Cisco Systems 3550 Configuring TACACS+

6-13

Catalyst 3550 Multilayer Switch Software Configuration Guide

78-11194-03

Chapter6 Administering the Swi tc h Controlling Switch Access with TACACS+

Configuring TACACS+

This section describes how to configure your switch to support TACACS+. At a minimum, you must

identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+

authentication. You can optionally define method lists for TACACS+ authorization and accounting. A

method list defines the sequence and methods to be used to authenticate, to authorize, or t o keep accounts

on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring

a backup system if the initial method fails. The software uses the first method listed to authenticate, to

authorize, or to keep accounts on users; if that method d oe s no t re spo nd, t he soft wa re se lec ts th e ne xt

method in the list. This process continues until there is successful communication with a listed method

or the method list is exhausted.

This section contains this configuration information:

•Default TACACS+ Configuration, page 6-13

•Identifying the TACACS+ Server Host and Setting the Authentication Key, page 6-13

•Configuring TACACS+ Login Authentication, page 6-14

•Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page

6-16

•Starting TACACS+ Accounting, page 6-17

Default TACACS+ Configuration

TACACS+ and AAA are disabled by default.

To prevent a lapse in security, you cannot configure TACACS+ through a network management

application.When enabled, TACACS+ can authenticate users accessing the s witch th rough t he CLI.

Note Although TACACS+ configuration is performed through the CLI, the TACACS+ server

authenticates HTTP connections that have been configured with a privilege level of 15.

Identifying the TACACS+ Server Host and Setting the Authentication Key

You can configure the switch to use a single server or AAA server groups to group existing server hosts

for authentication. You can group servers to select a subset of the configured server hosts and u se them

for a particular service. The server group is used with a global server-host list and contains the list of IP

addresses of the selected server hosts.

