Catalyst 3560 Switch Software Configuration Guide

Corporate Headquarters Cisco Systems, Inc.

170 West Tasman Drive San Jose, CA 95134-1706 USA

http://www.cisco.com Tel: 408 526-4000

800 553-NETS (6387) Fax: 408 526-4100

Catalyst 3560 Switch Software Configuration Guide

Cisco IOS Release 12.2(25)SEC July 2005

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT

LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0502R)

Catalyst 3560 Switch Software Configuration Guide

© 2004–2005 Cisco Systems, Inc. All rights reserved.

C O N T E N T S

Preface xxxvii

Audience

Purpose

Conventions

Related Publications

Obtaining Documentation

Cisco.com

Product Documentation DVD

Ordering Documentation

Documentation Feedback

Cisco Product Security Overview

Reporting Security Problems in Cisco Products

Obtaining Technical Assistance

Cisco Technical Support & Documentation Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information

C H A P T E R 1 Overview 1-1

Features

Ease-of-Use and Ease-of-Deployment Features

Performance Features

Management Options

Manageability Features

Availability Features

VLAN Features

Security Features

QoS and CoS Features

Layer 3 Features

Power over Ethernet Features

Monitoring Features

Default Settings After Initial Switch Configuration

Network Configuration Examples

Design Concepts for Using the Switch

Small to Medium-Sized Network Using Catalyst 3560 Switches

Large Network Using Catalyst 3560 Switches

Long-Distance, High-Bandwidth Transport Configuration

Where to Go Next

C H A P T E R 2 Using the Command-Line Interface 2-1

Understanding Command Modes

Understanding the Help System

Understanding Abbreviated Commands

Understanding no and default Forms of Commands

Understanding CLI Error Messages

Using Configuration Logging

Using Command History

Changing the Command History Buffer Size

Recalling Commands

Disabling the Command History Feature

Using Editing Features

Enabling and Disabling Editing Features

Editing Commands through Keystrokes

Editing Command Lines that Wrap

Searching and Filtering Output of show and more Commands

Accessing the CLI

Accessing the CLI through a Console Connection or through Telnet

C H A P T E R 3 Assigning the Switch IP Address and Default Gateway 3-1

Understanding the Boot Process

Assigning Switch Information

Default Switch Information

Understanding DHCP-Based Autoconfiguration

DHCP Client Request Process

Configuring DHCP-Based Autoconfiguration

DHCP Server Configuration Guidelines

Configuring the TFTP Server

Configuring the DNS

Configuring the Relay Device

Contents

Obtaining Configuration Files

Example Configuration

Manually Assigning IP Information

Checking and Saving the Running Configuration

Modifying the Startup Configuration

Default Boot Configuration

Automatically Downloading a Configuration File

Specifying the Filename to Read and Write the System Configuration

Booting Manually

Booting a Specific Software Image

Controlling Environment Variables

Scheduling a Reload of the Software Image

Configuring a Scheduled Reload

Displaying Scheduled Reload Information

C H A P T E R 4 Configuring IE2100 CNS Agents 4-1

Understanding IE2100 Series Configuration Registrar Software

CNS Configuration Service

CNS Event Service

NameSpace Mapper

What You Should Know About ConfigID, DeviceID, and Hostname

ConfigID

DeviceID

Hostname and DeviceID

Using Hostname, DeviceID, and ConfigID

Understanding CNS Embedded Agents

Initial Configuration

Incremental (Partial) Configuration

Synchronized Configuration

Configuring CNS Embedded Agents

Enabling Automated CNS Configuration

Enabling the CNS Event Agent

Enabling the CNS Configuration Agent

Enabling an Initial Configuration

Enabling a Partial Configuration

Displaying CNS Configuration

C H A P T E R 5 Clustering Switches 5-1

Understanding Switch Clusters

Clustering Overview

Cluster Command Switch Characteristics

Standby Cluster Command Switch Characteristics

Candidate Switch and Cluster Member Switch Characteristics

Using the CLI to Manage Switch Clusters

Catalyst 1900 and Catalyst 2820 CLI Considerations

Using SNMP to Manage Switch Clusters

C H A P T E R 6 Administering the Switch 6-1

Managing the System Time and Date

Understanding the System Clock

Understanding Network Time Protocol

Configuring NTP

Default NTP Configuration

Configuring NTP Authentication

Configuring NTP Associations

Configuring NTP Broadcast Service

Configuring NTP Access Restrictions

Configuring the Source IP Address for NTP Packets

Displaying the NTP Configuration

Configuring Time and Date Manually

Setting the System Clock

Displaying the Time and Date Configuration

Configuring the Time Zone

Configuring Summer Time (Daylight Saving Time)

