Manuals / Cisco Systems / Computer Equipment / Webcam

Cisco Systems 3750E Configuring the Secure Http Client, Ip http timeout-policy idle seconds life

Models: 3750E

1 1236

Download 1236 pages 40.08 Kb

Page 249

Image 249

Chapter 9 Configuring Switch-Based Authentication

Configuring the Switch for Secure Socket Layer HTTP

	Command	Purpose
Step 11
Step 11	ip http timeout-policy idle seconds life	(Optional) Specify how long a connection to the HTTP server can remain
	seconds requests value	open under the defined circumstances:
		• idle—the maximum time period when no data is received or response
		data cannot be sent. The range is 1 to 600 seconds. The default is
		180 seconds (3 minutes).
		• life—the maximum time period from the time that the connection is
		established. The range is 1 to 86400 seconds (24 hours). The default
		is 180 seconds.
		• requests—the maximum number of requests processed on a
		persistent connection. The maximum value is 86400. The default is 1.
Step 12
Step 12	end	Return to privileged EXEC mode.
Step 13
Step 13	show ip http server secure status	Display the status of the HTTP secure server to verify the configuration.
Step 14
Step 14	copy running-config startup-config	(Optional) Save your entries in the configuration file.

Use the no ip http server global configuration command to disable the standard HTTP server. Use the no ip http secure-serverglobal configuration command to disable the secure HTTP server. Use the no ip http secure-portand the no ip http secure-ciphersuiteglobal configuration commands to return to the default settings. Use the no ip http secure-client-authglobal configuration command to remove the requirement for client authentication.

To verify the secure HTTP connection by using a Web browser, enter https://URL, where the URL is the IP address or hostname of the server switch. If you configure a port other than the default port, you must also specify the port number after the URL. For example:

https://209.165.129:1026

https://host.domain.com:1026

Configuring the Secure HTTP Client

The standard HTTP client and secure HTTP client are always enabled. A certificate authority is required for secure HTTP client certification. This procedure assumes that you have previously configured a CA trustpoint on the switch. If a CA trustpoint is not configured and the remote HTTPS server requires client authentication, connections to the secure HTTP client fail.

Beginning in privileged EXEC mode, follow these steps to configure a secure HTTP client:

	Command	Purpose
Step 1
Step 1	configure terminal	Enter global configuration mode.
Step 2
Step 2	ip http client secure-trustpoint name	(Optional) Specify the CA trustpoint to be used if the remote HTTP server
		requests client authentication. Using this command assumes that you have
		already configured a CA trustpoint by using the previous procedure. The
		command is optional if client authentication is not needed or if a primary
		trustpoint has been configured.

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

	OL-9775-02	9-47

Page 249

Image 249

Cisco Systems 3750E manual Configuring the Secure Http Client, Ip http timeout-policy idle seconds life

