Catalyst 3550 Multilayer Switch Software Configuration Guide

Corporate Headquarters Cisco Systems, Inc.

170 West Tasman Drive San Jose, CA 95134-1706 USA

http://www.cisco.com Tel: 408 526-4000

800 553-NETS (6387) Fax: 408 526-4100

Catalyst 3550 Multilayer Switch Software Configuration Guide

Cisco IOS Release 12.2(25)SEE February 2006

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT

LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0502R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Catalyst 3550 Multilayer Switch Software Configuration Guide Copyright © 2006 Cisco Systems, Inc. All rights reserved.

C O N T E N T S

Preface iii

Audience

Purpose

Conventions

Related Publications

Obtaining Documentation

Cisco.com

Product Documentation DVD

Ordering Documentation

Documentation Feedback

Cisco Product Security Overview

Reporting Security Problems in Cisco Products

Obtaining Technical Assistance

Cisco Technical Support & Documentation Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information

C H A P T E R 1 Overview 1-1

Features

Ease of Deployment and Ease of Use

Performance

Manageability

Redundancy

VLAN Support

Security

Quality of Service (QoS) and Class of Service (CoS)

Layer 3 Support

Monitoring

Power over Ethernet Support for the Catalyst 3550-24PWR Switch

Management Options

Management Interface Options

Advantages of Using Network Assistant and Clustering Switches

Contents

Network Configuration Examples

Design Concepts for Using the Switch

Small to Medium-Sized Network Using Mixed Switches

Large Network Using Only Catalyst 3550 Switches

Multidwelling Network Using Catalyst 3550 Switches

Long-Distance, High-Bandwidth Transport Configuration

Where to Go Next

C H A P T E R 2 Using the Command-Line Interface 2-1

Cisco IOS Command Modes

Getting Help

Abbreviating Commands

Using no and default Forms of Commands

Understanding CLI Messages

Using Configuration Logging

Using Command History

Changing the Command History Buffer Size

Recalling Commands

Disabling the Command History Feature

Using Editing Features

Enabling and Disabling Editing Features

Editing Commands through Keystrokes

Editing Command Lines that Wrap

Searching and Filtering Output of show and more Commands

Accessing the CLI

C H A P T E R 3 Assigning the Switch IP Address and Default Gateway 3-1

Understanding the Boot Process

Assigning Switch Information

Default Switch Information

Understanding DHCP-Based Autoconfiguration

DHCP Client Request Process

Configuring DHCP-Based Autoconfiguration

DHCP Server Configuration Guidelines

Configuring the TFTP Server

Configuring the DNS

Configuring the Relay Device

Contents

Obtaining Configuration Files

Example Configuration

Manually Assigning IP Information

Checking and Saving the Running Configuration

Modifying the Startup Configuration

Default Boot Configuration

Automatically Downloading a Configuration File

Specifying the Filename to Read and Write the System Configuration

Booting Manually

Booting a Specific Software Image

Controlling Environment Variables

Scheduling a Reload of the Software Image

Configuring a Scheduled Reload

Displaying Scheduled Reload Information

C H A P T E R 4 Configuring Cisco IOS CNS Agents 4-1

Understanding Cisco Configuration Engine Software

Configuration Service

Event Service

NameSpace Mapper

What You Should Know About the CNS IDs and Device Hostnames

ConfigID

DeviceID

Hostname and DeviceID

Using Hostname, DeviceID, and ConfigID

Understanding Cisco IOS Agents

Initial Configuration

Incremental (Partial) Configuration

Synchronized Configuration

Configuring Cisco IOS Agents

Enabling Automated CNS Configuration

Enabling the CNS Event Agent

Enabling the Cisco IOS CNS Agent

Enabling an Initial Configuration

Enabling a Partial Configuration

Upgrading Devices with Cisco IOS Image Agent

Prerequisites for the CNS Image Agent

Restrictions for the CNS Image Agent

Displaying CNS Configuration

Contents

C H A P T E R 5 Clustering Switches 5-1

Understanding Switch Clusters

Cluster Command Switch Characteristics

Standby Cluster Command Switch Characteristics

Candidate Switch and Member Switch Characteristics

Planning a Switch Cluster

Automatic Discovery of Cluster Candidates and Members

Discovery Through CDP Hops

Discovery Through Non-CDP-Capable and Noncluster-Capable Devices

Discovery Through Different VLANs

Discovery Through Different Management VLANs

Discovery Through Routed Ports

Discovery of Newly Installed Switches

HSRP and Standby Cluster Command Switches

Virtual IP Addresses

Other Considerations for Cluster Standby Groups

Automatic Recovery of Cluster Configuration

IP Addresses

Hostnames

Passwords

SNMP Community Strings

TACACS+ and RADIUS

console For instructions on configuring the switch for a Telnet session, see the “Disabling Password Recovery” section on page 6-5.Catalyst 1900 and Catalyst 2820 CLI Considerations