Configuring a System Name and Prompt

Default System Name and Prompt Configuration

Configuring a System Name

Understanding DNS

Default DNS Configuration

Setting Up DNS

Displaying the DNS Configuration

Creating a Banner

Default Banner Configuration

Configuring a Message-of-the-Day Login Banner

Configuring a Login Banner

Contents

Managing the MAC Address Table

Building the Address Table

MAC Addresses and VLANs

Default MAC Address Table Configuration

Changing the Address Aging Time

Removing Dynamic Address Entries

Configuring MAC Address Notification Traps

Adding and Removing Static Address Entries

Configuring Unicast MAC Address Filtering

Displaying Address Table Entries

Managing the ARP Table

C H A P T E R 7 Configuring SDM Templates 7-1

Understanding the SDM Templates

Dual IPv4 and IPv6 SDM Templates

Configuring the Switch SDM Template

Default SDM Template

SDM Template Configuration Guidelines

Setting the SDM Template

Displaying the SDM Templates

C H A P T E R 8 Configuring Switch-Based Authentication 8-1

Preventing Unauthorized Access to Your Switch

Protecting Access to Privileged EXEC Commands

Default Password and Privilege Level Configuration

Setting or Changing a Static Enable Password

Protecting Enable and Enable Secret Passwords with Encryption

Disabling Password Recovery

Setting a Telnet Password for a Terminal Line

Configuring Username and Password Pairs

Configuring Multiple Privilege Levels

Setting the Privilege Level for a Command

Changing the Default Privilege Level for Lines

Logging into and Exiting a Privilege Level

Controlling Switch Access with TACACS+

Understanding TACACS+

TACACS+ Operation

Configuring TACACS+

Default TACACS+ Configuration

Identifying the TACACS+ Server Host and Setting the Authentication Key

Configuring TACACS+ Login Authentication

Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services

Starting TACACS+ Accounting

Displaying the TACACS+ Configuration

Controlling Switch Access with RADIUS

Understanding RADIUS

RADIUS Operation

Configuring RADIUS

Default RADIUS Configuration

Identifying the RADIUS Server Host

Configuring RADIUS Login Authentication

Defining AAA Server Groups

Configuring RADIUS Authorization for User Privileged Access and Network Services

Starting RADIUS Accounting

Configuring Settings for All RADIUS Servers

Configuring the Switch to Use Vendor-Specific RADIUS Attributes

Configuring the Switch for Vendor-Proprietary RADIUS Server Communication

Displaying the RADIUS Configuration

Controlling Switch Access with Kerberos

Understanding Kerberos

Kerberos Operation

Authenticating to a Boundary Switch

Obtaining a TGT from a KDC

Authenticating to Network Services

Configuring Kerberos

Configuring the Switch for Local Authentication and Authorization

Configuring the Switch for Secure Shell

Understanding SSH

SSH Servers, Integrated Clients, and Supported Versions

Limitations

Configuring SSH

Configuration Guidelines

Setting Up the Switch to Run SSH

Configuring the SSH Server

Displaying the SSH Configuration and Status

Contents

Configuring the Switch for Secure Socket Layer HTTP

Understanding Secure HTTP Servers and Clients

Certificate Authority Trustpoints

CipherSuites

Configuring Secure HTTP Servers and Clients

Default SSL Configuration

SSL Configuration Guidelines

Configuring a CA Trustpoint

Configuring the Secure HTTP Server

Configuring the Secure HTTP Client

Displaying Secure HTTP Server and Client Status

Configuring the Switch for Secure Copy Protocol

C H A P T E R 9 Configuring IEEE 802.1x Port-Based Authentication 9-1

Understanding IEEE 802.1x Port-Based Authentication

Device Roles

Authentication Initiation and Message Exchange

Ports in Authorized and Unauthorized States

IEEE 802.1x Accounting

IEEE 802.1x Accounting Attribute-Value Pairs

IEEE 802.1x Host Mode

Using IEEE 802.1x with Port Security

Using IEEE 802.1x with Voice VLAN Ports

Using IEEE 802.1x with VLAN Assignment

Using IEEE 802.1x with Guest VLAN

Using IEEE 802.1x with Wake-on-LAN

Unidirectional State

Bidirectional State

Using IEEE 802.1x with Per-User ACLs

Configuring IEEE 802.1x Authentication

Default IEEE 802.1x Configuration

IEEE 802.1x Configuration Guidelines

Configuring IEEE 802.1x Authentication

Configuring the Switch-to-RADIUS-Server Communication

Configuring IEEE 802.1x Authentication Using a RADIUS Server

Configuring Periodic Re-Authentication

Manually Re-Authenticating a Client Connected to a Port

Changing the Quiet Period

Changing the Switch-to-Client Retransmission Time

Setting the Switch-to-Client Frame-Retransmission Number

Setting the Re-Authentication Number

Configuring the Host Mode

Configuring a Guest VLAN

Resetting the IEEE 802.1x Configuration to the Default Values

Configuring IEEE 802.1x Accounting

Displaying IEEE 802.1x Statistics and Status

C H A P T E R 10 Configuring Interface Characteristics 10-1

Understanding Interface Types

Port-Based VLANs

Switch Ports

Access Ports

Trunk Ports

Tunnel Ports

Routed Ports

Switch Virtual Interfaces

EtherChannel Port Groups

Power over Ethernet Ports

Supported Protocols and Standards

Powered-Device Detection and Initial Power Allocation

Power Management Modes

Connecting Interfaces

Using Interface Configuration Mode

Procedures for Configuring Interfaces

Configuring a Range of Interfaces

Configuring and Using Interface Range Macros

Configuring Ethernet Interfaces

Default Ethernet Interface Configuration

Configuring Interface Speed and Duplex Mode

Configuration Guidelines

Setting the Interface Speed and Duplex Parameters

Configuring IEEE 802.3z Flow Control

Configuring Auto-MDIX on an Interface

Configuring a Power Management Mode on a PoE Port

Adding a Description for an Interface

Configuring Layer 3 Interfaces

Configuring the System MTU

Contents

Monitoring Interface Status

Clearing and Resetting Interfaces and Counters

Shutting Down and Restarting the Interface

C H A P T E R 11 Configuring Smartports Macros 11-1

Understanding Smartports Macros

Configuring Smartports Macros

Default Smartports Macro Configuration

Smartports Macro Configuration Guidelines

Creating Smartports Macros

Applying Smartports Macros

Applying Cisco-Default Smartports Macros

Displaying Smartports Macros

C H A P T E R 12 Configuring VLANs 12-1

Understanding VLANs

Supported VLANs

VLAN Port Membership Modes

Configuring Normal-Range VLANs

Token Ring VLANs

Normal-Range VLAN Configuration Guidelines

VLAN Configuration Mode Options

VLAN Configuration in config-vlan Mode

VLAN Configuration in VLAN Database Configuration Mode

Saving VLAN Configuration

Default Ethernet VLAN Configuration

Creating or Modifying an Ethernet VLAN

Deleting a VLAN

Assigning Static-Access Ports to a VLAN

Configuring Extended-Range VLANs

Default VLAN Configuration

Extended-Range VLAN Configuration Guidelines

Creating an Extended-Range VLAN

Creating an Extended-Range VLAN with an Internal VLAN ID

Displaying VLANs

Configuring VLAN Trunks

Trunking Overview

Encapsulation Types

IEEE 802.1Q Configuration Considerations

Default Layer 2 Ethernet Interface VLAN Configuration

Configuring an Ethernet Interface as a Trunk Port

Interaction with Other Features

Configuring a Trunk Port

Defining the Allowed VLANs on a Trunk

Changing the Pruning-Eligible List

Configuring the Native VLAN for Untagged Traffic

Configuring Trunk Ports for Load Sharing

Load Sharing Using STP Port Priorities

Load Sharing Using STP Path Cost

Configuring VMPS

Understanding VMPS

Dynamic-Access Port VLAN Membership

Default VMPS Client Configuration

VMPS Configuration Guidelines

Configuring the VMPS Client

Entering the IP Address of the VMPS

Configuring Dynamic-Access Ports on VMPS Clients

Reconfirming VLAN Memberships

Changing the Reconfirmation Interval

Changing the Retry Count

Monitoring the VMPS

Troubleshooting Dynamic-Access Port VLAN Membership

VMPS Configuration Example

C H A P T E R 13 Configuring VTP 13-1

Understanding VTP

The VTP Domain

VTP Modes

VTP Advertisements

VTP Version 2

VTP Pruning

Contents

Configuring VTP

Default VTP Configuration

VTP Configuration Options

VTP Configuration in Global Configuration Mode

VTP Configuration in VLAN Database Configuration Mode

VTP Configuration Guidelines

Domain Names

Passwords

VTP Version

Configuration Requirements

Configuring a VTP Server

Configuring a VTP Client

Disabling VTP (VTP Transparent Mode)

