Controlling Switch Access with TACACS+

Chapter 9 Configuring Switch-Based Authentication

This section describes how to enable and configure Terminal Access Controller Access Control System Plus (TACACS+), which provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands.

Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.

These sections contain this configuration information:

•Understanding TACACS+, page 9-10

•TACACS+ Operation, page 9-12

•Configuring TACACS+, page 9-12

•Displaying the TACACS+ Configuration, page 9-17

Understanding TACACS+

TACACS+ is a security application that provides centralized validation of users attempting to gain access to your switch. TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX or Windows NT workstation. You should have access to and should configure a TACACS+ server before the configuring TACACS+ features on your switch.

Note We recommend a redundant connection between a switch stack and the TACACS+ server. This is to help ensure that the TACACS+ server remains accessible in case one of the connected stack members is removed from the switch stack.

TACACS+ provides for separate and modular authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service—authentication, authorization, and accounting—independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.

The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers. A network access server provides connections to a single user, to a network or subnetwork, and to interconnected networks as shown in Figure 9-1.

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

9-10	OL-9775-02

Page 212

Image 212

Cisco Systems 3750E manual Controlling Switch Access with TACACS+, Understanding TACACS+

Contents

Americas Headquarters Text Part Number OL-9775-02Page N T E N T S Iii Assigning the Switch IP Address and Default Gateway Understanding Cisco Configuration Engine Software Clustering Switches Catalyst 1900 and Catalyst 2820 CLI Considerations Vii Creating a Banner Viii Changing the Default Privilege Level for Lines Device Roles Bypass Routed Ports Xii Monitoring and Maintaining the Interfaces Xiii Encapsulation Types Xiv Domain Names Private-VLAN Configuration Guidelines Xvi Disabled State Xvii Boundary Ports Xviii Xix 19-25 Dhcp Server Configuring Dynamic ARP Inspection Xxi Configuring MVR Xxii Understanding Storm Control Xxiii Understanding Udld Modes of Operation Xxiv Creating an Rspan Source Session Xxv Snmp Agent Functions Xxvi Creating a Numbered Extended ACL Xxvii Interaction with Other Features and Switches Xxviii Xxix Port-Channel Interfaces Xxx Configuring IP Addressing Xxxi Nonstop Forwarding Awareness Xxxii IPv6 Addresses Xxxiii Configuring Hsrp Priority Xxxiv Configuring IP Multicast Routing Xxxv Configuring Basic Dvmrp Interoperability Features Xxxvi Using a Filter Xxxvii Xxxviii 45-14 Configuring Online Diagnostics Xxxix Unsupported Route-Map Configuration Commands C-1 Hsrp Xli VTP Xlii Preface AudiencePurpose Conventions Related Publications Xliv Xlv Xlvi Features Overview Deployment Features Availability and Redundancy Features, Vlan Features, Overview Features Performance Features Management Options Manageability Features Availability and Redundancy Features Vlan Features Security Features Overview Features QoS and CoS Features Layer 3 Features Power over Ethernet Features Vlan Default Settings After Initial Switch ConfigurationMonitoring Features Overview Default Settings After Initial Switch Configuration Overview Default Settings After Initial Switch Configuration Network Configuration Examples Design Concepts for Using the Switch Network Demands Suggested Design Methods Cost-Effective Wiring Closet High-Performance Wiring Closet High-Performance Workgroup Gigabit-to-the-Desktop Redundant Gigabit Backbone Server Aggregation Linux Server Cluster Cisco SoftPhone Software Gigabit servers Internet Cisco 2600 or 3700 routers Catalyst 3560-E switches Large Network Using Catalyst 3750-E and 3560-E Switches Cisco 7x00 routers Catalyst Catalyst 3560-E Multidwelling Network Using Catalyst 3750-E Switches Long-Distance, High-Bandwidth Transport Configuration 11 Catalyst 3750-E Switches in a MAN Configuration Where to Go Next Access layer Aggregation layer OL-9775-02 Using the Command-Line Interface Understanding Command Modes Mode Access Method Prompt Exit Method About This Mode ConfigureQuit Ctrl-Z Console command Command PurposeUnderstanding the Help System Line vty or line Understanding Abbreviated Commands Understanding no and default Forms of CommandsCommand ? Command keyword ? Error Message Meaning How to Get Help Understanding CLI Error MessagesUsing Configuration Logging Using Command History Changing the Command History Buffer SizeRecalling Commands Action1 Result Using Editing Features Disabling the Command History FeatureEnabling and Disabling Editing Features Switch# terminal editing Editing Commands through Keystrokes Capability Keystroke1 Purpose Press Ctrl-L or Ctrl-R Editing Command Lines that WrapReturn and Space bar Switch# show interfaces include protocol Accessing the CLICommand begin include exclude regular-expression Using the Command-Line Interface Accessing the CLI OL-9775-02 Assigning the Switch IP Address and Default Gateway Understanding the Boot Process Assigning Switch Information Feature Default Setting Default Switch InformationUnderstanding DHCP-Based Autoconfiguration Dhcp Client Request Process Dhcp Client and Server Message Exchange Configuring DHCP-Based Autoconfiguration Dhcp Server Configuration Guidelines Configuring the Tftp Server Configuring the DNS Routerconfig-if#ip helper-address Configuring the Relay DeviceObtaining Configuration Files Example Configuration Tftpserver Switch a Switch B Switch C Switch D DNS Server ConfigurationTftp Server Configuration on Unix Dhcp Client Configuration Manually Assigning IP Information Switch# copy running-config startup-config Checking and Saving the Running ConfigurationSwitch# show running-config Automatically Downloading a Configuration File Modifying the Startup ConfigurationDefault Boot Configuration Booting Manually Boot config-file flash/ file-urlShow boot Configure terminal Enter global configuration mode Booting a Specific Software Image Boot system filesystem /file-url Boot system switch number all Controlling Environment Variables Set Manualboot yes Boot manual Set SwitchnumberSwitch current-stack-member-number renumber Set Switchpriority Configuring a Scheduled Reload Scheduling a Reload of the Software ImageVariable Description Reload in hhmm text Displaying Scheduled Reload Information Switch# reload atSwitch# reload at 0200 jun Configuring Cisco IOS CNS Agents Understanding Cisco Configuration Engine Software Configuration Service Configuration Engine Architectural Overview Event Service ConfigIDWhat You Should Know About the CNS IDs and Device Hostnames NameSpace Mapper Hostname and DeviceID Using Hostname, DeviceID, and ConfigIDDeviceID Initial Configuration Understanding Cisco IOS Agents Configuring Cisco IOS Agents Incremental Partial ConfigurationSynchronized Configuration Enabling Automated CNS Configuration Device Required Configuration Backup init-retry retry-count keepalive seconds Show running-configEnabling the CNS Event Agent Show cns event connections Enabling an Initial Configuration Enabling the Cisco IOS CNS Agent Cns config initial ip-address hostname Cns id interface num dns-reverse ipaddressMac-address event Cns id hardware-serial hostname string string Enabling a Partial Configuration Show running-config Verify your entriesCns config partial ip-address hostname Show cns config stats Displaying CNS Configuration Show cns config connectionsShow cns event stats Show cns event subject Managing Switch Stacks Understanding Switch Stacks Managing Switch Stacks Understanding Switch Stacks Switch Stack Membership Creating a Switch Stack from Two Standalone Switches Adding a Standalone Switch to a Switch Stack Stack Master Election and Re-Election Switch Stack Bridge ID and Router MAC Address Stack Member Numbers Stack Member Priority Values Scenario Result Switch Stack Offline ConfigurationEffects of Adding a Provisioned Switch to a Switch Stack Scenario Result Switch Stack Software Compatibility Recommendations Effects of Replacing a Provisioned Switch in a Switch Stack Stack Protocol Version Compatibility Major Version Number Incompatibility Among SwitchesMinor Version Number Incompatibility Among Switches Understanding Auto-Upgrade and Auto-Advise Directory Auto-Upgrade and Auto-Advise Example MessagesSwitch Mar 1 000422.537%IMAGEMGR-6-AUTOADVISESW Incompatible Software and Stack Member Image Upgrades Switch Stack Configuration Files Switch Stack Management Connectivity Connectivity to Specific Stack Members Connectivity to the Switch Stack Through an IP AddressConnectivity to the Switch Stack Through an SSH Session Priority new-priority-number global Switch Stack Configuration ScenariosUse the switch stack-member-number Current-stack-member-number Renumber new-stack-member-number Enabling Persistent MAC Address Configuring the Switch StackDefault Switch Stack Configuration Stack-mac persistent timer Show switchSwitchconfig# stack-mac persistent timer Time-value Assigning a Stack Member Number Setting the Stack Member Priority ValueAssigning Stack Member Information Provisioning a New Member for a Switch Stack Accessing the CLI of a Specific Stack Member Displaying Switch Stack InformationCommand Description Show switch stack-member-number Detail Show switch stack-portsShow switch stack-ring activity OL-9775-02 Clustering Switches Understanding Switch Clusters Switch Cisco IOS Release Cluster Capability Cluster Command Switch Characteristics Standby Cluster Command Switch Characteristics Planning a Switch Cluster Candidate Switch and Cluster Member Switch Characteristics Automatic Discovery of Cluster Candidates and Members Discovery Through CDP Hops Discovery Through CDP Hops Discovery Through Different VLANs Discovery Through Different Management VLANs Discovery Through Different VLANs Discovery Through Routed Ports Discovery of Newly Installed Switches New out-of-box Hsrp and Standby Cluster Command Switches Virtual IP Addresses Other Considerations for Cluster Standby