SSL Configuration Guidelines

Chapter 9 Configuring Switch-Based Authentication

Configuring the Switch for Secure Socket Layer HTTP

When SSL is used in a switch cluster, the SSL session terminates at the cluster commander. Cluster member switches must run standard HTTP.

Before you configure a CA trustpoint, you should ensure that the system clock is set. If the clock is not set, the certificate is rejected due to an incorrect date.

In a Catalyst 3750-E switch stack, the SSL session terminates at the stack master.

Configuring a CA Trustpoint

For secure HTTP connections, we recommend that you configure an official CA trustpoint.

A CA trustpoint is more secure than a self-signed certificate.

Beginning in privileged EXEC mode, follow these steps to configure a CA trustpoint:

	Command	Purpose
Step 1
Step 1	configure terminal	Enter global configuration mode.
Step 2
Step 2	hostname hostname	Specify the hostname of the switch (required only if you have not
		previously configured a hostname). The hostname is required for security
		keys and certificates.
Step 3
Step 3	ip domain-name domain-name	Specify the IP domain name of the switch (required only if you have not
		previously configured an IP domain name). The domain name is required
		for security keys and certificates.
Step 4
Step 4	crypto key generate rsa	(Optional) Generate an RSA key pair. RSA key pairs are required before
		you can obtain a certificate for the switch. RSA key pairs are generated
		automatically. You can use this command to regenerate the keys, if
		needed.
Step 5
Step 5	crypto ca trustpoint name	Specify a local configuration name for the CA trustpoint and enter CA
		trustpoint configuration mode.
Step 6
Step 6	enrollment url url	Specify the URL to which the switch should send certificate requests.
Step 7
Step 7	enrollment http-proxy host-name	(Optional) Configure the switch to obtain certificates from the CA
	port-number	through an HTTP proxy server.
Step 8
Step 8	crl query url	Configure the switch to request a certificate revocation list (CRL) to
		ensure that the certificate of the peer has not been revoked.
Step 9
Step 9	primary	(Optional) Specify that the trustpoint should be used as the primary
		(default) trustpoint for CA requests.
Step 10
Step 10	exit	Exit CA trustpoint configuration mode and return to global configuration
		mode.
Step 11
Step 11	crypto ca authentication name	Authenticate the CA by getting the public key of the CA. Use the same
		name used in Step 5.
Step 12
Step 12	crypto ca enroll name	Obtain the certificate from the specified CA trustpoint. This command
		requests a signed certificate for each RSA key pair.
Step 13
Step 13	end	Return to privileged EXEC mode.
Step 14
Step 14	show crypto ca trustpoints	Verify the configuration.
Step 15
Step 15	copy running-config startup-config	(Optional) Save your entries in the configuration file.

		Catalyst 3750-E and 3560-E Switch Software Configuration Guide


OL-9775-02			9-45
OL-9775-02			9-45

Page 247

Image 247

Cisco Systems 3750E manual SSL Configuration Guidelines, Configuring a CA Trustpoint