Using SNMP to Manage Switch Clusters

C H A P T E R 6 Administering the Switch 6-1

Managing the System Time and Date

Understanding the System Clock

Understanding Network Time Protocol

Configuring NTP

Default NTP Configuration

Configuring NTP Authentication

Configuring NTP Associations

Configuring NTP Broadcast Service

Configuring NTP Access Restrictions

Configuring the Source IP Address for NTP Packets

Displaying the NTP Configuration

Contents

Configuring Time and Date Manually

Setting the System Clock

Displaying the Time and Date Configuration

Configuring the Time Zone

Configuring Summer Time (Daylight Saving Time)

Configuring a System Name and Prompt

Default System Name and Prompt Configuration

Configuring a System Name

Understanding DNS

Default DNS Configuration

Setting Up DNS

Displaying the DNS Configuration

Creating a Banner

Default Banner Configuration

Configuring a Message-of-the-Day Login Banner

Configuring a Login Banner

Managing the MAC Address Table

Building the Address Table

MAC Addresses and VLANs

Default MAC Address Table Configuration

Changing the Address Aging Time

Removing Dynamic Address Entries

Configuring MAC Address Notification Traps

Adding and Removing Static Address Entries

Configuring Unicast MAC Address Filtering

Displaying Address Table Entries

Optimizing System Resources for User-Selected Features

Using the Templates

Managing the ARP Table

C H A P T E R 7 Configuring Switch-Based Authentication 7-1

Preventing Unauthorized Access to Your Switch

Protecting Access to Privileged EXEC Commands

Default Password and Privilege Level Configuration

Setting or Changing a Static Enable Password

Protecting Enable and Enable Secret Passwords with Encryption

Disabling Password Recovery

Setting a Telnet Password for a Terminal Line

Configuring Username and Password Pairs

Contents

Configuring Multiple Privilege Levels

Setting the Privilege Level for a Command

Changing the Default Privilege Level for Lines

Logging into and Exiting a Privilege Level

Controlling Switch Access with TACACS+

Understanding TACACS+

TACACS+ Operation

Configuring TACACS+

Default TACACS+ Configuration

Identifying the TACACS+ Server Host and Setting the Authentication Key

Configuring TACACS+ Login Authentication

Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services

Starting TACACS+ Accounting

Displaying the TACACS+ Configuration

Controlling Switch Access with RADIUS

Understanding RADIUS

RADIUS Operation

Configuring RADIUS

Default RADIUS Configuration

Identifying the RADIUS Server Host

Configuring RADIUS Login Authentication

Defining AAA Server Groups

Configuring RADIUS Authorization for User Privileged Access and Network Services

Starting RADIUS Accounting

Configuring Settings for All RADIUS Servers

Configuring the Switch to Use Vendor-Specific RADIUS Attributes

Configuring the Switch for Vendor-Proprietary RADIUS Server Communication

Displaying the RADIUS Configuration

Controlling Switch Access with Kerberos

Understanding Kerberos

Kerberos Operation

Authenticating to a Boundary Switch

Obtaining a TGT from a KDC

Authenticating to Network Services

Configuring Kerberos

Configuring the Switch for Local Authentication and Authorization

Contents

Configuring the Switch for Secure Shell

Understanding SSH

SSH Servers, Integrated Clients, and Supported Versions

Limitations

Configuring SSH

Configuration Guidelines

Setting Up the Switch to Run SSH

Configuring the SSH Server

Displaying the SSH Configuration and Status

Configuring the Switch for Secure Socket Layer HTTP

Understanding Secure HTTP Servers and Clients

Certificate Authority Trustpoints

CipherSuites

Configuring Secure HTTP Servers and Clients

Default SSL Configuration

SSL Configuration Guidelines

Configuring a CA Trustpoint

Configuring the Secure HTTP Server

Configuring the Secure HTTP Client

Displaying Secure HTTP Server and Client Status

Configuring the Switch for Secure Copy Protocol

C H A P T E R 8 Configuring IEEE 802.1x Port-Based Authentication 8-1

Understanding IEEE 802.1x Port-Based Authentication

Device Roles

Authentication Process

Authentication Initiation and Message Exchange

Ports in Authorized and Unauthorized States

IEEE 802.1x Host Mode

IEEE 802.1x Accounting

IEEE 802.1x Accounting Attribute-Value Pairs

Using IEEE 802.1x Authentication with VLAN Assignment

Using IEEE 802.1x Authentication with Per-User ACLs

Using IEEE 802.1x Authentication with Guest VLAN

Using IEEE 802.1x Authentication with Restricted VLAN

Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass

Using IEEE 802.1x Authentication with Voice VLAN Ports

Using IEEE 802.1x Authentication with Port Security

Using IEEE 802.1x Authentication with Wake-on-LAN

Contents

