Controlling Switch Access with Kerberos

Chapter 9 Configuring Switch-Based Authentication

As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with the switch. You specify the RADIUS host and secret text string by using the radius-serverglobal configuration commands.

Beginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server host and a shared secret text string:

	Command	Purpose
Step 1
Step 1	configure terminal	Enter global configuration mode.
Step 2
Step 2	radius-server host {hostname ip-address}non-standard	Specify the IP address or hostname of the remote
		RADIUS server host and identify that it is using a
		vendor-proprietary implementation of RADIUS.
Step 3
Step 3	radius-server key string	Specify the shared secret text string used between the
		switch and the vendor-proprietary RADIUS server.
		The switch and the RADIUS server use this text
		string to encrypt passwords and exchange responses.
		Note The key is a text string that must match the
		encryption key used on the RADIUS server.
		Leading spaces are ignored, but spaces within
		and at the end of the key are used. If you use
		spaces in your key, do not enclose the key in
		quotation marks unless the quotation marks
		are part of the key.
Step 4
Step 4	end	Return to privileged EXEC mode.
Step 5
Step 5	show running-config	Verify your settings.
Step 6
Step 6	copy running-config startup-config	(Optional) Save your entries in the configuration file.

To delete the vendor-proprietary RADIUS host, use the no radius-server host {hostname ip-address} non-standardglobal configuration command. To disable the key, use the no radius-server key global configuration command.

This example shows how to specify a vendor-proprietary RADIUS host and to use a secret key of rad124 between the switch and the server:

Switch(config)# radius-server host 172.20.30.15 nonstandard

Switch(config)# radius-server key rad124

Displaying the RADIUS Configuration

To display the RADIUS configuration, use the show running-configprivileged EXEC command.

Controlling Switch Access with Kerberos

This section describes how to enable and configure the Kerberos security system, which authenticates requests for network resources by using a trusted third party. To use this feature, the cryptographic (that is, supports encryption) versions of the switch software must be installed on your switch.

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

	OL-9775-02	9-31

Page 233

Image 233

Cisco Systems 3750E manual Controlling Switch Access with Kerberos, Displaying the Radius Configuration