Enabling VTP Version 2

Enabling VTP Pruning

Adding a VTP Client Switch to a VTP Domain

Monitoring VTP

C H A P T E R 14 Configuring Private VLANs 14-1

Understanding Private VLANs

IP Addressing Scheme with Private VLANs

Private VLANs across Multiple Switches

Private-VLAN Interaction with Other Features

Private VLANs and Unicast, Broadcast, and Multicast Traffic

Private VLANs and SVIs

Configuring Private VLANs

Tasks for Configuring Private VLANs

Default Private-VLAN Configuration

Private-VLAN Configuration Guidelines

Secondary and Primary VLAN Configuration

Private-VLAN Port Configuration

Limitations with Other Features

Configuring and Associating VLANs in a Private VLAN

Configuring a Layer 2 Interface as a Private-VLAN Host Port

Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port

Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface

Monitoring Private VLANs

C H A P T E R 15 Configuring Voice VLAN 15-1

Understanding Voice VLAN

Cisco IP Phone Voice Traffic

Cisco IP Phone Data Traffic

Configuring Voice VLAN

Default Voice VLAN Configuration

Voice VLAN Configuration Guidelines

Configuring a Port Connected to a Cisco 7960 IP Phone

Configuring IP Phone Voice Traffic

Configuring the Priority of Incoming Data Frames

Displaying Voice VLAN

C H A P T E R 16 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling 16-1

Understanding IEEE 802.1Q Tunneling

Configuring IEEE 802.1Q Tunneling

Default IEEE 802.1Q Tunneling Configuration

IEEE 802.1Q Tunneling Configuration Guidelines

Native VLANs

System MTU

IEEE 802.1Q Tunneling and Other Features

Configuring an IEEE 802.1Q Tunneling Port

Understanding Layer 2 Protocol Tunneling

Configuring Layer 2 Protocol Tunneling

Default Layer 2 Protocol Tunneling Configuration

Layer 2 Protocol Tunneling Configuration Guidelines

Configuring Layer 2 Protocol Tunneling

Configuring Layer 2 Tunneling for EtherChannels

Configuring the SP Edge Switch

Configuring the Customer Switch

Monitoring and Maintaining Tunneling Status

Contents

C H A P T E R 17 Configuring STP 17-1

Understanding Spanning-Tree Features

STP Overview

Spanning-Tree Topology and BPDUs

Bridge ID, Switch Priority, and Extended System ID

Spanning-Tree Interface States

Blocking State

Listening State

Learning State

Forwarding State

Disabled State

How a Switch or Port Becomes the Root Switch or Root Port

Spanning Tree and Redundant Connectivity

Spanning-Tree Address Management

Accelerated Aging to Retain Connectivity

Spanning-Tree Modes and Protocols

Supported Spanning-Tree Instances

Spanning-Tree Interoperability and Backward Compatibility

STP and IEEE 802.1Q Trunks

VLAN-Bridge Spanning Tree

Configuring Spanning-Tree Features

Default Spanning-Tree Configuration

Spanning-Tree Configuration Guidelines

Changing the Spanning-Tree Mode.