Contents

Text Part Number OL-9775-02 Americas HeadquartersPage Iii N T E N T S Assigning the Switch IP Address and Default Gateway Understanding Cisco Configuration Engine Software Clustering Switches Vii Catalyst 1900 and Catalyst 2820 CLI Considerations Viii Creating a Banner Changing the Default Privilege Level for Lines Device Roles Bypass Xii Routed Ports Xiii Monitoring and Maintaining the Interfaces Xiv Encapsulation Types Domain Names Xvi Private-VLAN Configuration Guidelines Xvii Disabled State Xviii Boundary Ports 19-25 Xix Dhcp Server Xxi Configuring Dynamic ARP Inspection Xxii Configuring MVR Xxiii Understanding Storm Control Xxiv Understanding Udld Modes of Operation Xxv Creating an Rspan Source Session Xxvi Snmp Agent Functions Xxvii Creating a Numbered Extended ACL Xxviii Interaction with Other Features and Switches Xxix Xxx Port-Channel Interfaces Xxxi Configuring IP Addressing Xxxii Nonstop Forwarding Awareness Xxxiii IPv6 Addresses Xxxiv Configuring Hsrp Priority Xxxv Configuring IP Multicast Routing Xxxvi Configuring Basic Dvmrp Interoperability Features Xxxvii Using a Filter 45-14 Xxxviii Xxxix Configuring Online Diagnostics Unsupported Route-Map Configuration Commands C-1 Xli Hsrp Xlii VTP Conventions PrefaceAudience Purpose Xliv Related Publications Xlv Xlvi Overview Features Availability and Redundancy Features, Vlan Features, Deployment Features Overview Features Performance Features Management Options Manageability Features Availability and Redundancy Features Security Features Vlan Features Overview Features QoS and CoS Features Layer 3 Features Power over Ethernet Features Monitoring Features Default Settings After Initial Switch ConfigurationVlan Overview Default Settings After Initial Switch Configuration Overview Default Settings After Initial Switch Configuration Design Concepts for Using the Switch Network Configuration Examples Network Demands Suggested Design Methods Cost-Effective Wiring Closet High-Performance Wiring Closet High-Performance Workgroup Gigabit-to-the-Desktop Redundant Gigabit Backbone Server Aggregation Linux Server Cluster Cisco SoftPhone Software Gigabit servers Internet Cisco 2600 or 3700 routers Catalyst 3560-E switches Large Network Using Catalyst 3750-E and 3560-E Switches Cisco 7x00 routers Catalyst Catalyst 3560-E Multidwelling Network Using Catalyst 3750-E Switches 11 Catalyst 3750-E Switches in a MAN Configuration Long-Distance, High-Bandwidth Transport Configuration Access layer Aggregation layer Where to Go Next OL-9775-02 Understanding Command Modes Using the Command-Line Interface Ctrl-Z Mode Access Method Prompt Exit Method About This ModeConfigure Quit Line vty or line Console commandCommand Purpose Understanding the Help System Command keyword ? Understanding Abbreviated CommandsUnderstanding no and default Forms of Commands Command ? Using Configuration Logging Understanding CLI Error MessagesError Message Meaning How to Get Help Action1 Result Using Command HistoryChanging the Command History Buffer Size Recalling Commands Switch# terminal editing Using Editing FeaturesDisabling the Command History Feature Enabling and Disabling Editing Features Capability Keystroke1 Purpose Editing Commands through Keystrokes Return and Space bar Editing Command Lines that WrapPress Ctrl-L or Ctrl-R Command begin include exclude regular-expression Accessing the CLISwitch# show interfaces include protocol Using the Command-Line Interface Accessing the CLI OL-9775-02 Understanding the Boot Process Assigning the Switch IP Address and Default Gateway Assigning Switch Information Understanding DHCP-Based Autoconfiguration Default Switch InformationFeature Default Setting Dhcp Client and Server Message Exchange Dhcp Client Request Process Dhcp Server Configuration Guidelines Configuring DHCP-Based Autoconfiguration Configuring the DNS Configuring the Tftp Server Obtaining Configuration Files Configuring the Relay DeviceRouterconfig-if#ip helper-address Tftpserver Example Configuration Dhcp Client Configuration Switch a Switch B Switch C Switch DDNS Server Configuration Tftp Server Configuration on Unix Manually Assigning IP Information Switch# show running-config Checking and Saving the Running ConfigurationSwitch# copy running-config startup-config Default Boot Configuration Modifying the Startup ConfigurationAutomatically Downloading a Configuration File Configure terminal Enter global configuration mode Booting ManuallyBoot config-file flash/ file-url Show boot Boot system filesystem /file-url Booting a Specific Software Image Controlling Environment Variables Boot system switch number all Set Switchpriority Set Manualboot yes Boot manualSet Switchnumber Switch current-stack-member-number renumber Reload in hhmm text Configuring a Scheduled ReloadScheduling a Reload of the Software Image Variable Description Switch# reload at 0200 jun Switch# reload atDisplaying Scheduled Reload Information Understanding Cisco Configuration Engine Software Configuring Cisco IOS CNS Agents Configuration Engine Architectural Overview Configuration Service NameSpace Mapper Event ServiceConfigID What You Should Know About the CNS IDs and Device Hostnames DeviceID Using Hostname, DeviceID, and ConfigIDHostname and DeviceID Understanding Cisco IOS Agents Initial Configuration Enabling Automated CNS Configuration Configuring Cisco IOS AgentsIncremental Partial Configuration Synchronized Configuration Device Required Configuration Show cns event connections Backup init-retry retry-count keepalive secondsShow running-config Enabling the CNS Event Agent Enabling the Cisco IOS CNS Agent Enabling an Initial Configuration Cns id hardware-serial hostname string string Cns config initial ip-address hostnameCns id interface num dns-reverse ipaddress Mac-address event Show cns config stats Enabling a Partial ConfigurationShow running-config Verify your entries Cns config partial ip-address hostname Show cns event subject Displaying CNS ConfigurationShow cns config connections Show cns event stats Understanding Switch Stacks Managing Switch Stacks Managing Switch Stacks Understanding Switch Stacks Switch Stack Membership Creating a Switch Stack from Two Standalone Switches Stack Master Election and Re-Election Adding a Standalone Switch to a Switch Stack Stack Member Numbers Switch Stack Bridge ID and Router MAC Address Stack Member Priority Values Effects of Adding a Provisioned Switch to a Switch Stack Switch Stack Offline ConfigurationScenario Result Scenario Result Effects of Replacing a Provisioned Switch in a Switch Stack Switch Stack Software Compatibility Recommendations Minor Version Number Incompatibility Among Switches Major Version Number Incompatibility Among SwitchesStack Protocol Version Compatibility Understanding Auto-Upgrade and Auto-Advise Switch Auto-Upgrade and Auto-Advise Example MessagesDirectory Mar 1 000422.537%IMAGEMGR-6-AUTOADVISESW Switch Stack Configuration Files Incompatible Software and Stack Member Image Upgrades Switch Stack Management Connectivity Connectivity to the Switch Stack Through an SSH Session Connectivity to the Switch Stack Through an IP AddressConnectivity to Specific Stack Members Use the switch stack-member-number Switch Stack Configuration ScenariosPriority new-priority-number global Current-stack-member-number Renumber new-stack-member-number Default Switch Stack Configuration Configuring the Switch StackEnabling Persistent MAC Address Time-value Stack-mac persistent timerShow switch Switchconfig# stack-mac persistent timer Assigning Stack Member Information Setting the Stack Member Priority ValueAssigning a Stack Member Number Provisioning a New Member for a Switch Stack Show switch stack-member-number Accessing the CLI of a Specific Stack MemberDisplaying Switch Stack Information Command Description Show switch stack-ring activity Show switch stack-portsDetail OL-9775-02 Understanding Switch Clusters Clustering Switches Switch Cisco IOS Release Cluster Capability Standby Cluster Command Switch Characteristics Cluster Command Switch Characteristics Candidate Switch and Cluster Member Switch Characteristics Planning a Switch Cluster Discovery Through CDP Hops Automatic Discovery of Cluster Candidates and Members Discovery Through CDP Hops Discovery Through Different VLANs Discovery Through Different VLANs Discovery Through Different Management VLANs Discovery Through Routed Ports New out-of-box Discovery of Newly Installed Switches Hsrp and Standby Cluster Command Switches Other Considerations for Cluster Standby Groups Virtual IP Addresses Automatic Recovery of Cluster Configuration Hostnames IP Addresses Snmp Community Strings Passwords Switch Stack Switch Cluster Switch Clusters and Switch StacksMembers Other cluster member switches LRE Profiles TACACS+ and Radius Switch# rcommand Using the CLI to Manage Switch ClustersCatalyst 1900 and Catalyst 2820 CLI Considerations Snmp Management for a Cluster Using Snmp to Manage Switch Clusters OL-9775-02 Managing the System Time and Date Administering the SwitchUnderstanding the System Clock NTP Understanding Network Time Protocol Typical NTP Network Configuration Configuring NTP Configuring NTP Authentication Default NTP ConfigurationNtp authenticate Configuring NTP Associations Key keyid source interface prefer Configuring NTP Broadcast ServiceSwitchconfig# ntp server 172.16.22.44 version Ntp peer ip-address version number Ntp broadcast client Interface interface-idNtp broadcast version number key keyid Destination-address Serve-onl y serve peer Configuring NTP Access RestrictionsNtp broadcastdelay microseconds Ntp access-group query-only Command Purpose Interface interface-id Configuring the Source IP Address for NTP Packets Fundamentals Command Reference, Release Configuring Time and Date ManuallyDisplaying the NTP Configuration Setting the System Clock Minutes-offset Displaying the Time and Date ConfigurationConfiguring the Time Zone Clock timezone zone hours-offset Hh mm offset Configuring Summer Time Daylight Saving TimeClock summer-time zone recurring Week day month hh mm week day month Clock summer-time zone date month Configuring a System Name and PromptClock summer-time zone date date Understanding DNS Default System Name and Prompt ConfigurationConfiguring a System Name Copy running-config startup-confi g Ip name-server server-address1 Default DNS ConfigurationSetting Up DNS Ip domain-name name Displaying the DNS Configuration Default Banner ConfigurationCreating a Banner Banner motd c message c Configuring a Message-of-the-Day Login BannerUnix telnet Banner login c message c Configuring a Login BannerManaging the MAC Address Table MAC Addresses and VLANs Building the Address Table Default MAC Address Table Configuration MAC Addresses and Switch StacksChanging the Address Aging Time Show mac address-table aging-time Configuring MAC Address Notification TrapsRemoving Dynamic Address Entries Mac address-table aging-time Mac address-table notification String by using the snmp-server communitySnmp-server enable traps mac-notification Snmp-server host host-addr traps informs version Adding and Removing Static Address Entries Show mac address-table static Configuring Unicast MAC Address FilteringMac address-table static mac-addr Vlan vlan-id interface interface-id Vlan vlan-id drop Displaying Address Table Entries Managing the ARP Table OL-9775-02 Understanding the SDM Templates Configuring SDM Templates Dual IPv4 and IPv6 SDM Templates Resource Access Default Routing IPv4-and-IPv6 Resource Default Routing SDM Templates