced before dACLs are downloaded and applied.
  • Page 268: Cisco Secure Acs And Attribute-Value Pairs For The Redirect Url

    The switch then forwards the client web browser to the specified redirect address. The url-redirect AV pair on the Cisco Secure ACS contains the URL to which the web browser is redirected. The url-redirect-acl AV pair contains the name or number of an ACL that specifies the HTTP or HTTPS traffic to redirect.
  • Page 269: Cisco Secure Acs And Attribute-Value Pairs For Downloadable Acls

    ACL, this ACL takes precedence over the default ACL that is configured on the switch port. However, if the switch receives a host access policy from the Cisco Secure ACS but the default ACL is not configured, the authorization failure is declared.
  • Page 270: Authentication With Restricted Vlan

    A restricted VLAN allows users without valid credentials in an authentication server (typically, visitors to an enterprise) to access a limited set of services. The administrator can control the services available to the restricted VLAN.
  • Page 271: Authentication With Inaccessible Authentication Bypass

    RADIUS servers are unavailable, the switch grants network access to the host and puts the port in the critical-authentication state, which is a special case of the authentication state.
  • Page 272: Support On Multiple-Authentication Ports

    If all the RADIUS servers are not available and the client is connected to a critical port, the switch authenticates the client and puts the critical port in the critical-authentication state in the RADIUS-configured or user-specified access VLAN.
  • Page 273: X Authentication With Voice Vlan Ports

    A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it.
  • Page 274: User Distribution

    Note: If you enable 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds. For more information about voice VLANs, see Chapter 15, “Configuring Voice VLAN.”...
  • Page 275: X User Distribution Configuration Guidelines

    802.1x-capable supplicant and uses 802.1x authentication (not MAC authentication bypass) to authorize the interface. EAPOL history is cleared if the interface link status goes down.
  • Page 276: Network Admission Control Layer 2 802.1X Validation

    For more configuration information, see the “Authentication Manager” section on page 9-8. Cisco IOS Release 12.2(55)SE and later supports filtering of verbose MAB system messages. See the “Authentication Manager CLI Commands” section on page 9-9. Network Admission Control Layer 2 802.1x Validation The switch supports the Network Admission Control (NAC) Layer 2 802.1x validation, which checks...
  • Page 277: Flexible Authentication Ordering

  • Page 278: Multidomain Authentication

    The switch supports multidomain authentication (MDA), which allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.
  • Page 279: Voice Aware 802.1X Security

    • Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing user traffic from multiple VLANs coming from supplicant switches. Configure the cisco-av-pair as device-traffic-class=switch at the ACS. (You can configure this under the group or the user settings.)
  • Page 280: Guidelines

    • The IP address of the Network Access Device (NAD) • A monotonically increasing unique 32 bit integer • The session start time stamp (a 32 bit integer)
  • Page 281: Configuring 802.1X Authentication

    • Configuring the Inaccessible Authentication Bypass Feature, page 9-53 (optional) • Configuring 802.1x Authentication with WoL, page 9-57 (optional) • Configuring MAC Authentication Bypass, page 9-57 (optional)
  • Page 282: Default 802.1X Authentication Configuration

    Retransmission time 30 seconds (number of seconds that the switch should wait for a response to an EAP request/identity frame from the client before resending the request).
  • Page 283: X Authentication Configuration Guidelines

    The 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed ports, but it is not supported on these port types:
  • Page 284: Vlan Assignment, Guest Vlan, Restricted Vlan, And Inaccessible Authentication Bypass

    EtherChannel configuration from the interfaces on which 802.1x authentication and EtherChannel are configured. • If you are using a device running the Cisco Access Control Server (ACS) application for IEEE 802.1x authentication with EAP-Transparent LAN Services (TLS) and EAP-MD5, make sure that the device is running ACS Version 3.2.1 or later.
  • Page 285: Mac Authentication Bypass

    • In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN. • In multidomain authentication (MDA) mode, one device is allowed for the access VLAN, and one...
  • Page 286: Configuring 802.1X Violation Modes

    To allow per-user ACLs or VLAN assignment, you must enable AAA authorization to configure the switch for all network-related service requests.
  • Page 287 IEEE 802.1x authentication, and enter interface configuration mode. Step 9 switchport mode access (Optional) Set the port to access mode only if you configured the RADIUS server in Step 6 and Step 7.
  • Page 288: Configuring 802.1X Readiness Check

    (Optional) Configure the timeout used to wait for EAPOL response. The range is from 1 to 65535 seconds. The default is 10 seconds.
  • Page 289: Configuring Voice Aware 802.1X Security

    Note: If the shutdown vlan keywords are not included, the entire port enters the error-disabled state and shuts down. Step 3 errdisable recovery cause security-violation (Optional) Enable automatic per-VLAN error recovery.
  • Page 290: Configuring The Switch-To-Radius-Server Communication

    The RADIUS host entries are tried in the order that they were configured.
  • Page 291 You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.
  • Page 292: Configuring The Host Mode

    Use the multi-domain keyword to configure and enable multidomain authentication (MDA), which allows both a host and a voice device, such as an IP phone (Cisco or non-Cisco), on the same switch port. This procedure is optional.
  • Page 293: Configuring Periodic Re-Authentication

    This example shows how to enable periodic re-authentication and set the number of seconds between re-authentication attempts to 4000:
    Switch(config-if)# authentication periodic
    Switch(config-if)# authentication timer reauthenticate 4000
  • Page 294: Manually Re-Authenticating A Client Connected To A Port

    You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
  • Page 295: Setting The Switch-To-Client Frame-Retransmission Number

    Return to privileged EXEC mode.
    Step 5: show authentication interface interface-id - Verify your entries.
    Step 6: copy running-config startup-config - (Optional) Save your entries in the configuration file.
  • Page 296: Setting The Re-Authentication Number

    Beginning in privileged EXEC mode, follow these steps to globally enable MAC move on the switch. This procedure is optional.
    Command - Purpose
    configure terminal - Enter global configuration mode.
    authentication mac-move permit - Enable...
  • Page 297: Enabling Mac Replace

    (Optional) Saves your entries in the configuration file.
    This example shows how to enable MAC replace on an interface:
    Switch(config)# interface gigabitethernet2/0/2
    Switch(config-if)# authentication violation replace
  • Page 298: Configuring 802.1X Accounting

    Switch(config)# radius-server host 172.120.39.46 auth-port 1812 acct-port 1813 key rad123
    Switch(config)# aaa accounting dot1x default start-stop group radius
    Switch(config)# aaa accounting system default start-stop group radius
  • Page 299: Configuring A Guest Vlan

    VLAN 2 as an IEEE 802.1x guest VLAN when an 802.1x port is connected to a DHCP client:
    Switch(config-if)# authentication timer inactivity 3
    Switch(config-if)# authentication timer reauthenticate 15
    Switch(config-if)# authentication event no-response action authorize vlan 2
  • Page 300: Configuring A Restricted Vlan

    Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “802.1x Authentication Configuration Guidelines” section on page 9-35.
  • Page 301: Configuring The Inaccessible Authentication Bypass Feature

    (Optional) Set the number of minutes that a RADIUS server is not sent requests. The range is from 0 to 1440 minutes (24 hours). The default is 0 minutes.
  • Page 302 The range is from 1 to 10000 milliseconds. The default is 1000 milliseconds (a port can be re-initialized every second).
  • Page 303
    Switch(config)# dot1x critical recovery delay 2000
    Switch(config)# radius-server deadtime 60
    Switch(config)# interface gigabitethernet 1/0/1
    Switch(config-if)# dot1x critical
    Switch(config-if)# dot1x critical recovery action reinitialize
    Switch(config-if)# dot1x critical vlan 20
    Switch(config-if)# end
  • Page 304: Configuring 802.1X User Distribution

    This example shows how to clear all the VLAN groups:
    switch(config)# no vlan group end-dept vlan-list all
    switch(config)# show vlan-group all
    For more information about these commands, see the Cisco IOS Security Command Reference.
  • Page 305: Configuring 802.1X Authentication With Wol

    MAC authentication bypass (MAB) to the order of authentication methods.
    • webauth—Add web authentication to the order of authentication methods.
    Step 5 Return to privileged EXEC mode.
  • Page 306: Configuring Nac Layer 2 802.1X Validation

    (Optional) Save your entries in the configuration file.
    This example shows how to configure NAC Layer 2 802.1x validation:
    Switch# configure terminal
    Switch(config)# interface gigabitethernet2/0/1
    Switch(config-if)# authentication periodic
    Switch(config-if)# authentication timer reauthenticate
  • Page 307: Configuring An Authenticator And A Supplicant Switch With Neat

    9-31. Note The cisco-av-pairs must be configured as device-traffic-class=switch on the ACS, which sets the interface as a trunk after the supplicant is successfully authenticated. Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator:...
  • Page 308: Configuring Neat With Asp

    You must configure a downloadable ACL on the ACS before downloading it to the switch. Note After authentication on the port, you can use the show ip access-list privileged EXEC command to display the downloaded ACLs on the port.
  • Page 309: Configuring Downloadable Acls

    Note: The acl-id is an access list name or number.
    Step 8: show running-config interface interface-id - Verify your configuration.
    Step 9: copy running-config startup-config - (Optional) Save your entries in the configuration file.
  • Page 310: Configuring A Downloadable Policy

    ARP probe. The range is from 30 to 300 seconds. The default is 30 seconds.
    • use-svi—Uses the switch virtual interface (SVI) IP address as source of ARP probes.
  • Page 311: Configuring Vlan Id-Based Mac Authentication

    There is no show command to confirm the status of VLAN ID-based MAC authentication. You can use the debug radius accounting privileged EXEC command to confirm the RADIUS attribute 32. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2 at this URL: http://www.cisco.com/en/US/docs/ios/debug/command/reference/db_q1.html#wp1123741...
  • Page 312: Configuring Flexible Authentication Ordering

    (Optional) Enable or disable reauthentication on a port.
    Step 9: authentication port-control {auto | force-authorized | force-unauthorized} - (Optional) Enable manual control of the port authorization state.
  • Page 313: Disabling 802.1X Authentication On The Port

    This example shows how to disable 802.1x authentication on the port:
    Switch(config)# interface gigabitethernet2/0/1
    Switch(config-if)# no dot1x pae authenticator
  • Page 314: Resetting The 802.1X Authentication Configuration To The Default Values

    EXEC command. Beginning with Cisco IOS Release 12.2(55)SE, you can use the no dot1x logging verbose global configuration command to filter verbose 802.1x authentication messages. See the “Authentication...
  • Page 315: Understanding Web-Based Authentication

    If the user exceeds the maximum number of attempts, web-based authentication forwards a Login-Expired HTML page to the host, and the user is placed on a watch list for a waiting period.
  • Page 316: C H A P T E R 10 Configuring Web-Based Authentication

    The switch maintains an IP device tracking table to store information about detected hosts.
    Note: By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking feature to use web-based authentication.
  • Page 317: Session Creation

    The terminate action is included in the response from the server.
    • If the terminate action is default, the session is dismantled, and the applied policy is removed.
  • Page 318: Local Web Authentication Banner

    You create a banner by using the ip admission auth-proxy-banner http global configuration command. The default banner Cisco Systems and Switch host-name Authentication appear on the Login Page. Cisco Systems appears on the authentication result pop-up page, as shown in Figure 10-2.
  • Page 319 Login Screen With No Banner For more information, see the Cisco IOS Security Command Reference and the “Configuring a Web Authentication Local Banner” section on page 10-16.
  • Page 320: Web Authentication Customizable Web Pages

    • You must include an HTML redirect command in the success page to access a specific URL.
    • The URL string must be a valid URL (for example, http://www.cisco.com). An incomplete URL might cause page not found or similar errors on a web browser.
  • Page 321: Web-Based Authentication Interactions With Other Features

    You can then limit the number or group of clients that can access the network through the port. For more information about enabling port security, see the “Configuring Port Security” section on page 26-9.
  • Page 322: Gateway Ip

    ACLs
    If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic only after the web-based authentication host policy is applied. For Layer 2 web-based authentication, you must configure a port ACL (PACL) as the default access policy for ingress traffic from hosts connected to the port.
  • Page 323: Configuring Web-Based Authentication

    • You must configure the default ACL on the interface before configuring web-based authentication. Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface.
    • You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts...
  • Page 324: Web-Based Authentication Configuration Task List

    This example shows how to enable web-based authentication on Fast Ethernet port 5/1:
    Switch(config)# ip admission name webauth1 proxy http
    Switch(config)# interface fastethernet 5/1
    Switch(config-if)# ip admission webauth1
    Switch(config-if)# exit
    Switch(config)# ip device tracking
  • Page 325: Configuring Aaa Authentication

    RADIUS security servers identification:
    • Host name
    • Host IP address
    • Host name and specific UDP port numbers
    • IP address and specific UDP port numbers
  • Page 326 For more information, see Cisco IOS Security Configuration Guide, Release 12.2 and the Cisco IOS Security Command Reference, Release 12.2 at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html
  • Page 327: Configuring The Http Server

    device:success-filename - Specify the location of the custom HTML file to use in place of the default login success page.
  • Page 328
    Authentication global init state time is 2 minutes
    Authentication Proxy Session ratelimit is 100
    Authentication Proxy Watch-list is disabled
    Authentication Proxy Auditing is disabled
    Max Login attempts per user is 5
  • Page 329: Specifying A Redirection Url For Successful Login

    (Optional) Save your entries in the configuration file.
    This example shows how to set the maximum number of failed login attempts to 10:
    Switch(config)# ip admission max-login-attempts 10
  • Page 330: Configuring A Web Authentication Local Banner

    This example shows how to remove the web-based authentication session for the client at the IP address 209.165.201.1:
    Switch# clear ip auth-proxy cache 209.165.201.1
  • Page 331: Displaying Web-Based Authentication Status

    This example shows how to view only the global web-based authentication status:
    Switch# show authentication sessions
    This example shows how to view the web-based authentication settings for gigabit interface 3/27:
    Switch# show authentication sessions interface gigabitethernet 3/27
  • Page 333: Understanding Interface Types

    Monitoring and Maintaining the Interfaces, page 11-29
    Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the online Cisco IOS Interface Command Reference, Release 12.2.
    Understanding Interface Types
    This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interface types.
  • Page 334: C H A P T E R 11 Configuring Interface Characteristics

    When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration.
  • Page 335: Access Ports

    Catalyst 6500 series switch; the switch cannot be a VMPS server. You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 15, “Configuring Voice VLAN.”...
  • Page 336: Routed Ports

    VLANs, or to provide IP host connectivity to the switch. By default, an SVI is created for the default VLAN (VLAN 1) to permit remote switch administration. Additional SVIs must be explicitly configured.
    Note: You cannot delete interface VLAN 1.
  • Page 337: Svi Autostate Exclude

    VLAN go down. You can use the SVI autostate exclude feature to configure a port so that it is not included in the SVI line-state up-and-down calculation. For example, if the only active port on the VLAN...
  • Page 338: Etherchannel Port Groups

    Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. Exceptions are the DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP), which operate only on physical ports.
  • Page 339 SVIs or routed ports to bridge groups with each SVI or routed port assigned to only one bridge group. All interfaces in the same group belong to the same bridge domain. For more information, see Chapter 47, “Configuring Fallback Bridging.”
  • Page 340: Using Interface Configuration Mode

    21 to 24 (for example, gigabitethernet1/0/23). On a switch with Cisco dual SFP X2 converter modules in the 10-Gigabit Ethernet module slots, the external 10/100/1000 ports are numbered from 17 to 20 (for example, gigabitethernet1/0/18), and the SFP module ports are numbered from 21 to 24 (for example, gigabitethernet1/0/22).
  • Page 341: Procedures For Configuring Interfaces

    When you enter the interface-range configuration mode, all command parameters that you enter are attributed to all interfaces within that range until you exit this mode.
  • Page 342 - {last port}, where the module is always 0 (for nonstacking-capable switches)
    – gigabitethernet stack member/module/{first port} - {last port}, where the module is always 0 (for stacking-capable switches)
  • Page 343 If you exit interface-range configuration mode while the commands are being executed, some commands might not be executed on all interfaces in the range. Wait until the command prompt reappears before exiting interface-range configuration mode.
  • Page 344: Configuring And Using Interface Range Macros

    • You must add a space between the first interface number and the hyphen when entering an interface-range. For example, gigabitethernet1/0/1 - 4 is a valid range; gigabitethernet1/0/1-4 is not a valid range.
  • Page 345: Using The Internal Ethernet Management Port

    11-2). You assign the IP addresses to the management port through the CMC or by the DHCP server. You can manage the switch through these IP addresses.
  • Page 346 PC as shown in Figure 11-2.
    Figure 11-2 Connecting a Switch to a PC (figure labels: Uplink ports, Blade switch, Network, Internal Ethernet management port)
  • Page 347 Module to the PC. In a stack that has members in multiple enclosures, the PC must be connected to the Chassis Management Module of the enclosure with the stack master. The PC should also be able to access all of the enclosure OAs.
  • Page 348 By default, the Ethernet management port is enabled. The switch cannot route packets from the Ethernet management port to a network port and the reverse.
  • Page 349: Supported Features On The Ethernet Management Port

    To avoid this problem, use VRF or configure a static route to forward the packets to specific hosts and networks.
  • Page 350: Monitoring The Ethernet Management Port

    Loads and boots an executable image from the TFTP server and enters the command-line interface. For more details, see the command reference for this release.
    copy tftp:/source-file-url - Copies a Cisco IOS image from the TFTP server to the specified filesystem:/destination-file-location. For more details, see the command reference for this release.
  • Page 351: Default Ethernet Interface Configuration

    Disabled (Layer 2 interfaces only). See the “Configuring Protected Ports” section on page 26-6.
    Port security: Disabled (Layer 2 interfaces only). See the “Default Port Security Configuration” section on page 26-11.
  • Page 352: Configuring Interface Speed And Duplex Mode

    When STP is enabled and a port is reconfigured, the switch can take up to 30 seconds to check for loops. The port LED is amber while STP reconfigures.
  • Page 353: Setting The Interface Speed And Duplex Parameters

    Use the no speed and no duplex interface configuration commands to return the interface to the default speed and duplex settings (autonegotiate). To return all interface settings to the defaults, use the default interface interface-id interface configuration command.
  • Page 354: Configuring Ieee 802.3X Flow Control