Contents

Text Part Number OL-9775-02 Americas HeadquartersPage Iii N T E N T S Assigning the Switch IP Address and Default Gateway Understanding Cisco Configuration Engine Software Clustering Switches Vii Catalyst 1900 and Catalyst 2820 CLI Considerations Viii Creating a Banner Changing the Default Privilege Level for Lines Device Roles Bypass Xii Routed Ports Xiii Monitoring and Maintaining the Interfaces Xiv Encapsulation Types Domain Names Xvi Private-VLAN Configuration Guidelines Xvii Disabled State Xviii Boundary Ports 19-25 Xix Dhcp Server Xxi Configuring Dynamic ARP Inspection Xxii Configuring MVR Xxiii Understanding Storm Control Xxiv Understanding Udld Modes of Operation Xxv Creating an Rspan Source Session Xxvi Snmp Agent Functions Xxvii Creating a Numbered Extended ACL Xxviii Interaction with Other Features and Switches Xxix Xxx Port-Channel Interfaces Xxxi Configuring IP Addressing Xxxii Nonstop Forwarding Awareness Xxxiii IPv6 Addresses Xxxiv Configuring Hsrp Priority Xxxv Configuring IP Multicast Routing Xxxvi Configuring Basic Dvmrp Interoperability Features Xxxvii Using a Filter 45-14 Xxxviii Xxxix Configuring Online Diagnostics Unsupported Route-Map Configuration Commands C-1 Xli Hsrp Xlii VTP Audience PrefacePurpose Conventions Xliv Related Publications Xlv Xlvi Overview Features Availability and Redundancy Features, Vlan Features, Deployment Features Overview Features Performance Features Management Options Manageability Features Availability and Redundancy Features Security Features Vlan Features Overview Features QoS and CoS Features Layer 3 Features Power over Ethernet Features Vlan Default Settings After Initial Switch ConfigurationMonitoring Features Overview Default Settings After Initial Switch Configuration Overview Default Settings After Initial Switch Configuration Design Concepts for Using the Switch Network Configuration Examples Network Demands Suggested Design Methods Cost-Effective Wiring Closet High-Performance Wiring Closet High-Performance Workgroup Gigabit-to-the-Desktop Redundant Gigabit Backbone Server Aggregation Linux Server Cluster Cisco SoftPhone Software Gigabit servers Internet Cisco 2600 or 3700 routers Catalyst 3560-E switches Large Network Using Catalyst 3750-E and 3560-E Switches Cisco 7x00 routers Catalyst Catalyst 3560-E Multidwelling Network Using Catalyst 3750-E Switches 11 Catalyst 3750-E Switches in a MAN Configuration Long-Distance, High-Bandwidth Transport Configuration Access layer Aggregation layer Where to Go Next OL-9775-02 Understanding Command Modes Using the Command-Line Interface Configure Mode Access Method Prompt Exit Method About This ModeQuit Ctrl-Z Command Purpose Console commandUnderstanding the Help System Line vty or line Understanding no and default Forms of Commands Understanding Abbreviated CommandsCommand ? Command keyword ? Error Message Meaning How to Get Help Understanding CLI Error MessagesUsing Configuration Logging Changing the Command History Buffer Size Using Command HistoryRecalling Commands Action1 Result Disabling the Command History Feature Using Editing FeaturesEnabling and Disabling Editing Features Switch# terminal editing Capability Keystroke1 Purpose Editing Commands through Keystrokes Press Ctrl-L or Ctrl-R Editing Command Lines that WrapReturn and Space bar Switch# show interfaces include protocol Accessing the CLICommand begin include exclude regular-expression Using the Command-Line Interface Accessing the CLI OL-9775-02 Understanding the Boot Process Assigning the Switch IP Address and Default Gateway Assigning Switch Information Feature Default Setting Default Switch InformationUnderstanding DHCP-Based Autoconfiguration Dhcp Client and Server Message Exchange Dhcp Client Request Process Dhcp Server Configuration Guidelines Configuring DHCP-Based Autoconfiguration Configuring the DNS Configuring the Tftp Server Routerconfig-if#ip helper-address Configuring the Relay DeviceObtaining Configuration Files Tftpserver Example Configuration DNS Server Configuration Switch a Switch B Switch C Switch DTftp Server Configuration on Unix Dhcp Client Configuration Manually Assigning IP Information Switch# copy running-config startup-config Checking and Saving the Running ConfigurationSwitch# show running-config Automatically Downloading a Configuration File Modifying the Startup ConfigurationDefault Boot Configuration Boot config-file flash/ file-url Booting ManuallyShow boot Configure terminal Enter global configuration mode Boot system filesystem /file-url Booting a Specific Software Image Controlling Environment Variables Boot system switch number all Set Switchnumber Set Manualboot yes Boot manualSwitch current-stack-member-number renumber Set Switchpriority Scheduling a Reload of the Software Image Configuring a Scheduled ReloadVariable Description Reload in hhmm text Displaying Scheduled Reload Information Switch# reload atSwitch# reload at 0200 jun Understanding Cisco Configuration Engine Software Configuring Cisco IOS CNS Agents Configuration Engine Architectural Overview Configuration Service ConfigID Event ServiceWhat You Should Know About the CNS IDs and Device Hostnames NameSpace Mapper Hostname and DeviceID Using Hostname, DeviceID, and ConfigIDDeviceID Understanding Cisco IOS Agents Initial Configuration Incremental Partial Configuration Configuring Cisco IOS AgentsSynchronized Configuration Enabling Automated CNS Configuration Device Required Configuration Show running-config Backup init-retry retry-count keepalive secondsEnabling the CNS Event Agent Show cns event connections Enabling the Cisco IOS CNS Agent Enabling an Initial Configuration Cns id interface num dns-reverse ipaddress Cns config initial ip-address hostnameMac-address event Cns id hardware-serial hostname string string Show running-config Verify your entries Enabling a Partial ConfigurationCns config partial ip-address hostname Show cns config stats Show cns config connections Displaying CNS ConfigurationShow cns event stats Show cns event subject Understanding Switch Stacks Managing Switch Stacks Managing Switch Stacks Understanding Switch Stacks Switch Stack Membership Creating a Switch Stack from Two Standalone Switches Stack Master Election and Re-Election Adding a Standalone Switch to a Switch Stack Stack Member Numbers Switch Stack Bridge ID and Router MAC Address Stack Member Priority Values Scenario Result Switch Stack Offline ConfigurationEffects of Adding a Provisioned Switch to a Switch Stack Scenario Result Effects of Replacing a Provisioned Switch in a Switch Stack Switch Stack Software Compatibility Recommendations Stack Protocol Version Compatibility Major Version Number Incompatibility Among SwitchesMinor Version Number Incompatibility Among Switches Understanding Auto-Upgrade and Auto-Advise Directory Auto-Upgrade and Auto-Advise Example MessagesSwitch Mar 1 000422.537%IMAGEMGR-6-AUTOADVISESW Switch Stack Configuration Files Incompatible Software and Stack Member Image Upgrades Switch Stack Management Connectivity Connectivity to Specific Stack Members Connectivity to the Switch Stack Through an IP AddressConnectivity to the Switch Stack Through an SSH Session Priority new-priority-number global Switch Stack Configuration ScenariosUse the switch stack-member-number Current-stack-member-number Renumber new-stack-member-number Enabling Persistent MAC Address Configuring the Switch StackDefault Switch Stack Configuration Show switch Stack-mac persistent timerSwitchconfig# stack-mac persistent timer Time-value Assigning a Stack Member Number Setting the Stack Member Priority ValueAssigning Stack Member Information Provisioning a New Member for a Switch Stack Displaying Switch Stack Information Accessing the CLI of a Specific Stack MemberCommand Description Show switch stack-member-number Detail Show switch stack-portsShow switch stack-ring activity OL-9775-02 Understanding Switch Clusters Clustering Switches Switch Cisco IOS Release Cluster Capability Standby Cluster Command Switch Characteristics Cluster Command Switch Characteristics Candidate Switch and Cluster Member Switch Characteristics Planning a Switch Cluster Discovery Through CDP Hops Automatic Discovery of Cluster Candidates and Members Discovery Through CDP Hops Discovery Through Different VLANs Discovery Through Different VLANs Discovery Through Different Management VLANs Discovery Through Routed Ports New out-of-box Discovery of Newly Installed Switches Hsrp and Standby Cluster Command Switches Other Considerations for Cluster Standby Groups Virtual IP Addresses Automatic Recovery of Cluster Configuration Hostnames IP Addresses Snmp Community Strings Passwords Members Other cluster member switches Switch Clusters and Switch StacksSwitch Stack Switch Cluster LRE Profiles TACACS+ and Radius Catalyst 1900 and Catalyst 2820 CLI Considerations Using the CLI to Manage Switch ClustersSwitch# rcommand Snmp Management for a Cluster Using Snmp to Manage Switch Clusters OL-9775-02 Understanding the System Clock Administering the SwitchManaging the System Time and Date NTP Understanding Network Time Protocol Typical NTP Network Configuration Configuring NTP Ntp authenticate Default NTP ConfigurationConfiguring NTP Authentication Configuring NTP Associations Switchconfig# ntp server 172.16.22.44 version Configuring NTP Broadcast ServiceNtp peer ip-address version number Key keyid source interface prefer Ntp broadcast version number key keyid Interface interface-idDestination-address Ntp broadcast client Ntp broadcastdelay microseconds Configuring NTP Access RestrictionsNtp access-group query-only Serve-onl y serve peer Command Purpose Interface interface-id Configuring the Source IP Address for NTP Packets Displaying the NTP Configuration Configuring Time and Date ManuallySetting the System Clock Fundamentals Command Reference, Release Configuring the Time Zone Displaying the Time and Date ConfigurationClock timezone zone hours-offset Minutes-offset Clock summer-time zone recurring Configuring Summer Time Daylight Saving TimeWeek day month hh mm week day month Hh mm offset Clock summer-time zone date date Configuring a System Name and PromptClock summer-time zone date month Configuring a System Name Default System Name and Prompt ConfigurationCopy running-config startup-confi g Understanding DNS Setting Up DNS Default DNS ConfigurationIp domain-name name Ip name-server server-address1 Creating a Banner Default Banner ConfigurationDisplaying the DNS Configuration Unix telnet Configuring a Message-of-the-Day Login BannerBanner motd c message c Managing the MAC Address Table Configuring a Login BannerBanner login c message c MAC Addresses and VLANs Building the Address Table Changing the Address Aging Time MAC Addresses and Switch StacksDefault MAC Address Table Configuration Removing Dynamic Address Entries Configuring MAC Address Notification TrapsMac address-table aging-time Show mac address-table aging-time Snmp-server enable traps mac-notification String by using the snmp-server communitySnmp-server host host-addr traps informs version Mac address-table notification Adding and Removing Static Address Entries Mac address-table static mac-addr Configuring Unicast MAC Address FilteringVlan vlan-id interface interface-id Show mac address-table static Vlan vlan-id drop Displaying Address Table Entries Managing the ARP Table OL-9775-02 Understanding the SDM Templates Configuring SDM Templates Dual IPv4 and IPv6 SDM Templates Resource Access Default Routing IPv4-and-IPv6 Resource Default Routing SDM Templates and Switch