and Switch Stacks Default SDM Template Configuring the Switch SDM TemplateSDM Template Configuration Guidelines Vlan routing vlan Setting the SDM TemplateSdm prefer access default Dual-ipv4-and-ipv6 default routing Switchconfig# sdm prefer dual-ipv4-and-ipv6 default Switchconfig# sdm prefer routingDisplaying the SDM Templates Policy based routing aces 25K OL-9775-02 Preventing Unauthorized Access to Your Switch Configuring Switch-Based Authentication Default Password and Privilege Level Configuration Protecting Access to Privileged Exec Commands Enable password password Setting or Changing a Static Enable PasswordSwitchconfig# enable password l1u2c3k4y5 Service password-encryption Enable password level level passwordEncryption-type encrypted-password Enable secret level level password No service password-recovery Disabling Password RecoveryShow version Switchconfig-line#password let45me67in89 Setting a Telnet Password for a Terminal LineConfiguring Username and Password Pairs Password password Username name privilege level Configuring Multiple Privilege LevelsUsername command Login local Privilege mode level level command Setting the Privilege Level for a CommandShow privilege Command Changing the Default Privilege Level for LinesLogging into and Exiting a Privilege Level Understanding TACACS+ Controlling Switch Access with TACACS+ Typical TACACS+ Network Configuration TACACS+ Operation Configuring TACACS+ Aaa group server tacacs+ group-name Default TACACS+ ConfigurationTacacs-server host hostname port Aaa new-model Aaa new-model Enable AAA Configuring TACACS+ Login AuthenticationShow tacacs Verify your entries Line console tty vty line-number Aaa authentication login defaultLogin authentication default Authentication login command Show running-config Verify your entries Displaying the TACACS+ Configuration Controlling Switch Access with RadiusStarting TACACS+ Accounting Understanding Radius Radius Operation Transitioning from Radius to TACACS+ Services Default Radius Configuration Configuring RadiusIdentifying the Radius Server Host Page Seconds retransmit retries key Acct-port port-number timeoutRadius-server host hostname Ip-address auth-port port-number Switchconfig# radius-server host host1 Configuring Radius Login Authentication Server Host section on Defining AAA Server Groups Aaa group server radius group-name Radius Aaa authorization network radius Starting Radius Accounting Radius-server retransmit retries Configuring Settings for All Radius ServersRadius-server timeout seconds Radius-server key string Cisco-avpair=ipoutacl#2=deny ip 10.10.10.10 0.0.255.255 any AuthenticationRadius-server vsa send accounting Cisco-avpair=shellpriv-lvl=15 Displaying the Radius Configuration Controlling Switch Access with KerberosRadius-server host hostname ip-address non-standard Understanding Kerberos KDC Term Definition Srvtab Authenticating to a Boundary SwitchKerberos Operation Keytab Authenticating to Network Services Configuring KerberosObtaining a TGT from a KDC Aaa authorization exec local Aaa authentication login default localAaa authorization network local Username command Configuring the Switch for Secure ShellUsername name privilege level SSH Servers, Integrated Clients, and Supported Versions Understanding SSH Configuration Guidelines Configuring SSHLimitations Setting Up the Switch to Run SSH Authentication-retries number Displaying the SSH Configuration and StatusConfiguring the SSH Server Ip ssh timeout seconds Understanding Secure Http Servers and Clients Configuring the Switch for Secure Socket Layer HttpCertificate Authority Trustpoints Rsakeypair TP-self-signed-3080755072 Default SSL Configuration Configuring Secure Http Servers and ClientsCipherSuites Configuring a CA Trustpoint SSL Configuration Guidelines Configuring the Secure Http Server Ip http client secure-trustpoint name Configuring the Secure Http ClientIp http timeout-policy idle seconds life Show ip http server secure status Show ip http client secure status Configuring the Switch for Secure Copy ProtocolDisplaying Secure Http Server and Client Status Ip http client secure-ciphersuite Html Information About Secure Copy OL-9775-02 Understanding Ieee 802.1x Port-Based Authentication Configuring Ieee 802.1x Port-Based Authentication10-1 10-2 Device Roles 10-3 Authentication Process 10-4 Authentication Flowchart 10-5 Authentication Initiation and Message Exchange EAPOL-Start 10-6 Ports in Authorized and Unauthorized States Ieee 802.1x Authentication and Switch Stacks10-7 10-8 Ieee 802.1x Host Mode 10-9 Ieee 802.1x AccountingIeee 802.1x Accounting Attribute-Value Pairs Attribute Number AV Pair Name 10-10 Using Ieee 802.1x Authentication with Vlan Assignment 10-11 Using Ieee 802.1x Authentication with Per-User ACLs 10-12 Using Ieee 802.1x Authentication with Guest Vlan 10-13 Using Ieee 802.1x Authentication with Restricted Vlan 10-14 10-15 Using Ieee 802.1x Authentication with Voice Vlan Ports 10-16 Using Ieee 802.1x Authentication with Port Security 10-17 Using Ieee 802.1x Authentication with Wake-on-LAN 10-18 Network Admission Control Layer 2 Ieee 802.1x Validation Using Multidomain Authentication10-19 For example Using Web Authentication10-20 10-21 Configuring Ieee 802.1x Authentication AAA Default Ieee 802.1x Authentication Configuration10-22 Ieee 802.1x Authentication Ieee 802.1x Authentication Configuration Guidelines10-23 10-24 MAC Authentication Bypass Configuring Ieee 802.1x Authentication10-25 10-26 Configuring the Switch-to-RADIUS-Server Communication 10-27 Ip-address auth-port port-number key Show dot1x interface interface-id Configuring the Host ModeDot1x host-mode multi-host Multi-domain Manually Re-Authenticating a Client Connected to a Port Configuring Periodic Re-Authentication10-29 Show dot1x interface interface-id Verify your entries Changing the Switch-to-Client Retransmission TimeDot1x timeout tx-period seconds Changing the Quiet Period Dot1x max-reauth-req count Setting the Switch-to-Client Frame-Retransmission NumberSwitchconfig-if#dot1x timeout tx-period Show dot1xinterface interface-id Verify your entries 10-32 Setting the Re-Authentication NumberConfiguring Ieee 802.1x Accounting Switchconfig-if#dot1x max-reauth-req 10-33 Configuring a Guest Vlan Dot1x guest-vlan vlan-id Configuring a Restricted VlanSwitchport mode private-vlan host Switchconfig# interface gigabitethernet2/0/2 10-35 Dot1x auth-fail vlan vlan-idDot1x auth-fail max-attempts max Attempts Tries tries Configuring the Inaccessible Authentication Bypass FeatureSwitchconfig-if#dot1x auth-fail max-attempts Radius-server dead-criteria time time 10-37 Show dot1x interface interface-id Configuring Ieee 802.1x Authentication with WoLDot1x critical recovery action Reinitialize vlan vlan-id Dot1x control-direction both Configuring MAC Authentication BypassSwitchconfig-if#dot1x control-direction both Switchconfig-if#dot1x mac-auth-bypass 10-40 Configuring NAC Layer 2 Ieee 802.1x Validation 10-41 Configuring Web Authentication 10-42 10-43 Disabling Ieee 802.1x Authentication on the PortNo dot1x pae Disable Ieee 802.1x authentication on the port Dot1x fallback fallback-profile 10-44 Displaying Ieee 802.1x Statistics and Status Understanding Interface Types Configuring Interface Characteristics11-1 Port-Based VLANs Switch Ports11-2 Trunk Ports Access Ports11-3 Tunnel Ports Routed Ports11-4 EtherChannel Port Groups Switch Virtual Interfaces11-5 11-6 Power over Ethernet PortsGigabit Ethernet Interfaces Supported Protocols and Standards Class Powered-Device Detection and Initial Power Allocation11-7 11-8 Power Management Modes 11-9 Power Monitoring and Power Policing 11-10 Maximum Power Allocation Cutoff Power on a PoE Port 11-11 Connecting Interfaces 11-12 Ethernet Management Port 11-13 Connecting a Switch Stack to a PC 11-14 Tftp Mgmtclr Using Interface Configuration ModeMgmtinit Mgmtshow 11-16 Procedures for Configuring Interfaces Show interfaces interface-id Configuring a Range of InterfacesInterface range port-range macro Macroname 11-18 Interface range macro macroname Configuring and Using Interface Range MacrosShow running-config include define Define interface-range macroname 11-20 Configuring Ethernet InterfacesSwitch# show running-config include define Switch# show run include define 11-21 Default Ethernet Interface Configuration Speed and Duplex Configuration Guidelines Configuring Interface Speed and Duplex Mode11-22 Duplex auto full half Setting the Interface Speed and Duplex ParametersSpeed 10 100 1000 auto 10 Nonegotiate Flowcontrol receive on off desired Configuring Ieee 802.3x Flow Control11-24 11-25 Configuring Auto-MDIX on an InterfaceLocal Side Auto-MDIX With Correct Cabling Interface-id phy Configuring a Power Management Mode on a PoE Port11-26 Neve r static max max-wattage Budgeting Power for Devices Connected to a PoE PortPower inline auto max max-wattage Show power inline i nterface-id 11-28 Wattage 11-29 Configuring Power Policing 11-30 Adding a Description for an Interface 11-31 Configuring Layer 3 InterfacesConfiguring Ethernet Management Ports Switch# show interfaces gigabitethernet1/0/2 description 11-32 No switchportInterface gigabitethernet interface-id vlan vlan-id No shutdown 11-33 Configuring the System MTU 11-34 Use the system mtu jumbo Use the system mtu routingSystem mtu jumbo bytes System mtu routing bytes Show system mtu Configuring the Cisco Redundant Power SystemSystem mtu bytes Reload 11-36 Power rps switch-number name string serialnumberPower rps switch-number port rps-port-id mode active Standby Show env rps Configuring the Power SuppliesPower supply switch-numberoff on Show env power Monitoring Interface Status Monitoring and Maintaining the Interfaces11-38 11-39 Clearing and Resetting Interfaces and Counters 11-40 Shutting Down and Restarting the InterfaceInterface vlan vlan-id gigabitethernet interface-id Shutdown Understanding Smartports Macros Configuring Smartports Macros12-1 12-2 Configuring Smartports MacrosDefault Smartports Macro Configuration Macro Name Description 12-3 Smartports Macro Configuration Guidelines Show parser macro name macro-name Creating Smartports MacrosMacro name macro-name Name Sample-Macro and macro name sample-macro will result 12-5 Applying Smartports Macros 12-6 Applying Cisco-Default Smartports MacrosShow parser macro Show parser macro macro-name Switchconfig-if#macro apply cisco-desktop $AVID Switch# show parser macro cisco-desktop12-7 12-8 Displaying Smartports MacrosShow parser macro brief Show parser macro description interface Understanding VLANs Configuring VLANs13-1 13-2 Vlan Port Membership Modes Supported VLANs13-3 13-4 Configuring Normal-Range VLANs 13-5 Vlan ID Token Ring VLANs Normal-Range Vlan Configuration Guidelines13-6 Vlan Configuration in Vlan Database Configuration Mode Vlan Configuration Mode OptionsSaving Vlan Configuration Vlan Configuration in config-vlan Mode 13-8 Default Ethernet Vlan ConfigurationParameter Default Range VLANxxxx, where 13-9 Copy running-config startup configCreating or Modifying an Ethernet Vlan Remote-span Vlan database Deleting a Vlan13-10 Show vlan brief Assigning Static-Access Ports to a VlanSwitchport access vlan vlan-id No vlan vlan-id Vlan fields of the display Configuring Extended-Range VLANsDefault Vlan Configuration Show interfaces interface-id switchport 13-13 Extended-Range Vlan Configuration Guidelines 13-14 Vtp mode transparentCreating an Extended-Range Vlan Show vlan id vlan-id Show vlan internal usage Switchconfig# vtp mode transparentSwitch# copy running-config