Disabling Spanning Tree

Configuring the Root Switch

Configuring a Secondary Root Switch

Configuring Port Priority

Configuring Path Cost

Configuring the Switch Priority of a VLAN

Configuring Spanning-Tree Timers

Configuring the Hello Time

Configuring the Forwarding-Delay Time for a VLAN

Configuring the Maximum-Aging Time for a VLAN

Configuring the Transmit Hold-Count

Displaying the Spanning-Tree Status

C H A P T E R 18 Configuring MSTP 18-1

Understanding MSTP

Multiple Spanning-Tree Regions

IST, CIST, and CST

Operations Within an MST Region

Operations Between MST Regions

IEEE 802.1s Terminology

Hop Count

Boundary Ports

IEEE 802.1s Implementation

Port Role Naming Change

Interoperation Between Legacy and Standard Switches

Detecting Unidirectional Link Failure

Interoperability with IEEE 802.1D STP

Understanding RSTP

Port Roles and the Active Topology

Rapid Convergence

Synchronization of Port Roles

Bridge Protocol Data Unit Format and Processing

Processing Superior BPDU Information

Processing Inferior BPDU Information

Topology Changes

Configuring MSTP Features

Default MSTP Configuration

MSTP Configuration Guidelines

Specifying the MST Region Configuration and Enabling MSTP

Configuring the Root Switch

Configuring a Secondary Root Switch

Configuring Port Priority

Configuring Path Cost

Configuring the Switch Priority

Configuring the Hello Time

Configuring the Forwarding-Delay Time

Configuring the Maximum-Aging Time

Configuring the Maximum-Hop Count

Specifying the Link Type to Ensure Rapid Transitions

Designating the Neighbor Type

Restarting the Protocol Migration Process

Displaying the MST Configuration and Status

Contents

C H A P T E R 19 Configuring Optional Spanning-Tree Features 19-1

Understanding Optional Spanning-Tree Features

Understanding Port Fast

Understanding BPDU Guard

Understanding BPDU Filtering

Understanding UplinkFast

Understanding BackboneFast

Understanding EtherChannel Guard

Understanding Root Guard

Understanding Loop Guard

Configuring Optional Spanning-Tree Features

Default Optional Spanning-Tree Configuration

Optional Spanning-Tree Configuration Guidelines

Enabling Port Fast

Enabling BPDU Guard

Enabling BPDU Filtering

Enabling UplinkFast for Use with Redundant Links

Enabling BackboneFast

Enabling EtherChannel Guard

Enabling Root Guard

Enabling Loop Guard

Displaying the Spanning-Tree Status

C H A P T E R 20 Configuring Flex Links 20-1

Understanding Flex Links

Configuring Flex Links

Default Flex Link Configuration

Flex Link Configuration Guidelines

Configuring Flex Links

Monitoring Flex Links

C H A P T E R 21 Configuring DHCP Features and IP Source Guard 21-1

Understanding DHCP Features

DHCP Server

DHCP Relay Agent

DHCP Snooping

Option-82 Data Insertion

Cisco IOS DHCP Server Database

DHCP Snooping Binding Database

Configuring DHCP Features

Default DHCP Configuration

DHCP Snooping Configuration Guidelines

Configuring the DHCP Server

Configuring the DHCP Relay Agent

Specifying the Packet Forwarding Address

Enabling DHCP Snooping and Option 82

Enabling DHCP Snooping on Private VLANs

Enabling the Cisco IOS DHCP Server Database

Enabling the DHCP Snooping Binding Database Agent

Displaying DHCP Snooping Information

Understanding IP Source Guard

Source IP Address Filtering

Source IP and MAC Address Filtering

Configuring IP Source Guard

Default IP Source Guard Configuration

IP Source Guard Configuration Guidelines

Enabling IP Source Guard

Displaying IP Source Guard Information

C H A P T E R 22 Configuring Dynamic ARP Inspection 22-1

Understanding Dynamic ARP Inspection

Interface Trust States and Network Security

Rate Limiting of ARP Packets

Relative Priority of ARP ACLs and DHCP Snooping Entries

Logging of Dropped Packets

Configuring Dynamic ARP Inspection

Default Dynamic ARP Inspection Configuration

Dynamic ARP Inspection Configuration Guidelines

Configuring Dynamic ARP Inspection in DHCP Environments

Configuring ARP ACLs for Non-DHCP Environments

Limiting the Rate of Incoming ARP Packets

Performing Validation Checks

Configuring the Log Buffer

Displaying Dynamic ARP Inspection Information

Contents

C H A P T E R 23 Configuring IGMP Snooping and MVR 23-1

Understanding IGMP Snooping

IGMP Versions

Joining a Multicast Group

Leaving a Multicast Group

Immediate Leave

IGMP Configurable-Leave Timer

IGMP Report Suppression

Configuring IGMP Snooping

Default IGMP Snooping Configuration

Enabling or Disabling IGMP Snooping

Setting the Snooping Method

Configuring a Multicast Router Port

Configuring a Host Statically to Join a Group

Enabling IGMP Immediate Leave

Configuring the IGMP Leave Timer

Configuring the IGMP Snooping Querier

Disabling IGMP Report Suppression