Contents

Main Catalyst 3550 Multilayer Switch Software Configuration Guide Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Preface Audience Purpose Organization Page Conventions Related Publications Obtaining Documentation World Wide Web Documentation CD-ROM Ordering Documentation Obtaining Technical Assistance Cisco.com Technical Assistance Center Cisco TAC Web Site Cisco TAC Escalation Center Overview Features Page Page Page Management Options Management Interface Options Advantages of Using CMS and Clustering Switches Network Configuration Examples Design Concepts Page Page 1-10 Small to Medium-Sized Network Using Mixed Switches 1-12 Large Network Using Only Catalyst 3550 Switches Multidwelling Network Using Catalyst 3550 Switches 1-15 Page Using the Command-Line Interface IOS Command Modes Page Getting Help Abbreviating Commands Using no and default Forms of Commands Understanding CLI Messages Using Command History Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features Enabling and Disabling Editing Features Editing Commands through Keystrokes Page Editing Command Lines that Wrap Searching and Filtering Output of show and more Commands Accessing the CLI Page Getting Started with CMS Features 3-3 switch settings; read-only access for users allowed to only view switch settings consistent approach to setting configuration parameters 3-4 Front Panel View Cluster Tree Front-Panel Images Redundant Power System LED Port Modes and LEDs VLAN Membership Modes Topology View 3-11 Topology Icons Device and Link Labels Colors in the Topology View Topology Display Options Menus and Toolbar Menu Bar Page Page Page Page Page Toolbar Front Panel View Popup Menus Device Popup Menu Port Popup Menu Topology View Popup Menus Link Popup Menu Device Popup Menus Page Interaction Modes Guide Mode Expert Mode Wizards Tool Tips Online Help CMS Window Components Host Name List Tabs, Lists, and Tables Icons Used in Windows Buttons Accessing CMS Access Modes in CMS HTTP Access to CMS Verifying Your Changes Change Notification Error Checking Saving Your Changes Using Different Versions of CMS Where to Go Next Page Assigning the Switch IP Address and Default Gateway Understanding the Boot Process Assigning Switch Information Default Switch Information Understanding DHCP-Based Autoconfiguration DHCP Client Request Process Configuring the DHCP Server Configuring the TFTP Server Configuring the DNS Configuring the Relay Device Obtaining Configuration Files Example Configuration Page Manually Assigning IP Information Checking and Saving the Running Configuration 4-11 Modifying the Startup Configuration Default Boot Configuration Automatically Downloading a Configuration File Specifying the Filename to Read and Write the System Configuration Booting Manually Booting a Specific Software Image Controlling Environment Variables Page Scheduling a Reload of the Software Image Configuring a Scheduled Reload Displaying Scheduled Reload Information Clustering Switches Understanding Switch Clusters Command Switch Characteristics Standby Command Switch Characteristics Candidate and Member Switches Characteristics Planning a Switch Cluster Automatic Discovery of Cluster Candidates and Members Discovery through CDP Hops Discovery through Non-CDP-Capable and Noncluster-Capable Devices Discovery through Different VLANs Discovery through the Same Management VLAN Discovery through Different Management VLANs Discovery through Routed Ports Discovery of Newly Installed Switches HSRP and Standby Command Switches Virtual IP Addresses Automatic Recovery of Cluster Configuration Considerations for Cluster Standby Groups IP Addresses Host Names Passwords SNMP Community Strings TACACS+ Access Modes in CMS LRE Profiles Availability of Switch-Specific Features in Switch Clusters Creating a Switch Cluster Enabling a Command Switch Adding Member Switches 5-21 Creating a Cluster Standby Group 5-23 Verifying a Switch Cluster Using the CLI to Manage Switch Clusters Catalyst 1900 and Catalyst 2820 CLI Considerations Using SNMP to Manage Switch Clusters Administering the Switch Preventing Unauthorized Access to Your Switch Protecting Access to Privileged EXEC Commands Default Password and Privilege Level Configuration Setting or Changing a Static Enable Password Protecting Enable and Enable Secret Passwords with Encryption Disabling Password Recovery Setting a Telnet Password for a Terminal