startup config Creating an Extended-Range Vlan with an Internal Vlan ID Trunking Overview Configuring Vlan TrunksCommand Command Mode Purpose Displaying VLANs 13-17 Switches in an ISL Trunking Environment 13-18 Mode FunctionEncapsulation Types Encapsulation Function 13-19 Default Layer 2 Ethernet Interface Vlan ConfigurationConfiguring an Ethernet Interface as a Trunk Port Ieee 802.1Q Configuration Considerations 13-20 Interaction with Other FeaturesConfiguring a Trunk Port Dot1q negotiate 13-21 Defining the Allowed VLANs on a Trunk 13-22 Switchport trunk allowed vlan addChanging the Pruning-Eligible List All except remove vlan-list Vlan ,vlan Configuring the Native Vlan for Untagged TrafficSwitchport trunk pruning vlan add Except none remove vlan-list 13-24 Configuring Trunk Ports for Load SharingLoad Sharing Using STP Port Priorities Switchport trunk native vlan vlan-id 13-25 Exit Return to global configuration mode Load Sharing Using STP Path CostOr switch stack Connect to the trunk ports configured on Switch a Spanning-tree vlan 2-4 cost Switchport trunk encapsulationInterface gigabitethernet1/0/1 Isl dot1q negotiate Understanding Vmps Configuring Vmps13-28 13-29 Default Vmps Client ConfigurationVmps Configuration Guidelines Dynamic-Access Port Vlan Membership Entering the IP Address of the Vmps Configuring the Vmps Client13-30 Vmps reconfirm Configuring Dynamic-Access Ports on Vmps ClientsSwitchport access vlan dynamic Reconfirming Vlan Memberships 13-32 Changing the Reconfirmation IntervalChanging the Retry Count Vmps reconfirm minutes Monitoring the Vmps Troubleshooting Dynamic-Access Port Vlan MembershipVmps Configuration Example Switch# show vmps 13-34 Dynamic Port Vlan Membership Configuration Understanding VTP Configuring VTP14-1 14-2 VTP Domain 14-3 VTP Mode DescriptionVTP Modes VTP Advertisements VTP Pruning VTP Version14-4 Vlan 14-5 VTP and Switch Stacks Configuring VTP14-6 14-7 Default VTP ConfigurationVTP Configuration Options VTP Configuration in Global Configuration Mode Domain Names VTP Configuration GuidelinesVTP Configuration in Vlan Database Configuration Mode Passwords 14-9 Configuring a VTP ServerConfiguration Requirements VTP Version Vtp server Vtp password passwordVtp password password Show vtp status 14-11 Configuring a VTP ClientVtp mode client Switch# vlan database 14-12 Disabling VTP VTP Transparent Mode Vtp version Enabling VTP Version14-13 14-14 Adding a VTP Client Switch to a VTP DomainEnabling VTP Pruning Vtp pruning 14-15 14-16 Monitoring VTP Understanding Voice Vlan Configuring Voice Vlan15-1 Cisco IP Phone Data Traffic Cisco IP Phone Voice Traffic15-2 15-3 Configuring Voice VlanDefault Voice Vlan Configuration Voice Vlan Configuration Guidelines 15-4 Configuring a Port Connected to a Cisco 7960 IP Phone 15-5 Configuring Cisco IP Phone Voice Traffic 15-6 Configuring the Priority of Incoming Data Frames 15-7 Displaying Voice Vlan 15-8 Understanding Private VLANs Configuring Private VLANs16-1 Private-VLAN Domain 16-2 16-3 IP Addressing Scheme with Private VLANs Private-VLAN Interaction with Other Features Private VLANs across Multiple Switches16-4 Private VLANs and SVIs Private VLANs and Unicast, Broadcast, and Multicast Traffic16-5 16-6 Configuring Private VLANsTasks for Configuring Private VLANs Private VLANs and Switch Stacks 16-7 Default Private-VLAN ConfigurationPrivate-VLAN Configuration Guidelines Secondary and Primary Vlan Configuration 16-8 Private-VLAN Port Configuration 16-9 Limitations with Other Features 16-10 Configuring and Associating VLANs in a Private Vlan Show interfaces status Show vlan private-vlan type16-11 Primaryvlanid secondaryvlanid Configuring a Layer 2 Interface as a Private-VLAN Host PortSwitchport private-vlan host-association Switch# show interfaces gigabitethernet1/0/22 switchport 16-13 Switchport mode private-vlan promiscuousSwitchport private-vlan mapping primaryvlanid Add remove secondaryvlanlist Show interface private-vlan mapping Switch# show interfaces private-vlan mappingInterface vlan primaryvlanid Private-vlan mapping add remove 16-15 Monitoring Private VLANs 16-16 Understanding Ieee 802.1Q Tunneling Configuring Ieee 802.1Q and Layer 2 Protocol Tunneling17-1 17-2 Ieee 802.1Q Tunnel Ports in a Service-Provider Network 17-3 Native VLANs Configuring Ieee 802.1Q TunnelingDefault Ieee 802.1Q Tunneling Configuration Ieee 802.1Q Tunneling Configuration Guidelines 17-5 System MTU 17-6 Ieee 802.1Q Tunneling and Other Features Show vlan dot1q tag native Configuring an Ieee 802.1Q Tunneling PortVlan dot1q tag native Show dot1q-tunnel 17-8 Understanding Layer 2 Protocol Tunneling Layer 2 Protocol Tunneling 17-9 17-10 Configuring Layer 2 Protocol Tunneling 17-11 Default Layer 2 Protocol Tunneling Configuration 17-12 Layer 2 Protocol Tunneling Configuration Guidelines 17-13 Configuring Layer 2 Protocol Tunneling Pagp lacp udld Configuring Layer 2 Tunneling for EtherChannelsConfiguring the SP Edge Switch L2protocol-tunnel point-to-point 17-15 17-16 Configuring the Customer Switch Switchconfig# interface port-channel Switchconfig-if#channel-group 1 mode desirable17-17 17-18 Monitoring and Maintaining Tunneling Status Understanding Spanning-Tree Features Configuring STP18-1 18-2 STP Overview 18-3 Spanning-Tree Topology and BPDUs 18-4 Bridge ID, Switch Priority, and Extended System ID 32768 16384 8192 4096 2048 1024 512 256 128 Switch Priority ValueSpanning-Tree Interface States Bit 18-6 2illustrates how an interface moves through the states Forwarding State Blocking StateListening State Learning State Disabled State How a Switch or Port Becomes the Root Switch or Root Port18-8 18-9 Spanning Tree and Redundant ConnectivitySpanning-Tree Address Management Accelerated Aging to Retain Connectivity Supported Spanning-Tree Instances Spanning-Tree Modes and Protocols18-10 Rapid PVST+ Spanning-Tree Interoperability and Backward CompatibilitySTP and Ieee 802.1Q Trunks VLAN-Bridge Spanning Tree Spanning Tree and Switch Stacks Configuring Spanning-Tree Features18-12 Spanning-Tree Configuration Guidelines Default Spanning-Tree Configuration18-13 18-14 18-15 Changing the Spanning-Tree Mode 18-16 Configuring the Root SwitchDisabling Spanning Tree Show spanning-tree vlan vlan-id Verify your entries 18-17 Spanning-tree vlan vlan-id root primaryDiameter net-diameter hello-time seconds Show spanning-tree detail Diameter net-diameter hello-time Configuring a Secondary Root SwitchConfiguring Port Priority Spanning-tree vlan vlan-id root secondary Show spanning-tree vlan vlan-id Spanning-tree port-priority prioritySpanning-tree vlan vlan-id port-priority priority Show spanning-tree interface interface-id Spanning-tree vlan vlan-id cost cost Configuring Path CostPort-channel-number Spanning-tree cost cost Spanning-tree vlan vlan-id priority priority Configuring the Switch Priority of a Vlan18-21 18-22 Configuring Spanning-Tree TimersConfiguring the Hello Time Spanning-tree vlan vlan-id hello-time seconds Spanning-tree vlan vlan-idmax-age seconds Configuring the Forwarding-Delay Time for a VlanConfiguring the Maximum-Aging Time for a Vlan Spanning-tree vlan vlan-id forward-time 18-24 Configuring the Transmit Hold-CountDisplaying the Spanning-Tree Status Show spanning-tree detail Verify your entries 19-1 Configuring Mstp Multiple Spanning-Tree Regions Understanding Mstp19-2 Operations Within an MST Region IST, CIST, and CST19-3 19-4 Operations Between MST Regions 19-5 Hop CountIeee 802.1s Terminology Cisco Prestandard Cisco Standard Ieee 802.1s Implementation Boundary Ports19-6 Port Role Naming Change Interoperation Between Legacy and Standard Switches19-7 Detecting Unidirectional Link Failure Mstp and Switch Stacks19-8 19-9 Understanding RstpInteroperability with Ieee 802.1D STP Port Roles and the Active Topology 19-10 Rapid Convergence 19-11 Synchronization of Port Roles Bit Function Bridge Protocol Data Unit Format and Processing19-12 19-13 Topology ChangesProcessing Superior Bpdu Information Processing Inferior Bpdu Information 19-14 Configuring Mstp Features Mstp Configuration Guidelines Default Mstp Configuration19-15 Name name Specifying the MST Region Configuration and Enabling MstpSpanning-tree mst configuration Instance instance-id vlan vlan-range Exit Spanning-tree mode mstRevision version Show pending 19-18 Spanning-tree mst instance-id root primary 19-19 Show spanning-tree mst interface interface-id Spanning-tree mst instance-id port-priority priority19-20 19-21 Spanning-tree mst instance-id cost cost 19-22 Configuring the Switch PriorityConfiguring the Hello Time Spanning-tree mst instance-id priority priority Show spanning-tree mst Configuring the Forwarding-Delay TimeShow spanning-tree mst Verify your entries Spanning-tree mst forward-time seconds Spanning-tree mst max-age seconds Configuring the Maximum-Aging TimeConfiguring the Maximum-Hop Count Specifying the Link Type to Ensure Rapid Transitions 19-25 Designating the Neighbor Type Restarting the Protocol Migration Process Displaying the MST Configuration and Status19-26 Understanding Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features20-1 Understanding Bpdu Guard Understanding Port Fast20-2 Understanding UplinkFast Understanding Bpdu Filtering20-3 20-4 Switches in a Hierarchical Network 20-5 Understanding Cross-Stack UplinkFast 20-6 How Csuf Works Events that Cause Fast Convergence Understanding BackboneFast20-7 BackboneFast Example Before Indirect Link Failure 20-8 20-9 Adding a Switch in a Shared-Medium Topology Understanding Root Guard Understanding EtherChannel Guard20-10 20-11 Understanding Loop Guard 20-12 Default Optional Spanning-Tree ConfigurationOptional Spanning-Tree Configuration Guidelines Enabling Port Fast Portfast Spanning-tree portfast trunk interface configurationEnabling Bpdu Guard Spanning-tree portfast trunk Enabling Bpdu Filtering Spanning-tree portfast Enable the Port Fast feature20-14 20-15 Enabling UplinkFast for Use with Redundant Links Enabling BackboneFast Spanning-tree uplinkfast max-update-rateUplinkfast command Enabling Cross-Stack UplinkFast 20-17 Spanning-tree backbonefast Enable BackboneFastEnabling EtherChannel Guard Show spanning-tree summary Verify your entries Enabling Loop Guard Enabling Root Guard20-18 20-19 20-20 21-1 Flex Links Vlan Flex Link Load Balancing and Support Switchport backup interface preemption delay commands21-2 21-3 MAC Address-Table Move Update 21-4 MAC Address-Table Move Update Example Default Configuration Configuration Guidelines21-5 Switch# show interface switchport backup Configuring Flex LinksSwitchport backup interface interface-id Show interface interface-id switchport backup 21-7 Switchport backup interface interface-id preemptionMode forced bandwidth off Delay delay-time Switch#show interfaces switchport backup Configuring Vlan Load Balancing on Flex LinksSwitchport backup interface interface-id prefer vlan Show interfaces interface-id switchport backup 21-9 Configuring the MAC Address-Table Move Update FeatureSwitchport backup interface interface-idmmu Primary vlan vlan-id 21-10 End Return to global configuration modeSwitchconf# mac address-table move update transmit Switch# show mac-address-table move update 21-11 Monitoring Flex Links and the MAC Address-Table Move Update 21-12 Understanding Dhcp Features Configuring Dhcp Features and IP Source Guard22-1 22-2 Dhcp ServerDhcp Relay Agent Dhcp Snooping 22-3 Option-82 Data Insertion Dhcp Relay Agent in a Metropolitan Ethernet Network 22-4 22-5 Remote ID Suboption Frame Format 22-6 Cisco IOS Dhcp Server DatabaseDhcp