Using IEEE 802.1x Authentication with MAC Authentication Bypass

Network Admission Control Layer 2 IEEE 802.1x Validation

Configuring IEEE 802.1x Authentication

Default IEEE 802.1x Authentication Configuration

IEEE 802.1x Authentication Configuration Guidelines

IEEE 802.1x Authentication

VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass

MAC Authentication Bypass

Upgrading from a Previous Software Release

Configuring IEEE 802.1x Authentication

Configuring the Switch-to-RADIUS-Server Communication

Configuring the Host Mode

Enabling Periodic Re-Authentication

Manually Re-Authenticating a Client Connected to a Port

Changing the Quiet Period

Changing the Switch-to-Client Retransmission Time

Setting the Switch-to-Client Frame-Retransmission Number

Setting the Re-Authentication Number

Configuring IEEE 802.1x Accounting

Configuring a Guest VLAN

Configuring a Restricted VLAN

Configuring the Inaccessible Authentication Bypass Feature

Configuring IEEE 802.1x Authentication with WoL

Configuring MAC Authentication Bypass

Configuring NAC Layer 2 IEEE 802.1x Validation

Disabling IEEE 802.1x on the Port

Resetting the IEEE 802.1x Configuration to the Default Values

Displaying IEEE 802.1x Statistics and Status

C H A P T E R 9 Configuring Interface Characteristics 9-1

Understanding Interface Types

Port-Based VLANs

Switch Ports

Access Ports

Trunk Ports

Tunnel Ports

Switch Virtual Interfaces

Routed Ports

Contents

EtherChannel Port Groups

Power Over Ethernet Ports

Supported Protocols and Standards

Powered-Device Detection and Initial Power Allocation

Power Management Modes

Connecting Interfaces

Using the Interface Command

Procedures for Configuring Interfaces

Configuring a Range of Interfaces

Configuring and Using Interface Range Macros

Configuring Ethernet Interfaces

Default Ethernet Interface Configuration

Configuring Interface Speed and Duplex Mode

Configuration Guidelines

Setting the Interface Speed and Duplex Parameters

Configuring Power over Ethernet on the Catalyst 3550-24PWR Ports

Configuring IEEE 802.3x Flow Control

Adding a Description for an Interface

Configuring Layer 3 Interfaces

Monitoring and Maintaining the Interfaces

Monitoring Interface and Controller Status

Clearing and Resetting Interfaces and Counters

Shutting Down and Restarting the Interface

C H A P T E R 10 Configuring Smartports Macros 10-1

Understanding Smartports Macros

Configuring Smartports Macros

Default Smartports Macro Configuration

Smartports Macro Configuration Guidelines

Creating Smartports Macros

Applying Smartports Macros

Applying Cisco-Default Smartports Macros

Displaying Smartports Macros

Contents

C H A P T E R 11 Configuring VLANs 11-1

Understanding VLANs

Supported VLANs

VLAN Port Membership Modes

Configuring Normal-Range VLANs

Token Ring VLANs

Normal-Range VLAN Configuration Guidelines

VLAN Configuration Mode Options

VLAN Configuration in config-vlan Mode

VLAN Configuration in VLAN Configuration Mode

Saving VLAN Configuration

Default Ethernet VLAN Configuration

Creating or Modifying an Ethernet VLAN

Deleting a VLAN

Assigning Static-Access Ports to a VLAN

Configuring Extended-Range VLANs

Default VLAN Configuration

Extended-Range VLAN Configuration Guidelines

Creating an Extended-Range VLAN

Creating an Extended-Range VLAN with an Internal VLAN ID

Displaying VLANs

Configuring VLAN Trunks

Trunking Overview

Encapsulation Types

IEEE 802.1Q Configuration Considerations

Default Layer 2 Ethernet Interface VLAN Configuration

Configuring an Ethernet Interface as a Trunk Port

Interaction with Other Features

Configuring a Trunk Port

Defining the Allowed VLANs on a Trunk

Changing the Pruning-Eligible List

Configuring the Native VLAN for Untagged Traffic

Load Sharing Using STP

Load Sharing Using STP Port Priorities

Load Sharing Using STP Path Cost

Contents

Configuring VMPS

Understanding VMPS

Dynamic Port VLAN Membership

VMPS Database Configuration File

Default VMPS Client Configuration

VMPS Configuration Guidelines

Configuring the VMPS Client

Entering the IP Address of the VMPS

Configuring Dynamic Access Ports on VMPS Clients

Reconfirming VLAN Memberships

Changing the Reconfirmation Interval

Changing the Retry Count

Monitoring the VMPS

Troubleshooting Dynamic Port VLAN Membership

VMPS Configuration Example

C H A P T E R 12 Configuring VTP 12-1

Understanding VTP

The VTP Domain

VTP Modes

VTP Advertisements

VTP Version 2

VTP Pruning

Configuring VTP

Default VTP Configuration

VTP Configuration Options

VTP Configuration in Global Configuration Mode

VTP Configuration in VLAN Configuration Mode

VTP Configuration Guidelines

Domain Names

Passwords

VTP Version

Configuration Requirements

Configuring a VTP Server

Configuring a VTP Client

Disabling VTP (VTP Transparent Mode)