Displaying IGMP Snooping Information

Understanding Multicast VLAN Registration

Using MVR in a Multicast Television Application

Configuring MVR

Default MVR Configuration

MVR Configuration Guidelines and Limitations

Configuring MVR Global Parameters

Configuring MVR Interfaces

Displaying MVR Information

Configuring IGMP Filtering and Throttling

Default IGMP Filtering and Throttling Configuration

Configuring IGMP Profiles

Applying IGMP Profiles

Setting the Maximum Number of IGMP Groups

Configuring the IGMP Throttling Action

Displaying IGMP Filtering and Throttling Configuration

C H A P T E R 24 Configuring Port-Based Traffic Control 24-1

Configuring Storm Control

Understanding Storm Control

Default Storm Control Configuration

Configuring Storm Control and Threshold Levels

Configuring Protected Ports

Default Protected Port Configuration

Protected Port Configuration Guidelines

Configuring a Protected Port

Configuring Port Blocking

Default Port Blocking Configuration

Blocking Flooded Traffic on an Interface

Configuring Port Security

Understanding Port Security

Secure MAC Addresses

Security Violations

Default Port Security Configuration

Port Security Configuration Guidelines

Enabling and Configuring Port Security

Enabling and Configuring Port Security Aging

Displaying Port-Based Traffic Control Settings

C H A P T E R 25 Configuring CDP 26-1

Understanding CDP

Configuring CDP

Default CDP Configuration

Configuring the CDP Characteristics

Disabling and Enabling CDP

Disabling and Enabling CDP on an Interface

Monitoring and Maintaining CDP

C H A P T E R 26 Configuring UDLD 26-1

Understanding UDLD

Modes of Operation

Methods to Detect Unidirectional Links

Configuring UDLD

Default UDLD Configuration

Configuration Guidelines

Contents

Enabling UDLD Globally

Enabling UDLD on an Interface

Resetting an Interface Disabled by UDLD

Displaying UDLD Status

C H A P T E R 27 Configuring SPAN and RSPAN 27-1

Understanding SPAN and RSPAN

Local SPAN

Remote SPAN

SPAN and RSPAN Concepts and Terminology

SPAN Sessions

Monitored Traffic

Source Ports

Source VLANs

VLAN Filtering

Destination Port

RSPAN VLAN

SPAN and RSPAN Interaction with Other Features

Configuring SPAN and RSPAN

Default SPAN and RSPAN Configuration

Configuring Local SPAN

SPAN Configuration Guidelines

Creating a Local SPAN Session

Creating a Local SPAN Session and Configuring Ingress Traffic

Specifying VLANs to Filter

Configuring RSPAN

RSPAN Configuration Guidelines

Configuring a VLAN as an RSPAN VLAN

Creating an RSPAN Source Session

Creating an RSPAN Destination Session

Creating an RSPAN Destination Session and Configuring Ingress Traffic

Specifying VLANs to Filter

Displaying SPAN and RSPAN Status

C H A P T E R 28 Configuring RMON 28-1

Understanding RMON

Configuring RMON

Default RMON Configuration

Configuring RMON Alarms and Events

Collecting Group History Statistics on an Interface

Collecting Group Ethernet Statistics on an Interface

Displaying RMON Status

C H A P T E R 29 Configuring System Message Logging 29-1

Understanding System Message Logging

Configuring System Message Logging

System Log Message Format

Default System Message Logging Configuration

Disabling Message Logging

Setting the Message Display Destination Device

Synchronizing Log Messages

Enabling and Disabling Time Stamps on Log Messages

Enabling and Disabling Sequence Numbers in Log Messages

Defining the Message Severity Level

Limiting Syslog Messages Sent to the History Table and to SNMP

Configuring UNIX Syslog Servers

Logging Messages to a UNIX Syslog Daemon

Configuring the UNIX System Logging Facility

Displaying the Logging Configuration

C H A P T E R 30 Configuring SNMP 30-1

Understanding SNMP

SNMP Versions

SNMP Manager Functions

SNMP Agent Functions

SNMP Community Strings

Using SNMP to Access MIB Variables

SNMP Notifications

SNMP ifIndex MIB Object Values

Configuring SNMP

Default SNMP Configuration

SNMP Configuration Guidelines

Disabling the SNMP Agent

Configuring Community Strings

Configuring SNMP Groups and Users

Configuring SNMP Notifications

Setting the Agent Contact and Location Information

Contents

Limiting TFTP Servers Used Through SNMP

SNMP Examples

Displaying SNMP Status

C H A P T E R 31 Configuring Network Security with ACLs 31-1

Understanding ACLs

Supported ACLs

Port ACLs

Router ACLs

VLAN Maps

Handling Fragmented and Unfragmented Traffic

Configuring IPv4 ACLs

Creating Standard and Extended IPv4 ACLs

Access List Numbers

ACL Logging

Creating a Numbered Standard ACL

Creating a Numbered Extended ACL

Resequencing ACEs in an ACL

Creating Named Standard and Extended ACLs

Using Time Ranges with ACLs