Groups Automatic Recovery of Cluster Configuration IP Addresses Hostnames Passwords Snmp Community Strings Members Other cluster member switches Switch Clusters and Switch StacksSwitch Stack Switch Cluster TACACS+ and Radius LRE Profiles Catalyst 1900 and Catalyst 2820 CLI Considerations Using the CLI to Manage Switch ClustersSwitch# rcommand Using Snmp to Manage Switch Clusters Snmp Management for a Cluster OL-9775-02 Understanding the System Clock Administering the SwitchManaging the System Time and Date Understanding Network Time Protocol NTP Configuring NTP Typical NTP Network Configuration Ntp authenticate Default NTP ConfigurationConfiguring NTP Authentication Configuring NTP Associations Configuring NTP Broadcast Service Switchconfig# ntp server 172.16.22.44 versionNtp peer ip-address version number Key keyid source interface prefer Interface interface-id Ntp broadcast version number key keyidDestination-address Ntp broadcast client Configuring NTP Access Restrictions Ntp broadcastdelay microsecondsNtp access-group query-only Serve-onl y serve peer Command Purpose Configuring the Source IP Address for NTP Packets Interface interface-id Configuring Time and Date Manually Displaying the NTP ConfigurationSetting the System Clock Fundamentals Command Reference, Release Displaying the Time and Date Configuration Configuring the Time ZoneClock timezone zone hours-offset Minutes-offset Configuring Summer Time Daylight Saving Time Clock summer-time zone recurringWeek day month hh mm week day month Hh mm offset Clock summer-time zone date date Configuring a System Name and PromptClock summer-time zone date month Default System Name and Prompt Configuration Configuring a System NameCopy running-config startup-confi g Understanding DNS Default DNS Configuration Setting Up DNSIp domain-name name Ip name-server server-address1 Creating a Banner Default Banner ConfigurationDisplaying the DNS Configuration Unix telnet Configuring a Message-of-the-Day Login BannerBanner motd c message c Managing the MAC Address Table Configuring a Login BannerBanner login c message c Building the Address Table MAC Addresses and VLANs Changing the Address Aging Time MAC Addresses and Switch StacksDefault MAC Address Table Configuration Configuring MAC Address Notification Traps Removing Dynamic Address EntriesMac address-table aging-time Show mac address-table aging-time String by using the snmp-server community Snmp-server enable traps mac-notificationSnmp-server host host-addr traps informs version Mac address-table notification Adding and Removing Static Address Entries Configuring Unicast MAC Address Filtering Mac address-table static mac-addrVlan vlan-id interface interface-id Show mac address-table static Vlan vlan-id drop Managing the ARP Table Displaying Address Table Entries OL-9775-02 Configuring SDM Templates Understanding the SDM Templates Resource Access Default Routing Dual IPv4 and IPv6 SDM Templates SDM Templates and Switch Stacks IPv4-and-IPv6 Resource Default Routing SDM Template Configuration Guidelines Configuring the Switch SDM TemplateDefault SDM Template Setting the SDM Template Sdm prefer access defaultDual-ipv4-and-ipv6 default routing Vlan routing vlan Displaying the SDM Templates Switchconfig# sdm prefer routingSwitchconfig# sdm prefer dual-ipv4-and-ipv6 default Policy based routing aces 25K OL-9775-02 Configuring Switch-Based Authentication Preventing Unauthorized Access to Your Switch Protecting Access to Privileged Exec Commands Default Password and Privilege Level Configuration Switchconfig# enable password l1u2c3k4y5 Setting or Changing a Static Enable PasswordEnable password password Enable password level level password Encryption-type encrypted-passwordEnable secret level level password Service password-encryption Show version Disabling Password RecoveryNo service password-recovery Setting a Telnet Password for a Terminal Line Configuring Username and Password PairsPassword password Switchconfig-line#password let45me67in89 Configuring Multiple Privilege Levels Username commandLogin local Username name privilege level Show privilege Setting the Privilege Level for a CommandPrivilege mode level level command Logging into and Exiting a Privilege Level Changing the Default Privilege Level for LinesCommand Controlling Switch Access with TACACS+ Understanding TACACS+ Typical TACACS+ Network Configuration Configuring TACACS+ TACACS+ Operation Default TACACS+ Configuration Tacacs-server host hostname portAaa new-model Aaa group server tacacs+ group-name Show tacacs Verify your entries Configuring TACACS+ Login AuthenticationAaa new-model Enable AAA Aaa authentication login default Login authentication defaultAuthentication login command Line console tty vty line-number Show running-config Verify your entries Starting TACACS+ Accounting Controlling Switch Access with RadiusDisplaying the TACACS+ Configuration Understanding Radius Transitioning from Radius to TACACS+ Services Radius Operation Identifying the Radius Server Host Configuring RadiusDefault Radius Configuration Page Acct-port port-number timeout Radius-server host hostnameIp-address auth-port port-number Seconds retransmit retries key Configuring Radius Login Authentication Switchconfig# radius-server host host1 Server Host section on Defining AAA Server Groups Aaa group server radius group-name Aaa authorization network radius Radius Starting Radius Accounting Configuring Settings for All Radius Servers Radius-server timeout secondsRadius-server key string Radius-server retransmit retries Authentication Radius-server vsa send accountingCisco-avpair=shellpriv-lvl=15 Cisco-avpair=ipoutacl#2=deny ip 10.10.10.10 0.0.255.255 any Radius-server host hostname ip-address non-standard Controlling Switch Access with KerberosDisplaying the Radius Configuration Understanding Kerberos Term Definition KDC Authenticating to a Boundary Switch Kerberos OperationKeytab Srvtab Obtaining a TGT from a KDC Configuring KerberosAuthenticating to Network Services Aaa authorization network local Aaa authentication login default localAaa authorization exec local Username name privilege level Configuring the Switch for Secure ShellUsername command Understanding SSH SSH Servers, Integrated Clients, and Supported Versions Limitations Configuring SSHConfiguration Guidelines Setting Up the Switch to Run SSH Displaying the SSH Configuration and Status Configuring the SSH ServerIp ssh timeout seconds Authentication-retries number Certificate Authority Trustpoints Configuring the Switch for Secure Socket Layer HttpUnderstanding Secure Http Servers and Clients Rsakeypair TP-self-signed-3080755072 CipherSuites Configuring Secure Http Servers and ClientsDefault SSL Configuration SSL Configuration Guidelines Configuring a CA Trustpoint Configuring the Secure Http Server Configuring the Secure Http Client Ip http timeout-policy idle seconds lifeShow ip http server secure status Ip http client secure-trustpoint name Configuring the Switch for Secure Copy Protocol Displaying Secure Http Server and Client StatusIp http client secure-ciphersuite Show ip http client secure status Information About Secure Copy Html OL-9775-02 10-1 Configuring Ieee 802.1x Port-Based AuthenticationUnderstanding Ieee 802.1x Port-Based Authentication Device Roles 10-2 Authentication Process 10-3 Authentication Flowchart 10-4 Authentication Initiation and Message Exchange 10-5 10-6 EAPOL-Start 10-7 Ieee 802.1x Authentication and Switch StacksPorts in Authorized and Unauthorized States Ieee 802.1x Host Mode 10-8 Ieee 802.1x Accounting Ieee 802.1x Accounting Attribute-Value PairsAttribute Number AV Pair Name 10-9 Using Ieee 802.1x Authentication with Vlan Assignment 10-10 Using Ieee 802.1x Authentication with Per-User ACLs 10-11 Using Ieee 802.1x Authentication with Guest Vlan 10-12 Using Ieee 802.1x Authentication with Restricted Vlan 10-13 10-14 Using Ieee 802.1x Authentication with Voice Vlan Ports 10-15 Using Ieee 802.1x Authentication with Port Security 10-16 Using Ieee 802.1x Authentication with Wake-on-LAN 10-17 10-18 10-19 Using Multidomain AuthenticationNetwork Admission Control Layer 2 Ieee 802.1x Validation 10-20 Using Web AuthenticationFor example Configuring Ieee 802.1x Authentication 10-21 10-22 Default Ieee 802.1x Authentication ConfigurationAAA 10-23 Ieee 802.1x Authentication Configuration GuidelinesIeee 802.1x Authentication 10-24 10-25 Configuring Ieee 802.1x AuthenticationMAC Authentication Bypass Configuring the Switch-to-RADIUS-Server Communication 10-26 Ip-address auth-port port-number key 10-27 Configuring the Host Mode Dot1x host-mode multi-hostMulti-domain Show dot1x interface interface-id 10-29 Configuring Periodic Re-AuthenticationManually Re-Authenticating a Client Connected to a Port Changing the Switch-to-Client Retransmission Time Dot1x timeout tx-period secondsChanging the Quiet Period Show dot1x interface interface-id Verify your entries Setting the Switch-to-Client Frame-Retransmission Number Switchconfig-if#dot1x timeout tx-periodShow dot1xinterface interface-id Verify your entries Dot1x max-reauth-req count Setting the Re-Authentication Number Configuring Ieee 802.1x AccountingSwitchconfig-if#dot1x max-reauth-req 10-32 Configuring a Guest Vlan 10-33 Configuring a Restricted Vlan Switchport mode private-vlan hostSwitchconfig# interface gigabitethernet2/0/2 Dot1x guest-vlan vlan-id Dot1x auth-fail vlan vlan-id Dot1x auth-fail max-attempts maxAttempts 10-35 Configuring the Inaccessible Authentication Bypass Feature Switchconfig-if#dot1x auth-fail max-attemptsRadius-server dead-criteria time time Tries tries 10-37 Configuring Ieee 802.1x Authentication with WoL Dot1x critical recovery actionReinitialize vlan vlan-id Show dot1x interface interface-id Configuring MAC Authentication Bypass Switchconfig-if#dot1x control-direction bothSwitchconfig-if#dot1x mac-auth-bypass Dot1x control-direction both Configuring NAC Layer 2 Ieee 802.1x Validation 10-40 Configuring Web Authentication 10-41 10-42 Disabling Ieee 802.1x Authentication on the Port No dot1x pae Disable Ieee 802.1x authentication on the portDot1x fallback fallback-profile 10-43 Displaying Ieee 802.1x Statistics and Status 10-44 11-1 Configuring Interface CharacteristicsUnderstanding Interface Types 11-2 Switch PortsPort-Based