Enabling VTP Version 2

Contents

Enabling VTP Pruning

Adding a VTP Client Switch to a VTP Domain

Monitoring VTP

C H A P T E R 13 Configuring Voice VLAN 13-1

Understanding Voice VLAN

Configuring Voice VLAN

Default Voice VLAN Configuration

Voice VLAN Configuration Guidelines

Configuring a Port to Connect to a Cisco 7960 IP Phone

Configuring Ports to Carry Voice Traffic in IEEE 802.1Q Frames

Configuring Ports to Carry Voice Traffic in IEEE 802.1p Priority-Tagged Frames

Overriding the CoS Priority of Incoming Data Frames

Configuring the IP Phone to Trust the CoS Priority of Incoming Data Frames

Displaying Voice VLAN

C H A P T E R 14 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling 14-1

Understanding IEEE 802.1Q Tunneling

Configuring IEEE 802.1Q Tunneling

Default IEEE 802.1Q Tunneling Configuration

IEEE 802.1Q Tunneling Configuration Guidelines

Native VLANs

System MTU

IEEE 802.1Q Tunneling and Other Features

Configuring an IEEE 802.1Q Tunneling Port

Understanding Layer 2 Protocol Tunneling

Configuring Layer 2 Protocol Tunneling

Default Layer 2 Protocol Tunneling Configuration

Layer 2 Protocol Tunneling Configuration Guidelines

Configuring Layer 2 Tunneling

Configuring Layer 2 Tunneling for EtherChannels

Configuring the SP Edge Switch

Configuring the Customer Switch

Monitoring and Maintaining Tunneling Status

Contents

C H A P T E R 15 Configuring STP 15-1

Understanding Spanning-Tree Features

STP Overview

Spanning-Tree Topology and BPDUs

Bridge ID, Switch Priority, and Extended System ID

Spanning-Tree Interface States

Blocking State

Listening State

Learning State

Forwarding State

Disabled State

How a Switch or Port Becomes the Root Switch or Root Port

Spanning Tree and Redundant Connectivity

Spanning-Tree Address Management

Accelerated Aging to Retain Connectivity

Spanning-Tree Modes and Protocols

Supported Spanning-Tree Instances

Spanning-Tree Interoperability and Backward Compatibility

STP and IEEE 802.1Q Trunks

VLAN-Bridge Spanning Tree

Configuring Spanning-Tree Features

Default Spanning-Tree Configuration

Spanning-Tree Configuration Guidelines

Changing the Spanning-Tree Mode

Disabling Spanning Tree

Configuring the Root Switch

Configuring a Secondary Root Switch

Configuring the Port Priority

Configuring the Path Cost

Configuring the Switch Priority of a VLAN

Configuring Spanning-Tree Timers

Configuring the Hello Time

Configuring the Forwarding-Delay Time for a VLAN

Configuring the Maximum-Aging Time for a VLAN

Configuring Spanning Tree for Use in a Cascaded Stack

Configuring the Transmit Hold Count

Displaying the Spanning-Tree Status

Contents

C H A P T E R 16 Configuring MSTP 16-1

Understanding MSTP

Multiple Spanning-Tree Regions

IST, CIST, and CST

Operations Within an MST Region

Operations Between MST Regions

IEEE 802.1s Terminology

Hop Count

Boundary Ports

IEEE 802.1s Implementation

Port Role Naming Change

Interoperation Between Legacy and Standard Switches

Detecting Unidirectional Link Failure

Interoperability with IEEE 802.1D STP

Understanding RSTP

Port Roles and the Active Topology

Rapid Convergence

Synchronization of Port Roles

Bridge Protocol Data Unit Format and Processing

Processing Superior BPDU Information

Processing Inferior BPDU Information

Topology Changes

Configuring MSTP Features

Default MSTP Configuration

MSTP Configuration Guidelines

Specifying the MST Region Configuration and Enabling MSTP

Configuring the Root Switch

Configuring a Secondary Root Switch

Configuring the Port Priority

Configuring the Path Cost

Configuring the Switch Priority

Configuring the Hello Time

Configuring the Forwarding-Delay Time

Configuring the Maximum-Aging Time

Configuring the Maximum-Hop Count

Specifying the Link Type to Ensure Rapid Transitions

Designating the Neighbor Type

Restarting the Protocol Migration Process

Displaying the MST Configuration and Status

Contents

C H A P T E R 17 Configuring Optional Spanning-Tree Features 17-1

Understanding Optional Spanning-Tree Features

Understanding Port Fast

Understanding BPDU Guard

Understanding BPDU Filtering

Understanding UplinkFast

Understanding Cross-Stack UplinkFast

How CSUF Works

Events that Cause Fast Convergence

Limitations

Connecting the Stack Ports

Understanding BackboneFast

Understanding EtherChannel Guard

Understanding Root Guard

Understanding Loop Guard

Configuring Optional Spanning-Tree Features

Default Optional Spanning-Tree Configuration

Optional Spanning-Tree Configuration Guidelines

Enabling Port Fast

Enabling BPDU Guard

Enabling BPDU Filtering

Enabling UplinkFast for Use with Redundant Links

Enabling Cross-Stack UplinkFast

Enabling BackboneFast

Enabling EtherChannel Guard

Enabling Root Guard

Enabling Loop Guard

Displaying the Spanning-Tree Status

C H A P T E R 18 Configuring Flex Links and the MAC Address-Table Move Update Feature 18-1