    Return to privileged EXEC mode.
    Step 5: show interfaces interface-id - Verify the interface flow control settings.
    Step 6: copy running-config startup-config - (Optional) Save your entries in the configuration file.
  • Page 355: Configuring Auto-Mdix On An Interface

    interface-id phy - Verify the operational state of the auto-MDIX feature on the interface.
    Step 8: copy running-config startup-config - (Optional) Save your entries in the configuration file.
  • Page 356: Adding A Description For An Interface

    Switch(config)# interface gigabitethernet1/0/2
    Switch(config-if)# description Connects to Marketing
    Switch(config-if)# end
    Switch# show interfaces gigabitethernet1/0/2 description
    Interface   Status       Protocol   Description
    Gi1/0/2     admin down   down       Connects to Marketing
  • Page 357: Configuring Layer 3 Interfaces

    Furthermore, when you put an interface that is in Layer 2 mode into Layer 3 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration.
  • Page 358: Configuring Svi Autostate Exclude

    Exclude the access or trunk port when defining the status of an SVI line state (up or down).
    Step 4 Return to privileged EXEC mode.
  • Page 359: Configuring The System Mtu

    Cisco IOS configuration file, even if you enter the copy running-config startup-config privileged EXEC command. Therefore, if you use TFTP to configure a new switch by using a backup...
  • Page 360 This example shows the response when you try to set Gigabit Ethernet interfaces to an out-of-range number:
    Switch(config)# system mtu jumbo 25000
    % Invalid input detected at '^' marker.
  • Page 361: Monitoring And Maintaining The Interfaces

    Display the hardware configuration, software version, the names and sources of configuration files, and the boot images.
    show controllers ethernet-controller interface-id - Display the operational state of the auto-MDIX feature on the interface.
  • Page 362: Clearing And Resetting Interfaces And Counters

    Use the no shutdown interface configuration command to restart the interface. To verify that an interface is disabled, enter the show interfaces privileged EXEC command. A disabled interface is shown as administratively down in the display.
  • Page 363: Understanding Smartports Macros

    Use this interface configuration macro for increased network security and reliability when connecting a desktop device, such as a PC, to a switch port.
  • Page 364: C H A P T E R 12 Configuring Smartports Macros

    Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
  • Page 365 Cisco-default macro with the required values by using the parameter value keywords. The Cisco-default macros use the $ character to help identify required keywords. There is no restriction on using the $ character to define keywords when you create a macro.
  • Page 366: Creating Smartports Macros

    MAC addresses and also includes two help string keywords by using # macro keywords:
    Switch(config)# macro name test
    switchport access vlan $VLANID
    switchport port-security maximum $MAX
    #macro keywords $VLANID $MAX
  • Page 367: Applying Smartports Macros

    You can delete a global macro-applied configuration on a switch only by entering the no version of each command that is in the macro. You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command.
  • Page 368: Applying Cisco-Default Smartports Macros

    (Optional) Enter interface configuration mode, and specify the interface on which to apply the macro.
    Step 6: default interface interface-id - (Optional) Clear all configuration from the specified interface.
  • Page 369 You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command. This example shows how to display the cisco-desktop macro, how to apply the macro, and to set the access VLAN ID to 25 on an interface:...
  • Page 370: Displaying Smartports Macros

    Displays the configured macro names.
    show parser macro description [interface interface-id] - Displays the macro description for all interfaces or for a specified interface.
  • Page 371: Understanding Vlans

    Note: Before you create VLANs, you must decide whether to use VLAN Trunking Protocol (VTP) to maintain global VLAN configuration for your network. For more information on VTP, see Chapter 14, “Configuring VTP.”
  • Page 372: Supported Vlans

    VTP transparent mode when you create VLAN IDs from 1006 to 4094. Cisco IOS Release 12.2(52)SE and later support VTP version 3. VTP version 3 supports the entire...
  • Page 373: Chapter 13 Configuring Vlan

    For configuration information, see the “Configuring Dynamic-Access Ports on VMPS Clients” section on page 13-29.
  • Page 374: Configuring Normal-Range Vlans

    Voice VLAN
    VLAN Membership Characteristics: A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic...
    VTP Characteristics: VTP is not required; it has no effect on a voice VLAN.
  • Page 375
    • Default Ethernet VLAN Configuration, page 13-8
    • Creating or Modifying an Ethernet VLAN, page 13-8
    • Deleting a VLAN, page 13-9
    • Assigning Static-Access Ports to a VLAN, page 13-10
  • Page 376: Token Ring Vlans

    IEEE 802.1s Multiple STP (MSTP) on your switch to map multiple VLANs to a single spanning-tree instance. For more information about MSTP, see Chapter 19, “Configuring MSTP.”
  • Page 377: Configuring Normal-Range Vlans

    In VTP versions 1 and 2, if VTP mode is server, the domain name and VLAN configuration for only the first 1005 VLANs use the VLAN database information. VTP version 3 also supports VLANs 1006 to 4094.
  • Page 378: Default Ethernet Vlan Configuration

    VLANs” section on page 13-11. For the list of default parameters that are assigned when you add a VLAN, see the “Configuring Normal-Range VLANs” section on page 13-4.
  • Page 379: Deleting A Vlan

    Caution: When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN.
  • Page 380: Assigning Static-Access Ports To A Vlan

    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# interface gigabitethernet2/0/1
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport access vlan 2
    Switch(config-if)# end
  • Page 381: Configuring Extended-Range Vlans

    VLANs. If the number of VLANs on the switch exceeds the maximum number of spanning-tree instances,...
  • Page 382: Creating An Extended-Range Vlan

    Extended-Range VLAN with an Internal VLAN ID” section on page 13-13 before creating the extended-range VLAN.
  • Page 383: Creating An Extended-Range Vlan With An Internal Vlan Id

    VLAN is rejected. To manually free an internal VLAN ID, you must temporarily shut down the routed port that is using the internal VLAN ID.
  • Page 384: Displaying Vlans

    Display parameters for all VLANs or the specified VLAN on the switch. For more details about the show command options and explanations of output fields, see the command reference for this release.
  • Page 385: Configuring Vlan Trunks

    13-4). You can set an interface as trunking or nontrunking or to negotiate trunking with the neighboring interface. To autonegotiate trunking, the interfaces must be in the same VTP domain. Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide 13-15 OL-13270-06...
  • Page 386 negotiate: Specifies that the interface negotiate with the neighboring interface to become an IEEE 802.1Q trunk, depending on the configuration and capabilities of the neighboring interface. This is the default for the switch.
  • Page 387: Ieee 802.1Q Configuration Considerations

    VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
  • Page 388: Configuring An Ethernet Interface As A Trunk Port

    IEEE 802.1x on a dynamic port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to dynamic, the port mode is not changed.
  • Page 389: Configuring A Trunk Port

    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# interface gigabitethernet1/0/2
    Switch(config-if)# switchport mode dynamic desirable
    Switch(config-if)# switchport trunk encapsulation dot1q
    Switch(config-if)# end
  • Page 390: Defining The Allowed Vlans On A Trunk

    Note: VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.
  • Page 391: Changing The Pruning-Eligible List

    (Optional) Save your entries in the configuration file. To return to the default pruning-eligible list of all VLANs, use the no switchport trunk pruning vlan interface configuration command.
  • Page 392: Configuring The Native Vlan For Untagged Traffic

    STP path costs, each load-sharing link can be connected to the same switch or to two different switches. For more information about STP, see Chapter 18, “Configuring STP.”
  • Page 393: Load Sharing Using Stp Port Priorities

    The domain name can be 1 to 32 characters.
    Step 3 vtp mode server Configure Switch A as the VTP server.
    Step 4 Return to privileged EXEC mode.
  • Page 394: Load Sharing Using Stp Path Cost

    VLANs, blocking different ports for different VLANs. The VLANs keep the traffic separate and maintain redundancy in the event of a lost link.
  • Page 395 Step 12 spanning-tree vlan 2-4 cost 30 Set the spanning-tree path cost to 30 for VLANs 2 through 4.
    Step 13 Return to global configuration mode.
  • Page 396: Configuring Vmps

    access-denied response.
    • If the VLAN is not allowed on the port and the VMPS is in secure mode, the VMPS sends a port-shutdown response.
  • Page 397: Dynamic-Access Port Vlan Membership

    Default VMPS Client and Dynamic-Access Port Configuration
    Feature: Default Setting
    VMPS domain server: None
    VMPS reconfirm interval: 60 minutes
    VMPS server retry count
    Dynamic-access ports: None configured
  • Page 398: Vmps Configuration Guidelines

    (Optional) Enter the IP address of the switch acting as a secondary VMPS server. You can enter up to three secondary server addresses.
    Step 4 Return to privileged EXEC mode.
  • Page 399: Configuring Dynamic-Access Ports On Vmps Clients

    VMPS:
    Command Purpose
    Step 1 vmps reconfirm Reconfirm dynamic-access port VLAN membership.
    Step 2 show vmps Verify the dynamic VLAN reconfirmation status.
  • Page 400: Changing The Reconfirmation Interval

    • Server Retry Count—the number of times VQP resends a query to the VMPS. If no response is received after this many tries, the switch starts to query the secondary VMPS.
  • Page 401: Troubleshooting Dynamic-Access Port Vlan Membership

    • End stations are connected to the clients, Switch B and Switch I.
    • The database configuration file is stored on the TFTP server with the IP address 172.20.22.7.
  • Page 402 [Figure: network diagram; labels include Switch G, Switch H, Client switch I, Switch J, Dynamic-access port, Trunk port, Catalyst 6500 series, Secondary VMPS, Server 2, Server 3.]
  • Page 403: Understanding Vtp

    When a switch joins the stack or when stacks merge, the new switches get VTP information from the stack master.
  • Page 404: Chapter 14 Configuring Vtp

    VLAN in a suspended state. VTP version 1 and version 2 support only normal-range VLANs (VLAN IDs 1 to 1005). Cisco IOS Release 12.2(52)SE and later support VTP version 3. VTP version 3 supports the entire VLAN range (VLANs 1 to 4094).
  • Page 405: Vtp Modes

    A switch in VTP off mode functions in the same manner as a VTP transparent switch, except that it does not forward VTP advertisements on trunks.
  • Page 406: Vtp Advertisements

    TLVs it is not able to parse. The unrecognized TLV is saved in NVRAM when the switch is operating in VTP server mode.
  • Page 407: Vtp Version 3

    For example, you can configure the switch as a VTP server for the VLAN database but with VTP off for the MST database.
  • Page 408: Vtp Pruning

    F have no ports in the Red VLAN.
    [Figure 14-1: Flooding Traffic without VTP Pruning]
  • Page 409 You can set VLAN pruning-eligibility, whether or not VTP pruning is enabled for the VTP domain, whether or not any given VLAN exists, and whether or not the interface is currently trunking.
  • Page 410: Vtp And Switch Stacks

    VTP mode (VTP version 1 and version 2): Server.
    VTP mode (VTP version 3): The mode is the same as the mode in VTP version 1 or 2 before conversion to version 3.
  • Page 411: Vtp Configuration Guidelines

    VLAN configuration of that domain. Make sure that you configure at least one switch in the VTP domain for VTP server mode.
  • Page 412: Passwords

    2. If there is a version 1-only switch, it does not exchange VTP information with switches that have version 2 enabled.
    • Cisco recommends placing VTP version 1 and 2 switches at the edge of the network because they...
  • Page 413: Configuration Requirements

    However, a VTP transparent switch running VTP version 2 does forward received VTP advertisements on its trunk links.
    • VTP off mode is the same as VTP transparent mode except that VTP advertisements are not forwarded.
  • Page 414 (Optional) Configure the database: unknown}
    • vlan—the VLAN database is the default if none are configured.
    • mst—the multiple spanning tree (MST) database.
    • unknown—an unknown database type.
  • Page 415: Configuring A Vtp Version 3 Password

    • (Optional) secret—Enter secret to directly configure the password. The secret password must contain 32 hexadecimal characters.
    Step 3 Return to privileged EXEC mode.
  • Page 416: Configuring A Vtp Version 3 Primary Server

    VTP Database Conf Switch ID Primary Server Revision System Name
    ------------ ---- -------------- -------------- -------- --------------------
    VLANDB 00d0.00b8.1400=00d0.00b8.1400 1 stp7
    Do you want to continue (y/n) [n]? y
  • Page 417: Enabling The Vtp Version

    Token Ring VLAN switching to function properly. For Token Ring and Token Ring-Net media, VTP version 2 must be disabled.
    • VTP version 3 is supported on switches running Cisco IOS Release 12.2(52)SE or later.
    • In VTP version 3, both the primary and secondary servers can exist on an instance in the domain.
  • Page 418: Enabling Vtp Pruning

    Verify the change to the port. interface-id
    Step 6 show vtp status Verify the configuration.
    To disable VTP on the interface, use the no vtp interface configuration command.
  • Page 419: Adding A Vtp Client Switch To A Vtp Domain

    Note: You can use the vtp mode transparent global configuration command to disable VTP on the switch and then to change its VLAN information without affecting the other switches in the VTP domain.
  • Page 420: Monitoring Vtp

    Display the VTP switch configuration information.
  • Page 421: Understanding Voice Vlan

    The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When the switch is connected to a Cisco 7960 IP Phone, the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS.
  • Page 422: Chapter 15 Configuring Voice Vlan

    Cisco IP Phone Voice Traffic You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports on...
  • Page 423: Configuring Voice Vlan

    For more information, see Chapter 37, “Configuring QoS.”
    • You must enable CDP on the switch port connected to the Cisco IP Phone to send the configuration to the phone. (CDP is globally enabled by default on all switch interfaces.)...
  • Page 424: Configuring A Port Connected To A Cisco 7960 Ip Phone

    • If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN:...
  • Page 425: Configuring Cisco Ip Phone Voice Traffic

    You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value.
  • Page 426: Configuring The Priority Of Incoming Data Frames

    You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.1p frames), you can configure the switch to send CDP packets to instruct the phone how to send data packets from the device attached to the access port on the Cisco IP Phone.
  • Page 427: Displaying Voice Vlan

    (Optional) Save your entries in the configuration file. startup-config
    This example shows how to configure a port connected to a Cisco IP Phone to not change the priority of frames received from the PC or the attached device:
    Switch# configure terminal
    Enter configuration commands, one per line....
  • Page 428 Chapter 15 Configuring Voice VLAN Displaying Voice VLAN
  • Page 429: Understanding Private Vlans

    VLAN. A private VLAN can have multiple VLAN pairs, one pair for each subdomain. All VLAN pairs in a private VLAN share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another. See Figure 16-1.
  • Page 430: Chapter 16 Configuring Private Vlan

    These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN.
    Note: Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.
  • Page 431: Ip Addressing Scheme With Private Vlans

    VLANs, but in the same primary VLAN. When new devices are added, the DHCP server assigns them the next available address from a large pool of subnet addresses.
  • Page 432: Private Vlans Across Multiple Switches

    (SDM) template to balance system resources between unicast routes and Layer 2 entries. If another SDM template is configured, use the sdm prefer default global configuration command to set the default template. See Chapter 8, “Configuring SDM Templates.”
  • Page 433: Private-Vlan Interaction With Other Features

    VLAN is propagated to the secondary VLAN SVIs. For example, if you assign an IP subnet to the primary VLAN SVI, this subnet is the IP subnet address of the entire private VLAN.
  • Page 434: Private Vlans And Switch Stacks

    Step 4 Configure interfaces as promiscuous ports, and map the promiscuous ports to the primary-secondary VLAN pair. See the “Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port” section on page 16-13.
  • Page 435: Default Private-Vlan Configuration

    VLAN, the configuration does not take effect if the primary VLAN is already configured.
    • When you enable IP source guard on private-VLAN ports, you must enable DHCP snooping on the primary VLAN.
  • Page 436 You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs or use SPAN on only one VLAN to separately monitor egress or ingress traffic.
  • Page 437: Private-Vlan Port Configuration

    A private-VLAN host or promiscuous port cannot be a SPAN destination port. If you configure a SPAN destination port as a private-VLAN port, the port becomes inactive.
  • Page 438: Configuring And Associating Vlans In A Private Vlan

    Enter VLAN configuration mode for the primary VLAN designated in Step 2.
    Step 13 private-vlan association [add | remove] secondary_vlan_list Associate the secondary VLANs with the primary VLAN.
    Step 14 Return to privileged EXEC mode.
  • Page 439 Switch(config)# vlan 20
    Switch(config-vlan)# private-vlan association 501-503
    Switch(config-vlan)# end
    Switch(config)# show vlan private vlan
    Primary Secondary Type Ports
    ------- --------- ----------------- ------------------------------------------
    isolated
    community
    community
    non-operational
  • Page 440: Configuring A Layer 2 Interface As A Private-Vlan Host Port

    Administrative private-vlan trunk Native VLAN tagging: enabled
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk private VLANs: none
    Operational private-vlan: 20 501
  • Page 441: Configuring A Layer 2 Interface As A Private-Vlan Promiscuous Port

    Switch(config-if)# end
    Use the show vlan private-vlan or the show interface status privileged EXEC command to display primary and secondary VLANs and private-VLAN ports on the switch.
  • Page 442: Mapping Secondary Vlans To A Primary Vlan Layer 3 Vlan Interface

    Switch(config)# interface vlan 10
    Switch(config-if)# private-vlan mapping 501-502
    Switch(config-if)# end
    Switch# show interfaces private-vlan mapping
    Interface Secondary VLAN Type
    --------- -------------- -----------------
    vlan10 isolated
    vlan10 community
  • Page 443: Monitoring Private Vlans

    This is an example of the output from the show vlan private-vlan command:
    Switch(config)# show vlan private-vlan
    Primary Secondary Type Ports
    ------- --------- ----------------- ------------------------------------------
    isolated Gi2/0/1, Gi3/0/1, Gi3/0/2
    community Gi2/0/11, Gi3/0/1, Gi3/0/4
    non-operational
  • Page 444 Chapter 16 Configuring Private VLANs Monitoring Private VLANs
  • Page 445: Understanding Ieee 802.1Q Tunneling

    VLAN ID that is dedicated to tunneling. Each customer requires a separate service-provider VLAN ID, but that VLAN ID supports all of the customer’s VLANs.
  • Page 446: C H A P T E R 17 Configuring Ieee 802.1Q And Layer 2 Protocol Tunneling