Stacks SDM Template Configuration Guidelines Configuring the Switch SDM TemplateDefault SDM Template Sdm prefer access default Setting the SDM TemplateDual-ipv4-and-ipv6 default routing Vlan routing vlan Displaying the SDM Templates Switchconfig# sdm prefer routingSwitchconfig# sdm prefer dual-ipv4-and-ipv6 default Policy based routing aces 25K OL-9775-02 Preventing Unauthorized Access to Your Switch Configuring Switch-Based Authentication Default Password and Privilege Level Configuration Protecting Access to Privileged Exec Commands Switchconfig# enable password l1u2c3k4y5 Setting or Changing a Static Enable PasswordEnable password password Encryption-type encrypted-password Enable password level level passwordEnable secret level level password Service password-encryption Show version Disabling Password RecoveryNo service password-recovery Configuring Username and Password Pairs Setting a Telnet Password for a Terminal LinePassword password Switchconfig-line#password let45me67in89 Username command Configuring Multiple Privilege LevelsLogin local Username name privilege level Show privilege Setting the Privilege Level for a CommandPrivilege mode level level command Logging into and Exiting a Privilege Level Changing the Default Privilege Level for LinesCommand Understanding TACACS+ Controlling Switch Access with TACACS+ Typical TACACS+ Network Configuration TACACS+ Operation Configuring TACACS+ Tacacs-server host hostname port Default TACACS+ ConfigurationAaa new-model Aaa group server tacacs+ group-name Show tacacs Verify your entries Configuring TACACS+ Login AuthenticationAaa new-model Enable AAA Login authentication default Aaa authentication login defaultAuthentication login command Line console tty vty line-number Show running-config Verify your entries Starting TACACS+ Accounting Controlling Switch Access with RadiusDisplaying the TACACS+ Configuration Understanding Radius Radius Operation Transitioning from Radius to TACACS+ Services Identifying the Radius Server Host Configuring RadiusDefault Radius Configuration Page Radius-server host hostname Acct-port port-number timeoutIp-address auth-port port-number Seconds retransmit retries key Switchconfig# radius-server host host1 Configuring Radius Login Authentication Server Host section on Defining AAA Server Groups Aaa group server radius group-name Radius Aaa authorization network radius Starting Radius Accounting Radius-server timeout seconds Configuring Settings for All Radius ServersRadius-server key string Radius-server retransmit retries Radius-server vsa send accounting AuthenticationCisco-avpair=shellpriv-lvl=15 Cisco-avpair=ipoutacl#2=deny ip 10.10.10.10 0.0.255.255 any Radius-server host hostname ip-address non-standard Controlling Switch Access with KerberosDisplaying the Radius Configuration Understanding Kerberos KDC Term Definition Kerberos Operation Authenticating to a Boundary SwitchKeytab Srvtab Obtaining a TGT from a KDC Configuring KerberosAuthenticating to Network Services Aaa authorization network local Aaa authentication login default localAaa authorization exec local Username name privilege level Configuring the Switch for Secure ShellUsername command SSH Servers, Integrated Clients, and Supported Versions Understanding SSH Limitations Configuring SSHConfiguration Guidelines Setting Up the Switch to Run SSH Configuring the SSH Server Displaying the SSH Configuration and StatusIp ssh timeout seconds Authentication-retries number Certificate Authority Trustpoints Configuring the Switch for Secure Socket Layer HttpUnderstanding Secure Http Servers and Clients Rsakeypair TP-self-signed-3080755072 CipherSuites Configuring Secure Http Servers and ClientsDefault SSL Configuration Configuring a CA Trustpoint SSL Configuration Guidelines Configuring the Secure Http Server Ip http timeout-policy idle seconds life Configuring the Secure Http ClientShow ip http server secure status Ip http client secure-trustpoint name Displaying Secure Http Server and Client Status Configuring the Switch for Secure Copy ProtocolIp http client secure-ciphersuite Show ip http client secure status Html Information About Secure Copy OL-9775-02 10-1 Configuring Ieee 802.1x Port-Based AuthenticationUnderstanding Ieee 802.1x Port-Based Authentication 10-2 Device Roles 10-3 Authentication Process 10-4 Authentication Flowchart 10-5 Authentication Initiation and Message Exchange EAPOL-Start 10-6 10-7 Ieee 802.1x Authentication and Switch StacksPorts in Authorized and Unauthorized States 10-8 Ieee 802.1x Host Mode Ieee 802.1x Accounting Attribute-Value Pairs Ieee 802.1x AccountingAttribute Number AV Pair Name 10-9 10-10 Using Ieee 802.1x Authentication with Vlan Assignment 10-11 Using Ieee 802.1x Authentication with Per-User ACLs 10-12 Using Ieee 802.1x Authentication with Guest Vlan 10-13 Using Ieee 802.1x Authentication with Restricted Vlan 10-14 10-15 Using Ieee 802.1x Authentication with Voice Vlan Ports 10-16 Using Ieee 802.1x Authentication with Port Security 10-17 Using Ieee 802.1x Authentication with Wake-on-LAN 10-18 10-19 Using Multidomain AuthenticationNetwork Admission Control Layer 2 Ieee 802.1x Validation 10-20 Using Web AuthenticationFor example 10-21 Configuring Ieee 802.1x Authentication 10-22 Default Ieee 802.1x Authentication ConfigurationAAA 10-23 Ieee 802.1x Authentication Configuration GuidelinesIeee 802.1x Authentication 10-24 10-25 Configuring Ieee 802.1x AuthenticationMAC Authentication Bypass 10-26 Configuring the Switch-to-RADIUS-Server Communication 10-27 Ip-address auth-port port-number key Dot1x host-mode multi-host Configuring the Host ModeMulti-domain Show dot1x interface interface-id 10-29 Configuring Periodic Re-AuthenticationManually Re-Authenticating a Client Connected to a Port Dot1x timeout tx-period seconds Changing the Switch-to-Client Retransmission TimeChanging the Quiet Period Show dot1x interface interface-id Verify your entries Switchconfig-if#dot1x timeout tx-period Setting the Switch-to-Client Frame-Retransmission NumberShow dot1xinterface interface-id Verify your entries Dot1x max-reauth-req count Configuring Ieee 802.1x Accounting Setting the Re-Authentication NumberSwitchconfig-if#dot1x max-reauth-req 10-32 10-33 Configuring a Guest Vlan Switchport mode private-vlan host Configuring a Restricted VlanSwitchconfig# interface gigabitethernet2/0/2 Dot1x guest-vlan vlan-id Dot1x auth-fail max-attempts max Dot1x auth-fail vlan vlan-idAttempts 10-35 Switchconfig-if#dot1x auth-fail max-attempts Configuring the Inaccessible Authentication Bypass FeatureRadius-server dead-criteria time time Tries tries 10-37 Dot1x critical recovery action Configuring Ieee 802.1x Authentication with WoLReinitialize vlan vlan-id Show dot1x interface interface-id Switchconfig-if#dot1x control-direction both Configuring MAC Authentication BypassSwitchconfig-if#dot1x mac-auth-bypass Dot1x control-direction both 10-40 Configuring NAC Layer 2 Ieee 802.1x Validation 10-41 Configuring Web Authentication 10-42 No dot1x pae Disable Ieee 802.1x authentication on the port Disabling Ieee 802.1x Authentication on the PortDot1x fallback fallback-profile 10-43 10-44 Displaying Ieee 802.1x Statistics and Status 11-1 Configuring Interface CharacteristicsUnderstanding Interface Types 11-2 Switch PortsPort-Based VLANs 11-3 Access PortsTrunk Ports 11-4 Routed PortsTunnel Ports 11-5 Switch Virtual InterfacesEtherChannel Port Groups Gigabit Ethernet Interfaces Power over Ethernet PortsSupported Protocols and Standards 11-6 11-7 Powered-Device Detection and Initial Power AllocationClass 11-8 Power Management Modes 11-9 Power Monitoring and Power Policing 11-10 Maximum Power Allocation Cutoff Power on a PoE Port 11-11 Connecting Interfaces 11-12 Ethernet Management Port 11-13 Connecting a Switch Stack to a PC 11-14 Tftp Mgmtinit Using Interface Configuration ModeMgmtshow Mgmtclr 11-16 Procedures for Configuring Interfaces Interface range port-range macro Configuring a Range of InterfacesMacroname Show interfaces interface-id 11-18 Show running-config include define Configuring and Using Interface Range MacrosDefine interface-range macroname Interface range macro macroname Switch# show running-config include define Configuring Ethernet InterfacesSwitch# show run include define 11-20 11-21 Default Ethernet Interface Configuration 11-22 Configuring Interface Speed and Duplex ModeSpeed and Duplex Configuration Guidelines Speed 10 100 1000 auto 10 Setting the Interface Speed and Duplex ParametersNonegotiate Duplex auto full half 11-24 Configuring Ieee 802.3x Flow ControlFlowcontrol receive on off desired Local Side Auto-MDIX Configuring Auto-MDIX on an InterfaceWith Correct Cabling 11-25 11-26 Configuring a Power Management Mode on a PoE PortInterface-id phy Power inline auto max max-wattage Budgeting Power for Devices Connected to a PoE PortShow power inline i nterface-id Neve r static max max-wattage 11-28 Wattage 11-29 Configuring Power Policing 11-30 Adding a Description for an Interface Configuring Ethernet Management Ports Configuring Layer 3 InterfacesSwitch# show interfaces gigabitethernet1/0/2 description 11-31 Interface gigabitethernet interface-id vlan vlan-id No switchportNo shutdown 11-32 11-33 Configuring the System MTU System mtu jumbo bytes Use the system mtu jumbo Use the system mtu routingSystem mtu routing bytes 11-34 System mtu bytes Configuring the Cisco Redundant Power SystemReload Show system mtu Power rps switch-number port rps-port-id mode active Power rps switch-number name string serialnumberStandby 11-36 Power supply switch-numberoff on Configuring the Power SuppliesShow env power Show env rps 11-38 Monitoring and Maintaining the InterfacesMonitoring Interface Status 11-39 Clearing and Resetting Interfaces and Counters Interface vlan vlan-id gigabitethernet interface-id Shutting Down and Restarting the InterfaceShutdown 11-40 12-1 Configuring Smartports MacrosUnderstanding Smartports Macros Default Smartports Macro Configuration Configuring Smartports MacrosMacro Name Description 12-2 12-3 Smartports Macro Configuration Guidelines Macro name macro-name Creating Smartports MacrosName Sample-Macro and macro name sample-macro will result Show parser macro name macro-name 12-5 Applying Smartports Macros Show parser macro Applying Cisco-Default Smartports MacrosShow parser macro macro-name 12-6 12-7 Switch# show parser macro cisco-desktopSwitchconfig-if#macro apply cisco-desktop $AVID Show parser macro brief Displaying Smartports MacrosShow parser macro description interface 12-8 13-1 Configuring VLANsUnderstanding VLANs 13-2 13-3 Supported VLANsVlan Port Membership Modes 13-4 Configuring Normal-Range VLANs 13-5 Vlan ID 13-6 Normal-Range Vlan Configuration GuidelinesToken Ring VLANs Saving Vlan Configuration Vlan Configuration Mode OptionsVlan Configuration in config-vlan Mode Vlan Configuration in Vlan Database Configuration Mode Parameter Default Range Default Ethernet Vlan ConfigurationVLANxxxx, where 13-8 Creating or Modifying an Ethernet Vlan Copy running-config startup configRemote-span 13-9 13-10 Deleting a VlanVlan database Switchport access vlan vlan-id Assigning Static-Access Ports to a VlanNo vlan vlan-id Show vlan brief Default Vlan Configuration Configuring Extended-Range VLANsShow interfaces interface-id switchport Vlan fields of the display 13-13 Extended-Range Vlan Configuration Guidelines Creating an Extended-Range Vlan Vtp mode transparentShow vlan id vlan-id 13-14 Switch# copy running-config startup config Switchconfig# vtp mode transparentCreating an Extended-Range