VLANs 11-3 Access PortsTrunk Ports 11-4 Routed PortsTunnel Ports 11-5 Switch Virtual InterfacesEtherChannel Port Groups Power over Ethernet Ports Gigabit Ethernet InterfacesSupported Protocols and Standards 11-6 11-7 Powered-Device Detection and Initial Power AllocationClass Power Management Modes 11-8 Power Monitoring and Power Policing 11-9 Maximum Power Allocation Cutoff Power on a PoE Port 11-10 Connecting Interfaces 11-11 Ethernet Management Port 11-12 Connecting a Switch Stack to a PC 11-13 Tftp 11-14 Using Interface Configuration Mode MgmtinitMgmtshow Mgmtclr Procedures for Configuring Interfaces 11-16 Configuring a Range of Interfaces Interface range port-range macroMacroname Show interfaces interface-id 11-18 Configuring and Using Interface Range Macros Show running-config include defineDefine interface-range macroname Interface range macro macroname Configuring Ethernet Interfaces Switch# show running-config include defineSwitch# show run include define 11-20 Default Ethernet Interface Configuration 11-21 11-22 Configuring Interface Speed and Duplex ModeSpeed and Duplex Configuration Guidelines Setting the Interface Speed and Duplex Parameters Speed 10 100 1000 auto 10Nonegotiate Duplex auto full half 11-24 Configuring Ieee 802.3x Flow ControlFlowcontrol receive on off desired Configuring Auto-MDIX on an Interface Local Side Auto-MDIXWith Correct Cabling 11-25 11-26 Configuring a Power Management Mode on a PoE PortInterface-id phy Budgeting Power for Devices Connected to a PoE Port Power inline auto max max-wattageShow power inline i nterface-id Neve r static max max-wattage Wattage 11-28 Configuring Power Policing 11-29 Adding a Description for an Interface 11-30 Configuring Layer 3 Interfaces Configuring Ethernet Management PortsSwitch# show interfaces gigabitethernet1/0/2 description 11-31 No switchport Interface gigabitethernet interface-id vlan vlan-idNo shutdown 11-32 Configuring the System MTU 11-33 Use the system mtu jumbo Use the system mtu routing System mtu jumbo bytesSystem mtu routing bytes 11-34 Configuring the Cisco Redundant Power System System mtu bytesReload Show system mtu Power rps switch-number name string serialnumber Power rps switch-number port rps-port-id mode activeStandby 11-36 Configuring the Power Supplies Power supply switch-numberoff onShow env power Show env rps 11-38 Monitoring and Maintaining the InterfacesMonitoring Interface Status Clearing and Resetting Interfaces and Counters 11-39 Shutting Down and Restarting the Interface Interface vlan vlan-id gigabitethernet interface-idShutdown 11-40 12-1 Configuring Smartports MacrosUnderstanding Smartports Macros Configuring Smartports Macros Default Smartports Macro ConfigurationMacro Name Description 12-2 Smartports Macro Configuration Guidelines 12-3 Creating Smartports Macros Macro name macro-nameName Sample-Macro and macro name sample-macro will result Show parser macro name macro-name Applying Smartports Macros 12-5 Applying Cisco-Default Smartports Macros Show parser macroShow parser macro macro-name 12-6 12-7 Switch# show parser macro cisco-desktopSwitchconfig-if#macro apply cisco-desktop $AVID Displaying Smartports Macros Show parser macro briefShow parser macro description interface 12-8 13-1 Configuring VLANsUnderstanding VLANs 13-2 13-3 Supported VLANsVlan Port Membership Modes Configuring Normal-Range VLANs 13-4 Vlan ID 13-5 13-6 Normal-Range Vlan Configuration GuidelinesToken Ring VLANs Vlan Configuration Mode Options Saving Vlan ConfigurationVlan Configuration in config-vlan Mode Vlan Configuration in Vlan Database Configuration Mode Default Ethernet Vlan Configuration Parameter Default RangeVLANxxxx, where 13-8 Copy running-config startup config Creating or Modifying an Ethernet VlanRemote-span 13-9 13-10 Deleting a VlanVlan database Assigning Static-Access Ports to a Vlan Switchport access vlan vlan-idNo vlan vlan-id Show vlan brief Configuring Extended-Range VLANs Default Vlan ConfigurationShow interfaces interface-id switchport Vlan fields of the display Extended-Range Vlan Configuration Guidelines 13-13 Vtp mode transparent Creating an Extended-Range VlanShow vlan id vlan-id 13-14 Switchconfig# vtp mode transparent Switch# copy running-config startup configCreating an Extended-Range Vlan with an Internal Vlan ID Show vlan internal usage Configuring Vlan Trunks Command Command Mode PurposeDisplaying VLANs Trunking Overview Switches in an ISL Trunking Environment 13-17 Mode Function Encapsulation TypesEncapsulation Function 13-18 Default Layer 2 Ethernet Interface Vlan Configuration Configuring an Ethernet Interface as a Trunk PortIeee 802.1Q Configuration Considerations 13-19 Interaction with Other Features Configuring a Trunk PortDot1q negotiate 13-20 Defining the Allowed VLANs on a Trunk 13-21 Switchport trunk allowed vlan add Changing the Pruning-Eligible ListAll except remove vlan-list 13-22 Configuring the Native Vlan for Untagged Traffic Switchport trunk pruning vlan addExcept none remove vlan-list Vlan ,vlan Configuring Trunk Ports for Load Sharing Load Sharing Using STP Port PrioritiesSwitchport trunk native vlan vlan-id 13-24 13-25 Load Sharing Using STP Path Cost Or switch stackConnect to the trunk ports configured on Switch a Exit Return to global configuration mode Switchport trunk encapsulation Interface gigabitethernet1/0/1Isl dot1q negotiate Spanning-tree vlan 2-4 cost 13-28 Configuring VmpsUnderstanding Vmps Default Vmps Client Configuration Vmps Configuration GuidelinesDynamic-Access Port Vlan Membership 13-29 13-30 Configuring the Vmps ClientEntering the IP Address of the Vmps Configuring Dynamic-Access Ports on Vmps Clients Switchport access vlan dynamicReconfirming Vlan Memberships Vmps reconfirm Changing the Reconfirmation Interval Changing the Retry CountVmps reconfirm minutes 13-32 Troubleshooting Dynamic-Access Port Vlan Membership Vmps Configuration ExampleSwitch# show vmps Monitoring the Vmps Dynamic Port Vlan Membership Configuration 13-34 14-1 Configuring VTPUnderstanding VTP VTP Domain 14-2 VTP Mode Description VTP ModesVTP Advertisements 14-3 14-4 VTP VersionVTP Pruning 14-5 Vlan 14-6 Configuring VTPVTP and Switch Stacks Default VTP Configuration VTP Configuration OptionsVTP Configuration in Global Configuration Mode 14-7 VTP Configuration Guidelines VTP Configuration in Vlan Database Configuration ModePasswords Domain Names Configuring a VTP Server Configuration RequirementsVTP Version 14-9 Vtp password password Vtp password passwordShow vtp status Vtp server Configuring a VTP Client Vtp mode clientSwitch# vlan database 14-11 Disabling VTP VTP Transparent Mode 14-12 14-13 Enabling VTP VersionVtp version Adding a VTP Client Switch to a VTP Domain Enabling VTP PruningVtp pruning 14-14 14-15 Monitoring VTP 14-16 15-1 Configuring Voice VlanUnderstanding Voice Vlan 15-2 Cisco IP Phone Voice TrafficCisco IP Phone Data Traffic Configuring Voice Vlan Default Voice Vlan ConfigurationVoice Vlan Configuration Guidelines 15-3 Configuring a Port Connected to a Cisco 7960 IP Phone 15-4 Configuring Cisco IP Phone Voice Traffic 15-5 Configuring the Priority of Incoming Data Frames 15-6 Displaying Voice Vlan 15-7 15-8 16-1 Configuring Private VLANsUnderstanding Private VLANs 16-2 Private-VLAN Domain IP Addressing Scheme with Private VLANs 16-3 16-4 Private VLANs across Multiple SwitchesPrivate-VLAN Interaction with Other Features 16-5 Private VLANs and Unicast, Broadcast, and Multicast TrafficPrivate VLANs and SVIs Configuring Private VLANs Tasks for Configuring Private VLANsPrivate VLANs and Switch Stacks 16-6 Default Private-VLAN Configuration Private-VLAN Configuration GuidelinesSecondary and Primary Vlan Configuration 16-7 Private-VLAN Port Configuration 16-8 Limitations with Other Features 16-9 Configuring and Associating VLANs in a Private Vlan 16-10 16-11 Show vlan private-vlan typeShow interfaces status Configuring a Layer 2 Interface as a Private-VLAN Host Port Switchport private-vlan host-associationSwitch# show interfaces gigabitethernet1/0/22 switchport Primaryvlanid secondaryvlanid Switchport mode private-vlan promiscuous Switchport private-vlan mapping primaryvlanidAdd remove secondaryvlanlist 16-13 Switch# show interfaces private-vlan mapping Interface vlan primaryvlanidPrivate-vlan mapping add remove Show interface private-vlan mapping Monitoring Private VLANs 16-15 16-16 17-1 Configuring Ieee 802.1Q and Layer 2 Protocol TunnelingUnderstanding Ieee 802.1Q Tunneling Ieee 802.1Q Tunnel Ports in a Service-Provider Network 17-2 17-3 Configuring Ieee 802.1Q Tunneling Default Ieee 802.1Q Tunneling ConfigurationIeee 802.1Q Tunneling Configuration Guidelines Native VLANs System MTU 17-5 Ieee 802.1Q Tunneling and Other Features 17-6 Configuring an Ieee 802.1Q Tunneling Port Vlan dot1q tag nativeShow dot1q-tunnel Show vlan dot1q tag native Understanding Layer 2 Protocol Tunneling 17-8 17-9 Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling 17-10 Default Layer 2 Protocol Tunneling Configuration 17-11 Layer 2 Protocol Tunneling Configuration Guidelines 17-12 Configuring Layer 2 Protocol Tunneling 17-13 Configuring Layer 2 Tunneling for EtherChannels Configuring the SP Edge SwitchL2protocol-tunnel point-to-point Pagp lacp udld 17-15 Configuring the Customer Switch 17-16 17-17 Switchconfig-if#channel-group 1 mode desirableSwitchconfig# interface port-channel Monitoring and Maintaining Tunneling Status 17-18 18-1 Configuring STPUnderstanding Spanning-Tree Features STP Overview 18-2 Spanning-Tree Topology and BPDUs 18-3 Bridge ID, Switch Priority, and Extended System ID 18-4 Switch Priority Value Spanning-Tree Interface StatesBit 32768 16384 8192 4096 2048 1024 512 256 128 2illustrates how an interface moves through the states 18-6 Blocking State Listening StateLearning State Forwarding State 18-8 How a Switch or Port Becomes the Root Switch or Root PortDisabled State Spanning Tree and Redundant Connectivity Spanning-Tree Address ManagementAccelerated Aging to Retain Connectivity 18-9 18-10 Spanning-Tree Modes and ProtocolsSupported Spanning-Tree Instances Spanning-Tree Interoperability and Backward Compatibility STP and Ieee 802.1Q TrunksVLAN-Bridge Spanning Tree Rapid PVST+ 18-12 Configuring Spanning-Tree FeaturesSpanning Tree and Switch Stacks 18-13 Default