    When the packet exits another trunk port on the same core switch, the same metro tag is again added to the packet. Figure 17-2 shows the tag structures of the double-tagged packets.
  • Page 447 Because 802.1Q tunneling is configured on a per-port basis, it does not matter whether the switch is a standalone switch or a stack member. All configuration is done on the stack master.
  • Page 448: Configuring Ieee 802.1Q Tunneling

    (Switch C) and is misdirected through the egress switch tunnel port to Customer Y.
  • Page 449: System Mtu

    The switch has a system jumbo MTU value of 1500 bytes, and the switchport mode dot1q tunnel interface configuration command is configured on a 10-Gigabit or Gigabit Ethernet switch port.
  • Page 450: Ieee 802.1Q Tunneling And Other Features

    • When a port is configured as an IEEE 802.1Q tunnel port, spanning-tree bridge protocol data unit (BPDU) filtering is automatically enabled on the interface. Cisco Discovery Protocol (CDP) and the Link Layer Discovery Protocol (LLDP) are automatically disabled on the interface.
  • Page 451: Understanding Layer 2 Protocol Tunneling

    VLAN should build a proper spanning tree that includes the local site and all remote sites across the service-provider network. Cisco Discovery Protocol (CDP) must discover neighboring Cisco devices from local and remote sites. VLAN Trunking Protocol (VTP) must provide consistent VLAN configuration throughout all sites in the customer network.
  • Page 452
    • Users on each of a customer’s sites can properly run STP, and every VLAN can build a correct spanning tree based on parameters from all sites and not just from the local site.
    • CDP discovers and shows information about the other Cisco devices connected through the service-provider network.
  • Page 453 When you enable protocol tunneling (PAgP or LACP) on the SP switch, remote customer switches receive the PDUs and can negotiate the automatic creation of EtherChannels.
  • Page 454: Configuring Layer 2 Protocol Tunneling

    When the Layer 2 PDUs that entered the service-provider inbound edge switch through a Layer 2 protocol-enabled port exit through the trunk port into the service-provider network, the switch overwrites the customer PDU-destination MAC address with a well-known Cisco proprietary multicast address (01-00-0c-cd-cd-d0). If IEEE 802.1Q tunneling is enabled, packets are also double-tagged; the outer tag is the customer metro tag, and the inner tag is the customer’s VLAN tag.
  • Page 455: Default Layer 2 Protocol Tunneling Configuration

    CoS marking of L2 protocol tunneling BPDUs is 5. This does not apply to data traffic.
  • Page 456: Layer 2 Protocol Tunneling Configuration Guidelines

    PDUs higher priority within the service-provider network than data packets received from the same tunnel port. By default, the PDUs use the same CoS value as data packets.
  • Page 457: Configuring Layer 2 Protocol Tunneling

    Display the Layer 2 tunnel ports on the switch, including the protocols configured, the thresholds, and the counters.
    Step 12 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 458: Configuring Layer 2 Tunneling For Etherchannels

    Caution: To avoid a network failure, make sure that the network is a point-to-point topology before you enable tunneling for PAgP, LACP, or UDLD packets.
  • Page 459 [point-to-point [pagp | lacp | udld]] and the no l2protocol-tunnel drop-threshold [point-to-point [pagp | lacp | udld]] commands to return the shutdown and drop thresholds to the default settings.
  • Page 460: Configuring The Customer Switch

    For EtherChannels, you need to configure both the SP edge switches and the customer switches for Layer 2 protocol tunneling. (See Figure 17-6 on page 17-10.)
  • Page 461 Switch(config-if)# l2protocol-tunnel point-to-point pagp
    Switch(config-if)# l2protocol-tunnel point-to-point udld
    Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000
    Switch(config-if)# exit
    Switch(config)# interface gigabitethernet1/0/3
    Switch(config-if)# switchport trunk encapsulation negotiate
    Switch(config-if)# switchport mode trunk
  • Page 462: Monitoring And Maintaining Tunneling Status

    Display the status of native VLAN tagging on the switch. For detailed information about these displays, see the command reference for this release.
  • Page 463: Understanding Spanning-Tree Features

    The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard. A switch stack appears as a single spanning-tree node to the rest of the network, and all stack members use the same bridge ID.
  • Page 464: Chapter 18 Configuring Stp

    (SFP) modules. You can change the default for an interface by entering the [no] keepalive interface configuration command with no keywords.
  • Page 465: Spanning-Tree Topology And Bpdus

    When selecting the root port on a switch stack, spanning tree follows this sequence:
    – Selects the lowest root bridge ID
    – Selects the lowest path cost to the root switch
    – Selects the lowest designated bridge ID
  • Page 466: Bridge Id, Switch Priority, And Extended System Id

    VLAN identifier. The result is that fewer MAC addresses are reserved for the switch, and a larger range of VLAN IDs can be supported, all while maintaining the...
  • Page 467: Spanning-Tree Interface States

    • From blocking to listening or to disabled
    • From listening to learning or to disabled
    • From learning to forwarding or to disabled
    • From forwarding to disabled
  • Page 468: Blocking State

    An interface in the blocking state performs these functions:
    • Discards frames received on the interface
    • Discards frames switched from another interface for forwarding
    • Does not learn addresses
    • Receives BPDUs
  • Page 469: Listening State

    • Discards frames received on the interface
    • Discards frames switched from another interface for forwarding
    • Does not learn addresses
    • Does not receive BPDUs
  • Page 470: How A Switch Or Port Becomes The Root Switch Or Root Port

    If the speeds are the same, the port priority and port ID are added together, and spanning tree disables the link with the lowest value.
  • Page 471: Spanning-Tree Address Management

    VLAN to be subject to accelerated aging. Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch.
  • Page 472: Spanning-Tree Modes And Protocols

    The switch supports these spanning-tree modes and protocols:
    • PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
  • Page 473: Spanning-Tree Interoperability And Backward Compatibility

    VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
  • Page 474: Vlan-Bridge Spanning Tree

    Cisco VLAN-bridge spanning tree is used with the fallback bridging feature (bridge groups), which forwards non-IP protocols such as DECnet between two or more VLAN bridge domains or routed ports. The VLAN-bridge spanning tree allows the bridge groups to form a spanning tree on top of the individual VLAN spanning trees to prevent loops from forming if there are multiple connections among VLANs.
  • Page 475: Configuring Spanning-Tree Features

    1000 Mb/s: 4. 100 Mb/s: 19. 10 Mb/s: 100.
    Spanning-tree timers: Hello time: 2 seconds. Forward-delay time: 15 seconds. Maximum-aging time: 20 seconds. Transmit hold count: 6 BPDUs
  • Page 476: Spanning-Tree Configuration Guidelines

    20-12.
    Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
  • Page 477: Changing The Spanning-Tree Mode

    To return to the default setting, use the no spanning-tree mode global configuration command. To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
  • Page 478: Disabling Spanning Tree

    ID support will become the root switch. The extended system ID increases the switch priority value every time the VLAN number is greater than the priority of the connected switches running older software.
  • Page 479 (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id root global configuration command.
  • Page 480: Configuring A Secondary Root Switch

    (higher numerical values) that you want selected last. If all interfaces have the same priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.
  • Page 481 Note: The show spanning-tree interface interface-id privileged EXEC command displays information only if the port is in a link-up operative state. Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration.
  • Page 482: Configuring Path Cost

    Step 6    show spanning-tree interface interface-id    Verify your entries.
              show spanning-tree vlan vlan-id
    Step 7    copy running-config startup-config           (Optional) Save your entries in the configuration file. ...
  • Page 483: Configuring The Switch Priority Of A VLAN

    (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id priority global configuration command. ...
  • Page 484: Configuring Spanning-Tree Timers

    (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id hello-time global configuration command. ...
  • Page 485: Configuring The Forwarding-Delay Time For A VLAN

    (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id max-age global configuration command. ...
  • Page 486: Configuring The Transmit Hold-Count

    You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release. ...
  • Page 487 Both MSTP and RSTP improve the spanning-tree operation and maintain backward compatibility with equipment that is based on the (original) IEEE 802.1D spanning tree, with existing Cisco-proprietary Multiple Instance STP (MISTP), and with existing Cisco per-VLAN spanning-tree plus (PVST+) and rapid per-VLAN spanning-tree plus (rapid PVST+).
  • Page 488: Chapter 19 Configuring MSTP

    65 spanning-tree instances. Instances can be identified by any number in the range from 0 to 4094. You can assign a VLAN to only one spanning-tree instance at a time. ...
  • Page 489: IST, CIST, And CST

    IST information, they leave their old subregions and join the new subregion that contains the true CIST regional root. Thus all subregions shrink, except for the one that contains the true CIST regional root. ...
  • Page 490: Operations Between MST Regions

    [Figure: MST Regions, CIST Masters, and CST Root. Labels: IST master and CST root; Legacy IEEE 802.1D; MST Region 1, MST Region 2, MST Region 3; IST master] ...
  • Page 491: IEEE 802.1s Terminology

    IEEE 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches.
    IEEE 802.1s Terminology
    Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network.
  • Page 492: Boundary Ports

    The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary, unless it is running in an STP-compatible mode.
  • Page 493: Port Role Naming Change

    The boundary role is no longer in the final MST standard, but this boundary concept is maintained in Cisco’s implementation. However, an MST instance port at a boundary of the region might not follow the state of the corresponding CIST port. Two cases exist now: The boundary port is the root port of the CIST regional root—When the CIST instance port is...
  • Page 494: Detecting Unidirectional Link Failure

    Detecting Unidirectional Link Failure
    This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
  • Page 495: Interoperability With IEEE 802.1D STP

    LAN is called the designated port.
    • Alternate port—Offers an alternate path toward the root switch to that provided by the current root port. ...
  • Page 496: Rapid Convergence

    Disabled    Disabled    Discarding
    To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of discarding. Designated ports start in the listening state.
    Rapid Convergence
    The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN.
  • Page 497 [Figure labels: Proposal, Agreement, Designated switch, Root, Switch C. Legend: DP = designated port, RP = root port, F = forwarding] ...
  • Page 498: Synchronization Of Port Roles

    [Figure steps: 1. Proposal, 2. Block, 3. Block, 5. Forward, 6. Proposal, 7. Proposal, 8. Agreement, 9. Forward, 10. Agreement, 11. Forward. Labels: Edge port, Root port, Designated port] ...
  • Page 499: Bridge Protocol Data Unit Format And Processing

    RSTP sets the port to the blocking state but does not send the agreement message. The designated port continues sending BPDUs with the proposal flag set until the forward-delay timer expires, at which time the port transitions to the forwarding state. ...
  • Page 500: Processing Inferior BPDU Information

    However, if the RSTP switch is using IEEE 802.1D BPDUs on a port and receives an RSTP BPDU after the timer has expired, it restarts the timer and starts using RSTP BPDUs on that port. ...
  • Page 501: Configuring MSTP Features

    Maximum-aging time    20 seconds.
    Maximum hop count     20 hops.
    For information about the supported number of spanning-tree instances, see the “Supported Spanning-Tree Instances” section on page 18-10. ...
  • Page 502: MSTP Configuration Guidelines

    MST cloud than a path through the PVST+ or rapid-PVST+ cloud. You might have to manually configure the switches in the clouds. ...
  • Page 503: Specifying The MST Region Configuration And Enabling MSTP

    You cannot run both MSTP and PVST+ or both MSTP and rapid PVST+ at the same time. ...
  • Page 504: Configuring The Root Switch

    ID support will become the root switch. The extended system ID increases the switch priority value every time the VLAN number is greater than the priority of the connected switches running older software. ...
  • Page 505: Configuring A Secondary Root Switch

    This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch. ...
  • Page 506: Configuring Port Priority

    For more information, see the “Configuring Path Cost” section on page 19-22. ...
  • Page 507 Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance-id port-priority interface configuration command. ...
  • Page 508: Configuring Path Cost

    Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance-id cost interface configuration command. ...
  • Page 509: Configuring The Switch Priority

    Configuring the Hello Time
    You can configure the interval between the generation of configuration messages by the root switch by changing the hello time. ...
  • Page 510: Configuring The Forwarding-Delay Time

    (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst forward-time global configuration command. ...
  • Page 511: Configuring The Maximum-Aging Time

    (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst max-hops global configuration command. ...
  • Page 512: Specifying The Link Type To Ensure Rapid Transitions

    Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports.
    Step 3    spanning-tree mst pre-standard    Specify that the port can send only prestandard BPDUs. ...
  • Page 513: Restarting The Protocol Migration Process

    Displays MST information for the specified interface. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release. ...
  • Page 514 Chapter 19 Configuring MSTP Displaying the MST Configuration and Status ...
  • Page 515: Understanding Optional Spanning-Tree Features

    • Understanding Cross-Stack UplinkFast, page 20-5
    • Understanding BackboneFast, page 20-7
    • Understanding EtherChannel Guard, page 20-10
    • Understanding Root Guard, page 20-10
    • Understanding Loop Guard, page 20-11 ...
  • Page 516: Chapter 20 Configuring Optional Spanning-Tree Features

    You can enable this feature by using the spanning-tree portfast interface configuration or the spanning-tree portfast default global configuration command.
    [Figure 20-1: Port Fast-Enabled Interfaces. Labels: Blade Switch, Port Fast-enabled ports, Blade Servers] ...
  • Page 517: Understanding BPDU Guard

    Caution: Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.
    You can enable the BPDU filtering feature for the entire switch or for an interface. ...
  • Page 518: Understanding Uplinkfast

    Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in a blocking state. ...
  • Page 519: Understanding Cross-Stack Uplinkfast

    CSUF might not provide a fast transition all the time; in these cases, the normal spanning-tree transition occurs, completing in 30 to 40 seconds. For more information, see the “Events that Cause Fast Convergence” section on page 20-7. ...
  • Page 520: How CSUF Works

    The switch sending the fast-transition request needs to do a fast transition to the forwarding state of a port that it has chosen as the root port, and it must obtain an acknowledgement from each stack switch before performing the fast transition. ...
  • Page 521: Events That Cause Fast Convergence

    BPDU is a signal that the other switch might have lost its path to the root, and BackboneFast tries to find an alternate path to the root. ...
  • Page 522 Switch B is in the blocking state. [Figure 20-6: BackboneFast Example Before Indirect Link Failure. Labels: Switch A (Root), Switch B, Switch C, Blocked port] ...
  • Page 523 Switch A, the root switch. [Figure 20-8: Adding a Switch in a Shared-Medium Topology. Labels: Switch A (Root), Switch B, Switch C (Designated bridge), Blocked port, Added switch] ...
  • Page 524: Understanding Etherchannel Guard

    You can enable this feature by using the spanning-tree guard root interface configuration command.
    Caution: Misuse of the root-guard feature can cause a loss of connectivity. ...
  • Page 525: Understanding Loop Guard

    • Enabling BPDU Filtering, page 20-14 (optional)
    • Enabling UplinkFast for Use with Redundant Links, page 20-15 (optional)
    • Enabling Cross-Stack UplinkFast, page 20-16 (optional) ...
  • Page 526: Default Optional Spanning-Tree Configuration

    VLAN, the Port Fast feature is not automatically disabled. For more information, see Chapter 15, “Configuring Voice VLAN.” You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP. ...
  • Page 527: Enabling BPDU Guard

    To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred. ...
  • Page 528: Enabling BPDU Filtering

    Caution: Configure Port Fast only on interfaces that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation. ...
  • Page 529: Enabling Uplinkfast For Use With Redundant Links

    You can configure the UplinkFast or the CSUF feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+. ...
  • Page 530: Enabling Cross-Stack Uplinkfast

    To disable UplinkFast on the switch and all its VLANs, use the no spanning-tree uplinkfast global configuration command.
    Enabling BackboneFast
    You can enable BackboneFast to detect indirect link failures and to start the spanning-tree reconfiguration sooner. ...
  • Page 531: Enabling Etherchannel Guard

    EXEC command to verify the EtherChannel configuration. After the configuration is corrected, enter the shutdown and no shutdown interface configuration commands on the port-channel interfaces that were misconfigured. ...
  • Page 532: Enabling Root Guard

              Command                      Purpose
    Step 1    show spanning-tree active    Verify which interfaces are alternate or root ports.
              show spanning-tree mst
    Step 2    configure terminal           Enter global configuration mode. ...
  • Page 533: Displaying The Spanning-Tree Status

    You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release. ...
  • Page 534 Chapter 20 Configuring Optional Spanning-Tree Features Displaying the Spanning-Tree Status ...
  • Page 535: Understanding Flex Links And The MAC Address-Table Move Update

    • VLAN Flex Link Load Balancing and Support, page 21-3
    • Flex Link Multicast Fast Convergence, page 21-3
    • MAC Address-Table Move Update, page 21-6 ...
  • Page 536: Flex Links

    Flex Links are supported only on Layer 2 ports and port channels, not on VLANs or on Layer 3 ports. ...
  • Page 537: Chapter 21 Configuring Flex Links And The MAC Address-Table Move Update Feature

    When the changeover happens, the backup port is unblocked, allowing the traffic to flow. In this case, the upstream multicast data flows as soon as the backup port is unblocked. ...
  • Page 538: Generating IGMP Reports

    GigabitEthernet1/0/11    GigabitEthernet1/0/12    Active Up/Backup Standby
    Preemption Mode : off
    Multicast Fast Convergence : Off
    Bandwidth : 100000 Kbit (Gi1/0/11), 100000 Kbit (Gi1/0/12)
    Mac Address Move Update Vlan : auto ...
  • Page 539 This output shows a querier for VLAN 1 and 401 with their queries reaching the switch through Gigabit Ethernet 1/0/11:
    Switch# show ip igmp snooping querier
    Vlan      IP Address     IGMP Version    Port
    -------------------------------------------------------------
              1.1.1.1                        Gi1/0/11
              41.41.41.1                     Gi1/0/11 ...
  • Page 540: MAC Address-Table Move Update

    100 milliseconds (ms). The PC is directly connected to switch A, and the connection status does not change. Switch A does not need to update the PC entry in the MAC address table. ...
  • Page 541: Configuring Flex Links And MAC Address-Table Move Update

    • Configuring Flex Links, page 21-9
    • Configuring VLAN Load Balancing on Flex Links, page 21-11
    • Configuring the MAC Address-Table Move Update Feature, page 21-12 ...
  • Page 542: Configuration Guidelines

    The Flex Links are not configured, and there are no backup interfaces defined. The preemption mode is off. The preemption delay is 35 seconds. The MAC address-table move update feature is not configured on the switch. ...
  • Page 543: Configuring Flex Links