Line Configuring Username and Password Pairs Configuring Multiple Privilege Levels Setting the Privilege Level for a Command Changing the Default Privilege Level for Lines Logging into and Exiting a Privilege Level Controlling Switch Access with TACACS+ Understanding TACACS+ Page TACACS+ Operation Configuring TACACS+ Default TACACS+ Configuration Identifying the TACACS+ Server Host and Setting the Authentication Key Configuring TACACS+ Login Authentication Page Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Starting TACACS+ Accounting Displaying the TACACS+ Configuration Controlling Switch Access with RADIUS Understanding RADIUS RADIUS Operation Configuring RADIUS Default RADIUS Configuration Identifying the RADIUS Server Host Page Page Configuring RADIUS Login Authentication Defining AAA Server Groups Page Configuring RADIUS Authorization for User Privileged Access and Network Services Starting RADIUS Accounting Configuring Settings for All RADIUS Servers Configuring the Switch to Use Vendor-Specific RADIUS Attributes Configuring the Switch for Vendor-Proprietary RADIUS Server Communication Displaying the RADIUS Configuration Configuring the Switch for Local Authentication and Authorization Managing the System Time and Date Understanding the System Clock Understanding Network Time Protocol Page Configuring NTP Default NTP Configuration Configuring NTP Authentication Configuring NTP Associations Configuring NTP Broadcast Service Configuring NTP Access Restrictions Creating an Access Group and Assigning a Basic IP Access List Disabling NTP Services on a Specific Interface Configuring the Source IP Address for NTP Packets Displaying the NTP Configuration Configuring Time and Date Manually Setting the System Clock Displaying the Time and Date Configuration Configuring the Time Zone Configuring Summer Time (Daylight Saving Time) Page Configuring a System Name and Prompt Default System Name and Prompt Configuration Configuring a System Name Configuring a System Prompt Understanding DNS Default DNS Configuration Setting Up DNS Displaying the DNS Configuration Creating a Banner Default Banner Configuration Configuring a Message-of-the-Day Login Banner Configuring a Login Banner Managing the MAC Address Table Building the Address Table MAC Addresses and VLANs Default MAC Address Table Configuration Changing the Address Aging Time Removing Dynamic Address Entries Configuring MAC Address Notification Traps Page Adding and Removing Static Address Entries Displaying Address Table Entries Optimizing System Resources for User-Selected Features Page Using the Templates 6-60 This example shows how to configure a switch with the routing template and verify the configuration: Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication Device Roles Authentication Initiation and Message Exchange Ports in Authorized and Unauthorized States Supported Topologies Configuring 802.1X Authentication Default 802.1X Configuration 802.1X Configuration Guidelines Enabling 802.1X Authentication Configuring the Switch-to-RADIUS-Server Communication Enabling Periodic Re-Authentication Manually Re-Authenticating a Client Connected to a Port Changing the Quiet Period Changing the Switch-to-Client Retransmission Time Setting the Switch-to-Client Frame-Retransmission Number Enabling Multiple Hosts Resetting the 802.1X Configuration to the Default Values Displaying 802.1X Statistics and Status Configuring Interface Characteristics Understanding Interface Types Port-Based VLANs Switch Ports Access Ports Trunk Ports EtherChannel Port Groups Switch Virtual Interfaces Routed Ports Connecting Interfaces Using the Interface Command Procedures for Configuring Interfaces 8-8 Configuring a Range of Interfaces Page Configuring and Using Interface Range Macros Configuring Layer 2 Interfaces Default Layer 2 Ethernet Interface Configuration Configuring Interface Speed and Duplex Mode Configuration Guidelines Setting the Interface Speed and Duplex Parameters Page Configuring IEEE 802.3X Flow Control Adding a Description for an Interface Monitoring and Maintaining the Layer 2 Interface Monitoring Interface and Controller Status 8-19 This example shows how to display the status of all interfaces: Table8-2 Show Commands for Interfaces (continued) Command Purpose Clearing and Resetting Interfaces and Counters Shutting Down and Restarting the Interface Configuring Layer 3 Interfaces