Spanning-Tree ConfigurationSpanning-Tree Configuration Guidelines 18-14 Changing the Spanning-Tree Mode 18-15 Configuring the Root Switch Disabling Spanning TreeShow spanning-tree vlan vlan-id Verify your entries 18-16 Spanning-tree vlan vlan-id root primary Diameter net-diameter hello-time secondsShow spanning-tree detail 18-17 Configuring a Secondary Root Switch Configuring Port PrioritySpanning-tree vlan vlan-id root secondary Diameter net-diameter hello-time Spanning-tree port-priority priority Spanning-tree vlan vlan-id port-priority priorityShow spanning-tree interface interface-id Show spanning-tree vlan vlan-id Configuring Path Cost Port-channel-numberSpanning-tree cost cost Spanning-tree vlan vlan-id cost cost 18-21 Configuring the Switch Priority of a VlanSpanning-tree vlan vlan-id priority priority Configuring Spanning-Tree Timers Configuring the Hello TimeSpanning-tree vlan vlan-id hello-time seconds 18-22 Configuring the Forwarding-Delay Time for a Vlan Configuring the Maximum-Aging Time for a VlanSpanning-tree vlan vlan-id forward-time Spanning-tree vlan vlan-idmax-age seconds Configuring the Transmit Hold-Count Displaying the Spanning-Tree StatusShow spanning-tree detail Verify your entries 18-24 Configuring Mstp 19-1 19-2 Understanding MstpMultiple Spanning-Tree Regions 19-3 IST, CIST, and CSTOperations Within an MST Region Operations Between MST Regions 19-4 Hop Count Ieee 802.1s TerminologyCisco Prestandard Cisco Standard 19-5 19-6 Boundary PortsIeee 802.1s Implementation 19-7 Interoperation Between Legacy and Standard SwitchesPort Role Naming Change 19-8 Mstp and Switch StacksDetecting Unidirectional Link Failure Understanding Rstp Interoperability with Ieee 802.1D STPPort Roles and the Active Topology 19-9 Rapid Convergence 19-10 Synchronization of Port Roles 19-11 19-12 Bridge Protocol Data Unit Format and ProcessingBit Function Topology Changes Processing Superior Bpdu InformationProcessing Inferior Bpdu Information 19-13 Configuring Mstp Features 19-14 19-15 Default Mstp ConfigurationMstp Configuration Guidelines Specifying the MST Region Configuration and Enabling Mstp Spanning-tree mst configurationInstance instance-id vlan vlan-range Name name Spanning-tree mode mst Revision versionShow pending Exit Spanning-tree mst instance-id root primary 19-18 19-19 19-20 Spanning-tree mst instance-id port-priority priorityShow spanning-tree mst interface interface-id Spanning-tree mst instance-id cost cost 19-21 Configuring the Switch Priority Configuring the Hello TimeSpanning-tree mst instance-id priority priority 19-22 Configuring the Forwarding-Delay Time Show spanning-tree mst Verify your entriesSpanning-tree mst forward-time seconds Show spanning-tree mst Configuring the Maximum-Aging Time Configuring the Maximum-Hop CountSpecifying the Link Type to Ensure Rapid Transitions Spanning-tree mst max-age seconds Designating the Neighbor Type 19-25 19-26 Displaying the MST Configuration and StatusRestarting the Protocol Migration Process 20-1 Configuring Optional Spanning-Tree FeaturesUnderstanding Optional Spanning-Tree Features 20-2 Understanding Port FastUnderstanding Bpdu Guard 20-3 Understanding Bpdu FilteringUnderstanding UplinkFast Switches in a Hierarchical Network 20-4 Understanding Cross-Stack UplinkFast 20-5 How Csuf Works 20-6 20-7 Understanding BackboneFastEvents that Cause Fast Convergence 20-8 BackboneFast Example Before Indirect Link Failure Adding a Switch in a Shared-Medium Topology 20-9 20-10 Understanding EtherChannel GuardUnderstanding Root Guard Understanding Loop Guard 20-11 Default Optional Spanning-Tree Configuration Optional Spanning-Tree Configuration GuidelinesEnabling Port Fast 20-12 Spanning-tree portfast trunk interface configuration Enabling Bpdu GuardSpanning-tree portfast trunk Portfast 20-14 Spanning-tree portfast Enable the Port Fast featureEnabling Bpdu Filtering Enabling UplinkFast for Use with Redundant Links 20-15 Spanning-tree uplinkfast max-update-rate Uplinkfast commandEnabling Cross-Stack UplinkFast Enabling BackboneFast Spanning-tree backbonefast Enable BackboneFast Enabling EtherChannel GuardShow spanning-tree summary Verify your entries 20-17 20-18 Enabling Root GuardEnabling Loop Guard 20-19 20-20 Flex Links 21-1 21-2 Switchport backup interface preemption delay commandsVlan Flex Link Load Balancing and Support MAC Address-Table Move Update 21-3 MAC Address-Table Move Update Example 21-4 21-5 Configuration GuidelinesDefault Configuration Configuring Flex Links Switchport backup interface interface-idShow interface interface-id switchport backup Switch# show interface switchport backup Switchport backup interface interface-id preemption Mode forced bandwidth offDelay delay-time 21-7 Configuring Vlan Load Balancing on Flex Links Switchport backup interface interface-id prefer vlanShow interfaces interface-id switchport backup Switch#show interfaces switchport backup Configuring the MAC Address-Table Move Update Feature Switchport backup interface interface-idmmuPrimary vlan vlan-id 21-9 End Return to global configuration mode Switchconf# mac address-table move update transmitSwitch# show mac-address-table move update 21-10 Monitoring Flex Links and the MAC Address-Table Move Update 21-11 21-12 22-1 Configuring Dhcp Features and IP Source GuardUnderstanding Dhcp Features Dhcp Server Dhcp Relay AgentDhcp Snooping 22-2 Option-82 Data Insertion 22-3 22-4 Dhcp Relay Agent in a Metropolitan Ethernet Network Remote ID Suboption Frame Format 22-5 Cisco IOS Dhcp Server Database Dhcp Snooping Binding DatabaseRelease 22-6 22-7 Configuring Dhcp Features Dhcp Snooping and Switch StacksDefault Dhcp Configuration 22-8 Dhcp Snooping Configuration Guidelines 22-9 22-10 Configuring the Dhcp ServerDhcp Server and Switch Stacks Configuring the Dhcp Relay Agent Specifying the Packet Forwarding AddressIp helper-address address 22-11 Switchport mode access Switchport access vlan vlan-idEnabling Dhcp Snooping and Option Interface range port-range 22-13 Enabling Dhcp Snooping on Private VLANs Enabling the Cisco IOS Dhcp Server DatabaseEnabling the Dhcp Snooping Binding Database Agent Ip dhcp snooping database Displaying Dhcp Snooping Information 22-15 22-16 Understanding IP Source GuardSource IP Address Filtering Configuring IP Source Guard Default IP Source Guard ConfigurationIP Source Guard Configuration Guidelines Source IP and MAC Address Filtering Enabling IP Source Guard 22-18 Displaying IP Source Guard Information 22-19 22-20 23-1 Configuring Dynamic ARP InspectionUnderstanding Dynamic ARP Inspection 23-2 ARP Cache Poisoning Interface Trust States and Network Security 23-3 23-4 Rate Limiting of ARP PacketsRelative Priority of ARP ACLs and Dhcp Snooping Entries Configuring Dynamic ARP Inspection Default Dynamic ARP Inspection ConfigurationLogging of Dropped Packets 23-5 Dynamic ARP Inspection Configuration Guidelines 23-6 Configuring Dynamic ARP Inspection in Dhcp Environments Show cdp neighborsIp arp inspection vlan vlan-range 23-7 Configuring ARP ACLs for Non-DHCP Environments 23-8 23-9 Show arp access-list acl-name Limiting the Rate of Incoming ARP PacketsNo ip arp inspection trust Specified with the ip arp inspection vlan logging Performing Validation Checks 23-11 Configuring the Log Buffer Ip arp inspection validateSrc-mac dst-mac ip Show ip arp inspection vlan 23-13 Ip arp inspection log-buffer entriesNumber logs number interval Displaying Dynamic ARP Inspection Information 23-14 Clear ip arp inspection statistics Show ip arp inspection statistics vlanClear ip arp inspection log Show ip arp inspection log 23-16 Configuring Igmp Snooping and MVR 24-1 Understanding Igmp Snooping 24-2 24-3 Igmp VersionsJoining a Multicast Group 224.1.2.3 24-4 Leaving a Multicast Group 24-5 Igmp Configurable-Leave Timer Immediate LeaveIgmp Report Suppression 24-6 Configuring Igmp Snooping Igmp Snooping and Switch StacksDefault Igmp Snooping Configuration PIM-DVMRP 24-8 Enabling or Disabling Igmp SnoopingIp igmp snooping vlan vlan-id Setting the Snooping Method Ip igmp snooping vlan vlan-id mrouterLearn cgmp pim-dvmrp Show ip igmp snooping 24-10 Configuring a Multicast Router PortShow ip igmp snooping mrouter vlan vlan-id Configuring a Host Statically to Join a Group Enabling Igmp Immediate LeaveIp igmp snooping vlan vlan-id static ipaddress Show ip igmp snooping groups Configuring the Igmp Leave Timer 24-12 Configuring TCN-Related Commands Recovering from Flood ModeControlling the Multicast Flooding Time After a TCN Event Count 24-14 Disabling Multicast Flooding During a TCN EventNo ip igmp snooping tcn flood Configuring the Igmp Snooping Querier 24-15 24-16 Disabling Igmp Report SuppressionNo ip igmp snooping report-suppression Displaying Igmp Snooping Information 24-17 Understanding Multicast Vlan Registration 24-18 Using MVR in a Multicast Television Application 24-19 Configuring MVR Default MVR ConfigurationMVR 24-20 MVR Configuration Guidelines and Limitations Configuring MVR Global ParametersMvr Enable MVR on the switch 24-21 Configuring MVR Interfaces 24-22 Mvr type source receiver Mvr immediateShow mvr Show mvr interface Show mvr members 24-24 Configuring Igmp Filtering and ThrottlingDisplaying MVR Information 24-25 Default Igmp Filtering and Throttling ConfigurationConfiguring Igmp Profiles Ip igmp profile profile number Permit denyRange ip multicast address Show ip igmp profile profile number Setting the Maximum Number of Igmp Groups Switch# show ip igmp profileApplying Igmp Profiles Ip igmp filter profile number Configuring the Igmp Throttling Action Show running-config interface Verify the configurationEtherChannel group or a EtherChannel interface Interface-id Displaying Igmp Filtering and Throttling Configuration Ip igmp max-groups action denyReplace Show ip igmp profile profile 24-30 25-1 Configuring IPv6 MLD SnoopingUnderstanding MLD Snooping 25-2 MLD Messages MLD QueriesMulticast Client Aging Robustness 25-3 Multicast Router Discovery MLD ReportsMLD Done Messages and Immediate-Leave 25-4 Configuring IPv6 MLD Snooping MLD Snooping in Switch StacksTopology Change Notification Processing 25-5 25-6 Default MLD Snooping ConfigurationMLD Snooping Configuration Guidelines Enabling or Disabling MLD Snooping Ipv6 mld snoopingIpv6 mld snooping vlan vlan-id 25-7 