    Configure a physical Layer 2 interface (or port channel) as part of a Flex Links pair with the interface. When one link is forwarding traffic, the other interface is in standby mode. ...
  • Page 544
    Interface Pair : Gi1/0/1, Gi1/0/2
    Preemption Mode : forced
    Preemption Delay : 50 seconds
    Bandwidth : 100000 Kbit (Gi1/0/1), 100000 Kbit (Gi1/0/2)
    Mac Address Move Update Vlan : auto ...
  • Page 545: Configuring VLAN Load Balancing On Flex Links

    Switch Backup Interface Pairs:
    Active Interface        Backup Interface        State
    ------------------------------------------------------------------------
    GigabitEthernet2/0/6    GigabitEthernet2/0/8    Active Down/Backup Up
    Vlans Preferred on Active Interface: 1-50
    Vlans Preferred on Backup Interface: 60, 100-120 ...
  • Page 546: Configuring The MAC Address-Table Move Update Feature

    VLAN ID on the interface, which is used for sending the MAC address-table move update. When one link is forwarding traffic, the other interface is in standby mode. ...
  • Page 547
    Xmt packet count : 0
    Xmt packet count this min : 0
    Xmt threshold exceed count : 0
    Xmt pak buf unavail cnt : 0
    Xmt last interface : None ...
  • Page 548: Monitoring Flex Links And The MAC Address-Table Move Update Information

    Flex Links and the state of each active and backup backup interface (up or standby mode).
    show mac address-table move update    Displays the MAC address-table move update information on the switch. ...
  • Page 549: Understanding DHCP Features

    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release, and see the “DHCP Commands” section in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.
  • Page 550: Chapter 22 Configuring DHCP Features And IP Source Guard

    In a service-provider network, a trusted interface is connected to a port on a device in the same network. An untrusted interface is connected to an untrusted interface in the network or to an interface on a device that is not in the network. ...
  • Page 551: Option-82 Data Insertion

    Note: The DHCP option-82 feature is supported only when DHCP snooping is globally enabled and on the VLANs to which subscriber devices using this feature are assigned. ...
  • Page 552 Figure 22-2 do not change:
    • Circuit-ID suboption fields
      – Suboption type
      – Length of the suboption type
      – Circuit-ID type
      – Length of the circuit-ID type ...
  • Page 553 In the port field of the circuit ID suboption, the port numbers start at 1. For example, on a switch with Cisco dual SFP X2 converter modules in the 10-Gigabit Ethernet module slots, port 1 is the internal Gigabit Ethernet 1/0/1 port, port 2 is the internal Gigabit Ethernet1/0/2 port, and so on. For the external uplink ports (port 17 to port 20), port 17 is the Gigabit Ethernet 1/0/17 port, port 18 is the Gigabit Ethernet 1/0/18 port, and so on.
  • Page 554: Cisco IOS DHCP Server Database

    An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool.
  • Page 555 expires).
    • The interface in the entry no longer exists on the system.
    • The interface is a routed interface or a DHCP snooping-trusted interface. ...
  • Page 556: DHCP Snooping And Switch Stacks

    Enabled (invalid messages are dropped)
    DHCP relay agent forwarding policy    Replace the existing relay agent information
    DHCP snooping enabled globally        Disabled
    DHCP snooping information option      Enabled ...
  • Page 557: DHCP Snooping Configuration Guidelines

    • If a switch port is connected to a DHCP client, configure a port as untrusted by entering the no ip dhcp snooping trust interface configuration command. ...
  • Page 558: Configuring The DHCP Server

    Configuring the DHCP Server
    The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. These features are not operational. For procedures to configure the switch as a DHCP server, see the “Configuring DHCP” section of the “IP addressing and Services”...
  • Page 559: Configuring The DHCP Relay Agent

    To disable the DHCP server and relay agent, use the no service dhcp global configuration command. See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 for these procedures:
    • Checking (validating) the relay agent information ...
  • Page 560: Enabling DHCP Snooping And Option 82

    Note: If the hostname is longer than 63 characters, it is truncated to 63 characters in the remote-ID configuration.
    The default remote ID is the switch MAC address. ...
  • Page 561 To configure an aggregation switch to drop incoming DHCP snooping packets with option-82 information from an edge switch, use the no ip dhcp snooping information option allow-untrusted global configuration command. ...
  • Page 562: Enabling DHCP Snooping On Private VLANs

    VLANs, on which DHCP snooping is enabled.
    Enabling the Cisco IOS DHCP Server Database
    For procedures to enable and configure the Cisco IOS DHCP server database, see the “DHCP Configuration Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
  • Page 563: Enabling The DHCP Snooping Binding Database Agent

    To delete binding entries from the DHCP snooping binding database, use the no ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id privileged EXEC command. Enter this command for each entry that you want to delete. ...
  • Page 564: Displaying DHCP Snooping Information

    IP source bindings). An entry in this table has an IP address, its associated MAC address, and its associated VLAN number. The switch uses the IP source binding table only when IP source guard is enabled. ...
  • Page 565: Source IP Address Filtering

    IP packets to maintain the list of valid hosts for a given port. You can also specify the number of hosts allowed to send traffic to a given port. This is equivalent to port security at Layer 3. ...
  • Page 566: Configuring IP Source Guard

    • When IP source guard with source IP filtering is enabled on an interface, DHCP snooping must be enabled on the access VLAN to which the interface belongs. ...
  • Page 567: Enabling IP Source Guard

              Command                   Purpose
    Step 1    configure terminal        Enter global configuration mode.
    Step 2    interface interface-id    Specify the interface to be configured, and enter interface configuration mode. ...
  • Page 568
    Switch(config-if)# ip verify source port-security
    Switch(config-if)# exit
    Switch(config)# ip source binding 0100.0022.0010 vlan 10 10.0.0.2 interface gigabitethernet1/0/1
    Switch(config)# ip source binding 0100.0230.0002 vlan 11 10.0.0.4 interface gigabitethernet1/0/1
    Switch(config)# end ...
  • Page 569: Configuring IP Source Guard For Static Hosts

    (Optional) Activate port security for this port.
    Step 9     switchport port-security maximum value    (Optional) Establish a maximum of MAC addresses for this port.
    Step 10                                              Return to privileged EXEC mode. ...
  • Page 570
    Switch(config-if)# switchport access vlan 1
    Switch(config-if)# ip device tracking maximum 5
    Switch(config-if)# switchport port-security
    Switch(config-if)# switchport port-security maximum 5
    Switch(config-if)# ip verify source tracking port-security
    Switch(config-if)# end ...
  • Page 571
    MAC Address Vlan Interface STATE
    ---------------------------------------------------------------------
    200.1.1.1    0001.0600.0000    GigabitEthernet0/1    ACTIVE
    200.1.1.2    0001.0600.0000    GigabitEthernet0/1    ACTIVE
    200.1.1.3    0001.0600.0000    GigabitEthernet0/1    ACTIVE
    200.1.1.4    0001.0600.0000    GigabitEthernet0/1    ACTIVE
    200.1.1.5    0001.0600.0000    GigabitEthernet0/1    ACTIVE ...
  • Page 572: Configuring IP Source Guard For Static Hosts On A Private VLAN Host Port

    Exit VLAN configuration mode.
    Step 8    vlan vlan-id1                   Enter configuration VLAN mode.
    Step 9    private-vlan association 201    Associate the VLAN on an isolated private VLAN port. ...
  • Page 573
    STATE
    ---------------------------------------------------------------------
    40.1.1.24    0000.0000.0304           GigabitEthernet1/0/3    ACTIVE
    40.1.1.20    0000.0000.0305    200    GigabitEthernet1/0/3    ACTIVE
    40.1.1.21    0000.0000.0306    200    GigabitEthernet1/0/3    ACTIVE
    40.1.1.22    0000.0000.0307    200    GigabitEthernet1/0/3    ACTIVE
    40.1.1.23    0000.0000.0308    200    GigabitEthernet1/0/3    ACTIVE ...
  • Page 574: Displaying IP Source Guard Information

    When you configure this feature, the port name of the interface overrides the client identifier or hardware address and the actual point of connection, the switch port, becomes the client identifier. ...
  • Page 575: Configuring DHCP Server Port-Based Address Allocation

    In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP to the attached device. The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and not a third-party server.
  • Page 576 Return to privileged EXEC mode.
    Step 7    show ip dhcp pool                     Verify DHCP pool configuration.
    Step 8    copy running-config startup-config    (Optional) Save your entries in the configuration file. ...
  • Page 577 For more information about configuring the DHCP server port-based address allocation feature, go to Cisco.com, and enter Cisco IOS IP Addressing Services in the Search field to locate the Cisco IOS software documentation. You can also locate the documentation at this URL: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html...
  • Page 578: Displaying DHCP Server Port-Based Address Allocation

    Display the status and configuration of a specific interface.
    show ip dhcp pool | Display the DHCP address pools.
    show ip dhcp binding | Display address bindings on the Cisco IOS DHCP server.
  • Page 579: Understanding Dynamic ARP Inspection

    ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. Figure 23-1 shows an example of ARP cache poisoning.
  • Page 580: Chapter 23 Configuring Dynamic ARP Inspection

    “Configuring ARP ACLs for Non-DHCP Environments” section on page 23-8. The switch logs dropped packets. For more information about the log buffer, see the “Logging of Dropped Packets” section on page 23-5.
  • Page 581: Interface Trust States And Network Security

    Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running dynamic ARP inspection.
  • Page 582: Rate Limiting Of ARP Packets

    The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.
  • Page 583: Logging Of Dropped Packets

    The rate is unlimited on all trusted interfaces. The burst interval is 1 second.
    ARP ACLs for non-DHCP environments | No ARP ACLs are defined.
    Validation checks | No checks are performed.
  • Page 584: Dynamic ARP Inspection Configuration Guidelines

    EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets on the channel-port members.
  • Page 585: Configuring Dynamic ARP Inspection In DHCP Environments

    VLANs separated by a comma. The range is 1 to 4094. Specify the same VLAN ID for both switches.
    Step 4 | interface interface-id | Specify the interface connected to the other switch, and enter interface configuration mode.
  • Page 586: Configuring ARP ACLs For Non-DHCP Environments

    VLAN 1. If the IP address of Host 2 is not static (it is impossible to apply the ACL configuration on Switch A) you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them.
  • Page 587
    Step 6 | interface interface-id | Specify the Switch A interface that is connected to Switch B, and enter interface configuration mode.
  • Page 588: Limiting The Rate Of Incoming ARP Packets

    If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.
  • Page 589 To return to the default rate-limit configuration, use the no ip arp inspection limit interface configuration command. To disable error recovery for dynamic ARP inspection, use the no errdisable recovery cause arp-inspection global configuration command.
  • Page 590: Performing Validation Checks

    To disable checking, use the no ip arp inspection validate [src-mac] [dst-mac] [ip] global configuration command. To display statistics for forwarded, dropped, and MAC and IP validation failure packets, use the show ip arp inspection statistics privileged EXEC command.
  • Page 591: Configuring The Log Buffer

    Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds.
  • Page 592: Displaying Dynamic ARP Inspection Information

    ARP inspection for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with dynamic ARP inspection enabled (active).
  • Page 593 Displays the configuration and contents of the dynamic ARP inspection log buffer. For more information about these commands, see the command reference for this release.
  • Page 595 Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the “IP Multicast Routing Commands” section in the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2.
  • Page 596: Chapter 24 Configuring IGMP Snooping And MVR

    • Immediate Leave, page 24-6
    • IGMP Configurable-Leave Timer, page 24-6
    • IGMP Report Suppression, page 24-6
    • IGMP Snooping and Switch Stacks, page 24-7
  • Page 597: IGMP Versions

    The CPU also adds the interface where the join message was received to the forwarding-table entry. The blade server associated with that interface receives multicast traffic for that multicast group. See Figure 24-1.
  • Page 598 CPU, the message is not flooded to other ports on the switch. Any known multicast traffic is forwarded to the group and not to the CPU.
  • Page 599: Leaving A Multicast Group

    If the router receives no reports from a VLAN, it removes the group for the VLAN from its IGMP cache.
  • Page 600: Immediate Leave

    If you disable IGMP report suppression, all IGMP reports are forwarded to the multicast routers. For configuration steps, see the “Disabling IGMP Report Suppression” section on page 24-16.
  • Page 601: IGMP Snooping And Switch Stacks

    Multicast routers | None configured
    Multicast router learning (snooping) method | PIM-DVMRP
    IGMP snooping Immediate Leave | Disabled
    Static groups | None configured
    flood query count |
    TCN query solicitation | Disabled
  • Page 602: Enabling Or Disabling IGMP Snooping

    (Optional) Save your entries in the configuration file. To disable IGMP snooping on a VLAN interface, use the no ip igmp snooping vlan vlan-id global configuration command for the specified VLAN number.
  • Page 603: Setting The Snooping Method

    This example shows how to configure IGMP snooping to use CGMP packets as the learning method:
    Switch# configure terminal
    Switch(config)# ip igmp snooping vlan 1 mrouter learn cgmp
    Switch(config)# end
  • Page 604: Configuring A Multicast Router Port

    This example shows how to enable a static connection to a multicast router:
    Switch# configure terminal
    Switch(config)# ip igmp snooping vlan 200 mrouter interface gigabitethernet0/2
    Switch(config)# end
  • Page 605: Configuring A Blade Server Statically To Join A Group

    Enter global configuration mode.
    Step 2 | ip igmp snooping vlan vlan-id immediate-leave | Enable IGMP Immediate Leave on the VLAN interface.
    Step 3 | | Return to privileged EXEC mode.
  • Page 606: Configuring The IGMP Leave Timer

    To remove the configured IGMP leave-time setting from the specified VLAN, use the no ip igmp snooping vlan vlan-id last-member-query-interval global configuration command.
  • Page 607: Configuring TCN-Related Commands

    TCN event. Leaves are always sent if the switch is the spanning-tree root regardless of this configuration command. By default, query solicitation is disabled.
  • Page 608: Disabling Multicast Flooding During A TCN Event

    (Optional) Save your entries in the configuration file. To re-enable multicast flooding on an interface, use the ip igmp snooping tcn flood interface configuration command.
  • Page 609: Configuring The IGMP Snooping Querier

    VLAN interface. The VLAN ID range is 1 to 1001 and 1006 to 4094.
    Step 10 | copy running-config startup-config | (Optional) Save your entries in the configuration file.
  • Page 610: Disabling IGMP Report Suppression

    Step 5 | copy running-config startup-config | (Optional) Save your entries in the configuration file.
    To re-enable IGMP report suppression, use the ip igmp snooping report-suppression global configuration command.
  • Page 611: Displaying IGMP Snooping Information

    IGMP snooping querier in the VLAN. For more information about the keywords and options in these commands, see the command reference for this release.
  • Page 612: Understanding Multicast VLAN Registration

    If a switch fails or is removed from the stack, only those receiver ports belonging to that switch will not receive the multicast data. All other receiver ports on other switches continue to receive the multicast data.
  • Page 613: Using MVR In A Multicast Television Application

    With Immediate Leave, an IGMP query is not sent from the receiver port on which the...
  • Page 614: Configuring MVR

    Query response time | 0.5 second
    Multicast VLAN | VLAN 1
    Mode | Compatible
    Interface (per port) default | Neither a receiver nor a source port
    Immediate Leave | Disabled on all ports
  • Page 615: MVR Configuration Guidelines And Limitations

    The value is in units of tenths of a second. The range is 1 to 100, and the default is 5 tenths or one-half second.
  • Page 616: Configuring MVR Interfaces

    Enter global configuration mode.
    Step 2 | | Enable MVR on the switch.
    Step 3 | interface interface-id | Specify the Layer 2 port to configure, and enter interface configuration mode.
  • Page 617
    Switch(config-if)# mvr vlan 22 group 228.1.23.4
    Switch(config-if)# mvr immediate
    Switch(config)# end
    Switch# show mvr interface
    Port Type Status Immediate Leave
    ---- ---- ------- ---------------
    Gi1/0/2 RECEIVER ACTIVE/DOWN ENABLED
  • Page 618: Displaying MVR Information

    IP multicast traffic. The filtering feature operates in the same manner whether CGMP or MVR is used to forward the multicast traffic.
  • Page 619: Default IGMP Filtering And Throttling Configuration

    Specifies that matching addresses are denied; this is the default.
    • exit: Exits from igmp-profile configuration mode.
    • no: Negates a command or returns to its defaults.
  • Page 620
    Switch(config)# ip igmp profile 4
    Switch(config-igmp-profile)# permit
    Switch(config-igmp-profile)# range 229.9.9.0
    Switch(config-igmp-profile)# end
    Switch# show ip igmp profile 4
    IGMP Profile 4
    permit
    range 229.9.9.0 229.9.9.0
  • Page 621: Applying IGMP Profiles

    Specify the interface to be configured, and enter interface configuration mode. The interface can be a Layer 2 port that does not belong to an EtherChannel group or an EtherChannel interface.
  • Page 622: Configuring The IGMP Throttling Action

    IGMP report. To prevent the switch from removing the forwarding-table entries, you can configure the IGMP throttling action before an interface adds entries to the forwarding table.
  • Page 623: Displaying IGMP Filtering And Throttling Configuration

    (if configured) the maximum number of IGMP groups to which an interface can belong and the IGMP profile applied to the interface.
  • Page 625: Understanding MLD Snooping

    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release or the Cisco IOS documentation referenced in the procedures.
    This chapter includes these sections:
    • “Understanding MLD Snooping” section on page 25-1...
  • Page 626: Chapter 25 Configuring IPv6 MLD Snooping

    • Multicast-Address-Specific Queries (MASQs).
    • Multicast Listener Reports are the equivalent of IGMPv2 reports
    • Multicast Listener Done messages are the equivalent of IGMPv2 leave messages.
  • Page 627: MLD Queries

    • If there are multiple routers on the same Layer 2 interface, MLD snooping tracks a single multicast router on the port (the router that most recently sent a router control packet).
  • Page 628: MLD Reports

    MASQ was sent is deleted from the IPv6 multicast address database. The maximum response time is the time configured by using the ipv6 mld snooping...
  • Page 629: Topology Change Notification Processing