Including Comments in ACLs

Applying an IPv4 ACL to a Terminal Line

Applying an IPv4 ACL to an Interface

Hardware and Software Treatment of IP ACLs

IPv4 ACL Configuration Examples

Numbered ACLs

Extended ACLs

Named ACLs

Time Range Applied to an IP ACL

Commented IP ACL Entries

ACL Logging

Creating Named MAC Extended ACLs

Applying a MAC ACL to a Layer 2 Interface

Configuring VLAN Maps

VLAN Map Configuration Guidelines

Creating a VLAN Map

Examples of ACLs and VLAN Maps

Applying a VLAN Map to a VLAN

Using VLAN Maps in Your Network

Wiring Closet Configuration

Denying Access to a Server on Another VLAN

Using VLAN Maps with Router ACLs

VLAN Maps and Router ACL Configuration Guidelines

Examples of Router ACLs and VLAN Maps Applied to VLANs

ACLs and Switched Packets

ACLs and Bridged Packets

ACLs and Routed Packets

ACLs and Multicast Packets

Displaying IPv4 ACL Configuration

C H A P T E R 32 Configuring QoS 32-1

Understanding QoS

Basic QoS Model

Classification

Classification Based on QoS ACLs

Classification Based on Class Maps and Policy Maps

Policing and Marking

Policing on Physical Ports

Policing on SVIs

Mapping Tables

Queueing and Scheduling Overview

Weighted Tail Drop

SRR Shaping and Sharing

Queueing and Scheduling on Ingress Queues

Queueing and Scheduling on Egress Queues

Packet Modification

Configuring Auto-QoS

Generated Auto-QoS Configuration

Effects of Auto-QoS on the Configuration

Auto-QoS Configuration Guidelines

Upgrading from a Previous Software Release

Enabling Auto-QoS for VoIP

Auto-QoS Configuration Example

Displaying Auto-QoS Information

Contents

Configuring Standard QoS

Default Standard QoS Configuration

Default Ingress Queue Configuration

Default Egress Queue Configuration

Default Mapping Table Configuration

Standard QoS Configuration Guidelines

QoS ACL Guidelines

Applying QoS on Interfaces

Policing Guidelines

General QoS Guidelines

Enabling QoS Globally

Enabling VLAN-Based QoS on Physical Ports

Configuring Classification Using Port Trust States

Configuring the Trust State on Ports within the QoS Domain

Configuring the CoS Value for an Interface

Configuring a Trusted Boundary to Ensure Port Security

Enabling DSCP Transparency Mode

Configuring the DSCP Trust State on a Port Bordering Another QoS Domain

Configuring a QoS Policy

Classifying Traffic by Using ACLs

Classifying Traffic by Using Class Maps

Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps

Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps

Classifying, Policing, and Marking Traffic by Using Aggregate Policers

Configuring DSCP Maps

Configuring the CoS-to-DSCP Map

Configuring the IP-Precedence-to-DSCP Map

Configuring the Policed-DSCP Map

Configuring the DSCP-to-CoS Map

Configuring the DSCP-to-DSCP-Mutation Map

Configuring Ingress Queue Characteristics

Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds

Allocating Buffer Space Between the Ingress Queues

Allocating Bandwidth Between the Ingress Queues

Configuring the Ingress Priority Queue

Configuring Egress Queue Characteristics

Configuration Guidelines

Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set

Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID

Configuring SRR Shaped Weights on Egress Queues

Configuring SRR Shared Weights on Egress Queues

Configuring the Egress Expedite Queue

Limiting the Bandwidth on an Egress Interface

Displaying Standard QoS Information

C H A P T E R 33 Configuring EtherChannels 33-1

Understanding EtherChannels

EtherChannel Overview

Port-Channel Interfaces

Port Aggregation Protocol

PAgP Modes

PAgP Interaction with Other Features

Link Aggregation Control Protocol

LACP Modes

LACP Interaction with Other Features

Load Balancing and Forwarding Methods

Configuring EtherChannels

Default EtherChannel Configuration

EtherChannel Configuration Guidelines

Configuring Layer 2 EtherChannels

Configuring Layer 3 EtherChannels

Creating Port-Channel Logical Interfaces

Configuring the Physical Interfaces

Configuring EtherChannel Load Balancing

Configuring the PAgP Learn Method and Priority

Configuring LACP Hot-Standby Ports

Configuring the LACP System Priority

Configuring the LACP Port Priority

Displaying EtherChannel, PAgP, and LACP Status

C H A P T E R 34 Configuring IP Unicast Routing 34-1

Understanding IP Routing

Types of Routing

Steps for Configuring Routing

Configuring IP Addressing

Default Addressing Configuration

Assigning IP Addresses to Network Interfaces

Use of Subnet Zero

Contents

Configuring Address Resolution Methods

Define a Static ARP Cache

Set ARP Encapsulation

Enable Proxy ARP

Routing Assistance When IP Routing is Disabled

Proxy ARP

Default Gateway

ICMP Router Discovery Protocol (IRDP)