Vlan with an Internal Vlan ID Show vlan internal usage Command Command Mode Purpose Configuring Vlan TrunksDisplaying VLANs Trunking Overview 13-17 Switches in an ISL Trunking Environment Encapsulation Types Mode FunctionEncapsulation Function 13-18 Configuring an Ethernet Interface as a Trunk Port Default Layer 2 Ethernet Interface Vlan ConfigurationIeee 802.1Q Configuration Considerations 13-19 Configuring a Trunk Port Interaction with Other FeaturesDot1q negotiate 13-20 13-21 Defining the Allowed VLANs on a Trunk Changing the Pruning-Eligible List Switchport trunk allowed vlan addAll except remove vlan-list 13-22 Switchport trunk pruning vlan add Configuring the Native Vlan for Untagged TrafficExcept none remove vlan-list Vlan ,vlan Load Sharing Using STP Port Priorities Configuring Trunk Ports for Load SharingSwitchport trunk native vlan vlan-id 13-24 13-25 Or switch stack Load Sharing Using STP Path CostConnect to the trunk ports configured on Switch a Exit Return to global configuration mode Interface gigabitethernet1/0/1 Switchport trunk encapsulationIsl dot1q negotiate Spanning-tree vlan 2-4 cost 13-28 Configuring VmpsUnderstanding Vmps Vmps Configuration Guidelines Default Vmps Client ConfigurationDynamic-Access Port Vlan Membership 13-29 13-30 Configuring the Vmps ClientEntering the IP Address of the Vmps Switchport access vlan dynamic Configuring Dynamic-Access Ports on Vmps ClientsReconfirming Vlan Memberships Vmps reconfirm Changing the Retry Count Changing the Reconfirmation IntervalVmps reconfirm minutes 13-32 Vmps Configuration Example Troubleshooting Dynamic-Access Port Vlan MembershipSwitch# show vmps Monitoring the Vmps 13-34 Dynamic Port Vlan Membership Configuration 14-1 Configuring VTPUnderstanding VTP 14-2 VTP Domain VTP Modes VTP Mode DescriptionVTP Advertisements 14-3 14-4 VTP VersionVTP Pruning Vlan 14-5 14-6 Configuring VTPVTP and Switch Stacks VTP Configuration Options Default VTP ConfigurationVTP Configuration in Global Configuration Mode 14-7 VTP Configuration in Vlan Database Configuration Mode VTP Configuration GuidelinesPasswords Domain Names Configuration Requirements Configuring a VTP ServerVTP Version 14-9 Vtp password password Vtp password passwordShow vtp status Vtp server Vtp mode client Configuring a VTP ClientSwitch# vlan database 14-11 14-12 Disabling VTP VTP Transparent Mode 14-13 Enabling VTP VersionVtp version Enabling VTP Pruning Adding a VTP Client Switch to a VTP DomainVtp pruning 14-14 14-15 14-16 Monitoring VTP 15-1 Configuring Voice VlanUnderstanding Voice Vlan 15-2 Cisco IP Phone Voice TrafficCisco IP Phone Data Traffic Default Voice Vlan Configuration Configuring Voice VlanVoice Vlan Configuration Guidelines 15-3 15-4 Configuring a Port Connected to a Cisco 7960 IP Phone 15-5 Configuring Cisco IP Phone Voice Traffic 15-6 Configuring the Priority of Incoming Data Frames 15-7 Displaying Voice Vlan 15-8 16-1 Configuring Private VLANsUnderstanding Private VLANs Private-VLAN Domain 16-2 16-3 IP Addressing Scheme with Private VLANs 16-4 Private VLANs across Multiple SwitchesPrivate-VLAN Interaction with Other Features 16-5 Private VLANs and Unicast, Broadcast, and Multicast TrafficPrivate VLANs and SVIs Tasks for Configuring Private VLANs Configuring Private VLANsPrivate VLANs and Switch Stacks 16-6 Private-VLAN Configuration Guidelines Default Private-VLAN ConfigurationSecondary and Primary Vlan Configuration 16-7 16-8 Private-VLAN Port Configuration 16-9 Limitations with Other Features 16-10 Configuring and Associating VLANs in a Private Vlan 16-11 Show vlan private-vlan typeShow interfaces status Switchport private-vlan host-association Configuring a Layer 2 Interface as a Private-VLAN Host PortSwitch# show interfaces gigabitethernet1/0/22 switchport Primaryvlanid secondaryvlanid Switchport private-vlan mapping primaryvlanid Switchport mode private-vlan promiscuousAdd remove secondaryvlanlist 16-13 Interface vlan primaryvlanid Switch# show interfaces private-vlan mappingPrivate-vlan mapping add remove Show interface private-vlan mapping 16-15 Monitoring Private VLANs 16-16 17-1 Configuring Ieee 802.1Q and Layer 2 Protocol TunnelingUnderstanding Ieee 802.1Q Tunneling 17-2 Ieee 802.1Q Tunnel Ports in a Service-Provider Network 17-3 Default Ieee 802.1Q Tunneling Configuration Configuring Ieee 802.1Q TunnelingIeee 802.1Q Tunneling Configuration Guidelines Native VLANs 17-5 System MTU 17-6 Ieee 802.1Q Tunneling and Other Features Vlan dot1q tag native Configuring an Ieee 802.1Q Tunneling PortShow dot1q-tunnel Show vlan dot1q tag native 17-8 Understanding Layer 2 Protocol Tunneling Layer 2 Protocol Tunneling 17-9 17-10 Configuring Layer 2 Protocol Tunneling 17-11 Default Layer 2 Protocol Tunneling Configuration 17-12 Layer 2 Protocol Tunneling Configuration Guidelines 17-13 Configuring Layer 2 Protocol Tunneling Configuring the SP Edge Switch Configuring Layer 2 Tunneling for EtherChannelsL2protocol-tunnel point-to-point Pagp lacp udld 17-15 17-16 Configuring the Customer Switch 17-17 Switchconfig-if#channel-group 1 mode desirableSwitchconfig# interface port-channel 17-18 Monitoring and Maintaining Tunneling Status 18-1 Configuring STPUnderstanding Spanning-Tree Features 18-2 STP Overview 18-3 Spanning-Tree Topology and BPDUs 18-4 Bridge ID, Switch Priority, and Extended System ID Spanning-Tree Interface States Switch Priority ValueBit 32768 16384 8192 4096 2048 1024 512 256 128 18-6 2illustrates how an interface moves through the states Listening State Blocking StateLearning State Forwarding State 18-8 How a Switch or Port Becomes the Root Switch or Root PortDisabled State Spanning-Tree Address Management Spanning Tree and Redundant ConnectivityAccelerated Aging to Retain Connectivity 18-9 18-10 Spanning-Tree Modes and ProtocolsSupported Spanning-Tree Instances STP and Ieee 802.1Q Trunks Spanning-Tree Interoperability and Backward CompatibilityVLAN-Bridge Spanning Tree Rapid PVST+ 18-12 Configuring Spanning-Tree FeaturesSpanning Tree and Switch Stacks 18-13 Default Spanning-Tree ConfigurationSpanning-Tree Configuration Guidelines 18-14 18-15 Changing the Spanning-Tree Mode Disabling Spanning Tree Configuring the Root SwitchShow spanning-tree vlan vlan-id Verify your entries 18-16 Diameter net-diameter hello-time seconds Spanning-tree vlan vlan-id root primaryShow spanning-tree detail 18-17 Configuring Port Priority Configuring a Secondary Root SwitchSpanning-tree vlan vlan-id root secondary Diameter net-diameter hello-time Spanning-tree vlan vlan-id port-priority priority Spanning-tree port-priority priorityShow spanning-tree interface interface-id Show spanning-tree vlan vlan-id Port-channel-number Configuring Path CostSpanning-tree cost cost Spanning-tree vlan vlan-id cost cost 18-21 Configuring the Switch Priority of a VlanSpanning-tree vlan vlan-id priority priority Configuring the Hello Time Configuring Spanning-Tree TimersSpanning-tree vlan vlan-id hello-time seconds 18-22 Configuring the Maximum-Aging Time for a Vlan Configuring the Forwarding-Delay Time for a VlanSpanning-tree vlan vlan-id forward-time Spanning-tree vlan vlan-idmax-age seconds Displaying the Spanning-Tree Status Configuring the Transmit Hold-CountShow spanning-tree detail Verify your entries 18-24 19-1 Configuring Mstp 19-2 Understanding MstpMultiple Spanning-Tree Regions 19-3 IST, CIST, and CSTOperations Within an MST Region 19-4 Operations Between MST Regions Ieee 802.1s Terminology Hop CountCisco Prestandard Cisco Standard 19-5 19-6 Boundary PortsIeee 802.1s Implementation 19-7 Interoperation Between Legacy and Standard SwitchesPort Role Naming Change 19-8 Mstp and Switch StacksDetecting Unidirectional Link Failure Interoperability with Ieee 802.1D STP Understanding RstpPort Roles and the Active Topology 19-9 19-10 Rapid Convergence 19-11 Synchronization of Port Roles 19-12 Bridge Protocol Data Unit Format and ProcessingBit Function Processing Superior Bpdu Information Topology ChangesProcessing Inferior Bpdu Information 19-13 19-14 Configuring Mstp Features 19-15 Default Mstp ConfigurationMstp Configuration Guidelines Spanning-tree mst configuration Specifying the MST Region Configuration and Enabling MstpInstance instance-id vlan vlan-range Name name Revision version Spanning-tree mode mstShow pending Exit 19-18 Spanning-tree mst instance-id root primary 19-19 19-20 Spanning-tree mst instance-id port-priority priorityShow spanning-tree mst interface interface-id 19-21 Spanning-tree mst instance-id cost cost Configuring the Hello Time Configuring the Switch PrioritySpanning-tree mst instance-id priority priority 19-22 Show spanning-tree mst Verify your entries Configuring the Forwarding-Delay TimeSpanning-tree mst forward-time seconds Show spanning-tree mst Configuring the Maximum-Hop Count Configuring the Maximum-Aging TimeSpecifying the Link Type to Ensure Rapid Transitions Spanning-tree mst max-age seconds 19-25 Designating the Neighbor Type 19-26 Displaying the MST Configuration and StatusRestarting the Protocol Migration Process 20-1 Configuring Optional Spanning-Tree FeaturesUnderstanding Optional Spanning-Tree Features 20-2 Understanding Port FastUnderstanding Bpdu Guard 20-3 Understanding Bpdu FilteringUnderstanding UplinkFast 20-4 Switches in a Hierarchical Network 20-5 Understanding Cross-Stack UplinkFast 20-6 How Csuf Works 20-7 Understanding BackboneFastEvents that Cause Fast Convergence BackboneFast Example Before Indirect Link Failure 20-8 20-9 Adding a Switch in a Shared-Medium Topology 20-10 Understanding EtherChannel GuardUnderstanding Root Guard 20-11 Understanding Loop Guard Optional Spanning-Tree Configuration Guidelines Default Optional Spanning-Tree ConfigurationEnabling Port Fast 20-12 Enabling Bpdu Guard Spanning-tree portfast trunk interface configurationSpanning-tree portfast trunk Portfast 20-14 Spanning-tree portfast Enable the Port Fast featureEnabling Bpdu Filtering 20-15 Enabling UplinkFast for Use with Redundant Links Uplinkfast command Spanning-tree uplinkfast max-update-rateEnabling Cross-Stack UplinkFast Enabling BackboneFast Enabling EtherChannel Guard Spanning-tree backbonefast Enable BackboneFastShow spanning-tree summary Verify your entries 20-17 20-18 Enabling Root GuardEnabling Loop Guard 20-19 20-20 21-1 Flex Links 21-2 Switchport backup interface preemption delay commandsVlan Flex Link Load Balancing and Support 21-3 MAC Address-Table Move Update 21-4 MAC Address-Table Move Update Example 21-5 Configuration GuidelinesDefault Configuration Switchport backup interface interface-id Configuring Flex LinksShow interface interface-id switchport backup Switch# show interface switchport backup Mode forced bandwidth off Switchport backup interface interface-id preemptionDelay delay-time 21-7 Switchport backup interface interface-id prefer vlan Configuring Vlan Load Balancing on Flex LinksShow interfaces interface-id switchport backup Switch#show interfaces switchport backup Switchport backup interface interface-idmmu Configuring the MAC Address-Table Move Update FeaturePrimary vlan vlan-id 21-9 Switchconf# mac address-table move update transmit End Return to global configuration modeSwitch# show mac-address-table move update 21-10 21-11 Monitoring Flex Links and the MAC Address-Table Move Update 21-12 22-1 Configuring Dhcp Features and IP Source GuardUnderstanding Dhcp Features Dhcp Relay Agent Dhcp ServerDhcp Snooping 22-2 22-3 Option-82 Data Insertion Dhcp Relay Agent in a Metropolitan Ethernet Network 22-4 22-5 Remote ID Suboption Frame Format Dhcp Snooping Binding Database Cisco IOS Dhcp