    • Configuring MLD Snooping Queries, page 25-10
    • Disabling MLD Listener Message Suppression, page 25-11
    Default MLD Snooping Configuration
    Table 25-1 shows the default MLD snooping configuration.
  • Page 630: MLD Snooping Configuration Guidelines

    • The maximum number of multicast entries allowed on the switch or switch stack is determined by the configured SDM template.
    • The maximum number of address entries allowed for the switch or switch stack is 1000.
  • Page 631: Enabling Or Disabling MLD Snooping

    VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.
  • Page 632: Configuring A Static Multicast Group

    To remove a Layer 2 port from the multicast group, use the no ipv6 mld snooping vlan vlan-id static mac-address interface interface-id global configuration command. If all member ports are removed from a group, the group is deleted.
  • Page 633: Enabling MLD Immediate Leave

    Immediate-Leave in a VLAN. Beginning in privileged EXEC mode, follow these steps to enable MLDv1 Immediate Leave:
  • Page 634: Configuring MLD Snooping Queries

    The range is 1 to 7; the default is 0. When set to 0, the global count value is used. Queries are sent 1 second apart.
  • Page 635: Disabling MLD Listener Message Suppression

    MLD snooping listener message suppression is enabled by default. When it is enabled, the switch forwards only one MLD report per multicast router query. When message suppression is disabled, multiple MLD reports could be forwarded to the multicast routers.
  • Page 636: Displaying MLD Snooping Information

    MLD query messages in the VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.
  • Page 637
    VLAN.
    show ipv6 mld snooping multicast-address vlan vlan-id [ipv6-multicast-address] | Display MLD snooping for the specified VLAN and IPv6 multicast address.
  • Page 639: Configuring Storm Control

    These sections contain this conceptual and configuration information:
    • Understanding Storm Control, page 26-2
    • Default Storm Control Configuration, page 26-3
    • Configuring Storm Control and Threshold Levels, page 26-3
  • Page 640: Chapter 26 Configuring Port-Based Traffic Control

    Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold for small frames is configured for each interface. (Cisco IOS Release 12.2(44)SE or later) With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding.
  • Page 641: Default Storm Control Configuration

    Note: Storm control is supported on physical interfaces. You can also configure storm control on an EtherChannel. When storm control is configured on an EtherChannel, the storm control settings propagate to the EtherChannel physical interfaces.
  • Page 642 The range is 0.0 to 10000000000.0. For BPS and PPS settings, you can use metric suffixes such as k, m, and g for large number thresholds.
  • Page 643: Configuring Small-Frame Arrival Rate

    Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by the switch, but they do not cause the switch storm-control counters to increment. In Cisco IOS Release 12.2(44)SE and later, you can configure a port to be error disabled if small frames arrive at a specified rate (threshold).
  • Page 644: Configuring Protected Ports

    Because a switch stack represents a single logical switch, Layer 2 traffic is not forwarded between any protected ports in the switch stack, whether they are on the same or different switches in the stack.
  • Page 645: Default Protected Port Configuration

    To disable protected port, use the no switchport protected interface configuration command.
    This example shows how to configure a port as a protected port:
    Switch# configure terminal
    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)# switchport protected
    Switch(config-if)# end
  • Page 646: Configuring Port Blocking

    Return to privileged EXEC mode.
    Step 6 | show interfaces interface-id switchport | Verify your entries.
    Step 7 | copy running-config startup-config | (Optional) Save your entries in the configuration file.
  • Page 647: Configuring Port Security

    Note: If you try to set the maximum value to a number less than the number of secure addresses already configured on an interface, the command is rejected.
  • Page 648: Security Violations

    Note: We do not recommend configuring the protect violation mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.
  • Page 649: Default Port Security Configuration

    Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded.
    Port security aging | Disabled. Aging time is 0. Static aging is disabled. Type is absolute.
  • Page 650: Port Security Configuration Guidelines

    IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
  • Page 651: Enabling And Configuring Port Security

    Enable voice VLAN on a port. vlan-id—Specify the VLAN to be used for voice traffic.
    Step 5 | switchport port-security | Enable port security on the interface.
  • Page 652 VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.
  • Page 653 You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command.
  • Page 654
    Step 11 | | Return to privileged EXEC mode.
    Step 12 | show port-security | Verify your entries.
    Step 13 | copy running-config startup-config | (Optional) Save your entries in the configuration file.
  • Page 655
    This example shows how to configure a static secure MAC address on VLAN 3 on a port:
    Switch(config)# interface gigabitethernet1/0/2
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# switchport port-security
    Switch(config-if)# switchport port-security mac-address 0000.0200.0004 vlan 3
  • Page 656: Enabling And Configuring Port Security Aging

    Beginning in privileged EXEC mode, follow these steps to configure port security aging:
    Step | Command | Purpose
    Step 1 | configure terminal | Enter global configuration mode.
    Step 2 | interface interface-id | Specify the interface to be configured, and enter interface configuration mode.
  • Page 657: Port Security And Switch Stacks

    MAC addresses configured or learned by that switch are deleted from the secure MAC address table. For more information about switch stacks, see Chapter 7, “Managing Switch Stacks.”
  • Page 658: Port Security And Private VLANs

    VLANs, and similarly, secure addresses learned on promiscuous ports automatically get replicated on all associated secondary VLANs. Static addresses (using mac-address-table static command) cannot be user configured on a secure port.
  • Page 659: Configuring Protocol Storm Protection

    Virtual port error disabling is not supported for EtherChannel and Flexlink interfaces.
    Default Protocol Storm Protection Configuration
    Protocol storm protection is disabled by default. When it is enabled, auto-recovery of the virtual port is disabled by default.
  • Page 660: Enabling Protocol Storm Protection

    [arp | igmp | dhcp] privileged EXEC command. To clear the counter for a protocol, use the clear psp counter [arp | igmp | dhcp] command.
  • Page 661: Displaying Port-Based Traffic Control Settings

    Displays the number of secure MAC addresses configured per VLAN on the specified interface.
  • Page 663: Understanding CDP

    Understanding CDP
    CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 664: CDP And Switch Stacks

    Default Setting
    CDP global state | Enabled
    CDP interface state | Enabled
    CDP timer (packet update frequency) | 60 seconds
    CDP holdtime (before discarding) | 180 seconds
    CDP Version-2 advertisements | Enabled
  • Page 665: Chapter 27 Configuring CDP

    Beginning in privileged EXEC mode, follow these steps to disable the CDP device discovery capability:
    Step | Command | Purpose
    Step 1 | configure terminal | Enter global configuration mode.
    Step 2 | no cdp run | Disable CDP.
    Step 3 | | Return to privileged EXEC mode.
  • Page 666: Disabling And Enabling CDP On An Interface

    This example shows how to enable CDP on a port when it has been disabled.
    Switch# configure terminal
    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)# cdp enable
    Switch(config-if)# end
  • Page 667: Monitoring And Maintaining CDP

    You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information.
    show cdp traffic | Display CDP counters, including the number of packets sent and received and checksum errors.
  • Page 669 Understanding LLDP, LLDP-MED, and Wired Location Service LLDP The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches). CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network.
  • Page 670: Chapter 28 Configuring LLDP, LLDP-MED, And Wired Location Service

    Enables advanced power management between LLDP-MED endpoint and network connectivity devices. Allows switches and phones to convey power information, such as how the device is powered, power priority, and how much power the device needs.
  • Page 671: LLDP-MED

    The switch uses the wired location service feature to send location and attachment tracking information for its connected devices to a Cisco Mobility Services Engine (MSE). The tracked device can be a wireless endpoint, a wired endpoint, or a wired switch or controller. The switch notifies the MSE of device link up and link down events through the Network Mobility Services Protocol (NMSP) location and attachment notifications.
  • Page 672: Wired Location Service

    LLDP tlv-select | Disabled to send and receive all TLVs
    LLDP interface state | Disabled
    LLDP receive | Disabled
    LLDP transmit | Disabled
    LLDP med-tlv-select | Disabled to send all LLDP-MED TLVs
  • Page 673: Configuring Lldp, Lldp-Med, And Wired Location Service

    Switch(config)# end
    This example shows how to enable LLDP on an interface.
    Switch# configure terminal
    Switch(config)# interface interface_id
    Switch(config-if)# lldp transmit
    Switch(config-if)# lldp receive
    Switch(config-if)# end
  • Page 674: Enabling Lldp

    Use the no form of each of the LLDP commands to return to the default setting. This example shows how to configure LLDP characteristics.
    Switch# configure terminal
    Switch(config)# lldp holdtime 120
    Switch(config)# lldp reinit 2
    Switch(config)# lldp timer 30
    Switch(config)# end
  • Page 675: Configuring Lldp-Med Tlvs

    Enter global configuration mode. Step 2 network-policy profile profile number Specify the network-policy profile number, and enter network-policy configuration mode. The range is 1 to 4294967295.
  • Page 676 This example shows how to configure the voice application type for the native VLAN with priority tagging:
    Switch(config-network-policy)# voice vlan dot1p cos 4
    Switch(config-network-policy)# voice vlan dot1p dscp 34
  • Page 677: Configuring Location Tlv And Wired Location Service

    Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no form of each command to return to the default setting.
  • Page 678 (Optional) Save your entries in the configuration file. This example shows how to enable NMSP on a switch and to set the location notification time to 10 seconds: Switch(config)# nmsp enable Switch...
  • Page 679 Display the location information for an emergency location. show network-policy profile Display the configured network-policy profiles. show nmsp Display the NMSP information.
  • Page 680: Monitoring And Maintaining Lldp, Lldp-Med, And Wired Location Service

    Chapter 28 Configuring LLDP, LLDP-MED, and Wired Location Service Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service
  • Page 681: Understanding Udld

    A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device.
  • Page 682: Chapter 29 Configuring Udld

    Because this behavior is the same on all UDLD neighbors, the sender of the echoes expects to receive an echo in reply.
  • Page 683 If UDLD is in normal mode, the logical link is considered undetermined, and UDLD does not disable the interface.
  • Page 684: Configuring Udld

    Caution Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
  • Page 685: Enabling Udld Globally

    To disable UDLD globally, use the no udld enable global configuration command to disable normal mode UDLD on all fiber-optic ports. Use the no udld aggressive global configuration command to disable aggressive mode UDLD on all fiber-optic ports.
  • Page 686: Enabling Udld On An Interface

    UDLD error-disabled state, and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error-disabled state.
  • Page 687: Displaying Udld Status

    To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
  • Page 688 Chapter 29 Configuring UDLD Displaying UDLD Status
  • Page 689: Understanding Span And Rspan

    You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.
  • Page 690: Chapter 30 Configuring Span And Rspan

    Figure 30-2 is an example of a local SPAN in a switch stack, where the source and destination ports reside on different stack members.
  • Page 691: Remote Span

    RSPAN source switch must have either ports or VLANs as RSPAN sources. The destination is always a physical port, as shown on Switch C in the figure.
  • Page 692: Span And Rspan Concepts And Terminology

    RSPAN VLAN. The destination session collects all RSPAN VLAN traffic and sends it out the RSPAN destination port.
  • Page 693: Monitored Traffic

    SPAN session. Packets that are modified because of routing or quality of service (QoS)—for example, modified Differentiated Services Code Point (DSCP)—are copied before modification.
  • Page 694: Source Ports

    The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
  • Page 695: Source Vlans

    allowed on other ports. VLAN filtering affects only traffic forwarded to the destination SPAN port and does not affect the switching of normal traffic.
  • Page 696: Destination Port

    For RSPAN, the original VLAN ID is lost because it is overwritten by the RSPAN VLAN identification. Therefore, all packets appear on the destination port as untagged.
  • Page 697: Rspan Vlan

    If a physical port is added to a monitored EtherChannel group, the new port is added to the SPAN source port list. If a port is removed from a monitored EtherChannel group, it is automatically removed from the source port list.
  • Page 698: Span And Rspan And Switch Stacks

    SPAN session. The packets that are permitted by this ACL are copied to the SPAN destination port. No other packets are copied to the SPAN destination port.
  • Page 699: Configuring Span And Rspan

    Configuring SPAN and RSPAN
    These sections contain this configuration information:
    • Default SPAN and RSPAN Configuration, page 30-12
    • Configuring Local SPAN, page 30-12
    • Configuring RSPAN, page 30-17
  • Page 700: Default Span And Rspan Configuration

    You can configure a disabled port to be a source or destination port, but the SPAN function does not start until the destination port and at least one source port or source VLAN are enabled.
  • Page 701: Creating A Local Span Session

    This is the default.
    • rx—Monitor received traffic.
    • tx—Monitor sent traffic.
    Note: You can use the monitor session session_number source command multiple times to configure multiple source ports.
  • Page 702
    Switch(config)# no monitor session 1 source interface gigabitethernet1/0/1 rx
    The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored.
  • Page 703: Creating A Local Span Session And Configuring Incoming Traffic

    • packets with untagged encapsulation type with the specified VLAN as the default VLAN. Step 5 Return to privileged EXEC mode.
  • Page 704: Specifying Vlans To Filter

    (Optional) Use a comma (,) to specify a series of VLANs, or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.
  • Page 705: Configuring Rspan

    • Specifying VLANs to Filter, page 30-21
    • Creating an RSPAN Destination Session, page 30-22
    • Creating an RSPAN Destination Session and Configuring Incoming Traffic, page 30-23
  • Page 706: Rspan Configuration Guidelines

    Use VTP pruning to get an efficient flow of RSPAN traffic, or manually delete the RSPAN VLAN from all trunks that do not need to carry the RSPAN traffic.
  • Page 707: Creating An Rspan Source Session

    For session_number, the range is 1 to 66. Specify all to remove all RSPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.
  • Page 708
    Switch(config)# monitor session 1 source interface gigabitethernet1/0/2 rx
    Switch(config)# monitor session 1 source interface port-channel 2
    Switch(config)# monitor session 1 destination remote vlan 901
    Switch(config)# end
  • Page 709: Specifying Vlans To Filter

    Switch(config)# monitor session 2 source interface gigabitethernet1/0/2 rx
    Switch(config)# monitor session 2 filter vlan 1 - 5 , 9
    Switch(config)# monitor session 2 destination remote vlan 902
    Switch(config)# end
  • Page 710: Creating An Rspan Destination Session

    To remove a destination port from the SPAN session, use the no monitor session session_number destination interface interface-id global configuration command. To remove the RSPAN VLAN from the session, use the no monitor session session_number source remote vlan vlan-id.
  • Page 711: Creating An Rspan Destination Session And Configuring Incoming Traffic

    RSPAN VLAN and the destination port, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). For details about the keywords not related to incoming traffic, see the “Creating an RSPAN Destination...
  • Page 712: Configuring Fspan And Frspan

    ACL configured, any commands including Catalyst 3750 ports as source ports are rejected. The Catalyst 3750 ports can be added as destination ports in an FSPAN session.
  • Page 713: Configuring An Fspan Session

    For session_number, the range is 1 to 66. Specify all to remove all SPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.
  • Page 714 If not selected, the default is to send packets in native form (untagged). Note: You can use monitor session session_number destination command multiple times to configure multiple destination ports.
  • Page 715: Configuring An Frspan Session

    For session_number, the range is 1 to 66. Specify all to remove all RSPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.
  • Page 716 Return to privileged EXEC mode. Step 10 show monitor [session session_number] Verify the configuration. show running-config Step 11 copy running-config startup-config (Optional) Save the configuration in the configuration file.
  • Page 717: Displaying Span And Rspan Status

    To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
  • Page 718 Chapter 30 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status
  • Page 719: Configuring Rmon

    Note: For complete syntax and usage information for the commands used in this chapter, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References. This chapter consists of these sections: Understanding RMON, page 31-2 •...
  • Page 720: Chapter 31 Configuring Rmon

    Because switches supported by this software release use hardware counters for RMON data processing, the monitoring is more efficient, and little processing power is required. Note: 64-bit counters are not supported for RMON alarms.
  • Page 721: Configuring Rmon

    You must also configure SNMP on the switch to access RMON MIB objects. For more information, see Chapter 33, “Configuring SNMP.” Note: 64-bit counters are not supported for RMON alarms.
  • Page 722 You cannot disable at once all the alarms that you configured. To disable an event, use the no rmon event number global configuration command. To learn more about alarms and events and how they interact with each other, see RFC 1757.
  • Page 723: Collecting Group History Statistics On An Interface

    Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable history collection, use the no rmon collection history index interface configuration command.
  • Page 724: Collecting Group Ethernet Statistics On An Interface

    For information about the fields in these displays, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
  • Page 725: Understanding System Message Logging

    This chapter describes how to configure system message logging on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under...
  • Page 726: Configuring System Message Logging

    The part of the message preceding the percent sign depends on the setting of the service sequence-numbers, service timestamps log datetime, service timestamps log datetime [localtime] [msec] [show-timezone], or service timestamps log uptime global configuration command.
  • Page 727: Chapter 32 Configuring System Message Logging

    00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to up (Switch-2)
    00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down (Switch-2)
    00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/1, changed state to down 2 (Switch-2)
  • Page 728: Default System Message Logging Configuration

    Command / Purpose
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 no logging console: Disable message logging.
    Step 3 Return to privileged EXEC mode.
  • Page 729: Setting The Message Display Destination Device

    To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 32-12.
  • Page 730: Synchronizing Log Messages

    Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt.
  • Page 731 (Optional) Save your entries in the configuration file. To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.
  • Page 732: Enabling And Disabling Time Stamps On Log Messages

    This procedure is optional.
    Command / Purpose
    Step 1 configure terminal: Enter global configuration mode.
    Step 2 service sequence-numbers: Enable sequence numbers.
    Step 3 Return to privileged EXEC mode.
  • Page 733: Defining The Message Severity Level

    To disable logging to syslog servers, use the no logging trap global configuration command.
  • Page 734: Limiting Syslog Messages Sent To The History Table And To Snmp

    By default, one message of the level warning and numerically lower levels (see Table 32-3 on page 32-10) are stored in the history table even if syslog traps are not enabled.
  • Page 735: Enabling The Configuration-Change Logger

    [end-number] | statistics} [provisioning] privileged EXEC command to display the complete configuration log or the log for specified parameters. The default is that configuration logging is disabled. For information about the commands, see the Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3 T at this URL: http://www.cisco.com/en/US/docs/ios/12_3/featlist/cfun_vcg.html...
  • Page 736: Configuring Unix Syslog Servers

    | exit Configuring UNIX Syslog Servers The next sections describe how to configure the UNIX server syslog daemon and how to define the UNIX system logging facility.
  • Page 737: Logging Messages To A Unix Syslog Daemon