Snooping Binding Database Release 22-7 22-8 Configuring Dhcp FeaturesDhcp Snooping and Switch Stacks Default Dhcp Configuration 22-9 Dhcp Snooping Configuration Guidelines Dhcp Server and Switch Stacks Configuring the Dhcp Server22-10 22-11 Configuring the Dhcp Relay AgentSpecifying the Packet Forwarding Address Ip helper-address address Interface range port-range Switchport mode accessSwitchport access vlan vlan-id Enabling Dhcp Snooping and Option 22-13 Ip dhcp snooping database Enabling Dhcp Snooping on Private VLANsEnabling the Cisco IOS Dhcp Server Database Enabling the Dhcp Snooping Binding Database Agent 22-15 Displaying Dhcp Snooping Information Source IP Address Filtering Understanding IP Source Guard22-16 Source IP and MAC Address Filtering Configuring IP Source GuardDefault IP Source Guard Configuration IP Source Guard Configuration Guidelines 22-18 Enabling IP Source Guard 22-19 Displaying IP Source Guard Information 22-20 Understanding Dynamic ARP Inspection Configuring Dynamic ARP Inspection23-1 ARP Cache Poisoning 23-2 23-3 Interface Trust States and Network Security Relative Priority of ARP ACLs and Dhcp Snooping Entries Rate Limiting of ARP Packets23-4 23-5 Configuring Dynamic ARP InspectionDefault Dynamic ARP Inspection Configuration Logging of Dropped Packets 23-6 Dynamic ARP Inspection Configuration Guidelines 23-7 Configuring Dynamic ARP Inspection in Dhcp EnvironmentsShow cdp neighbors Ip arp inspection vlan vlan-range 23-8 Configuring ARP ACLs for Non-DHCP Environments 23-9 Specified with the ip arp inspection vlan logging Show arp access-list acl-nameLimiting the Rate of Incoming ARP Packets No ip arp inspection trust 23-11 Performing Validation Checks Show ip arp inspection vlan Configuring the Log BufferIp arp inspection validate Src-mac dst-mac ip Number logs number interval Ip arp inspection log-buffer entries23-13 23-14 Displaying Dynamic ARP Inspection Information Show ip arp inspection log Clear ip arp inspection statisticsShow ip arp inspection statistics vlan Clear ip arp inspection log 23-16 24-1 Configuring Igmp Snooping and MVR 24-2 Understanding Igmp Snooping Joining a Multicast Group Igmp Versions24-3 24-4 224.1.2.3 24-5 Leaving a Multicast Group 24-6 Igmp Configurable-Leave TimerImmediate Leave Igmp Report Suppression PIM-DVMRP Configuring Igmp SnoopingIgmp Snooping and Switch Stacks Default Igmp Snooping Configuration Ip igmp snooping vlan vlan-id Enabling or Disabling Igmp Snooping24-8 Show ip igmp snooping Setting the Snooping MethodIp igmp snooping vlan vlan-id mrouter Learn cgmp pim-dvmrp Show ip igmp snooping mrouter vlan vlan-id Configuring a Multicast Router Port24-10 Show ip igmp snooping groups Configuring a Host Statically to Join a GroupEnabling Igmp Immediate Leave Ip igmp snooping vlan vlan-id static ipaddress 24-12 Configuring the Igmp Leave Timer Count Configuring TCN-Related CommandsRecovering from Flood Mode Controlling the Multicast Flooding Time After a TCN Event No ip igmp snooping tcn flood Disabling Multicast Flooding During a TCN Event24-14 24-15 Configuring the Igmp Snooping Querier No ip igmp snooping report-suppression Disabling Igmp Report Suppression24-16 24-17 Displaying Igmp Snooping Information 24-18 Understanding Multicast Vlan Registration 24-19 Using MVR in a Multicast Television Application 24-20 Configuring MVRDefault MVR Configuration MVR 24-21 MVR Configuration Guidelines and LimitationsConfiguring MVR Global Parameters Mvr Enable MVR on the switch 24-22 Configuring MVR Interfaces Show mvr interface Show mvr members Mvr type source receiverMvr immediate Show mvr Displaying MVR Information Configuring Igmp Filtering and Throttling24-24 Configuring Igmp Profiles Default Igmp Filtering and Throttling Configuration24-25 Show ip igmp profile profile number Ip igmp profile profile numberPermit deny Range ip multicast address Ip igmp filter profile number Setting the Maximum Number of Igmp GroupsSwitch# show ip igmp profile Applying Igmp Profiles Interface-id Configuring the Igmp Throttling ActionShow running-config interface Verify the configuration EtherChannel group or a EtherChannel interface Show ip igmp profile profile Displaying Igmp Filtering and Throttling ConfigurationIp igmp max-groups action deny Replace 24-30 Understanding MLD Snooping Configuring IPv6 MLD Snooping25-1 25-2 25-3 MLD MessagesMLD Queries Multicast Client Aging Robustness 25-4 Multicast Router DiscoveryMLD Reports MLD Done Messages and Immediate-Leave 25-5 Configuring IPv6 MLD SnoopingMLD Snooping in Switch Stacks Topology Change Notification Processing MLD Snooping Configuration Guidelines Default MLD Snooping Configuration25-6 25-7 Enabling or Disabling MLD SnoopingIpv6 mld snooping Ipv6 mld snooping vlan vlan-id Show ipv6 mld snooping multicast-address vlan Configuring a Static Multicast GroupIpv6 mld snooping vlan vlan-id static Show ipv6 mld snooping multicast-address user 25-9 Enabling MLD Immediate LeaveIpv6 mld snooping vlan vlan-id mrouter Show ipv6 mld snooping mrouter vlan vlan-id 25-10 Configuring MLD Snooping Queries Disabling MLD Listener Message Suppression Displaying MLD Snooping Information25-11 25-12 Show ipv6 mld snooping querier vlan vlan-idVlan-id count dynamic user Vlan-id ipv6-multicast-address 26-1 Configuring Port-Based Traffic ControlConfiguring Storm Control Understanding Storm Control Broadcast Storm Control Example 26-2 Configuring Storm Control and Threshold Levels Default Storm Control Configuration26-3 Storm-control action shutdown trap Storm-control broadcast multicastUnicast level level level-low bps bps Bps-low pps pps pps-low Multicast unicast Configuring Protected PortsDefault Protected Port Configuration Show storm-control interface-id broadcast 26-6 Configuring Port BlockingProtected Port Configuration Guidelines Configuring a Protected Port 26-7 Configuring Port SecurityDefault Port Blocking Configuration Blocking Flooded Traffic on an Interface Secure MAC Addresses Understanding Port Security26-8 26-9 Security Violations 26-10 Default Port Security ConfigurationPort Security Configuration Guidelines Forwarded1 Trap Message Message2 Increments 26-11 26-12 Enabling and Configuring Port Security 26-13 Switchport port-security violationProtect restrict shutdown Shutdown vlan 26-14 Switchconfig-if#switchport port-security violation restrict Switchconfig-if#switchport port-securitySwitchconfig-if#switchport port-security maximum Switchconfig-if#switchport port-security mac-address sticky 26-16 Enabling and Configuring Port Security Aging 26-17 Port Security and Switch StacksSwitchconfig# interface GigabitEthernet 1/0/8 Port Security and Private VLANs 26-18 Displaying Port-Based Traffic Control SettingsShow port-security interface interface-idaddress Show port-security interface interface-idvlan Understanding CDP Configuring CDP27-1 Configuring the CDP Characteristics Configuring CDPCDP and Switch Stacks Default CDP Configuration Show cdp Disabling and Enabling CDPCdp holdtime seconds Cdp advertise-v2 27-4 No cdp enable Disable CDP on the interfaceCdp enable Enable CDP on the interface after disabling it Disabling and Enabling CDP on an Interface 27-5 Monitoring and Maintaining CDP 27-6 28-1 Configuring Lldp and LLDP-MEDUnderstanding Lldp and LLDP-MED Understanding Lldp 28-2 Understanding LLDP-MED 28-3 Configuring Lldp and LLDP-MEDDefault Lldp Configuration Configuring Lldp Characteristics 28-4 Disabling and Enabling Lldp Globally 28-5 Disabling and Enabling Lldp on an Interface Lldp med-tlv-select tlv Specify the TLV to enable Configuring LLDP-MED TLVsTLV, and enter interface configuration mode No lldp med-tlv-select tlv Specify the TLV to disable 28-7 Monitoring and Maintaining Lldp and LLDP-MED 28-8 29-1 Configuring UdldUnderstanding Udld Modes of Operation 29-2 Methods to Detect Unidirectional Links 29-3 Configuring Udld 29-4 Default Udld Configuration Show udld Udld aggressive enable message timeMessage-timer-interval Enabling Udld Globally Udld port aggressive Resetting an Interface Disabled by UdldUdld reset Show udld Enabling Udld on an Interface 29-7 Displaying Udld Status 29-8 Understanding Span and Rspan Configuring Span and Rspan30-1 30-2 Local Span 30-3 Remote Span Span Sessions Span and Rspan Concepts and Terminology30-4 30-5 Monitored Traffic 30-6 Source Ports Vlan Filtering Source VLANs30-7 30-8 Destination Port Rspan Vlan Span and Rspan Interaction with Other Features30-9 Span and Rspan and Switch Stacks Configuring Span and Rspan30-10 30-11 Default Span and Rspan ConfigurationConfiguring Local Span Span Configuration Guidelines 30-12 Creating a Local Span Session Show monitor session sessionnumber Monitor session sessionnumberDestination interface interface-id Encapsulation replicate 30-14 Monitor session sessionnumber filter vlan Specifying VLANs to Filter30-15 30-16 Configuring RspanRspan Configuration Guidelines Be a Vlan 30-17 Configuring a Vlan as an Rspan Vlan 30-18 Creating an Rspan Source SessionInterfaces port-channelport-channel-number. Valid Destination remote vlan vlan-id Remote vlan vlan-id Creating an Rspan Destination Session30-19 30-20 Untagged vlan vlan-id or vlan vlan-id- Forward incoming Ingress dot1q vlan vlan-id isl untagged30-21 30-22 Show monitor session sessionnumber 30-23 Displaying Span and Rspan Status 30-24 Understanding Rmon Configuring Rmon31-1 31-2 Configuring Rmon Configuring Rmon Alarms and Events Default Rmon Configuration31-3 Add an event in the Rmon event table that is Rmon event number description string log owner string31-4 Show rmon history Collecting Group History Statistics on an InterfaceCollecting Group Ethernet Statistics on an Interface Rmon collection history index 31-6 Displaying Rmon StatusRmon collection stats index owner ownername Show rmon statistics Understanding System Message Logging Configuring System Message Logging32-1 System Log Message Format Configuring System Message Logging32-2 Text string that uniquely describes the message Hhmmss short uptime32-3 Disabling Message Logging Default System Message Logging ConfigurationNo logging console Disable message logging Show running-config Verify your entries Show logging 32-5 Setting the Message Display Destination DeviceLogging buffered size Logging host Session to see the debugging messages Synchronizing Log MessagesLogging file flash filename Terminal monitor All limit number-of-buffers Line console vty line-numberLine vty Logging synchronous level severity-level Enabling and Disabling Sequence Numbers in Log Messages Enabling and Disabling Time Stamps on Log Messages32-8 Logging trap level Defining the Message Severity LevelLogging console level Logging monitor level 32-10 Level Description Syslog Definition 32-11 Enabling the Configuration-Change LoggerLogging history level Logging history size number Logging Messages to a Unix Syslog Daemon Configuring Unix Syslog Servers32-12 32-13 Configuring the Unix System Logging FacilityLogging facility facility-type Facility-type keywords Facility Type Keyword Description Displaying the Logging Configuration32-14 Understanding Snmp Configuring Snmp33-1 33-2 Snmp Versions Operation Description Model Level Authentication Encryption ResultSnmp Manager Functions DES Snmp Agent Functions Using Snmp to Access MIB Variables33-4 33-5 Snmp Notifications SVI Configuring SnmpSnmp ifIndex MIB Object Values IfIndex Range Snmp Configuration Guidelines Default Snmp Configuration33-7 33-8 Configuring Community StringsNo snmp-server Disable the Snmp agent operation Disabling the Snmp Agent Permit source