Server DatabaseRelease 22-6 22-7 Dhcp Snooping and Switch Stacks Configuring Dhcp FeaturesDefault Dhcp Configuration 22-8 22-9 Dhcp Snooping Configuration Guidelines 22-10 Configuring the Dhcp ServerDhcp Server and Switch Stacks Specifying the Packet Forwarding Address Configuring the Dhcp Relay AgentIp helper-address address 22-11 Switchport access vlan vlan-id Switchport mode accessEnabling Dhcp Snooping and Option Interface range port-range 22-13 Enabling the Cisco IOS Dhcp Server Database Enabling Dhcp Snooping on Private VLANsEnabling the Dhcp Snooping Binding Database Agent Ip dhcp snooping database 22-15 Displaying Dhcp Snooping Information 22-16 Understanding IP Source GuardSource IP Address Filtering Default IP Source Guard Configuration Configuring IP Source GuardIP Source Guard Configuration Guidelines Source IP and MAC Address Filtering 22-18 Enabling IP Source Guard 22-19 Displaying IP Source Guard Information 22-20 23-1 Configuring Dynamic ARP InspectionUnderstanding Dynamic ARP Inspection ARP Cache Poisoning 23-2 23-3 Interface Trust States and Network Security 23-4 Rate Limiting of ARP PacketsRelative Priority of ARP ACLs and Dhcp Snooping Entries Default Dynamic ARP Inspection Configuration Configuring Dynamic ARP InspectionLogging of Dropped Packets 23-5 23-6 Dynamic ARP Inspection Configuration Guidelines Show cdp neighbors Configuring Dynamic ARP Inspection in Dhcp EnvironmentsIp arp inspection vlan vlan-range 23-7 23-8 Configuring ARP ACLs for Non-DHCP Environments 23-9 Limiting the Rate of Incoming ARP Packets Show arp access-list acl-nameNo ip arp inspection trust Specified with the ip arp inspection vlan logging 23-11 Performing Validation Checks Ip arp inspection validate Configuring the Log BufferSrc-mac dst-mac ip Show ip arp inspection vlan 23-13 Ip arp inspection log-buffer entriesNumber logs number interval 23-14 Displaying Dynamic ARP Inspection Information Show ip arp inspection statistics vlan Clear ip arp inspection statisticsClear ip arp inspection log Show ip arp inspection log 23-16 24-1 Configuring Igmp Snooping and MVR 24-2 Understanding Igmp Snooping 24-3 Igmp VersionsJoining a Multicast Group 24-4 224.1.2.3 24-5 Leaving a Multicast Group Immediate Leave Igmp Configurable-Leave TimerIgmp Report Suppression 24-6 Igmp Snooping and Switch Stacks Configuring Igmp SnoopingDefault Igmp Snooping Configuration PIM-DVMRP 24-8 Enabling or Disabling Igmp SnoopingIp igmp snooping vlan vlan-id Ip igmp snooping vlan vlan-id mrouter Setting the Snooping MethodLearn cgmp pim-dvmrp Show ip igmp snooping 24-10 Configuring a Multicast Router PortShow ip igmp snooping mrouter vlan vlan-id Enabling Igmp Immediate Leave Configuring a Host Statically to Join a GroupIp igmp snooping vlan vlan-id static ipaddress Show ip igmp snooping groups 24-12 Configuring the Igmp Leave Timer Recovering from Flood Mode Configuring TCN-Related CommandsControlling the Multicast Flooding Time After a TCN Event Count 24-14 Disabling Multicast Flooding During a TCN EventNo ip igmp snooping tcn flood 24-15 Configuring the Igmp Snooping Querier 24-16 Disabling Igmp Report SuppressionNo ip igmp snooping report-suppression 24-17 Displaying Igmp Snooping Information 24-18 Understanding Multicast Vlan Registration 24-19 Using MVR in a Multicast Television Application Default MVR Configuration Configuring MVRMVR 24-20 Configuring MVR Global Parameters MVR Configuration Guidelines and LimitationsMvr Enable MVR on the switch 24-21 24-22 Configuring MVR Interfaces Mvr immediate Mvr type source receiverShow mvr Show mvr interface Show mvr members 24-24 Configuring Igmp Filtering and ThrottlingDisplaying MVR Information 24-25 Default Igmp Filtering and Throttling ConfigurationConfiguring Igmp Profiles Permit deny Ip igmp profile profile numberRange ip multicast address Show ip igmp profile profile number Switch# show ip igmp profile Setting the Maximum Number of Igmp GroupsApplying Igmp Profiles Ip igmp filter profile number Show running-config interface Verify the configuration Configuring the Igmp Throttling ActionEtherChannel group or a EtherChannel interface Interface-id Ip igmp max-groups action deny Displaying Igmp Filtering and Throttling ConfigurationReplace Show ip igmp profile profile 24-30 25-1 Configuring IPv6 MLD SnoopingUnderstanding MLD Snooping 25-2 MLD Queries MLD MessagesMulticast Client Aging Robustness 25-3 MLD Reports Multicast Router DiscoveryMLD Done Messages and Immediate-Leave 25-4 MLD Snooping in Switch Stacks Configuring IPv6 MLD SnoopingTopology Change Notification Processing 25-5 25-6 Default MLD Snooping ConfigurationMLD Snooping Configuration Guidelines Ipv6 mld snooping Enabling or Disabling MLD SnoopingIpv6 mld snooping vlan vlan-id 25-7 Ipv6 mld snooping vlan vlan-id static Configuring a Static Multicast GroupShow ipv6 mld snooping multicast-address user Show ipv6 mld snooping multicast-address vlan Ipv6 mld snooping vlan vlan-id mrouter Enabling MLD Immediate LeaveShow ipv6 mld snooping mrouter vlan vlan-id 25-9 25-10 Configuring MLD Snooping Queries 25-11 Displaying MLD Snooping InformationDisabling MLD Listener Message Suppression Vlan-id count dynamic user Show ipv6 mld snooping querier vlan vlan-idVlan-id ipv6-multicast-address 25-12 Configuring Storm Control Configuring Port-Based Traffic ControlUnderstanding Storm Control 26-1 Broadcast Storm Control Example 26-2 26-3 Default Storm Control ConfigurationConfiguring Storm Control and Threshold Levels Unicast level level level-low bps bps Storm-control broadcast multicastBps-low pps pps pps-low Storm-control action shutdown trap Default Protected Port Configuration Configuring Protected PortsShow storm-control interface-id broadcast Multicast unicast Protected Port Configuration Guidelines Configuring Port BlockingConfiguring a Protected Port 26-6 Default Port Blocking Configuration Configuring Port SecurityBlocking Flooded Traffic on an Interface 26-7 26-8 Understanding Port SecuritySecure MAC Addresses 26-9 Security Violations Port Security Configuration Guidelines Default Port Security ConfigurationForwarded1 Trap Message Message2 Increments 26-10 26-11 26-12 Enabling and Configuring Port Security Protect restrict shutdown Switchport port-security violationShutdown vlan 26-13 26-14 Switchconfig-if#switchport port-security maximum Switchconfig-if#switchport port-securitySwitchconfig-if#switchport port-security mac-address sticky Switchconfig-if#switchport port-security violation restrict 26-16 Enabling and Configuring Port Security Aging Switchconfig# interface GigabitEthernet 1/0/8 Port Security and Switch StacksPort Security and Private VLANs 26-17 Show port-security interface interface-idaddress Displaying Port-Based Traffic Control SettingsShow port-security interface interface-idvlan 26-18 27-1 Configuring CDPUnderstanding CDP CDP and Switch Stacks Configuring CDPDefault CDP Configuration Configuring the CDP Characteristics Cdp holdtime seconds Disabling and Enabling CDPCdp advertise-v2 Show cdp Cdp enable Enable CDP on the interface after disabling it No cdp enable Disable CDP on the interfaceDisabling and Enabling CDP on an Interface 27-4 27-5 Monitoring and Maintaining CDP 27-6 Understanding Lldp and LLDP-MED Configuring Lldp and LLDP-MEDUnderstanding Lldp 28-1 28-2 Understanding LLDP-MED Default Lldp Configuration Configuring Lldp and LLDP-MEDConfiguring Lldp Characteristics 28-3 28-4 Disabling and Enabling Lldp Globally 28-5 Disabling and Enabling Lldp on an Interface TLV, and enter interface configuration mode Configuring LLDP-MED TLVsNo lldp med-tlv-select tlv Specify the TLV to disable Lldp med-tlv-select tlv Specify the TLV to enable 28-7 Monitoring and Maintaining Lldp and LLDP-MED 28-8 Understanding Udld Configuring UdldModes of Operation 29-1 29-2 Methods to Detect Unidirectional Links 29-3 Configuring Udld 29-4 Default Udld Configuration Message-timer-interval Udld aggressive enable message timeEnabling Udld Globally Show udld Udld reset Show udld Resetting an Interface Disabled by UdldEnabling Udld on an Interface Udld port aggressive 29-7 Displaying Udld Status 29-8 30-1 Configuring Span and RspanUnderstanding Span and Rspan 30-2 Local Span 30-3 Remote Span 30-4 Span and Rspan Concepts and TerminologySpan Sessions 30-5 Monitored Traffic 30-6 Source Ports 30-7 Source VLANsVlan Filtering 30-8 Destination Port 30-9 Span and Rspan Interaction with Other FeaturesRspan Vlan 30-10 Configuring Span and RspanSpan and Rspan and Switch Stacks Configuring Local Span Default Span and Rspan ConfigurationSpan Configuration Guidelines 30-11 30-12 Creating a Local Span Session Destination interface interface-id Monitor session sessionnumberEncapsulation replicate Show monitor session sessionnumber 30-14 30-15 Specifying VLANs to FilterMonitor session sessionnumber filter vlan Rspan Configuration Guidelines Configuring RspanBe a Vlan 30-16 30-17 Configuring a Vlan as an Rspan Vlan Interfaces port-channelport-channel-number. Valid Creating an Rspan Source SessionDestination remote vlan vlan-id 30-18 30-19 Creating an Rspan Destination SessionRemote vlan vlan-id 30-20 30-21 Ingress dot1q vlan vlan-id isl untaggedUntagged vlan vlan-id or vlan vlan-id- Forward incoming 30-22 Show monitor session sessionnumber 30-23 Displaying Span and Rspan Status 30-24 31-1 Configuring RmonUnderstanding Rmon 31-2 Configuring Rmon 31-3 Default Rmon ConfigurationConfiguring Rmon Alarms and Events 31-4 Rmon event number description string log owner stringAdd an event in the Rmon event table that is Collecting Group Ethernet Statistics on an Interface Collecting Group History Statistics on an InterfaceRmon collection history index Show rmon history Rmon collection stats index owner ownername Displaying Rmon StatusShow rmon statistics 31-6 32-1 Configuring System Message LoggingUnderstanding System Message Logging 32-2 Configuring System Message LoggingSystem Log Message Format 32-3 Hhmmss short uptimeText string that uniquely describes the message No logging console Disable message logging Default System Message Logging ConfigurationShow running-config Verify your entries Show logging Disabling Message Logging Logging buffered size Setting the Message Display Destination DeviceLogging host 32-5 Logging file flash filename Synchronizing Log MessagesTerminal monitor Session to see the debugging messages Line vty Line console vty line-numberLogging synchronous level severity-level All limit number-of-buffers 32-8 Enabling and Disabling Time Stamps on Log MessagesEnabling and Disabling Sequence Numbers in Log Messages Logging console level Defining the Message Severity LevelLogging monitor level Logging trap level 32-10 Level Description Syslog Definition Logging history level Enabling the Configuration-Change LoggerLogging history size number 32-11 32-12 Configuring Unix Syslog ServersLogging Messages to a Unix Syslog Daemon Logging facility facility-type Configuring the Unix System Logging FacilityFacility-type keywords 32-13 32-14 Displaying the Logging ConfigurationFacility Type Keyword Description 33-1 Configuring SnmpUnderstanding Snmp 33-2 Snmp Versions Snmp Manager Functions Model Level Authentication Encryption ResultDES Operation Description 33-4 Using Snmp to Access MIB VariablesSnmp Agent Functions 33-5 Snmp Notifications Snmp ifIndex MIB Object Values Configuring SnmpIfIndex Range SVI 33-7 Default Snmp ConfigurationSnmp Configuration Guidelines No snmp-server Disable the Snmp agent operation Configuring Community StringsDisabling the Snmp Agent 33-8 Access-list access-list-number