Contents

Text Part Number OL-9775-02 Americas HeadquartersPage Iii N T E N T SAssigning the Switch IP Address and Default Gateway Understanding Cisco Configuration Engine Software Clustering Switches Vii Catalyst 1900 and Catalyst 2820 CLI ConsiderationsViii Creating a BannerChanging the Default Privilege Level for Lines Device Roles Bypass Xii Routed PortsXiii Monitoring and Maintaining the InterfacesXiv Encapsulation TypesDomain Names Xvi Private-VLAN Configuration GuidelinesXvii Disabled StateXviii Boundary Ports19-25 XixDhcp Server Xxi Configuring Dynamic ARP InspectionXxii Configuring MVRXxiii Understanding Storm ControlXxiv Understanding Udld Modes of OperationXxv Creating an Rspan Source SessionXxvi Snmp Agent FunctionsXxvii Creating a Numbered Extended ACLXxviii Interaction with Other Features and SwitchesXxix Xxx Port-Channel InterfacesXxxi Configuring IP AddressingXxxii Nonstop Forwarding AwarenessXxxiii IPv6 AddressesXxxiv Configuring Hsrp PriorityXxxv Configuring IP Multicast RoutingXxxvi Configuring Basic Dvmrp Interoperability FeaturesXxxvii Using a Filter45-14 XxxviiiXxxix Configuring Online DiagnosticsUnsupported Route-Map Configuration Commands C-1 Xli HsrpXlii VTPAudience PrefacePurpose ConventionsXliv Related PublicationsXlv Xlvi Overview FeaturesAvailability and Redundancy Features, Vlan Features, Deployment FeaturesOverview Features Performance Features Management Options Manageability Features Availability and Redundancy Features Security Features Vlan FeaturesOverview Features QoS and CoS Features Layer 3 Features Power over Ethernet Features Default Settings After Initial Switch Configuration Monitoring FeaturesVlan Overview Default Settings After Initial Switch Configuration Overview Default Settings After Initial Switch Configuration Design Concepts for Using the Switch Network Configuration ExamplesNetwork Demands Suggested Design Methods Cost-Effective Wiring Closet High-Performance Wiring Closet High-Performance Workgroup Gigabit-to-the-Desktop Redundant Gigabit Backbone Server Aggregation Linux Server Cluster Cisco SoftPhone Software Gigabit servers Internet Cisco 2600 or 3700 routers Catalyst 3560-E switches Large Network Using Catalyst 3750-E and 3560-E Switches Cisco 7x00 routers Catalyst Catalyst 3560-E Multidwelling Network Using Catalyst 3750-E Switches 11 Catalyst 3750-E Switches in a MAN Configuration Long-Distance, High-Bandwidth Transport ConfigurationAccess layer Aggregation layer Where to Go NextOL-9775-02 Understanding Command Modes Using the Command-Line InterfaceConfigure Mode Access Method Prompt Exit Method About This ModeQuit Ctrl-ZCommand Purpose Console commandUnderstanding the Help System Line vty or lineUnderstanding no and default Forms of Commands Understanding Abbreviated CommandsCommand ? Command keyword ?Understanding CLI Error Messages Using Configuration LoggingError Message Meaning How to Get Help Changing the Command History Buffer Size Using Command HistoryRecalling Commands Action1 ResultDisabling the Command History Feature Using Editing FeaturesEnabling and Disabling Editing Features Switch# terminal editingCapability Keystroke1 Purpose Editing Commands through KeystrokesEditing Command Lines that Wrap Return and Space barPress Ctrl-L or Ctrl-R Accessing the CLI Command begin include exclude regular-expressionSwitch# show interfaces include protocol Using the Command-Line Interface Accessing the CLI OL-9775-02 Understanding the Boot Process Assigning the Switch IP Address and Default GatewayAssigning Switch Information Default Switch Information Understanding DHCP-Based AutoconfigurationFeature Default Setting Dhcp Client and Server Message Exchange Dhcp Client Request ProcessDhcp Server Configuration Guidelines Configuring DHCP-Based AutoconfigurationConfiguring the DNS Configuring the Tftp ServerConfiguring the Relay Device Obtaining Configuration FilesRouterconfig-if#ip helper-address Tftpserver Example ConfigurationDNS Server Configuration Switch a Switch B Switch C Switch DTftp Server Configuration on Unix Dhcp Client ConfigurationManually Assigning IP Information Checking and Saving the Running Configuration Switch# show running-configSwitch# copy running-config startup-config Modifying the