Understanding Flex Links and the MAC Address-Table Move Update

Flex Links

MAC Address-Table Move Update

Configuring Flex Links and MAC Address-Table Move Update

Configuration Guidelines

Default Configuration

Contents

Configuring Flex Links and MAC Address-Table Move Update

Configuring Flex Links

Configuring the MAC Address-Table Move Update Feature

Monitoring Flex Links and the MAC Address-Table Move Update

C H A P T E R 19 Configuring DHCP Features 18-1

Understanding DHCP Features

DHCP Server

DHCP Relay Agent

DHCP Snooping

Option-82 Data Insertion

Cisco IOS DHCP Server Database

DHCP Snooping Binding Database

Configuring DHCP Features

Default DHCP Configuration

DHCP Snooping Configuration Guidelines

Upgrading from a Previous Software Release

Configuring the DHCP Server

Enabling Only the DHCP Relay Agent

Enabling the DHCP Relay Agent and Option 82

Validating the Relay Agent Information Option 82

Configuring the Reforwarding Policy

Specifying the Packet Forwarding Address

Enabling DHCP Snooping and Option 82

Enabling DHCP Snooping on Private VLANs

Enabling the Cisco IOS DHCP Server Database

Enabling the DHCP Snooping Binding Database Agent

Displaying DHCP Information

Understanding IP Source Guard

Source IP Address Filtering

Source IP and MAC Address Filtering

Configuring IP Source Guard

Default IP Source Guard Configuration

IP Source Guard Configuration Guidelines

Enabling IP Source Guard

Displaying IP Source Guard Information

Contents

C H A P T E R 20 Configuring Dynamic ARP Inspection 19-1

Understanding Dynamic ARP Inspection

Interface Trust States and Network Security

Rate Limiting of ARP Packets

Relative Priority of ARP ACLs and DHCP Snooping Entries

Logging of Dropped Packets

Configuring Dynamic ARP Inspection

Default Dynamic ARP Inspection Configuration

Dynamic ARP Inspection Configuration Guidelines

Configuring Dynamic ARP Inspection in DHCP Environments

Configuring ARP ACLs for Non-DHCP Environments

Limiting the Rate of Incoming ARP Packets

Performing Validation Checks

Configuring the Log Buffer

Displaying Dynamic ARP Inspection Information

C H A P T E R 21 Configuring IGMP Snooping and MVR 20-1

Understanding IGMP Snooping

IGMP Versions

Joining a Multicast Group

Leaving a Multicast Group

Immediate-Leave Processing

IGMP Configurable-Leave Timer

IGMP Report Suppression

Source-Only Networks

Configuring IGMP Snooping

Default IGMP Snooping Configuration

Enabling or Disabling IGMP Snooping

Setting the Snooping Method

Configuring a Multicast Router Port

Configuring a Host Statically to Join a Group

Enabling IGMP Immediate-Leave Processing

Configuring the IGMP Leave Timer

Configuring TCN-Related Commands

Controlling the Multicast Flooding Time After a TCN Event

Recovering from Flood Mode

Disabling Multicast Flooding During a TCN Event

Disabling IGMP Report Suppression

Configuring the Aging Time

Contents

Displaying IGMP Snooping Information

Understanding Multicast VLAN Registration

Using MVR in a Multicast Television Application

Configuring MVR

Default MVR Configuration

MVR Configuration Guidelines and Limitations

Configuring MVR Global Parameters

Configuring MVR Interfaces

Displaying MVR Information

Configuring IGMP Filtering and Throttling

Default IGMP Filtering and Throttling Configuration

Configuring IGMP Profiles

Applying IGMP Profiles

Setting the Maximum Number of IGMP Groups

Configuring the IGMP Throttling Action

Displaying IGMP Filtering and Throttling Configuration

C H A P T E R 22 Configuring Port-Based Traffic Control 21-1

Configuring Storm Control

Understanding Storm Control

Default Storm Control Configuration

Configuring Storm Control and Threshold Levels

Configuring Protected Ports

Configuring Port Blocking

Blocking Flooded Traffic on an Interface

Resuming Normal Forwarding on a Port

Configuring Port Security

Understanding Port Security

Secure MAC Addresses

Security Violations

Default Port Security Configuration

Port Security Configuration Guidelines

Enabling and Configuring Port Security

Enabling and Configuring Port Security Aging

Displaying Port-Based Traffic Control Settings