Configuring a Static Multicast Group Ipv6 mld snooping vlan vlan-id staticShow ipv6 mld snooping multicast-address user Show ipv6 mld snooping multicast-address vlan Enabling MLD Immediate Leave Ipv6 mld snooping vlan vlan-id mrouterShow ipv6 mld snooping mrouter vlan vlan-id 25-9 Configuring MLD Snooping Queries 25-10 25-11 Displaying MLD Snooping InformationDisabling MLD Listener Message Suppression Show ipv6 mld snooping querier vlan vlan-id Vlan-id count dynamic userVlan-id ipv6-multicast-address 25-12 Configuring Port-Based Traffic Control Configuring Storm ControlUnderstanding Storm Control 26-1 26-2 Broadcast Storm Control Example 26-3 Default Storm Control ConfigurationConfiguring Storm Control and Threshold Levels Storm-control broadcast multicast Unicast level level level-low bps bpsBps-low pps pps pps-low Storm-control action shutdown trap Configuring Protected Ports Default Protected Port ConfigurationShow storm-control interface-id broadcast Multicast unicast Configuring Port Blocking Protected Port Configuration GuidelinesConfiguring a Protected Port 26-6 Configuring Port Security Default Port Blocking ConfigurationBlocking Flooded Traffic on an Interface 26-7 26-8 Understanding Port SecuritySecure MAC Addresses Security Violations 26-9 Default Port Security Configuration Port Security Configuration GuidelinesForwarded1 Trap Message Message2 Increments 26-10 26-11 Enabling and Configuring Port Security 26-12 Switchport port-security violation Protect restrict shutdownShutdown vlan 26-13 26-14 Switchconfig-if#switchport port-security Switchconfig-if#switchport port-security maximumSwitchconfig-if#switchport port-security mac-address sticky Switchconfig-if#switchport port-security violation restrict Enabling and Configuring Port Security Aging 26-16 Port Security and Switch Stacks Switchconfig# interface GigabitEthernet 1/0/8Port Security and Private VLANs 26-17 Displaying Port-Based Traffic Control Settings Show port-security interface interface-idaddressShow port-security interface interface-idvlan 26-18 27-1 Configuring CDPUnderstanding CDP Configuring CDP CDP and Switch StacksDefault CDP Configuration Configuring the CDP Characteristics Disabling and Enabling CDP Cdp holdtime secondsCdp advertise-v2 Show cdp No cdp enable Disable CDP on the interface Cdp enable Enable CDP on the interface after disabling itDisabling and Enabling CDP on an Interface 27-4 Monitoring and Maintaining CDP 27-5 27-6 Configuring Lldp and LLDP-MED Understanding Lldp and LLDP-MEDUnderstanding Lldp 28-1 Understanding LLDP-MED 28-2 Configuring Lldp and LLDP-MED Default Lldp ConfigurationConfiguring Lldp Characteristics 28-3 Disabling and Enabling Lldp Globally 28-4 Disabling and Enabling Lldp on an Interface 28-5 Configuring LLDP-MED TLVs TLV, and enter interface configuration modeNo lldp med-tlv-select tlv Specify the TLV to disable Lldp med-tlv-select tlv Specify the TLV to enable Monitoring and Maintaining Lldp and LLDP-MED 28-7 28-8 Configuring Udld Understanding UdldModes of Operation 29-1 Methods to Detect Unidirectional Links 29-2 Configuring Udld 29-3 Default Udld Configuration 29-4 Udld aggressive enable message time Message-timer-intervalEnabling Udld Globally Show udld Resetting an Interface Disabled by Udld Udld reset Show udldEnabling Udld on an Interface Udld port aggressive Displaying Udld Status 29-7 29-8 30-1 Configuring Span and RspanUnderstanding Span and Rspan Local Span 30-2 Remote Span 30-3 30-4 Span and Rspan Concepts and TerminologySpan Sessions Monitored Traffic 30-5 Source Ports 30-6 30-7 Source VLANsVlan Filtering Destination Port 30-8 30-9 Span and Rspan Interaction with Other FeaturesRspan Vlan 30-10 Configuring Span and RspanSpan and Rspan and Switch Stacks Default Span and Rspan Configuration Configuring Local SpanSpan Configuration Guidelines 30-11 Creating a Local Span Session 30-12 Monitor session sessionnumber Destination interface interface-idEncapsulation replicate Show monitor session sessionnumber 30-14 30-15 Specifying VLANs to FilterMonitor session sessionnumber filter vlan Configuring Rspan Rspan Configuration GuidelinesBe a Vlan 30-16 Configuring a Vlan as an Rspan Vlan 30-17 Creating an Rspan Source Session Interfaces port-channelport-channel-number. ValidDestination remote vlan vlan-id 30-18 30-19 Creating an Rspan Destination SessionRemote vlan vlan-id 30-20 30-21 Ingress dot1q vlan vlan-id isl untaggedUntagged vlan vlan-id or vlan vlan-id- Forward incoming Show monitor session sessionnumber 30-22 Displaying Span and Rspan Status 30-23 30-24 31-1 Configuring RmonUnderstanding Rmon Configuring Rmon 31-2 31-3 Default Rmon ConfigurationConfiguring Rmon Alarms and Events 31-4 Rmon event number description string log owner stringAdd an event in the Rmon event table that is Collecting Group History Statistics on an Interface Collecting Group Ethernet Statistics on an InterfaceRmon collection history index Show rmon history Displaying Rmon Status Rmon collection stats index owner ownernameShow rmon statistics 31-6 32-1 Configuring System Message LoggingUnderstanding System Message Logging 32-2 Configuring System Message LoggingSystem Log Message Format 32-3 Hhmmss short uptimeText string that uniquely describes the message Default System Message Logging Configuration No logging console Disable message loggingShow running-config Verify your entries Show logging Disabling Message Logging Setting the Message Display Destination Device Logging buffered sizeLogging host 32-5 Synchronizing Log Messages Logging file flash filenameTerminal monitor Session to see the debugging messages Line console vty line-number Line vtyLogging synchronous level severity-level All limit number-of-buffers 32-8 Enabling and Disabling Time Stamps on Log MessagesEnabling and Disabling Sequence Numbers in Log Messages Defining the Message Severity Level Logging console levelLogging monitor level Logging trap level Level Description Syslog Definition 32-10 Enabling the Configuration-Change Logger Logging history levelLogging history size number 32-11 32-12 Configuring Unix Syslog ServersLogging Messages to a Unix Syslog Daemon Configuring the Unix System Logging Facility Logging facility facility-typeFacility-type keywords 32-13 32-14 Displaying the Logging ConfigurationFacility Type Keyword Description 33-1 Configuring SnmpUnderstanding Snmp Snmp Versions 33-2 Model Level Authentication Encryption Result Snmp Manager FunctionsDES Operation Description 33-4 Using Snmp to Access MIB VariablesSnmp Agent Functions Snmp Notifications 33-5 Configuring Snmp Snmp ifIndex MIB Object ValuesIfIndex Range SVI 33-7 Default Snmp ConfigurationSnmp Configuration Guidelines Configuring Community Strings No snmp-server Disable the Snmp agent operationDisabling the Snmp Agent 33-8 View-name ro rw access-list-number Access-list access-list-number denySnmp-server community string view Permit source source-wildcard Configuring Snmp Groups and Users Snmp-server engineID local engineid-stringSnmp-server engineID local 33-10 Write writeview notify notifyview access Snmp-server group groupname v1 v2cAuth noauth priv read readview 33-11 Configuring Snmp Notifications Remote host udp-port port v1 accessEncrypted access access-list auth md5 Notification Type Keyword Description 33-13 33-14 Setting the Agent Contact and Location Information 33-12 , or enter snmp-server enable traps ?Enable traps command for each trap type Notification-types Switchconfig# snmp-server community public Limiting Tftp Servers Used Through SnmpSnmp Examples Snmp-server tftp-server-list Displaying Snmp Status 33-17 33-18 34-1 Configuring Network Security with ACLsUnderstanding ACLs Supported ACLs 34-2 Port ACLs 34-3 Router ACLs 34-4 34-5 Handling Fragmented and Unfragmented TrafficVlan Maps ACLs and Switch Stacks 34-6 Configuring IPv4 ACLs 34-7 Access List Numbers Access List Number Type SupportedCreating Standard and Extended IPv4 ACLs 34-8 ACL Logging 34-9 Access-list access-list-number deny permit Show access-lists number nameCreating a Numbered Standard ACL Source source-wildcard log Creating a Numbered Extended ACL 34-11 34-12 34-13 34-14 34-15 Resequencing ACEs in an ACLCreating Named Standard and Extended ACLs Ip access-list standard name Ip access-list extended nameAny log Tos tos established log time-range Using Time Ranges with ACLs 34-17 Absolute start time date Periodic weekdays weekend dailyShow time-range 34-18 Switch# show ip access-lists Applying an IPv4 ACL to a Terminal LineIncluding Comments in ACLs 34-19 Access-class access-list-number Applying an IPv4 ACL to an InterfaceOut 34-20 Ip access-group access-list-number 34-21 34-22 IPv4 ACL Configuration ExamplesHardware and Software Treatment of IP ACLs 34-23 Switchconfig# access-list 6 permit 172.20.128.64Switchconfig# access-list 106 permit ip any 172.20.128.64 34-24 Numbered ACLsExtended ACLs Named ACLs Time Range Applied to an IP ACLCommented IP ACL Entries 34-25 34-26 Switch# show loggingSwitchconfig-if#ip access-group ext1 Creating Named MAC Extended ACLs 34-27 Applying a MAC ACL to a Layer 2 Interface 34-28 Configuring Vlan Maps Mac access-group nameShow mac access-group interface interface-id ACL Vlan Map Configuration Guidelines 34-30 Vlan access-map name number Creating a Vlan MapAction drop forward Match ip mac address name Examples of ACLs and Vlan Maps 34-32 34-33 Using Vlan Maps in Your Network Wiring Closet ConfigurationApplying a Vlan Map to a Vlan Vlan filter mapname vlan-list list Denying Access to a Server on Anothera Vlan Switchconfig# vlan access-map map2Switchconfig# ip access-list extended matchall Switchconfig# vlan filter map2 vlan Using Vlan Maps with Router ACLs 34-36 Vlan Maps and Router ACL Configuration Guidelines 34-37 ACLs and Switched Packets Examples of Router ACLs and Vlan Maps Applied to VLANsACLs and Bridged Packets 34-38 ACLs and Routed Packets 34-39 Displaying IPv4 ACL Configuration Show ip access-lists number nameACLs and Multicast Packets 34-40 Show running-config interface interface-id Show mac access-group interface interface-idShow ip interface interface-id 34-41 34-42 Configuring IPv6 ACLs 35-1 Understanding IPv6 ACLs 35-2 Supported ACL Features IPv6 ACLs and Switch StacksIPv6 ACL Limitations 35-3 Configuring IPv6 ACLs Default IPv6 ACL