Startup Configuration Default Boot ConfigurationAutomatically Downloading a Configuration File Boot config-file flash/ file-url Booting ManuallyShow boot Configure terminal Enter global configuration modeBoot system filesystem /file-url Booting a Specific Software ImageControlling Environment Variables Boot system switch number allSet Switchnumber Set Manualboot yes Boot manualSwitch current-stack-member-number renumber Set SwitchpriorityScheduling a Reload of the Software Image Configuring a Scheduled ReloadVariable Description Reload in hhmm textSwitch# reload at Switch# reload at 0200 junDisplaying Scheduled Reload Information Understanding Cisco Configuration Engine Software Configuring Cisco IOS CNS AgentsConfiguration Engine Architectural Overview Configuration ServiceConfigID Event ServiceWhat You Should Know About the CNS IDs and Device Hostnames NameSpace MapperUsing Hostname, DeviceID, and ConfigID DeviceIDHostname and DeviceID Understanding Cisco IOS Agents Initial ConfigurationIncremental Partial Configuration Configuring Cisco IOS AgentsSynchronized Configuration Enabling Automated CNS ConfigurationDevice Required Configuration Show running-config Backup init-retry retry-count keepalive secondsEnabling the CNS Event Agent Show cns event connectionsEnabling the Cisco IOS CNS Agent Enabling an Initial ConfigurationCns id interface num dns-reverse ipaddress Cns config initial ip-address hostnameMac-address event Cns id hardware-serial hostname string stringShow running-config Verify your entries Enabling a Partial ConfigurationCns config partial ip-address hostname Show cns config statsShow cns config connections Displaying CNS ConfigurationShow cns event stats Show cns event subjectUnderstanding Switch Stacks Managing Switch StacksManaging Switch Stacks Understanding Switch Stacks Switch Stack Membership Creating a Switch Stack from Two Standalone Switches Stack Master Election and Re-Election Adding a Standalone Switch to a Switch StackStack Member Numbers Switch Stack Bridge ID and Router MAC AddressStack Member Priority Values Switch Stack Offline Configuration Effects of Adding a Provisioned Switch to a Switch StackScenario Result Scenario Result Effects of Replacing a Provisioned Switch in a Switch Stack Switch Stack Software Compatibility RecommendationsMajor Version Number Incompatibility Among Switches Minor Version Number Incompatibility Among SwitchesStack Protocol Version Compatibility Understanding Auto-Upgrade and Auto-Advise Auto-Upgrade and Auto-Advise Example Messages SwitchDirectory Mar 1 000422.537%IMAGEMGR-6-AUTOADVISESW Switch Stack Configuration Files Incompatible Software and Stack Member Image UpgradesSwitch Stack Management Connectivity Connectivity to the Switch Stack Through an IP Address Connectivity to the Switch Stack Through an SSH SessionConnectivity to Specific Stack Members Switch Stack Configuration Scenarios Use the switch stack-member-numberPriority new-priority-number global Current-stack-member-number Renumber new-stack-member-number Configuring the Switch Stack Default Switch Stack ConfigurationEnabling Persistent MAC Address Show switch Stack-mac persistent timerSwitchconfig# stack-mac persistent timer Time-valueSetting the Stack Member Priority Value Assigning Stack Member InformationAssigning a Stack Member Number Provisioning a New Member for a Switch Stack Displaying Switch Stack Information Accessing the CLI of a Specific Stack MemberCommand Description Show switch stack-member-numberShow switch stack-ports Show switch stack-ring activityDetail OL-9775-02 Understanding Switch Clusters Clustering SwitchesSwitch Cisco IOS Release Cluster Capability Standby Cluster Command Switch Characteristics Cluster Command Switch CharacteristicsCandidate Switch and Cluster Member Switch Characteristics Planning a Switch ClusterDiscovery Through CDP Hops Automatic Discovery of Cluster Candidates and MembersDiscovery Through CDP Hops Discovery Through Different VLANs Discovery Through Different VLANs Discovery Through Different Management VLANsDiscovery Through Routed Ports New out-of-box Discovery of Newly Installed SwitchesHsrp and Standby Cluster Command Switches Other Considerations for Cluster Standby Groups Virtual IP