Cisco 3020 - Catalyst Blade Switch Configuration Manual

Cisco Catalyst Blade Switch 3020 for HP
Software Configuration Guide
Cisco IOS Release 12.2(25)SEF
June 2006
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: OL-8915-01
Summary of Contents for Cisco 3020 - Cisco Catalyst Blade Switch

  • Page 1 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide Cisco IOS Release 12.2(25)SEF June 2006 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Text Part Number: OL-8915-01...
  • Page 2 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE.
  • Page 3 C O N T E N T S Preface xxvii Audience xxvii Purpose xxvii Conventions xxviii Related Publications xxviii Obtaining Documentation xxix Cisco.com xxix Product Documentation DVD xxix Ordering Documentation Documentation Feedback Cisco Product Security Overview Reporting Security Problems in Cisco Products xxxi Obtaining Technical Assistance xxxi...
  • Page 4: Table Of Contents

    Contents Using the Command-Line Interface C H A P T E R Understanding Command Modes Understanding the Help System Understanding Abbreviated Commands Understanding no and default Forms of Commands Understanding CLI Error Messages Using Configuration Logging Using Command History Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features...
  • Page 5 Contents Booting Manually 3-15 Booting a Specific Software Image 3-16 Controlling Environment Variables 3-16 Scheduling a Reload of the Software Image 3-18 Configuring a Scheduled Reload 3-18 Displaying Scheduled Reload Information 3-19 Configuring Cisco IOS CNS Agents C H A P T E R Understanding Cisco Configuration Engine Software Configuration Service Event Service...
  • Page 6 Contents Configuring the Source IP Address for NTP Packets 5-10 Displaying the NTP Configuration 5-11 Configuring Time and Date Manually 5-11 Setting the System Clock 5-11 Displaying the Time and Date Configuration 5-12 Configuring the Time Zone 5-12 Configuring Summer Time (Daylight Saving Time) 5-13 Configuring a System Name and Prompt 5-14...
  • Page 7 Contents Configuring Multiple Privilege Levels Setting the Privilege Level for a Command Changing the Default Privilege Level for Lines Logging into and Exiting a Privilege Level Controlling Switch Access with TACACS+ 6-10 Understanding TACACS+ 6-10 TACACS+ Operation 6-12 Configuring TACACS+ 6-12 Default TACACS+ Configuration 6-13...
  • Page 8 Contents Configuring the Switch for Secure Shell 6-37 Understanding SSH 6-38 SSH Servers, Integrated Clients, and Supported Versions 6-38 Limitations 6-39 Configuring SSH 6-39 Configuration Guidelines 6-39 Setting Up the Switch to Run SSH 6-39 Configuring the SSH Server 6-41 Displaying the SSH Configuration and Status 6-41 Configuring the Switch for Secure Socket Layer HTTP...
  • Page 9 Contents Using IEEE 802.1x Authentication with Wake-on-LAN 7-16 Using IEEE 802.1x Authentication with MAC Authentication Bypass 7-17 Configuring IEEE 802.1x Authentication 7-18 Default IEEE 802.1x Authentication Configuration 7-19 IEEE 802.1x Authentication Configuration Guidelines 7-20 IEEE 802.1x Authentication 7-20 VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass 7-21 MAC Authentication Bypass...
  • Page 10 Contents Connecting Interfaces Management-Only Interface Using Interface Configuration Mode Procedures for Configuring Interfaces Configuring a Range of Interfaces Configuring and Using Interface Range Macros Configuring Ethernet Interfaces 8-10 Default Ethernet Interface Configuration 8-10 Configuring Interface Speed and Duplex Mode 8-11 Speed and Duplex Configuration Guidelines 8-11 Setting the Type of a Dual-Purpose Uplink Port...
  • Page 11 Contents VLAN Configuration Mode Options 10-6 VLAN Configuration in config-vlan Mode 10-6 VLAN Configuration in VLAN Database Configuration Mode 10-6 Saving VLAN Configuration 10-6 Default Ethernet VLAN Configuration 10-7 Creating or Modifying an Ethernet VLAN 10-8 Deleting a VLAN 10-9 Assigning Static-Access Ports to a VLAN 10-10 Configuring Extended-Range VLANs...
  • Page 12 Contents Troubleshooting Dynamic-Access Port VLAN Membership 10-30 VMPS Configuration Example 10-30 Configuring VTP 11-1 C H A P T E R Understanding VTP 11-1 The VTP Domain 11-2 VTP Modes 11-3 VTP Advertisements 11-3 VTP Version 2 11-4 VTP Pruning 11-4 Configuring VTP 11-6...
  • Page 13 Contents Configuring STP 13-1 C H A P T E R Understanding Spanning-Tree Features 13-1 STP Overview 13-2 Spanning-Tree Topology and BPDUs 13-3 Bridge ID, Switch Priority, and Extended System ID 13-4 Spanning-Tree Interface States 13-4 Blocking State 13-6 Listening State 13-6 Learning State 13-6...
  • Page 14 Contents Configuring MSTP 14-1 C H A P T E R Understanding MSTP 14-2 Multiple Spanning-Tree Regions 14-2 IST, CIST, and CST 14-3 Operations Within an MST Region 14-3 Operations Between MST Regions 14-4 IEEE 802.1s Terminology 14-5 Hop Count 14-5 Boundary Ports 14-6...
  • Page 15 Contents Configuring Optional Spanning-Tree Features 15-1 C H A P T E R Understanding Optional Spanning-Tree Features 15-1 Understanding Port Fast 15-2 Understanding BPDU Guard 15-2 Understanding BPDU Filtering 15-3 Understanding UplinkFast 15-3 Understanding BackboneFast 15-5 Understanding EtherChannel Guard 15-7 Understanding Root Guard 15-8 Understanding Loop Guard...
  • Page 16 Contents Configuring DHCP Features 17-1 C H A P T E R Understanding DHCP Features 17-1 DHCP Server 17-2 DHCP Relay Agent 17-2 DHCP Snooping 17-2 Option-82 Data Insertion 17-3 Configuring DHCP Features 17-6 Default DHCP Configuration 17-6 DHCP Snooping Configuration Guidelines 17-7 Configuring the DHCP Relay Agent 17-8...
  • Page 17 Contents Configuring MVR 18-19 Default MVR Configuration 18-19 MVR Configuration Guidelines and Limitations 18-20 Configuring MVR Global Parameters 18-20 Configuring MVR Interfaces 18-21 Displaying MVR Information 18-23 Configuring IGMP Filtering and Throttling 18-23 Default IGMP Filtering and Throttling Configuration 18-24 Configuring IGMP Profiles 18-24 Applying IGMP Profiles...
  • Page 18 Contents Configuring CDP 20-1 C H A P T E R Understanding CDP 20-1 Configuring CDP 20-2 Default CDP Configuration 20-2 Configuring the CDP Characteristics 20-2 Disabling and Enabling CDP 20-3 Disabling and Enabling CDP on an Interface 20-4 Monitoring and Maintaining CDP 20-4 Configuring UDLD 21-1...
  • Page 19 Contents Creating a Local SPAN Session 22-10 Creating a Local SPAN Session and Configuring Incoming Traffic 22-13 Specifying VLANs to Filter 22-14 Configuring RSPAN 22-15 RSPAN Configuration Guidelines 22-15 Configuring a VLAN as an RSPAN VLAN 22-16 Creating an RSPAN Source Session 22-17 Creating an RSPAN Destination Session 22-19...
  • Page 20 Contents Configuring SNMP 25-1 C H A P T E R Understanding SNMP 25-1 SNMP Versions 25-2 SNMP Manager Functions 25-3 SNMP Agent Functions 25-4 SNMP Community Strings 25-4 Using SNMP to Access MIB Variables 25-4 SNMP Notifications 25-5 SNMP ifIndex MIB Object Values 25-5 Configuring SNMP 25-6...
  • Page 21 Contents IPv4 ACL Configuration Examples 26-19 Numbered ACLs 26-19 Extended ACLs 26-19 Named ACLs 26-20 Time Range Applied to an IP ACL 26-20 Commented IP ACL Entries 26-20 Creating Named MAC Extended ACLs 26-21 Applying a MAC ACL to a Layer 2 Interface 26-22 Configuring VLAN Maps 26-23...
  • Page 22 Contents Enabling Auto-QoS for VoIP 27-26 Auto-QoS Configuration Example 27-27 Displaying Auto-QoS Information 27-29 Configuring Standard QoS 27-29 Default Standard QoS Configuration 27-30 Default Ingress Queue Configuration 27-30 Default Egress Queue Configuration 27-31 Default Mapping Table Configuration 27-32 Standard QoS Configuration Guidelines 27-32 QoS ACL Guidelines 27-32...
  • Page 23 Contents Configuring Egress Queue Characteristics 27-69 Configuration Guidelines 27-70 Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set 27-70 Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID 27-72 Configuring SRR Shaped Weights on Egress Queues 27-74 Configuring SRR Shared Weights on Egress Queues 27-75...
  • Page 24 Contents Troubleshooting 29-1 C H A P T E R Recovering from a Software Failure 29-2 Recovering from a Lost or Forgotten Password 29-3 Procedure with Password Recovery Enabled 29-4 Procedure with Password Recovery Disabled 29-6 Preventing Autonegotiation Mismatches 29-7 SFP Module Security and Identification 29-8 Monitoring SFP Module Status...
  • Page 25 Contents Working with the Cisco IOS File System, Configuration Files, and Software Images A P P E N D I X Working with the Flash File System Displaying Available File Systems Setting the Default File System Displaying Information about Files on a File System Changing Directories and Displaying the Working Directory Creating and Removing Directories Copying Files...
  • Page 26 Contents Uploading an Image File By Using TFTP B-24 Copying Image Files By Using FTP B-24 Preparing to Download or Upload an Image File By Using FTP B-25 Downloading an Image File By Using FTP B-26 Uploading an Image File By Using FTP B-27 Copying Image Files By Using RCP B-28...
  • Page 27 Contents Spanning Tree Unsupported Global Configuration Command Unsupported Interface Configuration Command VLAN Unsupported Global Configuration Commands Unsupported vlan-config Command Unsupported User EXEC Commands Unsupported Privileged EXEC Commands N D E X Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide xxvii OL-8915-01...
  • Page 29 Preface Audience This guide is for the networking professional managing the Cisco Catalyst Blade Switch 3020 for HP, hereafter referred to as the switch module. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
  • Page 30: Related Publications

    Preface Conventions This publication uses these conventions to convey instructions and information. Command descriptions use these conventions:
      • Commands and keywords are in boldface text.
      • Arguments for which you supply values are in italic.
      • Square brackets ([ ]) mean optional elements.
      • Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
  • Page 31: Obtaining Documentation

    Preface Obtaining Documentation You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section on page xxix.
      • Release Notes for the Cisco Catalyst Blade Switch 3020 for HP, Cisco IOS Release 12.2(25)SEF (not...
  • Page 32: Ordering Documentation

    Preface Documentation Feedback The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at this URL: http://www.cisco.com/go/marketplace/ Ordering Documentation Registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the...
  • Page 33: Reporting Security Problems In Cisco Products

    Preface Obtaining Technical Assistance To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL: http://www.cisco.com/en/US/products/products_psirt_rss_feed.html Reporting Security Problems in Cisco Products Cisco is committed to delivering secure products.
  • Page 34: Submitting A Service Request

    Preface Obtaining Technical Assistance Cisco Technical Support & Documentation Website The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL: http://www.cisco.com/techsupport Access to all tools on the Cisco Technical Support &...
  • Page 35: Definitions Of Service Request Severity

    Preface Obtaining Additional Publications and Information Definitions of Service Request Severity To ensure that all service requests are reported in a standard format, Cisco has established severity definitions. Severity 1 (S1)—An existing network is down, or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
  • Page 36 Preface Obtaining Additional Publications and Information iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies • learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions.
  • Page 37 Chapter 1 Overview This chapter provides these topics about the switch software:
      • Features, page 1-1
      • Default Settings After Initial Switch Configuration, page 1-8
      • Design Concepts for Using the Switch, page 1-10
      • Where to Go Next, page 1-13
    Unless otherwise noted, the term switch refers to a standalone blade switch.
  • Page 38: Performance Features

    Chapter 1 Overview Features Ease-of-Deployment and Ease-of-Use Features The switch ships with these features to make the deployment and the use easier:
      • Express Setup for quickly configuring a switch for the first time with basic IP information, contact information, switch and Telnet passwords, and Simple Network Management Protocol (SNMP) information through a browser-based program.
  • Page 39: Management Options

    Chapter 1 Overview Features Management Options These are the options for configuring and managing the switch:
      • An embedded device manager—The device manager is a GUI that is integrated in the software image. You use it to configure and to monitor a single switch. For information about launching the device manager, see the getting started guide.
  • Page 40: Availability And Redundancy Features

    Chapter 1 Overview Features
      • Cisco Discovery Protocol (CDP) Versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network
      • Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external...
  • Page 41: Vlan Features

    Chapter 1 Overview Features
      • Optional spanning-tree features available in PVST+, rapid-PVST+, and MSTP mode:
        – Port Fast for eliminating the forwarding delay by enabling a port to immediately change from the blocking state to the forwarding state
        – BPDU guard for shutting down Port Fast-enabled ports that receive bridge protocol data units...
  • Page 42 Chapter 1 Overview Features
      • Port security option for limiting and identifying MAC addresses of the stations allowed to access the port
      • Port security aging to set the aging time for secure addresses on a port
      • BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs
      • ...
  • Page 43: Qos And Cos Features

    Chapter 1 Overview Features QoS and CoS Features These are the QoS and CoS features:
      • Automatic QoS (auto-QoS) to simplify the deployment of existing QoS features by classifying traffic and configuring egress queues
      • Classification
        – IP type-of-service/Differentiated Services Code Point (IP ToS/DSCP) and IEEE 802.1p CoS...
  • Page 44: Monitoring Features

    Chapter 1 Overview Default Settings After Initial Switch Configuration Monitoring Features These are the monitoring features:
      • Switch LEDs that provide port- and switch-level status
      • MAC address notification traps and RADIUS accounting for tracking users on a network by storing...
  • Page 45 Chapter 1 Overview Default Settings After Initial Switch Configuration
      • NTP is enabled. For more information, see Chapter 5, “Administering the Switch.”
      • DNS is enabled. For more information, see Chapter 5, “Administering the Switch.”
      • TACACS+ is disabled. For more information, see Chapter 6, “Configuring Switch-Based...
  • Page 46: Design Concepts For Using The Switch

    Chapter 1 Overview Design Concepts for Using the Switch
      • The IGMP snooping querier feature is disabled. For more information, see Chapter 18, “Configuring IGMP Snooping and MVR.”
      • MVR is disabled. For more information, see Chapter 18, “Configuring IGMP Snooping and MVR.”
      • ...
  • Page 47 Chapter 1 Overview Design Concepts for Using the Switch Table 1-1 Increasing Network Performance
    Network Demands: Too many users on a single network segment and a growing number of users accessing the Internet.
    Suggested Design Methods:
      • Create smaller network segments so that fewer users share the bandwidth, and use VLANs and IP subnets to place the network resources in the same logical network...
  • Page 48 Chapter 1 Overview Design Concepts for Using the Switch DSCP marking priorities on these switches. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to a Gigabit multilayer switch with routing capability, such as a Catalyst 3750 switch, or to a router. The first illustration is of an isolated high-performance workgroup, where the blade switches are connected to Catalyst 3750 switches in the distribution layer.
  • Page 49: Chapter 2 Using The Command-Line Interface

    Chapter 1 Overview Where to Go Next Figure 1-2 Server Aggregation (figure labels: Campus core, Catalyst 6500 switches, Catalyst 3750 StackWise switch stacks, Blade Switches, Blade Servers) Where to Go Next Before configuring the switch, review these sections for startup information:
      • Chapter 2, “Using the Command-Line Interface”
      • ...
  • Page 51: Understanding Command Modes

    Chapter 2 Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your switch. It contains these sections:
      • Understanding Command Modes, page 2-1
      • Understanding the Help System, page 2-3
      • ...
  • Page 52 Chapter 2 Using the Command-Line Interface Understanding Command Modes Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the hostname Switch. Table 2-1 Command Mode Summary Mode...
  • Page 53: Understanding The Help System

    Chapter 2 Using the Command-Line Interface Understanding the Help System Table 2-1 Command Mode Summary (continued)
    Mode: Interface configuration
    Access Method: While in global configuration mode, ...
    Prompt: Switch(config-if)#
    Exit Method: To exit to global configuration mode, ...
    About This Mode: Use this mode to configure parameters for the Ethernet...
  • Page 54: Understanding Abbreviated Commands

    Chapter 2 Using the Command-Line Interface Understanding Abbreviated Commands Table 2-2 Help Summary (continued)
    Command: ?
    Purpose: List all commands available for a particular command mode. For example: Switch> ?
    Command: command ?
    Purpose: List the associated keywords for a command. For example: Switch>...
  • Page 55: Understanding Cli Error Messages

    Chapter 2 Using the Command-Line Interface Understanding CLI Error Messages Understanding CLI Error Messages Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch. Table 2-3 Common CLI Error Messages Error Message Meaning How to Get Help You did not enter enough characters...
  • Page 56: Using Command History

    Chapter 2 Using the Command-Line Interface Using Command History Using Command History The software provides a history or record of commands that you have entered. The command history feature is particularly useful for recalling long or complex commands or entries, including access lists. You can customize this feature to suit your needs as described in these sections: Changing the Command History Buffer Size, page 2-6 (optional)
  • Page 57: Disabling The Command History Feature

    Chapter 2 Using the Command-Line Interface Using Editing Features Disabling the Command History Feature The command history feature is automatically enabled. You can disable it for the current terminal session or for the command line. These procedures are optional. To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command.
  • Page 58 Chapter 2 Using the Command-Line Interface Using Editing Features Table 2-5 Editing Commands through Keystrokes (continued)
    Press Ctrl-F, or press the right arrow key: Move the cursor forward one character.
    Press Ctrl-A: Move the cursor to the beginning of the command line.
    Press Ctrl-E: ...
  • Page 59: Editing Command Lines That Wrap

    Chapter 2 Using the Command-Line Interface Using Editing Features Table 2-5 Editing Commands through Keystrokes (continued)
    Capability: Scroll down a line or screen on displays that are longer than the terminal screen can display.
    Keystroke: Press the Return key.
    Purpose: Scroll down one line.
  • Page 60: Searching And Filtering Output Of Show And More Commands

    Chapter 2 Using the Command-Line Interface Searching and Filtering Output of show and more Commands Searching and Filtering Output of show and more Commands You can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see.
  • Page 61 Chapter 2 Using the Command-Line Interface Accessing the CLI For information about configuring the switch for Telnet access, see the “Setting a Telnet Password for a Terminal Line” section on page 6-6. The switch supports up to 16 simultaneous Telnet sessions. Changes made by one Telnet user are reflected in all other Telnet sessions.
  • Page 63: Chapter 3 Assigning The Switch Ip Address And Default Gateway

    Chapter 3 Assigning the Switch IP Address and Default Gateway This chapter describes how to create the initial switch configuration (for example, assigning the IP address and default gateway information) by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration.
  • Page 64: Assigning Switch Information

    Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information The boot loader provides access to the flash file system before the operating system is loaded. Normally, the boot loader is used only to load, uncompress, and launch the operating system. After the boot loader gives the operating system control of the CPU, the boot loader is not active until the next system reset or power-on.
  • Page 65: Default Switch Information

    Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Default Switch Information Table 3-1 shows the default switch information. Table 3-1 Default Switch Information
    IP address and subnet mask: No IP address or subnet mask are defined.
    Default gateway: No default gateway is defined.
  • Page 66: Dhcp Client Request Process

    Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information DHCP Client Request Process When you boot your switch, the DHCP client is invoked and requests configuration information from a DHCP server when the configuration file is not present on the switch. If the configuration file is present and the configuration includes the ip address dhcp interface configuration command on specific routed interfaces, the DHCP client is invoked and requests the IP address information for those interfaces.
  • Page 67: Configuring Dhcp-Based Autoconfiguration

    Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Configuring DHCP-Based Autoconfiguration These sections contain this configuration information:
      • DHCP Server Configuration Guidelines, page 3-5
      • Configuring the TFTP Server, page 3-6
      • Configuring the DNS, page 3-6
      • ...
  • Page 68: Configuring The Dns

    Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Configuring the TFTP Server Based on the DHCP server configuration, the switch attempts to download one or more configuration files from the TFTP server. If you configured the DHCP server to respond to the switch with all the options required for IP connectivity to the TFTP server, and if you configured the DHCP server with a TFTP server name, address, and configuration filename, the switch attempts to download the specified configuration file from the specified TFTP server.
  • Page 69: Obtaining Configuration Files

    Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information For example, in Figure 3-2, configure the router interfaces as follows:
    On interface 10.0.0.2:
        router(config-if)# ip helper-address 20.0.0.2
        router(config-if)# ip helper-address 20.0.0.3
        router(config-if)# ip helper-address 20.0.0.4
    On interface 20.0.0.1:
        router(config-if)# ip helper-address 10.0.0.1
    Figure 3-2 Relay Device Used in Autoconfiguration...
  • Page 70: Example Configuration

    Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information The default configuration file contains the hostnames-to-IP-address mapping for the switch. The switch fills its host table with the information in the file and obtains its hostname. If the hostname is not found in the file, the switch uses the hostname in the DHCP reply.
  • Page 71 Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Table 3-2 DHCP Server Configuration (continued)
    Boot filename (configuration file) (optional): Switch A switcha-confg; Switch B switchb-confg; Switch C switchc-confg; Switch D switchd-confg
    Hostname (optional): Switch A switcha; Switch B switchb; Switch C switchc; Switch D switchd
    DNS Server Configuration...
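    The server side of the autoconfiguration exchange described on pages 66 through 71, as an added example that is not part of the guide: a Cisco IOS DHCP server handing Switch A and Switch B of Table 3-2 their IP information, default router, DNS server, TFTP server and boot filename. The binding MAC addresses and the server addresses (DHCP server 20.0.0.2, DNS 20.0.0.3, TFTP 20.0.0.4, with the router interface 10.0.0.2 from the Figure 3-2 snippet as default gateway) are assumptions; only the switcha-confg/switchb-confg filenames come from the table. The Hostname row is left to the DNS mapping the guide describes on page 70.

```cisco
! Added example, not from the guide. IOS DHCP server supplying Table 3-2 values.
! All MAC and IP addresses below are assumed; only the *-confg filenames are the table's.
!
! Statically bound addresses must also be kept out of any dynamic range on this server
ip dhcp excluded-address 10.0.0.1 10.0.0.20
!
! Switch A: manual binding keyed on the switch MAC address
ip dhcp pool switcha
 host 10.0.0.21 255.255.255.0          ! IP address and subnet mask for Switch A
 hardware-address 00e0.9f1e.2001       ! binding MAC address (assumed)
 default-router 10.0.0.2               ! relay router interface facing the switches
 dns-server 20.0.0.3                   ! DNS server address
 next-server 20.0.0.4                  ! TFTP server address (siaddr field)
 option 150 ip 20.0.0.4                ! TFTP server again, as Cisco option 150
 bootfile switcha-confg                ! configuration file the switch requests over TFTP
!
! Switch B: same shape, its own binding and configuration file
ip dhcp pool switchb
 host 10.0.0.22 255.255.255.0
 hardware-address 00e0.9f1e.2002
 default-router 10.0.0.2
 dns-server 20.0.0.3
 next-server 20.0.0.4
 option 150 ip 20.0.0.4
 bootfile switchb-confg
```

    Because the switches and the servers sit on different subnets, the router between them still needs the ip helper-address entries shown on page 69 so that the switch's broadcast DISCOVER reaches 20.0.0.2. Nothing in this exchange is authenticated: any DHCP server that answers a booting switch can point it at a TFTP server of its choosing, and the configuration file then travels in cleartext. The usual controls are DHCP snooping (chapter 17) on the switch these blade switches uplink to, so only the port toward the real server is trusted, and a TFTP server that holds nothing but the intended *-confg files.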
  • Page 72: Manually Assigning Ip Information

    Chapter 3 Assigning the Switch IP Address and Default Gateway Checking and Saving the Running Configuration Manually Assigning IP Information Beginning in privileged EXEC mode, follow these steps to manually assign IP information to multiple switched virtual interfaces (SVIs): Command Purpose Step 1 configure terminal...
  • Page 73 Chapter 3 Assigning the Switch IP Address and Default Gateway Checking and Saving the Running Configuration
        no aaa new-model
        system env temperature threshold yellow 25
        ip subnet-zero
        no ip domain-lookup
        no file verify auto
        spanning-tree mode pvst
        spanning-tree extend system-id
        vlan internal allocation policy ascending
        vlan 2-4,20-22,100,200,999
        interface FastEthernet0...
  • Page 74 Chapter 3 Assigning the Switch IP Address and Default Gateway Checking and Saving the Running Configuration
        interface GigabitEthernet0/11
         speed 1000
         spanning-tree portfast
        interface GigabitEthernet0/12
         speed 1000
         spanning-tree portfast
        interface GigabitEthernet0/13
         speed 1000
         spanning-tree portfast
        interface GigabitEthernet0/14
         speed 1000
         spanning-tree portfast
        interface GigabitEthernet0/15
         speed 1000
         spanning-tree portfast...
  • Page 75: Modifying The Startup Configuration

    Chapter 3 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration
        interface GigabitEthernet0/24
         switchport access vlan 2
         switchport trunk native vlan 2
        interface Vlan1
         ip address 2.2.2.122 255.255.255.0
         no ip route-cache
        ip http server
        snmp-server community public RO
        control-plane
    To store the configuration or changes you have made to your startup configuration in flash memory, enter this privileged EXEC command:...
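    A hardened counterpart to the sample running configuration above, added here as an example and not taken from the guide. It replaces the Telnet access described on page 61 with SSH on all 16 vty lines, the plaintext device-manager access (ip http server) with HTTPS, and the well-known read-only community (snmp-server community public RO) with an ACL-scoped one, using the features the guide's chapters 6, 25 and 26 cover. The hostname, domain name, management prefix, ACL number, username and every secret are placeholders that must be replaced; SSH and HTTPS require the cryptographic (k9) software image.

```cisco
! Added example, not from the guide. Management-plane hardening for the sample
! configuration above. Hostname, domain, addresses, ACL number, username and the
! placeholder secrets are assumed; SSH/HTTPS need the cryptographic (k9) image.
hostname blade-sw1
ip domain-name example.net              ! required before RSA key generation
!
! Hashed local credentials rather than plaintext passwords
enable secret Repl4ce-Th1s-Enable
username admin privilege 15 secret Repl4ce-Th1s-User
service password-encryption
!
! Management stations allowed to reach the switch (assumed prefix)
access-list 10 remark management stations
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny any log
!
! SSH server (chapter 6, "Configuring the Switch for Secure Shell");
! if this image does not accept the modulus keyword it prompts for the size
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! All 16 vty lines (page 61): SSH only, ACL-filtered, local login, idle timeout
line vty 0 15
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Device manager over HTTPS only (chapter 6, "Configuring the Switch for
! Secure Socket Layer HTTP"), restricted to the same management stations
no ip http server
ip http secure-server
ip http access-class 10
ip http authentication local
!
! SNMP: drop the well-known 'public' community and scope the replacement by ACL.
! Chapter 25 also covers SNMPv3, which is preferable where the manager supports it.
no snmp-server community public
snmp-server community Repl4ce-Th1s-Community RO 10
!
! Verify image checksums on copy (the sample configuration has 'no file verify auto')
file verify auto
!
! Timestamped local logging so management-plane events can be reviewed
service timestamps log datetime msec localtime show-timezone
logging buffered 16384 informational
```

    After applying it, show ip ssh confirms the server is enabled at version 2, show running-config | include snmp-server community confirms that public is gone, and a second session over SSH from an address outside 10.0.0.0/24 should be refused with a logged ACL hit before the change is saved with copy running-config startup-config. Generating the RSA key is the one step here that is not an ordinary configuration line, which is why it appears in the block rather than being assumed.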
  • Page 76: Default Boot Configuration

    Chapter 3 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Default Boot Configuration Table 3-3 shows the default boot configuration. Table 3-3 Default Boot Configuration
    Operating system software image: The switch attempts to automatically boot the system using information in the BOOT environment variable.
  • Page 77: Booting Manually

    Chapter 3 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration
    Step 4: show boot. Verify your entries. The boot config-file global configuration command changes the setting of the CONFIG_FILE environment variable.
    Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 78: Booting A Specific Software Image

    Chapter 3 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Booting a Specific Software Image By default, the switch attempts to automatically boot the system using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system.
  • Page 79 Chapter 3 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Environment variables store two kinds of data: Data that controls code, which does not read the Cisco IOS configuration file. For example, the name • of a boot loader helper file, which extends or patches the functionality of the boot loader can be stored as an environment variable.
  • Page 80: Scheduling A Reload Of The Software Image

    Chapter 3 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image Scheduling a Reload of the Software Image You can schedule a reload of the software image to occur on the switch at a later time (for example, late at night or during the weekend when the switch is used less), or you can synchronize a reload network-wide (for example, to perform a software upgrade on all switches in the network).
  • Page 81: Displaying Scheduled Reload Information

    Chapter 3 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image This example shows how to reload the software on the switch at a future time:
        Switch# reload at 02:00 jun 20
        Reload scheduled for 02:00:00 UTC Thu Jun 20 1996 (in 344 hours and 53 minutes)
        Proceed with reload? [confirm]
    To cancel a previously scheduled reload, use the reload cancel privileged EXEC command.
  • Page 83: Chapter 4 Configuring Cisco Ios Cns Agents

    C H A P T E R Configuring Cisco IOS CNS Agents This chapter describes how to configure the Cisco IOS CNS agents on the switch. Note: For complete configuration information for the Cisco Configuration Engine, see this URL on Cisco.com: http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.html This chapter consists of these sections:...
  • Page 84: Configuration Service

    Chapter 4 Configuring Cisco IOS CNS Agents Understanding Cisco Configuration Engine Software [Figure 4-1 Configuration Engine Architectural Overview: service provider network; data service; directory; configuration engine; configuration server; event service; web-based user interface; order entry configuration management] These sections contain this conceptual information: • Configuration Service, page 4-2 ...
  • Page 85: Event Service

    Chapter 4 Configuring Cisco IOS CNS Agents Understanding Cisco Configuration Engine Software Event Service The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine.
  • Page 86: Deviceid

    Chapter 4 Configuring Cisco IOS CNS Agents Understanding Cisco Configuration Engine Software DeviceID Each configured switch participating on the event bus has a unique DeviceID, which is analogous to the switch source address so that the switch can be targeted as a specific destination on the bus. All switches configured with the cns config partial global configuration command must access the event bus.
  • Page 87: Understanding Cisco Ios Agents

    Chapter 4 Configuring Cisco IOS CNS Agents Understanding Cisco IOS Agents Understanding Cisco IOS Agents The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent. The Cisco IOS agent feature supports the switch by providing these features: • Initial Configuration, page 4-5 ...
  • Page 88: Incremental (Partial) Configuration

    Chapter 4 Configuring Cisco IOS CNS Agents Configuring Cisco IOS Agents Incremental (Partial) Configuration After the network is running, new services can be added by using the Cisco IOS agent. Incremental (partial) configurations can be sent to the switch. The actual configuration can be sent as an event payload by way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation.
  • Page 89 Chapter 4 Configuring Cisco IOS CNS Agents Configuring Cisco IOS Agents Table 4-1 Prerequisites for Enabling Automatic Configuration (Device: Required Configuration) Access switch: Factory default (no configuration file). Distribution switch: • IP helper address • Enable DHCP relay agent • IP routing (if used as default gateway) ...
  • Page 90: Enabling The Cns Event Agent

    Chapter 4 Configuring Cisco IOS CNS Agents Configuring Cisco IOS Agents Enabling the CNS Event Agent Note: You must enable the CNS event agent on the switch before you enable the CNS configuration agent. Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch: Command Purpose Step 1...
  • Page 91: Enabling The Cisco Ios Cns Agent

    Chapter 4 Configuring Cisco IOS CNS Agents Configuring Cisco IOS Agents Enabling the Cisco IOS CNS Agent After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands: • The cns config initial global configuration command enables the Cisco IOS agent and initiates an...
  • Page 92 Chapter 4 Configuring Cisco IOS CNS Agents Configuring Cisco IOS Agents Command Purpose Step 7 cns id interface num {dns-reverse | ipaddress | mac-address} [event] Set the unique EventID or ConfigID used by the Configuration Engine. • For interface num, enter the type of interface; for...
  • Page 93: Enabling A Partial Configuration

    Chapter 4 Configuring Cisco IOS CNS Agents Configuring Cisco IOS Agents Command Purpose Step 10 show cns config connections Verify information about the configuration agent. Step 11 show running-config Verify your entries. To disable the CNS Cisco IOS agent, use the no cns config initial {ip-address | hostname} global configuration command.
  • Page 94: Displaying Cns Configuration

    Chapter 4 Configuring Cisco IOS CNS Agents Displaying CNS Configuration Displaying CNS Configuration You can use the privileged EXEC commands in Table 4-2 to display CNS configuration information. Table 4-2 Displaying CNS Configuration Command Purpose show cns config connections Displays the status of the CNS Cisco IOS agent connections. show cns config outstanding Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
  • Page 95 C H A P T E R Administering the Switch This chapter describes how to perform one-time operations to administer the switch. This chapter consists of these sections: • Managing the System Time and Date, page 5-1 • Configuring a System Name and Prompt, page 5-14 ...
  • Page 96: Administering The Switch

    Chapter 5 Administering the Switch Managing the System Time and Date The system clock can provide time to these services: • User show commands • Logging and debugging messages The system clock keeps track of time internally based on Universal Time Coordinated (UTC), also known as Greenwich Mean Time (GMT).
  • Page 97: Configuring Ntp

    Chapter 5 Administering the Switch Managing the System Time and Date Figure 5-1 shows a typical network example using NTP. Switch A is the NTP master, with Switches B, C, and D configured in NTP server mode, in server association with Switch A. Switch E is configured as an NTP peer to the upstream and downstream switches, Switch B and Switch F.
  • Page 98: Default Ntp Configuration

    Chapter 5 Administering the Switch Managing the System Time and Date These sections contain this configuration information: • Default NTP Configuration, page 5-4 • Configuring NTP Authentication, page 5-4 • Configuring NTP Associations, page 5-5 • Configuring NTP Broadcast Service, page 5-6 ...
  • Page 99: Configuring Ntp Associations

    Chapter 5 Administering the Switch Managing the System Time and Date Command Purpose Step 3 ntp authentication-key number md5 value Define the authentication keys. By default, none are defined. • For number, specify a key number. The range is 1 to...
  • Page 100: Configuring Ntp Broadcast Service

    Chapter 5 Administering the Switch Managing the System Time and Date Beginning in privileged EXEC mode, follow these steps to form an NTP association with another device: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ntp peer ip-address [version number] [key keyid] [source interface] [prefer] Configure the switch system clock to synchronize a peer or to be synchronized by a peer (peer association).
  • Page 101 Chapter 5 Administering the Switch Managing the System Time and Date The switch can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP broadcast server, such as a router, broadcasting time information on the network. The switch can send NTP broadcast packets to a peer so that the peer can synchronize to it.
  • Page 102: Configuring Ntp Access Restrictions

    Chapter 5 Administering the Switch Managing the System Time and Date Command Purpose Step 5 ntp broadcastdelay microseconds (Optional) Change the estimated round-trip delay between the switch and the NTP broadcast server. The default is 3000 microseconds; the range is 1 to 999999. Step 6 Return to privileged EXEC mode.
  • Page 103 Chapter 5 Administering the Switch Managing the System Time and Date Command Purpose Step 3 access-list access-list-number permit source [source-wildcard] Create the access list. • For access-list-number, enter the number specified in Step 2. • Enter the permit keyword to permit access if the conditions are...
  • Page 104: Configuring The Source Ip Address For Ntp Packets

    Chapter 5 Administering the Switch Managing the System Time and Date Disabling NTP Services on a Specific Interface NTP services are enabled on all interfaces by default. Beginning in privileged EXEC mode, follow these steps to disable NTP packets from being received on an interface: Command Purpose...
  • Page 105: Displaying The Ntp Configuration

    Chapter 5 Administering the Switch Managing the System Time and Date Displaying the NTP Configuration You can use two privileged EXEC commands to display NTP information: • show ntp associations [detail] • show ntp status For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 106: Displaying The Time And Date Configuration

    Chapter 5 Administering the Switch Managing the System Time and Date Displaying the Time and Date Configuration To display the time and date configuration, use the show clock [detail] privileged EXEC command. The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate).
  • Page 107: Configuring Summer Time (Daylight Saving Time)

    Chapter 5 Administering the Switch Managing the System Time and Date Configuring Summer Time (Daylight Saving Time) Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year: Command Purpose Step 1...
  • Page 108: Configuring A System Name And Prompt

    Chapter 5 Administering the Switch Configuring a System Name and Prompt Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events): Command Purpose Step 1...
  • Page 109: Default System Name And Prompt Configuration

    Chapter 5 Administering the Switch Configuring a System Name and Prompt These sections contain this configuration information: • Default System Name and Prompt Configuration, page 5-15 • Configuring a System Name, page 5-15 • Understanding DNS, page 5-15 Default System Name and Prompt Configuration The default switch system name and prompt is Switch.
  • Page 110: Default Dns Configuration

    Chapter 5 Administering the Switch Configuring a System Name and Prompt These sections contain this configuration information: • Default DNS Configuration, page 5-16 • Setting Up DNS, page 5-16 • Displaying the DNS Configuration, page 5-17 Default DNS Configuration Table 5-2 shows the default DNS configuration.
  • Page 111: Displaying The Dns Configuration

    Chapter 5 Administering the Switch Creating a Banner Command Purpose Step 6 show running-config Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.), a period followed by the default domain name is appended to the hostname before the DNS query is made to map the name to an IP address.
  • Page 112: Configuring A Message-Of-The-Day Login Banner

    Chapter 5 Administering the Switch Creating a Banner Configuring a Message-of-the-Day Login Banner You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: Command Purpose Step 1...
  • Page 113: Configuring A Login Banner

    Chapter 5 Administering the Switch Managing the MAC Address Table Configuring a Login Banner You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner: Command Purpose Step 1...
  • Page 114: Building The Address Table

    Chapter 5 Administering the Switch Managing the MAC Address Table These sections contain this configuration information: • Building the Address Table, page 5-20 • MAC Addresses and VLANs, page 5-20 • Default MAC Address Table Configuration, page 5-21 • Changing the Address Aging Time, page 5-21 ...
  • Page 115: Default Mac Address Table Configuration

    Chapter 5 Administering the Switch Managing the MAC Address Table Default MAC Address Table Configuration Table 5-3 shows the default MAC address table configuration. Table 5-3 Default MAC Address Table Configuration (Feature: Default Setting) Aging time: 300 seconds. Dynamic addresses: Automatically learned. Static addresses: None configured...
  • Page 116: Removing Dynamic Address Entries

    Chapter 5 Administering the Switch Managing the MAC Address Table Removing Dynamic Address Entries To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode. You can also remove a specific MAC address (clear mac address-table dynamic address mac-address), remove all addresses on the specified physical port or port channel (clear mac address-table dynamic interface interface-id), or remove all addresses on a specified VLAN (clear mac address-table dynamic vlan vlan-id).
  • Page 117 Chapter 5 Administering the Switch Managing the MAC Address Table Command Purpose Step 5 mac address-table notification [interval value] | [history-size value] Enter the trap interval time and the history table size. • (Optional) For interval value, specify the notification trap interval in seconds between each set of traps that are generated to the NMS.
  • Page 118: Adding And Removing Static Address Entries

    Chapter 5 Administering the Switch Managing the MAC Address Table Adding and Removing Static Address Entries A static address has these characteristics: • It is manually entered in the address table and must be manually removed. • It can be a unicast or multicast address. ...
  • Page 119: Configuring Unicast Mac Address Filtering

    Chapter 5 Administering the Switch Managing the MAC Address Table Configuring Unicast MAC Address Filtering When unicast MAC address filtering is enabled, the switch drops packets with specific source or destination MAC addresses. This feature is disabled by default and only supports unicast static addresses.
  • Page 120: Displaying Address Table Entries

    Chapter 5 Administering the Switch Managing the ARP Table This example shows how to enable unicast MAC address filtering and to configure the switch to drop packets that have a source or destination address of c2f3.220a.12f4. When a packet is received in VLAN 4 with this MAC address as its source or destination, the packet is dropped: Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop...
  • Page 121: Preventing Unauthorized Access To Your Switch

    C H A P T E R Configuring Switch-Based Authentication This chapter describes how to configure switch-based authentication on the switch. It consists of these sections: • Preventing Unauthorized Access to Your Switch, page 6-1 • Protecting Access to Privileged EXEC Commands, page 6-2 ...
  • Page 122: Protecting Access To Privileged Exec Commands

    Chapter 6 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands • If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if necessary, authorization) information.
  • Page 123: Setting Or Changing A Static Enable Password

    Chapter 6 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Setting or Changing a Static Enable Password The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password: Command Purpose Step 1...
  • Page 124 Chapter 6 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 enable password [level level] {password | encryption-type encrypted-password} Define a new password or change an existing password for...
  • Page 125: Disabling Password Recovery

    Chapter 6 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2: Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8 Disabling Password Recovery By default, any end user with physical access to the switch can recover from a lost password by interrupting the boot process while the switch is powering on and then by entering a new password.
  • Page 126: Setting A Telnet Password For A Terminal Line

    Chapter 6 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Setting a Telnet Password for a Terminal Line When you power up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password.
  • Page 127: Configuring Multiple Privilege Levels

    Chapter 6 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 username name [privilege level] Enter the username, privilege level, and password for each user.
  • Page 128: Setting The Privilege Level For A Command

    Chapter 6 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Setting the Privilege Level for a Command Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 129: Changing The Default Privilege Level For Lines

    Chapter 6 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Changing the Default Privilege Level for Lines Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 130: Controlling Switch Access With Tacacs

    Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Controlling Switch Access with TACACS+ This section describes how to enable and configure Terminal Access Controller Access Control System Plus (TACACS+), which provides detailed accounting information and flexible administrative control over authentication and authorization processes.
  • Page 131 Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ [Figure 6-1 Typical TACACS+ Network Configuration: UNIX workstation (TACACS+ server 1) 171.20.10.7; UNIX workstation (TACACS+ server 2) 171.20.10.8; Catalyst 6500 series switch] Configure the Blade switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers).
  • Page 132: Tacacs+ Operation

    Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ TACACS+ Operation When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs: When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user.
  • Page 133: Default Tacacs+ Configuration

    Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.
  • Page 134: Configuring Tacacs+ Login Authentication

    Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Command Purpose Step 3 aaa new-model Enable AAA. Step 4 aaa group server tacacs+ group-name (Optional) Define the AAA server-group with a group name. This command puts the switch in a server group subconfiguration mode. Step 5 server ip-address (Optional) Associate a particular TACACS+ server with the defined server...
  • Page 135 Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Command Purpose Step 3 aaa authentication login {default | list-name} method1 [method2...] Create a login authentication method list. • To create a default list that is used when a named list is not specified...
  • Page 136: Configuring Tacacs+ Authorization For Privileged Exec Access And Network Services

    Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Note: To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip http authentication aaa global configuration command. Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods.
  • Page 137: Starting Tacacs+ Accounting

    Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Starting TACACS+ Accounting The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records.
  • Page 138: Understanding Radius

    Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Understanding RADIUS RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco routers and switches. Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information. The RADIUS host is normally a multiuser system running RADIUS server software from Cisco (Cisco Secure Access Control Server Version 3.0), Livingston, Merit, Microsoft, or another software provider.
  • Page 139: Radius Operation

    Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS [Figure 6-2 Transitioning from RADIUS to TACACS+ Services: RADIUS servers, TACACS+ servers, remote workstation] RADIUS Operation When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur: The user is prompted to enter a username and password.
  • Page 140: Configuring Radius

    Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Configuring RADIUS This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication.
  • Page 141 Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS You identify RADIUS security servers by their hostname or IP address, hostname and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
  • Page 142 Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | Specify the IP address or hostname of the remote RADIUS server host.
  • Page 143: Configuring Radius Login Authentication

    Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting: Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1 Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2...
  • Page 144 Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Command Purpose Step 3 aaa authentication login {default | list-name} method1 [method2...] Create a login authentication method list. • To create a default list that is used when a named list is not specified...
  • Page 145: Defining Aaa Server Groups

    Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
  • Page 146 Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | Specify the IP address or hostname of the remote RADIUS server host.
  • Page 147: Configuring Radius Authorization For User Privileged Access And Network Services

    Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Command Purpose Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. Step 9 Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 6-23.
  • Page 148: Starting Radius Accounting

    Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Command Purpose Step 3 aaa authorization exec radius Configure the switch for user RADIUS authorization if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information).
  • Page 149: Configuring Settings For All Radius Servers

    Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Configuring Settings for All RADIUS Servers Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 150 Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands: cisco-avpair= "shell:priv-lvl=15" This example shows how to specify an authorized VLAN in the RADIUS server database: cisco-avpair= "tunnel-type(#64)=VLAN(13)"...
  • Page 151: Configuring The Switch For Vendor-Proprietary Radius Server Communication

    Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Configuring the Switch for Vendor-Proprietary RADIUS Server Communication Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way.
  • Page 152: Controlling Switch Access With Kerberos

    Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with Kerberos Controlling Switch Access with Kerberos This section describes how to enable and configure the Kerberos security system, which authenticates requests for network resources by using a trusted third party. To use this feature, the cryptographic (that is, supports encryption) versions of the switch software must be installed on your switch.
  • Page 153 Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with Kerberos This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs).
  • Page 154: Kerberos Operation

    Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with Kerberos Table 6-2 Kerberos Terms (continued) Term Definition KEYTAB A password that a network service shares with the KDC. In Kerberos 5 and later Kerberos versions, the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it.
  • Page 155: Obtaining A Tgt From A Kdc

    Chapter 6 Configuring Switch-Based Authentication Controlling Switch Access with Kerberos • The KDC sends an encrypted TGT that includes the user identity to the switch. • The switch attempts to decrypt the TGT by using the password that the user entered. If the decryption is successful, the user is authenticated to the switch. ...
  • Page 156: Configuring The Switch For Local Authentication And Authorization

    Chapter 6 Configuring Switch-Based Authentication Configuring the Switch for Local Authentication and Authorization Note: A Kerberos server can be a Cisco Catalyst Blade Switch 3020 for HP that is configured as a network security server and that can authenticate users by using the Kerberos protocol. To set up a Kerberos-authenticated server-client system, follow these steps: Configure the KDC by using Kerberos commands.
  • Page 157: Configuring The Switch For Secure Shell

    Chapter 6 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell Command Purpose Step 6 username name [privilege level] {password encryption-type password} Enter the local database, and establish a username-based authentication system. Repeat this command for each user. • For name, specify the user ID as one word. Spaces and quotation...
  • Page 158: Understanding Ssh

    Chapter 6 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell For SSH configuration examples, see the “SSH Configuration Examples” section in the “Configuring Secure Shell” chapter of the Cisco IOS Security Configuration Guide, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfssh.htm For complete syntax and usage information for the commands used in this section, see the command...
  • Page 159: Limitations

    Chapter 6 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell Limitations These limitations apply to SSH: • The switch supports Rivest, Shamir, and Adelman (RSA) authentication. • SSH supports only the execution-shell application. • The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data...
  • Page 160 Chapter 6 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell Generate an RSA key pair for the switch, which automatically enables SSH. Follow this procedure only if you are configuring the switch as an SSH server. Configure user authentication for local or remote access. This step is required. For more information, see the “Configuring the Switch for Local Authentication and Authorization”...
  • Page 161: Configuring The Ssh Server

    Chapter 6 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell Configuring the SSH Server Beginning in privileged EXEC mode, follow these steps to configure the SSH server: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip ssh version [1 | 2] (Optional) Configure the switch to run SSH Version 1 or SSH Version 2.
  • Page 162: Configuring The Switch For Secure Socket Layer Http

    Chapter 6 Configuring Switch-Based Authentication Configuring the Switch for Secure Socket Layer HTTP For more information about these commands, see the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fothercr/srfssh.htm.
  • Page 163 Chapter 6 Configuring Switch-Based Authentication Configuring the Switch for Secure Socket Layer HTTP When a connection attempt is made, the HTTPS server provides a secure connection by issuing a certified X.509v3 certificate, obtained from a specified CA trustpoint, to the client. The client (usually a Web browser), in turn, has a public key that allows it to authenticate the certificate.
  • Page 164: Ciphersuites

    Chapter 6 Configuring Switch-Based Authentication Configuring the Switch for Secure Socket Layer HTTP CipherSuites A CipherSuite specifies the encryption algorithm and the digest algorithm to use on an SSL connection. When connecting to the HTTPS server, the client Web browser offers a list of supported CipherSuites, and the client and server negotiate the best encryption algorithm to use from those on the list that are supported by both.
  • Page 165: Ssl Configuration Guidelines

    Chapter 6 Configuring Switch-Based Authentication Configuring the Switch for Secure Socket Layer HTTP SSL Configuration Guidelines Before you configure a CA trustpoint, you should ensure that the system clock is set. If the clock is not set, the certificate is rejected due to an incorrect date. Configuring a CA Trustpoint For secure HTTP connections, we recommend that you configure an official CA trustpoint.
  • Page 166: Configuring The Secure Http Server

    Chapter 6 Configuring Switch-Based Authentication Configuring the Switch for Secure Socket Layer HTTP Configuring the Secure HTTP Server If you are using a certificate authority for certification, you should use the previous procedure to configure the CA trustpoint on the switch before enabling the HTTP server. If you have not configured a CA trustpoint, a self-signed certificate is generated the first time that you enable the secure HTTP server.
  • Page 167: Configuring The Secure Http Client

    Chapter 6 Configuring Switch-Based Authentication Configuring the Switch for Secure Socket Layer HTTP Command Purpose Step 11: ip http timeout-policy idle seconds life seconds requests value. (Optional) Specify how long a connection to the HTTP server can remain open under the defined circumstances: • idle—the maximum time period when no data is received or response...
  • Page 168: Displaying Secure Http Server And Client Status

    Chapter 6 Configuring Switch-Based Authentication Configuring the Switch for Secure Copy Protocol Command Purpose Step 3: ip http client secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-md5] [rc4-128-sha] [des-cbc-sha]}. (Optional) Specify the CipherSuites (encryption algorithms) to be used for encryption over the HTTPS connection. If you do not have a reason to specify a particular CipherSuite, you should allow the server and client to negotiate a CipherSuite that they both support.
  • Page 169: Information About Secure Copy

    Chapter 6 Configuring Switch-Based Authentication Configuring the Switch for Secure Copy Protocol Information About Secure Copy To configure the Secure Copy feature, you should understand these concepts. The behavior of SCP is similar to that of remote copy (rcp), which comes from the Berkeley r-tools suite, except that SCP relies on SSH for security.
  • Page 171: Understanding Ieee 802.1X Port-Based Authentication

    C H A P T E R Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the switch. IEEE 802.1x authentication prevents unauthorized devices (clients) from gaining access to the network. Note: For complete syntax and usage information for the commands used in this chapter, see the “RADIUS Commands”...
  • Page 172: Device Roles

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication • IEEE 802.1x Accounting Attribute-Value Pairs, page 7-9 • Using IEEE 802.1x Authentication with VLAN Assignment, page 7-10 • Using IEEE 802.1x Authentication with Per-User ACLs, page 7-11 • Using IEEE 802.1x Authentication with Guest VLAN, page 7-12 • ...
  • Page 173: Authentication Process

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication • Switch (edge switch or wireless access point)—controls the physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client.
  • Page 174 Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication Figure 7-2 shows the authentication process. [Figure 7-2 Authentication Flowchart: decision points for whether the client is IEEE 802.1x capable, whether the IEEE 802.1x authentication process times out, and whether MAC authentication bypass is enabled.] The switch gets an EAPOL message, and the EAPOL...
  • Page 175: Authentication Initiation And Message Exchange

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication The Termination-Action RADIUS attribute (Attribute [29]) specifies the action to take during re-authentication. The actions are Initialize and ReAuthenticate. When the Initialize action is set (the attribute value is DEFAULT), the IEEE 802.1x session ends, and connectivity is lost during re-authentication.
  • Page 176 Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication The specific exchange of EAP frames depends on the authentication method being used. Figure 7-3 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server.
  • Page 177: Ports In Authorized And Unauthorized States

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication [Figure 7-4 Message Exchange During MAC Authentication Bypass: between the client, the switch, and the authentication server (RADIUS); messages shown are EAPOL Request/Identity (three times), Ethernet packet, RADIUS Access/Request, and RADIUS Access/Accept.] Ports in Authorized and Unauthorized States During IEEE 802.1x authentication, depending on the switch port state, the switch can grant a client access to the network.
  • Page 178: Ieee 802.1X Host Mode

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication If the client is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated client are allowed through the port.
  • Page 179: Ieee 802.1X Accounting

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication IEEE 802.1x Accounting The IEEE 802.1x standard defines how users are authorized and authenticated for network access but does not keep track of network usage. IEEE 802.1x accounting is disabled by default. You can enable IEEE 802.1x accounting to monitor this activity on IEEE 802.1x-enabled ports: •...
  • Page 180: Using Ieee 802.1X Authentication With Vlan Assignment

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication Table 7-1 Accounting AV Pairs (continued): Attribute Number | AV Pair Name | START | INTERIM | STOP; Attribute[46] | Acct-Session-Time | Never | Never | Always; Attribute[49] | Acct-Terminate-Cause | Never | Never | Always; Attribute[61] | NAS-Port-Type | Always | Always | Always. 1.
  • Page 181: Using Ieee 802.1X Authentication With Per-User Acls

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication The IEEE 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS). To configure VLAN assignment, you need to perform these tasks: • Enable AAA authorization by using the network keyword to allow interface configuration from the...
  • Page 182: Using Ieee 802.1X Authentication With Guest Vlan

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of RADIUS-server per-user ACLs. For examples of vendor-specific attributes, see the “Configuring the Switch to Use Vendor-Specific RADIUS Attributes”...
  • Page 183: Using Ieee 802.1X Authentication With Restricted Vlan

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication a username and password based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one is specified.
  • Page 184: Using Ieee 802.1X Authentication With Inaccessible Authentication Bypass

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass When the switch cannot reach the configured RADIUS servers and hosts cannot be authenticated, you can configure the switch to allow network access to the hosts connected to critical ports. A critical port is enabled for the inaccessible authentication bypass feature, also referred to as critical authentication or the AAA fail policy.
  • Page 185: Using Ieee 802.1X Authentication With Voice Vlan Ports

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication • Restricted VLAN—If the port is already authorized in a restricted VLAN and the RADIUS servers are unavailable, the switch puts the critical port in the critical-authentication state in the restricted VLAN.
  • Page 186: Using Ieee 802.1X Authentication With Wake-On-Lan

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication IEEE 802.1x authentication authenticates the port, and port security manages network access for all MAC addresses, including that of the client. You can then limit the number or group of clients that can access the network through an IEEE 802.1x port.
  • Page 187: Using Ieee 802.1X Authentication With Mac Authentication Bypass

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication If PortFast is not enabled on the port, the port is forced to the bidirectional state. Note: When you configure a port as unidirectional by using the dot1x control-direction in interface configuration command, the port changes to the spanning-tree forwarding state.
  • Page 188: Configuring Ieee 802.1X Authentication

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication MAC authentication bypass interacts with these features: • IEEE 802.1x authentication—You can enable MAC authentication bypass only if IEEE 802.1x authentication is enabled on the port. • Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a...
  • Page 189: Default Ieee 802.1X Authentication Configuration

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Default IEEE 802.1x Authentication Configuration Table 7-2 shows the default IEEE 802.1x authentication configuration. Table 7-2 Default IEEE 802.1x Authentication Configuration: Feature | Default Setting; Switch IEEE 802.1x enable state | Disabled.
  • Page 190: Ieee 802.1X Authentication Configuration Guidelines

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Table 7-2 Default IEEE 802.1x Authentication Configuration (continued): Feature | Default Setting; Authenticator (switch) mode | None specified; MAC authentication bypass | Disabled. IEEE 802.1x Authentication Configuration Guidelines This section has configuration guidelines for these features: • ...
  • Page 191: Vlan Assignment, Guest Vlan, Restricted Vlan, And Inaccessible Authentication Bypass

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication – Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable IEEE 802.1x authentication on a port that is a SPAN or RSPAN destination port. However, IEEE 802.1x authentication is disabled until the port is removed as a SPAN or RSPAN destination port.
  • Page 192: Mac Authentication Bypass

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication MAC Authentication Bypass These are the MAC authentication bypass configuration guidelines: • Unless otherwise stated, the MAC authentication bypass guidelines are the same as the IEEE 802.1x authentication guidelines. For more information, see the “IEEE 802.1x Authentication”...
  • Page 193: Configuring The Switch-To-Radius-Server Communication

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Command Purpose Step 3: aaa authentication dot1x {default} method1. Create an IEEE 802.1x authentication method list. To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the method that is to be used in default situations.
  • Page 194 Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server parameters on the switch. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | Configure the RADIUS server parameters.
  • Page 195: Configuring The Host Mode

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Configuring the Host Mode Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) on an IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto.
  • Page 196: Manually Re-Authenticating A Client Connected To A Port

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Command Purpose Step 4: dot1x timeout reauth-period {seconds | server}. Set the number of seconds between re-authentication attempts. The keywords have these meanings: • seconds—Sets the number of seconds from 1 to 65535; the default is...
  • Page 197: Changing The Switch-To-Client Retransmission Time

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Command Purpose Step 3 dot1x timeout quiet-period seconds Set the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client. The range is 1 to 65535 seconds;...
  • Page 198: Setting The Switch-To-Client Frame-Retransmission Number

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Setting the Switch-to-Client Frame-Retransmission Number In addition to changing the switch-to-client retransmission time, you can change the number of times that the switch sends an EAP-request/identity frame (assuming no response is received) to the client before restarting the authentication process.
  • Page 199: Setting The Re-Authentication Number

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Setting the Re-Authentication Number You can also change the number of times that the switch restarts the authentication process before the port changes to the unauthorized state. Note: You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.
  • Page 200: Configuring A Guest Vlan

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Note: You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and interim-update messages and time stamps. To turn on these functions, enable logging of “Update/Watchdog packets from this AAA client”...
  • Page 201: Configuring A Restricted Vlan

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Command Purpose Step 3: switchport mode access. Set the port to access mode; or switchport mode private-vlan host. Configure the port as a private-VLAN host port. Step 4: dot1x port-control auto. Enable IEEE 802.1x authentication on the port.
  • Page 202 Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Command Purpose Step 5 dot1x auth-fail vlan vlan-id Specify an active VLAN as an IEEE 802.1x restricted VLAN. The range is 1 to 4094. You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x restricted VLAN.
  • Page 203: Configuring The Inaccessible Authentication Bypass Feature

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication This example shows how to set 2 as the number of authentication attempts allowed before the port moves to the restricted VLAN: Switch(config-if)# dot1x auth-fail max-attempts 2 Configuring the Inaccessible Authentication Bypass Feature You can configure the inaccessible bypass feature, also referred to as critical authentication or the AAA fail policy.
  • Page 204 Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Command Purpose Step 4: radius-server host ip-address [acct-port udp-port] [auth-port udp-port] [key string] [test username ... (Optional) Configure the RADIUS server parameters by using these keywords: • acct-port udp-port—Specify the UDP port for the RADIUS...
  • Page 205: Configuring Ieee 802.1X Authentication With Wol

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Command Purpose Step 7: dot1x critical [recovery action reinitialize | vlan vlan-id]. Enable the inaccessible authentication bypass feature, and use these keywords to configure the feature: • recovery action reinitialize—Enable the recovery feature, and...
  • Page 206: Configuring Mac Authentication Bypass

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Command Purpose Step 4 Return to privileged EXEC mode. Step 5 show dot1x interface interface-id Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable IEEE 802.1x authentication with WoL, use the no dot1x control-direction interface configuration command.
  • Page 207: Configuring Ieee 802.1X Authentication Using A Radius Server

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Configuring IEEE 802.1x Authentication Using a RADIUS Server You can configure IEEE 802.1x authentication with a RADIUS server. Beginning in privileged EXEC mode, follow these steps to configure IEEE 802.1x authentication with a RADIUS server.
  • Page 208: Disabling Ieee 802.1X Authentication On The Port

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Disabling IEEE 802.1x Authentication on the Port You can disable IEEE 802.1x authentication on the port by using the no dot1x pae interface configuration command. Beginning in privileged EXEC mode, follow these steps to disable IEEE 802.1x authentication on the port.
  • Page 209: Displaying Ieee 802.1X Statistics And Status

    Chapter 7 Configuring IEEE 802.1x Port-Based Authentication Displaying IEEE 802.1x Statistics and Status Displaying IEEE 802.1x Statistics and Status To display IEEE 802.1x statistics for all ports, use the show dot1x all statistics privileged EXEC command. To display IEEE 802.1x statistics for a specific port, use the show dot1x statistics interface interface-id privileged EXEC command.
  • Page 211: Understanding Interface Types

    C H A P T E R Configuring Interface Characteristics This chapter defines the types of interfaces on the switch and describes how to configure them. The chapter consists of these sections: • Understanding Interface Types, page 8-1 • Using Interface Configuration Mode, page 8-6 • ...
  • Page 212: Port-Based Vlans

    Chapter 8 Configuring Interface Characteristics Understanding Interface Types Port-Based VLANs A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 10, “Configuring VLANs.”...
  • Page 213: Access Ports

    Chapter 8 Configuring Interface Characteristics Understanding Interface Types Access Ports An access port belongs to and carries the traffic of only one VLAN (unless it is configured as a voice VLAN port). Traffic is received and sent in native formats with no VLAN tagging. Traffic arriving on an access port is assumed to belong to the VLAN assigned to the port.
  • Page 214: Etherchannel Port Groups

    Chapter 8 Configuring Interface Characteristics Understanding Interface Types EtherChannel Port Groups EtherChannel port groups treat multiple switch ports as one switch port. These port groups act as a single logical port for high-bandwidth connections between switches or between switches and servers. An EtherChannel balances the traffic load across the links in the channel.
  • Page 215: Connecting Interfaces

    Chapter 8 Configuring Interface Characteristics Understanding Interface Types Connecting Interfaces Devices within a single VLAN can communicate directly through any switch. Ports in different VLANs cannot exchange data without going through a routing device. In the configuration shown in Figure 8-1, when Blade Server A in VLAN 20 sends data to Blade Server B in VLAN 30, the data must go from Blade Server A to the switch, to the router, back to the switch, and then to Blade Server B.
  • Page 216: Using Interface Configuration Mode

    Chapter 8 Configuring Interface Characteristics Using Interface Configuration Mode Using Interface Configuration Mode The switch supports these interface types: • Physical ports—switch ports • VLANs—switch virtual interfaces • Port channels—EtherChannel interfaces You can also configure a range of interfaces (see the “Configuring a Range of Interfaces”...
  • Page 217: Configuring A Range Of Interfaces

    Chapter 8 Configuring Interface Characteristics Using Interface Configuration Mode Step 3: Follow each interface command with the interface configuration commands that the interface requires. The commands that you enter define the protocols and applications that will run on the interface. The commands are collected and applied to the interface when you enter another interface command or enter end to return to privileged EXEC mode.
  • Page 218: Configuring And Using Interface Range Macros

    Chapter 8 Configuring Interface Characteristics Using Interface Configuration Mode When using the interface range global configuration command, note these guidelines: • Valid entries for port-range: – vlan vlan-ID, where the VLAN ID is 1 to 4094 – gigabitethernet module/{first port} - {last port}, where the module is always 0 – ...
  • Page 219 Chapter 8 Configuring Interface Characteristics Using Interface Configuration Mode Command Purpose Step 3 interface range macro macro_name Select the interface range to be configured using the values saved in the interface-range macro called macro_name. You can now use the normal configuration commands to apply the configuration to all interfaces in the defined macro.
  • Page 220: Configuring Ethernet Interfaces

    Chapter 8 Configuring Interface Characteristics Configuring Ethernet Interfaces This example shows how to delete the interface-range macro enet_list and to verify that it was deleted. Switch# configure terminal Switch(config)# no define interface-range enet_list Switch(config)# end Switch# show run | include define Switch# Configuring Ethernet Interfaces These sections contain this configuration information:...
  • Page 221: Configuring Interface Speed And Duplex Mode

    Chapter 8 Configuring Interface Characteristics Configuring Ethernet Interfaces Table 8-1 Default Layer 2 Ethernet Interface Configuration (continued): Feature | Default Setting; Port security | Disabled. See the “Default Port Security Configuration” section on page 19-10; Port Fast | Disabled. Enabled by default on Gigabit Ethernet interfaces 0/1 to 0/16.
  • Page 222 Chapter 8 Configuring Interface Characteristics Configuring Ethernet Interfaces • If both ends of the line support autonegotiation, we highly recommend the default setting of autonegotiation. • If one interface supports autonegotiation and the other end does not, configure duplex and speed on...
  • Page 223 Chapter 8 Configuring Interface Characteristics Configuring Ethernet Interfaces Command Purpose Step 3: media-type {auto-select | rj45 | sfp | internal}. Select the interface and type of a dual-purpose uplink port. These keyword meanings apply on Gigabit Ethernet interfaces 0/17 to 0/20 and 0/23 to 0/24;...
  • Page 224: Setting The Interface Speed And Duplex Parameters

    Chapter 8 Configuring Interface Characteristics Configuring Ethernet Interfaces Setting the Interface Speed and Duplex Parameters Beginning in privileged EXEC mode, follow these steps to set the speed and duplex mode for a physical interface: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 225: Configuring Ieee 802.3X Flow Control

    Chapter 8 Configuring Interface Characteristics Configuring Ethernet Interfaces Configuring IEEE 802.3x Flow Control Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. If one port experiences congestion and cannot receive any more traffic, it notifies the other port by sending a pause frame to stop sending until the condition clears.
  • Page 226: Configuring Auto-Mdix On An Interface

    Chapter 8 Configuring Interface Characteristics Configuring Ethernet Interfaces Configuring Auto-MDIX on an Interface When automatic medium-dependent interface crossover (auto-MDIX) is enabled on an interface, the interface automatically detects the required cable connection type (straight through or crossover) and configures the connection appropriately. When connecting switches without the auto-MDIX feature, you must use straight-through cables to connect to devices such as servers, workstations, or routers and crossover cables to connect to other switches or repeaters.
  • Page 227: Adding A Description For An Interface

    Chapter 8 Configuring Interface Characteristics Configuring Ethernet Interfaces This example shows how to enable auto-MDIX on a port: Switch# configure terminal Switch(config)# interface gigabitethernet0/1 Switch(config-if)# speed auto Switch(config-if)# duplex auto Switch(config-if)# mdix auto Switch(config-if)# end Adding a Description for an Interface You can add a description about an interface to help you remember its function.
  • Page 228: Configuring The System Mtu

    Chapter 8 Configuring Interface Characteristics Configuring the System MTU Configuring the System MTU The default maximum transmission unit (MTU) size for frames received and transmitted on all interfaces on the switch is 1500 bytes. You can increase the MTU size for all interfaces operating at 10 or 100 Mbps by using the system mtu global configuration command.
  • Page 229: Monitoring And Maintaining The Interfaces

    Chapter 8 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces This example shows the response when you try to set Gigabit Ethernet interfaces to an out-of-range number: Switch(config)# system mtu jumbo 25000 % Invalid input detected at '^' marker. Monitoring and Maintaining the Interfaces These sections contain interface monitoring and maintenance information: • Monitoring Interface Status, page 8-19 • ...
  • Page 230: Clearing And Resetting Interfaces And Counters

    Chapter 8 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces Clearing and Resetting Interfaces and Counters Table 8-4 lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces. Table 8-4 Clear Commands for Interfaces Command Purpose clear counters [interface-id]...
  • Page 231: Chapter 9 Configuring Smartports Macros

    C H A P T E R Configuring Smartports Macros This chapter describes how to configure and apply Smartports macros on the switch. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 232: Configuring Smartports Macros

    Chapter 9 Configuring Smartports Macros Configuring Smartports Macros Table 9-1 Cisco-Default Smartports Macros (continued) Macro Name Description cisco-phone Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
  • Page 233: Smartports Macro Configuration Guidelines

    Chapter 9 Configuring Smartports Macros Configuring Smartports Macros Smartports Macro Configuration Guidelines Follow these guidelines when configuring macros on your switch: • When creating a macro, do not use the exit or end commands or change the command mode by using...
  • Page 234: Creating Smartports Macros

    Chapter 9 Configuring Smartports Macros Configuring Smartports Macros Follow these guidelines when you apply a Cisco-default Smartports macro on an interface: • Display all macros on the switch by using the show parser macro user EXEC command. • Display the contents of a specific macro by using the show parser macro macro-name user EXEC command.
  • Page 235: Applying Smartports Macros

    Chapter 9 Configuring Smartports Macros Configuring Smartports Macros Applying Smartports Macros Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro: Command Purpose Step 1: configure terminal. Enter global configuration mode. Step 2: macro global {apply | trace} macro-name [parameter {value}]. Apply each individual command defined in the macro to the switch by entering macro global apply macro-name.
  • Page 236: Applying Cisco-Default Smartports Macros

    This example shows how to apply the user-created macro called snmp, to set the hostname address to test-server, and to set the IP precedence value to 7:
    Switch(config)# macro global apply snmp ADDRESS test-server VALUE 7
    This example shows how to debug the user-created macro called snmp by using the macro global trace global configuration command to find any syntax or configuration errors in the macro when it is applied to the switch.
  • Page 237 Step 7: macro {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}]. Append the Cisco-default macro with the required values by using the parameter value keywords, and apply the macro to the interface. Keywords that begin with $ mean that a unique parameter value is required.
  • Page 238: Displaying Smartports Macros

    Displaying Smartports Macros: To display the Smartports macros, use one or more of the privileged EXEC commands in Table 9-2. Table 9-2 Commands for Displaying Smartports Macros: show parser macro: Displays all configured macros.
  • Page 239: Chapter 10 Configuring Vlans

    Chapter 10: Configuring VLANs. This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS).
  • Page 240: Supported Vlans

    Chapter 10 Configuring VLANs, Understanding VLANs. Figure 10-1 shows an example of VLANs segmented into logically defined networks. [Figure 10-1 VLANs as Logically Defined Networks: Engineering, Marketing, and Accounting VLANs; Cisco router; Gigabit Ethernet; Floor 1, Floor 2, Floor 3] VLANs are often associated with IP subnetworks.
  • Page 241: Vlan Port Membership Modes

    VLAN Port Membership Modes: You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries and the number of VLANs to which it can belong. Table 10-1 lists the membership modes and membership and VTP characteristics.
  • Page 242: Configuring Normal-Range Vlans

    Configuring Normal-Range VLANs: Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or VTP transparent mode, you can add, modify, or remove configurations for VLANs 2 to 1001 in the VLAN database.
  • Page 243: Token Ring Vlans

    These sections contain normal-range VLAN configuration information: • Token Ring VLANs, page 10-5 • Normal-Range VLAN Configuration Guidelines, page 10-5 • VLAN Configuration Mode Options, page 10-6 • Saving VLAN Configuration, page 10-6 •...
  • Page 244: Vlan Configuration Mode Options

    ...are several adjacent switches that all have run out of spanning-tree instances. You can prevent this possibility by setting allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances.
  • Page 245: Default Ethernet Vlan Configuration

    When you save VLAN and VTP information (including extended-range VLAN configuration information) in the startup configuration file and reboot the switch, the switch configuration is selected as follows: • If the VTP mode is transparent in the startup configuration, and the VLAN database and the VTP domain name from the VLAN database match those in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and VLAN configurations in the startup configuration file are used.
  • Page 246: Creating Or Modifying An Ethernet Vlan

    Creating or Modifying an Ethernet VLAN: Each Ethernet VLAN in the VLAN database has a unique, 4-digit ID that can be a number from 1 to 1001. VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs. To create a normal-range VLAN to be added to the VLAN database, assign a number and name to the VLAN.
  • Page 247: Deleting A Vlan

    You can also create or modify Ethernet VLANs by using the VLAN database configuration mode. Note: VLAN database configuration mode does not support RSPAN VLAN configuration or extended-range VLANs. Beginning in privileged EXEC mode, follow these steps to use VLAN database configuration mode to create or modify an Ethernet VLAN: Command Purpose...
  • Page 248: Assigning Static-Access Ports To A Vlan

    Caution: When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN. Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch: Command Purpose Step 1...
  • Page 249: Configuring Extended-Range Vlans

    To return an interface to its default configuration, use the default interface interface-id interface configuration command. This example shows how to configure a port as an access port in VLAN 2:
    Switch# configure terminal
    Enter configuration commands, one per line.
  • Page 250: Extended-Range Vlan Configuration Guidelines

    Extended-Range VLAN Configuration Guidelines: Follow these guidelines when creating extended-range VLANs: • To add an extended-range VLAN, you must use the vlan vlan-id global configuration command and access config-vlan mode. You cannot add extended-range VLANs in VLAN database configuration mode (accessed by entering the vlan database privileged EXEC command).
  • Page 251: Displaying Vlans

    Step 3: vlan vlan-id. Enter an extended-range VLAN ID and enter config-vlan mode. The range is 1006 to 4094. Step 4: mtu mtu-size. (Optional) Modify the VLAN by changing the MTU size. Note: Although all VLAN commands appear in the CLI help in config-vlan mode, only the mtu mtu-size, and remote-span...
  • Page 252: Configuring Vlan Trunks

    Table 10-3 VLAN Monitoring Commands (continued): show interfaces [vlan vlan-id] (privileged EXEC): Display characteristics for all interfaces or for the specified VLAN configured on the switch. show vlan [id vlan-id] (privileged EXEC): Display parameters for all VLANs or the specified VLAN on the switch.
  • Page 253 Figure 10-2 shows a network of blade switches that are connected by ISL trunks. [Figure 10-2 Blade Switches in an ISL Trunking Environment: Catalyst 6500 series switch connected by trunks to blade switches...]
  • Page 254: Encapsulation Types

    Table 10-4 Layer 2 Interface Modes: switchport mode access: Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether or not the neighboring interface is a trunk interface.
  • Page 255: Default Layer 2 Ethernet Interface Vlan Configuration

    • Make sure the native VLAN for an IEEE 802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one end of the trunk is different from the native VLAN on the other end, spanning-tree loops might result.
  • Page 256: Configuring A Trunk Port

    – STP Port Fast setting. – trunk status: if one port in a port group ceases to be a trunk, all ports cease to be trunks. • We recommend that you configure no more than 24 trunk ports in PVST mode and no more than 40...
  • Page 257: Defining The Allowed Vlans On A Trunk

    To return an interface to its default configuration, use the default interface interface-id interface configuration command. To reset all trunking characteristics of a trunking interface to the defaults, use the no switchport trunk interface configuration command. To disable trunking, use the switchport mode access interface configuration command to configure the port as a static-access port.
  • Page 258: Changing The Pruning-Eligible List

    Step 4: switchport trunk allowed vlan {add | all | except | remove} vlan-list. (Optional) Configure the list of VLANs allowed on the trunk. For explanations about using the add, all, except, and remove keywords, see the command reference for this release.
  • Page 259: Configuring The Native Vlan For Untagged Traffic

    Step 5: show interfaces interface-id switchport. Verify your entries in the Pruning VLANs Enabled field of the display. Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file. To return to the default pruning-eligible list of all VLANs, use the no switchport trunk pruning vlan interface configuration command.
  • Page 260: Load Sharing Using Stp Port Priorities

    You configure load sharing on trunk ports by using STP port priorities or STP path costs. For load sharing using STP port priorities, both load-sharing links must be connected to the same switch. For load sharing using STP path costs, each load-sharing link can be connected to the same switch or to two different switches.
  • Page 261: Load Sharing Using Stp Path Cost

    Step 6: show vlan. Verify that the VLANs exist in the database on Switch A. Step 7: configure terminal. Enter global configuration mode. Step 8: interface gigabitethernet 0/1. Define the interface to be configured as a trunk, and enter interface configuration mode.
  • Page 262 [Figure 10-4 Load-Sharing Trunks with Traffic Distributed by Path Cost: Switch A, trunk port 1 and trunk port 2; VLANs 2 to 4 (path cost 30); VLANs 8 to 10 (path cost 30); VLANs 8 to...]
  • Page 263: Configuring Vmps

    Configuring VMPS: The VLAN Query Protocol (VQP) is used to support dynamic-access ports, which are not permanently assigned to a VLAN, but give VLAN assignments based on the MAC source addresses seen on the port. Each time an unknown MAC address is seen, the switch sends a VQP query to a remote VMPS;...
  • Page 264: Dynamic-Access Port Vlan Membership

    Dynamic-Access Port VLAN Membership: A dynamic-access port can belong to only one VLAN with an ID from 1 to 4094. When the link comes up, the switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment.
  • Page 265: Configuring The Vmps Client

    • Trunk ports cannot be dynamic-access ports, but you can enter the switchport access vlan dynamic interface configuration command for a trunk port. In this case, the switch retains the setting and applies it if the port is later configured as an access port. You must turn off trunking on the port before the dynamic-access setting takes effect.
  • Page 266: Reconfirming Vlan Memberships

    Beginning in privileged EXEC mode, follow these steps to configure a dynamic-access port on a VMPS client switch. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the switch port that is connected to the end station, and enter interface configuration mode.
  • Page 267: Changing The Retry Count

    To return the switch to its default setting, use the no vmps reconfirm global configuration command. Changing the Retry Count: Beginning in privileged EXEC mode, follow these steps to change the number of times that the switch attempts to contact the VMPS before querying the next server: Command Purpose...
  • Page 268: Troubleshooting Dynamic-Access Port Vlan Membership

    Troubleshooting Dynamic-Access Port VLAN Membership: The VMPS shuts down a dynamic-access port under these conditions: • The VMPS is in secure mode, and it does not allow the host to connect to the port. The VMPS shuts...
  • Page 269 [Figure 10-5 Dynamic Port VLAN Membership Configuration: TFTP server; Catalyst 6500 series switch A, primary VMPS server 1 (172.20.26.150); router; 172.20.22.7; client switch B (172.20.26.151) with a dynamic-access port to end station 1 and a trunk port; switch C, Catalyst 6500 series, secondary VMPS server 2 (172.20.26.152)...]
  • Page 270
  • Page 271: Chapter 11 Configuring Vtp

    Chapter 11: Configuring VTP. This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the switch. Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco Catalyst Blade Switch 3020 for HP Command Reference for this release.
  • Page 272: The Vtp Domain

    Chapter 11 Configuring VTP, Understanding VTP. These sections contain this conceptual information: • The VTP Domain, page 11-2 • VTP Modes, page 11-3 • VTP Advertisements, page 11-3 • VTP Version 2, page 11-4 • VTP Pruning, page 11-4. The VTP Domain: A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches under the same administrative responsibility sharing the same VTP domain name.
  • Page 273: Vtp Modes

    VTP Modes: You can configure a supported switch to be in one of the VTP modes listed in Table 11-1. Table 11-1 VTP Modes: VTP server: In VTP server mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as the VTP version) for the entire VTP domain.
  • Page 274: Vtp Version 2

    • MD5 digest • VLAN configuration, including maximum transmission unit (MTU) size for each VLAN • Frame format. VTP advertisements distribute this VLAN information for each configured VLAN: • VLAN IDs (ISL and IEEE 802.1Q) • VLAN name •...
  • Page 275 Figure 11-1 shows a switched network without VTP pruning enabled. Port 1 on Switch A and Port 2 on Switch D are assigned to the Red VLAN. If a broadcast is sent from the host connected to Switch A, Switch A floods the broadcast and every switch in the network receives it, even though Switches C, E, and F have no ports in the Red VLAN.
  • Page 276: Default Vtp Configuration

    See the “Enabling VTP Pruning” section on page 11-14. VTP pruning takes effect several seconds after you enable it. VTP pruning does not prune traffic from VLANs that are pruning-ineligible. VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs higher than 1005) are also pruning-ineligible.
  • Page 277: Vtp Configuration Options

    VTP Configuration Options: You can configure VTP by using these configuration modes: • VTP Configuration in Global Configuration Mode, page 11-7 • VTP Configuration in VLAN Database Configuration Mode, page 11-7. You access VLAN database configuration mode by entering the vlan database privileged EXEC command.
  • Page 278: Vtp Configuration Guidelines

    VTP Configuration Guidelines: These sections describe guidelines you should follow when implementing VTP in your network. Domain Names: When configuring VTP for the first time, you must always assign a domain name. You must configure all switches in the VTP domain with the same domain name.
  • Page 279: Configuration Requirements

    • Do not enable VTP Version 2 on a switch unless all of the switches in the same VTP domain are Version-2-capable. When you enable Version 2 on a switch, all of the Version-2-capable switches in the domain enable Version 2.
  • Page 280 This example shows how to use global configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:
    Switch# config terminal
    Switch(config)# vtp mode server
    Switch(config)# vtp domain eng_group
    Switch(config)# vtp password mypassword
    Switch(config)# end
    You can also use VLAN database configuration mode to configure VTP parameters.
  • Page 281: Configuring A Vtp Client

    Configuring a VTP Client: When a switch is in VTP client mode, you cannot change its VLAN configuration. The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly.
  • Page 282: Disabling Vtp (Vtp Transparent Mode)

    Disabling VTP (VTP Transparent Mode): When you configure the switch for VTP transparent mode, VTP is disabled on the switch. The switch does not send VTP updates and does not act on VTP updates received from other switches. However, a VTP transparent switch running VTP Version 2 does forward received VTP advertisements on its trunk links.
  • Page 283: Enabling Vtp Version 2

    Enabling VTP Version 2: VTP Version 2 is disabled by default on VTP Version 2-capable switches. When you enable VTP Version 2 on a switch, every VTP Version 2-capable switch in the VTP domain enables Version 2. You can only configure the version when the switches are in VTP server or transparent mode.
  • Page 284: Enabling Vtp Pruning

    Enabling VTP Pruning: Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode.
  • Page 285 Beginning in privileged EXEC mode, follow these steps to verify and reset the VTP configuration revision number on a switch before adding it to a VTP domain. Step 1: show vtp status. Check the VTP configuration revision number.
  • Page 286: Monitoring Vtp

    Monitoring VTP: You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 11-3 shows the privileged EXEC commands for monitoring VTP activity.
  • Page 287: Chapter 12 Configuring Voice Vlan

    Chapter 12: Configuring Voice VLAN. This chapter describes how to configure the voice VLAN feature on the switch. Voice VLAN is referred to as an auxiliary VLAN in some Catalyst 6500 family switch documentation. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 288: Cisco Ip Phone Voice Traffic

    Chapter 12 Configuring Voice VLAN, Understanding Voice VLAN. Figure 12-1 shows one way to connect a Cisco 7960 IP Phone. [Figure 12-1 Cisco 7960 IP Phone Connected to a Switch: Cisco IP Phone 7960 with phone ASIC and 3-port switch, connected to an access port] Cisco IP Phone Voice Traffic: You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.
  • Page 289: Configuring Voice Vlan

    Note: Untagged traffic from the device attached to the Cisco IP Phone passes through the phone unchanged, regardless of the trust state of the access port on the phone. Configuring Voice VLAN: These sections contain this configuration information: • Default Voice VLAN Configuration, page 12-3...
  • Page 290: Configuring A Port Connected To A Cisco 7960 Ip Phone

    – The Cisco IP Phone uses IEEE 802.1p frames, and the device uses untagged frames. – The Cisco IP Phone uses untagged frames, and the device uses IEEE 802.1p frames. – The Cisco IP Phone uses IEEE 802.1Q frames, and the voice VLAN is the same as the access...
  • Page 291 ...voice traffic a higher priority and forward all voice traffic through the native (access) VLAN. The Cisco IP Phone can also send untagged voice traffic or use its own configuration to send voice traffic in the access VLAN.
  • Page 292: Configuring The Priority Of Incoming Data Frames

    Configuring the Priority of Incoming Data Frames: You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in IEEE 802.1Q or IEEE 802.1p frames), you can configure the switch to send CDP packets to instruct the phone how to send data packets from the device attached to the access port on the Cisco IP Phone.
  • Page 293: Configuring Stp

    Chapter 13: Configuring STP. This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.
  • Page 294: Understanding Spanning-Tree Features

    Chapter 13 Configuring STP, Understanding Spanning-Tree Features. • Spanning-Tree Interoperability and Backward Compatibility, page 13-10 • STP and IEEE 802.1Q Trunks, page 13-10. For configuration information, see the “Configuring Spanning-Tree Features” section on page 13-10. For information about optional spanning-tree features, see Chapter 15, “Configuring Optional Spanning-Tree Features.”...
  • Page 295: Spanning-Tree Topology And Bpdus

    Spanning-Tree Topology and BPDUs: The stable, active spanning-tree topology of a switched network is controlled by these elements: • The unique bridge ID (switch priority and MAC address) associated with each VLAN on each...
  • Page 296: Bridge Id, Switch Priority, And Extended System Id

    Bridge ID, Switch Priority, and Extended System ID: The IEEE 802.1D standard requires that each switch has a unique bridge identifier (bridge ID), which controls the selection of the root switch. Because each VLAN is considered as a different logical bridge with PVST+ and rapid PVST+, the same switch must have a different bridge ID for each configured VLAN.
  • Page 297 An interface moves through these states: • From initialization to blocking • From blocking to listening or to disabled • From listening to learning or to disabled • From learning to forwarding or to disabled •...
  • Page 298: Blocking State

    Blocking State: A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each switch interface. A switch initially functions as the root until it exchanges BPDUs with other switches.
  • Page 299: Disabled State

    Disabled State: A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational. A disabled interface performs these functions: •...
  • Page 300: Spanning Tree And Redundant Connectivity

    Spanning Tree and Redundant Connectivity: You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices, as shown in Figure 13-3. Spanning tree automatically disables one interface but enables it if the other one fails.
  • Page 301: Spanning-Tree Modes And Protocols

    Because each VLAN is a separate spanning-tree instance, the switch accelerates aging on a per-VLAN basis. A spanning-tree reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging. Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch.
  • Page 302: Spanning-Tree Interoperability And Backward Compatibility

    Spanning-Tree Interoperability and Backward Compatibility: Table 13-2 lists the interoperability and compatibility among the supported spanning-tree modes in a network. Table 13-2 PVST+, MSTP, and Rapid-PVST+ Interoperability (columns: PVST+ | MSTP | Rapid PVST+). PVST+ row: ... | Yes (with restrictions) | Yes (reverts to PVST+). MSTP row: ...
  • Page 303: Default Spanning-Tree Configuration

    • Disabling Spanning Tree, page 13-14 (optional) • Configuring the Root Switch, page 13-14 (optional) • Configuring a Secondary Root Switch, page 13-16 (optional) • Configuring Port Priority, page 13-16 (optional) • Configuring Path Cost, page 13-18 (optional) •...
  • Page 304: Spanning-Tree Configuration Guidelines

    Spanning-Tree Configuration Guidelines: If more VLANs are defined in the VTP than there are spanning-tree instances, you can enable PVST+ or rapid PVST+ on only 128 VLANs on the switch. The remaining VLANs operate with spanning tree disabled.
  • Page 305: Changing The Spanning-Tree Mode

    Changing the Spanning-Tree Mode: The switch supports three spanning-tree modes: PVST+, rapid PVST+, or MSTP. By default, the switch runs the PVST+ protocol. Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. If you want to enable a mode that is different from the default mode, this procedure is required.
  • Page 306: Disabling Spanning Tree

    Disabling Spanning Tree: Spanning tree is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit specified in the “Supported Spanning-Tree Instances” section on page 13-9. Disable spanning tree only if you are sure there are no loops in the network topology.
  • Page 307 Note: The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root. Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).
  • Page 308: Configuring A Secondary Root Switch

    Configuring a Secondary Root Switch: When you configure a switch as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails.
  • Page 309 Beginning in privileged EXEC mode, follow these steps to configure the port priority of an interface. This procedure is optional. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify an interface to configure, and enter interface configuration mode.
  • Page 310: Configuring Path Cost

    Configuring Path Cost: The spanning-tree path cost default value is derived from the media speed of an interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.
  • Page 311: Configuring The Switch Priority Of A Vlan

    To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree path costs, see the “Configuring Trunk Ports for Load Sharing”...
  • Page 312: Configuring Spanning-Tree Timers

    Configuring Spanning-Tree Timers: Table 13-4 describes the timers that affect the entire spanning-tree performance. Table 13-4 Spanning-Tree Timers: Hello timer: Controls how often the switch broadcasts hello messages to other switches. Forward-delay timer: Controls how long each of the listening and learning states last before the interface begins forwarding.
  • Page 313: Configuring The Forwarding-Delay Time For A Vlan

    Configuring the Forwarding-Delay Time for a VLAN: Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional. Step 1: configure terminal. Enter global configuration mode.
  • Page 314: Configuring The Transmit Hold-Count

    Configuring the Transmit Hold-Count: You can configure the BPDU burst size by changing the transmit hold count value. Note: Changing this parameter to a higher value can have a significant impact on CPU utilization, especially in Rapid-PVST mode.
  • Page 315: Chapter 14 Configuring Mstp

    Chapter 14: Configuring MSTP. This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the switch. Note: The multiple spanning-tree (MST) implementation in Cisco IOS Release 12.2(25)SED is based on the IEEE 802.1s standard.
  • Page 316: Understanding Mstp

    Chapter 14 Configuring MSTP, Understanding MSTP. MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning-tree instances required to support a large number of VLANs.
  • Page 317: Ist, Cist, And Cst

    IST, CIST, and CST: Unlike PVST+ and rapid PVST+ in which all the spanning-tree instances are independent, the MSTP establishes and maintains two types of spanning trees: • An internal spanning tree (IST), which is the spanning tree that runs in an MST region. •...
  • Page 318: Operations Between Mst Regions

    For correct operation, all switches in the MST region must agree on the same CIST regional root. Therefore, any two switches in the region only synchronize their port roles for an MST instance if they converge to a common CIST regional root.
  • Page 319: Ieee 802.1S Terminology

    hello time, forward time, max-age, and max-hops) are configured only on the CST instance but affect all MST instances. Parameters related to the spanning-tree topology (for example, switch priority, port VLAN cost, and port VLAN priority) can be configured on both the CST instance and the MST instance. MSTP switches use Version 3 RSTP BPDUs or IEEE 802.1D STP BPDUs to communicate with legacy IEEE 802.1D switches.
  • Page 320: Boundary Ports

    maximum value. When a switch receives this BPDU, it decrements the received remaining hop count by one and propagates this value as the remaining hop count in the BPDUs it generates. When the count reaches zero, the switch discards the BPDU and ages the information held for the port.
  • Page 321: Port Role Naming Change

    Port Role Naming Change. The boundary role is no longer in the final MST standard, but this boundary concept is maintained in Cisco's implementation. However, an MST instance port at a boundary of the region might not follow the state of the corresponding CIST port.
  • Page 322: Detecting Unidirectional Link Failure

    Detecting Unidirectional Link Failure. This feature is not yet present in the IEEE MST standard, but it is included in this Cisco IOS release. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops.
  • Page 323: Port Roles And The Active Topology

    These sections describe how the RSTP works: • Port Roles and the Active Topology, page 14-9 • Rapid Convergence, page 14-10 • Synchronization of Port Roles, page 14-11 • Bridge Protocol Data Unit Format and Processing, page 14-12 • ...
  • Page 324: Rapid Convergence

    Rapid Convergence. The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN. It provides rapid convergence for edge ports, new root ports, and ports connected through point-to-point links as follows: • ...
  • Page 325: Synchronization Of Port Roles

    [Figure 14-4 Proposal and Agreement Handshaking for Rapid Convergence: Switch A, Switch B, and Switch C exchange proposal and agreement messages between designated and root switches; DP = designated port, RP = root port, F = forwarding.] Synchronization of Port Roles. When the switch receives a proposal message on one of its ports and that port is selected as the new root...
  • Page 326: Bridge Protocol Data Unit Format And Processing

    After ensuring that all of the ports are synchronized, the switch sends an agreement message to the designated switch corresponding to its root port. When the switches connected by a point-to-point link are in agreement about their port roles, the RSTP immediately transitions the port states to forwarding. The sequence of events is shown in Figure 14-5.
  • Page 327: Processing Superior Bpdu Information

    The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN. The port role in the proposal message is always set to the designated port. The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal.
  • Page 328: Configuring Mstp Features

    • Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them.
  • Page 329: Mstp Configuration Guidelines

    Table 14-4 Default MSTP Configuration (continued): Spanning-tree port priority (configurable on a per-CIST port basis): 128. Spanning-tree port cost (configurable on a per-CIST port basis): 1000 Mbps: 4; 100 Mbps: 19; 10 Mbps: 100.
  • Page 330: Specifying The Mst Region Configuration And Enabling Mstp

    • Partitioning the network into a large number of regions is not recommended. However, if this situation is unavoidable, we recommend that you partition the switched LAN into smaller LANs interconnected by routers or non-Layer 2 devices. • ...
  • Page 331: Configuring The Root Switch

    Step 9: Return to privileged EXEC mode. Step 10 show running-config: Verify your entries. Step 11 copy running-config startup-config: (Optional) Save your entries in the configuration file. To return to the default MST region configuration, use the no spanning-tree mst configuration global configuration command.
  • Page 332: Configuring A Secondary Root Switch

    The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root. Use the diameter keyword, which is available only for MST instance 0, to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).
  • Page 333: Configuring Port Priority

    You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command.
  • Page 334: Configuring Path Cost

    Beginning in privileged EXEC mode, follow these steps to configure the MSTP port priority of an interface. This procedure is optional. Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify an interface to configure, and enter interface configuration mode.
  • Page 335: Configuring The Switch Priority

    Beginning in privileged EXEC mode, follow these steps to configure the MSTP cost of an interface. This procedure is optional. Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify an interface to configure, and enter interface configuration mode.
  • Page 336: Configuring The Hello Time

    Beginning in privileged EXEC mode, follow these steps to configure the switch priority. This procedure is optional. Step 1 configure terminal: Enter global configuration mode. Step 2 spanning-tree mst instance-id priority priority: Configure the switch priority.
  • Page 337: Configuring The Forwarding-Delay Time

    Configuring the Forwarding-Delay Time. Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for all MST instances. This procedure is optional. Step 1 configure terminal: Enter global configuration mode. Step 2 spanning-tree mst forward-time seconds: Configure the forward time for all MST instances.
  • Page 338: Configuring The Maximum-Hop Count

    Configuring the Maximum-Hop Count. Beginning in privileged EXEC mode, follow these steps to configure the maximum-hop count for all MST instances. This procedure is optional. Step 1 configure terminal: Enter global configuration mode. Step 2 spanning-tree mst max-hops hop-count: Specify the number of hops in a region before the BPDU is...
  • Page 339: Designating The Neighbor Type

    Designating the Neighbor Type. A topology could contain both prestandard and IEEE 802.1s standard compliant devices. By default, ports can automatically detect prestandard devices, but they can still receive both standard and prestandard BPDUs. When there is a mismatch between a device and its neighbor, only the CIST runs on the interface.
  • Page 340: Displaying The Mst Configuration And Status

    Displaying the MST Configuration and Status. To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 14-5. Table 14-5 Commands for Displaying MST Status: show spanning-tree mst configuration...
  • Page 341: Understanding Optional Spanning-Tree Features

    Chapter 15 Configuring Optional Spanning-Tree Features. This chapter describes how to configure optional spanning-tree features on the switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+). You can configure only the noted features when your switch is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol.
  • Page 342: Understanding Port Fast

    Understanding Port Fast. Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. In Figure 15-1, Port Fast is configured on the interfaces that are connected to blade servers.
  • Page 343: Understanding Bpdu Filtering

    The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree.
  • Page 344 Chapter 15 Configuring Optional Spanning-Tree Features: [Figure 15-2 Switches in a Hierarchical Network: backbone switches (root bridge), distribution switches, and blade switches, with active and blocked links.] If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port.
  • Page 345: Understanding Backbonefast

    [Figure 15-3 UplinkFast Example Before Direct Link Failure: Switch A (Root), Switch B, and Switch C, with a blocked port on Switch C.] If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure...
  • Page 346 Chapter 15 Configuring Optional Spanning-Tree Features: The switch tries to find whether it has an alternate path to the root switch. If the inferior BPDU arrives on a blocked interface, the root port and other blocked interfaces on the switch become alternate paths to the root switch.
  • Page 347: Understanding Etherchannel Guard

    [Figure 15-6 BackboneFast Example After Indirect Link Failure: Switch A (Root), Switch B, and Switch C; after the link failure, BackboneFast changes the port through the listening and learning states to the forwarding state.] If a new switch is introduced into a shared-medium topology as shown in Figure 15-7, BackboneFast is not activated because the inferior BPDUs did not come from the recognized designated switch...
  • Page 348: Understanding Root Guard

    Understanding Root Guard. The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. In such a topology, the spanning tree can reconfigure itself and select a customer switch as the root switch, as shown in Figure 15-8.
  • Page 349: Configuring Optional Spanning-Tree Features

    Understanding Loop Guard. You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is enabled on the entire switched network.
  • Page 350: Optional Spanning-Tree Configuration Guidelines

    Optional Spanning-Tree Configuration Guidelines. You can configure PortFast, BPDU guard, BPDU filtering, EtherChannel guard, root guard, or loop guard if your switch is running PVST+, rapid PVST+, or MSTP. You can configure the UplinkFast or the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
  • Page 351: Enabling Bpdu Guard

    Note: You can use the spanning-tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking ports. To disable the Port Fast feature, use the spanning-tree portfast disable interface configuration command.
  • Page 352: Enabling Bpdu Filtering

    Enabling BPDU Filtering. When you globally enable BPDU filtering on Port Fast-enabled interfaces, it prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs.
  • Page 353: Enabling Uplinkfast For Use With Redundant Links

    Enabling UplinkFast for Use with Redundant Links. UplinkFast cannot be enabled on VLANs that have been configured with a switch priority. To enable UplinkFast on a VLAN with switch priority configured, first restore the switch priority on the VLAN to the default value by using the no spanning-tree vlan vlan-id priority global configuration command.
  • Page 354: Enabling Etherchannel Guard

    You can configure the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+. Beginning in privileged EXEC mode, follow these steps to enable BackboneFast. This procedure is optional.
  • Page 355: Enabling Root Guard

    Enabling Root Guard. Root guard enabled on an interface applies to all the VLANs to which the interface belongs. Do not enable the root guard on interfaces to be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure.
  • Page 356: Displaying The Spanning-Tree Status

    Step 3 spanning-tree loopguard default: Enable loop guard. By default, loop guard is disabled. Step 4: Return to privileged EXEC mode. Step 5 show running-config: Verify your entries. Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
  • Page 357: Flex Links

    Chapter 16 Configuring Flex Links and the MAC Address-Table Move Update Feature. This chapter describes how to configure Flex Links, a pair of interfaces on the switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature.
  • Page 358: Mac Address-Table Move Update

    only one of the interfaces is in the linkup state and forwarding traffic. If the primary link shuts down, the standby link starts forwarding traffic.
  • Page 359 Chapter 16 Configuring Flex Links and the MAC Address-Table Move Update Feature: You can configure the access switch, switch A, to send MAC address-table move update messages. You can also configure the uplink switches B, C, and D to get and process the MAC address-table move update messages.
  • Page 360: Configuring Flex Links And Mac Address-Table Move Update

    Configuring Flex Links and MAC Address-Table Move Update. These sections contain this information: • Configuration Guidelines, page 16-4 • Default Configuration, page 16-4 • ...
  • Page 361: Configuring Flex Links And Mac Address-Table Move Update

    Configuring Flex Links and MAC Address-Table Move Update. This section contains this information: • Configuring Flex Links, page 16-5 • Configuring the MAC Address-Table Move Update Feature, page 16-6 • ...
  • Page 362: Configuring The Mac Address-Table Move Update Feature

    Step 3 switchport backup interface interface-id: Configure a physical Layer 2 interface (or port channel) as part of a Flex Links pair with the interface. When one link is forwarding traffic, the other interface is in standby mode.
  • Page 363 Chapter 16 Configuring Flex Links and the MAC Address-Table Move Update Feature: Beginning in privileged EXEC mode, follow these steps to configure an access switch to send MAC address-table move updates: Step 1 configure terminal...
  • Page 364: Monitoring Flex Links And The Mac Address-Table Move Update

    Monitoring Flex Links and the MAC Address-Table Move Update (command output excerpt):
    Rcv invalid packet count : 0
    Rcv packet count this min : 0
    Rcv threshold exceed count : 0
    Rcv last sequence# this min : 0
    Rcv last interface : Po2
    Rcv last src-mac-address : 000b.462d.c502
    ...
  • Page 365: Understanding Dhcp Features

    Chapter 17 Configuring DHCP Features. This chapter describes how to configure DHCP snooping and the option-82 data insertion features on the switch. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release, and see the “DHCP Commands”...
  • Page 366: Dhcp Server

    DHCP Server. The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them. If the DHCP server cannot give the DHCP client the requested configuration parameters from its database, it forwards the request to one or more secondary DHCP servers defined by the network administrator.
  • Page 367: Option-82 Data Insertion

    The switch drops a DHCP packet when one of these situations occurs: • A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall. • A packet is received on an untrusted interface, and the source MAC address and the DHCP client ...
  • Page 368 Chapter 17 Configuring DHCP Features: Figure 17-1 is an example of a metropolitan Ethernet network in which a centralized DHCP server assigns IP addresses to subscribers connected to the switch at the access layer. Because the DHCP clients and their associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent (the Catalyst switch) is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.
  • Page 369 Chapter 17 Configuring DHCP Features: – Length of the suboption type – Remote-ID type – Length of the remote-ID type. In the port field of the circuit ID suboption, the port numbers start at 1. For example, on a Cisco Catalyst Blade Switch 3020 for HP, which has 24 ports, port 1 is the Gigabit Ethernet 0/1 port, port 2 is the Gigabit Ethernet 0/2 port, port 3 is the Gigabit Ethernet 0/3 port, and so on.
  • Page 370: Configuring Dhcp Features

    • Remote-ID suboption fields: – The remote-ID type is 1. – The length values are variable, depending on the length of the string that you configure. Circuit ID Suboption Frame Format (for user-configured string): Suboption Circuit type...
  • Page 371: Dhcp Snooping Configuration Guidelines

    Table 17-1 Default DHCP Configuration (continued): DHCP relay agent forwarding policy: Replace the existing relay agent information. DHCP snooping enabled globally: Disabled. DHCP snooping information option: Enabled. DHCP snooping option to accept packets on untrusted input interfaces: Disabled. DHCP snooping limit rate...
  • Page 372: Configuring The Dhcp Relay Agent

    • If a switch port is connected to a DHCP client, configure a port as untrusted by entering the no ip dhcp snooping trust interface configuration command. • Do not enter the ip dhcp snooping information option allow-untrusted command on an ...
  • Page 373 Chapter 17 Configuring DHCP Features: Step 5 ip dhcp snooping information option format remote-id [string ASCII-string | hostname]: (Optional) Configure the remote-ID suboption. You can configure the remote ID to be: • String of up to 63 ASCII characters (no spaces) ...
  • Page 374: Enabling The Cisco Ios Dhcp Server Database

    To disable DHCP snooping, use the no ip dhcp snooping global configuration command. To disable DHCP snooping on a VLAN or range of VLANs, use the no ip dhcp snooping vlan vlan-range global configuration command.
  • Page 375: Understanding Igmp Snooping

    Chapter 18 Configuring IGMP Snooping and MVR. This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on the switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action.
  • Page 376: Igmp Versions

    Note: For more information on IP multicast and IGMP, see RFC 1112 and RFC 2236. The multicast router sends out periodic general queries to all VLANs. All hosts interested in this multicast traffic send join requests and are added to the forwarding table entry.
  • Page 377: Joining A Multicast Group

    Note: IGMPv3 join and leave messages are not supported on switches running IGMP filtering or MVR. An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast (SSM) feature.
  • Page 378 Chapter 18 Configuring IGMP Snooping and MVR: Router A sends a general query to the switch, which forwards the query to ports 2 through 5, which are all members of the same VLAN. Blade Server 1 wants to join multicast group 224.1.2.3 and multicasts an IGMP membership report (IGMP join message) to the group.
  • Page 379: Leaving A Multicast Group

    Leaving a Multicast Group. The router sends periodic multicast general queries, and the switch forwards these queries through all ports in the VLAN. Interested blade servers respond to the queries. If at least one blade server in the VLAN wishes to receive multicast traffic, the router continues forwarding the multicast traffic to the VLAN.
  • Page 380: Igmp Report Suppression

    IGMP Report Suppression. Note: IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports. The switch uses IGMP report suppression to forward only one IGMP report per multicast router query to multicast devices.
  • Page 381: Enabling Or Disabling Igmp Snooping

    Table 18-3 Default IGMP Snooping Configuration (continued): Multicast router learning (snooping) method: PIM-DVMRP. IGMP snooping Immediate Leave: Disabled. Static groups: None configured. TCN flood query count: ... TCN query solicitation: Disabled. IGMP snooping querier: Disabled...
  • Page 382: Setting The Snooping Method

    Step 3: Return to privileged EXEC mode. Step 4 copy running-config startup-config: (Optional) Save your entries in the configuration file. To disable IGMP snooping on a VLAN interface, use the no ip igmp snooping vlan vlan-id global configuration command for the specified VLAN number.
  • Page 383: Configuring A Multicast Router Port

    To return to the default learning method, use the no ip igmp snooping vlan vlan-id mrouter learn cgmp global configuration command. This example shows how to configure IGMP snooping to use CGMP packets as the learning method:
    Switch# configure terminal
    Switch(config)# ip igmp snooping vlan 1 mrouter learn cgmp
    Switch(config)# end
    ...
  • Page 384: Enabling Igmp Immediate Leave

    Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast group: Step 1 configure terminal: Enter global configuration mode. Step 2 ip igmp snooping vlan vlan-id static ip_address: Statically configure a Layer 2 port as a member of a multicast...
  • Page 385: Configuring The Igmp Leave Timer

    To disable IGMP Immediate Leave on a VLAN, use the no ip igmp snooping vlan vlan-id immediate-leave global configuration command. This example shows how to enable IGMP Immediate Leave on VLAN 130:
    Switch# configure terminal
    Switch(config)# ip igmp snooping vlan 130 immediate-leave
    Switch(config)# end
    ...
  • Page 386: Controlling The Multicast Flooding Time After A Tcn Event

    Controlling the Multicast Flooding Time After a TCN Event. You can control the time that multicast traffic is flooded after a TCN event by using the ip igmp snooping tcn flood query count global configuration command. This command configures the number of general queries for which multicast data traffic is flooded after a TCN event.
  • Page 387: Disabling Multicast Flooding During A Tcn Event

    Step 4 show ip igmp snooping: Verify the TCN settings. Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file. To return to the default query solicitation, use the no ip igmp snooping tcn query solicit global configuration command.
  • Page 388 Chapter 18 Configuring IGMP Snooping and MVR: • When administratively enabled, the IGMP snooping querier moves to the nonquerier state if it detects the presence of a multicast router in the network. • When it is administratively enabled, the IGMP snooping querier moves to the operationally disabled ...
  • Page 389: Disabling Igmp Report Suppression

    This example shows how to set the IGMP snooping querier feature to version 2:
    Switch# configure terminal
    Switch(config)# no ip igmp snooping querier version 2
    Switch(config)# end
    Disabling IGMP Report Suppression. IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports.
  • Page 390 Chapter 18 Configuring IGMP Snooping and MVR: To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 18-4. Table 18-4 Commands for Displaying IGMP Snooping Information: show ip igmp snooping [vlan vlan-id]: Display the snooping configuration information for all VLANs on the switch or for a specified VLAN.
  • Page 391: Understanding Multicast Vlan Registration

    Understanding Multicast VLAN Registration. Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service-provider network (for example, the broadcast of multiple television channels over a service-provider network).
  • Page 392: Using Mvr In A Multicast Television Application

    Using MVR in a Multicast Television Application. In a multicast television application, a PC or a television with a set-top box can receive the multicast stream. Multiple set-top boxes or PCs can be connected to one subscriber port, which is a switch port configured as an MVR receiver port.
  • Page 393: Configuring Mvr

    When a subscriber changes channels or turns off the television, the set-top box sends an IGMP leave message for the multicast stream. The switch CPU sends a MAC-based general query through the receiver port VLAN.
  • Page 394: Mvr Configuration Guidelines And Limitations

    Table 18-5 Default MVR Configuration (continued): Interface (per port) default: Neither a receiver nor a source port. Immediate Leave: Disabled on all ports. MVR Configuration Guidelines and Limitations. Follow these guidelines when configuring MVR: • ...
  • Page 395: Configuring Mvr Interfaces

    Chapter 18 Configuring IGMP Snooping and MVR Configuring MVR Command Purpose Step 4 mvr querytime value (Optional) Define the maximum time to wait for IGMP report memberships on a receiver port before removing the port from multicast group membership. The value is in units of tenths of a second. The range is 1 to 100, and the default is 5 tenths or one-half second.
  • Page 396 Chapter 18 Configuring IGMP Snooping and MVR Configuring MVR Step 4 mvr type {source | receiver}: Configure an MVR port as one of these: • source—Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN.
  • Page 397: Displaying Mvr Information

    Chapter 18 Configuring IGMP Snooping and MVR Displaying MVR Information Displaying MVR Information You can display MVR information for the switch or for a specified interface. Beginning in privileged EXEC mode, use the commands in Table 18-6 to display MVR configuration: Table 18-6 Commands for Displaying MVR Information Command...
  • Page 398: Default Igmp Filtering And Throttling Configuration

    Chapter 18 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling IGMP filtering is applicable only to the dynamic learning of IP multicast group addresses, not static configuration. With the IGMP throttling feature, you can set the maximum number of IGMP groups that a Layer 2 interface can join.
  • Page 399: Applying Igmp Profiles

    Chapter 18 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling • permit: Specifies that matching addresses are permitted. • range: Specifies a range of IP addresses for the profile. You can enter a single IP address or a range •...
  • Page 400: Setting The Maximum Number Of Igmp Groups

    Chapter 18 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling Beginning in privileged EXEC mode, follow these steps to apply an IGMP profile to a switch port: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the physical interface, and enter interface configuration mode.
  • Page 401: Configuring The Igmp Throttling Action

    Chapter 18 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling To remove the maximum group limitation and return to the default of no maximum, use the no ip igmp max-groups interface configuration command. This example shows how to limit to 25 the number of IGMP groups that a port can join.
    Switch(config)# interface gigabitethernet0/2
    Switch(config-if)# ip igmp max-groups 25
    Switch(config-if)# end...
  • Page 402: Displaying Igmp Filtering And Throttling Configuration

    Chapter 18 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration Command Purpose Step 4 Return to privileged EXEC mode. Step 5 show running-config interface Verify the configuration. interface-id Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default action of dropping the report, use the no ip igmp max-groups action interface configuration command.
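The IGMP profile and throttling behaviour described above (permit or deny profiles with address ranges, ip igmp max-groups with the default action of dropping the report, and the replace action that evicts an existing entry) as an added Python model; this is editorial example code, not the switch's implementation and not taken from the guide. The profile number, port name, group addresses and the random choice of the evicted entry are assumptions made for illustration; the model is useful for checking what a given profile and limit would do to a set of reports before applying them to a port.

```python
"""Model of IGMP filtering profiles and the max-groups throttle on a Layer 2 port.

Added example (not the switch's code): a what-if helper for checking how a given
'ip igmp profile' and 'ip igmp max-groups' configuration would treat membership reports.
"""
import ipaddress
import random
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class IgmpProfile:
    """An 'ip igmp profile <number>' with a permit or deny action and address ranges."""
    number: int
    permit: bool = False   # IOS default is deny: matching addresses are blocked
    ranges: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = field(default_factory=list)

    def add_range(self, low: str, high: Optional[str] = None) -> None:
        """'range low [high]': a single address or an inclusive range."""
        lo = ipaddress.IPv4Address(low)
        hi = ipaddress.IPv4Address(high) if high else lo
        if hi < lo:
            raise ValueError("range end precedes range start")
        self.ranges.append((lo, hi))

    def allows(self, group: str) -> bool:
        """Permit profile: only matching groups pass; deny profile: matching groups are blocked."""
        addr = ipaddress.IPv4Address(group)
        matched = any(lo <= addr <= hi for lo, hi in self.ranges)
        return matched if self.permit else not matched


@dataclass
class ThrottledPort:
    """A Layer 2 port with an optional profile and an optional 'ip igmp max-groups' limit."""
    name: str
    profile: Optional[IgmpProfile] = None
    max_groups: Optional[int] = None   # None: no maximum (the default)
    replace: bool = False              # 'ip igmp max-groups action replace'; default action is deny
    groups: Set[str] = field(default_factory=set)

    def join(self, group: str, rng: Optional[random.Random] = None) -> str:
        """Process an IGMP membership report for `group` and return what the port did."""
        if not ipaddress.IPv4Address(group).is_multicast:
            return "ignored: not a multicast group address"
        if self.profile is not None and not self.profile.allows(group):
            return "dropped: denied by igmp profile %d" % self.profile.number
        if group in self.groups:
            return "refreshed: already a member"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if not self.replace:
                return "dropped: max-groups %d reached (action deny)" % self.max_groups
            # action replace: evict a randomly selected existing entry, then add the new one
            evicted = (rng or random).choice(sorted(self.groups))
            self.groups.remove(evicted)
            self.groups.add(group)
            return "replaced %s with %s" % (evicted, group)
        self.groups.add(group)
        return "joined"


def demo() -> List[str]:
    """Walk one port through the filter and the throttle; returns the decisions made."""
    profile = IgmpProfile(number=4, permit=True)       # assumed profile: permit 229.9.9.0/24 only
    profile.add_range("229.9.9.0", "229.9.9.255")
    port = ThrottledPort("GigabitEthernet0/2", profile=profile, max_groups=2)
    log = [port.join(g) for g in ("229.9.9.1", "239.1.1.1", "229.9.9.2", "229.9.9.3")]
    port.replace = True                                 # ip igmp max-groups action replace
    log.append(port.join("229.9.9.3", rng=random.Random(7)))
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The deny-default profile is the one to reach for on subscriber ports: list the groups that must never be joined and everything else passes, whereas a permit profile turns the port into an allow-list and silently drops any group you forgot to add.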
  • Page 403: Configuring Storm Control

    C H A P T E R Configuring Port-Based Traffic Control This chapter describes how to configure the port-based traffic control features on the switch. For complete syntax and usage information for the commands used in this chapter, see the command Note reference for this release.
  • Page 404 Chapter 19 Configuring Port-Based Traffic Control Configuring Storm Control Storm control uses one of these methods to measure traffic activity: • Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic • Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received...
  • Page 405: Default Storm Control Configuration

    Chapter 19 Configuring Port-Based Traffic Control Configuring Storm Control Default Storm Control Configuration By default, unicast, broadcast, and multicast storm control are disabled on the switch interfaces; that is, the suppression level is 100 percent. Configuring Storm Control and Threshold Levels You configure storm control on a port and enter the threshold level that you want to be used for a particular type of traffic.
  • Page 406 Chapter 19 Configuring Port-Based Traffic Control Configuring Storm Control Step 3 storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}: Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled. The keywords have these meanings: • For level, specify the rising threshold level for broadcast,...
  • Page 407: Configuring Protected Ports

    Chapter 19 Configuring Port-Based Traffic Control Configuring Protected Ports Step 6 show storm-control [interface-id] [broadcast | multicast | unicast]: Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed.
  • Page 408: Default Protected Port Configuration

    Chapter 19 Configuring Port-Based Traffic Control Configuring Port Blocking Default Protected Port Configuration The default is to have no protected ports defined. Protected Port Configuration Guidelines You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5).
  • Page 409: Default Port Blocking Configuration

    Chapter 19 Configuring Port-Based Traffic Control Configuring Port Security Default Port Blocking Configuration The default is to not block flooding of unknown multicast and unicast traffic out of a port, but to flood these packets to all ports. Blocking Flooded Traffic on an Interface The interface can be a physical interface or an EtherChannel group.
  • Page 410: Understanding Port Security

    Chapter 19 Configuring Port-Based Traffic Control Configuring Port Security These sections contain this conceptual and configuration information: • Understanding Port Security, page 19-8 • Default Port Security Configuration, page 19-10 • Port Security Configuration Guidelines, page 19-10 • Enabling and Configuring Port Security, page 19-11 •...
  • Page 411: Security Violations

    Chapter 19 Configuring Port-Based Traffic Control Configuring Port Security The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.
  • Page 412: Default Port Security Configuration

    Chapter 19 Configuring Port-Based Traffic Control Configuring Port Security Default Port Security Configuration Table 19-2 shows the default port security configuration for an interface. Table 19-2 Default Port Security Configuration: Port security: Disabled on a port. Sticky address learning: Disabled.
  • Page 413: Enabling And Configuring Port Security

    Chapter 19 Configuring Port-Based Traffic Control Configuring Port Security Table 19-3 summarizes port security compatibility with other port-based features. Table 19-3 Port Security Compatibility with Other Switch Features Type of Port or Feature on Port Compatible with Port Security port Trunk port Dynamic-access port SPAN source port...
  • Page 414 Chapter 19 Configuring Port-Based Traffic Control Configuring Port Security Step 6 switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]]: (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system.
  • Page 415 Chapter 19 Configuring Port-Based Traffic Control Configuring Port Security Step 8 switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]]: (Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
  • Page 416 Chapter 19 Configuring Port-Based Traffic Control Configuring Port Security To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table.
  • Page 417: Enabling And Configuring Port Security Aging

    Chapter 19 Configuring Port-Based Traffic Control Configuring Port Security
    Switch(config-if)# switchport port-security mac-address 0000.0000.0003
    Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
    Switch(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice
    Switch(config-if)# switchport port-security maximum 10 vlan access
    Switch(config-if)# switchport port-security maximum 10 vlan voice
    Enabling and Configuring Port Security Aging You can use port security aging to set the aging time for all secure addresses on a port.
  • Page 418: Displaying Port-Based Traffic Control Settings

    Chapter 19 Configuring Port-Based Traffic Control Displaying Port-Based Traffic Control Settings To disable port security aging for all secure addresses on a port, use the no switchport port-security aging time interface configuration command. To disable aging for only statically configured secure addresses, use the no switchport port-security aging static interface configuration command.
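A configuration audit for the port-based controls this chapter covers, storm control (pages 404 to 406) and port security (pages 410 to 418), as an added Python example; it is editorial code, not Cisco tooling, and the running-config text it parses is constructed for illustration. The rules encode the defaults the chapter states (port security and sticky learning disabled, suppression level 100 percent) plus an assumed site limit of 10 secure addresses per access port; trunk ports are skipped on the assumption that uplinks follow a separate policy.

```python
"""Audit 'show running-config' output for the port-based traffic controls in this chapter:
port security on access ports and broadcast storm control.

Added example (editorial, not Cisco tooling). The running-config text below is constructed
for illustration; the policy limit is an assumption, not a switch default.
"""
import re
from typing import Dict, List

# Constructed sample of 'show running-config' interface stanzas (not from a real switch).
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 storm-control broadcast level 20.00
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
!
interface GigabitEthernet0/3
 switchport mode access
 storm-control broadcast level 20.00
!
interface GigabitEthernet0/17
 description uplink to core
 switchport mode trunk
!
"""

MAX_SECURE_ADDRESSES = 10   # assumed site policy for access ports; not a switch default


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split running-config text into {interface name: [interface sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None            # '!' or a global command closes the stanza
    return interfaces


def audit_port(cmds: List[str], max_secure: int = MAX_SECURE_ADDRESSES) -> List[str]:
    """Return findings for one access port; trunks are left to a separate uplink policy."""
    if "switchport mode access" not in cmds:
        return []
    findings: List[str] = []
    if "switchport port-security" not in cmds:
        # Table 19-2: port security is disabled by default, so any MAC may attach
        findings.append("port security disabled (default)")
    else:
        for cmd in cmds:
            m = re.fullmatch(r"switchport port-security maximum (\d+)", cmd)
            if m and int(m.group(1)) > max_secure:
                findings.append("port-security maximum %s exceeds policy limit %d"
                                % (m.group(1), max_secure))
        if not any(cmd.startswith("switchport port-security mac-address sticky") for cmd in cmds):
            findings.append("sticky learning not enabled (default); dynamically learned "
                            "secure addresses are not retained across a restart")
    if not any(cmd.startswith("storm-control broadcast") for cmd in cmds):
        # default suppression level is 100 percent, i.e. storm control is off
        findings.append("no broadcast storm control (default suppression level 100 percent)")
    return findings


def audit(config: str, max_secure: int = MAX_SECURE_ADDRESSES) -> Dict[str, List[str]]:
    """Findings per interface, omitting interfaces with nothing to report."""
    report: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        findings = audit_port(cmds, max_secure)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RUNNING_CONFIG).items():
        for finding in findings:
            print("%s: %s" % (name, finding))
```

Feed it the output of show running-config captured over an authenticated session; because it keys on the exact sub-command text the switch prints, run it against a copy from the same IOS release the policy was written for.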
  • Page 419: Chapter 20 Configuring Cdp

    C H A P T E R Configuring CDP This chapter describes how to configure Cisco Discovery Protocol (CDP) on the switch. For complete syntax and usage information for the commands used in this chapter, see the command Note reference for this release and the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 420: Configuring Cdp

    Chapter 20 Configuring CDP Configuring CDP Configuring CDP These sections contain this configuration information: • Default CDP Configuration, page 20-2 • Configuring the CDP Characteristics, page 20-2 • Disabling and Enabling CDP, page 20-3 • Disabling and Enabling CDP on an Interface, page 20-4 Default CDP Configuration Table 20-1 shows the default CDP configuration.
  • Page 421: Disabling And Enabling Cdp

    Chapter 20 Configuring CDP Configuring CDP Command Purpose Step 6 show cdp Verify your settings. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no form of the CDP commands to return to the default settings. This example shows how to configure CDP characteristics.
  • Page 422: Disabling And Enabling Cdp On An Interface

    Chapter 20 Configuring CDP Monitoring and Maintaining CDP Disabling and Enabling CDP on an Interface CDP is enabled by default on all supported interfaces to send and to receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on a port: Command Purpose Step 1...
  • Page 423 Chapter 20 Configuring CDP Monitoring and Maintaining CDP show cdp entry entry-name [protocol version]: Display information about a specific neighbor. You can enter an asterisk (*) to display all CDP neighbors, or you can enter the name of the neighbor about which you want information. You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device.
  • Page 424 Chapter 20 Configuring CDP Monitoring and Maintaining CDP Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide 20-6 OL-8915-01...
  • Page 425: Chapter 21 Configuring Udld

    C H A P T E R Configuring UDLD This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the switch. For complete syntax and usage information for the commands used in this chapter, see the command Note reference for this release.
  • Page 426: Methods To Detect Unidirectional Links

    Chapter 21 Configuring UDLD Understanding UDLD In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection. If the ports are connected correctly but the traffic is one way, UDLD does not detect the unidirectional link because the Layer 1 mechanism, which is supposed to detect this condition, does not do so.
  • Page 427: Configuring Udld

    Chapter 21 Configuring UDLD Configuring UDLD If the detection window ends and no valid reply message is received, the link might shut down, depending on the UDLD mode. When UDLD is in normal mode, the link might be considered undetermined and might not be shut down. When UDLD is in aggressive mode, the link is considered unidirectional, and the port is disabled.
  • Page 428: Default Udld Configuration

    Chapter 21 Configuring UDLD Configuring UDLD Default UDLD Configuration Table 21-1 shows the default UDLD configuration. Table 21-1 Default UDLD Configuration: UDLD global enable state: Globally disabled; UDLD per-port enable state for fiber-optic media: Disabled on all Ethernet fiber-optic ports; UDLD per-port enable state for twisted-pair (copper) media: Disabled on all Ethernet 10/100 and 1000BASE ports; UDLD aggressive mode...
  • Page 429: Enabling Udld Globally

    Chapter 21 Configuring UDLD Configuring UDLD Enabling UDLD Globally Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch: Command Purpose Step 1...
  • Page 430: Resetting An Interface Disabled By Udld

    Chapter 21 Configuring UDLD Displaying UDLD Status Step 3 udld port [aggressive]: UDLD is disabled by default. • udld port—Enables UDLD in normal mode on the specified port. • udld port aggressive—Enables UDLD in aggressive mode on the specified port.
  • Page 431: Chapter 22 Configuring Span And Rspan

    C H A P T E R Configuring SPAN and RSPAN This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the switch. For complete syntax and usage information for the commands used in this chapter, see the command Note reference for this release.
  • Page 432: Local Span

    Chapter 22 Configuring SPAN and RSPAN Understanding SPAN and RSPAN These sections contain this conceptual information: • Local SPAN, page 22-2 • Remote SPAN, page 22-2 • SPAN and RSPAN Concepts and Terminology, page 22-3 • SPAN and RSPAN Interaction with Other Features, page 22-8 •...
  • Page 433: Span And Rspan Concepts And Terminology

    Chapter 22 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Figure 22-2 Example of RSPAN Configuration (figure: RSPAN source session A on Switch A and RSPAN source session B on Switch B carry mirrored traffic over the RSPAN VLAN through intermediate switches, which must support the RSPAN VLAN, to the RSPAN destination session and RSPAN destination ports on Switch C)...
  • Page 434: Monitored Traffic

    Chapter 22 Configuring SPAN and RSPAN Understanding SPAN and RSPAN An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed over normal trunk ports to the destination switch.
  • Page 435: Source Ports

    Chapter 22 Configuring SPAN and RSPAN Understanding SPAN and RSPAN • Transmit (Tx) SPAN—The goal of transmit (or egress) SPAN is to monitor as much as possible all the packets sent by the source interface after all modification and processing is performed by the switch.
  • Page 436: Source Vlans

    Chapter 22 Configuring SPAN and RSPAN Understanding SPAN and RSPAN • It can be an access port, trunk port, or voice VLAN port. • It cannot be a destination port. • Source ports can be in the same or different VLANs. •...
  • Page 437: Rspan Vlan

    Chapter 22 Configuring SPAN and RSPAN Understanding SPAN and RSPAN A destination port has these characteristics: • For a local SPAN session, the destination port must reside on the same switch as the source port. For an RSPAN session, it is located on the switch containing the RSPAN destination session. There is no destination port on a switch running only an RSPAN source session.
  • Page 438: Span And Rspan Interaction With Other Features

    Chapter 22 Configuring SPAN and RSPAN Understanding SPAN and RSPAN For VLANs 1 to 1005 that are visible to VLAN Trunking Protocol (VTP), the VLAN ID and its associated RSPAN characteristic are propagated by VTP. If you assign an RSPAN VLAN ID in the extended VLAN range (1006 to 4094), you must manually configure all intermediate switches.
  • Page 439: Configuring Span And Rspan

    Chapter 22 Configuring SPAN and RSPAN Configuring SPAN and RSPAN • An IEEE 802.1x port can be a SPAN source port. You can enable IEEE 802.1x on a port that is a SPAN destination port; however, IEEE 802.1x is disabled until the port is removed as a SPAN destination.
  • Page 440: Span Configuration Guidelines

    Chapter 22 Configuring SPAN and RSPAN Configuring SPAN and RSPAN SPAN Configuration Guidelines Follow these guidelines when configuring SPAN: • For SPAN sources, you can monitor traffic for a single port or VLAN or a series or range of ports or VLANs for each session.
  • Page 441 Chapter 22 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Step 3 monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]: Specify the SPAN session and the source port (monitored port). For session_number, the range is 1 to 66. For interface-id, specify the source port or source VLAN to monitor.
  • Page 442 Chapter 22 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Command Purpose Step 6 show monitor [session session_number] Verify the configuration. show running-config Step 7 copy running-config startup-config (Optional) Save the configuration in the configuration file. To delete a SPAN session, use the no monitor session session_number global configuration command. To remove a source or destination port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command or the no monitor session session_number destination interface interface-id global configuration command.
  • Page 443: Creating A Local Span Session And Configuring Incoming Traffic

    Chapter 22 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Creating a Local SPAN Session and Configuring Incoming Traffic Beginning in privileged EXEC mode, follow these steps to create a SPAN session, to specify the source ports or VLANs and the destination ports, and to enable incoming traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance).
  • Page 444: Specifying Vlans To Filter

    Chapter 22 Configuring SPAN and RSPAN Configuring SPAN and RSPAN To delete a SPAN session, use the no monitor session session_number global configuration command. To remove a source or destination port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command or the no monitor session session_number destination interface interface-id global configuration command.
  • Page 445: Configuring Rspan

    Chapter 22 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Step 5 monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}: Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3. For interface-id, specify the destination port.
  • Page 446: Configuring A Vlan As An Rspan Vlan

    Chapter 22 Configuring SPAN and RSPAN Configuring SPAN and RSPAN • You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets. Specify these ACLs on the RSPAN VLAN in the RSPAN source switches. • For RSPAN configuration, you can distribute the source ports and the destination ports across...
  • Page 447: Creating An Rspan Source Session

    Chapter 22 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Beginning in privileged EXEC mode, follow these steps to create an RSPAN VLAN: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vlan vlan-id Enter a VLAN ID to create a VLAN, or enter the VLAN ID of an existing VLAN, and enter VLAN configuration mode.
  • Page 448 Chapter 22 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Step 3 monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]: Specify the RSPAN session and the source port (monitored port). For session_number, the range is 1 to 66. Enter a source port or source VLAN for the RSPAN session: For interface-id, specify the source port to monitor.
  • Page 449: Creating An Rspan Destination Session

    Chapter 22 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Creating an RSPAN Destination Session You configure the RSPAN destination session on a different switch; that is, not the switch on which the source session was configured. Beginning in privileged EXEC mode, follow these steps to define the RSPAN VLAN on that switch, to create an RSPAN destination session, and to specify the source RSPAN VLAN and the destination port: Command Purpose...
  • Page 450: Creating An Rspan Destination Session And Configuring Incoming Traffic

    Chapter 22 Configuring SPAN and RSPAN Configuring SPAN and RSPAN This example shows how to configure VLAN 901 as the source remote VLAN and port 1 as the destination interface:
    Switch(config)# monitor session 1 source remote vlan 901
    Switch(config)# monitor session 1 destination interface gigabitethernet0/1
    Switch(config)# end
    Creating an RSPAN Destination Session and Configuring Incoming Traffic Beginning in privileged EXEC mode, follow these steps to create an RSPAN destination session, to...
  • Page 451 Chapter 22 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Step 4 monitor session session_number destination {interface interface-id [, | -] [ingress {dot1q vlan vlan-id | isl | untagged ...: Specify the SPAN session, the destination port, the packet encapsulation, and the incoming VLAN and encapsulation. For session_number, enter the session number you used for the source remote VLAN.
  • Page 452: Specifying Vlans To Filter

    Chapter 22 Configuring SPAN and RSPAN Configuring SPAN and RSPAN Specifying VLANs to Filter Beginning in privileged EXEC mode, follow these steps to configure the RSPAN source session to limit RSPAN source traffic to specific VLANs: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 453: Displaying Span And Rspan Status

    Chapter 22 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status Displaying SPAN and RSPAN Status To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
  • Page 455: Chapter 23 Configuring Rmon

    C H A P T E R Configuring RMON This chapter describes how to configure Remote Network Monitoring (RMON) on the switch. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information.
  • Page 456: Configuring Rmon

    Chapter 23 Configuring RMON Configuring RMON Figure 23-1 Remote Monitoring Example (figure: a network management station with a generic RMON console application monitors two blade switches, each serving blade servers, with RMON history and statistic collection enabled, RMON alarms and events configured, and SNMP configured). The switch supports these RMON groups (defined in RFC 1757): •...
  • Page 457: Default Rmon Configuration

    Chapter 23 Configuring RMON Configuring RMON Default RMON Configuration RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch. Configuring RMON Alarms and Events You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station.
  • Page 458 Chapter 23 Configuring RMON Configuring RMON Step 3 rmon event number [description string] [log] [owner string] [trap community]: Add an event in the RMON event table that is associated with an RMON event number. • For number, assign an event number. The range...
  • Page 459: Collecting Group History Statistics On An Interface

    Chapter 23 Configuring RMON Configuring RMON Collecting Group History Statistics on an Interface You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface. This procedure is optional.
  • Page 460: Displaying Rmon Status

    Chapter 23 Configuring RMON Displaying RMON Status Step 3 rmon collection stats index [owner ownername]: Enable RMON statistic collection on the interface. • For index, specify the RMON group of statistics. The range is from 1 to 65535. • (Optional) For owner ownername, enter the name of the...
  • Page 461: Chapter 24 Configuring System Message Logging

    C H A P T E R Configuring System Message Logging This chapter describes how to configure system message logging on the switch. For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Note Configuration Fundamentals Command Reference, Release 12.2.
  • Page 462: Configuring System Message Logging

    Chapter 24 Configuring System Message Logging Configuring System Message Logging Configuring System Message Logging These sections contain this configuration information: • System Log Message Format, page 24-2 • Default System Message Logging Configuration, page 24-3 • Disabling Message Logging, page 24-3 (optional) •...
  • Page 463: Default System Message Logging Configuration

    Chapter 24 Configuring System Message Logging Configuring System Message Logging Table 24-1 System Log Message Elements (continued): MNEMONIC: Text string that uniquely describes the message. description: Text string containing detailed information about the event being reported. This example shows a partial switch system message:
    00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
    00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
    00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up...
  • Page 464: Setting The Message Display Destination Device

    Chapter 24 Configuring System Message Logging Configuring System Message Logging Beginning in privileged EXEC mode, follow these steps to disable message logging. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no logging console Disable message logging.
  • Page 465: Synchronizing Log Messages

    Chapter 24 Configuring System Message Logging Configuring System Message Logging Command Purpose Step 3 logging host Log messages to a UNIX syslog server host. For host, specify the name or IP address of the host to be used as the syslog server.
  • Page 466 Chapter 24 Configuring System Message Logging Configuring System Message Logging is returned. Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt. Beginning in privileged EXEC mode, follow these steps to configure synchronous logging.
  • Page 467: Enabling And Disabling Time Stamps On Log Messages

    Chapter 24 Configuring System Message Logging Configuring System Message Logging Enabling and Disabling Time Stamps on Log Messages By default, log messages are not time-stamped. Beginning in privileged EXEC mode, follow these steps to enable time-stamping of log messages. This procedure is optional.
  • Page 468: Defining The Message Severity Level

    Chapter 24 Configuring System Message Logging Configuring System Message Logging To disable sequence numbers, use the no service sequence-numbers global configuration command. This example shows part of a logging display with sequence numbers enabled:
    000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
    Defining the Message Severity Level You can limit messages displayed to the selected device by specifying the severity level of the message; the levels are described in...
  • Page 469: Limiting Syslog Messages Sent To The History Table And To Snmp

    Chapter 24 Configuring System Message Logging Configuring System Message Logging Table 24-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level. Table 24-3 Message Logging Level Keywords Level Keyword Level Description...
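The message format, sequence numbers and severity levels described on these pages, put to work in an added Python example that parses a captured log buffer and pulls out what a security reviewer looks for first: messages at or above a chosen severity, configuration changes (%SYS-5-CONFIG_I) and gaps in the sequence numbers that indicate lost messages. This is editorial code, not from the guide; the two %LINK-3-UPDOWN lines and the %SYS-5-CONFIG_I line are the ones the guide shows, while the sequence numbers attached to them, the port-security violation line and the stray CLI prompt are constructed to exercise the parser.

```python
"""Parse Cisco IOS system messages and review them for security-relevant events.

Added example (editorial code, not part of the configuration guide). It understands the
format this chapter describes, seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: description,
with the sequence number and the time stamp each optional, because 'service sequence-numbers'
and 'service timestamps' are configured separately.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Level keywords from Table 24-3, most to least severe.
SEVERITY_KEYWORDS = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

MESSAGE_RE = re.compile(
    r"^(?P<prefix>.*?)%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<description>.*)$"
)
SEQUENCE_RE = re.compile(r"^(\d{6}):")   # 'service sequence-numbers' prepends a six-digit counter


class LogMessage(NamedTuple):
    seq: Optional[int]
    timestamp: str          # empty when time stamps are disabled (the default)
    facility: str
    severity: int
    mnemonic: str
    description: str


def parse_line(line: str) -> Optional[LogMessage]:
    """Return the parsed message, or None for text that is not an IOS system message."""
    m = MESSAGE_RE.match(line.strip())
    if m is None:
        return None
    prefix = m.group("prefix").strip()
    seq = None
    sm = SEQUENCE_RE.match(prefix)
    if sm:
        seq = int(sm.group(1))
        prefix = prefix[sm.end():].strip()
    timestamp = prefix.rstrip(":").strip()
    return LogMessage(seq, timestamp, m.group("facility"), int(m.group("severity")),
                      m.group("mnemonic"), m.group("description"))


def review(lines: List[str], alert_level: int = 3
           ) -> Tuple[List[LogMessage], List[LogMessage], List[Tuple[int, int]]]:
    """Return (messages at or above alert_level, configuration changes, sequence-number gaps).

    A jump between consecutive sequence numbers means messages went missing between the
    switch and this reader (rate limiting, a dropped syslog datagram, or tampering); that is
    what sequence numbers let you notice.
    """
    alerts: List[LogMessage] = []
    changes: List[LogMessage] = []
    gaps: List[Tuple[int, int]] = []
    last_seq: Optional[int] = None
    for line in lines:
        msg = parse_line(line)
        if msg is None:
            continue
        if msg.seq is not None:
            if last_seq is not None and msg.seq > last_seq + 1:
                gaps.append((last_seq, msg.seq))
            last_seq = msg.seq
        if msg.severity <= alert_level:          # lower number = more severe
            alerts.append(msg)
        if msg.facility == "SYS" and msg.mnemonic == "CONFIG_I":
            changes.append(msg)                  # someone changed the running configuration
    return alerts, changes, gaps


# Constructed sample buffer: the messages shown in this chapter plus invented lines
# (the sequence numbers, the PORT_SECURITY line and the CLI prompt are not from the guide).
SAMPLE_LOG = """\
000017: 00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
000018: 00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
000022: 00:05:12: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.0099 on port GigabitEthernet0/2.
Switch# show logging
""".splitlines()


if __name__ == "__main__":
    alerts, changes, gaps = review(SAMPLE_LOG)
    for msg in alerts:
        print("%-13s seq=%s %s-%d-%s: %s" % (SEVERITY_KEYWORDS[msg.severity], msg.seq,
                                             msg.facility, msg.severity, msg.mnemonic, msg.description))
    for msg in changes:
        print("config change: %s" % msg.description)
    for lo, hi in gaps:
        print("sequence gap: %06d -> %06d" % (lo, hi))
```

Enable service sequence-numbers and service timestamps log datetime on the switch before relying on the gap and time fields; without the former every message parses with seq None and no gaps can be detected.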
  • Page 470: Configuring Unix Syslog Servers

    Chapter 24 Configuring System Message Logging Configuring System Message Logging Command Purpose Step 3 logging history size number Specify the number of syslog messages that can be stored in the history table. The default is to store one message. The range is 0 to 500 messages. Step 4 Return to privileged EXEC mode.
  • Page 471: Configuring The Unix System Logging Facility

    Chapter 24 Configuring System Message Logging Configuring System Message Logging Step 3 Make sure the syslog daemon reads the new changes:
    $ kill -HUP `cat /etc/syslog.pid`
    For more information, see the man syslog.conf and man syslogd commands on your UNIX system. Configuring the UNIX System Logging Facility When sending system log messages to an external device, you can cause the switch to identify its messages as originating from any of the UNIX syslog facilities.
  • Page 472: Displaying The Logging Configuration

    Chapter 24 Configuring System Message Logging Displaying the Logging Configuration Table 24-4 Logging Facility-Type Keywords (continued): mail: Mail system; news: USENET news; sys9-14: System use; syslog: System log; user: User process; uucp: UNIX-to-UNIX copy system. Displaying the Logging Configuration To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command.
  • Page 473: Understanding Snmp

    C H A P T E R Configuring SNMP This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the switch. For complete syntax and usage information for the commands used in this chapter, see the command Note reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 474: Snmp Versions

    Chapter 25 Configuring SNMP Understanding SNMP • Using SNMP to Access MIB Variables, page 25-4 • SNMP Notifications, page 25-5 • SNMP ifIndex MIB Object Values, page 25-5 SNMP Versions This software release supports these SNMP versions: • SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in...
  • Page 475: Snmp Manager Functions

    Chapter 25 Configuring SNMP Understanding SNMP Table 25-1 identifies the characteristics of the different combinations of security models and levels. Table 25-1 SNMP Security Models and Levels (Model / Level / Authentication / Encryption / Result): SNMPv1 / noAuthNoPriv / Community string / No / Uses a community string match for authentication. SNMPv2C / noAuthNoPriv / Community string / No /...
  • Page 476: Snmp Agent Functions

    Chapter 25 Configuring SNMP Understanding SNMP SNMP Agent Functions The SNMP agent responds to SNMP manager requests as follows: • Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value. • Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.
  • Page 477: Snmp Notifications

    Chapter 25 Configuring SNMP Understanding SNMP SNMP Notifications SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests. In command syntax, unless there is an option in the command to select either traps or informs, the keyword traps refers to either traps or informs, or both.
  • Page 478: Configuring Snmp

    Chapter 25 Configuring SNMP Configuring SNMP Configuring SNMP These sections contain this configuration information: • Default SNMP Configuration, page 25-6 • SNMP Configuration Guidelines, page 25-6 • Disabling the SNMP Agent, page 25-7 • Configuring Community Strings, page 25-8 • Configuring SNMP Groups and Users, page 25-9...
  • Page 479: Disabling The Snmp Agent

    Chapter 25 Configuring SNMP Configuring SNMP When configuring SNMP, follow these guidelines: • When configuring an SNMP group, do not specify a notify view. The snmp-server host global configuration command autogenerates a notify view for the user and then adds it to the group associated with that user.
  • Page 480: Configuring Community Strings

    Chapter 25 Configuring SNMP Configuring SNMP Configuring Community Strings You use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the switch. Optionally, you can specify one or more of these characteristics associated with the string: •...
  • Page 481: Configuring Snmp Groups And Users

    Chapter 25 Configuring SNMP Configuring SNMP Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Note To disable access for an SNMP community, set the community string for that community to the null string (do not enter a value for the community string).
  • Page 482 Chapter 25 Configuring SNMP Configuring SNMP Command Purpose Step 3 snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] Configure a new SNMP group on the remote device. • For groupname, specify the name of the group...
  • Page 483: Configuring Snmp Notifications

    Chapter 25 Configuring SNMP Configuring SNMP Command Purpose Step 4 snmp-server user username groupname {remote host [udp-port port]} {v1 [access... Add a new user for an SNMP group. • The username is the name of the user on the host that connects...
  • Page 484 Chapter 25 Configuring SNMP Configuring SNMP Table 25-5 Switch Notification Types (continued) Notification Type Keyword Description config-copy Generates a trap for SNMP copy configuration changes. entity Generates a trap for SNMP entity changes. envmon Generates environmental monitor traps. You can enable any or all of these environmental traps: fan, shutdown, status, supply, temperature.
  • Page 485 Chapter 25 Configuring SNMP Configuring SNMP Beginning in privileged EXEC mode, follow these steps to configure the switch to send traps or informs to a host: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server engineID remote Specify the engine ID for the remote host.
  • Page 486: Setting The Agent Contact And Location Information

    Chapter 25 Configuring SNMP Configuring SNMP Command Purpose Step 9 snmp-server trap-timeout seconds (Optional) Define how often to resend trap messages. The range is 1 to 1000; the default is 30 seconds. Step 10 Return to privileged EXEC mode. Step 11 show running-config Verify your entries.
  • Page 487: Limiting Tftp Servers Used Through Snmp

    Chapter 25 Configuring SNMP Configuring SNMP Limiting TFTP Servers Used Through SNMP Beginning in privileged EXEC mode, follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list: Command Purpose Step 1...
  • Page 488: Displaying Snmp Status

    Chapter 25 Configuring SNMP Displaying SNMP Status This example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.
  • Page 489: Chapter 26 Configuring Network Security With Acls

    C H A P T E R Configuring Network Security with ACLs This chapter describes how to configure network security on the switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists. Information in this chapter about IP ACLs is specific to IP Version 4 (IPv4).
  • Page 490: Supported Acls

    Chapter 26 Configuring Network Security with ACLs Understanding ACLs You configure access lists on a switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked.
  • Page 491: Port Acls

    Chapter 26 Configuring Network Security with ACLs Understanding ACLs Port ACLs Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on physical interfaces and not on EtherChannel interfaces and can be applied only on interfaces in the inbound direction.
  • Page 492: Vlan Maps

    Chapter 26 Configuring Network Security with ACLs Understanding ACLs Note You cannot apply more than one IP access list and one MAC access list to a Layer 2 interface. If an IP access list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access list or MAC access list to the interface, the new ACL replaces the previously configured one.
  • Page 493: Configuring Ipv4 Acls

    Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs Consider access list 102, configured with these commands, applied to three fragmented packets: Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp Switch(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet Switch(config)# access-list 102 permit tcp any host 10.1.1.2 Switch(config)# access-list 102 deny tcp any any In the first and second ACEs in the examples, the eq keyword after the destination address means to test...
  • Page 494: Creating Standard And Extended Ipv4 Acls

    Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs These are the steps to use IP ACLs on the switch: Step 1 Create an ACL by specifying an access list number or name and the access conditions. Step 2 Apply the ACL to interfaces or terminal lines.
  • Page 495: Access List Numbers

    Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs Access List Numbers The number you use to denote your ACL shows the type of access list that you are creating. Table 26-1 lists the access-list number and corresponding access list type and shows whether or not they are supported in the switch.
  • Page 496: Creating A Numbered Standard Acl

    Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs Creating a Numbered Standard ACL Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} source [source-wildcard] Define a standard IPv4 access list by using a source address and...
  • Page 497: Creating A Numbered Extended Acl

    Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs The switch always rewrites the order of standard access lists so that entries with host matches and entries with matches having a don’t care mask of 0.0.0.0 are moved to the top of the list, above any entries with non-zero don’t care masks.
  • Page 498 Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs Beginning in privileged EXEC mode, follow these steps to create an extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2a access-list access-list-number {deny | permit} protocol Define an extended IPv4 access list and the access conditions. The access-list-number is a decimal number from 100 to 199 or 2000 to 2699.
  • Page 499 Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs Command Purpose access-list access-list-number {deny | permit} protocol host source host destination Define an extended IP access list by using an abbreviation for a source and a source wildcard of source 0.0.0.0 and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.
  • Page 500 Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs Command Purpose Step 2d access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | ... (Optional) Define an extended ICMP access list and the access conditions. Enter icmp for Internet Control Message Protocol. The ICMP parameters are the same as those described for most IP protocols in Step 2a, with the addition of the ICMP message type and code parameters.
  • Page 501: Resequencing Aces In An Acl

    Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs After creating a numbered extended ACL, you can apply it to terminal lines (see the “Applying an IPv4 ACL to a Terminal Line” section on page 26-17), to interfaces (see the “Applying an IPv4 ACL to an Interface”...
  • Page 502 Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs Command Purpose Step 3 deny {source [source-wildcard] | host source | any} In access-list configuration mode, specify one or more conditions denied or permitted to decide if the packet is forwarded or dropped. host source—A source and source wildcard of source 0.0.0.0.
  • Page 503: Using Time Ranges With Acls

    Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACL entries to a specific ACL. However, you can use no permit and no deny access-list configuration mode commands to remove entries from a named ACL.
  • Page 504: Configuration Command

    Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs Command Purpose Step 4 Return to privileged EXEC mode. Step 5 show time-range Verify the time-range configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Repeat the steps if you have multiple items that you want in effect at different times.
  • Page 505: Including Comments In Acls

    Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs Including Comments in ACLs You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.
  • Page 506: Applying An Ipv4 Acl To An Interface

    Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs Command Purpose Step 4 Return to privileged EXEC mode. Step 5 show running-config Display the access list configuration. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove an ACL from a terminal line, use the no access-class access-list-number {in | out} line configuration command.
  • Page 507: Hardware And Software Treatment Of Ip Acls

    Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs Hardware and Software Treatment of IP ACLs ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to the CPU for software processing. If the hardware reaches its capacity to store ACL configurations, packets are sent to the CPU for forwarding.
  • Page 508: Named Acls

    Chapter 26 Configuring Network Security with ACLs Configuring IPv4 ACLs SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same port numbers are used throughout the life of the connection. Mail packets coming in from the Internet have a destination port of 25.
  • Page 509: Creating Named Mac Extended Acls

    Chapter 26 Configuring Network Security with ACLs Creating Named MAC Extended ACLs In this example of a numbered ACL, the Winter and Smith servers are not allowed to browse the web: Switch(config)# access-list 100 remark Do not allow Winter to browse the web Switch(config)# access-list 100 deny host 171.69.3.85 any eq www Switch(config)# access-list 100 remark Do not allow Smith to browse the web Switch(config)# access-list 100 deny host 171.69.3.13 any eq www...
  • Page 510: Applying A Mac Acl To A Layer 2 Interface

    Chapter 26 Configuring Network Security with ACLs Creating Named MAC Extended ACLs Command Purpose Step 3 {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination ... In extended MAC access-list configuration mode, specify to permit or deny any source MAC address, a source MAC address with a mask, or a specific host source MAC address and any...
  • Page 511: Configuring Vlan Maps

    Chapter 26 Configuring Network Security with ACLs Configuring VLAN Maps • A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one. Beginning in privileged EXEC mode, follow these steps to apply a MAC access list to control access to a Layer 2 interface: Command...
  • Page 512: Vlan Map Configuration Guidelines

    Chapter 26 Configuring Network Security with ACLs Configuring VLAN Maps To create a VLAN map and apply it to one or more VLANs, perform these steps: Step 1 Create the standard or extended IPv4 ACLs or named MAC extended ACLs that you want to apply to the VLAN.
  • Page 513: Creating A Vlan Map

    Chapter 26 Configuring Network Security with ACLs Configuring VLAN Maps Creating a VLAN Map Each VLAN map consists of an ordered series of entries. Beginning in privileged EXEC mode, follow these steps to create, add to, or delete a VLAN map entry: Command Purpose Step 1...
  • Page 514 Chapter 26 Configuring Network Security with ACLs Configuring VLAN Maps This example shows how to create a VLAN map to permit a packet. ACL ip2 permits UDP packets and any packets that match the ip2 ACL are forwarded. In this map, any IP packets that did not match any of the previous ACLs (that is, packets that are not TCP packets or UDP packets) would get dropped.
  • Page 515: Applying A Vlan Map To A Vlan

    Chapter 26 Configuring Network Security with ACLs Configuring VLAN Maps Switch(config-ext-macl)# permit any any decnet-ip Switch(config-ext-macl)# permit any any vines-ip Switch(config-ext-nacl)# exit Switch(config)# vlan access-map drop-mac-default 10 Switch(config-access-map)# match mac address good-hosts Switch(config-access-map)# action forward Switch(config-access-map)# exit Switch(config)# vlan access-map drop-mac-default 20 Switch(config-access-map)# match mac address good-protocols Switch(config-access-map)# action forward Example 4...
  • Page 516: Using Vlan Maps In Your Network

    Chapter 26 Configuring Network Security with ACLs Configuring VLAN Maps Using VLAN Maps in Your Network These sections describe some typical uses for VLAN maps: • Wiring Closet Configuration, page 26-28 • Denying Access to a Server on a VLAN, page 26-29...
  • Page 517: Denying Access To A Server On A Vlan

    Chapter 26 Configuring Network Security with ACLs Configuring VLAN Maps Next, create VLAN access map map2 so that traffic that matches the http access list is dropped and all other IP traffic is forwarded. Switch(config)# vlan access-map map2 10 Switch(config-access-map)# match ip address http Switch(config-access-map)# action drop Switch(config-access-map)# exit Switch(config)# ip access-list extended match_all...
  • Page 518: Displaying Ipv4 Acl Configuration

    Chapter 26 Configuring Network Security with ACLs Displaying IPv4 ACL Configuration Switch(config)# vlan access-map SERVER1_MAP 20 Switch(config-access-map)# action forward Switch(config-access-map)# exit Step 3 Apply the VLAN map to VLAN 10. Switch(config)# vlan filter SERVER1_MAP vlan-list 10 Displaying IPv4 ACL Configuration You can display the ACLs that are configured on the switch, and you can display the ACLs that have been applied to interfaces and VLANs.
  • Page 519: Chapter 27 Configuring Qos

    C H A P T E R Configuring QoS This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others.
  • Page 520 Chapter 27 Configuring QoS Understanding QoS The QoS implementation is based on the Differentiated Services (Diff-Serv) architecture, an emerging standard from the Internet Engineering Task Force (IETF). This architecture specifies that each packet is classified upon entry into the network. The classification is carried in the IP packet header, using 6 bits from the deprecated IP type of service (ToS) field to carry the classification (class) information.
  • Page 521: Basic Qos Model

    Chapter 27 Configuring QoS Understanding QoS Figure 27-1 QoS Classification Layers in Frames and Packets (figure: encapsulated packet = Layer 2 header, IP header, data; Layer 2 ISL frame = ISL header (26 bytes), encapsulated frame (24.5 KB), and a 4-byte field, with 3 bits used for CoS; Layer 2 802.1Q and 802.1p frame = Preamble, Start frame ...)
  • Page 522 Chapter 27 Configuring QoS Understanding QoS Figure 27-2 shows the basic QoS model. Actions at the ingress port include classifying traffic, policing, marking, queueing, and scheduling: • Classifying a distinct path for a packet by associating it with a QoS label. The switch maps the CoS...
  • Page 523: Classification

    Chapter 27 Configuring QoS Understanding QoS Classification Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification is enabled only if QoS is globally enabled on the switch. By default, QoS is globally disabled, so no classification occurs.
  • Page 524 Chapter 27 Configuring QoS Understanding QoS After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages. Figure 27-3 Classification Flowchart (flowchart: Start; read ingress interface configuration for classification; Trust CoS (IP and non-IP traffic); Trust DSCP (IP traffic); ...)
  • Page 525: Classification Based On Qos Acls

    Chapter 27 Configuring QoS Understanding QoS Classification Based on QoS ACLs You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs: • If a match with a permit action is encountered (first-match principle), the specified QoS-related...
  • Page 526: Policing And Marking

    Chapter 27 Configuring QoS Understanding QoS The policy map can contain the police and police aggregate policy-map class configuration commands, which define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded. To enable the policy map, you attach it to a port by using the service-policy interface configuration command.
  • Page 527: Policing On Physical Ports

    Chapter 27 Configuring QoS Understanding QoS Policing on Physical Ports In policy maps on physical ports, you can create these types of policers: • Individual—QoS applies the bandwidth limits specified in the policer separately to each matched traffic class. You configure this type of policer within a policy map by using the police policy-map class configuration command.
  • Page 528: Policing On Svis

    Chapter 27 Configuring QoS Understanding QoS Figure 27-4 Policing and Marking Flowchart on Physical Ports (flowchart: Start; get the classification result for the packet; is a policer configured for this packet?; check if the packet is in profile by querying the policer; pass through; drop; ...)
  • Page 529 Chapter 27 Configuring QoS Understanding QoS See the “Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps” section on page 27-51 for an example of a hierarchical policy map. Figure 27-5 shows the policing and marking process when hierarchical policy maps are configured on an SVI. Figure 27-5 Policing and Marking Flowchart on SVIs Start...
  • Page 530: Mapping Tables

    Chapter 27 Configuring QoS Understanding QoS Mapping Tables During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a QoS label based on the DSCP or CoS value from the classification stage: • During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or...
  • Page 531: Queueing And Scheduling Overview

    Chapter 27 Configuring QoS Understanding QoS Queueing and Scheduling Overview The switch has queues at specific points to help prevent congestion as shown in Figure 27-6. Figure 27-6 Ingress and Egress Queue Location (figure: policer and marker stages feed the ingress queues, which feed the internal ring, which feeds the egress queues; ...)
  • Page 532: Srr Shaping And Sharing

    Chapter 27 Configuring QoS Understanding QoS Figure 27-7 WTD and Queue Operation (figure: a queue of 1000 packets with a WTD threshold of 100 percent (1000) for CoS 6-7 and separate thresholds for CoS 4-5 and CoS 0-3) For more information, see the “Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds” section on page 27-66, the “Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set”...
  • Page 533: Queueing And Scheduling On Ingress Queues

    Chapter 27 Configuring QoS Understanding QoS Queueing and Scheduling on Ingress Queues Figure 27-8 shows the queueing and scheduling flowchart for ingress ports. Figure 27-8 Queueing and Scheduling Flowchart for Ingress Ports (flowchart: Start; read QoS label (DSCP or CoS value); determine ingress queue number, buffer allocation, and WTD thresholds; ...)
  • Page 534 Chapter 27 Configuring QoS Understanding QoS You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
  • Page 535: Queueing And Scheduling On Egress Queues

    Chapter 27 Configuring QoS Understanding QoS Queueing and Scheduling on Egress Queues Figure 27-9 shows the queueing and scheduling flowchart for egress ports. Note If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues. Figure 27-9 Queueing and Scheduling Flowchart for Egress Ports Start...
  • Page 536 Chapter 27 Configuring QoS Understanding QoS Figure 27-10 shows the egress queue buffer. The buffer space is divided between the common pool and the reserved pool. The switch uses a buffer allocation scheme to reserve a minimum amount of buffers for each egress queue, to prevent any queue or port from consuming all the buffers and depriving other queues, and to control whether to grant buffer space to a requesting queue.
  • Page 537: Packet Modification

    Chapter 27 Configuring QoS Understanding QoS WTD Thresholds You can assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an egress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue output dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue output cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
  • Page 538: Configuring Auto-Qos

    Chapter 27 Configuring QoS Configuring Auto-QoS • During policing, IP and non-IP packets can have another DSCP assigned to them (if they are out of profile and the policer specifies a markdown DSCP). Once again, the DSCP in the packet is not modified, but an indication of the marked-down value is carried along.
  • Page 539: Generated Auto-Qos Configuration

    Chapter 27 Configuring QoS Configuring Auto-QoS Generated Auto-QoS Configuration By default, auto-QoS is disabled on all ports. When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress and egress queues as shown in Table 27-2.
  • Page 540 Chapter 27 Configuring QoS Configuring Auto-QoS trust the QoS label received in the packet. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet. The switch configures ingress and egress queues on the port according to the settings in Table 27-3 Table...
  • Page 541 Chapter 27 Configuring QoS Configuring Auto-QoS Table 27-5 Generated Auto-QoS Configuration (continued) Description: The switch automatically maps DSCP values to an ingress queue and to a threshold ID. Automatically Generated Command: Switch(config)# no mls qos srr-queue input dscp-map Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15 Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7...
  • Page 542 Chapter 27 Configuring QoS Configuring Auto-QoS Table 27-5 Generated Auto-QoS Configuration (continued) Description: The switch automatically configures the egress queue buffer sizes. It configures the bandwidth and the SRR mode (shaped or shared) on the egress queues mapped to the port. Automatically Generated Command: Switch(config)# mls qos queue-set output 1 threshold 1 138 138 92 138 Switch(config)# mls qos queue-set output 1 threshold...
  • Page 543: Effects Of Auto-Qos On The Configuration

    Chapter 27 Configuring QoS Configuring Auto-QoS Effects of Auto-QoS on the Configuration When auto-QoS is enabled, the auto qos voip interface configuration command and the generated configuration are added to the running configuration. The switch applies the auto-QoS-generated commands as if the commands were entered from the CLI. An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands.
  • Page 544: Enabling Auto-Qos For Voip

    Chapter 27 Configuring QoS Configuring Auto-QoS Enabling Auto-QoS for VoIP Beginning in privileged EXEC mode, follow these steps to enable auto-QoS for VoIP within a QoS domain: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port that is connected to a Cisco IP Phone, the port that is connected to a device running the Cisco SoftPhone feature, or the uplink port that is connected to another trusted switch or router in the...
  • Page 545: Auto-Qos Configuration Example

    Chapter 27 Configuring QoS Configuring Auto-QoS Auto-QoS Configuration Example This section describes how you could implement auto-QoS in a network, as shown in Figure 27-11. For optimum QoS performance, enable auto-QoS on all the devices in the network. Figure 27-11 Auto-QoS Configuration Example Network Cisco router To Internet...
  • Page 546 Chapter 27 Configuring QoS Configuring Auto-QoS Note You should not configure any standard QoS commands before entering the auto-QoS commands. You can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed. Beginning in privileged EXEC mode, follow these steps to configure the switch at the edge of the QoS domain to prioritize the VoIP traffic over all other traffic: Command...
  • Page 547: Displaying Auto-Qos Information

    Chapter 27 Configuring QoS Displaying Auto-QoS Information Displaying Auto-QoS Information To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.
  • Page 548: Default Standard Qos Configuration

    Chapter 27 Configuring QoS Configuring Standard QoS Default Standard QoS Configuration QoS is disabled. There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
  • Page 549: Default Egress Queue Configuration

    Chapter 27 Configuring QoS Configuring Standard QoS Default Egress Queue Configuration Table 27-9 shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited. Table 27-9 Default Egress Queue Configuration Feature...
  • Page 550: Default Mapping Table Configuration

    Default Mapping Table Configuration The default CoS-to-DSCP map is shown in Table 27-12 on page 27-59. The default IP-precedence-to-DSCP map is shown in Table 27-13 on page 27-60. The default DSCP-to-CoS map is shown in Table 27-14 on page 27-62.
  • Page 551: Policing Guidelines

    Follow these guidelines when configuring policy maps on physical ports or SVIs: • You cannot apply the same policy map to a physical port and to an SVI. – If VLAN-based QoS is configured on a physical port, the switch removes all the port-based...
  • Page 552: Enabling Qos Globally

    Enabling QoS Globally By default, QoS is disabled on the switch. Beginning in privileged EXEC mode, follow these steps to enable QoS. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos Enable QoS globally.
  • Page 553: Configuring Classification Using Port Trust States

    Configuring Classification Using Port Trust States These sections describe how to classify incoming traffic by using port trust states. Depending on your network configuration, you must perform one or more of these tasks or one or more of the tasks in the “Configuring a QoS Policy”...
  • Page 554 Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be trusted, and enter interface configuration mode.
  • Page 555: Configuring The Cos Value For An Interface

    Configuring the CoS Value for an Interface QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports. Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port: Command Purpose...
  • Page 556 the telephone is connected to trust the CoS labels of all traffic received on that port. Use the mls qos trust dscp interface configuration command to configure a routed port to which the telephone is connected to trust the DSCP labels of all traffic received on that port.
  • Page 557: Enabling Dscp Transparency Mode

    Enabling DSCP Transparency Mode The switch supports the DSCP transparency feature. It affects only the DSCP field of a packet at egress. By default, DSCP transparency is disabled. The switch modifies the DSCP field in an incoming packet, and the DSCP field in the outgoing packet is based on the quality of service (QoS) configuration, including the port trust setting, policing and marking, and the DSCP-to-DSCP mutation map.
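The procedures above (enabling QoS, setting the port trust state and default CoS, and DSCP transparency) combined into one trust-boundary configuration, as an added example that is not from the guide. The internal server-facing ports are left untrusted so that a compromised blade cannot promote its own traffic into the priority queues by marking it; only the uplink into the QoS domain is trusted. The port roles (gi0/1 - 16 internal, gi0/17 uplink) are assumed. The transparency command `no mls qos rewrite ip dscp` is the one used by the Catalyst 3750-family software this release is based on; it is shown commented out because, once enabled, packets leave with the DSCP they arrived with even on the untrusted ports, which defeats the marking boundary.

```cisco
! Added example: a QoS trust boundary on the blade switch.
! Assumed port roles: gi0/1 - 16 are the internal server-facing ports,
! gi0/17 is the uplink into the trusted QoS domain.
Switch# configure terminal
Switch(config)# mls qos
! Internal ports: untrusted. The CoS/DSCP carried by incoming frames is
! ignored; the switch classifies with the port default CoS (0), which the
! default CoS-to-DSCP map turns into DSCP 0. The override applies the
! default CoS to tagged frames as well.
Switch(config)# interface range gigabitethernet0/1 - 16
Switch(config-if-range)# no mls qos trust
Switch(config-if-range)# mls qos cos 0
Switch(config-if-range)# mls qos cos override
Switch(config-if-range)# exit
! Uplink: trust the DSCP set by the upstream QoS domain.
Switch(config)# interface gigabitethernet0/17
Switch(config-if)# mls qos trust dscp
Switch(config-if)# exit
! DSCP transparency is off by default and is left off here. Enabling it
! would pass the original DSCP through at egress on the untrusted ports:
! Switch(config)# no mls qos rewrite ip dscp
Switch(config)# end
! Verify: QoS enabled, per-port trust state and default CoS, rewrite state.
Switch# show mls qos
Switch# show mls qos interface gigabitethernet0/1
Switch# show mls qos interface gigabitethernet0/17
```

After `mls qos` is enabled, every port that is not explicitly trusted behaves like gi0/1 - 16 above, so check `show mls qos interface` on each uplink rather than assuming the trust state carried over.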
  • Page 558 Figure 27-13 DSCP-Trusted State on a Port Bordering Another QoS Domain (figure: IP traffic crossing from QoS Domain 1 to QoS Domain 2; on the border port, set the interface to the DSCP-trusted state and configure the DSCP-to-DSCP-mutation map). Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and modify the DSCP-to-DSCP-mutation map.
  • Page 559: Configuring A Qos Policy

    To return a port to its non-trusted state, use the no mls qos trust interface configuration command. To return to the default DSCP-to-DSCP-mutation map values, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command. This example shows how to configure a port to the DSCP-trusted state and to modify the DSCP-to-DSCP-mutation map (named gi0/21-mutation) so that incoming DSCP values 10 to 13 are mapped to DSCP 30:...
  • Page 560: Classifying Traffic By Using Acls

    Classifying Traffic by Using ACLs You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs. Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic: Command Purpose Step 1...
  • Page 561 Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} protocol source source-wildcard Create an IP extended ACL, repeating the command as many times as necessary.
  • Page 562 Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac access-list extended name Create a Layer 2 MAC ACL by specifying the name of the list.
  • Page 563: Classifying Traffic By Using Class Maps

    Classifying Traffic by Using Class Maps You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. The class map defines the criteria to use to match against a specific traffic flow to further classify it.
  • Page 564 Command Purpose Step 4 match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list} Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported.
  • Page 565: Classifying, Policing, And Marking Traffic On Physical Ports By Using Policy Maps

    Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps You can configure a nonhierarchical policy map on a physical port that specifies which traffic class to act on. Actions can include trusting the CoS, DSCP, or IP precedence values in the traffic class; setting a specific DSCP or IP precedence value in the traffic class;...
  • Page 566 Beginning in privileged EXEC mode, follow these steps to create a nonhierarchical policy map: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 class-map [match-all | match-any] class-map-name Create a class map, and enter class-map configuration mode. By default, no class maps are defined.
  • Page 567 Command Purpose Step 5 trust [cos | dscp | ip-precedence] Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label. Note: This command is mutually exclusive with the set command within the same policy map.
  • Page 568 Command Purpose Step 8 exit Return to policy map configuration mode. Step 9 exit Return to global configuration mode. Step 10 interface interface-id Specify the port to attach to the policy map, and enter interface configuration mode.
  • Page 569: Classifying, Policing, And Marking Traffic On Svis By Using Hierarchical Policy Maps

    Switch(config-ext-mac)# exit
    Switch(config)# class-map macclass1
    Switch(config-cmap)# match access-group maclist1
    Switch(config-cmap)# exit
    Switch(config)# policy-map macpolicy1
    Switch(config-pmap)# class macclass1
    Switch(config-pmap-c)# set dscp 63
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# class macclass2 maclist2
    Switch(config-pmap-c)# set dscp 45
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# exit
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# mls qos trust cos...
  • Page 570 The hierarchical policy map is attached to the SVI and affects all traffic belonging to the VLAN. • The actions specified in the VLAN-level policy map affect the traffic belonging to the SVI. The police action on the port-level policy map affects the ingress traffic on the affected physical interfaces.
  • Page 571 Command Purpose Step 5 exit Return to global configuration mode. Step 6 class-map [match-all | match-any] class-map-name Create an interface-level class map, and enter class-map configuration mode. By default, no class maps are defined. • (Optional) Use the match-all keyword to perform a logical-AND...
  • Page 572 Command Purpose Step 12 police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}] Define an individual policer for the classified traffic. By default, no policer is defined. For information on the number of policers supported, see the “Standard QoS Configuration Guidelines”...
  • Page 573 Command Purpose Step 17 trust [cos | dscp | ip-precedence] Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label. Note: This command is mutually exclusive with the set command within the same policy map.
  • Page 574 Command Purpose Step 24 end Return to privileged EXEC mode. Step 25 show policy-map [policy-map-name [class class-map-name]] show mls qos vlan-based Verify your entries. Step 26 copy running-config startup-config (Optional) Save your entries in the configuration file. To delete an existing policy map, use the no policy-map policy-map-name global configuration command.
  • Page 575: Classifying, Policing, And Marking Traffic By Using Aggregate Policers

    Switch(config-pmap-c)# exit
    Switch(config-pmap)# class cm-4
    Switch(config-pmap-c)# trust dscp
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# exit
    Switch(config)# interface vlan 10
    Switch(config-if)# service-policy input vlan-plcmap
    Switch(config-if)# exit
    Switch(config)# exit
    Switch#
    Classifying, Policing, and Marking Traffic by Using Aggregate Policers By using an aggregate policer, you can create a policer that is shared by multiple traffic classes within the same policy map.
  • Page 576 Command Purpose Step 5 class class-map-name Define a traffic classification, and enter policy-map class configuration mode. For more information, see the “Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps” section on page 27-47.
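One complete policy built from the ACL, class-map, nonhierarchical policy-map and aggregate-policer procedures above, as an added example that is not from the guide. It marks and individually polices DNS/NTP from the blades, puts SSH and SNMP to the management station under one shared (aggregate) policer that marks excess down instead of dropping it, and remarks everything else to DSCP 0 so that host-set markings never cross the port. All addresses (10.0.0.53, 10.0.0.123, 10.0.0.10), the ACL numbers, the class and policer names and the port range gi0/1 - 16 are assumed for the example.

```cisco
! Added example: ACL classification, class maps, and one policy map with
! both an individual policer and an aggregate policer, attached to the
! internal server ports. Addresses, names and port roles are constructed.
Switch# configure terminal
! Extended ACLs select the flows; one ACL per class map.
Switch(config)# access-list 110 permit udp any host 10.0.0.53 eq domain
Switch(config)# access-list 110 permit udp any host 10.0.0.123 eq ntp
Switch(config)# access-list 120 permit tcp any host 10.0.0.10 eq 22
Switch(config)# access-list 130 permit udp any host 10.0.0.10 eq snmp
Switch(config)# access-list 140 permit ip any any
Switch(config)# class-map match-all infra-udp
Switch(config-cmap)# match access-group 110
Switch(config-cmap)# exit
Switch(config)# class-map match-all ssh-out
Switch(config-cmap)# match access-group 120
Switch(config-cmap)# exit
Switch(config)# class-map match-all snmp-out
Switch(config-cmap)# match access-group 130
Switch(config-cmap)# exit
Switch(config)# class-map match-all other-ip
Switch(config-cmap)# match access-group 140
Switch(config-cmap)# exit
! Aggregate policer: SSH and SNMP to the management station together get
! 1 Mb/s with a 16000-byte burst; excess is marked down via the
! policed-DSCP map (DSCP 24 becomes DSCP 8) rather than dropped.
Switch(config)# mls qos aggregate-policer agg-mgmt 1000000 16000 exceed-action policed-dscp-transmit
Switch(config)# mls qos map policed-dscp 24 to 8
Switch(config)# policy-map blade-ingress
! Classes are evaluated in order, so the catch-all class goes last.
Switch(config-pmap)# class infra-udp
Switch(config-pmap-c)# set dscp 24
Switch(config-pmap-c)# police 512000 8000 exceed-action drop
Switch(config-pmap-c)# exit
Switch(config-pmap)# class ssh-out
Switch(config-pmap-c)# set dscp 24
Switch(config-pmap-c)# police aggregate agg-mgmt
Switch(config-pmap-c)# exit
Switch(config-pmap)# class snmp-out
Switch(config-pmap-c)# set dscp 24
Switch(config-pmap-c)# police aggregate agg-mgmt
Switch(config-pmap-c)# exit
! Everything else from a blade is remarked to DSCP 0 so that markings set
! by the host do not survive the trust boundary.
Switch(config-pmap)# class other-ip
Switch(config-pmap-c)# set dscp 0
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface range gigabitethernet0/1 - 16
Switch(config-if-range)# service-policy input blade-ingress
Switch(config-if-range)# end
! Verify. Classification and policer counters come from the per-port
! statistics, not from show policy-map interface (see Table 27-15).
Switch# show policy-map blade-ingress
Switch# show mls qos aggregate-policer agg-mgmt
Switch# show mls qos interface gigabitethernet0/1 statistics
Switch# show mls qos interface gigabitethernet0/1 policers
```

An aggregate policer is shared only among classes of the same policy map on the same port; each of the 16 ports above gets its own 1 Mb/s budget for SSH plus SNMP, not one budget for the whole chassis.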
  • Page 577: Configuring Dscp Maps

    Switch(config-pmap)# exit
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# service-policy input aggflow1
    Switch(config-if)# exit
    Configuring DSCP Maps These sections contain this configuration information: • Configuring the CoS-to-DSCP Map, page 27-59 (optional) • Configuring the IP-Precedence-to-DSCP Map, page 27-60 (optional) • Configuring the Policed-DSCP Map, page 27-61 (optional, unless the null settings in the map are...
  • Page 578: Configuring The Ip-Precedence-To-Dscp Map

    Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map cos-dscp dscp1...dscp8 Modify the CoS-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to CoS values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63.
  • Page 579: Configuring The Policed-Dscp Map

    Beginning in privileged EXEC mode, follow these steps to modify the IP-precedence-to-DSCP map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map ip-prec-dscp Modify the IP-precedence-to-DSCP map.
  • Page 580: Configuring The Dscp-To-Cos Map

    To return to the default map, use the no mls qos map policed-dscp global configuration command. This example shows how to map DSCP 50 to 57 to a marked-down DSCP value of 0:
    Switch(config)# mls qos map policed-dscp 50 51 52 53 54 55 56 57 to 0
    Switch(config)# end
    Switch# show mls qos maps policed-dscp
    Policed-dscp map:...
  • Page 581: Configuring The Dscp-To-Dscp-Mutation Map

    Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-CoS map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map dscp-cos dscp-list to cos Modify the DSCP-to-CoS map.
  • Page 582 Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-DSCP-mutation map. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos map dscp-mutation Modify the DSCP-to-DSCP-mutation map.
  • Page 583: Configuring Ingress Queue Characteristics

    Note: In the above DSCP-to-DSCP-mutation map, the mutated values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant digit of the original DSCP.
  • Page 584: Mapping Dscp Or Cos Values To An Ingress Queue And Setting Wtd Thresholds

    Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped. Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and to set WTD thresholds.
  • Page 585: Allocating Buffer Space Between The Ingress Queues

    This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent. It maps DSCP values 20 to 26 to ingress queue 1 and to threshold 2 with a drop threshold of 70 percent:
    Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 1 0 1 2 3 4 5 6
    Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 20 21 22 23 24 25 26...
  • Page 586: Configuring The Ingress Priority Queue

    Beginning in privileged EXEC mode, follow these steps to allocate bandwidth between the ingress queues. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue input bandwidth Assign shared round robin weights to the ingress queues.
  • Page 587: Configuring Egress Queue Characteristics

    Beginning in privileged EXEC mode, follow these steps to configure the priority queue. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos srr-queue input priority-queue queue-id bandwidth Assign a queue as the priority queue and guarantee bandwidth on the internal ring if the ring is congested.
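The four ingress-queue procedures above (queue mapping and WTD thresholds, buffer allocation, bandwidth weights, and the priority queue) carried through as one configuration, as an added example that is not from the guide. The DSCP and CoS values chosen (EF into the priority queue, best-effort into queue 1 with an early drop threshold) and the percentages are assumptions for the example. Because these maps are global, anything that arrives with DSCP 46 on a trusted port lands in the priority queue, which is why the trust state of each port matters.

```cisco
! Added example: ingress queue tuning. Queue 2 is the priority queue by
! default; DSCP 46 (EF) is steered into it, best-effort traffic goes to
! queue 1 with an early WTD drop threshold, and the priority queue gets
! 10 percent of the internal ring. All values are example choices.
Switch# configure terminal
! DSCP 46 -> queue 2, threshold 1 (the priority queue).
Switch(config)# mls qos srr-queue input dscp-map queue 2 threshold 1 46
! DSCP 0 -> queue 1, threshold 1; CoS 1 (scavenger) -> queue 1, threshold 1.
Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 1 0
Switch(config)# mls qos srr-queue input cos-map queue 1 threshold 1 1
! Queue 1 WTD: drop threshold-1 traffic when the queue is 40 percent
! full, threshold-2 traffic at 60 percent (threshold 3 is fixed at 100).
Switch(config)# mls qos srr-queue input threshold 1 40 60
! Buffer split between queue 1 and queue 2 (must total 100 percent).
Switch(config)# mls qos srr-queue input buffers 70 30
! Shared round robin weights for queue 1 and queue 2.
Switch(config)# mls qos srr-queue input bandwidth 80 20
! Queue 2 as the priority queue with 10 percent of the ring bandwidth
! guaranteed under congestion.
Switch(config)# mls qos srr-queue input priority-queue 2 bandwidth 10
Switch(config)# end
! Verify the queue parameters and the DSCP/CoS-to-queue maps.
Switch# show mls qos input-queue
Switch# show mls qos maps dscp-input-q
Switch# show mls qos maps cos-input-q
```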
  • Page 588: Configuration Guidelines

    These sections contain this configuration information: • Configuration Guidelines, page 27-70 • Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, page 27-70 (optional) • Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID, page 27-72 (optional)...
  • Page 589 Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and the drop thresholds for a queue-set. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mls qos queue-set output qset-id buffers Allocate buffers to a queue-set.
  • Page 590: Mapping Dscp Or Cos Values To An Egress Queue And To A Threshold Id

    Command Purpose Step 7 show mls qos interface [interface-id] buffers Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command.
  • Page 591 Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an egress queue and to a threshold ID. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 592: Configuring Srr Shaped Weights On Egress Queues

    Configuring SRR Shaped Weights on Egress Queues You can specify how much of the available bandwidth is allocated to each queue. The ratio of the weights is the ratio of the frequency with which the SRR scheduler sends packets from each queue. You can configure the egress queues for shaped or shared weights, or both.
  • Page 593: Configuring Srr Shared Weights On Egress Queues

    Configuring SRR Shared Weights on Egress Queues In shared mode, the queues share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue empties and does not require a share of the link, the remaining queues can expand into the unused bandwidth and share it among them.
  • Page 594: Configuring The Egress Expedite Queue

    Configuring the Egress Expedite Queue You can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. SRR services this queue until it is empty before servicing the other queues. Beginning in privileged EXEC mode, follow these steps to enable the egress expedite queue.
  • Page 595: Displaying Standard Qos Information

    Command Purpose Step 3 srr-queue bandwidth limit weight1 Specify the percentage of the port speed to which the port should be limited. The range is 10 to 90. By default, the port is not rate limited and is set to 100 percent. Step 4 end Return to privileged EXEC mode.
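The egress procedures above (queue-set buffers and WTD thresholds, DSCP-to-output-queue mapping, SRR shaped and shared weights, the expedite queue, and the port bandwidth limit) applied to one uplink, as an added example that is not from the guide. Port gi0/17, queue-set 2 and every percentage and weight are assumptions for the example. The caveat a practitioner should keep in mind: once `priority-queue out` is enabled, queue 1 is served until empty and its shaped or shared weight is ignored, so an attacker who can get traffic classified into queue 1 can starve the other queues; the commented alternative bounds queue 1 with a shaped weight instead.

```cisco
! Added example: egress queue-set 2 on the uplink. Queue 1 is the expedite
! queue, queues 2-4 share the rest, and the port is capped at 80 percent
! of line rate. Port, queue-set number and values are example choices.
Switch# configure terminal
! Buffers for queue-set 2, queues 1-4: 15/25/40/20 percent (total 100).
Switch(config)# mls qos queue-set output 2 buffers 15 25 40 20
! Queue 3 of queue-set 2: WTD drop thresholds 60 and 80 percent, 50
! percent reserved, may grow to 200 percent from the common pool.
Switch(config)# mls qos queue-set output 2 threshold 3 60 80 50 200
! DSCP 46 (EF) -> queue 1 (expedite); DSCP 24 -> queue 2; DSCP 0 -> queue 3.
Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 1 46
Switch(config)# mls qos srr-queue output dscp-map queue 2 threshold 1 24
Switch(config)# mls qos srr-queue output dscp-map queue 3 threshold 1 0
Switch(config)# interface gigabitethernet0/17
Switch(config-if)# queue-set 2
! Shared weights for queues 1-4; queue 1's weight is ignored once the
! expedite queue is enabled below.
Switch(config-if)# srr-queue bandwidth share 1 30 50 20
! Queue 1 becomes the expedite queue: served until empty, before others.
Switch(config-if)# priority-queue out
! Alternative that bounds queue 1 instead of giving it strict priority:
! leave priority-queue out off and shape queue 1 to 1/10 of the port
! rate (0 = shared for the other queues):
!   Switch(config-if)# srr-queue bandwidth shape 10 0 0 0
! Limit the whole port to 80 percent of its speed.
Switch(config-if)# srr-queue bandwidth limit 80
Switch(config-if)# end
! Verify queue assignment, weights, buffers and the output-queue map.
Switch# show mls qos interface gigabitethernet0/17 queueing
Switch# show mls qos interface gigabitethernet0/17 buffers
Switch# show mls qos queue-set 2
Switch# show mls qos maps dscp-output-q
```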
  • Page 596 Table 27-15 Commands for Displaying Standard QoS Information (continued) Command Purpose show policy-map [policy-map-name [class class-map-name]] Display QoS policy maps, which define classification criteria for incoming traffic. Note: Do not use the show policy-map interface privileged EXEC command to display classification information for incoming traffic.
  • Page 597: Chapter 28 Configuring Etherchannels And Layer 2 Trunk Failover

    Chapter 28 Configuring EtherChannels and Layer 2 Trunk Failover This chapter describes how to configure EtherChannels on Layer 2 ports on the switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
  • Page 598: Etherchannel Overview

    EtherChannel Overview An EtherChannel consists of individual Gigabit Ethernet links bundled into a single logical link, as shown in Figure 28-1. Figure 28-1 Typical EtherChannel Configuration (figure: a Catalyst 6500 series switch connected to the blade switch by a Gigabit EtherChannel)...
  • Page 599: Port-Channel Interfaces

    Port-Channel Interfaces When you create a Layer 2 EtherChannel, a port-channel logical interface is involved. You can create the EtherChannel in these ways: • Use the channel-group interface configuration command. This command automatically creates the...
  • Page 600: Port Aggregation Protocol

    Port Aggregation Protocol The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports.
  • Page 601: Pagp Interaction With Other Features

    PAgP Interaction with Other Features The Dynamic Trunking Protocol (DTP) and the Cisco Discovery Protocol (CDP) send and receive packets over the physical ports in the EtherChannel. Trunk ports send and receive PAgP protocol data units (PDUs) on the lowest numbered VLAN.
  • Page 602: Lacp Interaction With Other Features

    LACP Interaction with Other Features The DTP and the CDP send and receive packets over the physical ports in the EtherChannel. Trunk ports send and receive LACP PDUs on the lowest numbered VLAN. In Layer 2 EtherChannels, the first port in the channel that comes up provides its MAC address to the EtherChannel.
  • Page 603 With source-IP address-based forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the EtherChannel based on the source-IP address of the incoming packet. Therefore, to provide load-balancing, packets from different IP addresses use different ports in the channel, but packets from the same IP address use the same port in the channel.
  • Page 604: Configuring Etherchannels

    Figure 28-3 Load Distribution and Forwarding Methods (figure: blade servers 1 to 16 behind a blade switch with source-based forwarding enabled, an EtherChannel to a Cisco router with destination-based forwarding enabled, and two clients). Configuring EtherChannels These sections contain this configuration information: • Default EtherChannel Configuration, page 28-9...
  • Page 605: Default Etherchannel Configuration

    Default EtherChannel Configuration Table 28-3 shows the default EtherChannel configuration. Table 28-3 Default EtherChannel Configuration (Feature: Default Setting) Channel groups: None assigned. Port-channel logical interface: None defined. PAgP mode: No default.
  • Page 606: Configuring Layer 2 Etherchannels

    • Do not configure an EtherChannel in both the PAgP and LACP modes. EtherChannel groups running PAgP and LACP can coexist on the same switch. Individual EtherChannel groups can run either PAgP or LACP, but they cannot interoperate.
  • Page 607 Command Purpose Step 3 switchport mode {access | trunk} Assign all ports as static-access ports in the same VLAN, or configure them as trunks. switchport access vlan vlan-id If you configure the port as a static-access port, assign it to only one VLAN.
  • Page 608: Configuring Etherchannel Load Balancing

    This example shows how to configure an EtherChannel. It assigns two ports as static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable:
    Switch# configure terminal
    Switch(config)# interface range gigabitethernet0/1 -2
    Switch(config-if-range)# switchport mode access
    Switch(config-if-range)# switchport access vlan 10...
  • Page 609: Configuring The Pagp Learn Method And Priority

    Command Purpose Step 4 show etherchannel load-balance Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command.
  • Page 610: Configuring Lacp Hot-Standby Ports

    Beginning in privileged EXEC mode, follow these steps to configure your switch as a PAgP physical-port learner and to adjust the priority so that the same port in the bundle is selected for sending packets.
  • Page 611: Configuring The Lacp System Priority

    If you configure more than eight links for an EtherChannel group, the software automatically decides which of the hot-standby ports to make active based on the LACP priority. To every link between systems that operate LACP, the software assigns a unique priority made up of these elements (in priority order): •...
  • Page 612: Configuring The Lacp Port Priority

    Configuring the LACP Port Priority By default, all ports use the same port priority. If the local system has a lower value for the system priority and the system ID than the remote system, you can affect which of the hot-standby links become active first by changing the port priority of LACP EtherChannel ports to a lower value than the default.
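The Layer 2 EtherChannel, LACP system-priority and LACP port-priority procedures above as one configuration, as an added example that is not from the guide. It builds an LACP trunk channel on the external uplinks and sets the priorities that decide which links go active and which become hot-standby when more than eight are configured (with the four ports used here all are active, so the priority commands show the intent rather than change the outcome). The ports gi0/17 - 20, the VLAN list and the priority values are assumed for the example; the `switchport trunk encapsulation dot1q` line is needed on 3750-family software that also offers ISL and can be omitted if the switch rejects it.

```cisco
! Added example: a Layer 2 LACP EtherChannel on the external uplinks with
! deterministic active/hot-standby selection. Ports, VLANs and priority
! values are example choices. Use active (not passive) on at least one
! side; PAgP and LACP cannot be mixed within one group.
Switch# configure terminal
! A system priority lower than the peer's (default 32768) makes this
! switch the one that decides which links are active.
Switch(config)# lacp system-priority 100
Switch(config)# interface range gigabitethernet0/17 - 20
Switch(config-if-range)# switchport trunk encapsulation dot1q
Switch(config-if-range)# switchport mode trunk
Switch(config-if-range)# switchport trunk allowed vlan 10,20,30
! channel-group creates interface port-channel 1 automatically.
Switch(config-if-range)# channel-group 1 mode active
Switch(config-if-range)# exit
! Prefer gi0/17 and gi0/18 as the active links when a choice has to be
! made: a lower port priority wins (default 32768).
Switch(config)# interface range gigabitethernet0/17 - 18
Switch(config-if-range)# lacp port-priority 100
Switch(config-if-range)# exit
! Keep the port-channel's Layer 2 settings identical to its members.
Switch(config)# interface port-channel 1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Switch(config-if)# end
! Verify: bundle state, our system ID and priority, the peer, and
! per-port priorities and states.
Switch# show etherchannel 1 summary
Switch# show etherchannel 1 port-channel
Switch# show lacp sys-id
Switch# show lacp 1 neighbor
Switch# show lacp 1 internal
```

Check `show etherchannel 1 summary` for every member flagged as bundled (P) rather than suspended or stand-alone before trusting the link for production traffic; a member in stand-alone mode forwards on its own and can form a loop if the peer is misconfigured.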
  • Page 613: Displaying Etherchannel, Pagp, And Lacp Status

    Displaying EtherChannel, PAgP, and LACP Status To display EtherChannel, PAgP, and LACP status information, use the privileged EXEC commands described in Table 28-4: Table 28-4 Commands for Displaying EtherChannel, PAgP, and LACP Status Command Description...
  • Page 614: Configuring Layer 2 Trunk Failover

    In a link-state group, the link states of the downstream interfaces are dependent on the link states of the upstream interfaces. If all of the upstream interfaces in a link-state group are in the link-down state, the associated downstream interfaces are forced into the link-down state.
  • Page 615: Layer 2 Trunk Failover Configuration Guidelines

    Layer 2 Trunk Failover Configuration Guidelines Follow these guidelines to avoid configuration problems: • Do not configure a cross-connect interface (gi0/23 or gi0/24) as a member of a link-state...
  • Page 616: Displaying Layer 2 Trunk Failover Status

    Displaying Layer 2 Trunk Failover Status Use the show link state group command to display the link-state group information. Enter this command without keywords to display information about all link-state groups. Enter the group number to display information specific to the group.
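A complete Layer 2 trunk failover configuration, as an added example that is not from the guide: the uplink port-channel is the upstream member of link-state group 1 and the internal server ports are its downstream members, so that when every upstream link is down the blades see their own link drop and their NIC teaming fails over instead of sending into a black hole. The upstream interface (port-channel 1) and the downstream range gi0/1 - 16 are assumed; the cross-connect ports gi0/23 and gi0/24 are deliberately left out, as the guidelines above require.

```cisco
! Added example: Layer 2 trunk failover with one link-state group.
! Assumed: port-channel 1 is the uplink bundle, gi0/1 - 16 face the
! blades. gi0/23 - 24 (cross-connects) must not be group members.
Switch# configure terminal
! Upstream member: the uplink port-channel (physical uplinks also work).
Switch(config)# interface port-channel 1
Switch(config-if)# link state group 1 upstream
Switch(config-if)# exit
! Downstream members: the internal server ports.
Switch(config)# interface range gigabitethernet0/1 - 16
Switch(config-if-range)# link state group 1 downstream
Switch(config-if-range)# exit
! Membership alone does nothing; tracking must be enabled per group.
Switch(config)# link state track 1
Switch(config)# end
! Verify the group, its members, and their current link states.
Switch# show link state group 1 detail
```

Test the failover before relying on it: shut the uplink members, confirm with `show link state group 1 detail` that the downstream ports report a forced link-down, then restore the uplinks and confirm the server ports come back up on their own.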
  • Page 617: Chapter 29 Troubleshooting

    Chapter 29 Troubleshooting This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the switch. Depending on the nature of the problem, you can use the command-line interface (CLI) or the device manager to identify and solve problems.
  • Page 618: Recovering From A Software Failure

    Recovering from a Software Failure Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, or by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity.
  • Page 619: Recovering From A Lost Or Forgotten Password

    You can release the Mode button a second or two after the LED above port 1 goes off. Several lines of information about the software appear along with instructions: The system has been interrupted prior to initializing the flash file system. The following commands will initialize the flash file system, and finish loading the operating system software: flash_init...
  • Page 620: Procedure With Password Recovery Enabled

    You enable or disable password recovery by using the service password-recovery global configuration command. Follow the steps in this procedure if you have forgotten or lost the switch password. Step 1 Connect a terminal or PC with terminal-emulation software to the switch console port. Set the line speed on the emulation software to 9600 baud.
  • Page 621 switch: load_helper Step 4 Display the contents of flash memory: switch: dir flash: The switch file system appears: Directory of flash: drwx Mar 01 1993 22:30:48 cbs30x0-lanbase-mz.122-25.SEE -rwx 5825 Mar 01 1993 22:31:59 config.text -rwx Mar 01 1993 02:21:30...
  • Page 622: Procedure With Password Recovery Disabled

    Note: This procedure is likely to leave your switch virtual interface in a shutdown state. You can see which interface is in this state by entering the show running-config privileged EXEC command. To re-enable the interface, enter the interface vlan vlan-id global configuration command, and specify the VLAN ID of the shutdown interface.
  • Page 623: Preventing Autonegotiation Mismatches

    Step 4 Boot the system: switch: boot You are prompted to start the setup program. To continue with password recovery, enter N at the prompt: Continue with the configuration dialog? [yes/no]: N Step 5 At the switch prompt, enter privileged EXEC mode: Switch>...
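The password-recovery-enabled procedure above as one complete session, followed by the setting that controls whether it is possible, as an added example that is not from the guide. The security point is that the procedure needs nothing but console access and the Mode button, and it does not erase the configuration: whoever performs it gets the saved config, including every secret and ACL. Where the rack cannot be physically controlled, `no service password-recovery` makes the boot loader offer a factory reset instead, which wipes the configuration rather than exposing it. The file names match the flash listing shown above; VLAN 1 as the management SVI and the new secret are assumed for the example.

```cisco
! Added example: full password-recovery session (recovery enabled).
! Boot loader prompt, reached by holding the Mode button at power-on.
switch: flash_init
switch: load_helper
switch: dir flash:
! Rename the saved configuration so the switch boots without it.
! Nothing is erased: config.text.old still holds all secrets and ACLs.
switch: rename flash:config.text flash:config.text.old
switch: boot
! Decline the setup dialog, then restore the configuration and replace
! the password before anything else.
Continue with the configuration dialog? [yes/no]: N
Switch> enable
Switch# rename flash:config.text.old flash:config.text
Switch# copy flash:config.text system:running-config
Switch# configure terminal
Switch(config)# enable secret NewStrongSecret123
! The restored SVI comes up shut down (assumed: VLAN 1 is management).
Switch(config)# interface vlan 1
Switch(config-if)# no shutdown
Switch(config-if)# end
Switch# copy running-config startup-config
!
! Hardening for chassis whose console cannot be physically controlled:
! with recovery disabled, the boot loader can only reset the switch to
! factory defaults, so the configuration is destroyed, not disclosed.
Switch# configure terminal
Switch(config)# no service password-recovery
Switch(config)# end
! show version reports whether the password-recovery mechanism is enabled.
Switch# show version
```

Before disabling recovery, keep an off-box copy of the configuration and the image; the disabled-recovery procedure on the following page ends with an empty switch.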
  • Page 624: Sfp Module Security And Identification

    To maximize switch performance and ensure a link, follow one of these guidelines when changing the settings for duplex and speed: • Let both ports autonegotiate both speed and duplex. • Manually set the speed and duplex parameters for the ports on both ends of the connection...
  • Page 625: Monitoring Temperature

    Monitoring Temperature The Cisco Catalyst Blade Switch 3020 for HP monitors the switch temperature conditions. Use the show env temperature status privileged EXEC command to display the temperature value, state, and thresholds. The temperature value is the temperature in the switch (not the external temperature). You can configure only the yellow threshold level (in Celsius) by using the system env temperature threshold yellow value global configuration command to set the difference between the yellow and red thresholds.
  • Page 626: Using Layer 2 Traceroute

    This example shows how to ping an IP host:
    Switch# ping 172.20.52.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echoes to 172.20.52.3, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
    Switch#
    Table 29-1 describes the possible ping character output.
  • Page 627: Usage Guidelines

    Usage Guidelines These are the Layer 2 traceroute usage guidelines: • Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP. For a list of switches that support Layer 2 traceroute, see the “Usage Guidelines”...
  • Page 628: Displaying The Physical Path

    Displaying the Physical Path You can display the physical path that a packet takes from a source device to a destination device by using one of these privileged EXEC commands: • traceroute mac [interface interface-id] {source-mac-address} [interface interface-id]...
  • Page 629: Executing Ip Traceroute

    Executing IP Traceroute Beginning in privileged EXEC mode, follow this step to trace the path that packets take through the network: Command Purpose traceroute ip host Trace the path that packets take through the network. Note: Though other protocol keywords are available with the traceroute privileged EXEC command, they are not supported in this release.
  • Page 630: Using Tdr

    Using TDR These sections contain this information: • Understanding TDR, page 29-14 • Running TDR and Displaying the Results, page 29-14 Understanding TDR You can use the Time Domain Reflector (TDR) feature to diagnose and resolve cabling problems. When running TDR, a local device sends a signal through a cable and compares the reflected signal to the initial signal.
  • Page 631: Enabling Debugging On A Specific Feature

    Caution: Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users.
  • Page 632: Redirecting Debug And Error Message Output

    The no debug all privileged EXEC command disables all diagnostic output. Using the no debug all command is a convenient way to ensure that you have not accidentally left any debug commands enabled.
  • Page 633 Chapter 29 Troubleshooting Using the show platform forward Command Egress:Asic 2, switch 1 Output Packets: ------------------------------------------ Packet 1 Lookup Key-Used Index-Hit A-Data OutptACL 50_0D020202_0D010101-00_40000014_000A0000 01FFE 03000000 Port Vlan SrcMac DstMac Dscpv Gi0/1 0005 0001.0001.0001 0002.0002.0002 ------------------------------------------ Packet 2 Lookup Key-Used Index-Hit A-Data OutptACL 50_0D020202_0D010101-00_40000014_000A0000...
  • Page 634: Using The Crashinfo Files

    Chapter 29 Troubleshooting Using the crashinfo Files Using the crashinfo Files The crashinfo files save information that helps Cisco technical support representatives to debug problems that caused the Cisco IOS image to fail (crash). The switch writes the crash information to the console at the time of the failure.
  • Page 635: Appendix

    A P P E N D I X Supported MIBs This appendix lists the supported management information bases (MIBs) for this release on the switch. It contains these sections: • MIB List, page A-1 • Using FTP to Access the MIB Files, page A-3 ...
  • Page 636 Appendix A Supported MIBs MIB List • CISCO-MEMORY-POOL-MIB • CISCO-PAE-MIB • CISCO-PAGP-MIB • CISCO-PING-MIB • CISCO-PORT-QOS-MIB • CISCO-PRODUCTS-MIB • CISCO-PROCESS-MIB • CISCO-RTTMON-MIB • CISCO-SMI-MIB • CISCO-STACKMAKER-MIB • CISCO-STP-EXTENSIONS-MIB • CISCO-SYSLOG-MIB • CISCO-TC-MIB • CISCO-TCP-MIB • CISCO-UDLDP-MIB • CISCO-VLAN-IFTABLE-RELATIONSHIP-MIB • CISCO-VLAN-MEMBERSHIP-MIB • CISCO-VTP-MIB ...
  • Page 637: Using Ftp To Access The Mib Files

    Appendix A Supported MIBs Using FTP to Access the MIB Files • SNMP-FRAMEWORK-MIB • SNMP-MPD-MIB • SNMP-NOTIFICATION-MIB • SNMP-TARGET-MIB • SNMPv2-MIB • SNMP-VACM-MIB (SNMP-VIEW-BASED-ACM-MIB) • SNMP-USM-MIB (SNMP-USER-BASED-SM-MIB) • TCP-MIB • UDP-MIB Note You can also use this URL for a list of supported MIBs for the Cisco Catalyst Blade Switch 3020 for HP: ftp://ftp.cisco.com/pub/mibs/supportlists/cbs3020 for HP/cbs3020-supportlist.htm You can access other information about MIBs and Cisco products on the Cisco web site:...
  • Page 639: Appendix

    A P P E N D I X Working with the Cisco IOS File System, Configuration Files, and Software Images This appendix describes how to manipulate the switch flash file system, how to copy configuration files, and how to archive (upload and download) software images to a switch. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release...
  • Page 640: Displaying Available File Systems

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Displaying Available File Systems To display the available file systems on your switch, use the show file systems privileged EXEC command as shown in this example.
  • Page 641: Setting The Default File System

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Setting the Default File System You can specify the file system or directory that the system uses as the default file system by using the cd filesystem: privileged EXEC command.
  • Page 642: Creating And Removing Directories

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Creating and Removing Directories Beginning in privileged EXEC mode, follow these steps to create and remove a directory: Command Purpose Step 1 dir filesystem: Display the directories on the specified file system.
  • Page 643: Deleting Files

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Some invalid combinations of source and destination exist. Specifically, you cannot copy these combinations: • From a running configuration to a running configuration ...
  • Page 644: Creating A Tar File

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Creating a tar File To create a tar file and write files into it, use this privileged EXEC command: archive tar /create destination-url flash:/file-url For destination-url, specify the destination URL alias for the local or network file system and the name of the tar file to create.
  • Page 645 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System This example shows how to display the contents of a switch tar file that is in flash memory: Switch# archive tar /table flash:cbs30x0-lanbase-tar.122-25.SEE.tar info (219 bytes) cbs30x0-lanbase-tar.122-25.SEE/ (directory) cbs30x0-lanbase-tar.122-25.SEE/html/ (directory)
  • Page 646: Extracting A Tar File

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Extracting a tar File To extract a tar file into a directory on the flash file system, use this privileged EXEC command: archive tar /xtract source-url flash:/file-url [dir/file...] For source-url, specify the source URL alias for the local file system.
  • Page 647: Guidelines For Creating And Using Configuration Files

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files You can copy (download) configuration files from a TFTP, FTP, or RCP server to the running configuration or startup configuration of the switch. You might want to perform this for one of these reasons: •...
  • Page 648: Preparing To Download Or Upload A Configuration File By Using Tftp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files some commands in the existing configuration might not be replaced or negated. In this case, the resulting configuration file is a mixture of the existing configuration file and the copied configuration file, with the copied configuration file having precedence.
  • Page 649 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Preparing to Download or Upload a Configuration File By Using TFTP Before you begin downloading or uploading a configuration file by using TFTP, do these tasks: Ensure that the workstation acting as the TFTP server is properly configured.
  • Page 650: Copying Configuration Files By Using Ftp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files This example shows how to configure the software from the file tokyo-confg at IP address 172.16.2.155: Switch# copy tftp://172.16.2.155/tokyo-confg system:running-config Configure using tokyo-confg from 172.16.2.155? [confirm] y Booting tokyo-confg from 172.16.2.155:!!! [OK - 874/16000 bytes] Uploading the Configuration File By Using TFTP To upload a configuration file from a switch to a TFTP server for storage, follow these steps:...
  • Page 651: Preparing To Download Or Upload A Configuration File By Using Ftp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files The username and password must be associated with an account on the FTP server. If you are writing to the server, the FTP server must be properly configured to accept your FTP write request. Use the ip ftp username and ip ftp password commands to specify a username and password for all copies.
  • Page 652: Uploading A Configuration File By Using Ftp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Command Purpose Step 4 ip ftp username username (Optional) Change the default remote username. Step 5 ip ftp password password (Optional) Change the default password. Step 6 Return to privileged EXEC mode.
  • Page 653: Copying Configuration Files By Using Rcp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Command Purpose Step 3 configure terminal Enter global configuration mode. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6). Step 4 ip ftp username username (Optional) Change the default remote username.
  • Page 654: Preparing To Download Or Upload A Configuration File By Using Rcp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list: • ...
  • Page 655 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Downloading a Configuration File By Using RCP Beginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP: Command Purpose Step 1...
  • Page 656: Clearing Configuration Information

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Configuration Files Uploading a Configuration File By Using RCP Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP: Command Purpose Step 1...
  • Page 657: Clearing The Startup Configuration File

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Clearing the Startup Configuration File To clear the contents of your startup configuration, use the erase nvram: or the erase startup-config privileged EXEC command. You cannot restore the startup configuration file after it has been deleted.
  • Page 658: Tar File Format Of Images On A Server Or Cisco.com

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images • Copying Image Files By Using FTP, page B-24 • Copying Image Files By Using RCP, page B-28 Note For a list of software images and the supported upgrade paths, see the release notes. Image Location on the Switch The Cisco IOS image is stored as a .bin file in a directory that shows the version number.
  • Page 659: Copying Image Files By Using Tftp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Table B-3 info File Description Field Description version_suffix Specifies the Cisco IOS image version string suffix version_directory Specifies the directory where the Cisco IOS image and the HTML subdirectory are installed image_name Specifies the name of the Cisco IOS image within the tar file ios_image_file_size...
  • Page 660: Downloading An Image File By Using Tftp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Note You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot command (on the SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x).
  • Page 661 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Command Purpose Step 3 archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar Download the image file from the TFTP server to the switch, and overwrite the current image. • The /overwrite option overwrites the software image in flash ...
  • Page 662: Uploading An Image File By Using Tftp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Uploading an Image File By Using TFTP You can upload an image from the switch to a TFTP server. You can later download this image to the switch or to another switch of the same type.
  • Page 663 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Preparing to Download or Upload an Image File By Using FTP You can copy image files to or from an FTP server. The FTP protocol requires a client to send a remote username and password on each FTP request to a server.
  • Page 664 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Downloading an Image File By Using FTP You can download a new image file and overwrite the current image or keep the current image. Beginning in privileged EXEC mode, follow Steps 1 through 7 to download a new image from an FTP server and overwrite the existing image.
  • Page 665 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Command Purpose Step 8 archive download-sw /leave-old-sw /reload ftp:[[//username[:password]@location]/directory]/image-name.tar Download the image file from the FTP server to the switch, and keep the current image. • The /leave-old-sw option keeps the old software version ...
  • Page 666: Copying Image Files By Using Rcp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Beginning in privileged EXEC mode, follow these steps to upload an image to an FTP server: Command Purpose Step 1 Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using FTP”...
  • Page 667: Preparing To Download Or Upload An Image File By Using Rcp

    Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Note Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command, we recommend using the archive download-sw and archive upload-sw privileged EXEC commands to download and upload software image files.
  • Page 668 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images operations. The new username is stored in NVRAM. If you are accessing the switch through a Telnet session and you have a valid username, this username is used, and there is no need to set the RCP username.
  • Page 669 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Command Purpose Step 6 archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-name.tar] Download the image file from the RCP server to the switch, and overwrite the current image. • The /overwrite option overwrites the software image in ...
  • Page 670 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images The algorithm installs the downloaded image onto the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
  • Page 671 Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 673: Appendix

    A P P E N D I X Unsupported Commands in Cisco IOS Release 12.2(25)SEF This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the switch prompt but are not supported in this release, either because they are not tested or because of switch hardware limitations.
  • Page 674: Igmp Snooping Commands

    Appendix C Unsupported Commands in Cisco IOS Release 12.2(25)SEF IGMP Snooping Commands IGMP Snooping Commands Unsupported Global Configuration Commands ip igmp snooping tcn Interface Commands Unsupported Privileged EXEC Commands show interfaces [interface-id | vlan vlan-id] [crb | fair-queue | irb | mac-accounting | precedence | irb | random-detect | rate-limit | shape] Unsupported Global Configuration Commands interface tunnel...
  • Page 675: Unsupported Global Configuration Commands

    Appendix C Unsupported Commands in Cisco IOS Release 12.2(25)SEF Miscellaneous Note Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast address-table entries for a VLAN. Unsupported Global Configuration Commands mac-address-table aging-time mac-address-table notification mac-address-table static Miscellaneous Unsupported Privileged EXEC Commands file verify auto...
  • Page 676: Unsupported Interface Configuration Commands

    Appendix C Unsupported Commands in Cisco IOS Release 12.2(25)SEF RADIUS Unsupported Interface Configuration Commands priority-group rate-limit Unsupported Policy-Map Configuration Commands class class-default where class-default is the class-map-name. RADIUS Unsupported Global Configuration Commands aaa nas port extended radius-server attribute nas-port radius-server configure radius-server extended-portnames SNMP Unsupported Global Configuration Commands...
  • Page 677: Unsupported User Exec Commands

    Appendix C Unsupported Commands in Cisco IOS Release 12.2(25)SEF VLAN VLAN Unsupported Global Configuration Commands vlan internal allocation policy {ascending | descending} Unsupported vlan-config Command private-vlan Unsupported User EXEC Commands show running-config vlan show vlan ifindex show vlan private-vlan Unsupported Privileged EXEC Commands vtp {password password | pruning | version number} This command has been replaced by the vtp global configuration command.
  • Page 679 I N D E X extended IPv4 creating 26-9 abbreviating commands matching criteria 26-6 access-class command 26-17 hardware and software handling 26-19 access control entries host keyword 26-11 See ACEs access-denied response, VMPS 10-25 creating 26-6 access lists fragments and QoS guidelines 27-32 See ACLs implicit deny...
  • Page 680 Index support for maximum support in hardware for MSTP 26-19 14-23, 14-24 time ranges for STP 26-15 13-21, 13-22 types supported 26-2 alarms, RMON 23-3 unsupported features, IPv4 allowed-VLAN list 26-5 10-19 VLAN maps configuration guidelines defined 26-24 1-3, 5-26 configuring table 26-23...
  • Page 681 Index autonegotiation BPDU duplex mode error-disabled state 15-2 interface configuration guidelines filtering 8-12 15-3 mismatches 29-7 RSTP format 14-12 autosensing, port speed BPDU filtering auxiliary VLAN described 15-3 See voice VLAN disabling 15-12 availability, features enabling 15-12 support for BPDU guard described 15-2 disabling...
  • Page 682 Index transmission timer and holdtime, setting 20-2 changing the buffer size updates described 20-2 CGMP disabling as IGMP snooping learning method 18-8 recalling commands joining multicast group no and default forms of commands 18-3 CipherSuites client mode, VTP 6-44 11-3 Cisco 7960 IP Phone clock 12-1...
  • Page 683 Index configuration files publication xxviii clearing the startup configuration text B-19 xxviii creating using a text editor corrupted software, recovery steps with Xmodem B-10 29-2 default name 3-14 deleting a stored configuration in Layer 2 frames B-19 27-2 described override priority 12-6 downloading trust priority...
  • Page 684 Index Flex Links 16-4 device B-19 IGMP filtering device discovery protocol 18-24 20-1 IGMP snooping device manager 18-6 IGMP throttling 18-24 benefits initial switch information described 1-2, 1-3 Layer 2 interfaces in-band management 8-10 MAC address table requirements 5-21 xxviii MAC address-table move update upgrading a switch 16-4...
  • Page 685 Index packet format, suboption Domain Name System circuit ID See DNS 17-5 remote ID downloading 17-5 remote ID suboption 17-5 configuration files DHCP server preparing B-11, B-13, B-16 DHCP snooping reasons for accepting untrusted packets form edge switch using FTP 17-3, 17-9 B-13 configuration guidelines...
  • Page 686 Index dynamic port VLAN membership LACP described described 10-26 28-5 reconfirming displaying status 10-28 28-17 troubleshooting 10-30 hot-standby ports 28-14 types of connections interaction with other features 10-27 28-6 Dynamic Trunking Protocol modes 28-5 See DTP port priority 28-16 system priority 28-15 load balancing 28-6, 28-12...
  • Page 687 Index configuration guidelines 10-12 filtering configuring in a VLAN 10-11 26-23 creating non-IP traffic 10-12 26-21 defined 10-1 show and more command output 2-10 extended system ID filtering show and more command output 2-10 MSTP filters, IP 14-17 See ACLs, IP 13-4, 13-14 Extensible Authentication Protocol over LAN flash device, number of...
  • Page 688 Index HTTPS 6-42 configuring 6-46 get-bulk-request operation 25-3 self-signed certificate 6-43 get-next-request operation 25-3, 25-4 HTTP secure server 6-42 get-request operation 25-3, 25-4 get-response operation 25-3 global configuration mode global leave, IGMP 18-12 ICMP guest VLAN and 802.1x 7-12 time-exceeded messages 29-12 guide traceroute and...
  • Page 689 Index flooded multicast traffic global configuration 18-7 controlling the length of time Immediate Leave 18-12 18-5 disabling on an interface method 18-13 18-8 global leave 18-12 monitoring 18-15 query solicitation querier 18-12 recovering from flood mode configuration guidelines 18-12 18-13 joining multicast group configuring 18-3...
  • Page 690 Index management IP traceroute monitoring executing 8-19 29-13 naming overview 8-17 29-12 physical, identifying IPv4 ACLs range of applying to interfaces 26-18 restarting extended, creating 8-20 26-9 shutting down named 8-20 26-13 speed and duplex, configuring standard, creating 8-14 26-8 status 8-19 supported...
  • Page 691 Index terms 6-33 local SPAN 22-2 login authentication 6-34 tickets with RADIUS 6-32 6-23 key distribution center with TACACS+ 6-14 See KDC login banners 5-17 log messages See system message logging loop guard described 15-9 LACP enabling 15-15 See EtherChannel support for Layer 2 frames, classification with CoS 27-2...
  • Page 692 Index MAC extended access lists membership mode, VLAN port 10-3 applying to Layer 2 interfaces messages, to users through banners 26-22 5-17 configuring for QoS MIBs 27-44 creating 26-21 accessing files with FTP defined location of files 26-21 for QoS classification overview 27-5 25-1...
  • Page 693 Index MSTP effects on secondary root switch 14-18 boundary ports unexpected behavior 14-17 configuration guidelines IEEE 802.1s 14-15 described 14-6 implementation 14-6 BPDU filtering port role naming change 14-7 described terminology 15-3 14-5 enabling instances supported 15-12 13-9 BPDU guard interface state, blocking to forwarding 15-2 described...
  • Page 694 Index effects of extended system ID 14-17 native VLAN unexpected behavior configuring 14-17 10-21 shutdown Port Fast-enabled port default 15-2 10-21 status, displaying 14-26 Network Assistant multicast groups benefits Immediate Leave described 18-5 joining network configuration examples 18-3 leaving increasing network performance 18-5 1-10 static joins...
  • Page 695 Index peer VTP domain 11-8 server path cost default configuration MSTP 14-20 displaying the configuration 5-11 13-18 overview performance, network design 1-10 restricting access performance features creating an access group persistent self-signed certificate 6-43 disabling NTP services per interface per-VLAN spanning-tree plus 5-10 source IP address, configuring See PVST+...
  • Page 696 Index nonhierarchical on physical ports guest VLAN configuration guidelines configuration guidelines 27-32 7-12, 7-13 configuring described 27-47 7-12 described 27-9 host mode port ACLs inaccessible authentication bypass defined configuring 26-2 7-33 types of described 26-3 7-14 Port Aggregation Protocol guidelines 7-21 See EtherChannel initiation and message exchange...
  • Page 697 Index voice VLAN preemption described default configuration 7-15 16-4 PVID preemption delay 7-15 VVID 7-15 default configuration 16-4 wake-on-LAN, described preferential treatment of traffic 7-16 port blocking See QoS 1-2, 19-6 port-channel preventing unauthorized access See EtherChannel primary links 16-2 Port Fast priority described...
  • Page 698 Index configuration guidelines auto-QoS 27-25 standard QoS 27-32 and MQC commands 27-1 configuring auto-QoS aggregate policers 27-57 categorizing traffic 27-21 auto-QoS 27-20 configuration and defaults display 27-29 default port CoS value 27-37 configuration guidelines 27-25 DSCP maps 27-59 described 27-20 DSCP transparency 27-39 disabling...
  • Page 699 Index ingress queueing and scheduling 27-15 policies, attaching to an interface 27-8 policing and marking policing 27-10 implicit deny described 27-7 27-4, 27-8 ingress queues token bucket algorithm 27-9 allocating bandwidth policy maps 27-67 allocating buffer space characteristics of 27-67 27-47 buffer and bandwidth allocation, described displaying...
  • Page 700 Index authorization 6-27 reconfirming dynamic VLAN membership 10-28 communication, global recovery procedures 6-21, 6-29 29-1 communication, per-server redundancy 6-20, 6-21 multiple UDP ports 6-21 EtherChannel 28-2 default configuration 6-20 defining AAA server groups backbone 6-25 13-8 displaying the configuration path cost 6-31 10-23 identifying the server...
  • Page 701 Index defined 22-3 1112, IP multicast and IGMP limiting source traffic to specific VLANs 18-2 22-22 1157, SNMPv1 specifying monitored ports 25-2 22-16 1305, NTP with ingress traffic enabled 22-20 1757, RMON source ports 23-2 22-5 1901, SNMPv2C transmitted traffic 25-2 22-5 1902 to 1907, SNMPv2...
  • Page 702 Index secure HTTP server Smartports macros configuring applying Cisco-default macros 6-46 displaying applying global parameter values 6-48 9-5, 9-6 secure MAC addresses applying macros deleting applying parameter values 19-14 9-5, 9-7 maximum number of configuration guidelines 19-9 types of creating 19-8 secure remote connections default configuration...
  • Page 703 Index MIBs destination ports 22-6 location of displaying status 22-23 supported interaction with other features 22-8 notifications 25-5 monitored ports 22-5 overview monitoring ports 25-1, 25-4 22-6 security levels overview 25-3 1-8, 22-1 status, displaying ports, restrictions 25-16 19-11 system contact and location received traffic 25-14 22-4...
  • Page 704 Index support for configuration guidelines thresholds 6-45 19-1 configuring a secure HTTP client 6-47 configuring a secure HTTP server 6-46 accelerating root port selection 15-4 cryptographic software image BackboneFast 6-42 described described 6-42 15-5 monitoring disabling 6-48 15-14 standby links enabling 16-2 15-13...
  • Page 705 Index EtherChannel guard Port Fast described described 15-7 15-2 disabling enabling 15-14 15-10 enabling 15-14 port priorities 10-22 extended system ID preventing root switch selection 15-8 effects on root switch protocols supported 13-14 13-9 effects on the secondary root switch redundant connectivity 13-16 13-8...
  • Page 706 Index syslog See system message logging TACACS+ system clock accounting, defined 6-11 configuring authentication, defined 6-11 daylight saving time 5-13 authorization, defined 6-11 manually 5-11 configuring summer time 5-13 accounting 6-17 time zones 5-12 authentication key 6-13 displaying the time and date 5-12 authorization 6-16...
  • Page 707 Index configuring for autoconfiguration traffic suppression 19-1 image files transmit hold-count deleting see STP B-23 downloading B-22 transparent mode, VTP 11-3, 11-12 preparing the server trap-door mechanism B-21 uploading traps B-24 limiting access by servers configuring MAC address notification 25-15 5-22 TFTP server configuring managers...
  • Page 708 Index pruning-eligible list 10-20 and router MAC addresses 5-25 to non-DTP device configuration guidelines 10-15 5-25 trusted boundary for QoS described 27-37 5-25 trusted port states unicast storm 19-1 between QoS domains unicast storm control command 27-39 19-4 classification options unicast traffic, blocking 27-5 19-7...
  • Page 709 Index support for wiring closet configuration example 26-28 version-dependent transparent mode 11-4 VLAN membership vlan.dat file 10-4 confirming 10-28 VLAN 1, disabling on a trunk port 10-19 modes 10-3 VLAN 1 minimization 10-19 VLAN Query Protocol VLAN ACLs See VQP See VLAN maps VLANs vlan-assignment response, VMPS...
  • Page 710 Index Token Ring 10-5 traffic between adding a client to a domain 10-2 11-14 VTP modes advertisements 11-3 10-17, 11-3 VLAN Trunking Protocol and extended-range VLANs 11-1 See VTP and normal-range VLANs 11-1 VLAN trunks client mode, configuring 10-14 11-11 VMPS configuration administering...
  • Page 711 Index overview 11-4 support for pruning-eligible list, changing 10-20 server mode, configuring 11-9 statistics 11-16 support for Token Ring support 11-4 transparent mode, configuring 11-12 using 11-1 version, guidelines 11-8 Version 1 11-4 Version 2 configuration guidelines 11-8 disabling 11-13 enabling 11-13 overview...