Page 8-24 This is an example of output from the show ip interface privileged EXEC command for an interface: Creating and Maintaining VLANs Understanding VLANs Number of Supported VLANs VLAN Port Membership Modes Using the VLAN Trunking Protocol The VTP Domain and VTP Modes VTP Advertisements VTP Version 2 VTP Pruning Page Configuring VTP Default VTP Configuration VTP Configuration Guidelines Domain Names Passwords VTP Version Configuration Requirements Configuring a VTP Server Configuring a VTP Client Disabling VTP (VTP Transparent Mode) Enabling VTP Version 2 Enabling VTP Pruning Monitoring VTP 9-14 This is an example of output from the show vtp status privileged EXEC command: This is an example of output from the show vtp counters privileged EXEC command: VLANs in the VTP Database Token Ring VLANs Default VLAN Configuration VLAN Configuration Guidelines Configuring VLANs in the VTP Database Adding an Ethernet VLAN Modifying an Ethernet VLAN Deleting a VLAN from the Database Assigning Static-Access Ports to a VLAN Page 9-21 Displaying VLANs in the VTP Database Understanding VLAN Trunks Trunking Overview Encapsulation Types 802.1Q Configuration Considerations Default Layer 2 Ethernet Interface VLAN Configuration Configuring an Ethernet Interface as a Trunk Port Configuring a Trunk Port Page Defining the Allowed VLANs on a Trunk Changing the Pruning-Eligible List Configuring the Native VLAN for Untagged Traffic Load Sharing Using STP Load Sharing Using STP Port Priorities Configuring STP Port Priorities and Load Sharing Page Load Sharing Using STP Path Cost Configuring STP Path Costs and Load Sharing Understanding VMPS Dynamic Port VLAN Membership VMPS Database Configuration File 9-35 each host belongs is defined. VMPS Configuration Guidelines Default VMPS Configuration Configuring an Interface as a Layer 2 Dynamic Access Port Entering the IP Address of the VMPS Configuring Dynamic Access Ports on VMPS Clients Reconfirming VLAN Memberships Changing the Reconfirmation Interval Changing the Retry Count Administering and Monitoring the VMPS Troubleshooting Dynamic Port VLAN Membership Dynamic Port VLAN Membership Configuration Example 9-41 Page Configuring STP Understanding Basic STP Features Supported STP Instances STP Overview Bridge ID, Switch Priority, and Extended System ID Election of the Root Switch Bridge Protocol Data Units STP Timers Creating the STP Topology STP Interface States Blocking State Listening State Learning State Forwarding State Disabled State STP Address Management STP and IEEE 802.1Q Trunks VLAN-Bridge STP STP and Redundant Connectivity Accelerated Aging to Retain Connectivity Understanding Advanced STP Features Understanding Port Fast Understanding BPDU Guard Understanding UplinkFast Understanding Cross-Stack UplinkFast How CSUF Works Events that Cause Fast Convergence Limitations Connecting the Stack Ports 10-17 Catalyst 3550 Multilayer Switch Software Configuration Guide 78-11194-03 Chapter10 Configuring STP Understanding Advanced STP Features GigaStack GBIC connection for normal convergence 1x 2x 3x 4x 5x 6x 7x 8x 9x 10x 11x 12x 13x 14x 15x 16x 17x 18x 19x 20x 21x 22x 23x 24x Understanding BackboneFast Page Understanding Root Guard Understanding EtherChannel Guard Configuring Basic STP Features Default STP Configuration Disabling STP Configuring the Root Switch Page Configuring a Secondary Root Switch Page Configuring STP Port Priority Configuring STP Path Cost Configuring the Switch Priority of a VLAN Configuring the Hello Time Configuring the Forwarding-Delay Time for a VLAN Configuring the Maximum-Aging Time for a VLAN Configuring STP for Use in a Cascaded Stack Displaying STP Status Configuring Advanced STP Features Configuring Port Fast Configuring BPDU Guard Configuring UplinkFast for Use with Redundant Links Configuring Cross-Stack UplinkFast Configuring BackboneFast Configuring Root Guard Enabling EtherChannel Guard Page Configuring IGMP Snooping and MVR Understanding IGMP Snooping Joining a Multicast Group Page Leaving a Multicast Group Immediate-Leave Processing Configuring IGMP Snooping Default IGMP Snooping Configuration Enabling or Disabling IGMP Snooping Setting the Snooping Method Configuring a Multicast Router Port Configuring a Host Statically to Join a Group Enabling IGMP Immediate-Leave Processing Displaying IGMP Snooping Information Page Page Understanding Multicast VLAN Registration