source-wildcard View-name ro rw access-list-numberAccess-list access-list-number deny Snmp-server community string view 33-10 Configuring Snmp Groups and UsersSnmp-server engineID local engineid-string Snmp-server engineID local 33-11 Write writeview notify notifyview accessSnmp-server group groupname v1 v2c Auth noauth priv read readview Notification Type Keyword Description Configuring Snmp NotificationsRemote host udp-port port v1 access Encrypted access access-list auth md5 33-13 33-14 Notification-types Setting the Agent Contact and Location Information33-12 , or enter snmp-server enable traps ? Enable traps command for each trap type Snmp-server tftp-server-list Switchconfig# snmp-server community publicLimiting Tftp Servers Used Through Snmp Snmp Examples 33-17 Displaying Snmp Status 33-18 Understanding ACLs Configuring Network Security with ACLs34-1 34-2 Supported ACLs 34-3 Port ACLs 34-4 Router ACLs Vlan Maps Handling Fragmented and Unfragmented Traffic34-5 34-6 ACLs and Switch Stacks 34-7 Configuring IPv4 ACLs 34-8 Access List NumbersAccess List Number Type Supported Creating Standard and Extended IPv4 ACLs 34-9 ACL Logging Source source-wildcard log Access-list access-list-number deny permitShow access-lists number name Creating a Numbered Standard ACL 34-11 Creating a Numbered Extended ACL 34-12 34-13 34-14 Creating Named Standard and Extended ACLs Resequencing ACEs in an ACL34-15 Tos tos established log time-range Ip access-list standard nameIp access-list extended name Any log 34-17 Using Time Ranges with ACLs 34-18 Absolute start time datePeriodic weekdays weekend daily Show time-range 34-19 Switch# show ip access-listsApplying an IPv4 ACL to a Terminal Line Including Comments in ACLs 34-20 Access-class access-list-numberApplying an IPv4 ACL to an Interface Out 34-21 Ip access-group access-list-number Hardware and Software Treatment of IP ACLs IPv4 ACL Configuration Examples34-22 Switchconfig# access-list 106 permit ip any 172.20.128.64 Switchconfig# access-list 6 permit 172.20.128.6434-23 Extended ACLs Numbered ACLs34-24 34-25 Named ACLsTime Range Applied to an IP ACL Commented IP ACL Entries Switchconfig-if#ip access-group ext1 Switch# show logging34-26 34-27 Creating Named MAC Extended ACLs 34-28 Applying a MAC ACL to a Layer 2 Interface ACL Configuring Vlan MapsMac access-group name Show mac access-group interface interface-id 34-30 Vlan Map Configuration Guidelines Match ip mac address name Vlan access-map name numberCreating a Vlan Map Action drop forward 34-32 Examples of ACLs and Vlan Maps 34-33 Vlan filter mapname vlan-list list Using Vlan Maps in Your NetworkWiring Closet Configuration Applying a Vlan Map to a Vlan Switchconfig# vlan filter map2 vlan Denying Access to a Server on Anothera VlanSwitchconfig# vlan access-map map2 Switchconfig# ip access-list extended matchall 34-36 Using Vlan Maps with Router ACLs 34-37 Vlan Maps and Router ACL Configuration Guidelines 34-38 ACLs and Switched PacketsExamples of Router ACLs and Vlan Maps Applied to VLANs ACLs and Bridged Packets 34-39 ACLs and Routed Packets 34-40 Displaying IPv4 ACL ConfigurationShow ip access-lists number name ACLs and Multicast Packets 34-41 Show running-config interface interface-idShow mac access-group interface interface-id Show ip interface interface-id 34-42 35-1 Configuring IPv6 ACLs 35-2 Understanding IPv6 ACLs 35-3 Supported ACL FeaturesIPv6 ACLs and Switch Stacks IPv6 ACL Limitations 35-4 Configuring IPv6 ACLsDefault IPv6 ACL Configuration Interaction with Other Features and Switches Creating IPv6 ACLs Ipv6 access-list access-list-name35-5 35-6 Dscp value fragments logLog-input routing sequence Value time-range name 35-7 35-8 Ipv6 traffic-filter access-list-nameApplying an IPv6 ACL to an Interface Ipv6 address ipv6-address 35-9 Show access-listsShow ipv6 access-list access-list-name Displaying IPv6 ACLs 35-10 36-1 Configuring QoS 36-2 Understanding QoS 36-3 Basic QoS Model Basic QoS Model 36-4 36-5 Classification Check if packet came with CoS label tag Yes 36-6 Classification Based on Class Maps and Policy Maps Classification Based on QoS ACLs36-7 36-8 Policing and Marking 36-9 Policing on Physical Ports 36-10 Policing on SVIs 36-11 Policing and Marking Flowchart on SVIs 36-12 Mapping Tables 36-13 Queueing and Scheduling Overview SRR Shaping and Sharing Weighted Tail Drop36-14 36-15 Queueing and Scheduling on Ingress Queues 36-16 Queue Type Function 36-17 WTD Thresholds 36-18 Queueing and Scheduling on Egress Queues 36-19 36-20 Buffer and Memory Allocation 36-21 Packet Modification 36-22 Configuring Auto-QoS 36-23 Generated Auto-QoS Configuration 36-24 Description Automatically Generated Command 36-25 Or shared on the egress queues mapped to the port Switch automatically configures the egress queue bufferSizes. It configures the bandwidth and the SRR mode shaped If you entered the auto qos voip trust command, the switch Auto-QoS Configuration Guidelines Effects of Auto-QoS on the Configuration36-27 Show auto qos interface interface-id Enabling Auto-QoS for VoIPAuto qos voip cisco-phone Cisco-softphone trust 36-29 36-30 Auto-QoS Configuration Example Show auto qos Cdp enableDebug auto qos Auto qos voip trust Displaying Auto-QoS Information Configuring Standard QoS36-32 Default Ingress Queue Configuration Default Standard QoS Configuration36-33 Dscp Value Queue ID -Threshold ID Default Egress Queue Configuration36-34 Applying QoS on Interfaces Standard QoS Configuration GuidelinesDefault Mapping Table Configuration QoS ACL Guidelines General QoS Guidelines Policing Guidelines36-36 Enabling VLAN-Based QoS on Physical Ports Enabling QoS Globally36-37 Configuring the Trust State on Ports within the QoS Domain Configuring Classification Using Port Trust States36-38 15 Port Trusted States within the QoS Domain 36-39 36-40 Configuring the CoS Value for an InterfaceMls qos trust cos dscp ip-precedence Show mls qos interface Mls qos cos default-cos override Configuring a Trusted Boundary to Ensure Port Security36-41 36-42 Enabling Dscp Transparency ModeMls qos trust dscp Mls qos trust device cisco-phone 36-43 No mls qos rewrite ip dscp 36-44 Mls qos map dscp-mutationMls qos dscp-mutation Show mls qos maps dscp-mutation Switchconfig-if#mls qos dscp-mutation gi1/0/2-mutation Configuring a QoS Policy36-45 36-46 Classifying Traffic by Using ACLs Source-wildcard Switchconfig# access-list 100 permit ip any any dscpSwitchconfig# access-list 102 permit pim any 224.0.0.2 dscp Permit protocol source source-wildcard 36-48 Mac access-list extended name Match-any keywords Classifying Traffic by Using Class MapsClass-map match-all match-any Is match-all Show class-map Match access-group acl-index-or-nameIp dscp dscp-list ip precedence Ip-precedence-list 36-51 Class class-map-name Policy-map policy-map-name36-52 36-53 Show policy-map policy-map-nameclass Service-policy input policy-map-name36-54 36-55 Switchconfig# policy-map macpolicy1Switchconfig-pmap#class macclass2 maclist2 Switchconfig-if#service-policy input macpolicy1 36-56 Traffic by Using Class Maps section on 36-57 36-58 Police rate-bps burst-byte exceed-actionDrop policed-dscp-transmit Exceed-action policed-dscp-transmit keywords to mark down 36-59 Service-policy policy-map-name Show policy-map policy-map-nameclass Service-policy input policy-map-nameShow mls qos vlan-based Policed-dscp-transmit Mls qos aggregate-policerAggregate-policer-name rate-bps burst-byte Exceed-action drop Show mls qos aggregate-policer Only one policy map per ingress port is supportedAggregate-policer-name CoS Value Dscp Value Configuring Dscp MapsConfiguring the CoS-to-DSCP Map Switchconfig-pmap-c#police aggregate transmit1 36-64 Configuring the IP-Precedence-to-DSCP MapMls qos map cos-dscp dscp1...dscp8 IP Precedence Value Dscp Value 36-65 Configuring the Policed-DSCP Map Show Configuring the DSCP-to-CoS MapDscp Value CoS Value 36-66 36-67 Configuring the DSCP-to-DSCP-Mutation MapMls qos map dscp-cos dscp-list to cos Show mls qos maps dscp-to-cos Switch# show mls qos maps dscp-mutation mutation1 Switchconfig-if#mls qos dscp-mutation mutation136-68 36-69 Configuring Ingress Queue Characteristics Show mls qos maps Mls qos srr-queue input dscp-mapMls qos srr-queue input cos-map Mls qos srr-queue input threshold Show mls qos interface buffer Allocating Buffer Space Between the Ingress QueuesAllocating Bandwidth Between the Ingress Queues Mls qos srr-queue input buffers Show mls qos interface queueing Configuring the Ingress Priority QueueWeight1 weight2 Mls qos srr-queue input bandwidth Priority-queue queue-id bandwidth Configuring Egress Queue CharacteristicsWeight Mls qos srr-queue input 36-74 Queue-set qset-id Mls qos queue-set output qset-id36-75 36-76 Mls qos srr-queue output cos-map Mls qos srr-queue output dscp-map36-77 Queueing Configuring SRR Shaped Weights on Egress QueuesSrr-queue bandwidth shape weight1 Weight2 weight3 weight4 36-79 Configuring SRR Shared Weights on Egress QueuesConfiguring the Egress Expedite Queue Srr-queue bandwidth share weight1 36-80 Mls qos Enable QoS on a switchSrr-queue bandwidth limit weight1 Limiting the Bandwidth on an Egress Interface 36-81 Displaying Standard QoS Information 36-82 Show running-config include rewrite Understanding EtherChannels Configuring EtherChannels and Link-State Tracking37-1 37-2 EtherChannel Overview 37-3 Single-Switch EtherChannel 37-4 Port-Channel Interfaces 37-5 Port Aggregation Protocol Auto PAgP Interaction with Other FeaturesMode Description PAgP Modes 37-7 Lacp Interaction with Other FeaturesLink Aggregation Control Protocol Lacp Modes Load-Balancing and Forwarding Methods EtherChannel On Mode37-8 37-9 37-10 EtherChannel and Switch Stacks Default EtherChannel Configuration Configuring EtherChannels37-11 37-12 EtherChannel Configuration Guidelines 37-13 Configuring Layer 2 EtherChannels Active passive Auto non-silent desirable non-silent on37-14 37-15 Configuring Layer 3 EtherChannelsSwitchconfig-if-range#channel-group 5 mode active Creating Port-Channel Logical Interfaces No ip address Configuring the Physical InterfacesInterface port-channel port-channel-number Show etherchannel channel-group-number detail 37-17 Partner that is PAgP capable, configure the switch port forFor channel-group-number, the range is 1 to 48. This number Must be the same as the port-channel-number logical port 37-18 Configuring EtherChannel Load-BalancingPort-channel load-balance dst-ip dst-mac Src-dst-ip src-dst-mac src-ip src-mac Show etherchannel load-balance Verify your entries Configuring the PAgP Learn Method and Priority37-19 Show pagp channel-group-number internal Configuring Lacp Hot-Standby PortsPagp learn-method physical-port Pagp port-priority priority Show running-config Verify your entries Show lacp sys-id Configuring the Lacp System Priority37-21 Internal Configuring the Lacp Port PriorityLacp port-priority priority Show lacp channel-group-number Understanding Link-State Tracking Displaying EtherChannel, PAgP, and Lacp Status37-23 37-24 37-25 Configuring Link-State Tracking 37-26 Default Link-State Tracking ConfigurationLink-State Tracking Configuration Guidelines Configuring Link-State Tracking 37-27 Switch show link state groupSwitch show link state group detail Displaying Link-State Tracking Status 37-28 38-1 Configuring IP Unicast Routing Types of Routing Understanding IP Routing38-2 38-3 IP Routing and Switch Stacks 38-4 Configuring IP Addressing Steps for Configuring Routing38-5 38-6 Default Addressing ConfigurationARP Irdp 38-7 Show running-config Verify your