ConfigurationInteraction with Other Features and Switches 35-4 35-5 Ipv6 access-list access-list-nameCreating IPv6 ACLs Dscp value fragments log Log-input routing sequenceValue time-range name 35-6 35-7 Ipv6 traffic-filter access-list-name Applying an IPv6 ACL to an InterfaceIpv6 address ipv6-address 35-8 Show access-lists Show ipv6 access-list access-list-nameDisplaying IPv6 ACLs 35-9 35-10 Configuring QoS 36-1 Understanding QoS 36-2 Basic QoS Model 36-3 36-4 Basic QoS Model Classification 36-5 36-6 Check if packet came with CoS label tag Yes 36-7 Classification Based on QoS ACLsClassification Based on Class Maps and Policy Maps Policing and Marking 36-8 Policing on Physical Ports 36-9 Policing on SVIs 36-10 Policing and Marking Flowchart on SVIs 36-11 Mapping Tables 36-12 Queueing and Scheduling Overview 36-13 36-14 Weighted Tail DropSRR Shaping and Sharing Queueing and Scheduling on Ingress Queues 36-15 Queue Type Function 36-16 WTD Thresholds 36-17 Queueing and Scheduling on Egress Queues 36-18 36-19 Buffer and Memory Allocation 36-20 Packet Modification 36-21 Configuring Auto-QoS 36-22 Generated Auto-QoS Configuration 36-23 Description Automatically Generated Command 36-24 36-25 Switch automatically configures the egress queue buffer Sizes. It configures the bandwidth and the SRR mode shapedIf you entered the auto qos voip trust command, the switch Or shared on the egress queues mapped to the port 36-27 Effects of Auto-QoS on the ConfigurationAuto-QoS Configuration Guidelines Enabling Auto-QoS for VoIP Auto qos voip cisco-phoneCisco-softphone trust Show auto qos interface interface-id 36-29 Auto-QoS Configuration Example 36-30 Cdp enable Debug auto qosAuto qos voip trust Show auto qos 36-32 Configuring Standard QoSDisplaying Auto-QoS Information 36-33 Default Standard QoS ConfigurationDefault Ingress Queue Configuration 36-34 Default Egress Queue ConfigurationDscp Value Queue ID -Threshold ID Standard QoS Configuration Guidelines Default Mapping Table ConfigurationQoS ACL Guidelines Applying QoS on Interfaces 36-36 Policing GuidelinesGeneral QoS Guidelines 36-37 Enabling QoS GloballyEnabling VLAN-Based QoS on Physical Ports 36-38 Configuring Classification Using Port Trust StatesConfiguring the Trust State on Ports within the QoS Domain 36-39 15 Port Trusted States within the QoS Domain Configuring the CoS Value for an Interface Mls qos trust cos dscp ip-precedenceShow mls qos interface 36-40 36-41 Configuring a Trusted Boundary to Ensure Port SecurityMls qos cos default-cos override Enabling Dscp Transparency Mode Mls qos trust dscpMls qos trust device cisco-phone 36-42 No mls qos rewrite ip dscp 36-43 Mls qos map dscp-mutation Mls qos dscp-mutationShow mls qos maps dscp-mutation 36-44 36-45 Configuring a QoS PolicySwitchconfig-if#mls qos dscp-mutation gi1/0/2-mutation Classifying Traffic by Using ACLs 36-46 Switchconfig# access-list 100 permit ip any any dscp Switchconfig# access-list 102 permit pim any 224.0.0.2 dscpPermit protocol source source-wildcard Source-wildcard Mac access-list extended name 36-48 Classifying Traffic by Using Class Maps Class-map match-all match-anyIs match-all Match-any keywords Match access-group acl-index-or-name Ip dscp dscp-list ip precedenceIp-precedence-list Show class-map 36-51 36-52 Policy-map policy-map-nameClass class-map-name 36-53 36-54 Service-policy input policy-map-nameShow policy-map policy-map-nameclass Switchconfig# policy-map macpolicy1 Switchconfig-pmap#class macclass2 maclist2Switchconfig-if#service-policy input macpolicy1 36-55 Traffic by Using Class Maps section on 36-56 36-57 Police rate-bps burst-byte exceed-action Drop policed-dscp-transmitExceed-action policed-dscp-transmit keywords to mark down 36-58 Service-policy policy-map-name 36-59 Show mls qos vlan-based Service-policy input policy-map-nameShow policy-map policy-map-nameclass Mls qos aggregate-policer Aggregate-policer-name rate-bps burst-byteExceed-action drop Policed-dscp-transmit Aggregate-policer-name Only one policy map per ingress port is supportedShow mls qos aggregate-policer Configuring Dscp Maps Configuring the CoS-to-DSCP MapSwitchconfig-pmap-c#police aggregate transmit1 CoS Value Dscp Value Configuring the IP-Precedence-to-DSCP Map Mls qos map cos-dscp dscp1...dscp8IP Precedence Value Dscp Value 36-64 Configuring the Policed-DSCP Map 36-65 Configuring the DSCP-to-CoS Map Dscp Value CoS Value36-66 Show Configuring the DSCP-to-DSCP-Mutation Map Mls qos map dscp-cos dscp-list to cosShow mls qos maps dscp-to-cos 36-67 36-68 Switchconfig-if#mls qos dscp-mutation mutation1Switch# show mls qos maps dscp-mutation mutation1 Configuring Ingress Queue Characteristics 36-69 Mls qos srr-queue input dscp-map Mls qos srr-queue input cos-mapMls qos srr-queue input threshold Show mls qos maps Allocating Buffer Space Between the Ingress Queues Allocating Bandwidth Between the Ingress QueuesMls qos srr-queue input buffers Show mls qos interface buffer Configuring the Ingress Priority Queue Weight1 weight2Mls qos srr-queue input bandwidth Show mls qos interface queueing Configuring Egress Queue Characteristics WeightMls qos srr-queue input Priority-queue queue-id bandwidth 36-74 36-75 Mls qos queue-set output qset-idQueue-set qset-id 36-76 36-77 Mls qos srr-queue output dscp-mapMls qos srr-queue output cos-map Configuring SRR Shaped Weights on Egress Queues Srr-queue bandwidth shape weight1Weight2 weight3 weight4 Queueing Configuring SRR Shared Weights on Egress Queues Configuring the Egress Expedite QueueSrr-queue bandwidth share weight1 36-79 Mls qos Enable QoS on a switch Srr-queue bandwidth limit weight1Limiting the Bandwidth on an Egress Interface 36-80 Displaying Standard QoS Information 36-81 Show running-config include rewrite 36-82 37-1 Configuring EtherChannels and Link-State TrackingUnderstanding EtherChannels EtherChannel Overview 37-2 Single-Switch EtherChannel 37-3 Port-Channel Interfaces 37-4 Port Aggregation Protocol 37-5 PAgP Interaction with Other Features Mode DescriptionPAgP Modes Auto Lacp Interaction with Other Features Link Aggregation Control ProtocolLacp Modes 37-7 37-8 EtherChannel On ModeLoad-Balancing and Forwarding Methods 37-9 EtherChannel and Switch Stacks 37-10 37-11 Configuring EtherChannelsDefault EtherChannel Configuration EtherChannel Configuration Guidelines 37-12 Configuring Layer 2 EtherChannels 37-13 37-14 Auto non-silent desirable non-silent onActive passive Configuring Layer 3 EtherChannels Switchconfig-if-range#channel-group 5 mode activeCreating Port-Channel Logical Interfaces 37-15 Configuring the Physical Interfaces Interface port-channel port-channel-numberShow etherchannel channel-group-number detail No ip address Partner that is PAgP capable, configure the switch port for For channel-group-number, the range is 1 to 48. This numberMust be the same as the port-channel-number logical port 37-17 Configuring EtherChannel Load-Balancing Port-channel load-balance dst-ip dst-macSrc-dst-ip src-dst-mac src-ip src-mac 37-18 37-19 Configuring the PAgP Learn Method and PriorityShow etherchannel load-balance Verify your entries Configuring Lacp Hot-Standby Ports Pagp learn-method physical-portPagp port-priority priority Show pagp channel-group-number internal 37-21 Configuring the Lacp System PriorityShow running-config Verify your entries Show lacp sys-id Configuring the Lacp Port Priority Lacp port-priority priorityShow lacp channel-group-number Internal 37-23 Displaying EtherChannel, PAgP, and Lacp StatusUnderstanding Link-State Tracking 37-24 Configuring Link-State Tracking 37-25 Default Link-State Tracking Configuration Link-State Tracking Configuration GuidelinesConfiguring Link-State Tracking 37-26 Switch show link state group Switch show link state group detailDisplaying Link-State Tracking Status 37-27 37-28 Configuring IP Unicast Routing 38-1 38-2 Understanding IP RoutingTypes of Routing IP Routing and Switch Stacks 38-3 38-4 38-5 Steps for Configuring RoutingConfiguring IP Addressing Default Addressing Configuration ARPIrdp 38-6 Show running-config Verify your entry Assigning IP Addresses to Network InterfacesUse of Subnet Zero 38-7 Classless Routing 38-8 38-9 Configuring Address Resolution MethodsNo ip classless Disable classless routing behavior 38-10 Define a Static ARP CacheArp ip-address hardware-address type Set ARP Encapsulation 38-11 Routing Assistance When IP Routing is Disabled Enable Proxy ARPDefault Gateway Proxy ARP Icmp Router Discovery Protocol Irdp 38-13 Configuring Broadcast Packet Handling 38-14 38-15 Ip directed-broadcast access-list-numberIp forward-protocol udp port nd sdns Forwarding UDP Broadcast Packets and Protocols 38-16 Establishing an IP Broadcast Address Flooding IP BroadcastsIp broadcast-address ip-address 38-17 Monitoring and Maintaining IP Addressing Clear arp-cacheClear host name Clear ip route network mask Enabling IP Unicast Routing 38-19 Configuring RIP 38-20 Default RIP Configuration Configuring Basic RIP ParametersRouter rip Network network number 38-22 Configuring RIP Authentication Configuring Summary Addresses and Split HorizonIp rip authentication key-chain name-of-chain Ip rip authentication mode text md5 Configuring Split Horizon Switchconfig-router#neighbor 2.2.2.2 peer-group mygroupIp summary-address rip ip address ip-network mask No ip split horizon 38-25 Configuring OspfNo ip split-horizon Default Ospf Configuration 38-26 Ospf Nonstop Forwarding 38-27 Ospf NSF Awareness 38-28 38-29 Configuring Basic Ospf ParametersConfiguring Ospf Interfaces 38-30 Configuring Ospf Area Parameters 38-31 Configuring Other Ospf Parameters 38-32 38-33 Configuring a Loopback Interface Changing LSA Group PacingIp address address mask 38-34 38-35 Configuring EigrpMonitoring Ospf 38-36 Default Eigrp Configuration 38-37 Eigrp Nonstop Forwarding 38-38 Configuring Basic Eigrp Parameters Router eigrp autonomous-systemNetwork network-number Eigrp log-neighbor-changes Configuring Eigrp Interfaces No auto-summaryIp summary-address eigrp 38-40 Configuring Eigrp Route Authentication Ip hello-interval eigrp autonomous-system-numberNo ip split-horizon eigrp autonomous-system-number Show ip eigrp interface Eigrp Stub Routing 38-42 38-43 Configuring BGPMonitoring and Maintaining Eigrp 38-44 EBGP, IBGP, and Multiple Autonomous Systems