Using MVR in a Multicast Television Application Page Configuring MVR Configuration Guidelines and Limitations Default MVR Configuration Configuring MVR Global Parameters Configuring MVR Interfaces Page Displaying MVR Information 11-19 This is an example of output from the show mvr interface privileged EXEC command: This is an example of output from the show mvr members privileged EXEC command: Configuring IGMP Filtering Default IGMP Filtering Configuration Configuring IGMP Profiles Page Applying IGMP Profiles Setting the Maximum Number of IGMP Groups Displaying IGMP Filtering Configuration Configuring Port-Based Traffic Control Configuring Storm Control Understanding Storm Control Page Default Storm Control Configuration Enabling Storm Control Disabling Storm Control Configuring Protected Ports Configuring Port Blocking Blocking Flooded Traffic on an Interface Resuming Normal Forwarding on a Port Configuring Port Security Understanding Port Security Default Port Security Configuration Configuration Guidelines Enabling and Configuring Port Security Page Displaying Port-Based Traffic Control Settings 12-12 This is a an example of output from the show interfaces switchport privileged EXEC command: This is a an example of output from the show interfaces counters broadcast privileged EXEC command: This is a an example of output from the show port-security address privileged EXEC command. Page Page Configuring CDP Understanding CDP Configuring CDP Default CDP Configuration Configuring the CDP Characteristics Disabling and Enabling CDP Disabling and Enabling CDP on an Interface Monitoring and Maintaining CDP 13-6 13-7 Page Configuring UDLD Understanding UDLD Page Configuring UDLD Default UDLD Configuration Enabling UDLD Globally Enabling UDLD on an Interface Resetting an Interface Shut Down by UDLD Page Page Configuring SPAN Understanding SPAN SPAN Concepts and Terminology SPAN Session Traffic Types Source Port Destination Port VLAN-Based SPAN SPAN Traffic SPAN Interaction with Other Features Configuring SPAN Default SPAN Configuration SPAN Configuration Guidelines Creating a SPAN Session and Specifying Ports to Monitor Page Removing Ports from a SPAN Session Specifying VLANs to Monitor Specifying VLANs to Filter Displaying SPAN Status Page Configuring RMON Understanding RMON Configuring RMON Default RMON Configuration Configuring RMON Alarms and Events Page Configuring RMON Collection on an Interface Displaying RMON Status Configuring System Message Logging Understanding System Message Logging Configuring System Message Logging System Log Message Format Default System Message Logging Configuration Disabling and Enabling Message Logging Setting the Message Display Destination Device Page Synchronizing Log Messages Enabling and Disabling Timestamps on Log Messages Enabling and Disabling Sequence Numbers in Log Messages Defining the Message Severity Level Page Limiting Syslog Messages Sent to the History Table and to SNMP Configuring UNIX Syslog Servers Logging Messages to a UNIX Syslog Daemon Configuring the UNIX System Logging Facility Displaying the Logging Configuration Configuring SNMP Understanding SNMP SNMP Versions SNMP Manager Functions SNMP Agent Functions SNMP Community Strings Using SNMP to Access MIB Variables Configuring SNMP Default SNMP Configuration Disabling the SNMP Agent Configuring Community Strings Page Configuring Trap Managers and Enabling Traps Page Setting the Agent Contact and Location Information Limiting TFTP Servers Used Through SNMP SNMP Examples Displaying SNMP Status Configuring Network Security with ACLs Understanding ACLs Supported ACLs Router ACLs VLAN Maps Handling Fragmented and Unfragmented Traffic Configuring Router ACLs Hardware and Software Handling of Router ACLs Unsupported Features Creating Standard and Extended IP ACLs Access List Numbers Creating a Numbered Standard ACL Creating a Numbered Extended ACL Page Page Page Page Creating Named Standard and Extended ACLs Applying Time Ranges to ACLs Page 19-17 This example uses named ACLs to permit and deny the same traffic. Including Comments About Entries in ACLs Applying the ACL to an Interface or Terminal Line Page Displaying ACLs and Access Groups 19-21 ACL Configuration Examples Page Numbered ACLs Extended ACLs Named ACLs Time Range Applied to an IP ACL Commented IP ACL Entries ACL Logging Configuring VLAN Maps VLAN Map Configuration Guidelines