    Limit messages logged to the syslog servers. By default, syslog servers receive informational messages and lower. See Table 32-3 on page 32-10 for level keywords.
  • Page 738: Displaying The Logging Configuration

    To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation >...
  • Page 739: Understanding Snmp

    Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Network Management Command Reference, Release 12.4 from the Cisco.com page at this URL: http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_book.html...
  • Page 740: Chapter 33 Configuring Snmp

    A combination of the security level and the security model determine which security mechanism is used when handling an SNMP packet. Available security models are SNMPv1, SNMPv2C, and SNMPv3.
  • Page 741: Snmp Manager Functions

    1. With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table. 2. The get-bulk command only works with SNMPv2 or later.
  • Page 742: Snmp Agent Functions

    SNMP manager in get-request, get-next-request, and set-request format. [Figure 33-1: SNMP Network]
  • Page 743: Snmp Notifications

    Loopback and Tunnel 24567 +
    1. SVI = switch virtual interface
    2. SFP = small form-factor pluggable
    Note: The switch might not use sequential values within a range.
  • Page 744: Configuring Snmp

    SNMP group. An SNMP host is the recipient of an SNMP trap operation. An SNMP engine ID is a name for the local or remote SNMP engine.
  • Page 745: Disabling The Snmp Agent

    The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
  • Page 746: Configuring Community Strings

    Recall that the access list is always terminated by an implicit deny statement for everything. Step 4 Return to privileged EXEC mode.
  • Page 747: Configuring Snmp Groups And Users

    If you select remote, specify the ip-address of the device that contains the remote copy of SNMP and the optional User Datagram Protocol (UDP) port on the remote device. The default is 162.
  • Page 748 • (Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.
  • Page 749 Note priv mode configuration, you must enter the show snmp user privileged command. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 750: Configuring Snmp Notifications

    A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers. Note: Many commands use the word traps in the command syntax.
  • Page 751 You can use the snmp-server host global configuration command to configure a specific host to receive the notification types listed in Table 33-5.
  • Page 752 • snmp-server enable traps port-security trap-rate rate
  • Page 753 To disable informs, use the no snmp-server host informs global configuration command. To disable a specific trap type, use the no snmp-server enable traps notification-types global configuration command.
  • Page 754: Setting The Cpu Threshold Notification Types And Values

    Dial System Operator at beeper 21555. Step 3 snmp-server location text Set the system location string. For example: snmp-server location Building 3/Room 222 Step 4 Return to privileged EXEC mode.
  • Page 755: Limiting Tftp Servers Used Through Snmp

    Step 4 Return to privileged EXEC mode. Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 756: Snmp Examples

    Switch(config)# snmp-server enable traps entity
    Switch(config)# snmp-server host cisco.com restricted entity
    This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public:
    Switch(config)# snmp-server enable traps
    Switch(config)# snmp-server host myhost.cisco.com public...
  • Page 757: Displaying Snmp Status

    EXEC command. You also can use the other privileged EXEC commands in Table 33-6 to display SNMP information. For information about the fields in the displays, see the Cisco IOS Configuration Fundamentals Command Reference. Table 33-6 Commands for Displaying SNMP Information Feature...
  • Page 758 Chapter 33 Configuring SNMP Displaying SNMP Status
  • Page 759: Understanding Embedded Event Manager

    • Writing Embedded Event Manager Policies Using Tcl http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_policy_tcl.html
    Note: Beginning with Cisco IOS Release 12.2(55)SE, the EEM feature is supported on the IP base feature set.
    This chapter consists of these sections:
    • Understanding Embedded Event Manager, page 34-1
    • Configuring Embedded Event Manager, page 34-6
    ...
  • Page 760
    • Embedded Event Manager Actions, page 34-4
    • Embedded Event Manager Policies, page 34-4
    • Embedded Event Manager Environment Variables, page 34-5
    • EEM 3.2, page 34-5
  • Page 761: Chapter 34 Configuring Embedded Event Manager

    • Counter event detector–Publishes an event when a named counter crosses a specified threshold.
    • Interface counter event detector–Publishes an event when a generic Cisco IOS interface counter for a specified interface crosses a defined threshold. A threshold can be specified as an absolute value or an incremental value. For example, if the incremental value is set to 50 an event would be...
  • Page 762: Embedded Event Manager Actions

    The user-defined TCL scripts must be available in the member switches so that if the master switch changes, the TCL scripts policies continue to work.
  • Page 763: Embedded Event Manager Environment Variables

    • Cisco built-in variables (available in EEM applets): Defined by Cisco and can be read-only or read-write. The read-only variables are set by the system before an applet starts to execute. The single read-write variable, _exit_status, allows you to set the exit status for policies triggered from synchronous events.
  • Page 764: Configuring Embedded Event Manager

    • Registering and Defining an Embedded Event Manager TCL Script, page 34-7
    For complete information about configuring embedded event manager, see the Cisco IOS Network Management Configuration Guide, Release 12.4T.
    Registering and Defining an Embedded Event Manager Applet
    Beginning in privileged EXEC mode, perform this task to register an applet with EEM and to define the EEM applet using the event applet and action applet configuration commands.
  • Page 765: Registering And Defining An Embedded Event Manager Tcl Script

    This example shows the sample output for the show event manager environment command:
    Switch# show event manager environment all
    Name              Value
    _cron_entry       0-59/2 0-23/1 * * 0-6
    _show_cmd         show ver
    _syslog_pattern   .*UPDOWN.*Ethernet1/0.*
  • Page 766: Displaying Embedded Event Manager Information

    Switch(config)# event manager environment _cron_entry 0-59/2 0-23/1 * * 0-6
    This example shows the sample EEM policy named tm_cli_cmd.tcl registered as a system policy. The system policies are part of the Cisco IOS image. User-defined TCL scripts must first be copied to flash memory.
  • Page 767 “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2, and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.
  • Page 768: Chapter 35 Configuring Network Security With Acls

    Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces in a specific direction (inbound or outbound). For more information, see the “Router ACLs” section on page 35-4.
  • Page 769: Port Acls

    • Extended IP access lists using source and destination addresses and optional protocol type information
    • MAC extended access lists using source and destination MAC addresses and optional protocol type information
  • Page 770: Router Acls

    Layer 3 interfaces; and on Layer 3 EtherChannel interfaces. You apply router ACLs on interfaces for specific directions (inbound or outbound). You can apply one router ACL in each direction on an interface.
  • Page 771: Vlan Maps

    Figure: Using VLAN Maps to Control Traffic (diagram not reproduced; it shows Host A and Host B in VLAN 10 connected through the blade switch, with a VLAN map denying a specific type of traffic from Host A).
  • Page 772: Handling Fragmented And Unfragmented Traffic

    ACE because that ACE does not check any Layer 4 information and because Layer 3 information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit ACEs were checking different hosts.
  • Page 773: Acls And Switch Stacks

    ACL information to all switches in the stack.
    Configuring IPv4 ACLs
    Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, see the “Configuring IP Services”...
  • Page 774: Creating Standard And Extended Ipv4 Acls

    Access List Numbers
    Access List Number   Type                            Supported
    1–99                 IP standard access list
    100–199              IP extended access list
    200–299              Protocol type-code access list
    300–399              DECnet access list
  • Page 775: Acl Logging

    IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.
  • Page 776: Creating A Numbered Standard Acl

    Switch(config)# access-list 2 deny host 171.69.198.102
    Switch(config)# access-list 2 permit any
    Switch(config)# end
    Switch# show access-lists
    Standard IP access list 2
        10 deny 171.69.198.102
        20 permit any
  • Page 777: Creating A Numbered Extended Acl

    For more details on the specific keywords for each protocol, see these command references:
    • Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2
    • Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2
    ...
  • Page 778 DSCP value specified by a number from 0 to 63, or use the question mark (?) to see a list of available values.
  • Page 779 TCP port. To see TCP port names, use the ? or see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2. Use only TCP port numbers or names when filtering TCP.
  • Page 780 When you are creating an ACL, remember that, by default, the end of the access list contains an implicit deny statement for all packets if it did not find a match before reaching the end.
  • Page 781: Resequencing Aces In An Acl

    The ACL must be an extended named ACL.
    – match input-interface interface-id-list
    – match ip dscp dscp-list
    – match ip precedence ip-precedence-list
    You cannot enter the match access-group acl-index command.
  • Page 782 (Optional) Save your entries in the configuration file. To remove a named extended ACL, use the no ip access-list extended name global configuration command.
  • Page 783: Using Time Ranges With Acls

    Network Time Protocol (NTP) to synchronize the switch clock. For more information, see the “Managing the System Time and Date” section on page 5-1.
  • Page 784

    Switch(config)# end
    Switch# show access-lists
    Extended IP access list 188
        10 deny tcp any any time-range new_year_day_2006 (inactive)
        20 permit tcp any any time-range workhours (inactive)
  • Page 785: Including Comments In Acls

    For procedures for applying ACLs to interfaces, see the “Applying an IPv4 ACL to an Interface” section on page 35-20. For applying ACLs to VLANs, see the “Configuring VLAN Maps” section on page 35-30.
  • Page 786: Applying An Ipv4 Acl To An Interface

    CPU so that it can generate the ICMP-unreachable message. Port ACLs are an exception. They do not generate ICMP unreachable messages. ICMP unreachable messages can be disabled on router ACLs with the no ip unreachables interface command.
  • Page 787 When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits all packets. Remember this behavior if you use undefined ACLs for network security.
  • Page 788: Hardware And Software Treatment Of Ip Acls

    Logical operation units are needed for a TCP flag match or a test other than eq (ne, gt, lt, or range) on TCP, UDP, or SCTP port numbers.
  • Page 789: Ipv4 Acl Configuration Examples

    This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2, and the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
  • Page 790

    Switch(config)# access-list 106 permit ip any 172.20.128.64 0.0.0.31
    Switch(config)# end
    Switch# show access-lists
    Extended IP access list 106
        10 permit ip any 172.20.128.64 0.0.0.31
    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)# ip access-group 106 in
  • Page 791: Numbered Acls

    Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
    Switch(config)# access-list 102 permit tcp any host 128.88.1.2 eq 25
    Switch(config)# interface gigabitethernet1/0/1
    Switch(config-if)# ip access-group 102 in
  • Page 792: Named Acls

    Switch(config-ext-nacl)# deny tcp any any eq www time-range no-http
    Switch(config-ext-nacl)# permit udp any any time-range udp-yes
    Switch(config-ext-nacl)# exit
    Switch(config)# interface gigabitethernet2/0/1
    Switch(config-if)# ip access-group strict in
  • Page 793: Commented Ip Acl Entries

    00:00:48: NTP: authentication delay calculation problems
    00:09:34:%SEC-6-IPACCESSLOGS:list stan1 permitted 0.0.0.0 1 packet
    00:09:59:%SEC-6-IPACCESSLOGS:list stan1 denied 10.1.1.15 1 packet
    00:10:11:%SEC-6-IPACCESSLOGS:list stan1 permitted 0.0.0.0 1 packet
  • Page 794: Creating Named Mac Extended Acls

    Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:
            Command                          Purpose
    Step 1  configure terminal               Enter global configuration mode.
    Step 2  mac access-list extended name    Define an extended MAC access list using a name.
  • Page 795: Applying A Mac Acl To A Layer 2 Interface

    • You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface. The IP access list filters only IP packets, and the MAC access list filters non-IP packets.
  • Page 796: Configuring Vlan Maps

    For complete syntax and usage information for the commands used in this section, see the command reference for this release.
  • Page 797: Vlan Map Configuration Guidelines

    VLAN map to a VLAN that the port belongs to, the port ACL takes precedence over the VLAN map.
    • If VLAN map configuration cannot be applied in hardware, all packets in that VLAN must be bridged and routed by software.
  • Page 798: Creating A Vlan Map

    Use the no action access-map configuration command to enforce the default action, which is to forward.
  • Page 799: Examples Of Acls And Vlan Maps

    Switch(config)# vlan access-map drop-ip-default 10
    Switch(config-access-map)# match ip address 101
    Switch(config-access-map)# action forward
    Switch(config-access-map)# exit
    Switch(config)# vlan access-map drop-ip-default 20
    Switch(config-access-map)# match ip address igmp-match
    Switch(config-access-map)# action drop
  • Page 800

    Switch(config)# vlan access-map drop-all-default 10
    Switch(config-access-map)# match ip address tcp-match
    Switch(config-access-map)# action forward
    Switch(config-access-map)# exit
    Switch(config)# vlan access-map drop-all-default 20
    Switch(config-access-map)# match mac address good-hosts
    Switch(config-access-map)# action forward
  • Page 801: Applying A Vlan Map To A Vlan

    Figure: Deny Access to a Server on Another VLAN (diagram not reproduced; its labels include a VLAN map, a Layer 3 switch, a server in VLAN 10, and hosts in VLAN 10 and VLAN 20).
  • Page 802: Configuring Vacl Logging

    • Only denied IP packets are logged.
    • Packets that require logging on the outbound port ACLs are not logged if they are denied by a VACL.
  • Page 803

    DomainMember(config-access-map)# action drop log
    DomainMember(config-access-map)# exit
    This example shows how to configure global VACL logging parameters:
    DomainMember(config)# vlan access-log maxflow 800
    DomainMember(config)# vlan access-log threshold 4000
  • Page 804: Using Vlan Maps With Router Acls

    Note: For complete syntax and usage information of the commands used in this section, see the Cisco IOS LAN Switching Command Reference: http://www.cisco.com/en/US/docs/ios/lanswitch/command/reference/lsw_book.html
    Using VLAN Maps with Router ACLs
    To access control both bridged and routed traffic, you can use VLAN maps only or a combination of router ACLs and VLAN maps.
  • Page 805: Vlan Maps And Router Acl Configuration Guidelines

    ACL is applied on packets that are switched within a VLAN. Packets switched within the VLAN without being routed or forwarded by fallback bridging are only subject to the VLAN map of the input VLAN.
  • Page 806: Acls And Bridged Packets

    Figure: Applying ACLs on Bridged Packets (diagram not reproduced; it shows a frame passing between Blade server A in VLAN 10 and Blade server B in VLAN 20 through a fallback bridge, with the VLAN 10 and VLAN 20 maps).
  • Page 807: Acls And Routed Packets

    However, if the input VLAN map (VLAN 10 map in Figure 35-8) drops the packet, no destination receives a copy of the packet.
  • Page 808: Displaying Ipv4 Acl Configuration

    [interface interface-id] Displays MAC access lists applied to all Layer 2 interfaces or the specified Layer 2 interface.
  • Page 809 [access-map name | vlan vlan-id] Show information about all VLAN filters or about a specified VLAN or VLAN access map.
  • Page 810
  • Page 811: Understanding Ipv6 Acls

    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release or the Cisco IOS documentation referenced in the procedures.
    This chapter contains these sections:
    • Understanding IPv6 ACLs, page 36-1
    ...
  • Page 812: Chapter 36 Configuring Ipv6 Acl

    With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs. The switch supports most Cisco IOS-supported IPv6 ACLs with these exceptions:
  • Page 813: Ipv6 Acls And Switch Stacks

    Step 3: Apply the IPv6 ACL to an interface. For router ACLs, you must also configure an IPv6 address on the Layer 3 interface to which the ACL is applied.
  • Page 814: Default Ipv6 Acl Configuration

    Step 1  configure terminal                  Enter global configuration mode.
    Step 2  ipv6 access-list access-list-name   Define an IPv6 access list using a name, and enter IPv6 access-list configuration mode.
  • Page 815 The range is from 1 to 4294967295.
    • (Optional) Enter time-range name to specify the time range that applies to the deny or permit statement.
  • Page 816

    Return to privileged EXEC mode.
    Step 5  show ipv6 access-list                 Verify the access list configuration.
    Step 6  copy running-config startup-config    (Optional) Save your entries in the configuration file.
  • Page 817: Applying An Ipv6 Acl To An Interface

    This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000.
  • Page 818: Displaying Ipv6 Acls

    This example shows how to apply the access list Cisco to outbound traffic on a Layer 3 interface:
    Switch(config)# interface gigabitethernet 1/0/3
    Switch(config-if)# no switchport
    Switch(config-if)# ipv6 address 2001::/64 eui-64
    Switch(config-if)# ipv6 traffic-filter CISCO out...
  • Page 819: Displaying Ipv6 Acls

  • Page 820
  • Page 821: Configuring Qos

    Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Cisco IOS release 12.2(52)SE and later supports QoS for both IPv4 and IPv6 traffic when a dual IPv4 and IPv6 SDM template is configured.
  • Page 822: Understanding Qos

    IP precedence values range from 0 to 7. DSCP values range from 0 to 63.
    Note: Beginning with Cisco IOS Release 12.2(52)SE, you can use the dual IPv4 and IPv6 SDM templates to enable IPv6 QoS globally on the switch or switch stack. You must reload the switch after configuring the dual IPv4 and IPv6 templates.
  • Page 823: Chapter 37 Configuring Qo

  • Page 824: Basic Qos Model

    • Scheduling services the four egress queues based on their configured SRR shared or shaped weights. One of the queues (queue 1) can be the expedited queue, which is serviced until empty before the other queues are serviced.
  • Page 825: Classification

    0 as the DSCP and CoS values, which means best-effort traffic. Otherwise, the policy-map action specifies a DSCP or CoS value to assign to the incoming frame.
  • Page 826 IPv6 packets, the DSCP value is rewritten by using the CoS-to-DSCP map and by using the default CoS of the port. In Cisco IOS Release 12.2(52)SE and later, you can do this for both IPv4 and IPv6 traffic.
    • Perform the classification based on a configured IP standard or an extended ACL, which examines...
  • Page 827 Flowchart fragment (diagram not reproduced): Assign the DSCP or CoS as specified by ACL action to generate the QoS label. Assign the default DSCP (0). Generate the DSCP by using the CoS-to-DSCP map. Done.
  • Page 828: Classification Based On Qos Acls

    You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). Beginning with Cisco IOS Release 12.2(52)SE, you can classify IP traffic based on IPv6 ACLs. In the QoS context, the permit and deny actions in the access control entries (ACEs) have...
  • Page 829: Policing And Marking

    “Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps” section on page 37-64, and the “Classifying, Policing, and Marking Traffic by Using Aggregate Policers” section on page 37-72.
  • Page 830: Policing On Physical Ports

