Cisco 4500M Software Manual
Software guide
Catalyst 4500 Series Switch Cisco IOS
Software Configuration Guide
Release 12.2(25)EW
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-OL6696=
Text Part Number: OL-6696-01


Summary of Contents for Cisco 4500M

  • Page 3: Table Of Contents

    Commands in Task Tables Obtaining Documentation Cisco.com Ordering Documentation Documentation Feedback xxvi Obtaining Technical Assistance xxvi Cisco Technical Support Website xxvi Submitting a Service Request xxvii Definitions of Service Request Severity xxvii Obtaining Additional Publications and Information xxvii Product Overview...
  • Page 4 Accessing the CLI Using the EIA/TIA-232 Console Interface Accessing the CLI Through Telnet Performing Command-Line Processing Performing History Substitution Understanding Cisco IOS Command Modes Getting a List of Commands and Syntax ROMMON Command-Line Interface Configuring the Switch for the First Time...
  • Page 5 Contents Controlling Access to Privileged EXEC Commands 3-13 Setting or Changing a Static enable Password 3-13 Using the enable password and enable secret Commands 3-14 Setting or Changing a Privileged Password 3-14 Setting TACACS+ Password Protection for Privileged EXEC Mode 3-15 Encrypting Passwords 3-15...
  • Page 6 5-11 Enabling ICMP Mask Reply Messages 5-11 Configuring Supervisor Engine Redundancy Using RPR and SSO (Chapter) Understanding Cisco IOS NSF-Awareness Support Understanding Supervisor Engine Redundancy Overview RPR Operation SSO Operation Understanding Supervisor Engine Redundancy Synchronization...
  • Page 7 Software and Hardware Requirements Network Assistant-related Default Configuration Installing the Network Assistant Overview of the CLI Commands Configuring the Cisco Device for Use with Network Assistant Displaying the Network Assistant-Related Configuration Launching the Network Assistant 9-10 Connecting Network Assistant to a Device...
  • Page 8 Contents Configuring Dynamic VLAN Membership 11-1 (Chapter) Understanding VMPS 11-1 VMPS Server Overview 11-1 Security Modes for VMPS Server 11-2 Fall-back VLAN 11-3 Illegal VMPS client requests 11-3 Understanding VMPS clients 11-4 Dynamic VLAN Membership Overview 11-4 Default VMPS Client Configuration 11-4...
  • Page 9 Contents STP Timers 14-4 Creating the STP Topology 14-4 STP Port States 14-5 MAC Address Allocation 14-5 STP and IEEE 802.1Q Trunks 14-6 Per-VLAN Rapid Spanning Tree 14-6 Default STP Configuration 14-6 Configuring STP 14-7 Enabling STP 14-7 Enabling the Extended System ID 14-8 Configuring the Root Bridge 14-9...
  • Page 10 Contents Understanding and Configuring Multiple Spanning Trees 16-1 (Chapter) Overview of MST 16-1 IEEE 802.1s MST 16-2 IEEE 802.1w RSTP 16-3 MST-to-SST Interoperability 16-4 Common Spanning Tree 16-5 MST Instances 16-5 MST Configuration Parameters 16-5 MST Regions 16-6...
  • Page 11 Contents Default IGMP Snooping Configuration 18-4 Enabling IGMP Snooping 18-5 Configuring Learning Methods 18-6 Configuring a Multicast Router Port Statically 18-7 Enabling IGMP Immediate-Leave Processing 18-7 Configuring Explicit Host Tracking 18-8 Configuring a Host Statically 18-8 Suppressing Multicast Flooding 18-9 Displaying IGMP Snooping Information 18-11 Displaying Querier Information...
  • Page 12 23-2 Configuration Guidelines 23-3 Configuring Logical Layer 3 VLAN Interfaces 23-3 Configuring Physical Layer 3 Interfaces 23-4 Configuring Cisco Express Forwarding 24-1 (Chapter) Overview of CEF 24-1 Benefits of CEF 24-1 Forwarding Information Base...
  • Page 13 Contents Configuring CEF 24-6 Enabling CEF 24-6 Configuring Load Balancing for CEF 24-7 Monitoring and Maintaining CEF 24-8 Displaying IP Statistics 24-8 Understanding and Configuring IP Multicast 25-1 (Chapter) Overview of IP Multicast 25-1 IP Multicast Protocols 25-2 IP Multicast on the Catalyst 4500 Series Switch...
  • Page 14 Contents Deny ACE Example 26-6 Understanding and Configuring VTP 27-1 (Chapter) Overview of VTP 27-1 Understanding the VTP Domain 27-2 Understanding VTP Modes 27-2 Understanding VTP Advertisements 27-3 Understanding VTP Version 2 27-3 Understanding VTP Pruning 27-3 VTP Configuration Guidelines and Restrictions 27-5...
  • Page 15 30-1 (Chapter) Overview of Voice Interfaces 30-1 Configuring a Port to Connect to a Cisco 7690 IP Phone 30-2 Configuring Voice Ports for Voice and Data Traffic 30-2 Overriding the CoS Priority of Incoming Frames...
  • Page 16 Contents Authentication Initiation and Message Exchange 31-3 Ports in Authorized and Unauthorized States 31-4 Using 802.1X with VLAN Assignment 31-5 Using 802.1X Authentication for Guest VLANs 31-6 Using 802.1X with Port Security 31-6 802.1X RADIUS Accounting 31-7 Using 802.1X with Voice VLAN Ports 31-10 Supported Topologies 31-10...
  • Page 17 Contents Default Configuration for DHCP Snooping 33-3 Enabling DHCP Snooping 33-4 Enabling DHCP Snooping on Private VLAN 33-5 Enabling the DHCP Snooping Database Agent 33-6 Configuration Examples for the Database Agent 33-6 Displaying DHCP Snooping Information 33-9 Displaying a Binding Table 33-10 Displaying the DHCP Snooping Configuration 33-10...
  • Page 18 Contents Configuration Guidelines for Layer 4 Operations 35-8 How ACL Processing Impacts CPU 35-9 Configuring Unicast MAC Address Filtering 35-11 Configuring Named MAC Extended ACLs 35-11 Configuring VLAN Maps 35-12 VLAN Map Configuration Guidelines 35-13 Creating and Deleting VLAN Maps 35-13 Applying a VLAN Map to a VLAN 35-16...
  • Page 19 Contents Configuring Port Blocking 37-1 Blocking Flooded Traffic on an Interface 37-2 Resuming Normal Forwarding on a Port 37-3 Configuring Port-Based Traffic Control 38-1 (Chapter) Overview of Storm Control 38-1 Hardware-based Storm Control Implementation 38-2 Software-based Storm Control Implementation 38-2...
  • Page 20 Contents Creating an RSPAN Destination Session 39-18 Creating an RSPAN Destination Session and Enabling Ingress Traffic 39-19 Removing Ports from an RSPAN Session 39-21 Specifying VLANs to Monitor 39-22 Specifying VLANs to Filter 39-23 Displaying SPAN and RSPAN Status 39-24 Configuring NetFlow Statistics Collection 40-1 (Chapter)...
  • Page 21 Preface This preface describes who should read this document, how it is organized, and its conventions. The preface also tells you how to obtain Cisco documents, as well as how to obtain technical assistance. Audience This guide is for experienced network administrators who are responsible for configuring and maintaining Catalyst 4500 series switches.
  • Page 22 Describes how to configure 802.1Q and Layer 2 Protocol Tunneling protocol Tunneling Chapter 20 Understanding and Configuring Describes how to configure the Cisco Discovery Protocol (CDP) Chapter 21 Configuring UDLD Describes how to configure the UniDirectional Link Detection (UDLD) protocol...
  • Page 23: Related Documentation

    Catalyst 4500 Series Switch Cisco IOS System Message Guide • Release Notes for the Catalyst 4500 series switch • Cisco IOS configuration guides and command references: use these publications to help you configure Cisco IOS software features not described in the preceding publications: Configuration Fundamentals Configuration Guide –...
  • Page 24 – Voice, Video, and Fax Applications Command Reference Cisco IOS IP Configuration Guide – Cisco IOS IP Command Reference – The Cisco IOS configuration guides and command references are at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm For information about MIBs, refer to • http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml Conventions...
  • Page 25: Obtaining Documentation

    Catalyst 4500 Series Switch Cisco IOS Command Reference. Obtaining Documentation Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
  • Page 26: Documentation Feedback

    Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts &...
  • Page 27: Submitting A Service Request

    Cisco TAC engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 28 Preface Obtaining Additional Publications and Information Cisco Press publishes a wide range of general networking, training and certification titles. Both new • and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL: http://www.ciscopress.com...
  • Page 29: Layer 2 Software Features

    Management and Security Features, page 1-11 Note For more information about the chassis, modules, and software features supported by the Catalyst 4500 series switch, refer to the Release Notes for the Catalyst 4500 Series Switch, Cisco IOS Release 12.2(25)EW at http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/relnotes/...
  • Page 30: Chapter 1 Product Overview

    Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN. CDP enables Cisco switches and routers to exchange information, such as their MAC addresses, IP addresses, and outgoing interfaces. CDP runs over the data-link layer only, allowing two systems that support different network-layer protocols to learn about each other.
  • Page 31: EtherChannel Bundles

    DHCP server or another switch. For DHCP server configuration information, refer to the chapter, “Configuring DHCP,” in the Cisco IOS IP and IP Routing Configuration Guide at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ip_c/ipcprt1/1cddhcp.htm...
  • Page 32: PVRST+

    Chapter 1 Product Overview Layer 2 Software Features IEEE 802.1s Multiple Spanning Tree (MST) allows for multiple spanning tree instances within a single 802.1Q or Inter-Switch Link (ISL) VLAN trunk. MST extends the IEEE 802.1w Rapid Spanning Tree (RST) algorithm to multiple spanning trees. This extension provides both rapid convergence and load balancing within a VLAN environment.
  • Page 33: UDLD

    Chapter 1 Product Overview Layer 2 Software Features UDLD The UniDirectional Link Detection (UDLD) protocol allows devices connected through fiber-optic or copper Ethernet cables to monitor the physical configuration of the cables and detect a unidirectional link. For information about UDLD, see Chapter 21, “Configuring UDLD.”...
  • Page 34: Layer 3 Software Features

    VRF-lite, page 1-10. Cisco Express Forwarding (CEF) is an advanced Layer 3 IP-switching technology. CEF optimizes network performance and scalability in networks with large and dynamic traffic patterns, such as the Internet, and on networks that use intensive web-based applications or interactive sessions. Although you can use CEF in any part of a network, it is designed for high-performance, highly resilient Layer 3 IP-backbone switching.
  • Page 35 Chapter 1 Product Overview Layer 3 Software Features IGRP • EIGRP • The Routing Information Protocol (RIP) is a distance-vector, intradomain routing protocol. RIP works well in small, homogeneous networks. In large, complex internetworks, it has many limitations, such as a maximum hop count of 15, lack of support for variable-length subnet masks (VLSMs), inefficient use of bandwidth, and slow convergence.
  • Page 36 CIDR eliminates the concept of network classes within BGP and supports the advertising of IP prefixes. CIDR routes can be carried by OSPF, EIGRP, and RIP. For BGP configuration information, refer to the chapter “Configuring BGP” in the Cisco IOS IP and IP Routing Configuration Guide at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ip_c/ipcprt2/1cdbgp.htm...
  • Page 37: Multicast Services

    Multicast services save bandwidth by forcing the network to replicate packets only when necessary and by allowing hosts to join and leave groups dynamically. The following multicast services are supported: Cisco Group Management Protocol (CGMP) server, which manages multicast traffic...
  • Page 38: Policy-Based Routing

    Catalyst 4500 series switch supports trusted boundary, which uses the Cisco Discovery Protocol (CDP) to detect the presence of a Cisco IP phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue.
  • Page 39: Management And Security Features

    Intelligent Power Management (IPM): working with powered devices (PDs) from Cisco, this feature uses power negotiation to refine the power consumption of an 802.3af-compliant PD beyond the granularity of power consumption provided by the 802.3af class. Power negotiation also enables the backward compatibility of newer PDs with older modules that do not support either 802.3af or high-power levels as required by the IEEE standard.
  • Page 40 Terminal Access Controller Access Control System Plus (TACACS+) authentication: these authentication methods control access to the switch. For additional information, refer to the chapter “Authentication, Authorization, and Accounting (AAA),” in Cisco IOS Security Configuration Guide, Release 12.1, at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/secur_c/scprt1/index.htm...
  • Page 41 IP addresses from specified address pools within the router to DHCP clients. If the Cisco IOS DHCP server cannot satisfy a DHCP request from its own database, it can forward the request to one or more secondary DHCP servers defined by the network administrator.
  • Page 43: Accessing The Switch CLI

    ROMMON Command-Line Interface, page 2-6. Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm Accessing the Switch CLI The following sections describe how to access the switch CLI:...
  • Page 44: Accessing The CLI Through Telnet

    Chapter 2 Command-Line Interfaces Accessing the Switch CLI To access the switch through the console interface, perform this task: Command Purpose Step 1 Switch> enable From the user EXEC prompt (>), enter enable to change to enable mode (also known as privileged mode or privileged EXEC mode).
  • Page 45: Chapter 2 Command-Line Interface

    Chapter 2 Command-Line Interfaces Performing Command-Line Processing This example shows how to open a Telnet session to the switch: unix_host% telnet Switch_1 Trying 172.20.52.40... Connected to 172.20.52.40. Escape character is '^]'. User Access Verification Password:< > Switch_1> enable Password: Switch_1# Performing Command-Line Processing Switch commands are not case sensitive.
  • Page 46: Understanding Cisco IOS Command Modes

    Reference at: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm The Cisco IOS user interface has many different modes: user EXEC, privileged EXEC (enable), global configuration, interface, subinterface, and protocol-specific. The commands available to you depend on which mode you are in. To get a list of the commands in a given mode, enter a question mark (?) at the system prompt.
  • Page 47: Getting A List Of Commands And Syntax

    Telnet. The Cisco IOS command interpreter, called the EXEC, interprets and runs the commands you enter. You can abbreviate commands and keywords by entering just enough characters to make the command unique from other commands. For example, you can abbreviate the show command to sh and the configure terminal command to config t.
  • Page 48: ROMMON Command-Line Interface

    When you enter ROMMON mode, the prompt changes to rommon 1>. Use the ? command to see the available ROMMON commands. For more information about the ROMMON commands, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference.
  • Page 49: Default Switch Configuration

    Modifying the Supervisor Engine Startup Configuration, page 3-18. Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm Default Switch Configuration This section describes the default configurations for the Catalyst 4500 series switch.
  • Page 50: Configuring DHCP-Based Autoconfiguration

    Example Configuration, page 3-7 • If your DHCP server is a Cisco device, or if you are configuring the switch as a DHCP server, refer to the “IP Addressing and Services” section in the Cisco IOS IP and IP Routing Configuration Guide for Cisco IOS Release 12.1 for additional information about configuring DHCP.
  • Page 51: Chapter 3 Configuring The Switch For The First Time

    Configuring the DHCP Server A switch can act as both the DHCP client and the DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch.
  • Page 52: Configuring The TFTP Server

    Chapter 3 Configuring the Switch for the First Time Configuring DHCP-Based Autoconfiguration If you want the switch to receive IP address information, you must configure the DHCP server with these lease options: IP address of the client (required), subnet mask of the client (required), DNS server IP address (optional)...
  • Page 53: Configuring The DNS Server

    LAN must respond. Examples of such broadcast packets are DHCP, DNS, and in some cases, TFTP packets. If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses (ip helper-address interface configuration command). For example, in...
  • Page 54: Obtaining Configuration Files

    Chapter 3 Configuring the Switch for the First Time Configuring DHCP-Based Autoconfiguration Figure 3-2 Relay Device Used in Autoconfiguration Switch Cisco router (DHCP client) (Relay) 10.0.0.2 10.0.0.1 20.0.0.1 20.0.0.2 20.0.0.3 20.0.0.4 DHCP server TFTP server DNS server Obtaining Configuration Files...
  • Page 55: Example Configuration

    Figure 3-3 DHCP-Based Autoconfiguration Network Example Switch 1 Switch 2 Switch 3 Switch 4 00e0.9f1e.2001 00e0.9f1e.2002 00e0.9f1e.2003 00e0.9f1e.2004 Cisco router 10.0.0.10 10.0.0.1 10.0.0.2 10.0.0.3 DHCP server DNS server TFTP server (maritsu) Table 3-2 shows the configuration of the reserved leases on either the DHCP server or the DHCP server feature running on your switch.
  • Page 56: Configuring The Switch

    Chapter 3 Configuring the Switch for the First Time Configuring the Switch DNS Server Configuration The DNS server maps the TFTP server name maritsu to IP address 10.0.0.3. TFTP Server Configuration (on UNIX) The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method.
  • Page 57: Using Configuration Mode To Configure Your Switch

    Chapter 3 Configuring the Switch for the First Time Configuring the Switch Using Configuration Mode to Configure Your Switch To configure your switch from configuration mode, perform this procedure: Step 1 Connect a console terminal to the console interface of your supervisor engine. After a few seconds, you will see the user EXEC prompt (>).
  • Page 58: Saving The Running Configuration Settings To Your Start-Up File

    Chapter 3 Configuring the Switch for the First Time Configuring the Switch hostname Switch <...output truncated...> line con 0 transport input none line vty 0 4 exec-timeout 0 0 password lab login transport input lat pad dsipcon mop telnet rlogin udptn nasi Switch# Saving the Running Configuration Settings to Your Start-up File This command saves the configuration settings that you created in configuration mode.
  • Page 59: Configuring A Default Gateway

    Chapter 3 Configuring the Switch for the First Time Configuring the Switch <...output truncated...> line con 0 exec-timeout 0 0 transport input none line vty 0 4 exec-timeout 0 0 password lab login transport input lat pad dsipcon mop telnet rlogin udptn nasi Switch# Configuring a Default Gateway The switch uses the default gateway only when it is not configured with a routing protocol.
  • Page 60 Chapter 3 Configuring the Switch for the First Time Configuring the Switch To configure a static route, perform this task: Command Purpose Step 1 Switch(config)# ip route dest_IP_address mask { forwarding_IP | vlan vlan_ID } Configures a static route to the remote network. Step 2 Verifies that the static route is displayed correctly.
  • Page 61: Controlling Access To Privileged EXEC Commands

    Chapter 3 Configuring the Switch for the First Time Controlling Access to Privileged EXEC Commands ip default-gateway 172.20.52.35 ip classless ip route 171.20.5.3 255.255.255.255 Vlan1 no ip http server x25 host z line con 0 transport input none line vty 0 4 exec-timeout 0 0 password lab login...
  • Page 62: Using The Enable Password And Enable Secret Commands

    Chapter 3 Configuring the Switch for the First Time Controlling Access to Privileged EXEC Commands Using the enable password and enable secret Commands To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a TFTP server, you can use either the enable password or enable secret command.
  • Page 63: Setting TACACS+ Password Protection For Privileged EXEC Mode

    Encrypting Passwords Because protocol analyzers can examine packets (and read passwords), you can increase access security by configuring the Cisco IOS software to encrypt passwords. Encryption prevents the password from being readable in the configuration file. To configure the Cisco IOS software to encrypt passwords, perform this task:...
  • Page 64: Configuring Multiple Privilege Levels

    3-17. Configuring Multiple Privilege Levels By default, Cisco IOS software has two modes of password security: user EXEC mode and privileged EXEC mode. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
  • Page 65 Chapter 3 Configuring the Switch for the First Time Controlling Access to Privileged EXEC Commands Changing the Default Privilege Level for Lines To change the default privilege level for a given line or a group of lines, perform this task: Command Purpose Changes the default privilege level for the line.
  • Page 66: Recovering A Lost Enable Password

    Chapter 3 Configuring the Switch for the First Time Recovering a Lost Enable Password This example shows how to display the privilege level configuration: Switch# show privilege Current privilege level is 15 Switch# Recovering a Lost Enable Password Note: For more information on the configuration register, which is preconfigured in NVRAM, see “Configuring the Software Configuration Register”...
  • Page 67: Configuring The Software Configuration Register

    Chapter 3 Configuring the Switch for the First Time Modifying the Supervisor Engine Startup Configuration Understanding the ROM Monitor The ROM monitor (ROMMON) is invoked at switch bootup, reset, or when a fatal exception occurs. The switch enters ROMMON mode if the switch does not find a valid software image, if the NVRAM configuration is corrupted, or if the configuration register is set to enter ROMMON mode.
  • Page 68 Chapter 3 Configuring the Switch for the First Time Modifying the Supervisor Engine Startup Configuration Table 3-3 Software Configuration Register Bits Bit Number Hexadecimal Meaning 00 to 03 0x0000 to 0x000F Boot field (see Table 3-4) 0x0010 Unused 0x0020 Bit two of console line speed 0x0040 Causes system software to ignore NVRAM contents 0x0080...
  • Page 69 Reboots the switch to make your changes take effect. Switch# reload To modify the configuration register while the switch is running Cisco IOS software, follow these steps: Step 1 Enter the enable command and your password to enter privileged level, as follows: Switch>...
  • Page 70 Switch#show version Cisco Internetwork Operating System Software IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-IS-M), Experimental Version 12.1(20010828:211314) [cisco 105] Copyright (c) 1986-2001 by cisco Systems, Inc. Compiled Thu 06-Sep-01 15:40 by Image text-base:0x00000000, data-base:0x00ADF444 ROM:1.15 Switch uptime is 10 minutes...
  • Page 71: Specifying The Startup System Image

    Chapter 3 Configuring the Switch for the First Time Modifying the Supervisor Engine Startup Configuration cisco Catalyst 4000 (MPC8240) processor (revision 3) with 262144K bytes of memory. Processor board ID Ask SN 12345 Last reset from Reload Bridging software. 49 FastEthernet/IEEE 802.3 interface(s) 20 Gigabit Ethernet/IEEE 802.3 interface(s)
  • Page 72: Controlling Environment Variables

    Step 1 Copy a system image to Flash memory using TFTP or other protocols. Refer to the “Cisco IOS File Management” and “Loading and Maintaining System Images” chapters in the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2, at the following URL:...
  • Page 73: Overview Of Interface Configuration

    Monitoring and Maintaining the Interface, page 4-13. Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Overview of Interface Configuration By default, all interfaces are enabled.
  • Page 74: Using The Interface Command

    When you are facing the front of the switch, the interfaces are numbered from left to right. You can identify interfaces by physically checking the slot/interface location on the switch. You can also use the Cisco IOS show commands to display information about a specific interface or all the interfaces. Using the interface Command...
  • Page 75: Chapter 4 Configuring Interfaces

    Chapter 4 Configuring Interfaces Using the interface Command Last input never, output never, output hang never Last clearing of "show interface" counters never Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles...
  • Page 76: Configuring A Range Of Interfaces

    Chapter 4 Configuring Interfaces Configuring a Range of Interfaces Follow each interface command with the interface configuration commands your particular interface Step 5 requires. The commands you enter define the protocols and applications that will run on the interface. The commands are collected and applied to the interface command until you enter another interface command or press Ctrl-Z to exit interface configuration mode and return to privileged EXEC mode.
  • Page 77: Defining And Using Interface-Range Macros

    Chapter 4 Configuring Interfaces Defining and Using Interface-Range Macros This example shows how to reenable all Fast Ethernet interfaces 5/1 to 5/5: Switch(config)# interface range fastethernet 5/1 - 5 Switch(config-if-range)# no shutdown Switch(config-if-range)# *Oct 6 08:24:35: %LINK-3-UPDOWN: Interface FastEthernet5/1, changed state to up *Oct 6 08:24:35: %LINK-3-UPDOWN: Interface FastEthernet5/2, changed state to up *Oct...
  • Page 78: Configuring Optional Interface Features

    Chapter 4 Configuring Interfaces Configuring Optional Interface Features To define an interface-range macro, perform this task: Command Purpose Switch(config)# define interface-range macro_name {vlan vlan_ID - vlan_ID} | {{fastethernet | gigabitethernet} slot/interface - interface} [, {vlan vlan_ID - vlan_ID} {{fastethernet | gigabitethernet} slot/interface - interface}]... Defines the interface-range macro and saves it in the running configuration file.
  • Page 79: Configuring Ethernet Interface Speed And Duplex Mode

    Chapter 4 Configuring Interfaces Configuring Optional Interface Features Configuring Ethernet Interface Speed and Duplex Mode: Speed and Duplex Mode Configuration Guidelines, page 4-7; Setting the Interface Speed, page 4-7; Setting the Interface Duplex Mode, page 4-8; Displaying the Interface Speed and Duplex Mode Configuration, page 4-9; Adding a Description for an Interface, page 4-9...
  • Page 80 Chapter 4 Configuring Interfaces Configuring Optional Interface Features This example shows how to allow Fast Ethernet interface 5/4 to autonegotiate the speed and duplex mode: Switch(config)# interface fastethernet 5/4 Switch(config-if)# speed auto Note This is analogous to specifying speed auto 10 100. This example shows how to limit the interface speed to 10 and 100 Mbps on the Gigabit Ethernet interface 1/1 in auto-negotiation mode: Switch(config)# interface gigabitethernet 1/1...
  • Page 81: Adding A Description For An Interface

    Chapter 4 Configuring Interfaces Configuring Optional Interface Features Displaying the Interface Speed and Duplex Mode Configuration To display the interface speed and duplex mode configuration for an interface, perform this task: Command Purpose Switch# show interfaces [fastethernet | gigabitethernet | tengigabitethernet] Displays the interface speed and duplex mode configuration.
  • Page 82: Configuring Jumbo Frame Support

    Chapter 4 Configuring Interfaces Configuring Optional Interface Features Configuring Jumbo Frame Support These subsections describe jumbo frame support: Ports and Modules that Support Jumbo Frames, page 4-10; Understanding Jumbo Frame Support, page 4-10; Configuring MTU Sizes, page 4-12. Ports and Modules that Support Jumbo Frames The following ports and modules support jumbo frames: Supervisor uplink ports...
  • Page 83 With Cisco IOS Release 12.2(25)EW, configuring a nondefault MTU size on certain Ethernet ports limits the size of ingress packets. The MTU does not impact the egress packets. With releases earlier than Cisco IOS Release 12.1(13)EW, you can configure the MTU size only on Gigabit Ethernet.
  • Page 84: Interacting With The Baby Giants Feature

    Interacting with the Baby Giants Feature The baby giants feature, introduced in Cisco IOS Release 12.1(12c)EW, uses the global command system mtu <size> to set the global baby giant MTU. This feature also allows certain interfaces to support Ethernet payload size of up to 1552 bytes.
  • Page 85: Understanding Online Insertion And Removal

    Monitoring Interface and Controller Status The Cisco IOS software for the Catalyst 4500 series switch contains commands that you can enter at the EXEC prompt to display information about the interface, including the version of the software and the hardware, the controller status, and statistics about the interfaces.
  • Page 86: Clearing And Resetting The Interface

    Chapter 4 Configuring Interfaces Monitoring and Maintaining the Interface This example shows how to display the status of Fast Ethernet interface 5/5: Switch# show protocols fastethernet 5/5 FastEthernet5/5 is up, line protocol is up Switch# Clearing and Resetting the Interface To clear the interface counters shown with the show interfaces command, enter the following command: Command Purpose...
  • Page 87 This example shows how to shut down Fast Ethernet interface 5/5: Switch(config)# interface fastethernet 5/5 Switch(config-if)# shutdown Switch(config-if)# *Sep 30 08:33:47: %LINK-5-CHANGED: Interface FastEthernet5/5, changed state to a administratively down Switch(config-if)# This example shows how to reenable Fast Ethernet interface 5/5: Switch(config-if)# no shutdown Switch(config-if)#...
  • Page 88 Chapter 4 Configuring Interfaces Monitoring and Maintaining the Interface Software Configuration Guide—Release 12.2(25)EW 4-16 OL-6696-01...
  • Page 89: Checking Module Status

    Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Checking Module Status The Catalyst 4500 series switch is a multimodule system. You can see which modules are installed, as well as the MAC address ranges and version numbers for each module, by using the show module command.
  • Page 90: Checking Interfaces Status

    Chapter 5 Checking Port Status and Connectivity Checking Interfaces Status This example shows how to check module status for all modules on your switch: Switch# show module all Ports Card Type Model Serial No. ----+-----+--------------------------------------+-----------------+----------- 1000BaseX (GBIC) Supervisor Module WS-X4014 JAB012345AB 10/100/1000BaseTX (RJ45) WS-X4424-GB-RJ45 JAB045304EY...
  • Page 91: C H A P T E R 5 Checking Port Status And Connectivity

    Checking MAC Addresses In addition to displaying the MAC address range for a module using the show module command, you can display the MAC address table information of a specific MAC address or a specific interface in the switch using the show mac-address-table address and show mac-address-table interface commands.
  • Page 92: Changing The Logout Timer

    Changing the Logout Timer To establish a Telnet connection to another device on the network from the switch, perform this task: Command: Switch# telnet host [port] Purpose: Opens a Telnet session to a remote host. This example shows how to establish a Telnet connection from the switch to the remote host named labsparc: Switch# telnet labsparc...
  • Page 93: Using Ping

    Using Ping This example shows the output of the show users command when local authentication is enabled for console and Telnet sessions (the asterisk [*] indicates the current session): Switch#show users Line User Host(s) Idle Location...
  • Page 94: Running Ping

    Using Ping The ping command is configurable from normal executive and privileged EXEC mode. Ping returns one of the following responses: • Normal response—The normal response (hostname is alive) occurs in 1 to 10 seconds, depending...
  • Page 95: Using Ip Traceroute

    Using IP Traceroute These sections describe how to use the IP traceroute feature: • Understanding How IP Traceroute Works, page 5-7 • Running IP Traceroute, page 5-7 Understanding How IP Traceroute Works You can use IP traceroute to identify the path that packets take through the network on a hop-by-hop basis.
  • Page 96: Using Layer 2 Traceroute

    Switch# trace ip ABA.NYC.mil Type escape sequence to abort. Tracing the route to ABA.NYC.mil (26.0.0.73) 1 DEBRIS.CISCO.COM (192.180.1.6) 1000 msec 8 msec 4 msec 2 BARRNET-GW.CISCO.COM (192.180.16.2) 8 msec 8 msec 8 msec 3 EXTERNAL-A-GATEWAY.STANFORD.EDU (192.42.110.225) 8 msec 4 msec 4 msec 4 BB2.SU.BARRNET.NET (192.200.254.6) 8 msec 8 msec 8 msec...
  • Page 97: Running Layer 2 Traceroute

    Using Layer 2 Traceroute • The maximum number of hops identified in the path is ten. • You can enter the traceroute mac or the traceroute mac ip command in privileged EXEC mode on...
  • Page 98: Configuring Icmp

    Internet header. For detailed information on ICMP, refer to RFC 792. Enabling ICMP Protocol Unreachable Messages If the Cisco IOS software receives a nonbroadcast packet that uses an unknown protocol, it sends an ICMP Protocol Unreachable message back to the source.
  • Page 99: Enabling Icmp Redirect Messages

    (by default) for the interface. For more information on HSRP, refer to the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt1/1cdip.htm To enable the sending of ICMP Redirect messages if the Cisco IOS software is forced to resend a packet through the same interface on which it was received, enter the following command in interface configuration mode:...
  • Page 100 Configuring ICMP To have the Cisco IOS software respond to ICMP mask requests by sending ICMP Mask Reply messages, perform this task: Command: Switch(config-if)# [no] ip mask-reply Purpose: Enables response to ICMP destination mask requests. Use the no keyword to disable this functionality.
  • Page 101 The minimum ROMMON requirement for running SSO is Release 12.1(20r)EW1 or Release 12.2(20r)EW. This chapter describes how to configure supervisor engine redundancy on the Catalyst 4507R and Catalyst 4510R switches. It also describes the relationship between SSO and Cisco IOS NSF-awareness. This chapter contains these major sections: •...
  • Page 102: C H A P T E R 6 Configuring Supervisor Engine Redundancy Using Rpr And Sso

    RP (Route Processor) switchover happens, this capability is referred to as NSF-awareness. Cisco IOS enhancements to the Layer 3 protocols OSPF, BGP, EIGRP and IS-IS are designed to prevent route-flapping so that the CEF routing table does not timeout or the NSF router does not drop routes.
  • Page 103: Understanding Supervisor Engine Redundancy

    Chapter 6 Configuring Supervisor Engine Redundancy Using RPR and SSO Understanding Supervisor Engine Redundancy Table 6-1 lists the supervisor engines and Catalyst 4500 series switches that support NSF-awareness: Table 6-1 NSF-Aware Capable Supervisor Engine and Catalyst 4500 Series Switch Matrix NSF-Aware Capable Supervisor Engine Switch Support Supervisor Engine III (WS-X4014)
  • Page 104: Rpr Operation

    Understanding Supervisor Engine Redundancy When power is first applied to a switch, the supervisor engine that boots first becomes the active supervisor engine and remains active until a switchover occurs. A switchover will occur when one or more of the following events take place: •...
  • Page 105 Understanding Supervisor Engine Redundancy Because the redundant supervisor engine recognizes the hardware link status of every link, ports that were active before the switchover will remain active, including the uplink ports. However, because uplink ports are physically on the supervisor engine, they will be disconnected if the supervisor engine is removed.
  • Page 106: Understanding Supervisor Engine Redundancy Synchronization

    Understanding Supervisor Engine Redundancy Synchronization SSO is compatible with the following list of features. However, the protocol database for these features is not synchronized between the redundant and active supervisor engines: • 802.1Q tunneling with Layer 2 Protocol Tunneling (L2PT)...
  • Page 107: Sso Supervisor Engine Configuration Synchronization

    • The Cisco Express Forwarding (CEF) table is cleared on a switchover. As a result, routed traffic is interrupted until route tables reconverge. This reconvergence time is minimal because the SSO feature reduces the supervisor engine redundancy switchover time from 30+ seconds to subseconds, so Layer 3 also has a faster failover time if the switch is configured for SSO.
  • Page 108: Configuring Supervisor Engine Redundancy

    Configuring Supervisor Engine Redundancy • Starting with Cisco IOS Release 12.2, if an unsupported condition is detected (such as when the active supervisor engine is running Release 12.2(20)EW and the redundant supervisor engine is running Release 12.1(20)EW), the redundant supervisor engine will be reset multiple times and then...
  • Page 109 Current Software state = ACTIVE Uptime in current state = 2 days, 2 hours, 39 minutes Image Version = Cisco Internetwork Operating System Software IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-I5S-M), Version 12.2(20)EWA(3 .92), CISCO INTERNAL USE ONLY ENHANCED PRODUCTION VERSION Copyright (c) 1986-2004 by cisco Systems, Inc.
  • Page 110: Synchronizing The Supervisor Engine Configurations

    Configuring Supervisor Engine Redundancy Manual Swact = Enabled Communications = Up client count = 21 client_notification_TMR = 240000 milliseconds keep_alive TMR = 9000 milliseconds keep_alive count = 0 keep_alive threshold = 18 RF debug mask = 0x0 Switch# This example shows how to change the system configuration from RPR to SSO mode:...
  • Page 111: Performing A Manual Switchover

    Performing a Manual Switchover Note: The auto-sync command controls the synchronization of the config-reg, bootvar, and startup/private configuration files only. The calendar and VLAN database files are always synchronized when they change.
  • Page 112: Performing A Software Upgrade

    Performing a Software Upgrade The software upgrade procedure supported by supervisor engine redundancy allows you to reload the Cisco IOS software image on the redundant supervisor engine, and once complete, reload the active supervisor engine once. To perform a software upgrade, perform this task:...
  • Page 113 Step 9 Command: Switch# redundancy reload peer Purpose: Reloads the redundant supervisor engine and brings it back online (using the new release of the Cisco IOS software). Note: Before proceeding to Step 10, ensure that the switch is operating in RPR mode.
  • Page 114: Manipulating Bootflash On The Redundant Supervisor Engine

    Manipulating Bootflash on the Redundant Supervisor Engine Note: The console port on the redundant supervisor engine is not available. To manipulate the redundant supervisor engine bootflash, perform one or more of the following tasks: Command Purpose Lists the contents of the slot0: device on the redundant...
  • Page 115: Chapter 7 Environmental Monitoring And Power Management

    Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Understanding Environmental Monitoring This section contains the following subsections: • Using CLI Commands to Monitor your Environment, page 7-2...
  • Page 116: Using Cli Commands To Monitor Your Environment

    Chapter 7 Environmental Monitoring and Power Management Understanding Environmental Monitoring Using CLI Commands to Monitor your Environment Use the show environment CLI command to monitor the system. This section gives a basic overview of the command and keywords you will need. Enter the show environment [alarm | status | temperature] command to display system status information.
  • Page 117: Power Management

    Power Management Table 7-2 Alarms for Supervisor Engine and Switching Modules (columns: Event, Alarm Type, Supervisor LED Color, Description and Action) Supervisor engine temperature sensor exceeds major threshold: Major; Syslog message. If the over-temperature condition is not corrected, the system shuts down after 5 min.
  • Page 118: Power Management For The Catalyst 4500 Series Switches

    Power Management These power supplies are incompatible with Catalyst 4500 series switches. Since Power over Ethernet (PoE) is not supported on the Catalyst 4948 switch, only a limited wattage is needed. (For information on PoE, see Chapter 8, “Configuring Power over Ethernet.”) When you insert power supplies in your...
  • Page 119 Power Management The following example shows the output for the show power command for mixed power supplies: Switch# show power Power Inline Supply Model No Type Status Sensor Status ------ ---------------- --------- ----------- ------ ------ PWR-C45-2800AC...
  • Page 120 • 1000 W can support a fully loaded Catalyst 4503 switch with no powered device support. • 1300 W can support a fully loaded Catalyst 4503 switch with Cisco powered devices. • Each PoE port on a WS-X4148-RJ45V module requires 6.3 W. Five fully loaded WS-X4148-RJ45V...
  • Page 121 Power Management power always remain enabled, with no disruption of network connectivity. Modules placed in reset mode still consume some power and can be removed from the chassis to further reduce power requirements. If you configure the chassis correctly, the system will not enter the evaluation cycle.
  • Page 122 Power Management Caution: If you have power supplies with different types or different wattages installed in your switch, the switch will not recognize one of the power supplies and will not have power redundancy. • For fixed power supplies, choose a power supply that by itself is powerful enough to support the...
  • Page 123 Power Management • For variable power supplies, choose a power supply that provides enough power so that the chassis and PoE requirements are less than the maximum available power. Variable power supplies automatically adjust the power resources at startup to accommodate the chassis and PoE requirements.
  • Page 124 Power Management Table 7-3 Available Power for Switch Power Supplies (columns: Power Supply, Redundant Mode (W), Combined Mode (W), Sharing Ratio) 1000 W AC: Redundant Mode Chassis = 1000, PoE = 0; Combined Mode Chassis = 1667, PoE = 0. 1300 W AC: Chassis (max) = 1000, Chassis (min) = 767...
  • Page 125 Power Management • The software automatically adjusts between system power (for modules, backplane, and fans) and PoE. Although PoE is 96 percent efficient, system power has only 75 percent efficiency. For example, each 120 W of system power requires 160 W from the DC input. This requirement is reflected in the “Power Used”...
  • Page 126: Power Management For The Catalyst 4006 Switch

    Power Management Keep in mind the following guidelines when using a 1400 W DC SP power supply with your Catalyst 4500 series switch: • When you use two 48 V power rails to drive two power supplies, you might employ cross-wiring to...
  • Page 127 Power Management If you opt to use the 1+1 redundancy mode, the type and number of modules supported are limited by the power available from a single power supply. To determine the power consumption for each module in your chassis, see the “Powering Down a Module”...
  • Page 128 Power Management • Fan tray—25 W This configuration requires less than the maximum that a single power supply can provide in 1+1 redundancy mode. The following configuration requires more power than a single 400 W power supply can provide: • WS-X4014 supervisor engine—110 W...
  • Page 129: Power Consumption Of Chassis Components

    WS-X4306 00000110 1000BaseX (GBIC) WS-X4418 JAB025104WK Not enough power for module WS-X4148-FX-MT 00000000000 10/100BaseTX (RJ45)V, Cisco/IEEE WS-X4248-RJ45V JAB074804LE M MAC addresses Status --+--------------------------------+---+------------+----------------+--------- 1 005c.9d1a.f9d0 to 005c.9d1a.f9df 0.5 12.1(11br)EW 12.1(20020313:00 Ok 2 0010.7bab.9920 to 0010.7bab.9925 0.2 3 0050.7356.2b36 to 0050.7356.2b47 1.0 5 0001.64fe.a930 to 0001.64fe.a95f 0.0...
  • Page 130 Power Management This example shows how to power down module 6: Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# no hw-module module 6 power Switch(config)# end Switch#
  • Page 131: Chapter 8 Configuring Power Over Ethernet

    Cisco IP phone. Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Power Management Modes If your switch has a module capable of providing PoE to end stations, you can set each interface on the module to automatically detect and apply PoE if the end station requires power.
  • Page 132 Chapter 8 Configuring Power over Ethernet The Catalyst 4500 series switch has three PoE modes: • auto—PoE interface. The supervisor engine directs the switching module to power up the interface only if the switching module discovers the phone and the switch has enough power. You can specify the maximum wattage that is allowed on the interface.
  • Page 133: Configuring Power Consumption For Powered Devices On An Interface

    The following example shows how to set the Fast Ethernet interface 4/1 to automatically detect PoE and send power through that interface: Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# interface fastethernet 4/1 Switch(config-if)# power inline auto Switch(config-if)# end...
  • Page 134 To change the power consumption for the entire switch, perform this task: Step 1 Command: Switch(config)# [no] power inline consumption default milli-watts Purpose: Sets the PoE consumption (in milliwatts) of all powered devices connected to the switch. The power consumption can range from 4000 to 15,400.
  • Page 135 When a powered device (PD) is attached to a PoE-capable port, the port will detect the PD and provision power accordingly. If a Cisco PD is used, the switch and PD negotiate power using CDP packets to determine the precise amount of power needed by the PD. If the PD is 802.3af compatible, the difference between what is mandated by the 802.3af class and what is actually needed by the PD is...
  • Page 136: Displaying The Operational Status For An Interface

    8-1, a Catalyst 4500 series switch is connected to a balun through a short length of Cat5 UTP cable. Type 1/2 STP cable connects this balun to the next balun. Finally, another short length of Cat5 UTP cable connects the second balun to another Powered Device (e.g. Cisco IP phone). Displaying the Operational Status for an Interface Each interface has an operational status which reflects the PoE status for an interface.
  • Page 137: Displaying The Poe Consumed By A Module

    Fa3/12 auto Fa3/13 auto Fa3/14 auto Fa3/15 auto Fa3/16 auto Fa3/17 auto Fa3/18 auto --------- ------ ---------- ---------- ---------- ------------------- ----- Totals: 117.5 104.6 Switch# This example shows how to display the operational status for Fast Ethernet interface 4/1: Switch#show power inline fa4/1 Available:677(w) Used:11(w)
  • Page 138 Switch# show power module Watts Used of System Power (12V) Model currently out of reset in reset ---- ----------------- --------- ------------ -------- WS-X4013+TS WS-X4548-GB-RJ45V WS-X4548-GB-RJ45V Fan Tray ----------------------- --------- ------------ ------- Total Watts used of Chassis Inline Power (-50V) Inline Power Admin Inline Power Oper Model...
  • Page 139 Module Inline Power Summary (Watts) (12V -> -48V on board conversion) --------------------------------- Maximum Used Available ---- --------- ---- --------- Watts Used of System Power (12V) Model currently out of reset in reset ---- ----------------- --------- ------------ --------...
  • Page 140 Gi1/8 auto 10.3 10.3 CNU Platform Gi1/9 auto 10.3 10.3 CNU Platform Gi1/10 auto 15.4 15.4 Cisco/Ieee PD Gi1/11 auto 10.3 10.3 CNU Platform Gi1/12 auto 10.3 10.3 CNU Platform --------- ------ ---------- ---------- ---------- ------------------- ----- Totals: 128.2 128.2...
  • Page 141 Interface Admin Oper Power(Watts) Device Class From PS To Device --------- ------ ---------- ---------- ---------- ------------------- ----- Gi2/19 auto Gi2/20 auto Gi2/21 auto Gi2/22 auto Gi2/23 auto Gi2/24 auto Gi2/25 auto Gi2/26 auto Gi2/27 auto Gi2/28 auto...
  • Page 142 Chapter 8 Configuring Power over Ethernet
  • Page 143: Configuring And Using The Network Assistant

    • Connecting Network Assistant to a Device, page 9-10 • Clustering Switches, page 9-10 Note: The Network Assistant is not bundled with an online software image on Cisco.com. You can download the Network Assistant from this URL: http://www.cisco.com/go/NetworkAssistant
  • Page 144: C H A P T E R 9 Configuring Switches With Web-Based Tools

    • Windows XP Professional SP1+ Software and Hardware Requirements The minimum Cisco IOS software required on the Catalyst 4500 series switch is Release 12.2(20)EWA. Table 1 lists the hardware required to support the Network Assistant. Table 1 Hardware Supported for Network Assistant 1.0 Support...
  • Page 145: Network Assistant-Related Default Configuration

    To install Network Assistant on your workstation, follow these steps: Step 1 Go to this Web address: www.cisco.com/go/NetworkAssistant. You must be a registered Cisco.com user as a guest, but you need no access privileges. Step 2 Click on Free Download. Find the Network Assistant installer, cna-1 0-windows-k9-installer.1-0-1a.exe...
  • Page 146: Overview Of The Cli Commands

    Enable Communication with Network Assistant Network Assistant communicates with a Catalyst 4500 series switch by sending Cisco IOS commands over an HTTP connection. To enable Network Assistant to connect to a Catalyst 4500 series switch, perform this task on the switch:...
  • Page 147 Chapter 9 Configuring Switches with Web-based Tools Configuring and Using the Network Assistant Step 4 Command: Switch(config-if)# ip address ip_address address_mask Purpose: (Optionally) Assigns an IP address to the Catalyst 4500 series switch. Note: This step is mandatory if the switch is a cluster command switch candidate.
  • Page 148 This example shows how to configure the authentication login to use local passwords and to verify the configuration: Switch(config)# ip http authentication local Switch(config)# end Switch# show running-config | include http ip http server ip http authentication local This example illustrates the sample configuration files for the cluster command switch candidate:...
  • Page 149 interface GigabitEthernet3/8 interface GigabitEthernet3/9 shutdown interface GigabitEthernet3/10 shutdown interface GigabitEthernet3/11 shutdown interface Vlan1 no ip address interface Vlan100 no ip address ip http server Enable Intra-Cluster Communication You can use the following interfaces for intra-cluster communication: a router, a switched virtual interface (SVI), an access port, or a trunk port.
  • Page 150 This example shows how to enable intra-cluster communication: Switch# configure terminal Switch(config)# cluster run Switch(config)# vlan 100 Switch(config-vlan)# no shutdown Switch(config)# interface vlan 100 Switch(config-if)# no shutdown Switch(config-if)# interface gigabitethernet 3/24 Switch(config-if)# switchport mode access Switch(config-if)# switchport access vlan 100...
  • Page 151: Displaying The Network Assistant-Related Configuration

    interface GigabitEthernet1/1 interface GigabitEthernet1/2 interface FastEthernet3/1 switchport access vlan 100 switchport mode access interface Vlan1 no ip address interface Vlan100 no ip address ip http server Displaying the Network Assistant-Related Configuration To display the Network Assistant configuration, perform this task: Command Purpose...
  • Page 152: Launching The Network Assistant

    Similarly, the feature bar fills with menus that list the device features that Network Assistant manages. Note: For information on how to use Network Assistant, refer to Getting Started with Cisco Network Assistant, available at the URL: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cna/v1_0/gsg/index.htmCisco.com...
  • Page 153: Understanding Switch Clusters

    Note: For complete procedures about using Network Assistant to configure switch clusters, refer to Getting Started with Cisco Network Assistant, available at: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cna/v1_0/gsg/index.htmCisco.com. For the CLI cluster commands, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. This section contains the following topics: •...
  • Page 154 Clustering Switches • It has an IP address. • It has Cisco Discovery Protocol (CDP) version 2 enabled (the default). • It is using cluster-capable software and has clustering enabled. • It has HTTP server enabled.
  • Page 155: Using The Cli To Manage Switch Clusters

    Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.
  • Page 156: Installing And Configuring Embedded Ciscoview

    -rw- 20743 Jan 23 2003 04:23:46 +00:00 cv/Cat4000IOS-4.0_nos.jar -rw- 12383 Jan 23 2003 04:23:46 +00:00 cv/applet.html -rw- Jan 23 2003 04:23:46 +00:00 cv/cisco.x509 -rw- 2523 Jan 23 2003 04:23:46 +00:00 cv/identitydb.obj -rw- 9630880 Feb 27 2003 01:25:16 +00:00 kurt70.devtest-enh -rw-...
  • Page 157 Cat4000IOS-5.1_ace.html (7263 bytes) extracting Cat4000IOS-5.1_error.html (410 bytes) extracting Cat4000IOS-5.1_install.html (2743 bytes) extracting Cat4000IOS-5.1_jks.jar (20450 bytes) extracting Cat4000IOS-5.1_nos.jar (20782 bytes) extracting applet.html (12388 bytes) extracting cisco.x509 (529 bytes) extracting identitydb.obj (2523 bytes) Switch# Switch# dir Directory of bootflash:/ -rw- 8620304 Dec 23 2002 23:27:49 +00:00 wickwire.EW1...
  • Page 158: Displaying Embedded Ciscoview Information

    ADP version Output modifiers < For more information about web access to the switch, refer to the “Using the Cisco Web Browser” chapter in the Cisco IOS Configuration Fundamentals Configuration Guide at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fun_c/fcprt1/fcd105.htm Displaying Embedded CiscoView Information...
  • Page 159 SIZE(in bytes) ------------------------------------------------ Cat4000IOS-5.1.sgz 1956591 Cat4000IOS-5.1_ace.html 7263 Cat4000IOS-5.1_error.html Cat4000IOS-5.1_install.html 2743 Cat4000IOS-5.1_jks.jar 20450 Cat4000IOS-5.1_nos.jar 20782 applet.html 12388 cisco.x509 identitydb.obj 2523 Switch# show ciscoview version Engine Version: 5.3.4 ADP Device: Cat4000IOS ADP Version: 5.1 ADK: 49 Switch#
  • Page 160 Chapter 9 Configuring Switches with Web-based Tools Configuring Embedded CiscoView Support
  • Page 161: Chapter 10 Understanding And Configuring Vlans

    Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Overview of VLANs A VLAN is a group of devices on one or more LANs that are configured to communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments.
  • Page 162 Figure 10-1 Sample VLANs (figure labels: Engineering VLAN, Marketing VLAN, Accounting VLAN, Cisco router, Fast Ethernet, Floor 1, Floor 2, Floor 3) VLANs are often associated with IP subnetworks. For example, all of the end stations in a particular IP subnet belong to the same VLAN. Traffic between VLANs must be routed. You must assign LAN interface VLAN membership on an interface-by-interface basis (this is known as interface-based or static VLAN membership).
  • Page 163: Vlan Configuration Guidelines And Restrictions

    Note section on page 14-2. With Cisco IOS Release 12.2(25)EW and later, Catalyst 4500 series switches support 4096 VLANs in compliance with the IEEE 802.1Q standard. These VLANs are organized into three ranges: reserved, normal, and extended. Some of these VLANs are propagated to other switches in the network when you use the VLAN Trunking Protocol (VTP).
  • Page 164: Configurable Normal-Range Vlan Parameters

    Chapter 10 Understanding and Configuring VLANs VLAN Default Configuration Configurable Normal-Range VLAN Parameters Note: Ethernet VLANs 1 and 1006 through 4094 use only default values. You can configure the following parameters for VLANs 2 through 1001: • VLAN name • VLAN type...
  • Page 165: Configuring VLANs in Global Configuration Mode

    Note VLANs support a number of parameters that are not discussed in detail in this section. For complete information, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference. Note The VLAN configuration is stored in the vlan.dat file, which is stored in nonvolatile memory. You can cause inconsistency in the VLAN database if you manually delete the vlan.dat file.
  • Page 166 Configuring VLANs To create a VLAN, perform this task: Step 1 Switch# configure terminal: enters global configuration mode. Step 2 Switch(config)# vlan vlan_ID (the prompt changes to Switch(config-vlan)#): adds an Ethernet VLAN. Note You cannot delete the default VLANs for these media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005.
  • Page 167: Configuring VLANs in VLAN Database Mode

    Configuring VLANs in VLAN Database Mode When the switch is in VTP server or transparent mode, you can configure VLANs in the VLAN database mode. When you configure VLANs in VLAN database mode, the VLAN configuration is saved in the vlan.dat file, not the running-config or startup-config files.
  • Page 168: Assigning a Layer 2 LAN Interface to a VLAN

    Assigning a Layer 2 LAN Interface to a VLAN A VLAN created in a management domain remains unused until you assign one or more LAN interfaces to the VLAN. Note Make sure you assign LAN interfaces to a VLAN of the proper type. Assign Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces to Ethernet-type VLANs.
  • Page 169: Understanding VMPS

    VLAN for that host. A Catalyst 4500 series switch running Cisco IOS software does not support the functionality of a VMPS. It can only function as a VLAN Query Protocol (VQP) client, which communicates with a VMPS through the VQP.
  • Page 170: Chapter 11 Configuring Dynamic VLAN Membership

    “port-shutdown” response from the VMPS, the switch disables the port. The port must be manually re-enabled by using the CLI, Cisco Visual Switch Manager (CVSM), or SNMP. You can also use an explicit entry in the configuration table to deny access to specific MAC addresses for security reasons.
  • Page 171: Fall-Back VLAN

    VMPS server. Note Although Catalyst 4500 series and Catalyst 6500 series switches running Catalyst operating system software support VMPS in all three operation modes, the Cisco network management tool URT (User Registration Tool) supports open mode only. Fall-back VLAN You can configure a fallback VLAN name on a VMPS server. If you connect a device with a MAC address that is not in the database, the VMPS sends the fallback VLAN name to the client.
  • Page 172: Understanding VMPS Clients

    Understanding VMPS clients The following subsections describe how to configure a switch as a VMPS client and configure its ports for dynamic VLAN membership. The following topics are included: • Dynamic VLAN Membership Overview, page 11-4 • Default VMPS Client Configuration, page 11-4 •...
  • Page 173: Configuring a Switch as a VMPS Client

    Table 11-1 Default VMPS Client and Dynamic Port Configuration (Feature: Default Configuration): VMPS domain server: None; VMPS reconfirm interval: 60 minutes; VMPS server retry count; Dynamic ports: None configured. Configuring a Switch as a VMPS Client This section contains the following topics: • Configuring the IP Address of the VMPS Server, page 11-5 •...
  • Page 174 Switch# show vmps VQP Client Status: VMPS VQP Version: Reconfirm Interval: 60 min Server Retry Count: 3 VMPS domain server: 172.20.128.179 (primary, current) 172.20.128.178 Reconfirmation status VMPS Action: No Dynamic Port Configuring Dynamic Access Ports on a VMPS Client To configure a dynamic access port on a VMPS client switch, perform this task: Command...
  • Page 175: Reconfirming VLAN Memberships

    Voice Ports If a VVID (voice VLAN ID) is configured on a dynamic access port, the port can belong to both an access VLAN and a voice VLAN. Consequently, an access port configured for connecting an IP phone can have separate VLANs for the following: •...
  • Page 176: Administering and Monitoring the VMPS

    Configuring the Retry Interval You can set the number of times that the VMPS client attempts to contact the VMPS before querying the next server. To set the retry interval, perform this task: Command Purpose Step 1...
  • Page 177: Troubleshooting Dynamic Port VLAN Membership

    Denied: Wrong Domain: Wrong Version: Insufficient Resource: 0 Note Refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference for details on VMPS statistics. Troubleshooting Dynamic Port VLAN Membership VMPS errdisables a dynamic port under the following conditions: • The VMPS is in secure mode, and it will not allow the host to connect to the port. The VMPS...
  • Page 179: Overview of Layer 2 Ethernet Switching

    Chapter 23, “Configuring Layer 3 Interfaces.” Note For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Overview of Layer 2 Ethernet Switching...
  • Page 180: Chapter 12 Configuring Layer 2 Ethernet Interfaces

    Note With release 12.1(13)EW, the Catalyst 4500 series switches can handle packets of 1600 bytes, rather than treat them as “oversized” and discard them. This size is larger than the usual IEEE Ethernet Maximum Transmission Unit (MTU) (1518 bytes) and 802.1q MTU (1522 bytes).
  • Page 181: Understanding VLAN Trunks

    Trunks carry the traffic of multiple VLANs over a single link and allow you to extend VLANs across an entire network. Two trunking encapsulations are available on all Ethernet interfaces: • Inter-Switch Link (ISL) Protocol—ISL is a Cisco-proprietary trunking encapsulation. Note The blocking Gigabit ports on the WS-X4418-GB and WS-X4412-2GB-T modules do not support ISL.
  • Page 182: Layer 2 Interface Modes

    Layer 2 Interface Modes Table 12-2 lists the Layer 2 interface modes and describes how they function on Ethernet interfaces. Table 12-2 Layer 2 Interface Modes (Mode: Purpose) switchport mode access: Puts the interface into permanent nontrunking mode and...
  • Page 183: Layer 2 Interface Configuration Guidelines and Restrictions

    VLANs allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch combines the spanning tree instance of the native VLAN of the trunk with the spanning tree instance of the non-Cisco 802.1Q switch.
  • Page 184: Configuring an Ethernet Interface as a Layer 2 Trunk

    Configuring an Ethernet Interface as a Layer 2 Trunk Note The default for Layer 2 interfaces is switchport mode dynamic auto. If the neighboring interface supports trunking and is configured to trunk mode or dynamic desirable mode, the link becomes a Layer 2 trunk.
  • Page 185 Step 11 Switch# show running-config interface {fastethernet | gigabitethernet | tengigabitethernet} slot/port: displays the running configuration of the interface. Step 12 Switch# show interfaces [fastethernet | gigabitethernet | tengigabitethernet] slot/port switchport: displays the switch port configuration of the interface...
  • Page 186: Configuring an Interface as a Layer 2 Access Port

    Port Vlans allowed and active in management domain Fa5/8 1-6,10,20,50,100,152,200,300,303-305,349-351,400,500,521,524,570,801-802,850,917,999,1002-1005 Port Vlans in spanning tree forwarding state and not pruned Fa5/8 1-6,10,20,50,100,152,200,300,303-305,349-351,400,500,521,524,570,801-802,850,917,999,1002-1005 Switch# Configuring an Interface as a Layer 2 Access Port Note If you assign an interface to a VLAN that does not exist, the interface is not operational until you create the VLAN in the VLAN database (see the...
  • Page 187: Clearing Layer 2 Configuration

    Switch(config-if)# switchport mode access Switch(config-if)# switchport access vlan 200 Switch(config-if)# no shutdown Switch(config-if)# end Switch# exit This example shows how to verify the running configuration: Switch# show running-config interface fastethernet 5/6 Building configuration...
  • Page 188 This example shows how to verify that the Layer 2 configuration was cleared: Switch# show running-config interface fastethernet 5/6 Building configuration... Current configuration: interface FastEthernet5/6 This example shows how to verify the switch port configuration: Switch# show interfaces fastethernet 5/6 switchport Name: Fa5/6 Switchport: Enabled...
  • Page 189: Chapter 13 Configuring SmartPort Macros

    This chapter describes how to configure and apply SmartPort macros on your switch. Note For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. This chapter consists of these sections: •...
  • Page 190: Configuring Smart-Port Macros

    Default SmartPort Macro Configuration This section illustrates the default configurations for the four supported macros. These macros can only be viewed and applied; they cannot be modified by the user. • cisco-desktop, page 13-2 • cisco-phone, page 13-2 • cisco-switch, page 13-3 •...
  • Page 191 # and use inactivity timer switchport port-security violation restrict switchport port-security aging time 2 switchport port-security aging type inactivity # Enable auto-qos to extend trust to attached Cisco phone auto qos voip cisco-phone # Configure port as an edge network port spanning-tree portfast...
  • Page 192: SmartPort Macro Configuration Guidelines

    SmartPort Macro Configuration Guidelines Follow these guidelines when configuring macros on your switch: • Do not use exit or end commands when creating a macro. This action could cause commands that follow exit or end to execute in a different command mode. When creating a macro, all CLI commands should be interface configuration mode commands.
  • Page 193 13-6 • cisco-router, page 13-7 • cisco-desktop This example shows how to apply the cisco-desktop macro to Fast Ethernet interface 2/9: Switch(config)# interface fastethernet2/9 Switch(config-if)# macro apply cisco-desktop $AVID 35 Switch(config-if)# end Switch# show parser macro name cisco-desktop...
  • Page 194 cisco-phone This example shows how to apply the cisco-phone macro to Fast Ethernet interface 2/9: Switch(config)# interface fastethernet2/9 Switch(config-if)# macro apply cisco-phone Switch(config-if)# macro description cisco-phone $AVID 35 $VVID 56 Switch(config-if)# end...
  • Page 195 Fa2/9 cisco-switch cisco-router This example shows how to apply the cisco-router macro to Fast Ethernet interface 2/9: Switch(config)# interface fastethernet2/9 Switch(config-if)# macro apply cisco-router Switch(config-if)# macro description cisco-router $NVID 45I Switch(config-if)# end Switch# show parser macro name cisco-router...
  • Page 196: Displaying SmartPort Macros

    Displaying SmartPort Macros To display the SmartPort macros, use one or more of the privileged EXEC commands in Table 13-1. Table 13-1 Commands for Displaying SmartPort Macros (Command: Purpose) show parser macro: Displays all configured macros.
  • Page 197: Chapter 14 Understanding and Configuring STP

    Chapter 15, “Configuring STP Features.” Note For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Overview of STP STP is a Layer 2 link management protocol that provides path redundancy while preventing undesirable loops in the network.
  • Page 198: Understanding the Bridge ID

    A spanning tree defines a tree with a root switch and a loop-free path from the root to all switches in the Layer 2 network. A spanning tree forces redundant data paths into a standby (blocked) state. If a network segment in the spanning tree fails and a redundant path exists, the spanning tree algorithm recalculates the spanning tree topology and activates the standby path.
  • Page 199: Bridge Protocol Data Units

    STP MAC Address Allocation A Catalyst 4500 series switch chassis has either 64 or 1024 MAC addresses available to support software features like STP. Enter the show module command to view the MAC address range on your chassis. Release 12.1(12c)EW and later releases support chassis with 64 or 1024 MAC addresses.
  • Page 200: Election of the Root Bridge

    Election of the Root Bridge For each VLAN, the switch with the highest bridge priority (the lowest numerical priority value) is elected as the root bridge. If all switches are configured with the default priority value (32,768), the switch with the lowest MAC address in the VLAN becomes the root bridge.
  • Page 201: STP Port States

    Figure 14-1 Spanning Tree Topology (figure; RP = Root Port, DP = Designated Port) For example, assume that one port on Switch B is a fiber-optic link, and another port on Switch B (an unshielded twisted-pair [UTP] link) is the root port.
  • Page 202: STP and IEEE 802.1Q Trunks

    When you connect a Cisco switch to a non-Cisco device (that supports 802.1Q) through an 802.1Q trunk, the Cisco switch combines the spanning tree instance of the 802.1Q native VLAN of the trunk with the spanning tree instance of the non-Cisco 802.1Q switch. However, all per-VLAN spanning tree information is maintained by Cisco switches separated by a network of non-Cisco 802.1Q switches.
  • Page 203: Configuring STP

    Table 14-4 Spanning Tree Default Configuration Values (continued) (Feature: Default Value) Spanning tree VLAN port cost (configurable on a per-VLAN basis; used on interfaces configured as...): • 10-Gigabit Ethernet: 2 • Gigabit Ethernet: 4 •...
  • Page 204: Enabling the Extended System ID

    To enable a spanning tree on a per-VLAN basis, perform this task: Step 1 Switch# configure terminal: enters global configuration mode. Step 2 Switch(config)# spanning-tree vlan vlan_ID: enables spanning tree for VLAN vlan_ID. The vlan_ID value can range from 1 to 4094.
  • Page 205: Configuring the Root Bridge

    To enable the extended system ID, perform this task: Step 1 Switch(config)# spanning-tree extend system-id: enables the extended system ID. Disables the extended system ID. Note You cannot disable the extended system ID on chassis that support 64 MAC addresses or when you have configured extended range VLANs (see “Table 14-4 Spanning Tree Default Configuration...
  • Page 206 Use the diameter keyword to specify the Layer 2 network diameter (the maximum number of bridge hops between any two end stations in the network). When you specify the network diameter, a switch automatically picks an optimal hello time, forward delay time, and maximum age time for a network of that diameter.
  • Page 207 Port 324 (FastEthernet6/4) of VLAN1 is blocking Port path cost 19, Port priority 128, Port Identifier 129.68. Designated root has priority 32768, address 0001.6445.4400 Designated bridge has priority 32768, address 0001.6445.4400 Designated port id is 129.68, designated path cost 0 Timers: message age 2, forward delay 0, hold 0 Number of transitions to forwarding state: 0 BPDU: sent 1, received 89...
  • Page 208: Configuring a Secondary Root Switch

    Configuring a Secondary Root Switch When you configure a switch as the secondary root, the spanning tree bridge priority is modified from the default value (32,768) to 16,384. This means that the switch is likely to become the root bridge for the specified VLANs if the primary root bridge fails (assuming the other switches in the network use the default bridge priority of 32,768).
  • Page 209: Configuring STP Port Priority

    The possible priority range is 0 through 240, configurable in increments of 16 (the default is 128). Note The Cisco IOS software uses the port priority value when the interface is configured as an access port and uses VLAN port priority values when the interface is configured as a trunk port.
  • Page 210: The Configuration

    This example shows how to display the details of the interface configuration when the interface is configured as an access port: Switch# show spanning-tree interface fastethernet 3/1 detail Port 129 (FastEthernet3/1) of VLAN0001 is forwarding Port path cost 19, Port priority 128, Port Identifier 128.129.
  • Page 211: Configuring STP Port Cost

    This example shows how to configure the spanning tree VLAN port priority of a Fast Ethernet interface: Switch# configure terminal Switch(config)# interface fastethernet 5/8 Switch(config-if)# spanning-tree vlan 200 port-priority 64 Switch(config-if)# end Switch# This example shows how to verify the configuration of VLAN 200 on the interface when it is configured as a trunk port:...
  • Page 212: Configuring the Bridge Priority of a VLAN

    This example shows how to change the spanning tree port cost of a Fast Ethernet interface: Switch# configure terminal Switch(config)# interface fastethernet 5/8 Switch(config-if)# spanning-tree cost 18 Switch(config-if)# end Switch# This example shows how to verify the configuration of the interface when it is configured as an access port: Switch# show spanning-tree interface fastethernet 5/8 Port 264 (FastEthernet5/8) of VLAN200 is forwarding...
  • Page 213: Configuring the Hello Time

    To configure the spanning tree bridge priority of a VLAN, perform this task: Step 1 Switch(config)# [no] spanning-tree vlan vlan_ID priority bridge_priority: configures the bridge priority of a VLAN. The bridge_priority value can be from 1 to 65,535.
  • Page 214: Configuring the Maximum Aging Time for a VLAN

    This example shows how to verify the configuration: Switch# show spanning-tree vlan 200 bridge brief (columns: Vlan | Bridge ID | Hello Time | Max Age | Delay | Protocol) VLAN200 49152 0050.3e8d.64c8 ieee Switch# Configuring the Maximum Aging Time for a VLAN...
  • Page 215: Disabling Spanning Tree Protocol

    To configure the spanning tree forward delay time for a VLAN, perform this task: Step 1 Switch(config)# [no] spanning-tree vlan vlan_ID forward-time forward_time: configures the forward time of a VLAN. The forward_time value can be from 4 to 30 seconds.
  • Page 216: Enabling Per-VLAN Rapid Spanning Tree

    This example shows how to disable spanning tree on VLAN 200: Switch# configure terminal Switch(config)# no spanning-tree vlan 200 Switch(config)# end Switch# This example shows how to verify the configuration: Switch# show spanning-tree vlan 200 Spanning tree instance for VLAN 200 does not exist.
  • Page 217: Specifying the Link Type

    The following example shows how to verify the configuration: Switch# show spanning-tree summary totals Switch is in rapid-pvst mode Root bridge for: VLAN0001 Extended system ID is disabled Portfast Default is disabled PortFast BPDU Guard Default is disabled Portfast BPDU Filter Default is disabled Loopguard Default...
  • Page 219: Configuring STP Features

    Chapter 14, “Understanding and Configuring STP.” Note For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm.
  • Page 220: Chapter 15 Configuring STP Features

    Overview of Root Guard Spanning Tree root guard forces an interface to become a designated port, to protect the current root status and prevent surrounding switches from becoming the root switch. When you enable root guard on a per-port basis, it is automatically applied to all of the active VLANs to which that port belongs.
  • Page 221: Overview of PortFast

    Figure 15-1 illustrates the following configuration: • Switches A and B are distribution switches. • Switch C is an access switch. • Loop guard is enabled on ports 3/1 and 3/2 on Switches A, B, and C. Enabling loop guard on a root switch has no effect but provides protection when a root switch becomes a nonroot switch.
  • Page 222: Overview of BPDU Guard

    PortFast-configured interfaces. Overview of PortFast BPDU Filtering Cisco IOS Release 12.2(25)EW and later support PortFast BPDU filtering, which allows the administrator to prevent the system from sending or even receiving BPDUs on specified ports. When configured globally, PortFast BPDU filtering applies to all operational PortFast ports. Ports in an operational PortFast state are supposed to be connected to hosts that typically drop BPDUs.
  • Page 223: Overview of UplinkFast

    Table 15-1 PortFast BPDU Filtering Port Configurations (columns: Per-Port Configuration | Global Configuration | PortFast State | PortFast BPDU Filtering State): Default | Enable | Enable | Enable; Default | Enable | Disable | Disable; Default | Disable | Not applicable | Disable; Disable | Not applicable | Not applicable | Disable; Enable | ...
  • Page 224: Overview of BackboneFast

    Figure 15-3 UplinkFast After Direct Link Failure (figure: Switch A, Switch B (Root) and Switch C; after the link failure, UplinkFast transitions the port directly to the forwarding state) Overview of BackboneFast BackboneFast is a complementary technology to UplinkFast. Whereas UplinkFast is designed to quickly respond to failures on links directly connected to leaf-node switches, it does not help with indirect failures in the backbone core.
  • Page 225 Figure 15-4 BackboneFast Before Indirect Link Failure (figure: Switch A, Switch B (Root) and Switch C, with a blocked port on Switch C) Next, assume that L1 fails. Switch A and Switch B, the switches directly connected to this segment, instantly know that the link is down.
  • Page 226: Enabling Root Guard

    Figure 15-5 BackboneFast after Indirect Link Failure (figure: Switch A (Root), Switch B and Switch C; after the link failure, BackboneFast transitions the port through the listening and learning states to the forwarding state) If a new switch is introduced into a shared-medium topology as shown in Figure 15-6, BackboneFast is not activated, because the inferior BPDUs did not come from the recognized designated bridge...
  • Page 227: Enabling Loop Guard

    Step 3 Switch(config-if)# end: exits configuration mode. Step 4 Switch# show spanning-tree: verifies the configuration. This example shows how to enable root guard on Fast Ethernet interface 5/8: Switch(config)# interface fastethernet 5/8 Switch(config-if)# spanning-tree guard root Switch(config-if)# end Switch#...
  • Page 228 This example shows how to enable loop guard globally: Switch(config)# spanning-tree loopguard default Switch(config)# Ctrl-Z This example shows how to verify the previous configuration of port 4/4: Switch# show spanning-tree interface fastethernet 4/4 detail Port 196 (FastEthernet4/4) of VLAN0010 is forwarding Port path cost 1000, Port priority 160, Port Identifier 160.196.
  • Page 229: Enabling PortFast

    Enabling PortFast Caution Use PortFast only when connecting a single end station to a Layer 2 access port. Otherwise, you might create a network loop. To enable PortFast on a Layer 2 access port to force it to enter the forwarding state immediately, perform this task: Command Purpose...
  • Page 230: Enabling BPDU Guard

    Enabling BPDU Guard To enable BPDU guard to shut down PortFast-configured interfaces that receive BPDUs, perform this task: Step 1 Switch(config)# [no] spanning-tree portfast bpduguard: enables BPDU guard on all the switch’s PortFast-configured interfaces.
  • Page 231 This example shows how to verify the BPDU configuration in PVST+ mode: Switch# show spanning-tree summary totals Root bridge for: VLAN0010 EtherChannel misconfiguration guard is enabled Extended system ID is disabled Portfast is enabled by default PortFast BPDU Guard is disabled by default...
  • Page 232: Enabling UplinkFast

    Enabling UplinkFast UplinkFast increases the bridge priority to 49,152 and adds 3000 to the spanning tree port cost of all interfaces on the switch, making it unlikely that the switch will become the root switch. The max_update_rate value represents the number of multicast packets transmitted per second (the default is 150 packets per second [pps]).
  • Page 233: Enabling BackboneFast

    VLAN15 VLAN1002 Gi5/7(fwd) VLAN1003 Gi5/7(fwd) VLAN1004 Gi5/7(fwd) VLAN1005 Gi5/7(fwd) Switch# Enabling BackboneFast For BackboneFast to work, you must enable it on all switches in the network. Note BackboneFast is supported for use with third-party switches but it is not supported on Token Ring VLANs. To enable BackboneFast, perform this task: Command Purpose...
  • Page 234 (columns: Name | Blocking | Listening | Learning | Forwarding | STP Active) VLAN0001 VLAN1002 VLAN1003 VLAN1004 VLAN1005 5 vlans BackboneFast statistics Number of transition via backboneFast (all VLANs) Number of inferior BPDUs received (all VLANs) Number of RLQ request PDUs received (all VLANs) Number of RLQ response PDUs received (all VLANs)
  • Page 235: Overview of MST

    This chapter describes how to configure the IEEE 802.1s Multiple Spanning Tree (MST) protocol on the Catalyst 4500 series switch. MST is a new IEEE standard derived from Cisco's proprietary Multi-Instance Spanning-Tree Protocol (MISTP) implementation. With MST, you can map a single spanning-tree instance to several VLANs.
  • Page 236: Chapter 16 Understanding and Configuring Multiple Spanning Trees

    Per VLAN Spanning Tree Plus (PVST+) and is backward compatible with 802.1D STP, 802.1w (Rapid Spanning Tree Protocol [RSTP]), and the Cisco PVST+ architecture. MST allows you to build multiple spanning trees over trunks. You can group and associate VLANs to spanning tree instances.
  • Page 237: IEEE 802.1w RSTP

    – MST switches operate as if MAC reduction is enabled. – For private VLANs (PVLANs), you must map a secondary VLAN to the same instance as the primary. IEEE 802.1w RSTP RSTP, specified in 802.1w, supersedes STP specified in 802.1D, but remains compatible with STP.
  • Page 238: MST-to-SST Interoperability

    RSTP Port States The port state controls the forwarding and learning processes and provides the values of discarding, learning, and forwarding. Table 16-1 shows the STP port states and RSTP port states. Table 16-1 Comparison Between STP and RSTP Port States (columns: Operational Status | STP Port State...
  • Page 239: Common Spanning Tree

    To STP running in the SST region, an MST region appears as a single SST or pseudobridge, which operates as follows: • Although the values for root identifiers and root path costs match for all BPDUs in all...
  • Page 240: MST Regions

    MST BPDUs contain the MST configuration ID and the checksum. An MST bridge accepts an MST BPDU only if the MST BPDU configuration ID and the checksum match its own MST region configuration ID and checksum.
  • Page 241: Message Age and Hop Count

    IST Master The IST master of an MST region is the bridge with the lowest bridge identifier and the least path cost to the CST root. If an MST bridge is the root bridge for CST, then it is the IST master of that MST region. If the CST root is outside the MST region, then one of the MST bridges at the boundary is selected as the IST master.
  • Page 242: MST-to-PVST+ Interoperability

    VLAN is mapped. The topology change stays local to the first MST region, and the CAM table (MAC address table) entries in the other region are not flushed. To make the topology change visible throughout other MST regions, you can map that VLAN to the IST or connect the PVST+ switch to the two regions through access links.
  • Page 243: Configuring Mst

    Configuring MST. The following sections describe how to configure MST:
    • Enabling MST, page 16-9
    • Configuring MST Instance Parameters, page 16-11
    • Configuring MST Instance Port Parameters, page 16-12
    • Restarting Protocol Migration, page 16-12
    • ...
  • Page 244
    Switch(config-mst)# show current
    Current MST configuration
    Name Revision Instance Vlans mapped
    -------- --------------------------------------------------------------------- 1-4094
    -------------------------------------------------------------------------------
    Switch(config-mst)# name cisco
    Switch(config-mst)# revision 2
    Switch(config-mst)# instance 1 vlan 1
    Switch(config-mst)# instance 2 vlan 1-1000
    Switch(config-mst)# show pending
    Pending MST configuration
    Name [cisco] Revision Instance ...
  • Page 245: Configuring Mst Instance Parameters

    Configuring MST Instance Parameters. To configure MST instance parameters, perform this task:
    Step 1  Switch(config)# spanning-tree mst X priority Y    Configures the priority for MST instance X. Y is a multiple of 4096; the bridge with the lowest priority (then the lowest MAC address) becomes root for that instance.
    Step 2  Configures the bridge as root for an MST instance.
  • Page 246: Configuring Mst Instance Port Parameters

    Configuring MST Instance Port Parameters. To configure MST instance port parameters, perform this task:
    Step 1  Switch(config-if)# spanning-tree mst x cost y    Configures the MST instance port cost.
    Step 2  Configures the MST instance port priority.
  • Page 247: Displaying Mst Configurations

    Switch# show spanning-tree vlan vlan_ID
    The following examples show how to display spanning tree VLAN configurations in MST mode:
    Switch(config)# spanning-tree mst configuration
    Switch(config-mst)# instance 1 vlan 1-10
    Switch(config-mst)# name cisco
    Switch(config-mst)# revision 1
    Switch(config-mst)# end
    Switch# show spanning-tree mst configuration
    ...
  • Page 248
    Switch# show spanning-tree mst 1
    ###### MST01     vlans mapped:   1-10
    Bridge     address 00d0.00b8.1400  priority  32769 (32768 sysid 1)
    Root       this switch for MST01
    Interface        Role Sts Cost      Prio.Nbr Status
    ---------------- ---- --- --------- -------- --------------------------------
    Fa4/4            Back BLK 1000      240.196  ...
  • Page 249
    FastEthernet4/48 of MST01 is boundary forwarding
    Port info             port id  128.240  priority          cost  200000
    Designated root       address 00d0.00b8.1400  priority  32769  cost
    Designated bridge     address 00d0.00b8.1400  priority  32769  port id 128.240
    Timers: message expires in 0 sec, forward delay 0, forward transitions 1
    Bpdus (MRecords) sent 78, received 0
    Switch# show spanning-tree vlan 10
    ...
  • Page 251: Overview Of Etherchannel

    Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Overview of EtherChannel...
  • Page 252: C H A P T E R 17 Understanding And Configuring Etherchannel

    You can configure EtherChannels manually, or you can use the Port Aggregation Control Protocol (PAgP) or, with Cisco IOS Release 12.2(25)EW and later, the Link Aggregation Control Protocol (LACP) to form EtherChannels. The EtherChannel protocols allow ports with similar characteristics to form an EtherChannel through dynamic negotiation with connected network devices.
  • Page 253 Understanding IEEE 802.3ad LACP EtherChannel Configuration. Cisco IOS Release 12.2(25)EW and later releases support IEEE 802.3ad LACP EtherChannels. LACP supports the automatic creation of EtherChannels by exchanging LACP packets between LAN ports. LACP packets are exchanged only between ports in passive and active modes: an active port initiates the negotiation and a passive port only responds, so a channel forms between two active ports or between an active and a passive port, but never between two passive ports.
  • Page 254 Chapter 17 Understanding and Configuring EtherChannel Overview of EtherChannel The protocol learns the capabilities of LAN port groups dynamically and informs the other LAN ports. Once LACP identifies correctly matched Ethernet links, it facilitates grouping the links into an EtherChannel. The EtherChannel is then added to the spanning tree as a single bridge port. Both the passive and active modes allow LACP to negotiate between LAN ports to determine if they can form an EtherChannel, based on criteria such as port speed and trunking state.
  • Page 255: Understanding Load Balancing

    EtherChannel Configuration Guidelines and Restrictions. Understanding Load Balancing: EtherChannel can balance the traffic load across the links in the channel. It does this by reducing part of the binary pattern formed from the addresses or ports in the frame to a numerical value that selects one of the links in the channel.
  • Page 256: Configuring Etherchannel

    Configuring EtherChannel.
    • After you configure an EtherChannel, any configuration that you apply to the port-channel interface affects the EtherChannel; any configuration that you apply to the physical interfaces affects only the interface where you apply the configuration.
    • You cannot configure an 802.1X port in an EtherChannel.
  • Page 257
    To create a port-channel interface for a Layer 3 EtherChannel, perform this task:
    Step 1  Switch(config)# interface port-channel port_channel_number    Creates the port-channel interface. The value for port_channel_number can range from 1 to 64.
    Step 2  Switch(config-if)# ip address ip_address mask    Assigns an IP address and subnet mask to the ...
  • Page 258
    Step 5  Switch(config-if)# end    Exits configuration mode.
    Step 6  Switch# show running-config interface port-channel port_channel_number
            Switch# show running-config interface {fastethernet | gigabitethernet | tengigabitethernet} slot/port
            Switch# show interfaces {fastethernet | gigabitethernet | tengigabitethernet} slot/port etherchannel    Verifies the configuration.
  • Page 259: Configuring Layer 2 Etherchannels

    To configure Layer 2 EtherChannels, configure the Ethernet interfaces with the channel-group command. This creates the port-channel logical interface. Note: Cisco IOS software creates port-channel interfaces for Layer 2 EtherChannels when you configure Layer 2 Ethernet interfaces with the channel-group command.
  • Page 260
    To configure Layer 2 Ethernet interfaces as Layer 2 EtherChannels, perform this task for each interface:
    Step 1  Switch(config)# interface {fastethernet | gigabitethernet | tengigabitethernet} slot/port    Selects a physical interface to configure.
    Step 2  Switch(config-if)# channel-group port_channel_number mode ...    Configures the interface in a port-channel and ...
  • Page 261: Configuring The Lacp System Priority And System Id

    Switch# show interfaces fastethernet 5/6 etherchannel
    Port state    = EC-Enbld Up In-Bndl Usr-Config
    Channel group = 1           Mode = Desirable    Gcchange = 0
    Port-channel  = Po1         = 0x00010001
    Port indx                   Load = 0x55
    Flags:  S - Device is sending Slow hello. ...
  • Page 262: Configuring Etherchannel Load Balancing

    To configure the LACP system priority and system ID, perform this task:
    Step 1  Switch(config)# lacp system-priority priority_value    (Optional for LACP) Valid values are 1 through 65535. Higher numbers have lower priority. The default is 32768; the no form reverts to the default. The system ID is this priority followed by the switch MAC address, and the end of the link with the lower system ID decides, through its port priorities, which ports become active when more links are eligible than the channel can carry.
  • Page 263: Removing An Interface From An Etherchannel

    Chapter 17 Understanding and Configuring EtherChannel Configuring EtherChannel Command Purpose Step 2 Exits configuration mode. Switch(config)# end Step 3 Verifies the configuration. Switch# show etherchannel load-balance The load-balancing keywords are: src-mac—Source MAC addresses • dst-mac—Destination MAC addresses • src-dst-mac—Source and destination MAC addresses •...
  • Page 264: Removing An Etherchannel

    Removing an EtherChannel. If you remove an EtherChannel, the member ports are shut down and removed from the channel group. Note: You must remove an EtherChannel before changing a port from Layer 2 to Layer 3, or Layer 3 to Layer 2. To remove an EtherChannel, perform this task: ...
  • Page 265: Overview Of Igmp Snooping

    • ...
    • Displaying IGMP Filtering Configuration, page 18-20
    Note: To support Cisco Group Management Protocol (CGMP) client devices, configure the switch as a CGMP server. For more information, see the chapters “IP Multicast” and “Configuring IP Multicast Routing” in the Cisco IOS IP and IP Routing Configuration Guide, Release 12.2 at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ip_c/ipcprt3/1cdmulti.htm...
  • Page 266: C H A P T E R 18 Configuring Igmp Snooping And Filtering

    Chapter 18 Configuring IGMP Snooping and Filtering Overview of IGMP Snooping In contrast to IGMPv1 and IGMPv2, IGMPv3 snooping provides immediate-leave processing by default. It provides Explicit Host Tracking (EHT) and allows network administrators to deploy SSM functionality on Layer 2 devices that truly support IGMPv3. (See Explicit Host Tracking, page 18-3.) In subnets where IGMP is configured, IGMP snooping manages multicast traffic at Layer 2.
  • Page 267: Immediate-Leave Processing

    Immediate-Leave Processing. IGMP snooping immediate-leave processing allows the switch to remove an interface from the forwarding-table entry without first sending out IGMP group-specific queries to the interface. The interface is pruned from the multicast tree for the multicast group specified in the original IGMP leave message as soon as the leave arrives. Enable immediate leave only on VLANs where each port has a single receiver; with several receivers behind one port, the first host to leave cuts the others off until they report again.
  • Page 268: Configuring Igmp Snooping

    To determine whether or not EHT is enabled on a VLAN, use the show ip igmp snooping vlan vlan_ID command. Configuring IGMP Snooping. Note: When configuring IGMP, configure the VLAN in VLAN database mode. (See Chapter 10, “Understanding and Configuring...
  • Page 269: Enabling Igmp Snooping

    Enabling IGMP Snooping. To enable IGMP snooping globally, perform this task:
    Step 1  Switch(config)# [no] ip igmp snooping    Enables IGMP snooping. Use the no keyword to disable IGMP snooping.
    Step 2  Exits configuration mode.
  • Page 270: Configuring Learning Methods

    This example shows how to enable IGMP snooping on VLAN 2 and verify the configuration:
    Switch# configure terminal
    Switch(config)# ip igmp snooping vlan 2
    Switch(config)# end
    Switch# show ip igmp snooping vlan 2
    Global IGMP Snooping configuration:
    -----------------------------------
    IGMP snooping ...
  • Page 271: Configuring A Multicast Router Port Statically

    This example shows how to configure IP IGMP snooping to learn from CGMP self-join packets:
    Switch(config)# ip igmp snooping vlan 1 mrouter learn cgmp
    Switch(config)# end
    Switch#
    Configuring a Multicast Router Port Statically. To configure a static connection to a multicast router, enter the ip igmp snooping mrouter command on the switch.
  • Page 272: Configuring Explicit Host Tracking

    Chapter 18 Configuring IGMP Snooping and Filtering Configuring IGMP Snooping This example shows how to enable IGMP immediate-leave processing on interface VLAN 200 and to verify the configuration: Switch(config)# ip igmp snooping vlan 200 immediate-leave Configuring immediate leave on vlan 200 Switch(config)# end Switch# show ip igmp interface vlan 200 | include immediate leave Immediate leave...
  • Page 273: Suppressing Multicast Flooding

    Suppressing Multicast Flooding. An IGMP snooping-enabled switch will flood multicast traffic to all ports in a VLAN when a spanning-tree Topology Change Notification (TCN) is received. Multicast flooding suppression enables a switch to stop sending such traffic.
  • Page 274
    While in “multicast flooding mode,” IP multicast traffic is delivered to all ports in the VLAN, and not restricted to those ports on which multicast group members have been detected. Starting with 12.1(11b)EW, you can manually prevent IP multicast traffic from being flooded to a switchport by using the no ip igmp snooping tcn flood command on that port.
  • Page 275: Displaying Igmp Snooping Information

    Displaying IGMP Snooping Information. This example shows how to modify the switch to stop flooding multicast traffic after four queries:
    Switch(config)# ip igmp snooping tcn flood query count 4
    Switch(config)# end
    Switch#
    When a spanning tree root switch receives a topology change in an IGMP snooping-enabled VLAN, the switch issues a query solicitation that causes an IOS router to send out one or more general queries.
  • Page 276: Displaying Querier Information

    Displaying Querier Information. To display querier information, perform this task:
    Switch# show ip igmp snooping querier [vlan vlan_ID]    Displays the IGMP querier (the device whose general queries the switch has seen) for each VLAN.
    This example shows how to display the IGMP snooping querier information for all VLANs on the switch:
    Switch# show ip igmp snooping querier
    Vlan ...
  • Page 277: Displaying Group Information

    40.40.40.5/224.10.10.10   Fa2/1   20.20.20.20   00:39:42   00:09:17   -
    40.40.40.6/224.10.10.10   Fa2/1   20.20.20.20   00:09:47   00:09:17   -
    Switch# clear ip igmp snooping membership vlan 20
    This example shows how to display host membership for interface gi4/1:
    Switch# show ip igmp snooping membership interface gi4/1
    #channels: 5
    #hosts   : 1
    ...
  • Page 278: Displaying Multicast Router Interfaces

    This example shows how to display the host types and ports of a group in VLAN 10:
    Switch# show ip igmp snooping groups vlan 10 226.6.6.7
    Vlan   Group   Version   Ports
    ---------------------------------------------------------
    226.6.6.7 ...
  • Page 279: Displaying Mac Address Multicast Entries

    To display multicast router interfaces, perform this task:
    Switch# show ip igmp snooping mrouter vlan vlan_ID    Displays multicast router interfaces.
    This example shows how to display the multicast router interfaces in VLAN 1:
    Switch# show ip igmp snooping mrouter vlan 1
    vlan   ports
    ...
  • Page 280: Configuring Igmp Filtering

    Configuring IGMP Filtering. This example shows how to display IGMP snooping information on VLAN 5:
    Switch# show ip igmp snooping vlan 5
    Global IGMP Snooping configuration:
    -----------------------------------
    IGMP snooping            : Enabled
    IGMPv3 snooping support  : Full
    Report suppression       : Enabled
    TCN solicit query ...
  • Page 281: Default Igmp Filtering Configuration

    Default IGMP Filtering Configuration. Table 18-2 shows the default IGMP filtering configuration.
    Table 18-2 Default IGMP Filtering Settings
    Feature                               Default Setting
    IGMP filters                          No filtering
    IGMP maximum number of IGMP groups    No limit
    IGMP profiles                         None defined
    ...
  • Page 282: Applying Igmp Profiles

    Step 6  Switch# show ip igmp profile profile_number    Verifies the profile configuration.
    Step 7  Switch# copy running-config startup-config    (Optional) Saves your entries in the configuration file.
    To delete a profile, use the no ip igmp profile profile_number global configuration command. To delete an IP multicast address or range of IP multicast addresses, use the no range ip_multicast_address IGMP profile configuration command.
  • Page 283: Setting The Maximum Number Of Igmp Groups

    To remove a profile from an interface, use the no ip igmp filter command. This example shows how to apply IGMP profile 4 to an interface and to verify the configuration:
    Switch# config t
    Switch(config)# interface fastethernet2/12
    Switch(config-if)# ip igmp filter 4
    ...
  • Page 284: Displaying Igmp Filtering Configuration

    Displaying IGMP Filtering Configuration. To remove the maximum group limitation and return to the default of no maximum, use the no ip igmp max-groups command. This example shows how to limit the number of IGMP groups that an interface can join to 25:
    Switch# config t
    Switch(config)# interface fastethernet2/12
    Switch(config-if)# ip igmp max-groups 25
    ...
  • Page 285
    This is an example of the show running-config privileged EXEC command when an interface is specified with IGMP maximum groups configured and IGMP profile 4 has been applied to the interface.
    Switch# show running-config interface fastethernet2/12
    Building configuration...
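The following Python is an added example, not Cisco's code, that models the per-port controls from this section and from Immediate-Leave Processing earlier in the chapter: an IGMP profile with permit or deny ranges, the max-groups limit, and immediate versus query-based leave. It models the decisions the switch makes, not IGMP packet formats; the port names, profile and group addresses are constructed.

```python
"""Model of IGMP snooping join controls (added example, not Cisco's code).

Covers: 'ip igmp profile N' with permit/deny ranges, 'ip igmp max-groups N',
and immediate-leave versus group-specific-query leave handling.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IgmpProfile:
    """One IGMP profile. IOS's default action is deny: the listed ranges
    are blocked and every other group is allowed; 'permit' inverts that."""
    action: str = "deny"
    ranges: list = field(default_factory=list)   # (low, high) dotted-quad strings

    def allows(self, group):
        g = ipaddress.IPv4Address(group)
        listed = any(ipaddress.IPv4Address(lo) <= g <= ipaddress.IPv4Address(hi)
                     for lo, hi in self.ranges)
        return listed if self.action == "permit" else not listed


@dataclass
class Port:
    name: str
    profile: IgmpProfile = None      # applied with 'ip igmp filter N'
    max_groups: int = None           # 'ip igmp max-groups N'; None = no limit (default)
    groups: set = field(default_factory=set)


class SnoopingVlan:
    """Per-VLAN Layer 2 forwarding state learned from IGMP reports."""

    def __init__(self, vlan_id, immediate_leave=False):
        self.vlan_id = vlan_id
        self.immediate_leave = immediate_leave
        self.table = {}          # group -> set of port names
        self.pending = set()     # (group, port) waiting on a group-specific query

    def report(self, port, group):
        """Membership report from a host on 'port'. Returns 'added',
        'filtered' (profile denied it) or 'limit' (max-groups reached)."""
        if not ipaddress.IPv4Address(group).is_multicast:
            raise ValueError(f"{group} is not a multicast group")
        if port.profile is not None and not port.profile.allows(group):
            return "filtered"
        # A re-report of a group already joined does not count against the limit.
        if group not in port.groups and port.max_groups is not None \
                and len(port.groups) >= port.max_groups:
            return "limit"
        port.groups.add(group)
        self.table.setdefault(group, set()).add(port.name)
        self.pending.discard((group, port.name))
        return "added"

    def leave(self, port, group):
        """IGMP leave from a host on 'port'. With immediate leave the port
        is pruned at once; otherwise a group-specific query is sent and the
        port stays until the query times out without a report."""
        if group not in port.groups:
            return "unknown"
        if self.immediate_leave:
            self._prune(port, group)
            return "pruned"
        self.pending.add((group, port.name))
        return "query-sent"

    def query_timeout(self, port, group):
        """No report answered the group-specific query: prune now."""
        if (group, port.name) in self.pending:
            self.pending.discard((group, port.name))
            self._prune(port, group)
            return "pruned"
        return "noop"

    def _prune(self, port, group):
        port.groups.discard(group)
        members = self.table.get(group, set())
        members.discard(port.name)
        if not members:
            self.table.pop(group, None)

    def ports_for(self, group):
        return sorted(self.table.get(group, ()))
```

The model makes the interaction between the two limits visible: a group the profile denies is never installed and so never consumes one of the max-groups slots, while a re-report of a group the port already joined does not count against the limit either.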
  • Page 287: Chapter 19 Configuring 802.1Q And Layer 2 Protocol Tunneling

    Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. This chapter contains these sections:
    • Understanding 802.1Q Tunneling, page 19-1
    • ...
  • Page 288 Chapter 19 Configuring 802.1Q and Layer 2 Protocol Tunneling, Understanding 802.1Q Tunneling. A port configured to support 802.1Q tunneling is called a tunnel port. When you configure tunneling, you assign a tunnel port to a VLAN ID that is dedicated to tunneling. Each customer requires a separate Service Provider VLAN ID, and that one Service Provider VLAN ID carries all of that customer's VLANs.
  • Page 289
    Figure 19-2 Original (Normal), 802.1Q, and Double-Tagged Ethernet Packet Formats (figure; labels recovered from the image: destination address, source address, length/EtherType, data and frame check sequence for the original Ethernet frame; the IEEE 802.1Q frame inserts one tag in front of the length/EtherType field; the double-tagged frame carries the service-provider tag in front of the customer's 802.1Q tag.)
  • Page 290: Configuring 802.1Q Tunneling

    Configuring 802.1Q Tunneling. These sections describe 802.1Q tunneling configuration:
    • 802.1Q Tunneling Configuration Guidelines, page 19-4
    • 802.1Q Tunneling and Other Features, page 19-5
    • Configuring an 802.1Q Tunneling Port, page 19-6
    • ...
  • Page 291: 802.1Q Tunneling And Other Features

    Figure 19-3 Potential Problem with 802.1Q Tunneling and Native VLANs (figure; labels recovered from the image: Customer A, VLANs 30-40, native VLAN 40; Switch 4; service provider, tunnel port, VLANs 5-50; Switch 2; “tag not added for VLAN 40”; “VLAN 40 removed”. The figure illustrates a tunnel port whose VLAN is the same as the native VLAN of the service-provider 802.1Q trunk: the metro tag is not added on the trunk, so the frame crosses the provider network carrying only the customer's tag and is misclassified at the far end.)
  • Page 292: Configuring An 802.1Q Tunneling Port

    • When a port is configured as an 802.1Q tunnel port, spanning-tree bridge protocol data unit (BPDU) filtering is automatically enabled on the interface.
    • Cisco Discovery Protocol (CDP) is automatically disabled on the interface.
    Configuring an 802.1Q Tunneling Port. To configure a port as an 802.1Q tunnel port, perform this task: ...
  • Page 293: Understanding Layer 2 Protocol Tunneling

    • Users on each of a customer’s sites can properly run STP, and every VLAN can build a correct spanning tree, based on parameters from all sites and not just from the local site.
    • CDP discovers and shows information about the other Cisco devices connected through the Service Provider network.
    • ...
  • Page 294 Understanding Layer 2 Protocol Tunneling. Customer A’s Site 1 will build a spanning tree on the switches at that site without considering convergence parameters based on Customer A’s switch in Site 2. Figure 19-5 shows one possible spanning tree topology.
  • Page 295: Configuring Layer 2 Protocol Tunneling

    Service Provider network, the switch overwrites the customer PDU-destination MAC address with a well-known Cisco proprietary multicast address (01-00-0c-cd-cd-d0). If 802.1Q tunneling is enabled, packets are also double-tagged; the outer tag is the customer metro tag, and the inner tag is the customer’s VLAN tag.
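The following Python is an added example, not Cisco's code. It builds the three frame formats from Figure 19-2, pushes and pops the service-provider tag at a tunnel port, applies the native-VLAN behaviour of an 802.1Q trunk that Figure 19-3 warns about, and performs the Layer 2 protocol tunneling rewrite of a BPDU's destination MAC to 01-00-0c-cd-cd-d0 described above. Frame checksums are omitted; the MAC addresses, VLAN numbers and payloads are constructed.

```python
"""802.1Q tunneling and L2PT frame handling (added example, not Cisco's code)."""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IPV4 = 0x0800
STP_DA = bytes.fromhex("0180c2000000")     # IEEE STP BPDU destination
L2PT_DA = bytes.fromhex("01000ccdcdd0")    # Cisco L2PT destination 01-00-0c-cd-cd-d0


def mac(s):
    return bytes.fromhex(s.replace(".", "").replace(":", "").replace("-", ""))


def build(dst, src, vids, ethertype, payload):
    """Ethernet frame with zero or more 802.1Q tags, outermost first.
    The FCS is left out; hardware recomputes it on every hop anyway."""
    tags = b"".join(struct.pack(">HH", ETH_P_8021Q, v & 0x0FFF) for v in vids)
    return dst + src + tags + struct.pack(">H", ethertype) + payload


def parse(frame):
    """Split a frame into addresses, the list of VLAN IDs (outer first),
    the EtherType/length field and the payload."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while struct.unpack(">H", frame[off:off + 2])[0] == ETH_P_8021Q:
        vids.append(struct.unpack(">H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack(">H", frame[off:off + 2])[0]
    return {"dst": dst, "src": src, "vids": vids,
            "ethertype": ethertype, "payload": frame[off + 2:]}


def tunnel_port_ingress(frame, metro_vid):
    """802.1Q tunnel port: push the service-provider (metro) tag in front
    of whatever the customer sent, tagged or untagged."""
    p = parse(frame)
    return build(p["dst"], p["src"], [metro_vid] + p["vids"], p["ethertype"], p["payload"])


def tunnel_port_egress(frame):
    """Pop the metro tag; the customer frame comes out as it went in."""
    p = parse(frame)
    return build(p["dst"], p["src"], p["vids"][1:], p["ethertype"], p["payload"])


def trunk_egress(frame, native_vid):
    """802.1Q trunk: a frame whose outer VLAN is the trunk's native VLAN
    is transmitted without that tag (the Figure 19-3 problem)."""
    p = parse(frame)
    if p["vids"] and p["vids"][0] == native_vid:
        return build(p["dst"], p["src"], p["vids"][1:], p["ethertype"], p["payload"])
    return frame


def trunk_ingress_vlan(frame, native_vid):
    """VLAN the receiving trunk assigns: the outer tag, or native if untagged."""
    p = parse(frame)
    return p["vids"][0] if p["vids"] else native_vid


def l2pt_ingress(frame, metro_vid):
    """Layer 2 protocol tunneling at the ingress tunnel port: rewrite the
    PDU destination to the Cisco L2PT multicast address, then tag it like
    any other customer frame. Only STP BPDUs are recognised here; CDP and
    VTP PDUs are rewritten the same way on the switch."""
    p = parse(frame)
    if p["dst"] != STP_DA:
        return None
    rewritten = build(L2PT_DA, p["src"], p["vids"], p["ethertype"], p["payload"])
    return tunnel_port_ingress(rewritten, metro_vid)


def l2pt_egress(frame):
    """Reverse at the far tunnel port: pop the metro tag, restore the STP DA."""
    p = parse(tunnel_port_egress(frame))
    return build(STP_DA, p["src"], p["vids"], p["ethertype"], p["payload"])


# Constructed customer frames: a tagged data frame on VLAN 30 and an untagged BPDU.
CUSTOMER_DATA = build(mac("0000.0c00.0002"), mac("0000.0c00.0001"), [30],
                      ETH_P_IPV4, b"\x45" + b"\x00" * 19)
CUSTOMER_BPDU = build(STP_DA, mac("0000.0c00.0001"), [], 0x0026,
                      b"\x42\x42\x03" + b"\x00" * 35)
```

Running `trunk_egress(tunnel_port_ingress(CUSTOMER_DATA, 40), native_vid=40)` reproduces the figure: the metro tag 40 is dropped on the trunk, and the next provider switch classifies the frame into VLAN 30, a provider VLAN that may belong to another customer. With a native VLAN no tunnel port uses, the frame stays double-tagged and lands in VLAN 40 as intended.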
  • Page 296: Layer 2 Protocol Tunneling Configuration Guidelines

    Layer 2 Protocol Tunneling Configuration Guidelines. These are some configuration guidelines and operating characteristics of Layer 2 protocol tunneling:
    • The switch supports tunneling of CDP, STP, including multiple STP (MSTP), and VTP. Protocol tunneling is disabled by default but can be enabled for the individual protocols on 802.1Q tunnel ports or on access ports.
  • Page 297
    Step 3  Switch(config-if)# switchport mode access, or switchport mode dot1q-tunnel    Configures the interface as an access port or as an 802.1Q tunnel port.
    Step 4  Enables protocol tunneling for the desired protocol.
  • Page 298: Monitoring And Maintaining Tunneling Status

    Monitoring and Maintaining Tunneling Status.
    Switch(config-if)# l2protocol-tunnel shutdown-threshold 1500
    Switch(config-if)# l2protocol-tunnel drop-threshold 1000
    Switch(config-if)# exit
    Switch(config)# l2protocol-tunnel cos 7
    Switch(config)# end
    Switch# show l2protocol
    COS for Encapsulated Packets: 7
    Port   Protocol   Shutdown    Drop        Encapsulation   Decapsulation   Drop
                      Threshold   Threshold   Counter         ...
  • Page 299: Chapter 20 Understanding And Configuring Cdp

    Overview of CDP. CDP is a protocol that runs over Layer 2 (the data link layer) on all Cisco routers, bridges, access servers, and switches. CDP allows network management applications to discover Cisco devices that are neighbors of already known devices, in particular, neighbors running lower-layer, transparent protocols. With CDP, network management applications can learn the device type and the SNMP agent... CDP advertisements are unauthenticated and sent in the clear to whatever is attached to an enabled interface, so disable CDP on interfaces that face untrusted devices.
  • Page 300: Configuring Cdp

    Configuring CDP. The following sections describe how to configure CDP:
    • Enabling CDP Globally, page 20-2
    • Displaying the CDP Global Configuration, page 20-2
    • Enabling CDP on an Interface, page 20-3
    • Displaying the CDP Interface Configuration, page 20-3
    • ...
  • Page 301: Enabling Cdp On An Interface

    Enabling CDP on an Interface. To enable CDP on an interface, perform this task:
    Switch(config-if)# [no] cdp enable    Enables CDP on an interface. Use the no keyword to disable CDP on an interface.
    This example shows how to enable CDP on Fast Ethernet interface 5/1:
    Switch(config)# interface fastethernet 5/1
    Switch(config-if)# cdp enable
    ...
  • Page 302
    Switch# show cdp entry entry_name [protocol | version]    Displays information about a specific neighbor. The display can be limited to protocol or version information.
    Switch# show cdp interface [type/number]    Displays information about interfaces on which CDP is enabled.
  • Page 303: Chapter 21 Configuring Udld

    Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Overview of UDLD. UDLD allows devices connected through fiber-optic or copper Ethernet cables (for example, Category 5 cabling) to monitor the physical configuration of the cables and detect when a unidirectional link exists.
  • Page 304: Default Udld Configuration

    Chapter 21 Configuring UDLD, Default UDLD Configuration. The switch periodically transmits UDLD packets to neighbor devices on interfaces with UDLD enabled. Each packet carries the sending port's identity and the identities of the neighbors it has heard from; if a neighbor's packets stop echoing the port's own identity back within a specific time frame, the link is flagged as unidirectional and the interface is shut down. Devices on both ends of the link must support UDLD in order for the protocol to successfully identify and disable unidirectional links.
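The following Python is an added example, not Cisco's code, that simulates the echo mechanism described above between two UDLD-enabled ports. Each port transmits a probe every round naming itself and the neighbors it has heard recently; a port that keeps hearing a neighbor whose probes never name it concludes that its own transmissions are not arriving and declares the link unidirectional. The device names, port names and the round-based timeout are made up for the example.

```python
"""UDLD probe/echo exchange (added example, not Cisco's implementation)."""


class UdldPort:
    """One end of a link running UDLD.

    Each round the port transmits a probe that names itself and every
    neighbor it has heard within the timeout. A neighbor that sees its own
    identity in that list knows its transmissions are arriving.
    """

    def __init__(self, device, port, timeout_rounds=3):
        self.me = (device, port)
        self.timeout = timeout_rounds
        self.neighbors = {}        # neighbor id -> last round it was heard
        self.first_heard = None    # round a neighbor was first heard
        self.last_echo = None      # round a neighbor last echoed our id
        self.state = "undetermined"

    def live_neighbors(self, rnd):
        """Neighbors heard within the timeout; older entries age out."""
        return sorted(n for n, t in self.neighbors.items() if rnd - t < self.timeout)

    def probe(self, rnd):
        return {"id": self.me, "echo": self.live_neighbors(rnd)}

    def receive(self, msg, rnd):
        self.neighbors[msg["id"]] = rnd
        if self.first_heard is None:
            self.first_heard = rnd
        if self.me in msg["echo"]:
            self.last_echo = rnd

    def evaluate(self, rnd):
        """Update the port's view of the link at the end of a round."""
        if self.state == "unidirectional":
            return self.state      # err-disabled: stays down until cleared
        if not self.live_neighbors(rnd):
            self.state = "undetermined"   # no UDLD peer heard at all
        elif self.last_echo is not None and rnd - self.last_echo < self.timeout:
            self.state = "bidirectional"
        else:
            since = self.last_echo if self.last_echo is not None else self.first_heard
            if rnd - since >= self.timeout:
                # We hear the peer, but it has not echoed us for a full
                # timeout: our transmit direction is broken. Shut the port.
                self.state = "unidirectional"
        return self.state


def simulate(a_to_b, b_to_a, rounds=8):
    """Run two ports over a link. a_to_b(r) and b_to_a(r) say whether that
    direction delivers in round r. Returns (state of A, state of B)."""
    a = UdldPort("SwitchA", "GigabitEthernet1/1")
    b = UdldPort("SwitchB", "GigabitEthernet1/1")
    for r in range(1, rounds + 1):
        probe_a, probe_b = a.probe(r), b.probe(r)
        if a_to_b(r):
            b.receive(probe_a, r)
        if b_to_a(r):
            a.receive(probe_b, r)
        a.evaluate(r)
        b.evaluate(r)
    return a.state, b.state
```

Note which side detects the fault: when A's transmit fibre is dead, B hears nothing and simply has no UDLD neighbor, while A, which still hears B's probes, is the one that sees its identity missing from them and shuts its port. A link that starts healthy and then loses one direction is detected the same way once the echo ages out.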
  • Page 305: Enabling Udld Globally

    Enabling UDLD Globally. To enable UDLD globally on all fiber-optic interfaces on the switch, perform this task:
    Switch(config)# [no] udld enable    Enables UDLD globally on fiber-optic interfaces on the switch.
  • Page 306: Disabling Udld On Fiber-Optic Interfaces

    Disabling UDLD on Fiber-Optic Interfaces. To disable UDLD on individual fiber-optic interfaces, perform this task:
    Step 1  Switch(config-if)# udld disable    Disables UDLD on a fiber-optic interface. Note: This command is not supported on nonfiber-optic interfaces.
  • Page 307: Chapter 22 Configuring Unidirectional Ethernet

    Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Overview of Unidirectional Ethernet. You can set non-blocking GigaPorts to unidirectionally transmit or receive traffic. Unidirectional Ethernet uses only one strand of fiber for either transmitting or receiving one-way traffic for the GigaPort, instead of two strands of fiber for a full-duplex GigaPort Ethernet.
  • Page 308
    To enable Unidirectional Ethernet, perform this task:
    Step 1  Switch(config)# interface {vlan vlan_ID | {fastethernet | gigabitethernet | tengigabitethernet} slot/interface | port-channel number}    Selects the interface to configure.
    Step 2  Enables Unidirectional Ethernet.
  • Page 309
    This example shows how to disable Unidirectional Ethernet on Gigabit Ethernet interface 1/1:
    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# interface gigabitethernet 1/1
    Switch(config-if)# no unidirectional
    Switch(config-if)# end
    This example shows the result of issuing the show interface command for a port that does not support Unidirectional Ethernet: ...
  • Page 311: Chapter 23 Configuring Layer 3 Interfaces

    Physical Layer 3 Interfaces, page 23-2 The Catalyst 4500 series switch supports Layer 3 interfaces with the Cisco IOS IP and IP routing protocols. Layer 3, the network layer, is primarily responsible for the routing of data in packets across logical internetwork paths.
  • Page 312: Logical Layer 3 Vlan Interfaces

    Chapter 23 Configuring Layer 3 Interfaces Overview of Layer 3 Interfaces Logical Layer 3 VLAN Interfaces The logical Layer 3 VLAN interfaces provide logical routing interfaces to VLANs on Layer 2 switches. A traditional network requires a physical interface from a router to a switch to perform inter-VLAN routing.
  • Page 313: Configuration Guidelines

    A Catalyst 4500 series switch supports AppleTalk routing and IPX routing. For AppleTalk routing and IPX routing information, refer to “Configuring AppleTalk” and “Configuring Novell IPX” in the Cisco IOS AppleTalk and Novell IPX Configuration Guide at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/atipx_c/index.htm A Catalyst 4500 series switch does not support subinterfaces or the encapsulation keyword on Layer 3 Fast Ethernet or Gigabit Ethernet interfaces.
  • Page 314: Configuring Physical Layer 3 Interfaces

    Configuring Physical Layer 3 Interfaces. This example uses the show interfaces command to display the interface IP address configuration and status of Layer 3 VLAN interface vlan 2:
    Switch# show interfaces vlan 2
    Vlan2 is up, line protocol is down
      Hardware is Ethernet SVI, address is 00D.588F.B604 (bia 00D.588F.B604)
      Internet address is 172.20.52.106/29
      MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, ...
  • Page 315: Configuring Physical Layer 3 Interfaces

    To configure physical Layer 3 interfaces, perform this task:
    Step 1  Switch(config)# ip routing    Enables IP routing (required only if disabled).
    Step 2  Switch(config)# interface {{fastethernet | gigabitethernet | tengigabitethernet} slot/port | port-channel port_channel_number}    Selects an interface to configure.
    ...
  • Page 317: Chapter 24 Configuring Cisco Express Forwarding

    C H A P T E R Configuring Cisco Express Forwarding This chapter describes Cisco Express Forwarding (CEF) on the Catalyst 4500 series switch. It also provides guidelines, procedures, and examples to configure this feature. This chapter includes the following major sections: Overview of CEF, page 24-1 •...
  • Page 318: Forwarding Information Base

    Overview of CEF. CEF provides the following benefits:
    • Improves performance over the caching schemes of multilayer switches, which often flush the entire cache when information changes in the routing tables.
    • Provides load balancing that distributes packets across multiple links based on Layer 3 routing information.
  • Page 319: Catalyst 4500 Series Switch Implementation Of Cef

    Adjacency Types That Require Special Handling. In addition to adjacencies for next-hop interfaces (host-route adjacencies), other types of adjacencies are used to expedite switching when certain exception conditions exist. When the prefix is defined, prefixes...
  • Page 320: Hardware And Software Switching

    Figure 24-1 Logical L2/L3 Switch Components (figure labels: Integrated Switching Engine (ASIC); L3 physical interface Gig 1/1; Logical Router; L3 logical interfaces VLAN1, VLAN2; L2 switchports). The Integrated Switching Engine performs inter-VLAN routing on logical Layer 3 interfaces with the ASIC hardware.
  • Page 321 Figure 24-2 Hardware and Software Switching Components (figure labels: Integrated Switching Engine; CPU Subsystem; L3 physical interface Gig 1/1; Router; L3 interfaces VLAN1, VLAN2, tunnel, tunnel; L2 switchports). The Integrated Switching Engine performs inter-VLAN routing in hardware. The CPU subsystem software supports Layer 3 interfaces to VLANs that use Subnetwork Access Protocol (SNAP) encapsulation.
  • Page 322: Load Balancing

    Software Interfaces Cisco IOS for the Catalyst 4500 series switch supports GRE and IP tunnel interfaces that are not part of the hardware forwarding engine. All packets that flow to or from these interfaces must be processed in software and will have a significantly lower forwarding rate than that of hardware-switched interfaces.
  • Page 323: Configuring Load Balancing For Cef

    Switch(config)# [no] ip cef load-sharing algorithm include-ports [source] [destination]
    Enables the load-sharing hash function to use source and destination ports. Use the no keyword to set the switch to use the default Cisco IOS load-sharing algorithm.
  • Page 324: Monitoring And Maintaining Cef

    For more information on load sharing, refer to the Configuring Cisco Express Forwarding module of the Cisco IOS documentation at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fwitch_c/swprt1/xcfcefc.htm Note: The include-ports option does not apply to software-switched traffic on the Catalyst 4500 series switches.
  • Page 325 This example shows how to display IP unicast statistics for port 3/1:
    Switch# show interface fastethernet 3/1 counters detail
    Port   InBytes      InUcastPkts  InMcastPkts  InBcastPkts
    Fa3/1  7263539133   5998222      6412307
    Port   OutBytes...
  • Page 327: Chapter 25 Understanding And Configuring Ip Multicast

    Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Note: For more detailed information on IP multicast, refer to the discussion at: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcpt3/...
  • Page 328: Ip Multicast Protocols

    The Catalyst 4500 series switch primarily uses these protocols to implement IP multicast routing: • Internet Group Management Protocol (IGMP) • Protocol Independent Multicast (PIM) • IGMP snooping and Cisco Group Management Protocol. Figure 25-1 shows where these protocols operate within the IP multicast environment.
  • Page 329 For more detailed information on PIM Dense and Sparse Mode, refer to this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcpt3.
  • Page 330: Ip Multicast On The Catalyst 4500 Series Switch

    CGMP client. To configure a Catalyst 4500 series switch as a client, use IGMP snooping. CGMP is a Cisco protocol that allows Catalyst switches to leverage IGMP information on Cisco routers to make Layer 2 forwarding decisions. CGMP is configured on the multicast routers and the Layer 2 switches.
  • Page 331 The implementation of IP multicast on the Catalyst 4500 series switch is an extension of centralized Cisco Express Forwarding (CEF). CEF extracts information from the unicast routing table, which is created by unicast routing protocols such as BGP, OSPF, and EIGRP, and loads it into the hardware Forwarding Information Base (FIB).
  • Page 332 The Catalyst 4500 series switch performs Layer 3 routing and Layer 2 bridging at the same time. There can be multiple Layer 2 switchports on any VLAN interface. To determine the set of output switchports on which to forward a multicast packet, the Supervisor Engine III combines Layer 3 MFIB information with Layer 2 forwarding information and stores it in the hardware MET for packet replication.
  • Page 333 If VLAN 1 contains 1/1 and 1/2, VLAN 2 contains 2/1 and 2/2, and VLAN 3 contains 3/1 and 3/2, the MET chain for this route would contain these switchports: (1/1, 1/2, 2/1, 2/2, 3/1, and 3/2). If IGMP snooping is on, the packet should not be forwarded to all output switchports on VLAN 2.
  • Page 334 Output interface lists are stored in the multicast expansion table (MET). The MET has room for up to 32,000 output interface lists. The MET resources are shared by both Layer 3 multicast routes and by Layer 2 multicast entries.
  • Page 335 Hardware routes occur when the Integrated Switching Engine hardware forwards all replicas of a packet. Software routes occur when the CPU subsystem software forwards all replicas of a packet. Partial routes occur when the Integrated Switching Engine forwards some of the replicas in hardware and the CPU subsystem forwards some of the replicas in software.
  • Page 336 Figure 25-6 Redundant Multicast Router Configuration in a Stub Network (figure labels: Router A, Router B, Network A, Network B, Multicast Traffic, Non-RPF Traffic). In this kind of topology, only Router A, the PIM designated router (PIM DR), forwards data to the common VLAN.
  • Page 337 Multicast Forwarding Information Base. The Multicast Forwarding Information Base (MFIB) subsystem supports IP multicast routing in the Integrated Switching Engine hardware on the Catalyst 4500 series switch. The MFIB logically resides between the IP multicast routing protocols in the CPU subsystem software (PIM, IGMP, MSDP, MBGP, and DVMRP) and the platform-specific code that manages IP multicast routing in hardware.
  • Page 338: Unsupported Features

    • Enabling PIM on an Interface, page 25-13. For more detailed information on IP multicast routing, such as Auto-RP, PIM Version 2, and IP multicast static routes, refer to the Cisco IOS IP and IP Routing Configuration Guide, Release 12.2.
  • Page 339: Default Configuration In Ip Multicast Routing

    Source-specific multicast and IGMP v3 are supported. Note: For more information about source-specific multicast with IGMPv3 and IGMP, see the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcpt3/1cfssm.htm Enabling IP Multicast Routing. Enabling IP multicast routing allows the Catalyst 4500 series switch to forward multicast packets. To...
  • Page 340: Enabling Dense Mode

    When the switch populates the multicast routing table, dense-mode interfaces are always added to the table. Sparse-mode interfaces are added to the table only when periodic join messages are received from downstream routers, or when there is a directly connected member on the interface.
  • Page 341: Monitoring And Maintaining Ip Multicast Routing

    When an interface is treated in dense mode, it is populated in a multicast routing table's outgoing interface list when either of the following is true: • When there are members or DVMRP neighbors on the interface...
  • Page 342: Displaying The Multicast Routing Table

    Displaying the Multicast Routing Table. The following is sample output from the show ip mroute command for a router operating in dense mode. This command displays the contents of the IP multicast FIB table for the multicast group named cbone-audio.
  • Page 343 The following is sample output from the show ip mroute command with the active keyword: Switch# show ip mroute active Active IP Multicast Sources - sending >= 4 kbps Group: 224.2.127.254, (sdr.cisco.com) Source: 146.137.28.69 (mbone.ipd.anl.gov) Rate: 1 pps/4 kbps(1sec), 4 kbps(last 1 secs), 4 kbps(life avg) Group: 224.2.201.241, ACM 97...
  • Page 344: Displaying Ip Mfib

    Group: 224.2.201.241, Source count: 36, Group pkt count: 54152
      RP-tree: 7/0/108/0
      Source: 13.242.36.83/32, 99/0/123/0
      Source: 36.29.1.3/32, 71/0/110/0
      Source: 128.9.160.96/32, 505/1/106/0
      Source: 128.32.163.170/32, 661/1/88/0
      Source: 128.115.31.26/32, 192/0/118/0
      Source: 128.146.111.45/32, 500/0/87/0
      Source: 128.183.33.134/32, 248/0/119/0
      Source: 128.195.7.62/32, 527/0/118/0
      Source: 128.223.32.25/32, 554/0/105/0...
  • Page 345: Displaying Ip Mfib Fast Drop

    The following is sample output from the show ip mfib command.
    IP Multicast Forwarding Information Base
    Entry Flags: C - Directly Connected, S - Signal, IC - Internal Copy
    Interface Flags: A - Accept, F - Forward, S - Signal, NP - Not platform switched
    Packets: Fast/Partial/Slow  Bytes: Fast/Partial/Slow:...
  • Page 346: Displaying Pim Statistics

    Displaying PIM Statistics. The following is sample output from the show ip pim interface command:
    Switch# show ip pim interface
    Address      Interface  Mode   Neighbor Count  Query Interval
    198.92.37.6  Ethernet0  Dense  ...
  • Page 347: Configuration Examples

    Configuration Examples. The following sections provide IP multicast routing configuration examples: • PIM Dense Mode Example, page 25-21 • PIM Sparse Mode Example, page 25-21 • BSR Configuration Example, page 25-21. PIM Dense Mode Example: This example is a configuration of dense-mode PIM on an Ethernet interface: ip multicast-routing...
  • Page 349: Chapter 26 Configuring Policy-Based Routing

    • Policy-Based Routing Configuration Task List, page 26-3 • Policy-Based Routing Configuration Examples, page 26-5. Note: For a complete description of the PBR commands in this chapter, refer to the Cisco IOS Quality of Service Solutions Command Reference at: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123tcr/123tqr/...
  • Page 350: Understanding Pbr

    PBR allows you to perform the following tasks: • Classify traffic based on extended access list criteria. Access lists then establish the match criteria. • Route packets to specific traffic-engineered paths. Policies can be based on IP address, port numbers, or protocols.
  • Page 351: Policy-Based Routing Configuration Task List

    Policy-Based Routing Configuration Task List. To configure PBR, perform the tasks described in the following sections. The task in the first section is required; the tasks in the remaining sections are optional. See the end of this chapter for the section "Policy-Based Routing Configuration Examples."...
  • Page 352 Step 3 Specifies the action or actions to take on the packets that match the criteria. You can specify any or all of the following: • Specifies the next hop for which to route the packet (the...
  • Page 353: Enabling Local Pbr

    Use the show ip local policy command to display the route map used for local PBR, if one exists. Unsupported Commands The following PBR commands in config-route-map mode are in the CLI but not supported in Cisco IOS for the Catalyst 4500 series switches. If you attempt to use these commands, an error message displays.
  • Page 354: Differing Next Hops Example

    route-map equal-access permit 10
     match ip address 1
     set ip default next-hop 6.6.6.6
    route-map equal-access permit 20
     match ip address 2
     set ip default next-hop 7.7.7.7
    route-map equal-access permit 30
     set default interface null0
    Note: If the packets you want to drop do not match either of the first two route-map clauses, then change set default interface null0 to set interface null0.
  • Page 355: Chapter 27 Understanding And Configuring Vtp

    Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Overview of VTP. VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs within a VTP domain.
  • Page 356: Understanding The Vtp Domain

    • Understanding VTP Version 2, page 27-3 • Understanding VTP Pruning, page 27-3. Understanding the VTP Domain: A VTP domain is made up of one or more interconnected network devices that share the same VTP domain name.
  • Page 357: Understanding Vtp Advertisements

    Understanding VTP Advertisements. Each network device in the VTP domain sends periodic advertisements out each trunking LAN interface to a reserved multicast address. VTP advertisements are received by neighboring network devices, which update their VTP and VLAN configurations as necessary.
  • Page 358 Chapter 27 Understanding and Configuring VTP Overview of VTP For VTP pruning to be effective, all devices in the management domain must either support VTP pruning or, on devices that do not support VTP pruning, you must manually configure the VLANs allowed on trunks.
  • Page 359: Vtp Configuration Guidelines And Restrictions

    Enabling VTP pruning on a VTP server enables pruning for the entire management domain. VTP pruning takes effect several seconds after you enable it. By default, VLANs 2 through 1000 are eligible for pruning.
  • Page 360: Configuring Vtp

    Configuring VTP. The following sections describe how to configure VTP: • Configuring VTP Global Parameters, page 27-6 • Configuring the Switch as a VTP Server, page 27-7 • Configuring the Switch as a VTP Client, page 27-8 • ...
  • Page 361: Configuring The Switch As A Vtp Server

    This example shows how to enable VTP pruning in the management domain:
    Switch# vtp pruning
    Pruning switched ON
    This example shows how to verify the configuration:
    Switch# show vtp status | include Pruning
    VTP Pruning Mode : Enabled
    Switch#...
  • Page 362: Configuring The Switch As A Vtp Client

    Step 4  Switch(config)# end  Exits VLAN configuration mode.
    Step 5  Switch# show vtp status  Verifies the configuration.
    This example shows how to configure the switch as a VTP server:
    Switch# configure terminal
    Switch(config)# vtp mode server
    Setting device to VTP SERVER mode.
  • Page 363: Disabling Vtp (Vtp Transparent Mode)

    This example shows how to verify the configuration:
    Switch# show vtp status
    VTP Version
    Configuration Revision           : 247
    Maximum VLANs supported locally  : 1005
    Number of existing VLANs         : 33
    VTP Operating Mode               : Client
    VTP Domain Name                  : Lab_Network...
  • Page 364: Displaying Vtp Statistics

    Displaying VTP Statistics. To display VTP statistics, including VTP advertisements sent and received and VTP errors, perform this task: Switch# show vtp counters  Displays VTP statistics. This example shows how to display VTP statistics:
    Switch# show vtp counters
    VTP statistics:
    Summary advertisements received...
  • Page 365: Chapter 28 Configuring Vrf-Lite

    Note: The switch does not use Multiprotocol Label Switching (MPLS) to support VPNs. For information about MPLS VRF, refer to the Cisco IOS Switching Services Configuration Guide for Release 12.3 at: http://www.cisco.com/univerd/cc/td/doc/product/software/ios123/123cgcr/swit_vcg.htm This chapter includes these topics: • Understanding VRF-lite, page 28-2 ...
  • Page 366: Understanding Vrf-Lite

    Understanding VRF-lite. VRF-lite is a feature that enables a service provider to support two or more VPNs, where IP addresses can be overlapped among the VPNs. VRF-lite uses input interfaces to distinguish routes for different VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF.
  • Page 367: Default Vrf-Lite Configuration

    This is the packet-forwarding process in a VRF-lite CE-enabled network as shown in Figure 28-1: • When the CE receives a packet from a VPN, it looks up the routing table based on the input interface. ...
  • Page 368: Vrf-Lite Configuration Guidelines

    VRF-lite Configuration Guidelines. Consider these points when configuring VRF in your network: • A switch with VRF-lite is shared by multiple customers, and all customers have their own routing tables. • Because customers use different VRF tables, the same IP addresses can be reused. Overlapped IP addresses are allowed in different VPNs.
  • Page 369: Configuring Vrfs

    Note: For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference for Release 12.2. Use the no ip vrf vrf-name global configuration command to delete a VRF and to remove all interfaces from it.
  • Page 370: Configuring Bgp Pe To Ce Routing Sessions

    To configure OSPF in the VPN, perform this task:
    Step 1  Switch# configure terminal  Enters global configuration mode.
    Step 2  Switch(config)# router ospf process-id vrf vrf-name  Enables OSPF routing, specifies a VPN forwarding table, and enters router configuration mode.
  • Page 371: Vrf-Lite Configuration Example

    Step 10  Switch# show ip bgp ipv4 neighbors  Verifies BGP configuration.
    Step 11  Switch# copy running-config startup-config  (Optional) Saves your entries in the configuration file.
    Use the no router bgp autonomous-system-number global configuration command to delete the BGP routing process.
  • Page 372: Configuring Switch S8

    Configuring Switch S8. On switch S8, enable routing and configure VRF.
    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# ip routing
    Switch(config)# ip vrf v11
    Switch(config-vrf)# rd 800:1
    Switch(config-vrf)# route-target export 800:1
    Switch(config-vrf)# route-target import 800:1
    Switch(config-vrf)# exit...
  • Page 373: Configuring Switch S20

    Switch(config)# interface Vlan118
    Switch(config-if)# ip vrf forwarding v12
    Switch(config-if)# ip address 118.0.0.8 255.255.255.0
    Switch(config-if)# exit
    Switch(config)# interface Vlan208
    Switch(config-if)# ip vrf forwarding v11
    Switch(config-if)# ip address 208.0.0.8 255.255.255.0
    Switch(config-if)# exit
    Configure OSPF routing in VPN1 and VPN2 (the OSPF process must reference the VRF name exactly as defined, v11):
    Switch(config)# router ospf 1 vrf v11
    Switch(config-router)# redistribute bgp 800 subnets
    Switch(config-router)# network 208.0.0.0 0.0.0.255 area 0...
  • Page 374: Configuring Switch S11

    Configuring Switch S11. Configure S11 to connect to CE:
    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# ip routing
    Switch(config)# interface gigabitethernet 0/3
    Switch(config-if)# switchport trunk encapsulation dot1q
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# no ip address
    Switch(config-if)# exit...
  • Page 375: Displaying Vrf-Lite Status

    Switch# show ip vrf [brief | detail | interfaces] [vrf-name]  Displays information about the defined VRF instances. Note: For more information about the information in the displays, refer to the Cisco IOS Switching Services Command Reference for Release 12.2 at: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fswtch_r
  • Page 377: Chapter 29 Configuring Qos

    Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Overview of QoS. Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner.
  • Page 378: Prioritization

    Prioritization. The QoS implementation for this release is based on the DiffServ architecture, an emerging standard from the Internet Engineering Task Force (IETF). This architecture specifies that each packet is classified upon entry into the network. The classification is carried in the IP packet header, using 6 bits from the deprecated IP type of service (TOS) field to carry the classification (class) information.
  • Page 379: Qos Terminology

    All switches and routers across the Internet rely on the class information to provide the same forwarding treatment to packets with the same class information and different treatment to packets with different class information. The class information in the packet can be assigned by end hosts or by switches or routers along the way, based on a configured policy, detailed examination of the packet, or both.
  • Page 380 Table 29-1 IP Precedence and DSCP Values (column headings, repeated for two side-by-side halves of the table: 3-bit IP Precedence; 6 MSb of ToS, bits 8 7 6 5 4 3; 6-bit DSCP) ...
  • Page 381: Basic Qos Model

    Basic QoS Model. Figure 29-2 shows the basic QoS model. Actions at the ingress and egress interfaces include classifying traffic, policing, and marking: • Classifying distinguishes one kind of traffic from another. The process generates an internal DSCP ...
  • Page 382 For non-IP traffic, you have the following classification options: • Use the port default. If the packet is a non-IP packet, assign the default port DSCP value to the incoming packet. • Trust the CoS value in the incoming frame (configure the port to trust CoS). Then use the configurable CoS-to-DSCP map to generate the internal DSCP value.
  • Page 383 Figure 29-3 Classification Flowchart (flowchart steps and decisions: Start; Read interface configuration for classification; Is there a QoS policy attached to this interface?; Are there any more traffic classes with actions?; Does the packet satisfy the classification match criteria?; Does the policy action...)
  • Page 384 Classification Based on QoS ACLs. A packet can be classified for QoS using multiple match criteria, and the classification can specify whether the packet should match all of the specified match criteria or at least one of the match criteria. To define a QoS classifier, you can provide the match criteria using the match statements in a class map.
  • Page 385: Policing And Marking

    You create a class map by using the class-map global configuration command. When you enter the class-map command, the switch enters the class-map configuration mode. In this mode, you define the match criteria for the traffic by using the match class-map configuration command. You create and name a policy map by using the policy-map global configuration command.
  • Page 386 When configuring policing and policers, keep these items in mind: • For IP packets, only the length of the IP payload (the total length field in the IP header) is used by the policer for policing computation. The Layer 2 header and trailer length are not taken into account.
  • Page 387 Figure 29-4 Policing and Marking Flowchart (flowchart steps and decisions: Start; Is there a QoS Policy attached to the port?; Is the port QoS VLAN-based?; Is there a QoS Policy attached to the VLAN to which the...; Is there a QoS Policy attached to the VLAN to which the...)
  • Page 388 Internal DSCP Values. The following sections describe the internal DSCP values: • Internal DSCP Sources, page 29-12 • Egress ToS and CoS Sources, page 29-12. Internal DSCP Sources: During processing, QoS represents the priority of all traffic (including non-IP traffic) with an internal DSCP value.
  • Page 389: Mapping Tables

    Mapping Tables. During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with an internal DSCP value: • During classification, QoS uses configurable mapping tables to derive the internal DSCP (a 6-bit ...
  • Page 390 Sharing Link Bandwidth Among Transmit Queues. The four transmit queues for a transmit port share the available link bandwidth of that transmit port. You can set the link bandwidth to be shared differently among the transmit queues using the bandwidth command in interface transmit queue configuration mode.
  • Page 391: Packet Modification

    The Catalyst 4500 platform does not apply the QoS marking or policing configuration for any packets that are forwarded or generated by the Cisco IOS software. This means that any input or output QoS policy configured on the port or VLAN is not applied to packets if the Cisco IOS is forwarding or generating packets.
  • Page 392: Configuring Auto-Qos

    Layer 2. (The classification is set to trust DSCP if the interface is configured as Layer 3.) When a Cisco IP phone is absent, the ingress classification is set to not trust the cos label in the packet.
  • Page 393: Effects Of Auto-Qos On The Configuration

    Configuration Guidelines. Before configuring auto-QoS, you should be aware of this information: • In this release, auto-QoS configures the switch only for VoIP with Cisco IP phones. • To take advantage of the auto-QoS defaults, do not configure any standard-QoS commands before ...
  • Page 394: Enabling Auto-Qos For Voip

    This example shows how to enable auto-QoS and to trust the CoS labels in incoming packets when the device connected to Fast Ethernet interface 1/1 is detected as a Cisco IP phone:
    Switch(config)# interface fastethernet1/1
    Switch(config-if)# auto qos voip cisco-phone...
  • Page 395: Displaying Auto-Qos Information

    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# interface gigabitethernet1/1
    Switch(config-if)# auto qos voip cisco-phone
    Displaying Auto-QoS Information. To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command.
  • Page 396: Auto-Qos Configuration Example

    (Figure 29-5 labels, one set per wiring closet: Fast Ethernet 2/3; QoS domain; Cisco IP phones.) The intelligent wiring closets in Figure 29-5 are composed of Catalyst 4500 switches. The object of this example is to prioritize the VoIP traffic over all other traffic. To do so, enable auto-QoS on the switches at the edge of the QoS domains in the wiring closets.
  • Page 397 Step 5  Switch(config-if)# auto qos voip cisco-phone  Enables auto-QoS on the interface, and specifies that the interface is connected to a Cisco IP phone. The CoS labels of incoming packets are trusted only when the IP phone is detected. Step 6 Enters interface configuration mode.
  • Page 398: Configuring Qos

    Configuring QoS. Before configuring QoS, you must have a thorough understanding of these items: • The types of applications used and the traffic patterns on your network. • Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reserve ...
  • Page 399 Table 29-3 QoS Default Configuration (continued)
    Feature: CoS to DSCP map (DSCP set from CoS values). Default value: CoS 0 = DSCP 0, CoS 1 = DSCP 8, CoS 2 = DSCP 16, CoS 3 = DSCP 24, CoS 4 = DSCP 32, CoS 5 = DSCP 40, CoS 6 = DSCP 48...
  • Page 400: Configuration Guidelines

    QoS is enabled globally
    Switch#
    Configuring a Trusted Boundary to Ensure Port Security. In a typical network, you connect a Cisco IP phone to a switch port as discussed in Chapter 30, "Configuring Voice Interfaces." Traffic sent from the telephone to the switch is typically marked with a tag that uses the 802.1Q header.
  • Page 401 The trusted boundary feature solves this problem by using the CDP to detect the presence of a Cisco IP phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If CDP is not running on the switch globally or on the port in question, trusted boundary will not work.
  • Page 402: Enabling Dynamic Buffer Limiting

    Enabling Dynamic Buffer Limiting. To enable DBL globally on the switch, perform this task:
    Step 1  Switch(config)# qos dbl  Enables DBL on the switch. Use the no qos dbl command to disable AQM.
    Step 2  Exits configuration mode.
  • Page 403 In effect, if you apply a single aggregate policer to ports and VLANs in different directions, then you have created the equivalent of four aggregate policers; one for all ports sharing the policer in input direction, one for all ports sharing the policer in output direction, one for all VLANs sharing the policer in input direction and one for all VLANs sharing the policer in output direction.
  • Page 404: Configuring A Qos Policy

    This example shows how to create a named aggregate policer with a 10 Mbps rate limit and a 1-MB burst size that transmits conforming traffic and marks down out-of-profile traffic. Switch(config)# qos aggregate-policer aggr-1 10000000 1000000 conform-action transmit exceed-action policed-dscp-transmit Switch(config)# end Switch#...
  • Page 405 • policy-map—Enter the policy-map command to define the following for each class of traffic: – Internal DSCP source – Aggregate or individual policing and marking • service-policy—Enter the service-policy command to attach a policy map to an interface. Configuring a Class Map (Optional) The following subsections describe class map configuration: Creating a Class Map, page 29-29...
  • Page 406: Configuring A Policy Map

    Note: Any input or output policy that uses a class map with the match ip precedence or match ip dscp class-map commands requires that the port on which the packet is received be configured to trust dscp. If the incoming port trust state is not set to trust dscp, the IP packet DSCP/IP-precedence is not used for matching the traffic;...
  • Page 407 Creating a Policy Map To create a policy map, perform this task: Command Purpose Switch(config)# [no] policy-map policy_name Creates a policy map with a user-specified name. Use the no keyword to delete the policy map. Configuring Policy-Map Class Actions These sections describe policy-map class action configuration: •...
  • Page 408 When configuring the policy-map class DBL state, note the following: • Any class that uses a named aggregate policer must have the same DBL configuration to work. Configuring Policy-Map Class Policing These sections describe configuration of policy-map class policing: • Using a Named Aggregate Policer, page 29-32...
  • Page 409 The valid range of values for the burst parameter is as follows: – Minimum—1 kilobyte – Maximum—512 megabytes • Bursts can be entered in bytes, or you can use the following abbreviation: – k to denote 1000 bytes...
  • Page 410 This example shows how to verify the configuration: Switch# show policy-map ipp5-policy show policy ipp5-policy Policy Map ipp5-policy class ipp5 set ip precedence 6 police 2000000000 2000000 conform-action transmit exceed-action policed-dscp-transmit Switch# Attaching a Policy Map to an Interface To attach a policy map to an interface, perform this task: Command Purpose...
  • Page 411: Configuring User Based Rate Limiting

    Configuring User Based Rate Limiting The User Based Rate Limiting (UBRL) feature adopts microflow policing to dynamically learn traffic flows and rate limit each unique flow to an individual rate. A flow is defined as a five-tuple (IP source address, IP destination address, IP header protocol field, Layer 4 source and destination ports).
  • Page 412 Assume there are two active flows on the Fast Ethernet interface 6/1 with source addresses 192.168.10.20 and 192.168.10.21. The following example shows how to maintain each flow at 1 Mbps with an allowed burst value of 9000 bytes: Switch# conf t Enter configuration commands, one per line.
  • Page 413 Class-map: c1 (match-all) 2965072 packets Match: flow ip destination-address police: Per-interface Conform: 6105636 bytes Exceed: 476652528 bytes Class-map: class-default (match-any) 0 packets Match: any 0 packets Hierarchical policers You can tie flow policers with the existing policers to create dual policing rates on an interface. For example, using dual policing, you can limit all incoming traffic rates on a given interface to 50 Mbps and can limit the rate of each flow that is part of this traffic to 2 Mbps.
  • Page 414 The following example shows the configuration for this scenario: class-map match-all flow-class match flow ip source-address match access-group 20 class-map match-all aggregate-class match access-group 10 policy-map flow-policy class flow-class police 2000000 bps 10000 byte conform-action transmit exceed-action drop policy-map aggregate-policy class aggregate-class police 50000000 bps 40000 byte conform-action transmit exceed-action drop...
  • Page 415: Enabling Or Disabling Qos On An Interface

    Enabling or Disabling QoS on an Interface The qos interface command reenables any previously configured QoS features. The qos interface command does not affect the interface queueing configuration. To enable or disable QoS features for traffic from an interface, perform this task: Command Purpose Step 1...
  • Page 416: Configuring The Trust State Of Interfaces

    Note: If no input QoS policy is attached to a Layer 2 interface, then the input QoS policy attached to the VLAN (on which the packet is received), if any, is used even if the port is not configured as VLAN-based. If you do not want this default, attach a placeholder input QoS policy to the Layer 2 interface.
  • Page 417: Configuring The Cos Value For An Interface

    When configuring the trust state of an interface, note the following: • You can use the no qos trust command to set the interface state to untrusted. • For traffic received on an ingress interface configured to trust CoS using the qos trust cos command, the transmit CoS is always the incoming packet CoS (or the ingress interface default CoS if the packet is received untagged).
  • Page 418: Configuring Dscp Values For An Interface

    This example shows how to verify the configuration: Switch# show qos interface fastethernet 5/24 | include Default COS Default COS is 5 Switch# Configuring DSCP Values for an Interface QoS assigns the DSCP value specified with this command to non IPv4 frames received on interfaces configured to trust DSCP and to all frames received on interfaces configured as untrusted.
  • Page 419: Configuring Transmit Queues

    Configuring Transmit Queues The following sections describe how to configure the transmit queues: • Mapping DSCP Values to Specific Transmit Queues, page 29-43 • Allocating Bandwidth Among Transmit Queues, page 29-44 • Configuring Traffic Shaping of Transmit Queues, page 29-44 • Configuring a High Priority Transmit Queue, page 29-45...
  • Page 420 Allocating Bandwidth Among Transmit Queues To configure the transmit queue bandwidth, perform this task: Command Purpose Step 1 Switch(config)# interface gigabitethernet slot/interface Selects the interface to configure. Step 2 Switch(config-if)# tx-queue queue_id Selects the transmit queue to configure. Step 3 Sets the bandwidth rate for the transmit queue.
  • Page 421: Configuring Dscp Maps

    Command Purpose Step 4 Switch(config-if-tx-queue)# end Exits configuration mode. Step 5 Switch# show qos interface Verifies the configuration. This example shows how to configure the shape rate to 1 Mbps on transmit queue 2. Switch# configure terminal Enter configuration commands, one per line.
  • Page 422 Configuring the CoS-to-DSCP Map You use the CoS-to-DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 29-4 shows the default CoS-to-DSCP map. Table 29-4 Default CoS-to-DSCP Map CoS value DSCP value...
  • Page 423 To modify the CoS-to-DSCP map, perform this task: Command Purpose Step 1 Switch# configure terminal Enters global configuration mode. Step 2 Switch(config)# qos map dscp policed dscp-list to dscp mark-down-dscp Modifies the policed-DSCP map. •...
  • Page 424 To modify the DSCP-to-CoS map, perform this task: Command Purpose Step 1 Switch# configure terminal Enters global configuration mode. Step 2 Switch(config)# qos map dscp dscp-list to cos cos Modifies the DSCP-to-CoS map. • For dscp-list, enter up to 8 DSCP values separated by spaces.
  • Page 425: Chapter 30 Configuring Voice Interfaces

    QoS. You can configure the Cisco 7960 IP phone to forward traffic with an 802.1p priority. You can use the CLI to configure a Catalyst 4500 series switch to honor or ignore a traffic priority assigned by a Cisco 7960 IP phone.
  • Page 426: Configuring A Port To Connect To A Cisco 7960 Ip Phone

    Configuring a Port to Connect to a Cisco 7960 IP Phone Because a Cisco 7960 IP phone also supports connection to a PC or another device, an interface connecting a Catalyst 4500 series switch to a Cisco 7960 IP phone can carry a mix of voice and data traffic.
  • Page 427: Overriding The Cos Priority Of Incoming Frames

    Overriding the CoS Priority of Incoming Frames A PC or another data device can connect to a Cisco 7960 IP phone port. The PC can generate packets with an assigned CoS value. You can also use the switch CLI to override the priority of frames arriving on the phone port from connected devices, and you can set the phone port to accept (trust) the priority of frames arriving on the port.
  • Page 428: Configuring Inline Power

    The Catalyst 4500 series switch senses if it is connected to a Cisco 7960 IP phone. The Catalyst 4500 series switch can supply inline power to the Cisco 7960 IP phone if there is no power on the circuit. The Cisco 7960 IP phone can also be connected to an AC power source and supply its own power to the voice circuit.
  • Page 429: Chapter 31 Understanding And Configuring 802.1X Port-Based Authentication

    Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Understanding 802.1X Port-Based Authentication To configure 802.1X port-based authentication, you need to understand the concepts in these sections: • Device Roles, page 31-2...
  • Page 430: Device Roles

    Cisco devices that are capable of functioning as an 802.1X network access point include Catalyst 4500 series switches, the Catalyst 3550 multilayer switch, the Catalyst 2950 switch, and a Cisco Aironet series wireless access point. These devices must be running software that supports the RADIUS client and 802.1X.
  • Page 431: Authentication Initiation And Message Exchange

    LAN and switch services. (The only supported authentication server is the RADIUS authentication server with EAP extensions; it is available in Cisco Secure Access Control Server version 3.2 and later.) Authentication Initiation and Message Exchange The switch or the client can initiate authentication.
  • Page 432: Ports In Authorized And Unauthorized States

    Chapter 31 Understanding and Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication Figure 31-2 Message Exchange (client workstation, Catalyst 4500 switch as authenticator, RADIUS server): EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, RADIUS Access-Request, EAP-Request/OTP, RADIUS Access-Challenge, EAP-Response/OTP, RADIUS Access-Request, EAP-Success, RADIUS Access-Accept, Port Authorized, EAPOL-Logoff, Port Unauthorized...
  • Page 433: Using 802.1X With Vlan Assignment

    • auto—Enables 802.1X authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received.
  • Page 434: Using 802.1X Authentication For Guest Vlans

    • Assign vendor-specific tunnel attributes in the RADIUS server. To ensure proper VLAN assignment, the RADIUS server must return these attributes to the switch: – Tunnel-Type = VLAN –...
  • Page 435: 802.1X Radius Accounting

    These examples describe the interaction between 802.1X and port security on the switch: • When a client is authenticated, and the port security table is not full, the client’s MAC address is...
  • Page 436 Figure 31-3 Radius Accounting (client workstation, Catalyst 4500 switch, RADIUS server): EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, RADIUS Access-Request, EAP-Request/OTP, RADIUS Access-Challenge, EAP-Response/OTP, RADIUS Access-Request, EAP-Success, RADIUS Access-Accept, Port Authorized, RADIUS Account-Request (start), RADIUS Account-Response, EAPOL-Logoff...
  • Page 437 When the port state transitions between authorized and unauthorized, the RADIUS messages are transmitted to the RADIUS server. The switch does not log any accounting information. Instead, it sends such information to the RADIUS server, which must be configured to log accounting messages.
  • Page 438: Using 802.1X With Voice Vlan Ports

    802.1X port security works with the 802.1X voice VLAN port feature and is configured per port. Three secure addresses must be configured: one for the Cisco IP phone MAC address on the VVID, one for the PC MAC-address on PVID, and a third to allow the Cisco IP phone MAC address on the PVID.
  • Page 439: How To Configure 802.1X

    Figure 31-4 illustrates 802.1X port-based authentication in a wireless LAN. You must configure the 802.1X port as a multiple-host port that is authorized as a wireless access point once the client is authenticated.
  • Page 440: Default 802.1X Configuration

    Default 802.1X Configuration Table 31-1 shows the default 802.1X configuration. Table 31-1 Default 802.1X Configuration: Feature / Default Setting. Authentication, authorization, and accounting (AAA): Disabled. RADIUS server: • IP address •...
  • Page 441: 802.1X Configuration Guidelines

    AAA commands. For information on how to configure AAA, refer to “Enabling 802.1X Authentication” on page 13 and “Enabling 802.1X Accounting” on page 16. Alternatively, you can refer to the Cisco IOS security documentation. Refer to the following Cisco IOS security documentation for information on how to configure AAA system accounting: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm •...
  • Page 442 To configure 802.1X port-based authentication, perform this task: Command Purpose Step 1 Switch# configure terminal Enters global configuration mode. Step 2 Switch(config)# [no] dot1x system-auth-control Enables the 802.1X feature on your switch. Step 3...
  • Page 443: Configuring Switch-To-Radius-Server Communication

    This example shows how to enable AAA and 802.1X on Fast Ethernet port 2/1: Switch# configure terminal Switch(config)# dot1x system-auth-control Switch(config)# aaa new-model Switch(config)# aaa authentication dot1x default group radius Switch(config)# interface fastethernet2/1 Switch(config-if)# dot1x port-control auto Switch(config-if)# end...
  • Page 444: Enabling 802.1X Accounting

    You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. Refer to the following Cisco IOS security documentation for information on how to configure AAA system accounting: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm...
  • Page 445: Configuring 802.1X With Guest Vlans

    This example shows how to configure 802.1X accounting. The first command configures the RADIUS server, specifying 1813 as the UDP port for accounting: Switch(config)# radius-server host 172.120.39.46 auth-port 1812 acct-port 1813 key rad123 Switch(config)# aaa accounting dot1x default start-stop group radius Switch(config)# aaa accounting system default start-stop group radius You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and...
  • Page 446: Configuring 802.1X With Voice Vlan

    Configuring 802.1X with Voice VLAN To enable the 802.1X with voice VLAN feature, perform this task: Command Purpose Step 1 Switch# configure terminal Enters global configuration mode. Step 2 Enters interface configuration mode.
  • Page 447: Manually Reauthenticating A Client Connected To A Port

    Command Purpose Step 3 Switch(config-if)# dot1x re-authentication Enables periodic reauthentication of the client, which is disabled by default. Step 4 Switch(config)# dot1x timeout reauth-period seconds Specifies the number of seconds between reauthentication attempts. The range is 1 to 65,535;...
  • Page 448: Changing The Switch-To-Client Retransmission Time

    Command Purpose Step 3 Switch(config)# dot1x timeout quiet-period seconds Sets the number of seconds that the switch remains in the quiet period following a failed authentication exchange with the client. The range is 0 to 65,535 seconds;...
  • Page 449: Setting The Switch-To-Client Frame-Retransmission Number

    Setting the Switch-to-Client Frame-Retransmission Number In addition to changing the switch-to-client retransmission times, you can change the number of times that the switch sends EAP-Request/Identity and other EAP-Request frames to the client before restarting the authentication process.
  • Page 450: Resetting The 802.1X Configuration To The Default Values

    To allow multiple hosts (clients) on an 802.1X-authorized port that has the dot1x port-control interface configuration command set to auto, perform this task: Command Purpose Step 1 Enters global configuration mode.
  • Page 451: Chapter 32 Configuring Port Security

    Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. This chapter consists of these sections: • Overview of Port Security, page 32-1...
  • Page 452 Chapter 32 Configuring Port Security Overview of Port Security Note: If the port shuts down, all dynamically learned addresses are removed. • You can configure MAC addresses to be sticky. These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts.
  • Page 453: Default Port Security Configuration

    Default Port Security Configuration Table 32-1 shows the default port security configuration for an interface. Table 32-1 Default Port Security Configuration: Feature / Default Setting. Port security: Disabled on a port. Maximum number of secure MAC addresses Violation mode: Shutdown.
  • Page 454: Configuring Port Security On An Interface

    Configuring Port Security on an Interface To restrict traffic through a port by limiting and identifying MAC addresses of the stations allowed to access the port, perform this task: Command Purpose Step 1 Switch(config)# interface interface_id Enters interface configuration mode and enters the physical interface to configure, for example...
  • Page 455 • To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. • To return the interface to the default number of secure MAC addresses, use the no switchport...
  • Page 456: Configuring Port Security Aging

    Switch#show port address Secure Mac Address Table ------------------------------------------------------------------------ Vlan Mac Address Type Ports Remaining Age (mins) ---- ----------- ---- ----- ------------- 0000.0000.0001 SecureSticky Fa5/1 0000.0000.0002 SecureSticky Fa5/1 0000.0000.0003 SecureConfigured Fa5/1 ------------------------------------------------------------------------ Total Addresses in System (excluding one mac per port) Max Addresses limit in System (excluding one mac per port) : 1024 Configuring Port Security Aging You can use port security aging to set the aging time and aging type for all secure addresses on a port.
  • Page 457: Displaying Port Security Settings

    This example shows how to set the aging time as 2 minutes: Switch(config-if)# switchport port-security aging time 2 You can verify the previous commands by entering the show port-security interface interface_id command.
  • Page 458 This example displays output from the show port-security command for a specified interface: Switch# show port-security interface fastethernet 5/1 Port Security : Enabled Port Status : Secure-up Violation Mode : Shutdown Aging Time : 0 mins Aging Type...
  • Page 459: Chapter 33 Configuring Dhcp Snooping And Ip Source Guard

    Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Overview of DHCP Snooping DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table.
  • Page 460: Overview Of The Dhcp Snooping Database Agent

    Chapter 33 Configuring DHCP Snooping and IP Source Guard Overview of DHCP Snooping Note: In order to enable DHCP snooping on a VLAN, you must enable DHCP snooping on the switch. You can configure DHCP snooping for switches and VLANs. When you enable DHCP snooping on a switch, the interface acts as a Layer 2 bridge, intercepting and safeguarding DHCP messages going to a Layer 2 VLAN.
  • Page 461: Configuring Dhcp Snooping On The Switch

    • Enabling the DHCP Snooping Database Agent, page 33-6 • Configuration Examples for the Database Agent, page 33-6 Note: For DHCP server configuration information, refer to “Configuring DHCP” in the Cisco IOS IP and IP Routing Configuration Guide at: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ip_c/ipcprt1/1cddhcp.htm Default Configuration for DHCP Snooping DHCP snooping is disabled by default.
  • Page 462: Enabling Dhcp Snooping

    Switch# show ip dhcp snooping Cisco recommends not configuring the untrusted interface rate limit to more than 100 packets per second. The recommended rate limit for each untrusted client is 15 packets per second. Normally, the rate limit applies to untrusted interfaces. If you want to set up rate limiting for trusted interfaces, keep in mind that trusted interfaces aggregate all DHCP traffic in the switch, and you will need to adjust the rate limit to a higher value.
  • Page 463: Enabling Dhcp Snooping On Private Vlan

    Switch(config)# end Switch# show ip dhcp snooping Switch DHCP snooping is enabled. DHCP Snooping is configured on the following VLANs: 10-100 Insertion of option 82 information is enabled. Interface Trusted Rate limit (pps)
  • Page 464: Enabling The Dhcp Snooping Database Agent

    Enabling the DHCP Snooping Database Agent To configure the database agent, perform one or more of the following tasks: Command Purpose Switch(config)# ip dhcp snooping database { url | write-delay seconds | timeout seconds } (Required) Configures a URL for the database agent (or file) and the related timeout values.
  • Page 465 Agent Running : No Delay Timer Expiry : 7 (00:00:07) Abort Timer Expiry : Not Running Last Succeded Time : None Last Failed Time : 17:14:25 UTC Sat Jul 7 2001 Last Failed Reason : Unable to access URL.
  • Page 466 The switch maintains two sets of counters for these ignored bindings. One provides the counters for a read that has at least one binding ignored by at least one of these conditions. These counters are shown as the “Last ignored bindings counters.”...
  • Page 467: Displaying Dhcp Snooping Information

    Last Succeded Time : 15:24:34 UTC Sun Jul 8 2001 Last Failed Time : None Last Failed Reason : No failure recorded. Total Attempts Startup Failures : Successful Transfers : Failed Transfers : Successful Reads...
  • Page 468: Displaying A Binding Table

    Displaying a Binding Table The DHCP snooping binding table for each switch contains binding entries that correspond to untrusted ports. The table does not contain information about hosts interconnected with a trusted port because each interconnected switch will have its own DHCP snooping binding table.
  • Page 469: Configuring Ip Source Guard On The Switch

    Note: If IP Source Guard is enabled on a trunk port with a large number of VLANs that have DHCP snooping enabled, you might run out of ACL hardware resources, and some packets might be switched in software instead.
  • Page 470: Configuring Ip Source Guard On Private Vlans

    Command Purpose Step 5 Switch(config-if)# switchport port-security limit rate invalid-source-mac N Enables security rate limiting for learned source MAC addresses on the port. Note: This limit only applies to the port where IP Source Guard is enabled as filtering both IP and MAC addresses.
  • Page 471: Displaying Ip Source Guard Information

    Displaying IP Source Guard Information You can display IP Source Guard PVACL information for all interfaces on a switch using the show ip verify source command. •...
  • Page 472: Displaying Ip Source Binding Information

    You can also use the show ip verify source command to display all interfaces on the switch that have IP source guard enabled: Interface Filter-type Filter-mode IP-address Mac-address Vlan...
  • Page 473: Chapter 34 Understanding And Configuring Dynamic Arp Inspection

    Configuring Dynamic ARP Inspection, page 34-5 Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Overview of Dynamic ARP Inspection Dynamic ARP Inspection (DAI) is a security feature that validates Address Resolution Protocol (ARP) packets in a network.
  • Page 474: Arp Cache Poisoning

    Chapter 34 Understanding and Configuring Dynamic ARP Inspection Overview of Dynamic ARP Inspection ARP Cache Poisoning You can attack hosts, switches, and routers connected to your Layer 2 network by “poisoning” their ARP caches. For example, a malicious user might intercept traffic intended for other hosts on the subnet by poisoning the ARP caches of systems connected to the subnet.
  • Page 475: Interface Trust State, Security Coverage And Network Configuration

    Interface Trust State, Security Coverage and Network Configuration DAI associates a trust state with each interface on the system. Packets arriving on trusted interfaces bypass all DAI validation checks, while those arriving on untrusted interfaces go through the DAI validation process.
  • Page 476: Relative Priority Of Static Bindings And Dhcp Snooping Entries

    Relative Priority of Static Bindings and DHCP Snooping Entries As mentioned previously, DAI populates its database of valid MAC address to IP address bindings through DHCP snooping. It also validates ARP packets against statically configured ARP ACLs. It is important to note that ARP ACLs have precedence over entries in the DHCP snooping database.
  • Page 477: Configuring Dynamic Arp Inspection

    Configuring Dynamic ARP Inspection This section includes these scenarios: • Scenario One: Two Switches Support Dynamic ARP Inspection, page 34-5 • Scenario Two: One Switch Supports Dynamic ARP Inspection, page 34-9...
  • Page 478 Step 3 Configure interface fa6/3 as trusted: S1# conf t Enter configuration commands, one per line. End with CNTL/Z. S1(config)# in fa6/3 S1(config-if)# ip arp inspection trust S1(config-if)# end S1# show ip arp inspection interfaces fastEthernet 6/3 Interface Trust State...
  • Page 479 Chapter 34 Understanding and Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection The statistics will display as follows: Vlan Forwarded Dropped DHCP Drops ACL Drops ---- --------- ------- ---------- ---------- Vlan DHCP Permits ACL Permits Source MAC Failures ---- ------------ ----------- ------------------- Vlan...
  • Page 480 Chapter 34 Understanding and Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Interface Trust State Rate (pps) --------------- ----------- ---------- Gi1/1 Untrusted Gi1/2 Untrusted Gi3/1 Untrusted Gi3/2 Untrusted Fa3/3 Trusted None Fa3/4 Untrusted Fa3/5 Untrusted Fa3/6 Untrusted Fa3/7 Untrusted <output truncated> Step 4 Verify the list of DHCP snooping bindings: S2# show ip dhcp snooping binding...
  • Page 481: Scenario Two: One Switch Supports Dynamic Arp Inspection

    Chapter 34 Understanding and Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection The statistics will display as follows: S2# show ip arp inspection statistics vlan 1 Vlan Forwarded Dropped DHCP Drops ACL Drops ---- --------- ------- ---------- ---------- Vlan DHCP Permits ACL Permits Source MAC Failures ----...
  • Page 482 Chapter 34 Understanding and Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Vlan ACL Logging DHCP Logging ---- ----------- ------------ Deny Deny Step 3 Establish the interface fa6/3 as untrusted, and verify the configuration: S1# conf t Enter configuration commands, one per line. End with CNTL/Z.
  • Page 483: Chapter 35 Configuring Network Security With Acls

    Catalyst 4500 series switches. Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. This chapter consists of the following major sections: • Understanding ACLs, page 35-1 ...
  • Page 484: Acl Overview

    • Router ACLs are applied to Layer 3 interfaces. They control the access of routed traffic between VLANs. All Catalyst 4500 series switches can create router ACLs, but you must have a Cisco IOS software image on your switch to apply an ACL to a Layer 3 interface and filter packets routed between VLANs.
  • Page 485: Router Acls

    Chapter 35 Configuring Network Security with ACLs Understanding ACLs You can apply only one IP access list and one MAC access list to a Layer 2 interface. • VLAN ACLs or VLAN maps control the access of all packets (bridged and routed). You can use ...
  • Page 486: Port Acls

    Chapter 35 Configuring Network Security with ACLs Understanding ACLs Figure 35-1 Using ACLs to Control Traffic to a Network Catalyst 4500 series switch Host A Host B Human Research & Resources Development network network = ACL denying traffic from Host B and permitting traffic from Host A = Packet Port ACLs...
  • Page 487: Vlan Maps

    Chapter 35 Configuring Network Security with ACLs Hardware and Software ACL Support VLAN Maps VLAN maps can control the access of all traffic in a VLAN. You can apply VLAN maps on the switch to all packets that are routed into or out of a VLAN or are bridged within a VLAN. Unlike router ACLs, VLAN maps are not defined by direction (input or output).
  • Page 488: Tcam Programming And Acls

    Chapter 35 Configuring Network Security with ACLs TCAM Programming and ACLs Note: Packets that require logging are processed in software. A copy of the packets is sent to the CPU for logging while the actual packets are forwarded in hardware so that non-logged packet processing is not impacted.
  • Page 489: Layer 4 Operators In Acls

    Chapter 35 Configuring Network Security with ACLs Layer 4 Operators in ACLs Switch# show platform hardware acl statistics utilization brief Entries/Total(%) Masks/Total(%) ----------------- --------------- Input Acl(PortAndVlan) 2016 / 4096 ( 49) 460 / 512 ( 89) Input Acl(PortOrVlan) 6 / 4096 ( 512 ( Input Qos(PortAndVlan)
  • Page 490: Restrictions For Layer 4 Operations

    Chapter 35 Configuring Network Security with ACLs Layer 4 Operators in ACLs Restrictions for Layer 4 Operations You can specify these operator types, each of which uses one Layer 4 operation in the hardware: • gt (greater than) • lt (less than) ...
  • Page 491: How Acl Processing Impacts Cpu

    Chapter 35 Configuring Network Security with ACLs Layer 4 Operators in ACLs Access lists 101 and 102 use the following Layer 4 operations: • Access list 101 Layer 4 operations: 5 – gt 10 permit and gt 10 deny both use the same operation because they are identical and both operate on the destination port.
  • Page 492 Chapter 35 Configuring Network Security with ACLs Layer 4 Operators in ACLs Access lists 104 and 105 are identical; established is shorthand for rst and ack. Access list 101, below, will be processed completely in software: access-list 101 permit tcp any any urg Because four source and two destination operations exist, access list 106, below, will be processed in hardware: access-list 106 permit tcp any range 100 120 any range 120 140...
  • Page 493: Configuring Unicast Mac Address Filtering

    Note: Named MAC extended ACLs cannot be applied to Layer 3 interfaces. For more information about the supported non-IP protocols in the mac access-list extended command, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference. To create a named MAC extended ACL, perform this task: Command...
  • Page 494: Configuring Vlan Maps

    Chapter 35 Configuring Network Security with ACLs Configuring VLAN Maps You can use the no mac access-list extended name global configuration command to delete the entire ACL. You can also delete individual ACEs from named MAC extended ACLs. This example shows how to create and display an access list named mac1, denying only EtherType DECnet Phase IV traffic, but permitting all other types of traffic.
  • Page 495: Vlan Map Configuration Guidelines

    Chapter 35 Configuring Network Security with ACLs Configuring VLAN Maps Note: You cannot apply a VLAN map to a VLAN on a switch that has ACLs applied to Layer 2 interfaces (port ACLs). VLAN Map Configuration Guidelines Keep the following guidelines in mind when configuring VLAN maps: VLAN maps do not filter IPv4 ARP packets.
  • Page 496: Examples Of Acls And Vlan Maps

    Chapter 35 Configuring Network Security with ACLs Configuring VLAN Maps Step 6 Switch(config)# show running-config. Purpose: Displays the access list configuration. Step 7 (Optional) Switch(config)# copy running-config startup-config. Purpose: Saves your entries in the configuration file. You can use the no vlan access-map name global configuration command to delete a map. You can use the no vlan access-map name number global configuration command to delete a single sequence entry from within the map.
  • Page 497 Chapter 35 Configuring Network Security with ACLs Configuring VLAN Maps Example 2 In this example, the VLAN map is configured to drop IP packets and to forward MAC packets by default. By applying standard ACL 101 and the extended named access lists igmp-match and tcp-match, the VLAN map is configured to do the following: • Forward all UDP packets ...
  • Page 498: Applying A Vlan Map To A Vlan

    Chapter 35 Configuring Network Security with ACLs Configuring VLAN Maps Example 4 In this example, the VLAN map is configured to drop all packets (IP and non-IP). By applying access lists tcp-match and good-hosts, the VLAN map is configured to do the following: • Forward all TCP packets ...
  • Page 499 Chapter 35 Configuring Network Security with ACLs Configuring VLAN Maps Figure 35-3 Wiring Closet Configuration Catalyst 4500 series switch Switch B Switch A Switch C VLAN map: Deny HTTP from X to Y HTTP is dropped at entry point Host X Host Y 10.1.1.32 10.1.1.34...
  • Page 500: Denying Access To A Server On Another Vlan

    Chapter 35 Configuring Network Security with ACLs Configuring VLAN Maps Denying Access to a Server on Another VLAN Figure 35-4 shows how to restrict access to a server on another VLAN. In this example, server 10.1.1.100 in VLAN 10 has the following access restrictions: Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access.
  • Page 501: Displaying Vlan Access Map Information

    Chapter 35 Configuring Network Security with ACLs Displaying VLAN Access Map Information Displaying VLAN Access Map Information To display information about VLAN access maps or VLAN filters, perform one of these tasks. Switch# show vlan access-map [mapname]. Purpose: Shows information about all VLAN access maps or the specified access map.
  • Page 502: Guidelines For Using Router Acls And Vlan Maps

    Chapter 35 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs Guidelines for Using Router ACLs and VLAN Maps Use these guidelines when you need to use a router ACL and a VLAN map on the same VLAN. Because the switch hardware performs one lookup for each direction (input and output), you must merge a router ACL and a VLAN map when they are configured on the same VLAN.
  • Page 503 Chapter 35 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs Figure 35-5 Applying ACLs on Switched Packets Catalyst 4500 series switch Input Output VLAN 10 router router VLAN 20 Frame Host A (VLAN 10) Routing function Host C (VLAN 10) VLAN 10 VLAN 20...
  • Page 504: Configuring Pacls

    Chapter 35 Configuring Network Security with ACLs Configuring PACLs Figure 35-6 Applying ACLs on Routed Packets Catalyst 4500 series switch Input Output VLAN 10 router router VLAN 20 Frame Host A Host B (VLAN 10) (VLAN 20) Routing function VLAN 10 VLAN 20 Packet Configuring PACLs...
  • Page 505: Pacl Configuration Guidelines

    • The access group mode can change the way PACLs interact with other ACLs. To maintain consistent behavior across Cisco platforms, use the default access group mode. Configuring IP and MAC ACLs on a Layer 2 Interface Only IP or MAC ACLs can be applied to Layer 2 physical interfaces. Standard (numbered, named) and Extended (numbered, named) IP ACLs, and Extended Named MAC ACLs are also supported.
  • Page 506: Using Pacl With Access-Group Mode

    Chapter 35 Configuring Network Security with ACLs Configuring PACLs The following example shows how to configure the Extended Named IP ACL simple-ip-acl to permit all TCP traffic and implicitly deny all other IP traffic: Switch(config)# ip access-list extended simple-ip-acl Switch(config-ext-nacl)# permit tcp any any Switch(config-ext-nacl)# end The following example shows how to configure the Extended Named MACL simple-mac-acl to permit source host 000.000.011 to any destination host:...
  • Page 507: Applying Acls To A Layer 2 Interface

    Chapter 35 Configuring Network Security with ACLs Configuring PACLs This example shows how to merge and apply features other than PACL on the interface: Switch# configure t Switch(config)# interface interface Switch(config-if)# access-group mode prefer port This example shows how to merge applicable ACL features before they are programmed into hardware: Switch# configure t Switch(config)# interface interface Switch(config-if)# access-group mode merge...
  • Page 508: Using Pacl With Vlan Maps And Router Acls

    Chapter 35 Configuring Network Security with ACLs Using PACL with VLAN Maps and Router ACLs This example shows that the IP access group simple-ip-acl is configured on the inbound direction of interface fa6/1: Switch# show ip interface fast 6/1 FastEthernet6/1 is up, line protocol is up Inbound access list is simple-ip-acl Outgoing access list is not set...
  • Page 509 Chapter 35 Configuring Network Security with ACLs Using PACL with VLAN Maps and Router ACLs Scenario 1: Host A is connected to an interface in VLAN 20, which has an SVI configured. The interface has input PACL configured, and the SVI has input Router ACL configured as shown in Figure 35-7: Figure 35-7 Scenario 1: PACL Interaction with an Input Router ACL...
  • Page 510 Chapter 35 Configuring Network Security with ACLs Using PACL with VLAN Maps and Router ACLs If the interface access group mode is prefer port, then only the input PACL is applied on the ingress traffic from Host A. If the mode is prefer vlan, then only the VACL is applied to the ingress traffic from Host A.
  • Page 511: Chapter 36 Configuring Private Vlans

    Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Overview of PVLANs PVLANs provide Layer 2 isolation between ports within the same PVLAN. There are three types of PVLAN ports: •...
  • Page 512: Pvlan Trunks

    Chapter 36 Configuring Private VLANs Overview of PVLANs Isolated and community VLANs are called secondary VLANs. You can extend PVLANs across multiple devices by trunking the primary, isolated, and community VLANs to other devices that support PVLANs. In a switched environment, you can assign an individual PVLAN and associated IP subnet to each individual or common group of end stations.
  • Page 513: How To Configure Pvlans

    Chapter 36 Configuring Private VLANs How to Configure PVLANs When a packet is transmitted out of a PVLAN host or trunk port, the packet logically belongs to the primary VLAN. This relationship applies even though the packet may be transmitted with the secondary VLAN tagging for PVLAN trunk ports.
  • Page 514 • Do not apply dynamic access control entries (ACEs) to primary VLANs. Cisco IOS dynamic ACL configuration applied to a primary VLAN is inactive while the VLAN is part of the PVLAN configuration. • To prevent spanning tree loops due to misconfigurations, enable PortFast on the PVLAN trunk ports ...
  • Page 515: Configuring A Vlan As A Pvlan

    VLANs. (See Chapter 29, “Configuring QoS.”) Cisco IOS ACLs applied to the Layer 3 VLAN interface of a primary VLAN automatically apply to the associated isolated and community VLANs. • On a PVLAN trunk port a secondary VLAN ACL is applied on ingress traffic and a primary VLAN ...
  • Page 516: Associating A Secondary Vlan With A Primary Vlan

    Chapter 36 Configuring Private VLANs How to Configure PVLANs Primary Secondary Type Interfaces ------- --------- ----------------- ------------------------------------------ primary This example shows how to configure VLAN 303 as a community VLAN and verify the configuration: Switch# configure terminal Switch(config)# vlan 303 Switch(config-vlan)# private-vlan community Switch(config-vlan)# end Switch# show vlan private-vlan...
  • Page 517: Configuring A Layer 2 Interface As A Pvlan Promiscuous Port

    Chapter 36 Configuring Private VLANs How to Configure PVLANs • Use the remove keyword with a secondary_vlan_list to clear the association between secondary VLANs and a primary VLAN. • The command does not take effect until you exit VLAN configuration submode. ...
  • Page 518: Configuring A Layer 2 Interface As A Pvlan Host Port

    Chapter 36 Configuring Private VLANs How to Configure PVLANs • Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and the PVLAN promiscuous port. This example shows how to configure interface FastEthernet 5/2 as a PVLAN promiscuous port, map it to a PVLAN, and verify the configuration: Switch# configure terminal Switch(config)# interface fastethernet 5/2...
  • Page 519: Configuring A Layer 2 Interface As A Pvlan Trunk Port

    Chapter 36 Configuring Private VLANs How to Configure PVLANs This example shows how to configure interface FastEthernet 5/1 as a PVLAN host port and verify the configuration: Switch# configure terminal Switch(config)# interface fastethernet 5/1 Switch(config-if)# switchport mode private-vlan host Switch(config-if)# switchport private-vlan host-association 202 440 Switch(config-if)# end Switch#show interfaces fastethernet 5/1 switchport Name: Fa5/1...
  • Page 520 Chapter 36 Configuring Private VLANs How to Configure PVLANs Step 5 Switch(config-if)# [no] switchport private-vlan association trunk primary_vlan_ID secondary_vlan_ID. Purpose: Configures the association between primary VLANs and secondary VLANs on the PVLAN trunk port. Note: Multiple PVLAN pairs can be specified using this command so that a PVLAN trunk port can carry multiple secondary VLANs.
  • Page 521: Permitting Routing Of Secondary Vlan Ingress Traffic

    Chapter 36 Configuring Private VLANs How to Configure PVLANs Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Voice VLAN: none Appliance trust: none Administrative Private Vlan Host Association: 202 (VLAN0202) 440 (VLAN0440) Promiscuous Mapping: none Trunk encapsulation : dot1q Trunk vlans: 202 (VLAN0202) 440 (VLAN0440) Operational private-vlan(s):...
  • Page 522 Chapter 36 Configuring Private VLANs How to Configure PVLANs This example shows how to permit routing of secondary VLAN ingress traffic from private VLANs 303 through 307, 309, and 440 and verify the configuration: Switch# configure terminal Switch(config)# interface vlan 202 Switch(config-if)# private-vlan mapping add 303-307,309,440 Switch(config-if)# end Switch# show interfaces private-vlan mapping...
  • Page 523: Chapter 37 Port Unicast And Multicast Flood Blocking

    Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Overview of Flood Blocking Occasionally, unknown unicast or multicast traffic is flooded to a switch port because a MAC address has timed out or has not been learned by the switch.
  • Page 524: Blocking Flooded Traffic On An Interface

    Chapter 37 Port Unicast and Multicast Flood Blocking Configuring Port Blocking Blocking Flooded Traffic on an Interface Note: The interface can be a physical interface (for example, GigabitEthernet 1/1) or an EtherChannel group (such as port-channel 5). When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port channel group.
  • Page 525: Resuming Normal Forwarding On A Port

    Chapter 37 Port Unicast and Multicast Flood Blocking Configuring Port Blocking Resuming Normal Forwarding on a Port To resume normal forwarding on a port, perform this task: Step 1 Switch# configure terminal. Purpose: Enters global configuration mode. Step 2 Switch(config)# interface interface-id. Purpose: Enters interface configuration mode and enters the type and number of...
  • Page 526 Chapter 37 Port Unicast and Multicast Flood Blocking Configuring Port Blocking Software Configuration Guide—Release 12.2(25)EW 37-4 OL-6696-01...
  • Page 527: Chapter 38 Configuring Port-Based Traffic Control

    This chapter describes how to configure port-based traffic control on the Catalyst 4500 series switch. Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. This chapter consists of these sections: •...
  • Page 528: Hardware-Based Storm Control Implementation

    Chapter 38 Configuring Port-Based Traffic Control Overview of Storm Control Hardware-based Storm Control Implementation Broadcast suppression uses filtering that measures broadcast activity in a subnet over a one-second interval and compares the measurement with a predefined threshold. If the threshold is reached, further broadcast activity is suppressed for the duration of the interval.
  • Page 529: Enabling Storm Control

    Chapter 38 Configuring Port-Based Traffic Control Enabling Storm Control Enabling Storm Control To enable storm control, perform this task: Step 1 Switch# configure terminal. Purpose: Enters global configuration mode. Step 2 Switch(config)# interface interface-id. Purpose: Enters interface configuration mode and enters the port to configure. Step 3 Configures broadcast storm control.
  • Page 530: Disabling Storm Control

    Chapter 38 Configuring Port-Based Traffic Control Disabling Storm Control Disabling Storm Control To disable storm control, perform this task: Step 1 Switch# configure terminal. Purpose: Enters global configuration mode. Step 2 Switch(config)# interface interface-id. Purpose: Enters interface configuration mode and enters the port to configure. Step 3...
  • Page 531 Chapter 38 Configuring Port-Based Traffic Control Displaying Storm Control Speed: 1000 Duplex: full Trunk encap. type: 802.1Q Trunk mode: on,off,desirable,nonegotiate Channel: Broadcast suppression: percentage(0-100), sw Flowcontrol: rx-(off,on,desired),tx-(off,on,desired) VLAN Membership: static, dynamic Fast Start: Queuing: rx-(N/A), tx-(4q1t, Shaping) CoS rewrite: ToS rewrite: Inline power: SPAN: source/destination...
  • Page 532: Multicast Storm Control

    Chapter 38 Configuring Port-Based Traffic Control Multicast Storm Control Note: Use the show storm-control command to display the configured thresholds and the status of storm control on an interface. Switch# show storm-control Interface Filter State Upper Lower Current --------- ------------- ------- ------- ------- Gi4/4 Forwarding...
  • Page 533: Multicast Suppression On The Ws-X4515, Ws-X4014, And Ws-X4013+ Supervisor Engines

    Chapter 38 Configuring Port-Based Traffic Control Multicast Storm Control The following example shows how to enable multicast suppression on ports that have broadcast suppression already enabled: Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# interface fa3/1 Switch(config-if)# storm-control broadcast include multicast Switch(config-if)# end Switch#...
  • Page 535: Chapter 39 Configuring Span And Rspan

    Displaying SPAN and RSPAN Status, page 39-24 Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Overview of SPAN and RSPAN...
  • Page 536 You can use the SPAN or RSPAN destination port to forward transmitted traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.
  • Page 537: Span And Rspan Concepts And Terminology

    Chapter 39 Configuring SPAN and RSPAN Overview of SPAN and RSPAN SPAN and RSPAN Concepts and Terminology This section describes concepts and terminology associated with SPAN and RSPAN configuration and includes the following subsections: • SPAN Session, page 39-3 • Traffic Types, page 39-3 ...
  • Page 538 Chapter 39 Configuring SPAN and RSPAN Overview of SPAN and RSPAN Some features that can cause a packet to be dropped during receive processing have no effect on SPAN; the destination port receives a copy of the packet even if the actual incoming packet is dropped.
  • Page 539 Chapter 39 Configuring SPAN and RSPAN Overview of SPAN and RSPAN Destination Port Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports and VLANs. A destination port has these characteristics: A destination port must reside on the same switch as the source port (for a local SPAN session).
  • Page 540: Span And Rspan Session Limits

    You can use local SPAN to monitor all network traffic, including multicast and bridge protocol data unit (BPDU) packets, Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP) packets. You cannot use RSPAN to monitor Layer 2 protocols.
  • Page 541: Span Configuration Guidelines And Restrictions

    Chapter 39 Configuring SPAN and RSPAN Configuring SPAN • Configuration Scenario, page 39-10 • Verifying a SPAN Configuration, page 39-10 Note: Entering SPAN configuration commands does not clear previously configured SPAN parameters. You must enter the no monitor session command to clear configured SPAN parameters. SPAN Configuration Guidelines and Restrictions Follow these guidelines and restrictions when configuring SPAN: •...
  • Page 542: Configuring Span Sources

    Chapter 39 Configuring SPAN and RSPAN Configuring SPAN Configuring SPAN Sources To configure the source for a SPAN session, perform this task: Switch(config)# [no] monitor session {session_number} {source {interface ... Purpose: Specifies the SPAN session number (1 through 6), the source interfaces (FastEthernet or ...
  • Page 543: Configuring Span Destinations

    Chapter 39 Configuring SPAN and RSPAN Configuring SPAN Configuring SPAN Destinations To configure the destination for a SPAN session, perform this task: Switch(config)# [no] monitor session <session_number> destination interface ... Purpose: Specifies the SPAN session number (1 through 6) and the destination interfaces or VLANs.
  • Page 544: Configuration Scenario

    Chapter 39 Configuring SPAN and RSPAN CPU Port Sniffing Configuration Scenario This example shows how to use the commands described in this chapter to completely configure and unconfigure a SPAN session. Assume that you want to monitor bidirectional traffic from source interface Fast Ethernet 4/10, which is configured as a trunk interface carrying VLANs 1 through 4094.
  • Page 545 Chapter 39 Configuring SPAN and RSPAN CPU Port Sniffing To configure CPU source sniffing, perform this task: Switch(config)# [no] monitor session {session_number} {source {interface interface_list | {vlan vlan_IDs | cpu ... Purpose: Specifies that traffic received by or sent from the CPU is to be copied to the destination of the session.
  • Page 546: Encapsulation Configuration

    Chapter 39 Configuring SPAN and RSPAN Encapsulation Configuration Encapsulation Configuration When configuring a SPAN destination port, you can explicitly specify the encapsulation type used by the port. Packets sent out the port are tagged in accordance with the specified mode. (The encapsulation mode also controls how tagged packets are handled when the ingress packet option is enabled.) The Catalyst 4500 series switch supervisor engines support ISL encapsulation and 802.1q encapsulation, as well as untagged packets.
  • Page 547: Access List Filtering

    Chapter 39 Configuring SPAN and RSPAN Access List Filtering This example shows how to configure a destination port with 802.1q encapsulation and ingress packets using native VLAN 7: Switch(config)# monitor session 1 destination interface fastethernet 5/48 encapsulation dot1q ingress vlan 7 With this configuration, traffic from SPAN sources associated with session 1 would be copied out of interface Fast Ethernet 5/48, with 802.1q encapsulation.
  • Page 548: Configuring Access List Filtering

    Chapter 39 Configuring SPAN and RSPAN Packet Type Filtering • No policing is allowed on traffic exiting SPAN ports. • Only IP ACLs are supported on SPAN sessions. Configuring Access List Filtering To configure access list filtering, perform this task: Command Purpose Specifies filter sniffing based on the access list.
  • Page 549: Configuration Example

    Chapter 39 Configuring SPAN and RSPAN Configuration Example There are two categories of packet filtering: packet-based (good, error) or address-based (unicast/multicast/broadcast). Packet-based filters can only be applied in the ingress direction. Packets are classified as broadcast, multicast, or unicast by the hardware based on the destination address. When filters of both types are configured, only packets that pass both filters are spanned.
  • Page 550: Configuring Rspan

    Chapter 39 Configuring SPAN and RSPAN Configuring RSPAN Configuring RSPAN This section describes how to configure RSPAN on your switch and it contains this configuration information: • RSPAN Configuration Guidelines, page 39-16 • Creating an RSPAN Session, page 39-17 • Creating an RSPAN Destination Session, page 39-18 ...
  • Page 551: Creating An Rspan Session

    Chapter 39 Configuring SPAN and RSPAN Configuring RSPAN Creating an RSPAN Session First create, for the RSPAN session, an RSPAN VLAN that does not already exist on any of the switches that will participate in RSPAN. With VTP enabled in the network, you can create the RSPAN VLAN in one switch, and VTP then propagates it to the other switches in the VTP domain for VLAN IDs that are lower than 1005.
  • Page 552: Creating An Rspan Destination Session

    Chapter 39 Configuring SPAN and RSPAN Configuring RSPAN Step 5 Switch(config)# end. Purpose: Returns to privileged EXEC mode. Step 6 Switch# show monitor [session session_number]. Purpose: Verifies your entries. Step 7 (Optional) Switch# copy running-config startup-config. Purpose: Saves your entries in the configuration file. This example shows how to clear any existing RSPAN configuration for session 1, configure RSPAN...
  • Page 553: Creating An Rspan Destination Session And Enabling Ingress Traffic

    Creating an RSPAN Destination Session and Enabling Ingress Traffic To create an RSPAN destination session, to specify the source RSPAN VLAN, and to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS [Intrusion Detection System] sensor appliance), perform this task:...
  • Page 554 Chapter 39 Configuring SPAN and RSPAN Configuring RSPAN Step 3 Switch(config)# monitor session session_number destination interface interface-id [encapsulation {dot1q [ingress vlan vlan_id] | ISL [ingress]} | ingress vlan vlan_id] [learning]. Purpose: Specifies the RSPAN session, the destination port, the packet encapsulation, and the ingress VLAN. For session_number, specifies the session number identified with this RSPAN session (1 through 6).
  • Page 555: Removing Ports From An Rspan Session

    Chapter 39 Configuring SPAN and RSPAN Configuring RSPAN Removing Ports from an RSPAN Session To remove a port as an RSPAN source for a session, perform this task: Step 1 Switch# configure terminal. Purpose: Enters global configuration mode. Step 2 Switch(config)# [no] monitor session {session_number} {source {interface ... Purpose: Specifies the characteristics of the RSPAN source port (monitored ...
  • Page 556: Specifying Vlans To Monitor

    Chapter 39 Configuring SPAN and RSPAN Configuring RSPAN Specifying VLANs to Monitor VLAN monitoring is similar to port monitoring. To specify VLANs to monitor, perform this task: Step 1 Switch# configure terminal. Purpose: Enters global configuration mode. Step 2 Clears any existing SPAN configuration for the session.
  • Page 557: Specifying Vlans To Filter

    Chapter 39 Configuring SPAN and RSPAN Configuring RSPAN This example shows how to clear any existing configuration on RSPAN session 2, configure RSPAN session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination remote VLAN 902.
  • Page 558: Displaying Span And Rspan Status

    Chapter 39 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status Step 4 Switch(config)# monitor session session_number filter vlan vlan-id [, | -]. Purpose: Limits the RSPAN source traffic to specific VLANs. For session_number, specifies the session number identified with this RSPAN session (1 through 6).
  • Page 559 Chapter 39 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status Source VLANs: RX Only: None TX Only: None Both: None Source RSPAN VLAN: None Destination Ports: None Encapsulation: DOT1Q Ingress:Enabled, default VLAN=5 Filter VLANs: None Dest RSPAN VLAN: None Ingress : Enabled, default VLAN=2 Learning : Disabled Software Configuration Guide—Release 12.2(25)EW...
  • Page 561: Chapter 40 Configuring Netflow Statistics Collection

    Note: For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm. Refer to the NetFlow Solutions Guide for more detailed information on NetFlow usage and management.
  • Page 562 Chapter 40 Configuring NetFlow Statistics Collection Overview of NetFlow Statistics Collection NetFlow exports flow information in UDP datagrams in one of two formats. The version 1 format was the initial released version, and version 5 is a later enhancement to add Border Gateway Protocol (BGP) autonomous system (AS) information and flow sequence numbers.
  • Page 563: Information Derived From Hardware

    Chapter 40 Configuring NetFlow Statistics Collection, Overview of NetFlow Statistics Collection. Table 40-2 NDE Version 5 Flow Record Format. Flow masks: X = Populated, A = Additional field. Bytes / Content / Description: 0–3, srcaddr, Source IP address; 4–7, dstaddr, Destination IP address; 8–11, nexthop, Next hop router's IP address; 12–13, input...
  • Page 564: Information Derived From Software

    Chapter 40 Configuring NetFlow Statistics Collection, Overview of NetFlow Statistics Collection. • source and destination IP addresses • IP protocol • source and destination port numbers. Information Derived from Software. The software infers the following fields: • Input and output identifiers...
  • Page 565: Feature Interaction Of Netflow Statistics With Ubrl And Microflow Policing

    Chapter 40 Configuring NetFlow Statistics Collection Overview of NetFlow Statistics Collection Determining the Input Interface and Input Related Inferred Fields Similarly, the input interface and the source AS number for the source IP address are determined by looking up the FIB entry in the default FIB table based on the source IP address. Therefore, the input interface is based solely on the source IP address and a reverse lookup is done to determine to which interface a packet with this IP destination address needs to be routed.
  • Page 566: Configuring Netflow Statistics Collection

    Chapter 40 Configuring NetFlow Statistics Collection Configuring NetFlow Statistics Collection The following example shows the CLI output for a specific VLAN: cat4k-sup4-2# sh vlan counters or show vlan id 22 count * Multicast counters include broadcast packets Vlan Id L2 Unicast Packets L2 Unicast Octets :2432 L3 Input Unicast Packets...
  • Page 567: Enabling Netflow Statistics Collection

    Note: To enable NetFlow switching, first configure the switch for IP routing as described in the IP configuration chapters in the Cisco IOS IP and IP Routing Configuration Guide. After you configure IP routing, perform one of these tasks: Command / Purpose: Enables NetFlow for IP routing.
  • Page 568: Exporting Netflow Statistics

    Chapter 40 Configuring NetFlow Statistics Collection, Configuring NetFlow Statistics Collection. Exporting NetFlow Statistics. To configure the switch to export NetFlow statistics to a workstation when a flow expires, perform one of these tasks: Command: Switch(config)# ip flow-export destination hostname ip-address... Purpose: (Required) Configures the switch to export NetFlow cache
  • Page 569: Configuring A Netflow Minimum Prefix Mask For Router-Based Aggregation

    Chapter 40 Configuring NetFlow Statistics Collection Configuring NetFlow Statistics Collection To configure an aggregation cache, you must enter the aggregation cache configuration mode, and you must decide which type of aggregation scheme you would like to configure: autonomous system, destination prefix, protocol prefix, or source prefix aggregation cache. Once you define the aggregation scheme, define the operational parameters for that scheme.
  • Page 570 Chapter 40 Configuring NetFlow Statistics Collection, Configuring NetFlow Statistics Collection. The default value of the minimum mask is zero. Note: The configurable range for the minimum mask is from 1 to 32. You should choose an appropriate value depending on the traffic. A higher value for the minimum mask provides more detailed network addresses, but it may also result in an increased number of flows in the aggregation cache.
  • Page 571: Configuring Netflow Aging Parameters

    Chapter 40 Configuring NetFlow Statistics Collection, NetFlow Statistics Collection Configuration Example. Monitoring and Maintaining Minimum Masks for Aggregation Schemes. To view the configured value of the minimum mask, use the following commands for each aggregation scheme, as needed: Command: Router# show ip cache flow aggregation prefix. Purpose: Displays the configured value of the minimum mask in the prefix aggregation...
  • Page 572 Chapter 40 Configuring NetFlow Statistics Collection NetFlow Statistics Collection Configuration Example 0 export packets were sent up to process level 0 export packets were dropped due to no fib 0 export packets were dropped due to adjacency issues 0 export packets were dropped due to fragmentation failures 0 export packets were dropped due to encapsulation fixup failures Switch# Switch# show ip cache flow...
  • Page 573: Netflow Configuration Examples

    Chapter 40 Configuring NetFlow Statistics Collection, NetFlow Configuration Examples. This section provides the following basic configuration examples: • Sample NetFlow Enabling Schemes, page 40-13 • Sample NetFlow Aggregation Configurations, page 40-13 • Sample NetFlow Minimum Prefix Mask Router-Based Aggregation Schemes, page 40-14 •...
  • Page 574: Sample Netflow Minimum Prefix Mask Router-Based Aggregation Schemes

    Chapter 40 Configuring NetFlow Statistics Collection NetFlow Configuration Examples Destination Prefix Configuration This example shows how to configure a destination prefix aggregation cache with an inactive timeout of 200 seconds, a cache active timeout of 45 minutes, an export destination IP address of 10.42.42.1, and a destination port of 9992: Switch(config)# ip flow-aggregation cache destination-prefix Switch(config-flow-cache)# cache timeout inactive 200...
  • Page 575 Chapter 40 Configuring NetFlow Statistics Collection NetFlow Configuration Examples Prefix Aggregation Scheme This is an example of a prefix aggregation cache configuration: ip flow-aggregation cache prefix mask source minimum 24 mask destination minimum 28 In this example, assume the following configuration: ip route 118.42.20.160 255.255.255.224 110.42.13.2 ip route 122.16.93.160 255.255.255.224 111.22.21.2 Both routes have a 27-bit subnet mask in the routing table on the switch.
  • Page 577: Appendix

    Bisync BSTUN Block Serial Tunnel broadcast and unknown server bridge-group virtual interface content-addressable memory committed access rate circuit card assembly Cisco Discovery Protocol Cisco Express Forwarding CGMP Cisco Group Management Protocol...
  • Page 578: Appendix A Acronym

    Common Spanning Tree CUDD University of Colorado Decision Diagram Dynamic Buffer Limiting Data Country Code dCEF distributed Cisco Express Forwarding dial-on-demand routing discard eligibility Digital Equipment Corporation Domain-Specific Part Format Identifier Dynamic Feedback Protocol DISL Dynamic Inter-Switch Link...
  • Page 579 Appendix A Acronyms Table A-1 Acronyms (continued) Acronym Expansion Extensible Authentication Protocol EARL Enhanced Address Recognition Logic EEPROM electrically erasable programmable read-only memory EHSA enhanced high system availability Explicit Host Tracking Electronic Industries Association ELAN Emulated Local Area Network EOBC Ethernet out-of-band channel end-system identifier FECN...
  • Page 580 Appendix A Acronyms Table A-1 Acronyms (continued) Acronym Expansion Local Director Acceleration Link Control Protocol LAN Emulation Client LECS LAN Emulation Configuration Server link error monitor link error rate LAN Emulation Server Logical Link Control Local Target Logic Media Access Control MACL MAC Access Control Message Digest 5...
  • Page 581 Appendix A Acronyms Table A-1 Acronyms (continued) Acronym Expansion Operation, Administration, and Maintenance order dependent merge Open System Interconnection OSPF open shortest path first PACL Port Access Control List port access entity PAgP Port Aggregation Protocol packet buffer daughterboard Policy Based Routing Personal Computer pulse code modulation peak cell rate...
  • Page 582 SNAP Subnetwork Access Protocol SNMP Simple Network Management Protocol SPAN Switched Port Analyzer SSTP Cisco Shared Spanning Tree Spanning Tree Protocol switched virtual circuit switched virtual interface TACACS+ Terminal Access Controller Access Control System Plus TARP Target Identifier Address Resolution Protocol...
  • Page 583 Appendix A Acronyms Table A-1 Acronyms (continued) Acronym Expansion type-length-value Time To Live valid transmission UDLD UniDirectional Link Detection Protocol User Datagram Protocol User-Network Interface Coordinated Universal Time VACL VLAN access control list virtual channel circuit virtual circuit identifier Virtual Configuration Register VINES Virtual Network System VLAN...