Contents

C H A P T E R 23 Configuring CDP 22-1

Understanding CDP

Configuring CDP

Default CDP Configuration

Configuring the CDP Characteristics

Disabling and Enabling CDP

Disabling and Enabling CDP on an Interface

Monitoring and Maintaining CDP

C H A P T E R 24 Configuring UDLD 23-1

Understanding UDLD

Modes of Operation

Methods to Detect Unidirectional Links

Configuring UDLD

Default UDLD Configuration

Configuration Guidelines

Enabling UDLD Globally

Enabling UDLD on an Interface

Resetting an Interface Shut Down by UDLD

Displaying UDLD Status

C H A P T E R 25 Configuring SPAN and RSPAN 24-1

Understanding SPAN and RSPAN

SPAN and RSPAN Concepts and Terminology

SPAN Session

Traffic Types

Source Port

Destination Port

Reflector Port

VLAN-Based SPAN

SPAN Traffic

SPAN and RSPAN Interaction with Other Features

SPAN and RSPAN Session Limits

Default SPAN and RSPAN Configuration

Configuring SPAN

SPAN Configuration Guidelines

Creating a SPAN Session and Specifying Ports to Monitor

Creating a SPAN Session and Enabling Ingress Traffic

Contents

Removing Ports from a SPAN Session

Specifying VLANs to Monitor

Specifying VLANs to Filter

Configuring RSPAN

RSPAN Configuration Guidelines

Configuring a VLAN as an RSPAN VLAN

Creating an RSPAN Source Session

Creating an RSPAN Destination Session

Creating an RSPAN Destination Session and Enabling Ingress Traffic

Removing Ports from an RSPAN Session

Specifying VLANs to Monitor

Specifying VLANs to Filter

Displaying SPAN and RSPAN Status

C H A P T E R 26 Configuring RMON 25-1

Understanding RMON

Configuring RMON

Default RMON Configuration

Configuring RMON Alarms and Events

Configuring RMON Collection on an Interface

Displaying RMON Status

C H A P T E R 27 Configuring System Message Logging 26-1

Understanding System Message Logging

Configuring System Message Logging

System Log Message Format

Default System Message Logging Configuration

Disabling and Enabling Message Logging

Setting the Message Display Destination Device

Synchronizing Log Messages

Enabling and Disabling Timestamps on Log Messages

Enabling and Disabling Sequence Numbers in Log Messages

Defining the Message Severity Level

Limiting Syslog Messages Sent to the History Table and to SNMP

Configuring UNIX Syslog Servers

Logging Messages to a UNIX Syslog Daemon

Configuring the UNIX System Logging Facility

Displaying the Logging Configuration

Contents

C H A P T E R 28 Configuring SNMP 27-1

Understanding SNMP

SNMP Versions

SNMP Manager Functions

SNMP Agent Functions

SNMP Community Strings

Using SNMP to Access MIB Variables

SNMP Notifications

SNMP ifIndex MIB Object Values

Configuring SNMP

Default SNMP Configuration

SNMP Configuration Guidelines

Disabling the SNMP Agent

Configuring Community Strings

Configuring SNMP Groups and Users

Configuring SNMP Notifications

Configuring SNMP Trap Notification Priority

Setting the Agent Contact and Location Information

Limiting TFTP Servers Used Through SNMP

SNMP Examples

Displaying SNMP Status

C H A P T E R 29 Configuring Network Security with ACLs 28-1

Understanding ACLs

Supported ACLs

Router ACLs

Port ACLs

VLAN Maps

Handling Fragmented and Unfragmented Traffic

Configuring IP ACLs

Hardware and Software Handling of Router ACLs

Configuration Guidelines for Input Router ACLs

Unsupported Features

Creating Standard and Extended IP ACLs

Access List Numbers

Creating a Numbered Standard ACL

Creating a Numbered Extended ACL

Resequencing ACEs in an ACL

Creating Named Standard and Extended IP ACLs

Contents

Using Time Ranges with ACLs

Including Comments in ACLs

Applying an IP ACL to an Interface or Terminal Line

IP ACL Configuration Examples

Numbered ACLs

Extended ACLs

Named ACLs

Time Range Applied to an IP ACL

Commented IP ACL Entries

ACL Logging

Configuring Named MAC Extended ACLs

Applying a MAC ACL to a Layer 2 Interface

Configuring VLAN Maps

VLAN Map Configuration Guidelines

Creating a VLAN Map

Examples of ACLs and VLAN Maps

Applying a VLAN Map to a VLAN

Using VLAN Maps in Your Network

Wiring Closet Configuration

Denying Access to a Server on Another VLAN

Using VLAN Maps with Router ACLs