Configuring Broadcast Packet Handling

Enabling Directed Broadcast-to-Physical Broadcast Translation

Forwarding UDP Broadcast Packets and Protocols

Establishing an IP Broadcast Address

Flooding IP Broadcasts

Monitoring and Maintaining IP Addressing

Enabling IP Unicast Routing

Configuring RIP

Default RIP Configuration

Configuring Basic RIP Parameters

Configuring RIP Authentication

Configuring Summary Addresses and Split Horizon

Configuring Split Horizon

Configuring OSPF

Default OSPF Configuration

Nonstop Forwarding Awareness

Configuring Basic OSPF Parameters

Configuring OSPF Interfaces

Configuring OSPF Area Parameters

Configuring Other OSPF Parameters

Changing LSA Group Pacing

Configuring a Loopback Interface

Monitoring OSPF

Configuring EIGRP

Default EIGRP Configuration

Nonstop Forwarding Awareness

Configuring Basic EIGRP Parameters

Configuring EIGRP Interfaces

Configuring EIGRP Route Authentication

Monitoring and Maintaining EIGRP

Configuring BGP

Default BGP Configuration

Nonstop Forwarding Awareness

Enabling BGP Routing

Managing Routing Policy Changes

Configuring BGP Decision Attributes

Configuring BGP Filtering with Route Maps

Configuring BGP Filtering by Neighbor

Configuring Prefix Lists for BGP Filtering

Configuring BGP Community Filtering

Configuring BGP Neighbors and Peer Groups

Configuring Aggregate Addresses

Configuring Routing Domain Confederations

Configuring BGP Route Reflectors

Configuring Route Dampening

Monitoring and Maintaining BGP

Configuring Multi-VRF CE

Understanding Multi-VRF CE

Default Multi-VRF CE Configuration

Multi-VRF CE Configuration Guidelines

Configuring VRFs

Configuring a VPN Routing Session

Configuring BGP PE to CE Routing Sessions

Multi-VRF CE Configuration Example

Displaying Multi-VRF CE Status

Configuring Protocol-Independent Features

Configuring Cisco Express Forwarding

Configuring the Number of Equal-Cost Routing Paths

Configuring Static Unicast Routes

Specifying Default Routes and Networks

Using Route Maps to Redistribute Routing Information

Configuring Policy-Based Routing

PBR Configuration Guidelines

Enabling PBR

Filtering Routing Information

Setting Passive Interfaces

Controlling Advertising and Processing in Routing Updates

Filtering Sources of Routing Information

Managing Authentication Keys

Contents

Monitoring and Maintaining the IP Network

C H A P T E R 35 Configuring IPv6 Unicast Routing 35-1

Understanding IPv6

IPv6 Addresses

Supported IPv6 Unicast Routing Features

128-Bit Wide Unicast Addresses

DNS for IPv6

Path MTU Discovery for IPv6 Unicast

ICMPv6

IPv6 Stateless Autoconfiguration and Duplicate Address Detection

IPv6 Applications

Dual IPv4 and IPv6 Protocol Stacks

Unsupported IPv6 Unicast Routing Features

Limitations

SDM Templates

Dual IPv4-and IPv6 SDM Templates

Configuring IPv6

Default IPv6 Configuration

Configuring IPv6 Addressing and Enabling IPv6 Routing

Configuring IPv4 and IPv6 Protocol Stacks

Configuring IPv6 ICMP Rate Limiting

Configuring CEF for IPv6

Configuring Static Routing for IPv6

Configuring RIP for IPv6

Configuring OSPF for IPv6

Displaying IPv6

C H A P T E R 36 Configuring HSRP 36-1

Understanding HSRP

Multiple HSRP

Configuring HSRP

Default HSRP Configuration

HSRP Configuration Guidelines

Enabling HSRP

Configuring HSRP Priority

Configuring MHSRP

Configuring HSRP Authentication and Timers

Enabling HSRP Support for ICMP Redirect Messages

Configuring HSRP Groups and Clustering

Displaying HSRP Configurations

C H A P T E R 37 Configuring IP Multicast Routing 37-1

Understanding Cisco’s Implementation of IP Multicast Routing

Understanding IGMP

IGMP Version 1

IGMP Version 2

Understanding PIM

PIM Versions

PIM Modes

Auto-RP

Bootstrap Router

Multicast Forwarding and Reverse Path Check

Understanding DVMRP

Understanding CGMP

Configuring IP Multicast Routing

Default Multicast Routing Configuration

Multicast Routing Configuration Guidelines

PIMv1 and PIMv2 Interoperability

Auto-RP and BSR Configuration Guidelines

Configuring Basic Multicast Routing

Configuring a Rendezvous Point

Manually Assigning an RP to Multicast Groups

Configuring Auto-RP

Configuring PIMv2 BSR

Using Auto-RP and a BSR

Monitoring the RP Mapping Information

Troubleshooting PIMv1 and PIMv2 Interoperability Problems