Creating Named MAC Extended ACLs Page Creating a VLAN Map Examples of ACLs and VLAN Maps Example 1 Example 2 Example 3 Example 4 Applying a VLAN Map to a VLAN Displaying VLAN Map Information Using VLAN Maps in Your Network Wiring Closet Configuration Denying Access to a Server on Another VLAN Using VLAN Maps with Router ACLs Guidelines Determining if the ACL Configuration Fits in Hardware 19-38 Examples of Router ACLs and VLAN Maps Applied to VLANs ACLs and Switched Packets 19-40 ACLs and Bridged Packets ACLs and Routed Packets ACLs and Multicast Packets Configuring QoS Understanding QoS Page Basic QoS Model Classification Page 20-6 Classification Based on QoS ACLs Classification Based on Class Maps and Policy Maps Policing and Marking Page 20-10 Mapping Tables Queueing and Scheduling Queueing and Scheduling on Gigabit-Capable Ports Tail Drop WRED Queueing and Scheduling on 10/100 Ethernet Ports Page Packet Modification Configuring QoS Default QoS Configuration Page Configuration Guidelines Enabling QoS Globally Configuring Classification Using Port Trust States Configuring the Trust State on Ports within the QoS Domain Page Configuring the CoS Value for an Interface Configuring the DSCP Trust State on a Port Bordering Another QoS Domain Configuring a QoS Policy Classifying Traffic by Using ACLs Page Page Classifying Traffic by Using Class Maps Page Classifying, Policing, and Marking Traffic by Using Policy Maps Page Page Page Page Classifying, Policing, and Marking Traffic by Using Aggregate Policers Page Configuring DSCP Maps Configuring the CoS-to-DSCP Map Configuring the IP-Precedence-to-DSCP Map Configuring the Policed-DSCP Map Configuring the DSCP-to-CoS Map Configuring the DSCP-to-DSCP-Mutation Map Configuring Egress Queues on Gigabit-Capable Ethernet Ports Mapping CoS Values to Select Egress Queues Configuring the Egress Queue Size Ratios Configuring Tail-Drop Threshold Percentages Configuring WRED Drop Thresholds Percentages Page Configuring the Egress Expedite Queue Allocating Bandwidth among Egress Queues Configuring Egress Queues on 10/100 Ethernet Ports Mapping CoS Values to Select Egress Queues Configuring the Minimum-Reserve Levels Configuring the Egress Expedite Queue Allocating Bandwidth among Egress Queues Page Displaying QoS Information QoS Configuration Examples QoS Configuration for the Common Wiring Closet QoS Configuration for the Intelligent Wiring Closet QoS Configuration for the Distribution Layer Page Page Page Configuring EtherChannel Understanding EtherChannel Understanding Port-Channel Interfaces Understanding the Port Aggregation Protocol PAgP Modes Physical Learners and Aggregate-Port Learners PAgP Interaction with Other Features Understanding Load Balancing and Forwarding Methods Page Configuring EtherChannel Default EtherChannel Configuration EtherChannel Configuration Guidelines Configuring Layer 2 EtherChannels Page Configuring Layer 3 EtherChannels Creating Port-Channel Logical Interfaces Configuring the Physical Interfaces Configuring EtherChannel Load Balancing Configuring the PAgP Learn Method and Priority Page Displaying EtherChannel and PAgP Status Configuring IP Unicast Routing Understanding Routing Steps for Configuring Routing Configuring IP Addressing Default Addressing Configuration Assigning IP Addresses to Network Interfaces Page 22-7 Use of Subnet Zero Classless Routing Page Configuring Address Resolution Methods Define a Static ARP Cache Set ARP Encapsulation Enable Proxy ARP Routing Assistance When IP Routing is Disabled Proxy ARP Default Gateway ICMP Router Discovery Protocol (IRDP) Page Configuring Broadcast Packet Handling Enabling Directed Broadcast-to-Physical Broadcast Translation Forwarding UDP Broadcast Packets and Protocols Page Establishing an IP Broadcast Address Flooding IP Broadcasts Monitoring and Maintaining IP Addressing Page 22-23 Enabling IP Routing Configuring RIP Page Page RIP Authentication Summary Addresses and Split Horizon Page Configuring IGRP Load Balancing and Traffic Distribution Control Page Page Split Horizon Configuring OSPF Page Page OSPF Interface Parameters OSPF Area Parameters Page Other OSPF Behavior Parameters Page Change LSA Group Pacing Loopback Interface Monitoring OSPF Page Configuring EIGRP Page EIGRP Router Mode Commands EIGRP Interface Mode Commands Configure EIGRP Route Authentication Monitoring and Maintaining EIGRP 22-52 This is an