deny View-name ro rw access-list-numberSnmp-server community string view Permit source source-wildcard Snmp-server engineID local engineid-string Configuring Snmp Groups and UsersSnmp-server engineID local 33-10 Snmp-server group groupname v1 v2c Write writeview notify notifyview accessAuth noauth priv read readview 33-11 Remote host udp-port port v1 access Configuring Snmp NotificationsEncrypted access access-list auth md5 Notification Type Keyword Description 33-13 33-14 33-12 , or enter snmp-server enable traps ? Setting the Agent Contact and Location InformationEnable traps command for each trap type Notification-types Limiting Tftp Servers Used Through Snmp Switchconfig# snmp-server community publicSnmp Examples Snmp-server tftp-server-list 33-17 Displaying Snmp Status 33-18 34-1 Configuring Network Security with ACLsUnderstanding ACLs 34-2 Supported ACLs 34-3 Port ACLs 34-4 Router ACLs 34-5 Handling Fragmented and Unfragmented TrafficVlan Maps 34-6 ACLs and Switch Stacks 34-7 Configuring IPv4 ACLs Access List Number Type Supported Access List NumbersCreating Standard and Extended IPv4 ACLs 34-8 34-9 ACL Logging Show access-lists number name Access-list access-list-number deny permitCreating a Numbered Standard ACL Source source-wildcard log 34-11 Creating a Numbered Extended ACL 34-12 34-13 34-14 34-15 Resequencing ACEs in an ACLCreating Named Standard and Extended ACLs Ip access-list extended name Ip access-list standard nameAny log Tos tos established log time-range 34-17 Using Time Ranges with ACLs Periodic weekdays weekend daily Absolute start time dateShow time-range 34-18 Applying an IPv4 ACL to a Terminal Line Switch# show ip access-listsIncluding Comments in ACLs 34-19 Applying an IPv4 ACL to an Interface Access-class access-list-numberOut 34-20 34-21 Ip access-group access-list-number 34-22 IPv4 ACL Configuration ExamplesHardware and Software Treatment of IP ACLs 34-23 Switchconfig# access-list 6 permit 172.20.128.64Switchconfig# access-list 106 permit ip any 172.20.128.64 34-24 Numbered ACLsExtended ACLs Time Range Applied to an IP ACL Named ACLsCommented IP ACL Entries 34-25 34-26 Switch# show loggingSwitchconfig-if#ip access-group ext1 34-27 Creating Named MAC Extended ACLs 34-28 Applying a MAC ACL to a Layer 2 Interface Mac access-group name Configuring Vlan MapsShow mac access-group interface interface-id ACL 34-30 Vlan Map Configuration Guidelines Creating a Vlan Map Vlan access-map name numberAction drop forward Match ip mac address name 34-32 Examples of ACLs and Vlan Maps 34-33 Wiring Closet Configuration Using Vlan Maps in Your NetworkApplying a Vlan Map to a Vlan Vlan filter mapname vlan-list list Switchconfig# vlan access-map map2 Denying Access to a Server on Anothera VlanSwitchconfig# ip access-list extended matchall Switchconfig# vlan filter map2 vlan 34-36 Using Vlan Maps with Router ACLs 34-37 Vlan Maps and Router ACL Configuration Guidelines Examples of Router ACLs and Vlan Maps Applied to VLANs ACLs and Switched PacketsACLs and Bridged Packets 34-38 34-39 ACLs and Routed Packets Show ip access-lists number name Displaying IPv4 ACL ConfigurationACLs and Multicast Packets 34-40 Show mac access-group interface interface-id Show running-config interface interface-idShow ip interface interface-id 34-41 34-42 35-1 Configuring IPv6 ACLs 35-2 Understanding IPv6 ACLs IPv6 ACLs and Switch Stacks Supported ACL FeaturesIPv6 ACL Limitations 35-3 Default IPv6 ACL Configuration Configuring IPv6 ACLsInteraction with Other Features and Switches 35-4 35-5 Ipv6 access-list access-list-nameCreating IPv6 ACLs Log-input routing sequence Dscp value fragments logValue time-range name 35-6 35-7 Applying an IPv6 ACL to an Interface Ipv6 traffic-filter access-list-nameIpv6 address ipv6-address 35-8 Show ipv6 access-list access-list-name Show access-listsDisplaying IPv6 ACLs 35-9 35-10 36-1 Configuring QoS 36-2 Understanding QoS 36-3 Basic QoS Model Basic QoS Model 36-4 36-5 Classification Check if packet came with CoS label tag Yes 36-6 36-7 Classification Based on QoS ACLsClassification Based on Class Maps and Policy Maps 36-8 Policing and Marking 36-9 Policing on Physical Ports 36-10 Policing on SVIs 36-11 Policing and Marking Flowchart on SVIs 36-12 Mapping Tables 36-13 Queueing and Scheduling Overview 36-14 Weighted Tail DropSRR Shaping and Sharing 36-15 Queueing and Scheduling on Ingress Queues 36-16 Queue Type Function 36-17 WTD Thresholds 36-18 Queueing and Scheduling on Egress Queues 36-19 36-20 Buffer and Memory Allocation 36-21 Packet Modification 36-22 Configuring Auto-QoS 36-23 Generated Auto-QoS Configuration 36-24 Description Automatically Generated Command 36-25 Sizes. It configures the bandwidth and the SRR mode shaped Switch automatically configures the egress queue bufferIf you entered the auto qos voip trust command, the switch Or shared on the egress queues mapped to the port 36-27 Effects of Auto-QoS on the ConfigurationAuto-QoS Configuration Guidelines Auto qos voip cisco-phone Enabling Auto-QoS for VoIPCisco-softphone trust Show auto qos interface interface-id 36-29 36-30 Auto-QoS Configuration Example Debug auto qos Cdp enableAuto qos voip trust Show auto qos 36-32 Configuring Standard QoSDisplaying Auto-QoS Information 36-33 Default Standard QoS ConfigurationDefault Ingress Queue Configuration 36-34 Default Egress Queue ConfigurationDscp Value Queue ID -Threshold ID Default Mapping Table Configuration Standard QoS Configuration GuidelinesQoS ACL Guidelines Applying QoS on Interfaces 36-36 Policing GuidelinesGeneral QoS Guidelines 36-37 Enabling QoS GloballyEnabling VLAN-Based QoS on Physical Ports 36-38 Configuring Classification Using Port Trust StatesConfiguring the Trust State on Ports within the QoS Domain 15 Port Trusted States within the QoS Domain 36-39 Mls qos trust cos dscp ip-precedence Configuring the CoS Value for an InterfaceShow mls qos interface 36-40 36-41 Configuring a Trusted Boundary to Ensure Port SecurityMls qos cos default-cos override Mls qos trust dscp Enabling Dscp Transparency ModeMls qos trust device cisco-phone 36-42 36-43 No mls qos rewrite ip dscp Mls qos dscp-mutation Mls qos map dscp-mutationShow mls qos maps dscp-mutation 36-44 36-45 Configuring a QoS PolicySwitchconfig-if#mls qos dscp-mutation gi1/0/2-mutation 36-46 Classifying Traffic by Using ACLs Switchconfig# access-list 102 permit pim any 224.0.0.2 dscp Switchconfig# access-list 100 permit ip any any dscpPermit protocol source source-wildcard Source-wildcard 36-48 Mac access-list extended name Class-map match-all match-any Classifying Traffic by Using Class MapsIs match-all Match-any keywords Ip dscp dscp-list ip precedence Match access-group acl-index-or-nameIp-precedence-list Show class-map 36-51 36-52 Policy-map policy-map-nameClass class-map-name 36-53 36-54 Service-policy input policy-map-nameShow policy-map policy-map-nameclass Switchconfig-pmap#class macclass2 maclist2 Switchconfig# policy-map macpolicy1Switchconfig-if#service-policy input macpolicy1 36-55 36-56 Traffic by Using Class Maps section on 36-57 Drop policed-dscp-transmit Police rate-bps burst-byte exceed-actionExceed-action policed-dscp-transmit keywords to mark down 36-58 36-59 Service-policy policy-map-name Show mls qos vlan-based Service-policy input policy-map-nameShow policy-map policy-map-nameclass Aggregate-policer-name rate-bps burst-byte Mls qos aggregate-policerExceed-action drop Policed-dscp-transmit Aggregate-policer-name Only one policy map per ingress port is supportedShow mls qos aggregate-policer Configuring the CoS-to-DSCP Map Configuring Dscp MapsSwitchconfig-pmap-c#police aggregate transmit1 CoS Value Dscp Value Mls qos map cos-dscp dscp1...dscp8 Configuring the IP-Precedence-to-DSCP MapIP Precedence Value Dscp Value 36-64 36-65 Configuring the Policed-DSCP Map Dscp Value CoS Value Configuring the DSCP-to-CoS Map36-66 Show Mls qos map dscp-cos dscp-list to cos Configuring the DSCP-to-DSCP-Mutation MapShow mls qos maps dscp-to-cos 36-67 36-68 Switchconfig-if#mls qos dscp-mutation mutation1Switch# show mls qos maps dscp-mutation mutation1 36-69 Configuring Ingress Queue Characteristics Mls qos srr-queue input cos-map Mls qos srr-queue input dscp-mapMls qos srr-queue input threshold Show mls qos maps Allocating Bandwidth Between the Ingress Queues Allocating Buffer Space Between the Ingress QueuesMls qos srr-queue input buffers Show mls qos interface buffer Weight1 weight2 Configuring the Ingress Priority QueueMls qos srr-queue input bandwidth Show mls qos interface queueing Weight Configuring Egress Queue CharacteristicsMls qos srr-queue input Priority-queue queue-id bandwidth 36-74 36-75 Mls qos queue-set output qset-idQueue-set qset-id 36-76 36-77 Mls qos srr-queue output dscp-mapMls qos srr-queue output cos-map Srr-queue bandwidth shape weight1 Configuring SRR Shaped Weights on Egress QueuesWeight2 weight3 weight4 Queueing Configuring the Egress Expedite Queue Configuring SRR Shared Weights on Egress QueuesSrr-queue bandwidth share weight1 36-79 Srr-queue bandwidth limit weight1 Mls qos Enable QoS on a switchLimiting the Bandwidth on an Egress Interface 36-80 36-81 Displaying Standard QoS Information 36-82 Show running-config include rewrite 37-1 Configuring EtherChannels and Link-State TrackingUnderstanding EtherChannels 37-2 EtherChannel Overview 37-3 Single-Switch EtherChannel 37-4 Port-Channel Interfaces 37-5 Port Aggregation Protocol Mode Description PAgP Interaction with Other FeaturesPAgP Modes Auto Link Aggregation Control Protocol Lacp Interaction with Other FeaturesLacp Modes 37-7 37-8 EtherChannel On ModeLoad-Balancing and Forwarding Methods 37-9 37-10 EtherChannel and Switch Stacks 37-11 Configuring EtherChannelsDefault EtherChannel Configuration 37-12 EtherChannel Configuration Guidelines 37-13 Configuring Layer 2 EtherChannels 37-14 Auto non-silent desirable non-silent onActive passive Switchconfig-if-range#channel-group 5 mode active Configuring Layer 3 EtherChannelsCreating Port-Channel Logical Interfaces 37-15 Interface port-channel port-channel-number Configuring the Physical InterfacesShow etherchannel channel-group-number detail No ip address For channel-group-number, the range is 1 to 48. This number Partner that is PAgP capable, configure the switch port forMust be the same as the port-channel-number logical port 37-17 Port-channel load-balance dst-ip dst-mac Configuring EtherChannel Load-BalancingSrc-dst-ip src-dst-mac src-ip src-mac 37-18 37-19 Configuring the PAgP Learn Method and PriorityShow etherchannel load-balance Verify your entries Pagp learn-method physical-port Configuring Lacp Hot-Standby PortsPagp port-priority priority Show pagp channel-group-number internal 37-21 Configuring the Lacp System PriorityShow running-config Verify your entries Show lacp sys-id Lacp port-priority priority Configuring the Lacp Port PriorityShow lacp channel-group-number Internal 37-23 Displaying EtherChannel, PAgP, and Lacp StatusUnderstanding Link-State Tracking 37-24 37-25 Configuring Link-State Tracking Link-State Tracking Configuration Guidelines Default Link-State Tracking ConfigurationConfiguring Link-State Tracking 37-26 Switch show link state group detail Switch show link state groupDisplaying Link-State Tracking Status 37-27 37-28 38-1 Configuring IP Unicast Routing 38-2 Understanding IP RoutingTypes of Routing 38-3 IP Routing and Switch Stacks 38-4 38-5 Steps for Configuring RoutingConfiguring IP Addressing ARP Default Addressing ConfigurationIrdp 38-6 Assigning IP Addresses to Network Interfaces Show running-config