Guidelines for Using Router ACLs and VLAN Maps

Examples of Router ACLs and VLAN Maps Applied to VLANs

ACLs and Switched Packets

ACLs and Bridged Packets

ACLs and Routed Packets

ACLs and Multicast Packets

Displaying ACL Information

Displaying ACL Configuration

Displaying ACL Resource Usage and Configuration Problems

Configuration Conflicts

ACL Configuration Fitting in Hardware

TCAM Usage

Contents

C H A P T E R 30 Configuring QoS 29-1

Understanding QoS

Basic QoS Model

Classification

Classification Based on QoS ACLs

Classification Based on Class Maps and Policy Maps

Policing and Marking

Mapping Tables

Queueing and Scheduling

Queueing and Scheduling on Gigabit-Capable Ports

Queueing and Scheduling on 10/100 Ethernet Ports

Packet Modification

Configuring Auto-QoS

Generated Auto-QoS Configuration

Effects of Auto-QoS on the Configuration

Configuration Guidelines

Upgrading from a Previous Software Release

Enabling Auto-QoS for VoIP

Displaying Auto-QoS Information

Auto-QoS Configuration Example

Configuring Standard QoS

Default Standard QoS Configuration

Standard QoS Configuration Guidelines

Enabling QoS Globally

Configuring Classification By Using Port Trust States

Configuring the Trust State on Ports within the QoS Domain

Configuring the CoS Value for an Interface

Configuring a Trusted Boundary to Ensure Port Security

Enabling Pass-Through Mode

Configuring the DSCP Trust State on a Port Bordering Another QoS Domain

Configuring a QoS Policy

Classifying Traffic by Using ACLs

Classifying Traffic on a Physical-Port Basis by Using Class Maps

Classifying Traffic on a Per-Port Per-VLAN Basis by Using Class Maps

Classifying, Policing, and Marking Traffic by Using Policy Maps

Classifying, Policing, and Marking Traffic by Using Aggregate Policers

Configuring DSCP Maps

Configuring the CoS-to-DSCP Map

Configuring the IP-Precedence-to-DSCP Map

Contents

Configuring the Policed-DSCP Map

Configuring the DSCP-to-CoS Map

Configuring the DSCP-to-DSCP-Mutation Map

Configuring Egress Queues on Gigabit-Capable Ethernet Ports

Mapping CoS Values to Select Egress Queues

Configuring the Egress Queue Size Ratios

Configuring Tail-Drop Threshold Percentages

Configuring WRED Drop Thresholds Percentages

Configuring the Egress Expedite Queue

Allocating Bandwidth among Egress Queues

Configuring Egress Queues on 10/100 Ethernet Ports

Mapping CoS Values to Select Egress Queues

Configuring the Minimum-Reserve Levels

Configuring the Egress Expedite Queue

Allocating Bandwidth among Egress Queues

Displaying Standard QoS Information

Standard QoS Configuration Examples

QoS Configuration for the Existing Wiring Closet

QoS Configuration for the Intelligent Wiring Closet

QoS Configuration for the Distribution Layer

C H A P T E R 31 Configuring EtherChannels 30-1

Understanding EtherChannels

Understanding Port-Channel Interfaces

Understanding the Port Aggregation Protocol and Link Aggregation Protocol

PAgP and LACP Modes

Physical Learners and Aggregate-Port Learners

PAgP and LACP Interaction with Other Features

EtherChannel On Mode

Understanding Load Balancing and Forwarding Methods

Configuring EtherChannels

Default EtherChannel Configuration

EtherChannel Configuration Guidelines

Configuring Layer 2 EtherChannels

Configuring Layer 3 EtherChannels

Creating Port-Channel Logical Interfaces

Configuring the Physical Interfaces

Configuring EtherChannel Load Balancing

Configuring the PAgP Learn Method and Priority

Contents

Configuring the LACP Port Priority

Configuring Hot Standby Ports

Configuring the LACP System Priority

Displaying EtherChannel, PAgP, and LACP Status

C H A P T E R 32 Configuring IP Unicast Routing 31-1

Understanding IP Routing

Steps for Configuring Routing

Configuring IP Addressing on Layer 3 Interfaces

Default Addressing Configuration

Assigning IP Addresses to Network Interfaces

Use of Subnet Zero

Classless Routing

Configuring Address Resolution Methods

Define a Static ARP Cache

Set ARP Encapsulation

Enable Proxy ARP

Routing Assistance When IP Routing is Disabled

Proxy ARP

Default Gateway

ICMP Router Discovery Protocol (IRDP)