Configuring Advanced PIM Features

Understanding PIM Shared Tree and Source Tree

Delaying the Use of PIM Shortest-Path Tree

Modifying the PIM Router-Query Message Interval

Configuring Optional IGMP Features

Default IGMP Configuration

Configuring the Switch as a Member of a Group

Controlling Access to IP Multicast Groups

Contents

Modifying the IGMP Host-Query Message Interval

Changing the IGMP Query Timeout for IGMPv2

Changing the Maximum Query Response Time for IGMPv2

Configuring the Switch as a Statically Connected Member

Configuring Optional Multicast Routing Features

Enabling CGMP Server Support

Configuring sdr Listener Support

Enabling sdr Listener Support

Limiting How Long an sdr Cache Entry Exists

Configuring an IP Multicast Boundary

Configuring Basic DVMRP Interoperability Features

Configuring DVMRP Interoperability

Configuring a DVMRP Tunnel

Advertising Network 0.0.0.0 to DVMRP Neighbors

Responding to mrinfo Requests

Configuring Advanced DVMRP Interoperability Features

Enabling DVMRP Unicast Routing

Rejecting a DVMRP Nonpruning Neighbor

Controlling Route Exchanges

Limiting the Number of DVMRP Routes Advertised

Changing the DVMRP Route Threshold

Configuring a DVMRP Summary Address

Disabling DVMRP Autosummarization

Adding a Metric Offset to the DVMRP Route

Monitoring and Maintaining IP Multicast Routing

Clearing Caches, Tables, and Databases

Displaying System and Network Statistics

Monitoring IP Multicast Routing

C H A P T E R 38 Configuring MSDP 38-1

Understanding MSDP

MSDP Operation

MSDP Benefits

Configuring MSDP

Default MSDP Configuration

Configuring a Default MSDP Peer

Caching Source-Active State

Requesting Source Information from an MSDP Peer

Controlling Source Information that Your Switch Originates

Redistributing Sources

Filtering Source-Active Request Messages

Controlling Source Information that Your Switch Forwards

Using a Filter

Using TTL to Limit the Multicast Data Sent in SA Messages

Controlling Source Information that Your Switch Receives

Configuring an MSDP Mesh Group

Shutting Down an MSDP Peer

Including a Bordering PIM Dense-Mode Region in MSDP

Configuring an Originating Address other than the RP Address

Monitoring and Maintaining MSDP

C H A P T E R 39 Configuring Fallback Bridging 39-1

Understanding Fallback Bridging

Configuring Fallback Bridging

Default Fallback Bridging Configuration

Fallback Bridging Configuration Guidelines

Creating a Bridge Group

Adjusting Spanning-Tree Parameters

Changing the VLAN-Bridge Spanning-Tree Priority

Changing the Interface Priority

Assigning a Path Cost

Adjusting BPDU Intervals

Disabling the Spanning Tree on an Interface

Monitoring and Maintaining Fallback Bridging

C H A P T E R 40 Troubleshooting 40-1

Recovering from a Software Failure

Recovering from a Lost or Forgotten Password

Procedure with Password Recovery Enabled

Procedure with Password Recovery Disabled

Recovering from a Command Switch Failure

Replacing a Failed Command Switch with a Cluster Member

Replacing a Failed Command Switch with Another Switch

Recovering from Lost Cluster Member Connectivity

Preventing Autonegotiation Mismatches

Contents

Troubleshooting Power over Ethernet Switch Ports

Disabled Port Caused by Power Loss

Disabled Port Caused by False Link Up

SFP Module Security and Identification

Monitoring SFP Module Status

Monitoring Temperature

Using Ping

Understanding Ping

Executing Ping

Using Layer 2 Traceroute

Understanding Layer 2 Traceroute

Usage Guidelines

Displaying the Physical Path

Using IP Traceroute

Understanding IP Traceroute

Executing IP Traceroute

Using TDR

Understanding TDR

Running TDR and Displaying the Results

Using Debug Commands

Enabling Debugging on a Specific Feature

Enabling All-System Diagnostics

Redirecting Debug and Error Message Output

Using the show platform forward Command

Using the crashinfo File

A P P E N D I X A Supported MIBs A-1

MIB List

Using FTP to Access the MIB Files

A P P E N D I X B Working with the Cisco IOS File System, Configuration Files, and Software Images B-1

Working with the Flash File System

Displaying Available File Systems

Setting the Default File System

Displaying Information about Files on a File System

Changing Directories and Displaying the Working Directory

Creating and Removing Directories

Copying Files