Default BGP Configuration 38-45 38-46 Nonstop Forwarding Awareness 38-47 Enabling BGP Routing Router bgp autonomous-systemNetwork network-number mask network-mask Route-map route-map-name 38-49 Switchconfig-router#neighbor 192.208.10.2 remote-as Switch# show ip bgp neighborsManaging Routing Policy Changes 38-50 Type of Reset Advantages Disadvantages Show ip bgp neighborsClear ip bgp * address Show ip bgp Configuring BGP Decision Attributes 38-52 38-53 38-54 Configuring BGP Filtering with Route MapsConfiguring BGP Filtering by Neighbor Ip as-path access-list access-list-number Out weight weightRoute-map map-tag in out Show ip bgp neighbors paths Configuring Prefix Lists for BGP Filtering 38-56 Configuring BGP Community Filtering Ip community-listcommunity-list-numberPermit deny community-number Send-community Configuring BGP Neighbors and Peer Groups Set comm-list list-num deleteIp bgp-community new-format Show ip bgp community 38-59 Configuring Aggregate Addresses 38-60 38-61 Configuring Routing Domain ConfederationsConfiguring BGP Route Reflectors Configuring Route Dampening Route-reflector-clientBgp cluster-id cluster-id No bgp client-to-client reflection Monitoring and Maintaining BGP 38-63 Configuring Multi-VRF CE 38-64 Understanding Multi-VRF CE 38-65 38-66 Default Multi-VRF CE Configuration Multi-VRF CE Configuration GuidelinesVRF 38-67 Configuring VRFs Route-target export import bothImport map route-map Ip vrf forwarding vrf-name Configuring a VPN Routing Session Show ip vrf brief detail interfacesLog-adjacency-changes Redistribute bgp 38-70 Configuring BGP PE to CE Routing SessionsMulti-VRF CE Configuration Example 38-71 VPN2 CE1 Configuring Switch a 38-72 Switchconfig-router-af#network 8.8.2.0 mask Switchconfig-router-af#network 8.8.1.0 maskSwitchconfig-if#ip address 208.0.0.20 38-73 Router# configure terminal 38-74 38-75 Configuring Unicast Reverse Path ForwardingDisplaying Multi-VRF CE Status 38-76 Configuring Protocol-Independent FeaturesConfiguring Distributed Cisco Express Forwarding Configuring the Number of Equal-Cost Routing Paths 38-77 Configuring Static Unicast Routes Router bgp rip ospf eigrpMaximum-paths maximum Show ip route Specifying Default Routes and Networks Route Source Default DistanceIp default-network network number Specify a default network 38-79 Using Route Maps to Redistribute Routing Information 38-80 38-81 38-82 Configuring Policy-Based Routing 38-83 PBR Configuration Guidelines 38-84 Enabling PBR 38-85 Ip policy route-map map-tag Ip route-cache policyIp local policy route-map map-tag 38-86 38-87 Setting Passive InterfacesFiltering Routing Information Controlling Advertising and Processing in Routing Updates Filtering Sources of Routing InformationRouter bgp rip eigrp 38-88 Managing Authentication Keys Distance weight ip-address ip-address maskIp access list 38-89 Monitoring and Maintaining the IP Network 38-90 38-91 38-92 39-1 Configuring IPv6 Unicast RoutingUnderstanding IPv6 IPv6 Addresses 39-2 39-3 Supported IPv6 Unicast Routing FeaturesBit Wide Unicast Addresses DNS for IPv6 Path MTU Discovery for IPv6 UnicastICMPv6 Neighbor Discovery IPv6 Applications 39-5 39-6 Unsupported IPv6 Unicast Routing FeaturesDual IPv4 and IPv6 Protocol Stacks 39-7 IPv6 and Switch StacksLimitations 39-8 39-9 SDM TemplatesDual IPv4-and IPv6 SDM Templates Configuring IPv6 39-10 39-11 Default IPv6 ConfigurationConfiguring IPv6 Addressing and Enabling IPv6 Routing 39-12 Configuring IPv4 and IPv6 Protocol Stacks Ip routing Enable routing on the switchSwitchconfig-if#ipv6 address 20010DB8c181/64 eui 39-13 39-14 Configuring IPv6 Icmp Rate Limiting Configuring CEF and dCEF for IPv6Ipv6 icmp error-interval interval bucketsize Show ipv6 interface interface-id Configuring Static Routing for IPv6 39-16 Administrative distance Ipv6 route ipv6-prefix/prefix lengthIpv6-address interface-id ipv6-address 39-17 Configuring RIP for IPv6 Show ipv6 route static updatedShow ipv6 static ipv6-address Interface-id recursive detail 39-19 Configuring Ospf for IPv6 39-20 39-21 39-22 Switch# show ipv6 interfaceDisplaying IPv6 Switch# show ipv6 cef /0 Switch# show ipv6 protocolsSwitch# show ipv6 rip 39-23 Switch# show ipv6 neighbors Switch# show ipv6 staticSwitch# show ipv6 route Switch# show ipv6 traffic 39-25 39-26 40-1 Configuring Hsrp and Enhanced Object TrackingUnderstanding Hsrp 40-2 Multiple Hsrp 40-3 40-4 Configuring HsrpHsrp and Switch Stacks Default Hsrp Configuration Hsrp Configuration GuidelinesEnabling Hsrp 40-5 Switch# show standby Standby group-number ip ip-addressSecondary Show standby interface-id group Configuring Hsrp Priority 40-7 Priority preempt delay delay Standby group-number priorityStandby group-number track 40-8 Configuring Mhsrp Configuring Hsrp Authentication and TimersSwitchconfig-if#standby 2 ip 40-9 Standby group-number authentication string Standby group-number timers hellotimeSwitchconfig-if#standby 1 authentication word Holdtime Displaying Hsrp Configurations Configuring Hsrp Groups and ClusteringEnabling Hsrp Support for Icmp Redirect Messages Show standby interface-idgroup brief detail 40-12 Configuring Enhanced Object TrackingUnderstanding Enhanced Object Tracking Configuring Enhanced Object Tracking Features Tracking Interface Line-Protocol or IP Routing StateTrack object-number interface 40-13 Configuring a Tracked List Switch# show track 33 TrackTrack track-numberlist boolean Object object-number not Weight Threshold weight up numberTrack track-numberlist threshold 40-15 Track track-number list threshold PercentageObject object-number Threshold percentage up number Configuring Hsrp Object Tracking 40-17 40-18 Configuring Other Tracking CharacteristicsShow standby 41-1 Configuring Web Cache Services By UsingUnderstanding Wccp Wccp Message Exchange 41-2 Packet Redirection and Service Groups Wccp NegotiationMD5 Security 41-3 Wccp and Switch Stacks 41-4 Configuring Wccp Unsupported Wccp FeaturesDefault Wccp Configuration Wccp Configuration Guidelines Enabling the Web Cache Service 41-6 41-7 41-8 Switchconfig# interface range gigabitethernet1/0/3 Switchconfig-if-range#switchport access vlanMonitoring and Maintaining Wccp 41-9 Enabled / disabled 41-10 Configuring IP Multicast Routing 42-1 42-2 IP Multicast Routing Protocols 42-3 Understanding IgmpIgmp Version Understanding PIM PIM VersionsPIM Modes 42-4 PIM Stub Routing 42-5 Auto-RP 42-6 42-7 Bootstrap RouterMulticast Forwarding and Reverse Path Check 42-8 Understanding DvmrpNetwork Port 42-9 Multicast Routing and Switch StacksUnderstanding Cgmp Configuring IP Multicast Routing Default Multicast Routing ConfigurationMulticast Routing Configuration Guidelines 42-10 42-11 Auto-RP and BSR Configuration GuidelinesPIMv1 and PIMv2 Interoperability 42-12 Configuring Basic Multicast RoutingIp multicast-routing distributed Configuring PIM Stub Routing Ip pim version 1Ip pim dense-mode sparse-mode Sparse-dense-mode Configuring a Rendezvous Point Manually Assigning an RP to Multicast GroupsIp pim passive 42-14 42-15 Access-list-number overrideIp pim rp-address ip-address Configuring Auto-RP 42-16 Scope ttl group-list access-list-number Ip pim send-rp-announce interface-idInterval seconds 42-17 Ip pim send-rp-discovery scope ttl Show ip pim rp mappingShow ip pim rp 42-18 42-19 Access-list-number group-listIp pim rp-announce-filter rp-list 42-20 Configuring PIMv2 BSRIp pim bsr-border Ip multicast boundary 42-21 42-22 Ip pim bsr-candidate interface-idHash-mask-length priority 42-23 Group-list access-list-numberIp pim rp-candidate interface-id Using Auto-RP and a BSR Show ip pim rp group-nameGroup-address mapping Show ip pim rp-hash group Configuring Advanced PIM Features Troubleshooting PIMv1 and PIMv2 Interoperability ProblemsMonitoring the RP Mapping Information Understanding PIM Shared Tree and Source Tree 42-26 Shared Tree and Source Tree Shortest-Path Tree 42-27 Delaying the Use of PIM Shortest-Path TreeIp pim spt-threshold kbps infinity Configuring Optional Igmp Features Modifying the PIM Router-Query Message IntervalIp pim query-interval seconds Show ip igmp interface interface-id Default Igmp Configuration Configuring the Switch as a Member of a GroupIp igmp join-group group-address 42-29 Controlling Access to IP Multicast Groups Ip igmp access-group access-list-numberShow ip igmp interface interface-id Verify your entries 42-30 Changing the Igmp Version Modifying the Igmp Host-Query Message IntervalIp igmp version 1 Query-interval or the ip igmp query-max-response-time Changing the Igmp Query Timeout for IGMPv2 Ip igmp querier-timeout secondsIp igmp query-interval seconds 42-32 Configuring the Switch as a Statically Connected Member Changing the Maximum Query Response Time for IGMPv2Ip igmp query-max-response-time 42-33 Configuring Optional Multicast Routing Features Enabling Cgmp Server SupportIp igmp static-group group-address 42-34 42-35 Configuring sdr Listener SupportIp cgmp proxy Ip sdr listen Enable sdr listener support Enabling sdr Listener SupportLimiting How Long an sdr Cache Entry Exists 42-36 Configuring an IP Multicast Boundary 42-37 Configuring Basic Dvmrp Interoperability Features 42-38 Configuring Dvmrp Interoperability 42-39 Ip dvmrp metric metric list 42-40 Configuring a Dvmrp Tunnel 42-41 Access-list-number distance Neighbor-list access-list-numberAdvertising Network 0.0.0.0 to Dvmrp Neighbors Ip dvmrp accept-filter Configuring Advanced Dvmrp Interoperability Features Ip dvmrp default-informationResponding to mrinfo Requests Originate only Enabling Dvmrp Unicast Routing 42-44 Rejecting a Dvmrp Nonpruning Neighbor 42-45 Enter interface configuration mode 42-46 By default, 7000 routes are advertised. The range is 0 to Controlling Route ExchangesLimiting the Number of Dvmrp Routes Advertised Changing the Dvmrp Route Threshold Configuring a Dvmrp Summary Address Default is 10,000 routes. The range is 1 toRoute-count 42-48 42-49 Disabling Dvmrp Autosummarization Ip dvmrp summary-address addressMask metric value No ip dvmrp auto-summary Adding a Metric Offset to the Dvmrp Route Ip dvmrp metric-offset in outIncrement 42-51 Monitoring and Maintaining IP Multicast Routing Clearing Caches, Tables, and DatabasesDisplaying System and Network Statistics 42-52 Monitoring IP Multicast Routing 42-53 42-54 43-1 Configuring