example of output from the show ip eigrp interface privileged EXEC command: This is an example of output from the show ip eigrp neighbors privileged EXEC command: This is an example of output from the show ip eigrp topology privileged EXEC command: This is an example of output from the show ip eigrp traffic privileged EXEC command: Configuring Protocol-Independent Features Configuring Cisco Express Forwarding Configuring the Number of Equal-Cost Routing Paths Configuring Static Routes Specifying Default Routes Specifying a Default Network Redistributing Routing Information Page Page Page Filtering Routing Information Setting Passive Interfaces Controlling Advertising and Processing in Routing Updates Filtering Sources of Routing Information Managing Authentication Keys Monitoring and Maintaining the IP Network 22-65 This is an example of output from the show ip route summary privileged EXEC command: 22-66 This is an example of output from the show route-map privileged EXEC command: Configuring HSRP Understanding HSRP Page Configuring HSRP Default HSRP Configuration Enabling HSRP Page Configuring HSRP Group Attributes Configuring HSRP Priority Page Configuring HSRP Authentication and Timers Configuring HSRP Groups and Clustering Displaying HSRP Configurations Configuring IP Multicast Routing Cisco Implementation of IP Multicast Routing Understanding IGMP IGMP Version 1 IGMP Version 2 Understanding PIM PIM Versions PIM Modes PIM DM Page PIM SM Auto-RP Bootstrap Router Multicast Forwarding and Reverse Path Check Neighbor Discovery Understanding DVMRP DVMRP Neighbor Discovery DVMRP Route Table DVMRP Source Distribution Tree Understanding CGMP Joining a Group with CGMP Leaving a Group with CGMP Configuring IP Multicast Routing Default Multicast Routing Configuration Multicast Routing Configuration Guidelines PIMv1 and PIMv2 Interoperability Auto-RP and BSR Configuration Guidelines Configuring Basic Multicast Routing Page Configuring a Rendezvous Point Manually Assigning an RP to Multicast Groups Configuring Auto-RP Setting up Auto-RP in a New Internetwork Adding Auto-RP to an Existing Sparse-Mode Cloud Preventing Join Messages to False RPs Preventing Candidate RP Spoofing Configuring PIMv2 BSR Defining the PIM Domain Border Page Defining the IP Multicast Boundary Configuring Candidate BSRs Configuring Candidate RPs Using Auto-RP and a BSR Monitoring the RP Mapping Information Troubleshooting PIMv1 and PIMv2 Interoperability Problems Configuring Advanced PIM Features Understanding PIM Shared Tree and Source Tree Delaying the Use of PIM Shortest-Path Tree Modifying the PIM Router-Query Message Interval Configuring Optional IGMP Features Default IGMP Configuration Changing the IGMP Version Changing the IGMP Query Timeout for IGMPv2 Changing the Maximum Query Response Time for IGMPv2 Configuring the Multilayer Switch as a Member of a Group Controlling Access to IP Multicast Groups Modifying the IGMP Host-Query Message Interval Configuring the Multilayer Switch as a Statically Connected Member Configuring Optional Multicast Routing Features Enabling CGMP Server Support Configuring sdr Listener Support Enabling sdr Listener Support Limiting How Long an sdr Cache Entry Exists Configuring the TTL Threshold Page Configuring an IP Multicast Boundary Configuring Basic DVMRP Interoperability Features Configuring DVMRP Interoperability Controlling Unicast Route Advertisements Page Configuring a DVMRP Tunnel Page Advertising Network 0.0.0.0 to DVMRP Neighbors Responding to mrinfo Requests Configuring Advanced DVMRP Interoperability Features Enabling DVMRP Unicast Routing Rejecting a DVMRP Nonpruning Neighbor Page Controlling Route Exchanges Limiting the Number of DVMRP Routes Advertised Changing the DVMRP Route Threshold Configuring a DVMRP Summary Address Page Disabling DVMRP Autosummarization Adding a Metric Offset to the DVMRP Route Monitoring and Maintaining IP Multicast Routing Clearing Caches, Tables, and Databases Displaying System and Network Statistics Monitoring IP Multicast Routing Page Configuring MSDP Understanding MSDP MSDP Operation MSDP Benefits Configuring MSDP Default MSDP Configuration Configuring a Default MSDP Peer Page Caching Source-Active State Page Requesting Source Information from an MSDP Peer Controlling Source Information that Your Switch Originates Redistributing Sources Page Filtering Source-Active Request Messages