    • A nonhierarchical policy map on a physical port.
    • The interface level of a hierarchical policy map attached to an SVI. The physical ports are specified in this secondary policy map.
  • Page 831: Policing On Svis

    SVI. The second level, the interface level, specifies the actions to be taken against the traffic on the physical ports that belong to the SVI and are specified in the interface-level policy map.
  • Page 832 Flowchart fragment (diagram not reproduced): Verify the out-of-profile action configured for this policer. Drop: Drop packet. Mark: Modify DSCP according to the policed-DSCP map. Generate a new QoS label. Done.
  • Page 833: Mapping Tables

    Scheduling on Ingress Queues” section on page 37-16. For information about the DSCP and CoS output queue threshold maps, see the “Queueing and Scheduling on Egress Queues” section on page 37-18.
  • Page 834: Queueing And Scheduling Overview

    5 and is subjected to the 60-percent threshold. If this frame is added to the queue, the threshold will be exceeded, so the switch drops it.
  • Page 835: Srr Shaping And Sharing

    37-83, the “Configuring SRR Shaped Weights on Egress Queues” section on page 37-90, and the “Configuring SRR Shared Weights on Egress Queues” section on page 37-91.
  • Page 836: Queueing And Scheduling On Ingress Queues

    The expedite queue has guaranteed bandwidth. 1. The switch uses two nonconfigurable queues for traffic that is essential for proper network and stack operation.
  • Page 837 For configuration information, see the “Configuring Ingress Queue Characteristics” section on page 37-81.
  • Page 838: Queueing And Scheduling On Egress Queues

    All traffic exiting the switch flows through one of these four queues and is subjected to a threshold based on the QoS label assigned to the packet.
  • Page 839 The switch can allocate the needed buffers from the common pool if the common pool is not empty.
  • Page 840: Packet Modification

    DSCP to the CPU where it is again processed through software.
  • Page 841: Configuring Auto-Qos

    The switch uses the classification results to choose the appropriate egress queue. Beginning with Cisco IOS Release 12.2(52)SE, auto-QoS supports IPv4 and IPv6 traffic when you configure the dual IPv4 and IPv6 SDM template with the sdm prefer dual ipv4-and-ipv6 global configuration command.
  • Page 842: Generated Auto-Qos Configuration

    DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. When there is no Cisco IP Phone, the ingress classification is set to not trust the QoS label in the packet. The policing is applied to the traffic matching the policy-map classification before the switch enables the trust boundary feature.
  • Page 843 Ensure Port Security” section on page 39-42. When you enable auto-QoS by using the auto qos voip cisco-phone, the auto qos voip cisco-softphone, or the auto qos voip trust interface configuration command, the switch automatically generates a QoS configuration based on the traffic type and ingress packet label and applies the commands listed in Table 37-5 to the port.
  • Page 844: Enhanced Auto-Qos For Video, Trust, And Classification

    When you configure the auto qos {video | classify | trust} enhanced commands on a switch port, this behavior occurs:
    • Auto qos voip generated commands that you configured on the interface before Cisco IOS Release 12.2(55)SE migrate to the enhanced commands.
  • Page 845: Global Auto-Qos Configuration

    3 threshold 3 0
    Switch(config)# mls qos srr-queue output cos-map queue 4 threshold 3 0
    Switch(config)# mls qos srr-queue output cos-map queue 4 threshold 3 1
  • Page 846

    Switch(config)# mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
    Switch(config)# mls qos srr-queue input dscp-map queue 2 threshold 3 46
  • Page 847 10 11 12 13 14 15 12 14 Switch(config)# mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
  • Page 848: Auto-Qos Generated Configuration For Voip Devices

    Auto-QoS Generated Configuration For VoIP Devices
    If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone.
    Switch(config-if)# mls qos trust device cisco-phone
    If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps.
  • Page 849: Auto-Qos Generated Configuration For Enhanced Video, Trust, And Classify Devices

    AutoQoS-Police-SoftPhone to an ingress interface on which auto-QoS with the Cisco SoftPhone feature is enabled.
    Switch(config-if)# service-policy input AutoQoS-Police-SoftPhone
    If you entered the auto qos voip cisco-phone command, the switch automatically creates class maps and policy maps.
    Switch(config-if)# mls qos trust device cisco-phone
    If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps.
  • Page 850

    Switch(config-pmap-c)# set dscp af21
    Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
    Switch(config-pmap)# class AUTOQOS_SCAVANGER_CLASS
    Switch(config-pmap-c)# set dscp cs1
    Switch(config-pmap-c)# police 10000000 8000 exceed-action drop
    Switch(config-pmap)# class AUTOQOS_SIGNALING_CLASS
  • Page 851

    Switch(config-pmap-c)# set dscp default
    Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit
    Switch(config-if)# service-policy input AUTOQOS-SRND4-CLASSIFY-POLICE-POLICY
    This is the enhanced configuration for the auto qos voip cisco-phone command:
    Switch(config)# mls qos map policed-dscp 0 10 18 to 8
    Switch(config)# mls qos map cos-dscp 0 8 16 24 32 46 48 56...
  • Page 852: Effects Of Auto-Qos On The Configuration

    You can enable auto-QoS on static, dynamic-access, voice VLAN access, and trunk ports.
    • By default, the CDP is enabled on all ports. For auto-QoS to function properly, do not disable CDP.
  • Page 853: Auto-Qos Voip Considerations

    Note: When a device running Cisco SoftPhone is connected to a nonrouted or routed port, the switch supports only one Cisco SoftPhone application per port.
    • When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.
  • Page 854: Troubleshooting Auto Qos Commands

    (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
  • Page 855: Displaying Auto-Qos Information

    (optional, unless you need to use the DSCP-to-DSCP-mutation map or the policed-DSCP map)
    • Configuring Ingress Queue Characteristics, page 37-81 (optional)
    • Configuring Egress Queue Characteristics, page 37-85 (optional)
  • Page 856: Default Standard Qos Configuration

    DSCP input queue threshold map when QoS is enabled.
    Table 37-8 Default DSCP Input Queue Threshold Map
    DSCP Value   Queue ID–Threshold ID
    0–39         1–1
    40–47        2–1
    48–63        1–1
  • Page 857: Default Egress Queue Configuration

    DSCP output queue threshold map when QoS is enabled.
    Table 37-11 Default DSCP Output Queue Threshold Map
    DSCP Value   Queue ID–Threshold ID
    0–15         2–1
    16–31        3–1
    32–39        4–1
    40–47        1–1
    48–63        4–1
  • Page 858: Default Mapping Table Configuration

    QoS hardware memory, and an error can occur when you apply the policy map to a port. Whenever possible, you should minimize the number of lines in a QoS ACL.
    IPv6 QoS ACL Guidelines
    Chapter 36, “Configuring IPv6 ACLs.”
  • Page 859: Applying Qos On Interfaces

    Beginning with Cisco IOS Release 12.2(52)SE, you can enable IPv6 QoS on a switch or a switch stack. If the stack includes only Cisco 3560E and Cisco 3750E switches, the QoS configuration applies to all traffic. These are the guidelines for IPv6 QoS in a stack that includes one or more Cisco Catalyst 3750 switches: Any switch can be the stack master.
  • Page 860: Policing Guidelines

    • QoS policies that include IPv6-specific classification (such as an IPv6 ACL or the match protocol ipv6 command) are supported on Cisco 3750E interfaces and on any SVI when a Cisco 3750E switch is part of the stack.
    • QoS policies that include common IPv4 and IPv6 classifications are supported on all Cisco 3750E...
  • Page 861: Enabling Qos Globally

    Enabling QoS Globally
    By default, QoS is disabled on the switch. Cisco IOS Release 12.2(52)SE and later supports IPv6 QoS. To enable IPv6 QoS on the switch, you must first configure the dual-IP SDM template and reload the switch.
  • Page 862: Configuring Classification Using Port Trust States

    QoS domain. Figure 37-11 shows a sample network topology.
    Figure 37-11 Port Trusted States within the QoS Domain (diagram not reproduced; its labels are: trusted interface, trunk, traffic classification performed here, trusted boundary).
  • Page 863: Configuring The Cos Value For An Interface

    Configuring the CoS Value for an Interface
    QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports.
  • Page 864: Configuring A Trusted Boundary To Ensure Port Security

    To return to the default setting, use the no mls qos cos {default-cos | override} interface configuration command.
    Configuring a Trusted Boundary to Ensure Port Security
    In a typical network, you connect a Cisco IP Phone to a switch port, as shown in Figure 37-11 on page 37-42, and cascade devices that generate data packets from the back of the telephone.
  • Page 865 CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue.
  • Page 866: Enabling Dscp Transparency Mode

    QoS. If the two domains use different DSCP values, you can configure the DSCP-to-DSCP-mutation map to translate a set of DSCP values to match the definition in the other domain.
  • Page 867 Return to privileged EXEC mode. Step 7 show mls qos maps dscp-mutation Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide 37-47 OL-13270-06...
  • Page 868: Configuring A Qos Policy

    Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps, page 37-64 • Classifying, Policing, and Marking Traffic by Using Aggregate Policers, page 37-72
  • Page 869: Classifying Traffic By Using Acls

    Classifying Traffic by Using ACLs You can classify IP traffic by using IP standard or IP extended ACLs; in Cisco IOS Release 12.2(52)SE and later, you can use IPv6 ACLs. You can classify non-IP traffic by using Layer 2 MAC ACLs.
  • Page 870 This example shows how to create an ACL that permits PIM traffic from any source to a destination group address of 224.0.0.2 with a DSCP set to 32: Switch(config)# access-list 102 permit pim any 224.0.0.2 dscp 32
  • Page 871 Create an IPv6 ACL, and enter IPv6 access-list configuration mode. Access list names cannot contain a space or quotation mark or begin with a numeric.
  • Page 872 The acceptable range is from 1 to 4294967295. (Optional) Enter time-range name to specify the time range that applies to the deny or permit statement.
  • Page 873 Step 4 Return to privileged EXEC mode.
  • Page 874: Classifying Traffic By Using Class Maps

    Using Policy Maps” section on page 37-59 and the “Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps” section on page 37-64.
  • Page 875 See “Creating Named Standard and Extended ACLs” section on page 35-15 for limitations when using the match-all and the match-any keywords.
  • Page 876 103. It permits traffic from any host to any destination that matches a DSCP value of 10. Switch(config)# access-list 103 permit ip any any dscp 10 Switch(config)# class-map class1 Switch(config-cmap)# match access-group 103 Switch(config-cmap)# end Switch#
  • Page 877: Classifying Traffic By Using Class Maps And Filtering Ipv6 Traffic

    Classifying Traffic by Using Class Maps and Filtering IPv6 Traffic In Cisco IOS Release 12.2(52)SE and later, the switch supports both IPv4 and IPv6 QoS when the dual IPv4 and IPv6 SDM template is configured. When the dual IP SDM template is configured, the match ip dscp and match ip precedence classifications match both IPv4 and IPv6 traffic.
  • Page 878 Switch(config-cmap)# match access-group name ipv6-any Switch(config-cmap)# exit Switch(config)# Policy-map pm1 Switch(config-pmap)# class cm-1 Switch(config-pmap-c)# set dscp 4 Switch(config-pmap-c)# exit Switch(config-pmap)# class cm-2 Switch(config-pmap-c)# set dscp 6 Switch(config-pmap-c)# exit Switch(config-pmap)# exit
  • Page 879: Classifying, Policing, And Marking Traffic On Physical Ports By Using Policy Maps

    When you configure a default traffic class by using the class class-default policy-map configuration command, unclassified traffic (traffic that does not meet the match criteria specified in the traffic classes) is treated as the default traffic class (class-default).
  • Page 880 It is always placed at the end of a policy map. With an implied match any included in the class-default class, all packets that have not already matched the other traffic classes will match class-default.
  • Page 881 DSCP value (by using the policed-DSCP map) and to send the packet. For more information, see the “Configuring the Policed-DSCP Map” section on page 37-77.
  • Page 882 Switch(config-ext-mac)# permit 0001.0000.0002 0.0.0 0002.0000.0002 0.0.0 xns-idp Switch(config-ext-mac)# exit Switch(config)# mac access-list extended maclist2 Switch(config-ext-mac)# permit 0001.0000.0003 0.0.0 0002.0000.0003 0.0.0 Switch(config-ext-mac)# permit 0001.0000.0004 0.0.0 0002.0000.0004 0.0.0 aarp
  • Page 883: Classifying, Policing, And Marking Traffic On Svis By Using Hierarchical Policy Maps

    Use the interface-level policy map to specify the physical ports that are affected by individual policers. Beginning with Cisco IOS Release 12.2(52)SE, you can configure hierarchical policy maps that filter IPv4 and IPv6 traffic. Follow these guidelines when configuring hierarchical policy maps: Before configuring a hierarchical policy map, you must enable VLAN-based QoS on the physical...
  • Page 884 When VLAN-based QoS is enabled, the switch supports VLAN-based features, such as the VLAN map. You can configure a hierarchical policy map only on the primary VLAN of a private VLAN.
  • Page 885 See “Creating Named Standard and Extended ACLs” section on page 35-15 for limitations when using the match-all and the match-any keywords.
  • Page 886 For more information about the match protocol command, see the Cisco IOS Quality of Service Solutions Command Reference. Step 5 exit Returns to class-map configuration mode. Step 6 exit Returns to global configuration mode.
  • Page 887 By default, no policy-map class-maps are defined. If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.
  • Page 888 It is always placed at the end of a policy map. With an implied match any included in the class-default class, all packets that have not already matched the other traffic classes will match class-default.
  • Page 889 Returns to global configuration mode. Step 23 interface interface-id Specifies the SVI to which to attach the hierarchical policy map, and enters interface configuration mode.
  • Page 890 Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# access-list 101 permit ip any any Switch(config)# class-map cm-1 Switch(config-cmap)# match access 101 Switch(config-cmap)# exit Switch(config)# exit Switch# Switch#
  • Page 891 Switch(config-pmap)# class cm-1 Switch(config-pmap-c)# set dscp 4 Switch(config-pmap-c)# exit Switch(config-pmap)# class cm-2 Switch(config-pmap-c)# set dscp 6 Switch(config-pmap-c)# exit Switch(config-pmap)# exit Switch(config)# interface G1/0/1 Switch(config-if)# service-policy input pm1
  • Page 892: Classifying, Policing, And Marking Traffic By Using Aggregate Policers

    However, you cannot use the aggregate policer across different policy maps or ports. You can configure aggregate policers only in nonhierarchical policy maps on physical ports.
  • Page 893 Valid interfaces include physical ports. Step 9 service-policy input policy-map-name Specifies the policy-map name, and applies it to an ingress port. Only one policy map per ingress port is supported.
  • Page 894 Switch(config-pmap-c)# police aggregate transmit1 Switch(config-pmap-c)# exit Switch(config-pmap)# class class-default Switch(config-pmap-c)# set dscp 10 Switch(config-pmap-c)# exit Switch(config-pmap)# exit Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# service-policy input aggflow1 Switch(config-if)# exit
  • Page 895: Configuring Dscp Maps

    For dscp1...dscp8, enter eight DSCP values that correspond to CoS values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63. Step 3 Return to privileged EXEC mode.
  • Page 896: Configuring The Ip-Precedence-To-Dscp Map

    0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63. Step 3 Return to privileged EXEC mode.
  • Page 897: Configuring The Policed-Dscp Map

    (Optional) Save your entries in the configuration file. To return to the default map, use the no mls qos policed-dscp global configuration command.
  • Page 898: Configuring The Dscp-To-Cos Map

    DSCP Value CoS Value 0–7 8–15 16–23 24–31 32–39 40–47 48–55 56–63 If these values are not appropriate for your network, you need to modify them.
  • Page 899: Configuring The Dscp-To-Dscp-Mutation Map

    You can configure multiple DSCP-to-DSCP-mutation maps on an ingress port. The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value.
  • Page 900 30 30 30 30 30 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
  • Page 901: Configuring Ingress Queue Characteristics

    Allocating Buffer Space Between the Ingress Queues, page 37-83 (optional) • Allocating Bandwidth Between the Ingress Queues, page 37-83 (optional) • Configuring the Ingress Priority Queue, page 37-84 (optional)
  • Page 902: Mapping Dscp Or Cos Values To An Ingress Queue And Setting Wtd Thresholds

    To return to the default WTD threshold percentages, use the no mls qos srr-queue input threshold queue-id global configuration command.
  • Page 903: Allocating Buffer Space Between The Ingress Queues

    The bandwidth and the buffer allocation control how much data can be buffered before packets are dropped. On ingress queues, SRR operates only in shared mode.
  • Page 904: Configuring The Ingress Priority Queue

    Then, SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command.
  • Page 905: Configuring Egress Queue Characteristics

    Does the bandwidth of the port need to be rate limited? • How often should the egress queues be serviced and which technique (shaped, shared, or both) should be used?
  • Page 906: Allocating Buffer Space To And Setting Wtd Thresholds For An Egress Queue-Set

    Note: The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
  • Page 907 For qset-id, enter the ID of the queue-set specified in Step 2. The range is 1 to 2. The default is 1. Step 6 Return to privileged EXEC mode.
  • Page 908: Mapping Dscp Or Cos Values To An Egress Queue And To A Threshold Id

    Note: The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
  • Page 909 This example shows how to map DSCP values 10 and 11 to egress queue 1 and to threshold 2: Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 2 10 11
  • Page 910: Configuring Srr Shaped Weights On Egress Queues

    2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent: Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# srr-queue bandwidth shape 8 0 0 0
  • Page 911: Configuring Srr Shared Weights On Egress Queues

    1, 2, 3, and 4. This means that queue 4 has four times the bandwidth of queue 1, twice the bandwidth of queue 2, and one-and-a-third times the bandwidth of queue 3. Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# srr-queue bandwidth share 1 2 3 4
  • Page 912: Configuring The Egress Expedite Queue

    The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
  • Page 913: Displaying Standard Qos Information

    queueing | statistics] Display QoS information at the port level, including the buffer allocation, which ports have configured policers, the queueing strategy, and the ingress and egress statistics.
  • Page 914 The control-plane and interface keywords are not supported, and the statistics shown in the display should be ignored. show running-config | include rewrite Display the DSCP transparency setting.
  • Page 915: Understanding Etherchannels