Verify your entryUse of Subnet Zero 38-7 38-8 Classless Routing 38-9 Configuring Address Resolution MethodsNo ip classless Disable classless routing behavior 38-10 Define a Static ARP CacheArp ip-address hardware-address type 38-11 Set ARP Encapsulation Enable Proxy ARP Routing Assistance When IP Routing is DisabledDefault Gateway Proxy ARP 38-13 Icmp Router Discovery Protocol Irdp 38-14 Configuring Broadcast Packet Handling 38-15 Ip directed-broadcast access-list-numberIp forward-protocol udp port nd sdns 38-16 Forwarding UDP Broadcast Packets and Protocols Flooding IP Broadcasts Establishing an IP Broadcast AddressIp broadcast-address ip-address 38-17 Clear arp-cache Monitoring and Maintaining IP AddressingClear host name Clear ip route network mask 38-19 Enabling IP Unicast Routing 38-20 Configuring RIP Configuring Basic RIP Parameters Default RIP ConfigurationRouter rip Network network number 38-22 Configuring Summary Addresses and Split Horizon Configuring RIP AuthenticationIp rip authentication key-chain name-of-chain Ip rip authentication mode text md5 Switchconfig-router#neighbor 2.2.2.2 peer-group mygroup Configuring Split HorizonIp summary-address rip ip address ip-network mask No ip split horizon 38-25 Configuring OspfNo ip split-horizon 38-26 Default Ospf Configuration 38-27 Ospf Nonstop Forwarding 38-28 Ospf NSF Awareness 38-29 Configuring Basic Ospf ParametersConfiguring Ospf Interfaces 38-30 38-31 Configuring Ospf Area Parameters 38-32 Configuring Other Ospf Parameters 38-33 Changing LSA Group Pacing Configuring a Loopback InterfaceIp address address mask 38-34 38-35 Configuring EigrpMonitoring Ospf 38-36 38-37 Default Eigrp Configuration 38-38 Eigrp Nonstop Forwarding Router eigrp autonomous-system Configuring Basic Eigrp ParametersNetwork network-number Eigrp log-neighbor-changes No auto-summary Configuring Eigrp InterfacesIp summary-address eigrp 38-40 Ip hello-interval eigrp autonomous-system-number Configuring Eigrp Route AuthenticationNo ip split-horizon eigrp autonomous-system-number Show ip eigrp interface 38-42 Eigrp Stub Routing 38-43 Configuring BGPMonitoring and Maintaining Eigrp EBGP, IBGP, and Multiple Autonomous Systems 38-44 38-45 Default BGP Configuration 38-46 38-47 Nonstop Forwarding Awareness Router bgp autonomous-system Enabling BGP RoutingNetwork network-number mask network-mask Route-map route-map-name 38-49 Switch# show ip bgp neighbors Switchconfig-router#neighbor 192.208.10.2 remote-asManaging Routing Policy Changes 38-50 Show ip bgp neighbors Type of Reset Advantages DisadvantagesClear ip bgp * address Show ip bgp 38-52 Configuring BGP Decision Attributes 38-53 38-54 Configuring BGP Filtering with Route MapsConfiguring BGP Filtering by Neighbor Out weight weight Ip as-path access-list access-list-numberRoute-map map-tag in out Show ip bgp neighbors paths 38-56 Configuring Prefix Lists for BGP Filtering Ip community-listcommunity-list-number Configuring BGP Community FilteringPermit deny community-number Send-community Set comm-list list-num delete Configuring BGP Neighbors and Peer GroupsIp bgp-community new-format Show ip bgp community 38-59 38-60 Configuring Aggregate Addresses 38-61 Configuring Routing Domain ConfederationsConfiguring BGP Route Reflectors Route-reflector-client Configuring Route DampeningBgp cluster-id cluster-id No bgp client-to-client reflection 38-63 Monitoring and Maintaining BGP 38-64 Configuring Multi-VRF CE 38-65 Understanding Multi-VRF CE 38-66 Multi-VRF CE Configuration Guidelines Default Multi-VRF CE ConfigurationVRF 38-67 Route-target export import both Configuring VRFsImport map route-map Ip vrf forwarding vrf-name Show ip vrf brief detail interfaces Configuring a VPN Routing SessionLog-adjacency-changes Redistribute bgp 38-70 Configuring BGP PE to CE Routing SessionsMulti-VRF CE Configuration Example VPN2 CE1 38-71 38-72 Configuring Switch a Switchconfig-router-af#network 8.8.1.0 mask Switchconfig-router-af#network 8.8.2.0 maskSwitchconfig-if#ip address 208.0.0.20 38-73 38-74 Router# configure terminal 38-75 Configuring Unicast Reverse Path ForwardingDisplaying Multi-VRF CE Status 38-76 Configuring Protocol-Independent FeaturesConfiguring Distributed Cisco Express Forwarding 38-77 Configuring the Number of Equal-Cost Routing Paths Router bgp rip ospf eigrp Configuring Static Unicast RoutesMaximum-paths maximum Show ip route Route Source Default Distance Specifying Default Routes and NetworksIp default-network network number Specify a default network 38-79 38-80 Using Route Maps to Redistribute Routing Information 38-81 38-82 38-83 Configuring Policy-Based Routing 38-84 PBR Configuration Guidelines 38-85 Enabling PBR Ip route-cache policy Ip policy route-map map-tagIp local policy route-map map-tag 38-86 38-87 Setting Passive InterfacesFiltering Routing Information Filtering Sources of Routing Information Controlling Advertising and Processing in Routing UpdatesRouter bgp rip eigrp 38-88 Distance weight ip-address ip-address mask Managing Authentication KeysIp access list 38-89 38-90 Monitoring and Maintaining the IP Network 38-91 38-92 39-1 Configuring IPv6 Unicast RoutingUnderstanding IPv6 39-2 IPv6 Addresses 39-3 Supported IPv6 Unicast Routing FeaturesBit Wide Unicast Addresses Path MTU Discovery for IPv6 Unicast DNS for IPv6ICMPv6 Neighbor Discovery 39-5 IPv6 Applications 39-6 Unsupported IPv6 Unicast Routing FeaturesDual IPv4 and IPv6 Protocol Stacks 39-7 IPv6 and Switch StacksLimitations 39-8 39-9 SDM TemplatesDual IPv4-and IPv6 SDM Templates 39-10 Configuring IPv6 39-11 Default IPv6 ConfigurationConfiguring IPv6 Addressing and Enabling IPv6 Routing 39-12 Ip routing Enable routing on the switch Configuring IPv4 and IPv6 Protocol StacksSwitchconfig-if#ipv6 address 20010DB8c181/64 eui 39-13 39-14 Configuring CEF and dCEF for IPv6 Configuring IPv6 Icmp Rate LimitingIpv6 icmp error-interval interval bucketsize Show ipv6 interface interface-id 39-16 Configuring Static Routing for IPv6 Ipv6 route ipv6-prefix/prefix length Administrative distanceIpv6-address interface-id ipv6-address 39-17 Show ipv6 route static updated Configuring RIP for IPv6Show ipv6 static ipv6-address Interface-id recursive detail 39-19 39-20 Configuring Ospf for IPv6 39-21 39-22 Switch# show ipv6 interfaceDisplaying IPv6 Switch# show ipv6 protocols Switch# show ipv6 cef /0Switch# show ipv6 rip 39-23 Switch# show ipv6 static Switch# show ipv6 neighborsSwitch# show ipv6 route Switch# show ipv6 traffic 39-25 39-26 40-1 Configuring Hsrp and Enhanced Object TrackingUnderstanding Hsrp 40-2 40-3 Multiple Hsrp 40-4 Configuring HsrpHsrp and Switch Stacks Hsrp Configuration Guidelines Default Hsrp ConfigurationEnabling Hsrp 40-5 Standby group-number ip ip-address Switch# show standbySecondary Show standby interface-id group 40-7 Configuring Hsrp Priority Standby group-number priority Priority preempt delay delayStandby group-number track 40-8 Configuring Hsrp Authentication and Timers Configuring MhsrpSwitchconfig-if#standby 2 ip 40-9 Standby group-number timers hellotime Standby group-number authentication stringSwitchconfig-if#standby 1 authentication word Holdtime Configuring Hsrp Groups and Clustering Displaying Hsrp ConfigurationsEnabling Hsrp Support for Icmp Redirect Messages Show standby interface-idgroup brief detail 40-12 Configuring Enhanced Object TrackingUnderstanding Enhanced Object Tracking Tracking Interface Line-Protocol or IP Routing State Configuring Enhanced Object Tracking FeaturesTrack object-number interface 40-13 Switch# show track 33 Track Configuring a Tracked ListTrack track-numberlist boolean Object object-number not Threshold weight up number WeightTrack track-numberlist threshold 40-15 Percentage Track track-number list thresholdObject object-number Threshold percentage up number 40-17 Configuring Hsrp Object Tracking 40-18 Configuring Other Tracking CharacteristicsShow standby 41-1 Configuring Web Cache Services By UsingUnderstanding Wccp 41-2 Wccp Message Exchange Wccp Negotiation Packet Redirection and Service GroupsMD5 Security 41-3 41-4 Wccp and Switch Stacks Unsupported Wccp Features Configuring WccpDefault Wccp Configuration Wccp Configuration Guidelines 41-6 Enabling the Web Cache Service 41-7 41-8 Switchconfig-if-range#switchport access vlan Switchconfig# interface range gigabitethernet1/0/3Monitoring and Maintaining Wccp 41-9 41-10 Enabled / disabled 42-1 Configuring IP Multicast Routing IP Multicast Routing Protocols 42-2 42-3 Understanding IgmpIgmp Version PIM Versions Understanding PIMPIM Modes 42-4 42-5 PIM Stub Routing 42-6 Auto-RP 42-7 Bootstrap RouterMulticast Forwarding and Reverse Path Check 42-8 Understanding DvmrpNetwork Port 42-9 Multicast Routing and Switch StacksUnderstanding Cgmp Default Multicast Routing Configuration Configuring IP Multicast RoutingMulticast Routing Configuration Guidelines 42-10 42-11 Auto-RP and BSR Configuration GuidelinesPIMv1 and PIMv2 Interoperability 42-12 Configuring Basic Multicast RoutingIp multicast-routing distributed Ip pim version 1 Configuring PIM Stub RoutingIp pim dense-mode sparse-mode Sparse-dense-mode Manually Assigning an RP to Multicast Groups Configuring a Rendezvous PointIp pim passive 42-14 42-15 Access-list-number overrideIp pim rp-address ip-address 42-16 Configuring Auto-RP Ip pim send-rp-announce interface-id Scope ttl group-list access-list-numberInterval seconds 42-17 Show ip pim rp mapping Ip pim send-rp-discovery scope ttlShow ip pim rp 42-18 42-19 Access-list-number group-listIp pim rp-announce-filter rp-list 42-20 Configuring PIMv2 BSRIp pim bsr-border 42-21 Ip multicast boundary 42-22 Ip pim bsr-candidate interface-idHash-mask-length priority 42-23 Group-list access-list-numberIp pim rp-candidate interface-id Show ip pim rp group-name Using Auto-RP and a BSRGroup-address mapping Show ip pim rp-hash group Troubleshooting PIMv1 and PIMv2 Interoperability Problems Configuring Advanced PIM FeaturesMonitoring the RP Mapping Information Understanding PIM Shared Tree and Source Tree Shared Tree and Source Tree Shortest-Path Tree 42-26 42-27 Delaying the Use of PIM Shortest-Path TreeIp pim spt-threshold kbps infinity Modifying the PIM Router-Query Message Interval Configuring Optional Igmp FeaturesIp pim query-interval seconds Show ip igmp interface interface-id Configuring the Switch as a Member of a Group Default Igmp ConfigurationIp igmp join-group group-address 42-29 Ip igmp access-group access-list-number Controlling Access to IP Multicast GroupsShow ip igmp interface interface-id Verify your entries 42-30 Modifying the Igmp Host-Query Message Interval Changing the Igmp VersionIp igmp version 1 Query-interval or the ip igmp query-max-response-time Ip igmp querier-timeout seconds Changing the Igmp Query Timeout for IGMPv2Ip igmp query-interval seconds 42-32 Changing the Maximum Query Response Time for IGMPv2 Configuring the Switch as a Statically Connected MemberIp igmp query-max-response-time 42-33 Enabling Cgmp Server Support Configuring Optional Multicast Routing FeaturesIp igmp static-group group-address 42-34 42-35 Configuring sdr Listener SupportIp cgmp proxy Enabling sdr Listener Support Ip sdr listen Enable sdr listener supportLimiting How Long an sdr Cache Entry Exists 42-36 42-37 Configuring an IP Multicast Boundary 42-38 Configuring Basic Dvmrp Interoperability Features 42-39 Configuring Dvmrp Interoperability 42-40 Ip dvmrp metric metric list 42-41 Configuring a Dvmrp Tunnel Neighbor-list access-list-number Access-list-number distanceAdvertising Network 0.0.0.0 to Dvmrp Neighbors Ip dvmrp