Controlling Source Information that Your Switch Forwards Using a Filter Page Using TTL to Limit the Multicast Data Sent in SA Messages Controlling Source Information that Your Switch Receives Page Configuring an MSDP Mesh Group Shutting Down an MSDP Peer Including a Bordering PIM Dense-Mode Region in MSDP Configuring an Originating Address other than the RP Address Monitoring and Maintaining MSDP Page Configuring Fallback Bridging Understanding Fallback Bridging Page Configuring Fallback Bridging Default Fallback Bridging Configuration Creating a Bridge Group Preventing the Forwarding of Dynamically Learned Stations Configuring the Bridge Table Aging Time Filtering Frames by a Specific MAC Address Adjusting Spanning-Tree Parameters Changing the Switch Priority Changing the Interface Priority Assigning a Path Cost Adjusting BPDU Intervals Adjusting the Interval between Hello BPDUs Changing the Forward-Delay Interval Changing the Maximum-Idle Interval Disabling the Spanning Tree on an Interface Monitoring and Maintaining the Network Troubleshooting Using Recovery Procedures Recovering from Corrupted Software Recovering from a Lost or Forgotten Password Password Recovery with Password Recovery Enabled Page Procedure with Password Recovery Disabled Page Recovering from a Command Switch Failure Replacing a Failed Command Switch with a Cluster Member Page Replacing a Failed Command Switch with Another Switch Recovering from Lost Member Connectivity Preventing Autonegotiation Mismatches Diagnosing Connectivity Problems Understanding Ping Executing Ping Understanding IP Traceroute Executing IP Traceroute Using Debug Commands Enabling Debugging on a Specific Feature Enabling All-System Diagnostics Redirecting Debug and Error Message Output Using the show forward Command Page Using the crashinfo File Page A Supported MIBs MIB List Using FTP to Access the MIB Files B Working with the IOS File System, Configuration Files, and Software Images Working with the Flash File System Displaying Available File Systems Setting the Default File System Displaying Information about Files on a File System Changing Directories and Displaying the Working Directory Creating and Removing Directories Copying Files Deleting Files Creating, Displaying, and Extracting tar Files Creating a tar File Displaying the Contents of a tar File Extracting a tar File Displaying the Contents of a File Working with Configuration Files Guidelines for Creating and Using Configuration Files Configuration File Types and Location Creating a Configuration File By Using a Text Editor Copying Configuration Files By Using TFTP Preparing to Download or Upload a Configuration File By Using TFTP Downloading the Configuration File By Using TFTP Uploading the Configuration File By Using TFTP Copying Configuration Files By Using FTP Preparing to Download or Upload a Configuration File By Using FTP Downloading a Configuration File By Using FTP Page Uploading a Configuration File By Using FTP Copying Configuration Files By Using RCP Preparing to Download or Upload a Configuration File By Using RCP Downloading a Configuration File By Using RCP Uploading a Configuration File By Using RCP Clearing Configuration Information Clearing the Startup Configuration File Deleting a Stored Configuration File Working with Software Images Image Location on the Switch tar File Format of Images on a Server or Cisco.com Copying Image Files By Using TFTP Preparing to Download or Upload an Image File By Using TFTP Downloading an Image File By Using TFTP Page Uploading an Image File By Using TFTP Copying Image Files By Using FTP Preparing to Download or Upload an Image File By Using FTP Downloading an Image File By Using FTP Page Uploading an Image File By Using FTP Copying Image Files By Using RCP Preparing to Download or Upload an Image File By Using RCP Downloading an Image File By Using RCP Page Uploading an Image File By Using RCP Page Page C Unsupported CLI Commands Access Control Lists ARP Commands FallBack Bridging HSRP Interface Configuration Commands IP Multicast Routing IP Unicast Routing Unsupported Privileged EXEC or User EXEC Commands Unsupported VPN Configuration Commands Unsupported VRF Configuration Commands Unsupported Route Map Commands MSDP RADIUS Page INDEX Numerics A Page B C Page Page D Page Page E F Page G H I Page Page Page J L M Page N O P Page Page Q R Page S Page Page Page T Page U V Page W X