Configuring Broadcast Packet Handling

Enabling Directed Broadcast-to-Physical Broadcast Translation

Forwarding UDP Broadcast Packets and Protocols

Establishing an IP Broadcast Address

Flooding IP Broadcasts

Monitoring and Maintaining IP Addressing

Enabling IP Unicast Routing

Configuring RIP

Default RIP Configuration

Configuring Basic RIP Parameters

Configuring RIP Authentication

Configuring Summary Addresses and Split Horizon

Configuring OSPF

Default OSPF Configuration

Nonstop Forwarding Awareness

Configuring Basic OSPF Parameters

Configuring OSPF Interfaces

Configuring OSPF Area Parameters

Contents

Configuring Other OSPF Parameters

Changing LSA Group Pacing

Configuring a Loopback Interface

Monitoring OSPF

Configuring EIGRP

Default EIGRP Configuration

Nonstop Forwarding Awareness

Configuring Basic EIGRP Parameters

Configuring EIGRP Interfaces

Configuring EIGRP Route Authentication

EIGRP Stub Routing

Monitoring and Maintaining EIGRP

Configuring BGP

Default BGP Configuration

Nonstop Forwarding Awareness

Enabling BGP Routing

Managing Routing Policy Changes

Configuring BGP Decision Attributes

Configuring BGP Filtering with Route Maps

Configuring BGP Filtering by Neighbor

Configuring Prefix Lists for BGP Filtering

Configuring BGP Community Filtering

Configuring BGP Neighbors and Peer Groups

Configuring Aggregate Addresses

Configuring a Routing Domain Confederation

Configuring BGP Route Reflectors

Configuring Route Dampening

Monitoring and Maintaining BGP

Configuring Multi-VRF CE

Understanding Multi-VRF CE

Default Multi-VRF CE Configuration

Multi-VRF CE Configuration Guidelines

Configuring VRFs

Configuring a VPN Routing Session

Configuring BGP PE to CE Routing Sessions

Multi-VRF CE Configuration Example

Displaying Multi-VRF CE Status

Contents

Configuring Protocol-Independent Features

Configuring Cisco Express Forwarding

Configuring the Number of Equal-Cost Routing Paths

Configuring Static Unicast Routes

Specifying Default Routes and Networks

Using Route Maps to Redistribute Routing Information

Configuring Policy-Based Routing

PBR Configuration Guidelines

Enabling PBR

Filtering Routing Information

Setting Passive Interfaces

Controlling Advertising and Processing in Routing Updates

Filtering Sources of Routing Information

Managing Authentication Keys

Monitoring and Maintaining the IP Network

C H A P T E R 33 Configuring HSRP 32-1

Understanding HSRP

Configuring HSRP

Default HSRP Configuration

HSRP Configuration Guidelines and Limitations

Enabling HSRP

Configuring HSRP Priority

Configuring HSRP Authentication and Timers

Configuring HSRP Groups and Clustering

Displaying HSRP Configurations

C H A P T E R 34 Configuring Web Cache Services By Using WCCP 33-1

Understanding WCCP

WCCP Message Exchange

WCCP Negotiation

MD5 Security

Packet Redirection

Unsupported WCCPv2 Features

Contents

Configuring WCCP

Default WCCP Configuration

WCCP Configuration Guidelines

Enabling the Web Cache Service, Setting the Password, and Redirecting Traffic Received From a Client

Monitoring and Maintaining WCCP

C H A P T E R 35 Configuring IP Multicast Routing 34-1

Understanding Cisco’s Implementation of IP Multicast Routing

Understanding IGMP

IGMP Version 1

IGMP Version 2

Understanding PIM

PIM Versions

PIM Modes

Auto-RP

Bootstrap Router

Multicast Forwarding and Reverse Path Check

Understanding DVMRP

Understanding CGMP

Configuring IP Multicast Routing

Default Multicast Routing Configuration

Multicast Routing Configuration Guidelines

PIMv1 and PIMv2 Interoperability

Auto-RP and BSR Configuration Guidelines

Configuring Basic Multicast Routing

Configuring a Rendezvous Point

Manually Assigning an RP to Multicast Groups

Configuring Auto-RP

Configuring PIMv2 BSR

Using Auto-RP and a BSR

Monitoring the RP Mapping Information

Troubleshooting PIMv1 and PIMv2 Interoperability Problems

Configuring Advanced PIM Features

Understanding PIM Shared Tree and Source Tree

Delaying the Use of PIM Shortest-Path Tree

Modifying the PIM Router-Query Message Interval

Contents

Configuring Optional IGMP Features

Default IGMP Configuration

Configuring the Multilayer Switch as a Member of a Group

Controlling Access to IP Multicast Groups

Changing the IGMP Version

Modifying the IGMP Host-Query Message Interval

Changing the IGMP Query Timeout for IGMPv2

Changing the Maximum Query Response Time for IGMPv2

Configuring the Multilayer Switch as a Statically Connected Member

Configuring Optional Multicast Routing Features

Enabling CGMP Server Support

Configuring sdr Listener Support

Enabling sdr Listener Support

Limiting How Long an sdr Cache Entry Exists

Configuring the TTL Threshold

Configuring an IP Multicast Boundary

Configuring Basic DVMRP Interoperability Features

Configuring DVMRP Interoperability

Configuring a DVMRP Tunnel

Advertising Network 0.0.0.0 to DVMRP Neighbors

Responding to mrinfo Requests

Configuring Advanced DVMRP Interoperability Features

Enabling DVMRP Unicast Routing

Rejecting a DVMRP Nonpruning Neighbor

Controlling Route Exchanges

Limiting the Number of DVMRP Routes Advertised

Changing the DVMRP Route Threshold

Configuring a DVMRP Summary Address

Disabling DVMRP Autosummarization

Adding a Metric Offset to the DVMRP Route

Monitoring and Maintaining IP Multicast Routing

Clearing Caches, Tables, and Databases

Displaying System and Network Statistics

Monitoring IP Multicast Routing

Contents

C H A P T E R 36 Configuring MSDP 35-1

Understanding MSDP

MSDP Operation

MSDP Benefits

Configuring MSDP

Default MSDP Configuration

Configuring a Default MSDP Peer

Caching Source-Active State

Requesting Source Information from an MSDP Peer

Controlling Source Information that Your Switch Originates

Redistributing Sources

Filtering Source-Active Request Messages

Controlling Source Information that Your Switch Forwards

Using a Filter

Using TTL to Limit the Multicast Data Sent in SA Messages

Controlling Source Information that Your Switch Receives

Configuring an MSDP Mesh Group

Shutting Down an MSDP Peer

Including a Bordering PIM Dense-Mode Region in MSDP

Configuring an Originating Address other than the RP Address

Monitoring and Maintaining MSDP

C H A P T E R 37 Configuring Fallback Bridging 36-1

Understanding Fallback Bridging

Configuring Fallback Bridging

Default Fallback Bridging Configuration

Fallback Bridging Configuration Guidelines

Creating a Bridge Group

Preventing the Forwarding of Dynamically Learned Stations

Configuring the Bridge Table Aging Time

Filtering Frames by a Specific MAC Address

Adjusting Spanning-Tree Parameters

Changing the Switch Priority

Changing the Interface Priority

Assigning a Path Cost

Adjusting BPDU Intervals

Disabling the Spanning Tree on an Interface

Monitoring and Maintaining Fallback Bridging