AddressesAutomatic Recovery of Cluster Configuration Hostnames IP AddressesSnmp Community Strings PasswordsSwitch Clusters and Switch Stacks Switch Stack Switch ClusterMembers Other cluster member switches LRE Profiles TACACS+ and RadiusUsing the CLI to Manage Switch Clusters Switch# rcommandCatalyst 1900 and Catalyst 2820 CLI Considerations Snmp Management for a Cluster Using Snmp to Manage Switch ClustersOL-9775-02 Administering the Switch Managing the System Time and DateUnderstanding the System Clock NTP Understanding Network Time ProtocolTypical NTP Network Configuration Configuring NTPDefault NTP Configuration Configuring NTP AuthenticationNtp authenticate Configuring NTP Associations Switchconfig# ntp server 172.16.22.44 version Configuring NTP Broadcast ServiceNtp peer ip-address version number Key keyid source interface preferNtp broadcast version number key keyid Interface interface-idDestination-address Ntp broadcast clientNtp broadcastdelay microseconds Configuring NTP Access RestrictionsNtp access-group query-only Serve-onl y serve peerCommand Purpose Interface interface-id Configuring the Source IP Address for NTP PacketsDisplaying the NTP Configuration Configuring Time and Date ManuallySetting the System Clock Fundamentals Command Reference, ReleaseConfiguring the Time Zone Displaying the Time and Date ConfigurationClock timezone zone hours-offset Minutes-offsetClock summer-time zone recurring Configuring Summer Time Daylight Saving TimeWeek day month hh mm week day month Hh mm offsetConfiguring a System Name and Prompt Clock summer-time zone date monthClock summer-time zone date date Configuring a System Name Default System Name and Prompt ConfigurationCopy running-config startup-confi g Understanding DNSSetting Up DNS Default DNS ConfigurationIp domain-name name Ip name-server server-address1Default Banner Configuration Displaying the DNS ConfigurationCreating a Banner Configuring a Message-of-the-Day Login Banner Banner motd c message cUnix telnet Configuring a Login Banner Banner login c message cManaging the MAC Address Table MAC Addresses and VLANs Building the Address TableMAC Addresses and Switch Stacks Default MAC Address Table ConfigurationChanging the Address Aging Time Removing Dynamic Address Entries Configuring MAC Address Notification TrapsMac address-table aging-time Show mac address-table aging-timeSnmp-server enable traps mac-notification String by using the snmp-server communitySnmp-server host host-addr traps informs version Mac address-table notificationAdding and Removing Static Address Entries Mac address-table static mac-addr Configuring Unicast MAC Address FilteringVlan vlan-id interface interface-id Show mac address-table staticVlan vlan-id drop Displaying Address Table Entries Managing the ARP TableOL-9775-02 Understanding the SDM Templates Configuring SDM TemplatesDual IPv4 and IPv6 SDM Templates Resource Access Default RoutingIPv4-and-IPv6 Resource Default Routing SDM Templates and Switch StacksConfiguring the Switch SDM Template Default SDM TemplateSDM Template Configuration Guidelines Sdm prefer access default Setting the SDM TemplateDual-ipv4-and-ipv6 default routing Vlan routing vlanSwitchconfig# sdm prefer routing Switchconfig# sdm prefer dual-ipv4-and-ipv6 defaultDisplaying the SDM Templates Policy based routing aces 25K OL-9775-02 Preventing Unauthorized Access to Your Switch Configuring Switch-Based AuthenticationDefault Password and Privilege Level Configuration Protecting Access to Privileged Exec CommandsSetting or Changing a Static Enable Password Enable password passwordSwitchconfig# enable password l1u2c3k4y5 Encryption-type encrypted-password Enable password level level passwordEnable secret level level password Service password-encryptionDisabling Password Recovery No service password-recoveryShow version Configuring Username and Password Pairs Setting a Telnet Password for a Terminal LinePassword password Switchconfig-line#password let45me67in89Username command Configuring Multiple Privilege LevelsLogin local Username name privilege levelSetting the Privilege Level for a Command Privilege mode level level commandShow privilege Changing the Default Privilege Level for Lines CommandLogging into and Exiting a