accept-filter Ip dvmrp default-information Configuring Advanced Dvmrp Interoperability FeaturesResponding to mrinfo Requests Originate only 42-44 Enabling Dvmrp Unicast Routing 42-45 Rejecting a Dvmrp Nonpruning Neighbor 42-46 Enter interface configuration mode Controlling Route Exchanges By default, 7000 routes are advertised. The range is 0 toLimiting the Number of Dvmrp Routes Advertised Changing the Dvmrp Route Threshold Default is 10,000 routes. The range is 1 to Configuring a Dvmrp Summary AddressRoute-count 42-48 42-49 Ip dvmrp summary-address address Disabling Dvmrp AutosummarizationMask metric value No ip dvmrp auto-summary Ip dvmrp metric-offset in out Adding a Metric Offset to the Dvmrp RouteIncrement 42-51 Clearing Caches, Tables, and Databases Monitoring and Maintaining IP Multicast RoutingDisplaying System and Network Statistics 42-52 42-53 Monitoring IP Multicast Routing 42-54 43-1 Configuring MsdpUnderstanding Msdp 43-2 Msdp Operation 43-3 Msdp Benefits Default Msdp Configuration Configuring MsdpConfiguring a Default Msdp Peer 43-4 43-5 Ip msdp default-peer ip-address namePrefix-list list Ip prefix-list name description string Caching Source-Active StateSeq number permit deny network Ip msdp description peer-name 43-7 Ip msdp cache-sa-state list Requesting Source Information from an Msdp Peer Switchconfig# ip msdp sa-requestIp msdp sa-request ip-address name 43-8 Redistributing Sources Controlling Source Information that Your Switch OriginatesIp msdp redistribute list 43-9 43-10 Filtering Source-Active Request Messages Name list access-list-numberIp msdp filter-sa-request ip-address 43-11 Using a Filter Controlling Source Information that Your Switch ForwardsIp msdp sa-filter out ip-address name Route-map map-tag 43-13 Using TTL to Limit the Multicast Data Sent in SA Messages Controlling Source Information that Your Switch ReceivesIp msdp ttl-threshold ip-address name Ttl 43-15 Switchconfig# ip msdp sa-filter in switch.cisco.comIp msdp sa-filter in ip-address name Shutting Down an Msdp Peer Configuring an Msdp Mesh GroupIp msdp mesh-group name ip-address 43-16 Ip msdp shutdown peer-name peer Including a Bordering PIM Dense-Mode Region in MsdpIp msdp border sa-address interface-id 43-17 43-18 Configuring an Originating Address other than the RP Address Clear ip msdp peer peer-addressname Monitoring and Maintaining MsdpClear ip msdp statistics peer-addressname Clear ip msdp sa-cache group-addressname 43-20 Understanding Fallback Bridging Configuring Fallback BridgingFallback Bridging Overview 44-1 44-2 44-3 Configuring Fallback BridgingFallback Bridging and Switch Stacks Fallback Bridging Configuration Guidelines Default Fallback Bridging ConfigurationCreating a Bridge Group 44-4 Vlan-bridge Bridge bridge-group protocolBridge-group bridge-group 44-5 44-6 Adjusting Spanning-Tree ParametersSwitchconfig# bridge 10 protocol vlan-bridge Changing the Interface Priority Changing the VLAN-Bridge Spanning-Tree PriorityBridge bridge-group priority number Bridge-group bridge-grouppriority Bridge-group bridge-group path-cost Assigning a Path CostCost 44-8 Switchconfig# bridge 10 hello-time Adjusting Bpdu IntervalsBridge bridge-group hello-time seconds 44-9 Switchconfig# bridge 10 max-age Switchconfig# bridge 10 forward-timeBridge bridge-group forward-time Bridge bridge-group max-age seconds Disabling the Spanning Tree on an Interface Monitoring and Maintaining Fallback BridgingClear bridge bridge-group Show bridge bridge-group group 44-12 45-1 Troubleshooting 45-2 Recovering from a Software Failure Switch flashinit Recovering from a Lost or Forgotten PasswordSwitch loadhelper Switch copy xmodem flashimagefilename.bin 45-4 45-5 Procedure with Password Recovery Enabled 45-6 Copy the configuration file into memory 45-7 Procedure with Password Recovery DisabledSwitch dir flash 45-8 Preventing Switch Stack Problems 45-9 Recovering from a Command Switch Failure 45-10 Replacing a Failed Command Switch with a Cluster MemberSwitchconfig# no cluster commander-address 45-11 Replacing a Failed Command Switch with Another Switch 45-12 Troubleshooting Power over Ethernet Switch Ports Recovering from Lost Cluster Member ConnectivityPreventing Autonegotiation Mismatches 45-13 Disabled Port Caused by False Link Up Disabled Port Caused by Power LossShow controllers power inline privileged Exec command SFP Module Security and Identification Using Ping Monitoring TemperatureMonitoring SFP Module Status Understanding Ping Executing Ping Switch# pingCharacter Description 45-16 Understanding Layer 2 Traceroute Using Layer 2 TracerouteUsage Guidelines 45-17 Displaying the Physical Path Using IP TracerouteUnderstanding IP Traceroute 45-18 Executing IP Traceroute Switch# traceroute ipTraceroute ip host Trace the path that packets take through the network 45-20 Using TDRUnderstanding TDR Enabling Debugging on a Specific Feature Using Debug CommandsRunning TDR and Displaying the Results 45-21 45-22 Enabling All-System DiagnosticsRedirecting Debug and Error Message Output Udp 10 Using the show platform forward Command45-23 45-24 45-25 Using the crashinfo FilesBasic crashinfo Files Extended crashinfo Files Using On-Board Failure LoggingUnderstanding Obfl 45-26 45-27 Configuring Obfl 45-28 Displaying Obfl InformationShow logging onboard module 46-1 Configuring Online DiagnosticsUnderstanding Online Diagnostics Scheduling Online Diagnostics Configuring Online DiagnosticsDiagnostic schedule switch Non-disruptive daily hhmm Diagnostic monitor interval switch Configuring Health-Monitoring DiagnosticsDiagnostic content command output Diagnostic monitor syslog Diagnostic monitor switch number test Diagnostic monitor threshold switchShow diagnostic content post result Schedule status switch Starting Online Diagnostic Tests Running Online Diagnostic TestsDiagnostic start switch number All basic non-disruptive 46-6 Displaying Online Diagnostic Tests and Test Results CISCO-FTP-CLIENT-MIB CISCO-HSRP-MIB Supported MIBsMIB List CISCO-RTTMON-MIB CISCO-SMI-MIB CISCO-IGMP-FILTER-MIBETHERLIKE-MIB IEEE8021-PAE-MIB IEEE8023-LAG-MIB IGMP-MIB INET-ADDRESS-MIB IPMROUTE-MIB TCP-MIB UDP-MIB Using FTP to Access the MIB Files Working with the Flash File System Displaying Available File Systems Switch# show file systems Field Value Setting the Default File System Displaying Information about Files on a File System Cd newconfigsChanging Directories and Displaying the Working Directory Pwd Copying Files Mkdir oldconfigsCreating and Removing Directories Creating, Displaying, and Extracting Files Switch# delete myconfigDeleting Files Archive /table source-url Archive /create destination-urlFlash Extract a file into a directory on the flash file system Archive /xtract source-urlDirectories are extracted More /ascii /binary /ebcdic Working with Configuration Files Configuration File Types and Location Guidelines for Creating and Using Configuration Files Copying Configuration Files By Using Tftp Creating a Configuration File By Using a Text Editor Uploading the Configuration File By Using Tftp Downloading the Configuration File By Using Tftp Copying Configuration Files By Using FTP Ip ftp username username Downloading a Configuration File By Using FTPIp ftp password password Ftp // username password @ location /directory Uploading a Configuration File By Using FTPFilename systemrunning-config Filename nvramstartup-config Copy systemrunning-config Copying Configuration Files By Using RCPCopy nvramstartup-config Ftp // username password @ location /directory Filename Hostname Switch1 Ip rcmd remote-username User0 Systemrunning-config Downloading a Configuration File By Using RCPNvramstartup-config Ip rcmd remote-username username Switch# copy nvramstartup-config rcp Clearing Configuration InformationUploading a Configuration File By Using RCP Working with Software Images Clearing the Startup Configuration FileDeleting a Stored Configuration File File Format of Images on a Server or Cisco.com Image Location on the Switch Field Description Copying Image Files By Using Tftp Downloading an Image File By Using Tftp Preparing to Download or Upload an Image File By Using Tftp Archive download-sw Allow-feature-upgrade /directoryOverwrite /reload Archive download-sw /directory Tftp //location /directory /image-name .tar Uploading an Image File By Using TftpArchive upload-sw Preparing to Download or Upload an Image File By Using FTP Copying Image Files By Using FTP Downloading an Image File By Using FTP Directory /overwrite /reload Archive download-sw /allow-feature-upgradeFor /directory /image-name1 .tar Directory /image-name2 .tar image-name3 .tar Uploading an Image File By Using FTP Copying Image Files By Using RCP Preparing to Download or Upload an Image File By Using RCP File By Using RCP section on page B-31 Downloading an Image File By Using RCP Or Upload an Image File By Using RCP section on Uploading an Image File By Using RCP Me.tar Copying an Image File from One Stack Member to AnotherRcp // username @ location /directory /image-na Destination-stack-member-number /force-reload Archive copy-sw /destination-systemSource-stack-member-number For /destination-system destination-stack-member-number Access Control Lists Unsupported Commands Cisco IOS Release 12.237SEUnsupported Privileged Exec Commands Unsupported Global Configuration Commands ARP Commands Archive CommandsBoot Loader Commands Debug Commands Bridge bridge-groupacquire Fallback BridgingBridge crb Bridge bridge-group domain domain-name bridge irb X25 map bridge x.121-address broadcast options-keywords Hsrp IP Multicast Routing Igmp Snooping CommandsInterface Commands Show ip pim vc group-address name type number Ip pim accept-rpaddress auto-rpgroup-access-list-numberShow ip rtp header-compression type number detail Ip multicast-routing vrf vrf-name IP Unicast Routing Unsupported Privileged Exec or User Exec Commands Unsupported Route Map Commands Unsupported BGP Router Configuration CommandsUnsupported VPN Configuration Commands Show cable-diagnostics prbs Test cable-diagnostics prbs MAC Address CommandsMiscellaneous Set tag tag-value Msdp NetFlow Commands Unsupported Global Configuration Command Network Address Translation NAT CommandsUnsupported Policy-Map Configuration Command QoS Unsupported User Exec Commands Unsupported Interface Configuration CommandUnsupported Privileged Exec Command Spanning Tree IN-1 Numerics IN-2 ACLs Eigrp CDP Lldp RIPHsrp TACACS+ IN-4 BGPCidr IN-5 Bpdu CEF CDPCgmp CLI IN-7 CNS IN-8 IN-9 DhcpDNS TACACS+ Udld SnmpVmps Wccp IN-11 Dhcp option IN-12 DTP IN-13 Dvmrp IN-14 Dynamic ARP inspection IN-15 Lacp IN-16 STPFIB IN-17 Mstp STPFTP IN-18 HttpsIcmp IN-19 Igmp IN-20 IN-21 IP addresses IN-22 Mbone IN-23 IGP IN-24 IP unicast routing IN-25 ISL IN-26 LLDP-MED IN-27 IN-28 MDAMhsrp IN-29 Msdp IST CSTMTU IN-30 IN-31 NAC IN-32 NSSA, Ospf IN-33 ObflPBR IN-34 PIM IN-35 Port-based authentication IN-36 PvidVvid IN-37 Private VLANs IN-38 QoS IN-39 IN-40 RCP RFC Radius TACACS+Rmon IN-41 Rspan RPSRstp IN-42 IN-43 SDM IN-44 Snmp IN-45 SpanSRR IN-46 SSLVTP IN-47 Stacks, switch IN-48 LLDP-MED Ospf IN-49 STP IN-50 IN-51 System message logging IN-52 IN-53 IN-54 IN-55 VLANs IN-56 VPNVQP IN-57 WTD IN-58

Cisco Systems 3750E Controlling Switch Access with Kerberos, Displaying the Radius Configuration

Models: 3750E

Command

configure terminal

radius-server host {hostname ip-address}non-standard

radius-server key string

show running-config

copy running-config startup-config

Displaying the RADIUS Configuration

Controlling Switch Access with Kerberos