    Link Aggregation Control Protocol, page 38-6 • EtherChannel On Mode, page 38-7 • Load-Balancing and Forwarding Methods, page 38-8 • EtherChannel and Switch Stacks, page 38-9
  • Page 916: Chapter 38 Configuring Etherchannels And Link-State Tracking

    EtherChannel, and the failed link. Inbound broadcast and multicast packets on one link in an EtherChannel are blocked from returning on any other link of the EtherChannel.
  • Page 917 [Figure 38-3: Cross-Stack EtherChannel]
  • Page 918: Port-Channel Interfaces

    EtherChannel, apply configuration commands to the port-channel interface, for example, spanning-tree commands or commands to configure a Layer 2 EtherChannel as a trunk.
  • Page 919: Port Aggregation Protocol

    Understanding EtherChannels Port Aggregation Protocol The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports. You can use PAgP only in single-switch EtherChannel configurations;...
  • Page 920: Pagp Interaction With Virtual Switches And Dual-Active Detection

    Link Aggregation Control Protocol The LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the IEEE 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports.
  • Page 921: Lacp Modes

    Ports that are configured in the on mode in the same channel group must have compatible port characteristics, such as speed and duplex. Ports that are not compatible are suspended, even though they are configured in the on mode.
  • Page 922: Load-Balancing And Forwarding Methods

    In Figure 38-5, an EtherChannel of sixteen blade servers communicates with a router. Because the router is a single-MAC-address device, source-based...
  • Page 923: Etherchannel And Switch Stacks

    Spanning tree detects this condition and acts accordingly. Any PAgP or LACP configuration on a winning switch stack is not affected, but the PAgP or LACP configuration on the losing switch stack is lost after the stack reboots.
  • Page 924: Configuring Etherchannels

    Channel groups: None assigned. Port-channel logical interface: None defined. PAgP mode: No default. PAgP learn method: Aggregate-port learning on all ports. PAgP priority: 128 on all ports.
  • Page 925: Etherchannel Configuration Guidelines

    Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x on an EtherChannel port, an error message appears, and IEEE 802.1x is not enabled.
  • Page 926: Configuring Layer 2 Etherchannels

    If you enabled PAgP on a port in the auto or desirable mode, you must reconfigure it for either the on mode or the LACP mode before adding this port to a cross-stack EtherChannel. PAgP does not support cross-stack EtherChannels.
  • Page 927 If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094.
  • Page 928 (Optional) Save your entries in the configuration file. To remove a port from the EtherChannel group, use the no channel-group interface configuration command.
  • Page 929: Configuring Layer 3 Etherchannels

    Note: To move an IP address from a physical port to an EtherChannel, you must delete the IP address from the physical port before configuring it on the port-channel interface.
  • Page 930: Configuring The Physical Interfaces

    Ensure that there is no IP address assigned to the physical port. Step 4 no switchport Put the port into Layer 3 mode.
  • Page 931 Step 6 Return to privileged EXEC mode. Step 7 show running-config Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 932: Configuring Etherchannel Load-Balancing

    IP address. • src-mac—Load distribution is based on the source-MAC address of the incoming packet.
  • Page 933: Configuring The Pagp Learn Method And Priority

    Catalyst 1900 switch using the same port in the EtherChannel from which it learned the source address. Only use the pagp learn-method command in this situation.
  • Page 934: Configuring Lacp Hot-Standby Ports

    If one of the active links becomes inactive, a link that is in the hot-standby mode becomes active in its place.
  • Page 935: Configuring The Lacp System Priority

    (Optional) Save your entries in the configuration file. To return the LACP system priority to the default value, use the no lacp system-priority global configuration command.
  • Page 936: Configuring The Lacp Port Priority

    (Optional) Save your entries in the configuration file. To return the LACP port priority to the default value, use the no lacp port-priority interface configuration command.
  • Page 937: Displaying Etherchannel, Pagp, And Lacp Status

    Interfaces connected to servers are referred to as downstream interfaces, and interfaces connected to distribution switches and network devices are referred to as upstream interfaces.
  • Page 938 Traffic from half of the active Ethernet interfaces flows through blade switch 1 to distribution switch 1. • Traffic from the remaining active Ethernet interfaces flows through blade switch 2 to distribution switch 2.
  • Page 939: Configuring Link-State Tracking

    An interface cannot be a member of more than one link-state group. • You can configure only two link-state groups per nonstacking-capable switch. • You can configure only ten link-state groups per stacking-capable switch.
  • Page 940: Configuring Link-State Tracking

    This example shows how to create a link-state group and to configure the interface: Switch# configure terminal Switch(config)# link state track 1 Switch(config)# interface port-channel 1 Switch(config-if)# link state group 1 upstream Switch(config-if)# end
  • Page 941: Displaying Link-State Tracking Status

    Downstream Interfaces : Gi0/3(Up) Gi0/4(Up) (Up):Interface up (Dwn):Interface Down (Dis):Interface disabled For detailed information about the fields in the display, see the command reference for this release.
  • Page 942 Chapter 38 Configuring EtherChannels and Link-State Tracking Configuring Link-State Tracking
  • Page 943: Configuring Ip Unicast Routing

    For more detailed IP unicast configuration information, see the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Configuration Guides. For complete syntax and usage information for the commands used in this chapter, see these command references from the Cisco.com page under Documentation >...
  • Page 944: Understanding Ip Routing

    Types of Routing Routers and Layer 3 switches can route packets in these ways: • By using default routing • By using preprogrammed static routes for the traffic
  • Page 945: Chapter 39 Configuring Ip Unicast Routing

    It processes routing protocol messages and updates received from peer routers. • It generates, maintains, and distributes the distributed Cisco Express Forwarding (dCEF) database to all stack members. The routes are programmed on all switches in the stack based on this database.
  • Page 946 Caution: Partitioning on the switch stack into two or more stacks might lead to undesirable behavior in the network.
  • Page 947: Steps For Configuring Routing

    By default, IP routing is disabled on the switch, and you must enable it before routing can take place. For detailed IP routing configuration information, see the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Configuration Guides.
  • Page 948: Default Addressing Configuration

    Maximum interval between advertisements: 600 seconds. • Minimum interval between advertisements: 0.75 times maximum interval. • Preference: 0. IP proxy ARP: Enabled. IP routing: Disabled. IP subnet-zero: Disabled.
  • Page 949: Assigning Ip Addresses To Network Interfaces

    (Optional) Save your entry in the configuration file. Use the no ip subnet-zero global configuration command to restore the default and to disable the use of subnet zero.
  • Page 950: Classless Routing

    39-3, the router in network 128.20.0.0 is connected to subnets 128.20.1.0, 128.20.2.0, and 128.20.3.0. If the host sends a packet to 120.20.4.1, because there is no network default route, the router discards the packet.
  • Page 951: Configuring Address Resolution Methods

    MAC address from an IP address is called address resolution. The process of learning the IP address from the MAC address is called reverse address resolution.
  • Page 952: Define A Static Arp Cache

    For more information on RARP, see the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 under Documentation > Cisco IOS Software > 12.2 Mainline > Configuration Guides from the Cisco.com page.
  • Page 953: Set Arp Encapsulation

    (Optional) Save your entries in the configuration file. To disable an encapsulation type, use the no arp arpa or no arp snap interface configuration command.
  • Page 954: Enable Proxy Arp

    (ICMP) redirect message, identifying the local router that the host should use. The switch caches the redirect messages and forwards each packet as efficiently as possible. This method cannot detect when the default router has failed or is unavailable.
  • Page 955: Icmp Router Discovery Protocol (Irdp)

    It must be greater than maxadvertinterval and cannot be greater than 9000 seconds. If you change the maxadvertinterval value, this value also changes.
  • Page 956: Configuring Broadcast Packet Handling

    Enabling Directed Broadcast-to-Physical Broadcast Translation, page 39-15 • Forwarding UDP Broadcast Packets and Protocols, page 39-16 • Establishing an IP Broadcast Address, page 39-16 • Flooding IP Broadcasts, page 39-17
  • Page 957: Enabling Directed Broadcast-To-Physical Broadcast Translation

    Use the no ip directed-broadcast interface configuration command to disable translation of directed broadcasts to physical broadcasts. Use the no ip forward-protocol global configuration command to remove a protocol or a port.
  • Page 958: Forwarding Udp Broadcast Packets And Protocols

    By default, both UDP and NDP forwarding are enabled if a helper address has been defined for an interface. The description for the ip forward-protocol interface configuration command in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 lists the ports that are forwarded by default if you do not specify any UDP ports.
  • Page 959: Flooding Ip Broadcasts

    When a flooded UDP datagram is sent on an interface (and the destination address is possibly changed), the datagram is processed by the normal IP output routines and is, therefore, subject to ACLs, if they are present on the output interface.
  • Page 960: Monitoring And Maintaining Ip Addressing

    Remove one or all entries from the hostname and the address cache. clear ip route {network [mask] |*} Remove one or more routes from the IP routing table.
  • Page 961: Enabling Ip Unicast Routing

    (RIP) router configuration command. For information on specific protocols, see sections later in this chapter and the Cisco IOS IP Configuration Guide, Release 12.2. Note: The IP base feature set supports only RIP as a routing protocol.
  • Page 962: Configuring Rip

    RIP is configured with a default metric. RIP sends updates to the interfaces in specified networks. If an interface’s network is not specified, it is not advertised in any RIP update.
  • Page 963: Default Rip Configuration

    Invalid: 180 seconds. Hold-down: 180 seconds. Flush: 240 seconds. Validate-update-source: Enabled. Version: Receives RIP Version 1 and 2 packets; sends Version 1 packets.
  • Page 964: Configuring Basic Rip Parameters

    (Optional) Disable automatic summarization. By default, the switch summarizes subprefixes when crossing classful network boundaries. Disable summarization (only RIP Version 2) to advertise subnet and host routing information to classful network boundaries.
  • Page 965: Configuring Rip Authentication

    Return to privileged EXEC mode.
    Step 6: show running-config interface [interface-id] - Verify your entries.
    Step 7: copy running-config startup-config - (Optional) Save your entries in the configuration file.
  • Page 966: Configuring Summary Addresses And Split Horizon

    Note: If split horizon is enabled, neither autosummary nor interface summary addresses (those configured with the ip summary-address rip router configuration command) are advertised.
  • Page 967: Configuring Split Horizon

    This section briefly describes how to configure Open Shortest Path First (OSPF). For a complete description of the OSPF commands, see the “OSPF Commands” chapter of the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
  • Page 968 OSPF is an Interior Gateway Protocol (IGP) designed expressly for IP networks, supporting IP subnetting and tagging of externally derived routing information. OSPF also allows packet authentication and uses IP multicast when sending and receiving packets.
  • Page 969 Chapter 39 Configuring IP Unicast Routing Configuring OSPF The Cisco implementation conforms to the OSPF Version 2 specifications with these key features: Definition of stub areas is supported. Routes learned through any IP routing protocol can be redistributed into another IP routing protocol.
  • Page 970: Default Ospf Configuration

    Allows Layer 3 switches to continue forwarding packets from a neighboring NSF-capable router during hardware or software changes. NSF capability: Disabled. Note: The switch stack supports OSPF NSF-capable routing for IPv4.
  • Page 971 Message-digest key (MD5): no key predefined. 1. NSF = nonstop forwarding. 2. OSPF NSF awareness is enabled for IPv4 on switches running the IP services feature set.
  • Page 972: Ospf For Routed Access

    With Cisco IOS Release 12.2(55)SE, the IP Base image supports OSPF for routed access. The IP services image is required if you need multiple OSPFv2 and OSPFv3 instances without route restrictions. Additionally, the IP services image is required to enable the multi-VRF-CE feature.
  • Page 973: Configuring Basic Ospf Parameters

    OSPF NSF Capability Beginning with Cisco IOS Release 12.2(58)SE, the switch supports the OSPFv2 NSF IETF format in addition to the OSPFv2 NSF Cisco format that is supported in earlier releases. For information about this feature, see NSF—OSPF (RFC 3623 OSPF Graceful Restart).
  • Page 974: Configuring Ospf Interfaces

    (Optional) Set the estimated number of seconds to wait before sending a link state update packet. The range is 1 to 65535 seconds. The default is 1 second.
  • Page 975: Configuring Ospf Area Parameters

    An NSSA does not flood all LSAs from the core into the area, but can import autonomous-system external routes within the area by redistribution.
  • Page 976 (Optional) Save your entries in the configuration file. Use the no form of these commands to remove the configured parameter value or to return to the default value.
  • Page 977: Configuring Other Ospf Parameters

    Enable OSPF routing, and enter router configuration mode.
    Step 3: summary-address address mask - (Optional) Specify an address and IP subnet mask for redistributed routes so that only one summary route is advertised.
  • Page 978: Changing Lsa Group Pacing

    Beginning in privileged EXEC mode, follow these steps to configure OSPF LSA pacing:
    Command - Purpose
    Step 1: configure terminal - Enter global configuration mode.
    Step 2: router ospf process-id - Enable OSPF routing, and enter router configuration mode.
  • Page 979: Configuring A Loopback Interface

    Step 6: copy running-config startup-config - (Optional) Save your entries in the configuration file.
    Use the no interface loopback 0 global configuration command to disable the loopback interface.
  • Page 980: Monitoring Ospf

    IP base image always behaves as if the connected and summary keywords were configured. Enhanced IGRP (EIGRP) is a Cisco-proprietary enhanced version of the IGRP. EIGRP uses the same distance vector algorithm and distance information as IGRP; however, the convergence properties and the operating efficiency of EIGRP are significantly improved.
  • Page 981 Less CPU usage because full update packets need not be processed each time they are received. Protocol-independent neighbor discovery mechanism to learn about neighboring routers. Variable-length subnet masks (VLSMs). Arbitrary route summarization. Scalable for large networks.
  • Page 982: Default Eigrp Configuration

    Neighbor discovery and recovery is achieved by periodically sending small hello packets. As long as hello packets are received, the Cisco IOS software learns that a neighbor is alive and functioning. When this status is determined, the neighboring routers can exchange routing information.
  • Page 983 NSF capability: Disabled. Note: The switch supports EIGRP NSF-capable routing for IPv4. Offset-list: Disabled. Router EIGRP: Disabled. Set metric: No metric set in the route map.
  • Page 984: Eigrp Nonstop Forwarding

    Release 12.4. EIGRP NSF Capability Beginning with Cisco IOS Release 12.2(58)SE, the switch supports EIGRP Cisco NSF routing to speed up convergence and eliminate traffic loss following a stack master change. For details about this NSF capability, see the “Configuring Nonstop Forwarding” chapter in the High Availability Configuration Guide, Cisco IOS XE Release 3S at: http://www.cisco.com/en/US/docs/ios/ios_xe/ha/configuration/guide/ha-nonstp_fwdg_xe.html#wp108...
  • Page 985: Configuring Basic Eigrp Parameters

    You can limit the offset list with an access list or an interface.
    Step 8: auto-summary - (Optional) Enable automatic summarization of subnet routes into network-level routes.
  • Page 986: Configuring Eigrp Interfaces

    Display which interfaces EIGRP is active on and information about EIGRP relating to those interfaces.
    Step 10: copy running-config startup-config - (Optional) Save your entries in the configuration file.
  • Page 987: Configuring Eigrp Route Authentication

    (Optional) Save your entries in the configuration file. Use the no forms of these commands to disable the feature or to return the setting to the default value.
  • Page 988: Eigrp Stub Routing

    Table 39-8 lists the privileged EXEC commands for deleting neighbors and displaying statistics. For explanations of fields in the resulting display, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
  • Page 989: Configuring Bgp

    Internet. You can find detailed information about BGP in Internet Routing Architectures, published by Cisco Press, and in the “Configuring BGP” chapter in the Cisco IP and IP Routing Configuration Guide. For details about BGP commands and keywords, see the “IP Routing Protocols” part of the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
  • Page 990 A router or switch running Cisco IOS does not select or use an IBGP route unless it has a route available to the next-hop router and it has received synchronization from an IGP (unless IGP synchronization is disabled).
  • Page 991: Default Bgp Configuration

    Protocols” part of the Cisco IOS IP Configuration Guide, Release 12.2. For details about specific commands, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of BGP commands that are visible but not supported by the switch, see Appendix B, “Unsupported Commands in Cisco IOS Release 12.2(58)SE.”...
  • Page 992 Update source: Best local address. Version: BGP Version 4. Weight: Routes learned through BGP peer: 0; routes sourced by the local router: 32768.
  • Page 993 Keepalive: 60 seconds; holdtime: 180 seconds. 1. NSF = nonstop forwarding. 2. NSF awareness can be enabled for IPv4 on switches with the IP services feature set by enabling graceful restart.
  • Page 994: Nonstop Forwarding Awareness

    For more information, see the “BGP Nonstop Forwarding (NSF) Awareness” section of the Cisco IOS IP Routing Protocols Configuration Guide, Release 12.4.
  • Page 995 If NSF awareness is enabled on the switch, but not on the neighbor, this message appears: Graceful Restart Capability: advertised
    Step 13: copy running-config startup-config - (Optional) Save your entries in the configuration file.
  • Page 996 EIGRP, which also use the network command to specify where to send updates. For detailed descriptions of BGP configuration, see the “IP Routing Protocols” part of the Cisco IOS IP Configuration Guide, Release 12.2. For details about specific commands, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
  • Page 997: Managing Routing Policy Changes

    BGP sessions so that the configuration changes take effect. There are two types of reset, hard reset and soft reset. Cisco IOS Releases 12.1 and later support a soft reset without any prior configuration. To use a soft reset without preconfiguration, both BGP peers must support the soft-route refresh capability, which is advertised in the OPEN message sent when the peers establish a TCP session.
  • Page 998: Configuring Bgp Decision Attributes

    You can disable next-hop processing by using route maps or the neighbor next-hop-self router configuration command. Prefer the path with the largest weight (a Cisco-proprietary parameter). The weight attribute is local to the router and not propagated in routing updates. By default, the weight attribute is 32768 for paths that the router originates and zero for other paths.
  • Page 999 Step 10: bgp deterministic med - (Optional) Configure the switch to consider the MED variable when choosing among routes advertised by different peers in the same autonomous system.
  • Page 1000: Configuring Bgp Filtering With Route Maps

    (Optional) Save your entries in the configuration file. Use the no route-map map-tag command to delete the route map. Use the no set ip next-hop ip-address command to re-enable next-hop processing.

This manual is also suitable for:

Catalyst blade 3130, Catalyst blade 3032