Privilege Level Understanding TACACS+ Controlling Switch Access with TACACS+Typical TACACS+ Network Configuration TACACS+ Operation Configuring TACACS+Tacacs-server host hostname port Default TACACS+ ConfigurationAaa new-model Aaa group server tacacs+ group-nameConfiguring TACACS+ Login Authentication Aaa new-model Enable AAAShow tacacs Verify your entries Login authentication default Aaa authentication login defaultAuthentication login command Line console tty vty line-numberShow running-config Verify your entries Controlling Switch Access with Radius Displaying the TACACS+ ConfigurationStarting TACACS+ Accounting Understanding Radius Radius Operation Transitioning from Radius to TACACS+ ServicesConfiguring Radius Default Radius ConfigurationIdentifying the Radius Server Host Page Radius-server host hostname Acct-port port-number timeoutIp-address auth-port port-number Seconds retransmit retries keySwitchconfig# radius-server host host1 Configuring Radius Login AuthenticationServer Host section on Defining AAA Server Groups Aaa group server radius group-name Radius Aaa authorization network radiusStarting Radius Accounting Radius-server timeout seconds Configuring Settings for All Radius ServersRadius-server key string Radius-server retransmit retriesRadius-server vsa send accounting AuthenticationCisco-avpair=shellpriv-lvl=15 Cisco-avpair=ipoutacl#2=deny ip 10.10.10.10 0.0.255.255 anyControlling Switch Access with Kerberos Displaying the Radius ConfigurationRadius-server host hostname ip-address non-standard Understanding Kerberos KDC Term DefinitionKerberos Operation Authenticating to a Boundary SwitchKeytab SrvtabConfiguring Kerberos Authenticating to Network ServicesObtaining a TGT from a KDC Aaa authentication login default local Aaa authorization exec localAaa authorization network local Configuring the Switch for Secure Shell Username commandUsername name privilege level SSH Servers, Integrated Clients, and Supported Versions Understanding SSHConfiguring SSH Configuration GuidelinesLimitations Setting Up the Switch to Run SSH Configuring the SSH Server Displaying the SSH Configuration and StatusIp ssh timeout seconds Authentication-retries numberConfiguring the Switch for Secure Socket Layer Http Understanding Secure Http Servers and ClientsCertificate Authority Trustpoints Rsakeypair TP-self-signed-3080755072 Configuring Secure Http Servers and Clients Default SSL ConfigurationCipherSuites Configuring a CA Trustpoint SSL Configuration GuidelinesConfiguring the Secure Http Server Ip http timeout-policy idle seconds life Configuring the Secure Http ClientShow ip http server secure status Ip http client secure-trustpoint nameDisplaying Secure Http Server and Client Status Configuring the Switch for Secure Copy ProtocolIp http client secure-ciphersuite Show ip http client secure statusHtml Information About Secure CopyOL-9775-02 Configuring Ieee 802.1x Port-Based Authentication Understanding Ieee 802.1x Port-Based Authentication10-1 10-2 Device Roles10-3 Authentication Process10-4 Authentication Flowchart10-5 Authentication Initiation and Message ExchangeEAPOL-Start 10-6Ieee 802.1x Authentication and Switch Stacks Ports in Authorized and Unauthorized States10-7 10-8 Ieee 802.1x Host ModeIeee 802.1x Accounting Attribute-Value Pairs Ieee 802.1x AccountingAttribute Number AV Pair Name 10-910-10 Using Ieee 802.1x Authentication with Vlan Assignment10-11 Using Ieee 802.1x Authentication with Per-User ACLs10-12 Using Ieee 802.1x Authentication with Guest Vlan10-13 Using Ieee 802.1x Authentication with Restricted Vlan10-14 10-15 Using Ieee 802.1x Authentication with Voice Vlan Ports10-16 Using Ieee 802.1x Authentication with Port Security10-17 Using Ieee 802.1x Authentication with Wake-on-LAN10-18 Using Multidomain Authentication Network Admission Control Layer 2 Ieee 802.1x Validation10-19 Using Web Authentication For example10-20 10-21 Configuring Ieee 802.1x AuthenticationDefault Ieee 802.1x Authentication Configuration AAA10-22 Ieee 802.1x Authentication Configuration Guidelines Ieee 802.1x Authentication10-23 10-24 Configuring Ieee 802.1x Authentication MAC Authentication Bypass10-25 10-26 Configuring the Switch-to-RADIUS-Server Communication10-27 Ip-address auth-port