entryAssigning IP Addresses to Network Interfaces Use of Subnet Zero 38-8 Classless Routing No ip classless Disable classless routing behavior Configuring Address Resolution Methods38-9 Arp ip-address hardware-address type Define a Static ARP Cache38-10 38-11 Set ARP Encapsulation Proxy ARP Routing Assistance When IP Routing is DisabledEnable Proxy ARP Default Gateway 38-13 Icmp Router Discovery Protocol Irdp 38-14 Configuring Broadcast Packet Handling Ip forward-protocol udp port nd sdns Ip directed-broadcast access-list-number38-15 38-16 Forwarding UDP Broadcast Packets and Protocols 38-17 Establishing an IP Broadcast AddressFlooding IP Broadcasts Ip broadcast-address ip-address Clear ip route network mask Monitoring and Maintaining IP AddressingClear arp-cache Clear host name 38-19 Enabling IP Unicast Routing 38-20 Configuring RIP Network network number Default RIP ConfigurationConfiguring Basic RIP Parameters Router rip 38-22 Ip rip authentication mode text md5 Configuring RIP AuthenticationConfiguring Summary Addresses and Split Horizon Ip rip authentication key-chain name-of-chain No ip split horizon Configuring Split HorizonSwitchconfig-router#neighbor 2.2.2.2 peer-group mygroup Ip summary-address rip ip address ip-network mask No ip split-horizon Configuring Ospf38-25 38-26 Default Ospf Configuration 38-27 Ospf Nonstop Forwarding 38-28 Ospf NSF Awareness Configuring Ospf Interfaces Configuring Basic Ospf Parameters38-29 38-30 38-31 Configuring Ospf Area Parameters 38-32 Configuring Other Ospf Parameters 38-33 38-34 Configuring a Loopback InterfaceChanging LSA Group Pacing Ip address address mask Monitoring Ospf Configuring Eigrp38-35 38-36 38-37 Default Eigrp Configuration 38-38 Eigrp Nonstop Forwarding Eigrp log-neighbor-changes Configuring Basic Eigrp ParametersRouter eigrp autonomous-system Network network-number 38-40 Configuring Eigrp InterfacesNo auto-summary Ip summary-address eigrp Show ip eigrp interface Configuring Eigrp Route AuthenticationIp hello-interval eigrp autonomous-system-number No ip split-horizon eigrp autonomous-system-number 38-42 Eigrp Stub Routing Monitoring and Maintaining Eigrp Configuring BGP38-43 EBGP, IBGP, and Multiple Autonomous Systems 38-44 38-45 Default BGP Configuration 38-46 38-47 Nonstop Forwarding Awareness Route-map route-map-name Enabling BGP RoutingRouter bgp autonomous-system Network network-number mask network-mask 38-49 38-50 Switchconfig-router#neighbor 192.208.10.2 remote-asSwitch# show ip bgp neighbors Managing Routing Policy Changes Show ip bgp Type of Reset Advantages DisadvantagesShow ip bgp neighbors Clear ip bgp * address 38-52 Configuring BGP Decision Attributes 38-53 Configuring BGP Filtering by Neighbor Configuring BGP Filtering with Route Maps38-54 Show ip bgp neighbors paths Ip as-path access-list access-list-numberOut weight weight Route-map map-tag in out 38-56 Configuring Prefix Lists for BGP Filtering Send-community Configuring BGP Community FilteringIp community-listcommunity-list-number Permit deny community-number Show ip bgp community Configuring BGP Neighbors and Peer GroupsSet comm-list list-num delete Ip bgp-community new-format 38-59 38-60 Configuring Aggregate Addresses Configuring BGP Route Reflectors Configuring Routing Domain Confederations38-61 No bgp client-to-client reflection Configuring Route DampeningRoute-reflector-client Bgp cluster-id cluster-id 38-63 Monitoring and Maintaining BGP 38-64 Configuring Multi-VRF CE 38-65 Understanding Multi-VRF CE 38-66 38-67 Default Multi-VRF CE ConfigurationMulti-VRF CE Configuration Guidelines VRF Ip vrf forwarding vrf-name Configuring VRFsRoute-target export import both Import map route-map Redistribute bgp Configuring a VPN Routing SessionShow ip vrf brief detail interfaces Log-adjacency-changes Multi-VRF CE Configuration Example Configuring BGP PE to CE Routing Sessions38-70 VPN2 CE1 38-71 38-72 Configuring Switch a 38-73 Switchconfig-router-af#network 8.8.2.0 maskSwitchconfig-router-af#network 8.8.1.0 mask Switchconfig-if#ip address 208.0.0.20 38-74 Router# configure terminal Displaying Multi-VRF CE Status Configuring Unicast Reverse Path Forwarding38-75 Configuring Distributed Cisco Express Forwarding Configuring Protocol-Independent Features38-76 38-77 Configuring the Number of Equal-Cost Routing Paths Show ip route Configuring Static Unicast RoutesRouter bgp rip ospf eigrp Maximum-paths maximum 38-79 Specifying Default Routes and NetworksRoute Source Default Distance Ip default-network network number Specify a default network 38-80 Using Route Maps to Redistribute Routing Information 38-81 38-82 38-83 Configuring Policy-Based Routing 38-84 PBR Configuration Guidelines 38-85 Enabling PBR 38-86 Ip policy route-map map-tagIp route-cache policy Ip local policy route-map map-tag Filtering Routing Information Setting Passive Interfaces38-87 38-88 Controlling Advertising and Processing in Routing UpdatesFiltering Sources of Routing Information Router bgp rip eigrp 38-89 Managing Authentication KeysDistance weight ip-address ip-address mask Ip access list 38-90 Monitoring and Maintaining the IP Network 38-91 38-92 Understanding IPv6 Configuring IPv6 Unicast Routing39-1 39-2 IPv6 Addresses Bit Wide Unicast Addresses Supported IPv6 Unicast Routing Features39-3 Neighbor Discovery DNS for IPv6Path MTU Discovery for IPv6 Unicast ICMPv6 39-5 IPv6 Applications Dual IPv4 and IPv6 Protocol Stacks Unsupported IPv6 Unicast Routing Features39-6 Limitations IPv6 and Switch Stacks39-7 39-8 Dual IPv4-and IPv6 SDM Templates SDM Templates39-9 39-10 Configuring IPv6 Configuring IPv6 Addressing and Enabling IPv6 Routing Default IPv6 Configuration39-11 39-12 39-13 Configuring IPv4 and IPv6 Protocol StacksIp routing Enable routing on the switch Switchconfig-if#ipv6 address 20010DB8c181/64 eui 39-14 Show ipv6 interface interface-id Configuring IPv6 Icmp Rate LimitingConfiguring CEF and dCEF for IPv6 Ipv6 icmp error-interval interval bucketsize 39-16 Configuring Static Routing for IPv6 39-17 Administrative distanceIpv6 route ipv6-prefix/prefix length Ipv6-address interface-id ipv6-address Interface-id recursive detail Configuring RIP for IPv6Show ipv6 route static updated Show ipv6 static ipv6-address 39-19 39-20 Configuring Ospf for IPv6 39-21 Displaying IPv6 Switch# show ipv6 interface39-22 39-23 Switch# show ipv6 cef /0Switch# show ipv6 protocols Switch# show ipv6 rip Switch# show ipv6 traffic Switch# show ipv6 neighborsSwitch# show ipv6 static Switch# show ipv6 route 39-25 39-26 Understanding Hsrp Configuring Hsrp and Enhanced Object Tracking40-1 40-2 40-3 Multiple Hsrp Hsrp and Switch Stacks Configuring Hsrp40-4 40-5 Default Hsrp ConfigurationHsrp Configuration Guidelines Enabling Hsrp Show standby interface-id group Switch# show standbyStandby group-number ip ip-address Secondary 40-7 Configuring Hsrp Priority 40-8 Priority preempt delay delayStandby group-number priority Standby group-number track 40-9 Configuring MhsrpConfiguring Hsrp Authentication and Timers Switchconfig-if#standby 2 ip Holdtime Standby group-number authentication stringStandby group-number timers hellotime Switchconfig-if#standby 1 authentication word Show standby interface-idgroup brief detail Displaying Hsrp ConfigurationsConfiguring Hsrp Groups and Clustering Enabling Hsrp Support for Icmp Redirect Messages Understanding Enhanced Object Tracking Configuring Enhanced Object Tracking40-12 40-13 Configuring Enhanced Object Tracking FeaturesTracking Interface Line-Protocol or IP Routing State Track object-number interface Object object-number not Configuring a Tracked ListSwitch# show track 33 Track Track track-numberlist boolean 40-15 WeightThreshold weight up number Track track-numberlist threshold Threshold percentage up number Track track-number list thresholdPercentage Object object-number 40-17 Configuring Hsrp Object Tracking Show standby Configuring Other Tracking Characteristics40-18 Understanding Wccp Configuring Web Cache Services By Using41-1 41-2 Wccp Message Exchange 41-3 Packet Redirection and Service GroupsWccp Negotiation MD5 Security 41-4 Wccp and Switch Stacks Wccp Configuration Guidelines Configuring WccpUnsupported Wccp Features Default Wccp Configuration 41-6 Enabling the Web Cache Service 41-7 41-8 41-9 Switchconfig# interface range gigabitethernet1/0/3Switchconfig-if-range#switchport access vlan Monitoring and Maintaining Wccp 41-10 Enabled / disabled 42-1 Configuring IP Multicast Routing IP Multicast Routing Protocols 42-2 Igmp Version Understanding Igmp42-3 42-4 Understanding PIMPIM Versions PIM Modes 42-5 PIM Stub Routing 42-6 Auto-RP Multicast Forwarding and Reverse Path Check Bootstrap Router42-7 Network Port Understanding Dvmrp42-8 Understanding Cgmp Multicast Routing and Switch Stacks42-9 42-10 Configuring IP Multicast RoutingDefault Multicast Routing Configuration Multicast Routing Configuration Guidelines PIMv1 and PIMv2 Interoperability Auto-RP and BSR Configuration Guidelines42-11 Ip multicast-routing distributed Configuring Basic Multicast Routing42-12 Sparse-dense-mode Configuring PIM Stub RoutingIp pim version 1 Ip pim dense-mode sparse-mode 42-14 Configuring a Rendezvous PointManually Assigning an RP to Multicast Groups Ip pim passive Ip pim rp-address ip-address Access-list-number override42-15 42-16 Configuring Auto-RP 42-17 Scope ttl group-list access-list-numberIp pim send-rp-announce interface-id Interval seconds 42-18 Ip pim send-rp-discovery scope ttlShow ip pim rp mapping Show ip pim rp Ip pim rp-announce-filter rp-list Access-list-number group-list42-19 Ip pim bsr-border Configuring PIMv2 BSR42-20 42-21 Ip multicast boundary Hash-mask-length priority Ip pim bsr-candidate interface-id42-22 Ip pim rp-candidate interface-id Group-list access-list-number42-23 Show ip pim rp-hash group Using Auto-RP and a BSRShow ip pim rp group-name Group-address mapping Understanding PIM Shared Tree and Source Tree Configuring Advanced PIM FeaturesTroubleshooting PIMv1 and PIMv2 Interoperability Problems Monitoring the RP Mapping Information Shared Tree and Source Tree Shortest-Path Tree 42-26 Ip pim spt-threshold kbps infinity Delaying the Use of PIM Shortest-Path Tree42-27 Show ip igmp interface interface-id Configuring Optional Igmp FeaturesModifying the PIM Router-Query Message Interval Ip pim query-interval seconds 42-29 Default Igmp ConfigurationConfiguring the Switch as a Member of a Group Ip igmp join-group group-address 42-30 Controlling Access to IP Multicast GroupsIp igmp access-group access-list-number Show ip igmp interface interface-id Verify your entries Query-interval or the ip igmp query-max-response-time Changing the Igmp VersionModifying the Igmp Host-Query Message Interval Ip igmp version 1 42-32 Changing the Igmp Query Timeout for IGMPv2Ip igmp querier-timeout seconds Ip igmp query-interval seconds 42-33 Configuring the Switch as a Statically Connected MemberChanging the Maximum Query Response Time for IGMPv2 Ip igmp query-max-response-time 42-34 Configuring Optional Multicast Routing FeaturesEnabling Cgmp Server Support Ip igmp static-group group-address Ip cgmp proxy Configuring sdr Listener Support42-35 42-36 Ip sdr listen Enable sdr listener supportEnabling sdr Listener Support Limiting How Long an sdr Cache Entry Exists 42-37 Configuring an IP Multicast Boundary 42-38 Configuring Basic Dvmrp Interoperability Features 42-39 Configuring Dvmrp Interoperability 42-40 Ip dvmrp metric metric list 42-41 Configuring a Dvmrp Tunnel Ip dvmrp accept-filter Access-list-number distanceNeighbor-list access-list-number