MsdpUnderstanding Msdp Msdp Operation 43-2 Msdp Benefits 43-3 Configuring Msdp Default Msdp ConfigurationConfiguring a Default Msdp Peer 43-4 43-5 Ip msdp default-peer ip-address namePrefix-list list Caching Source-Active State Ip prefix-list name description stringSeq number permit deny network Ip msdp description peer-name Ip msdp cache-sa-state list 43-7 Switchconfig# ip msdp sa-request Requesting Source Information from an Msdp PeerIp msdp sa-request ip-address name 43-8 Controlling Source Information that Your Switch Originates Redistributing SourcesIp msdp redistribute list 43-9 43-10 Name list access-list-number Filtering Source-Active Request MessagesIp msdp filter-sa-request ip-address 43-11 Controlling Source Information that Your Switch Forwards Using a FilterIp msdp sa-filter out ip-address name Route-map map-tag 43-13 Controlling Source Information that Your Switch Receives Using TTL to Limit the Multicast Data Sent in SA MessagesIp msdp ttl-threshold ip-address name Ttl 43-15 Switchconfig# ip msdp sa-filter in switch.cisco.comIp msdp sa-filter in ip-address name Configuring an Msdp Mesh Group Shutting Down an Msdp PeerIp msdp mesh-group name ip-address 43-16 Including a Bordering PIM Dense-Mode Region in Msdp Ip msdp shutdown peer-name peerIp msdp border sa-address interface-id 43-17 Configuring an Originating Address other than the RP Address 43-18 Monitoring and Maintaining Msdp Clear ip msdp peer peer-addressnameClear ip msdp statistics peer-addressname Clear ip msdp sa-cache group-addressname 43-20 Configuring Fallback Bridging Understanding Fallback BridgingFallback Bridging Overview 44-1 44-2 44-3 Configuring Fallback BridgingFallback Bridging and Switch Stacks Default Fallback Bridging Configuration Fallback Bridging Configuration GuidelinesCreating a Bridge Group 44-4 Bridge bridge-group protocol Vlan-bridgeBridge-group bridge-group 44-5 44-6 Adjusting Spanning-Tree ParametersSwitchconfig# bridge 10 protocol vlan-bridge Changing the VLAN-Bridge Spanning-Tree Priority Changing the Interface PriorityBridge bridge-group priority number Bridge-group bridge-grouppriority Assigning a Path Cost Bridge-group bridge-group path-costCost 44-8 Adjusting Bpdu Intervals Switchconfig# bridge 10 hello-timeBridge bridge-group hello-time seconds 44-9 Switchconfig# bridge 10 forward-time Switchconfig# bridge 10 max-ageBridge bridge-group forward-time Bridge bridge-group max-age seconds Monitoring and Maintaining Fallback Bridging Disabling the Spanning Tree on an InterfaceClear bridge bridge-group Show bridge bridge-group group 44-12 Troubleshooting 45-1 Recovering from a Software Failure 45-2 Recovering from a Lost or Forgotten Password Switch flashinitSwitch loadhelper Switch copy xmodem flashimagefilename.bin 45-4 Procedure with Password Recovery Enabled 45-5 Copy the configuration file into memory 45-6 45-7 Procedure with Password Recovery DisabledSwitch dir flash Preventing Switch Stack Problems 45-8 Recovering from a Command Switch Failure 45-9 45-10 Replacing a Failed Command Switch with a Cluster MemberSwitchconfig# no cluster commander-address Replacing a Failed Command Switch with Another Switch 45-11 45-12 Recovering from Lost Cluster Member Connectivity Troubleshooting Power over Ethernet Switch PortsPreventing Autonegotiation Mismatches 45-13 Disabled Port Caused by Power Loss Disabled Port Caused by False Link UpShow controllers power inline privileged Exec command SFP Module Security and Identification Monitoring Temperature Using PingMonitoring SFP Module Status Understanding Ping Switch# ping Executing PingCharacter Description 45-16 Using Layer 2 Traceroute Understanding Layer 2 TracerouteUsage Guidelines 45-17 Using IP Traceroute Displaying the Physical PathUnderstanding IP Traceroute 45-18 Switch# traceroute ip Executing IP TracerouteTraceroute ip host Trace the path that packets take through the network 45-20 Using TDRUnderstanding TDR Using Debug Commands Enabling Debugging on a Specific FeatureRunning TDR and Displaying the Results 45-21 45-22 Enabling All-System DiagnosticsRedirecting Debug and Error Message Output Udp 10 Using the show platform forward Command45-23 45-24 45-25 Using the crashinfo FilesBasic crashinfo Files Using On-Board Failure Logging Extended crashinfo FilesUnderstanding Obfl 45-26 Configuring Obfl 45-27 45-28 Displaying Obfl InformationShow logging onboard module 46-1 Configuring Online DiagnosticsUnderstanding Online Diagnostics Configuring Online Diagnostics Scheduling Online DiagnosticsDiagnostic schedule switch Non-disruptive daily hhmm Configuring Health-Monitoring Diagnostics Diagnostic monitor interval switchDiagnostic content command output Diagnostic monitor syslog Diagnostic monitor threshold switch Diagnostic monitor switch number testShow diagnostic content post result Schedule status switch Running Online Diagnostic Tests Starting Online Diagnostic TestsDiagnostic start switch number All basic non-disruptive Displaying Online Diagnostic Tests and Test Results 46-6 CISCO-FTP-CLIENT-MIB CISCO-HSRP-MIB Supported MIBsMIB List CISCO-IGMP-FILTER-MIB CISCO-RTTMON-MIB CISCO-SMI-MIBETHERLIKE-MIB IEEE8021-PAE-MIB IEEE8023-LAG-MIB IGMP-MIB INET-ADDRESS-MIB IPMROUTE-MIB TCP-MIB UDP-MIB Using FTP to Access the MIB Files Working with the Flash File System Switch# show file systems Displaying Available File Systems Setting the Default File System Field Value Cd newconfigs Displaying Information about Files on a File SystemChanging Directories and Displaying the Working Directory Pwd Copying Files Mkdir oldconfigsCreating and Removing Directories Creating, Displaying, and Extracting Files Switch# delete myconfigDeleting Files Archive /table source-url Archive /create destination-urlFlash Archive /xtract source-url Extract a file into a directory on the flash file systemDirectories are extracted More /ascii /binary /ebcdic Working with Configuration Files Guidelines for Creating and Using Configuration Files Configuration File Types and Location Creating a Configuration File By Using a Text Editor Copying Configuration Files By Using Tftp Downloading the Configuration File By Using Tftp Uploading the Configuration File By Using Tftp Copying Configuration Files By Using FTP Ip ftp username username Downloading a Configuration File By Using FTPIp ftp password password Uploading a Configuration File By Using FTP Ftp // username password @ location /directoryFilename systemrunning-config Filename nvramstartup-config Copying Configuration Files By Using RCP Copy systemrunning-configCopy nvramstartup-config Ftp // username password @ location /directory Filename Hostname Switch1 Ip rcmd remote-username User0 Downloading a Configuration File By Using RCP Systemrunning-configNvramstartup-config Ip rcmd remote-username username Switch# copy nvramstartup-config rcp Clearing Configuration InformationUploading a Configuration File By Using RCP Working with Software Images Clearing the Startup Configuration FileDeleting a Stored Configuration File Image Location on the Switch File Format of Images on a Server or Cisco.com Copying Image Files By Using Tftp Field Description Preparing to Download or Upload an Image File By Using Tftp Downloading an Image File By Using Tftp Allow-feature-upgrade /directory Archive download-swOverwrite /reload Archive download-sw /directory Tftp //location /directory /image-name .tar Uploading an Image File By Using TftpArchive upload-sw Copying Image Files By Using FTP Preparing to Download or Upload an Image File By Using FTP Downloading an Image File By Using FTP Archive download-sw /allow-feature-upgrade Directory /overwrite /reloadFor /directory /image-name1 .tar Directory /image-name2 .tar image-name3 .tar Uploading an Image File By Using FTP Copying Image Files By Using RCP Preparing to Download or Upload an Image File By Using RCP Downloading an Image File By Using RCP File By Using RCP section on page B-31 Or Upload an Image File By Using RCP section on Uploading an Image File By Using RCP Me.tar Copying an Image File from One Stack Member to AnotherRcp // username @ location /directory /image-na Archive copy-sw /destination-system Destination-stack-member-number /force-reloadSource-stack-member-number For /destination-system destination-stack-member-number Unsupported Commands Cisco IOS Release 12.237SE Access Control ListsUnsupported Privileged Exec Commands Unsupported Global Configuration Commands Archive Commands ARP CommandsBoot Loader Commands Debug Commands Fallback Bridging Bridge bridge-groupacquireBridge crb Bridge bridge-group domain domain-name bridge irb Hsrp X25 map bridge x.121-address broadcast options-keywords IP Multicast Routing Igmp Snooping CommandsInterface Commands Ip pim accept-rpaddress auto-rpgroup-access-list-number Show ip pim vc group-address name type numberShow ip rtp header-compression type number detail Ip multicast-routing vrf vrf-name Unsupported Privileged Exec or User Exec Commands IP Unicast Routing Unsupported Route Map Commands Unsupported BGP Router Configuration CommandsUnsupported VPN Configuration Commands MAC Address Commands Show cable-diagnostics prbs Test cable-diagnostics prbsMiscellaneous Set tag tag-value NetFlow Commands Msdp Network Address Translation NAT Commands Unsupported Global Configuration CommandUnsupported Policy-Map Configuration Command QoS Unsupported Interface Configuration Command Unsupported User Exec CommandsUnsupported Privileged Exec Command Spanning Tree Numerics IN-1 ACLs IN-2 CDP Lldp RIP EigrpHsrp TACACS+ IN-4 BGPCidr Bpdu IN-5 CDP CEFCgmp CLI CNS IN-7 IN-8 IN-9 DhcpDNS Snmp TACACS+ UdldVmps Wccp Dhcp option IN-11 DTP IN-12 Dvmrp IN-13 Dynamic ARP inspection IN-14 Lacp IN-15 IN-16 STPFIB IN-17 Mstp STPFTP IN-18 HttpsIcmp Igmp IN-19 IN-20 IP addresses IN-21 Mbone IN-22 IGP IN-23 IP unicast routing IN-24 ISL IN-25 LLDP-MED IN-26 IN-27 IN-28 MDAMhsrp Msdp IN-29 CST ISTMTU IN-30 NAC IN-31 NSSA, Ospf IN-32 IN-33 ObflPBR PIM IN-34 Port-based authentication IN-35 IN-36 PvidVvid Private VLANs IN-37 QoS IN-38 IN-39 RCP IN-40 Radius TACACS+ RFCRmon IN-41 RPS RspanRstp IN-42 SDM IN-43 Snmp IN-44 IN-45 SpanSRR IN-46 SSLVTP Stacks, switch IN-47 LLDP-MED Ospf IN-48 STP IN-49 IN-50 System message logging IN-51 IN-52 IN-53 IN-54 VLANs IN-55 IN-56 VPNVQP WTD IN-57 IN-58