port-number keyDot1x host-mode multi-host Configuring the Host ModeMulti-domain Show dot1x interface interface-idConfiguring Periodic Re-Authentication Manually Re-Authenticating a Client Connected to a Port10-29 Dot1x timeout tx-period seconds Changing the Switch-to-Client Retransmission TimeChanging the Quiet Period Show dot1x interface interface-id Verify your entriesSwitchconfig-if#dot1x timeout tx-period Setting the Switch-to-Client Frame-Retransmission NumberShow dot1xinterface interface-id Verify your entries Dot1x max-reauth-req countConfiguring Ieee 802.1x Accounting Setting the Re-Authentication NumberSwitchconfig-if#dot1x max-reauth-req 10-3210-33 Configuring a Guest VlanSwitchport mode private-vlan host Configuring a Restricted VlanSwitchconfig# interface gigabitethernet2/0/2 Dot1x guest-vlan vlan-idDot1x auth-fail max-attempts max Dot1x auth-fail vlan vlan-idAttempts 10-35Switchconfig-if#dot1x auth-fail max-attempts Configuring the Inaccessible Authentication Bypass FeatureRadius-server dead-criteria time time Tries tries10-37 Dot1x critical recovery action Configuring Ieee 802.1x Authentication with WoLReinitialize vlan vlan-id Show dot1x interface interface-idSwitchconfig-if#dot1x control-direction both Configuring MAC Authentication BypassSwitchconfig-if#dot1x mac-auth-bypass Dot1x control-direction both10-40 Configuring NAC Layer 2 Ieee 802.1x Validation10-41 Configuring Web Authentication10-42 No dot1x pae Disable Ieee 802.1x authentication on the port Disabling Ieee 802.1x Authentication on the PortDot1x fallback fallback-profile 10-4310-44 Displaying Ieee 802.1x Statistics and StatusConfiguring Interface Characteristics Understanding Interface Types11-1 Switch Ports Port-Based VLANs11-2 Access Ports Trunk Ports11-3 Routed Ports Tunnel Ports11-4 Switch Virtual Interfaces EtherChannel Port Groups11-5 Gigabit Ethernet Interfaces Power over Ethernet PortsSupported Protocols and Standards 11-6Powered-Device Detection and Initial Power Allocation Class11-7 11-8 Power Management Modes11-9 Power Monitoring and Power Policing11-10 Maximum Power Allocation Cutoff Power on a PoE Port11-11 Connecting Interfaces11-12 Ethernet Management Port11-13 Connecting a Switch Stack to a PC11-14 TftpMgmtinit Using Interface Configuration ModeMgmtshow Mgmtclr11-16 Procedures for Configuring InterfacesInterface range port-range macro Configuring a Range of InterfacesMacroname Show interfaces interface-id11-18 Show running-config include define Configuring and Using Interface Range MacrosDefine interface-range macroname Interface range macro macronameSwitch# show running-config include define Configuring Ethernet InterfacesSwitch# show run include define 11-2011-21 Default Ethernet Interface ConfigurationConfiguring Interface Speed and Duplex Mode Speed and Duplex Configuration Guidelines11-22 Speed 10 100 1000 auto 10 Setting the Interface Speed and Duplex ParametersNonegotiate Duplex auto full halfConfiguring Ieee 802.3x Flow Control Flowcontrol receive on off desired11-24 Local Side Auto-MDIX Configuring Auto-MDIX on an InterfaceWith Correct Cabling 11-25Configuring a Power Management Mode on a PoE Port Interface-id phy11-26 Power inline auto max max-wattage Budgeting Power for Devices Connected to a PoE PortShow power inline i nterface-id Neve r static max max-wattage11-28 Wattage11-29 Configuring Power Policing11-30 Adding a Description for an InterfaceConfiguring Ethernet Management Ports Configuring Layer 3 InterfacesSwitch# show interfaces gigabitethernet1/0/2 description 11-31Interface gigabitethernet interface-id vlan vlan-id No switchportNo shutdown 11-3211-33 Configuring the System MTUSystem mtu jumbo bytes Use the system mtu jumbo Use the system mtu routingSystem mtu routing bytes 11-34System mtu bytes Configuring the Cisco Redundant Power SystemReload Show system mtuPower rps switch-number port rps-port-id mode active Power rps switch-number name string serialnumberStandby 11-36Power supply switch-numberoff on Configuring the Power SuppliesShow env power Show env rpsMonitoring and Maintaining the Interfaces Monitoring Interface Status11-38 11-39 Clearing and Resetting Interfaces and CountersInterface vlan vlan-id gigabitethernet interface-id Shutting Down