Advertising Network 0.0.0.0 to Dvmrp Neighbors Originate only Configuring Advanced Dvmrp Interoperability FeaturesIp dvmrp default-information Responding to mrinfo Requests 42-44 Enabling Dvmrp Unicast Routing 42-45 Rejecting a Dvmrp Nonpruning Neighbor 42-46 Enter interface configuration mode Changing the Dvmrp Route Threshold By default, 7000 routes are advertised. The range is 0 toControlling Route Exchanges Limiting the Number of Dvmrp Routes Advertised 42-48 Configuring a Dvmrp Summary AddressDefault is 10,000 routes. The range is 1 to Route-count 42-49 No ip dvmrp auto-summary Disabling Dvmrp AutosummarizationIp dvmrp summary-address address Mask metric value 42-51 Adding a Metric Offset to the Dvmrp RouteIp dvmrp metric-offset in out Increment 42-52 Monitoring and Maintaining IP Multicast RoutingClearing Caches, Tables, and Databases Displaying System and Network Statistics 42-53 Monitoring IP Multicast Routing 42-54 Understanding Msdp Configuring Msdp43-1 43-2 Msdp Operation 43-3 Msdp Benefits 43-4 Configuring MsdpDefault Msdp Configuration Configuring a Default Msdp Peer Prefix-list list Ip msdp default-peer ip-address name43-5 Ip msdp description peer-name Caching Source-Active StateIp prefix-list name description string Seq number permit deny network 43-7 Ip msdp cache-sa-state list 43-8 Switchconfig# ip msdp sa-requestRequesting Source Information from an Msdp Peer Ip msdp sa-request ip-address name 43-9 Controlling Source Information that Your Switch OriginatesRedistributing Sources Ip msdp redistribute list 43-10 43-11 Name list access-list-numberFiltering Source-Active Request Messages Ip msdp filter-sa-request ip-address Route-map map-tag Controlling Source Information that Your Switch ForwardsUsing a Filter Ip msdp sa-filter out ip-address name 43-13 Ttl Controlling Source Information that Your Switch ReceivesUsing TTL to Limit the Multicast Data Sent in SA Messages Ip msdp ttl-threshold ip-address name Ip msdp sa-filter in ip-address name Switchconfig# ip msdp sa-filter in switch.cisco.com43-15 43-16 Configuring an Msdp Mesh GroupShutting Down an Msdp Peer Ip msdp mesh-group name ip-address 43-17 Including a Bordering PIM Dense-Mode Region in MsdpIp msdp shutdown peer-name peer Ip msdp border sa-address interface-id 43-18 Configuring an Originating Address other than the RP Address Clear ip msdp sa-cache group-addressname Monitoring and Maintaining MsdpClear ip msdp peer peer-addressname Clear ip msdp statistics peer-addressname 43-20 44-1 Configuring Fallback BridgingUnderstanding Fallback Bridging Fallback Bridging Overview 44-2 Fallback Bridging and Switch Stacks Configuring Fallback Bridging44-3 44-4 Default Fallback Bridging ConfigurationFallback Bridging Configuration Guidelines Creating a Bridge Group 44-5 Bridge bridge-group protocolVlan-bridge Bridge-group bridge-group Switchconfig# bridge 10 protocol vlan-bridge Adjusting Spanning-Tree Parameters44-6 Bridge-group bridge-grouppriority Changing the VLAN-Bridge Spanning-Tree PriorityChanging the Interface Priority Bridge bridge-group priority number 44-8 Assigning a Path CostBridge-group bridge-group path-cost Cost 44-9 Adjusting Bpdu IntervalsSwitchconfig# bridge 10 hello-time Bridge bridge-group hello-time seconds Bridge bridge-group max-age seconds Switchconfig# bridge 10 forward-timeSwitchconfig# bridge 10 max-age Bridge bridge-group forward-time Show bridge bridge-group group Monitoring and Maintaining Fallback BridgingDisabling the Spanning Tree on an Interface Clear bridge bridge-group 44-12 45-1 Troubleshooting 45-2 Recovering from a Software Failure Switch copy xmodem flashimagefilename.bin Recovering from a Lost or Forgotten PasswordSwitch flashinit Switch loadhelper 45-4 45-5 Procedure with Password Recovery Enabled 45-6 Copy the configuration file into memory Switch dir flash Procedure with Password Recovery Disabled45-7 45-8 Preventing Switch Stack Problems 45-9 Recovering from a Command Switch Failure Switchconfig# no cluster commander-address Replacing a Failed Command Switch with a Cluster Member45-10 45-11 Replacing a Failed Command Switch with Another Switch 45-12 45-13 Recovering from Lost Cluster Member ConnectivityTroubleshooting Power over Ethernet Switch Ports Preventing Autonegotiation Mismatches SFP Module Security and Identification Disabled Port Caused by Power LossDisabled Port Caused by False Link Up Show controllers power inline privileged Exec command Understanding Ping Monitoring TemperatureUsing Ping Monitoring SFP Module Status 45-16 Switch# pingExecuting Ping Character Description 45-17 Using Layer 2 TracerouteUnderstanding Layer 2 Traceroute Usage Guidelines 45-18 Using IP TracerouteDisplaying the Physical Path Understanding IP Traceroute Trace the path that packets take through the network Switch# traceroute ipExecuting IP Traceroute Traceroute ip host Understanding TDR Using TDR45-20 45-21 Using Debug CommandsEnabling Debugging on a Specific Feature Running TDR and Displaying the Results Redirecting Debug and Error Message Output Enabling All-System Diagnostics45-22 45-23 Using the show platform forward CommandUdp 10 45-24 Basic crashinfo Files Using the crashinfo Files45-25 45-26 Using On-Board Failure LoggingExtended crashinfo Files Understanding Obfl 45-27 Configuring Obfl Show logging onboard module Displaying Obfl Information45-28 Understanding Online Diagnostics Configuring Online Diagnostics46-1 Non-disruptive daily hhmm Configuring Online DiagnosticsScheduling Online Diagnostics Diagnostic schedule switch Diagnostic monitor syslog Configuring Health-Monitoring DiagnosticsDiagnostic monitor interval switch Diagnostic content command output Schedule status switch Diagnostic monitor threshold switchDiagnostic monitor switch number test Show diagnostic content post result All basic non-disruptive Running Online Diagnostic TestsStarting Online Diagnostic Tests Diagnostic start switch number 46-6 Displaying Online Diagnostic Tests and Test Results MIB List Supported MIBsCISCO-FTP-CLIENT-MIB CISCO-HSRP-MIB IGMP-MIB INET-ADDRESS-MIB IPMROUTE-MIB CISCO-IGMP-FILTER-MIBCISCO-RTTMON-MIB CISCO-SMI-MIB ETHERLIKE-MIB IEEE8021-PAE-MIB IEEE8023-LAG-MIB TCP-MIB UDP-MIB Using FTP to Access the MIB Files Working with the Flash File System Displaying Available File Systems Switch# show file systems Field Value Setting the Default File System Pwd Cd newconfigsDisplaying Information about Files on a File System Changing Directories and Displaying the Working Directory Creating and Removing Directories Mkdir oldconfigsCopying Files Deleting Files Switch# delete myconfigCreating, Displaying, and Extracting Files Flash Archive /create destination-urlArchive /table source-url More /ascii /binary /ebcdic Archive /xtract source-urlExtract a file into a directory on the flash file system Directories are extracted Working with Configuration Files Configuration File Types and Location Guidelines for Creating and Using Configuration Files Copying Configuration Files By Using Tftp Creating a Configuration File By Using a Text Editor Uploading the Configuration File By Using Tftp Downloading the Configuration File By Using Tftp Copying Configuration Files By Using FTP Ip ftp password password Downloading a Configuration File By Using FTPIp ftp username username Filename nvramstartup-config Uploading a Configuration File By Using FTPFtp // username password @ location /directory Filename systemrunning-config Ftp // username password @ location /directory Filename Copying Configuration Files By Using RCPCopy systemrunning-config Copy nvramstartup-config Hostname Switch1 Ip rcmd remote-username User0 Ip rcmd remote-username username Downloading a Configuration File By Using RCPSystemrunning-config Nvramstartup-config Uploading a Configuration File By Using RCP Clearing Configuration InformationSwitch# copy nvramstartup-config rcp Deleting a Stored Configuration File Clearing the Startup Configuration FileWorking with Software Images File Format of Images on a Server or Cisco.com Image Location on the Switch Field Description Copying Image Files By Using Tftp Downloading an Image File By Using Tftp Preparing to Download or Upload an Image File By Using Tftp Archive download-sw /directory Allow-feature-upgrade /directoryArchive download-sw Overwrite /reload Archive upload-sw Uploading an Image File By Using TftpTftp //location /directory /image-name .tar Preparing to Download or Upload an Image File By Using FTP Copying Image Files By Using FTP Downloading an Image File By Using FTP Directory /image-name2 .tar image-name3 .tar Archive download-sw /allow-feature-upgradeDirectory /overwrite /reload For /directory /image-name1 .tar Uploading an Image File By Using FTP Copying Image Files By Using RCP Preparing to Download or Upload an Image File By Using RCP File By Using RCP section on page B-31 Downloading an Image File By Using RCP Or Upload an Image File By Using RCP section on Uploading an Image File By Using RCP Rcp // username @ location /directory /image-na Copying an Image File from One Stack Member to AnotherMe.tar For /destination-system destination-stack-member-number Archive copy-sw /destination-systemDestination-stack-member-number /force-reload Source-stack-member-number Unsupported Global Configuration Commands Unsupported Commands Cisco IOS Release 12.237SEAccess Control Lists Unsupported Privileged Exec Commands Debug Commands Archive CommandsARP Commands Boot Loader Commands Bridge bridge-group domain domain-name bridge irb Fallback BridgingBridge bridge-groupacquire Bridge crb X25 map bridge x.121-address broadcast options-keywords Hsrp Interface Commands Igmp Snooping CommandsIP Multicast Routing Ip multicast-routing vrf vrf-name Ip pim accept-rpaddress auto-rpgroup-access-list-numberShow ip pim vc group-address name type number Show ip rtp header-compression type number detail IP Unicast Routing Unsupported Privileged Exec or User Exec Commands Unsupported VPN Configuration Commands Unsupported BGP Router Configuration CommandsUnsupported Route Map Commands Set tag tag-value MAC Address CommandsShow cable-diagnostics prbs Test cable-diagnostics prbs Miscellaneous Msdp NetFlow Commands QoS Network Address Translation NAT CommandsUnsupported Global Configuration Command Unsupported Policy-Map Configuration Command Spanning Tree Unsupported Interface Configuration CommandUnsupported User Exec Commands Unsupported Privileged Exec Command IN-1 Numerics IN-2 ACLs TACACS+ CDP Lldp RIPEigrp Hsrp Cidr BGPIN-4 IN-5 Bpdu CLI CDPCEF Cgmp IN-7 CNS IN-8 DNS DhcpIN-9 Wccp SnmpTACACS+ Udld Vmps IN-11 Dhcp option IN-12 DTP IN-13 Dvmrp IN-14 Dynamic ARP inspection IN-15 Lacp FIB STPIN-16 FTP Mstp STPIN-17 Icmp HttpsIN-18 IN-19 Igmp IN-20 IN-21 IP addresses IN-22 Mbone IN-23 IGP IN-24 IP unicast routing IN-25 ISL IN-26 LLDP-MED IN-27 Mhsrp MDAIN-28 IN-29 Msdp IN-30 CSTIST MTU IN-31 NAC IN-32 NSSA, Ospf PBR ObflIN-33 IN-34 PIM IN-35 Port-based authentication Vvid PvidIN-36 IN-37 Private VLANs IN-38 QoS IN-39 IN-40 RCP IN-41 Radius TACACS+RFC Rmon IN-42 RPSRspan Rstp IN-43 SDM IN-44 Snmp SRR SpanIN-45 VTP SSLIN-46 IN-47 Stacks, switch IN-48 LLDP-MED Ospf IN-49 STP IN-50 IN-51 System message logging IN-52 IN-53 IN-54 IN-55 VLANs VQP VPNIN-56 IN-57 WTD IN-58

SSL Configuration Guidelines

Configuring a CA Trustpoint

Command

configure terminal

ip domain-name domain-name

crypto key generate rsa

crypto ca trustpoint name

enrollment http-proxy host-name

crl query url

primary

crypto ca authentication name

crypto ca enroll name

copy running-config startup-config