and Restarting the InterfaceShutdown 11-40Configuring Smartports Macros Understanding Smartports Macros12-1 Default Smartports Macro Configuration Configuring Smartports MacrosMacro Name Description 12-212-3 Smartports Macro Configuration GuidelinesMacro name macro-name Creating Smartports MacrosName Sample-Macro and macro name sample-macro will result Show parser macro name macro-name12-5 Applying Smartports MacrosShow parser macro Applying Cisco-Default Smartports MacrosShow parser macro macro-name 12-6Switch# show parser macro cisco-desktop Switchconfig-if#macro apply cisco-desktop $AVID12-7 Show parser macro brief Displaying Smartports MacrosShow parser macro description interface 12-8Configuring VLANs Understanding VLANs13-1 13-2 Supported VLANs Vlan Port Membership Modes13-3 13-4 Configuring Normal-Range VLANs13-5 Vlan IDNormal-Range Vlan Configuration Guidelines Token Ring VLANs13-6 Saving Vlan Configuration Vlan Configuration Mode OptionsVlan Configuration in config-vlan Mode Vlan Configuration in Vlan Database Configuration ModeParameter Default Range Default Ethernet Vlan ConfigurationVLANxxxx, where 13-8Creating or Modifying an Ethernet Vlan Copy running-config startup configRemote-span 13-9Deleting a Vlan Vlan database13-10 Switchport access vlan vlan-id Assigning Static-Access Ports to a VlanNo vlan vlan-id Show vlan briefDefault Vlan Configuration Configuring Extended-Range VLANsShow interfaces interface-id switchport Vlan fields of the display13-13 Extended-Range Vlan Configuration GuidelinesCreating an Extended-Range Vlan Vtp mode transparentShow vlan id vlan-id 13-14Switch# copy running-config startup config Switchconfig# vtp mode transparentCreating an Extended-Range Vlan with an Internal Vlan ID Show vlan internal usageCommand Command Mode Purpose Configuring Vlan TrunksDisplaying VLANs Trunking Overview13-17 Switches in an ISL Trunking EnvironmentEncapsulation Types Mode FunctionEncapsulation Function 13-18Configuring an Ethernet Interface as a Trunk Port Default Layer 2 Ethernet Interface Vlan ConfigurationIeee 802.1Q Configuration Considerations 13-19Configuring a Trunk Port Interaction with Other FeaturesDot1q negotiate 13-2013-21 Defining the Allowed VLANs on a TrunkChanging the Pruning-Eligible List Switchport trunk allowed vlan addAll except remove vlan-list 13-22Switchport trunk pruning vlan add Configuring the Native Vlan for Untagged TrafficExcept none remove vlan-list Vlan ,vlanLoad Sharing Using STP Port Priorities Configuring Trunk Ports for Load SharingSwitchport trunk native vlan vlan-id 13-2413-25 Or switch stack Load Sharing Using STP Path CostConnect to the trunk ports configured on Switch a Exit Return to global configuration modeInterface gigabitethernet1/0/1 Switchport trunk encapsulationIsl dot1q negotiate Spanning-tree vlan 2-4 costConfiguring Vmps Understanding Vmps13-28 Vmps Configuration Guidelines Default Vmps Client ConfigurationDynamic-Access Port Vlan Membership 13-29Configuring the Vmps Client Entering the IP Address of the Vmps13-30 Switchport access vlan dynamic Configuring Dynamic-Access Ports on Vmps ClientsReconfirming Vlan Memberships Vmps reconfirmChanging the Retry Count Changing the Reconfirmation IntervalVmps reconfirm minutes 13-32Vmps Configuration Example Troubleshooting Dynamic-Access Port Vlan MembershipSwitch# show vmps Monitoring the Vmps13-34 Dynamic Port Vlan Membership ConfigurationConfiguring VTP Understanding VTP14-1 14-2 VTP DomainVTP Modes VTP Mode DescriptionVTP Advertisements 14-3VTP Version VTP Pruning14-4 Vlan 14-5Configuring VTP VTP and Switch Stacks14-6 VTP Configuration Options Default VTP ConfigurationVTP Configuration in Global Configuration Mode 14-7VTP Configuration in Vlan Database Configuration Mode VTP Configuration GuidelinesPasswords Domain NamesConfiguration Requirements Configuring a VTP ServerVTP Version 14-9Vtp password password Vtp password passwordShow vtp status Vtp serverVtp mode client Configuring a VTP ClientSwitch# vlan database 14-1114-12 Disabling VTP VTP Transparent ModeEnabling VTP Version Vtp version14-13 Enabling VTP Pruning Adding a VTP Client Switch to a VTP DomainVtp pruning 14-1414-15 14-16 Monitoring VTPConfiguring Voice Vlan Understanding Voice Vlan15-1 Cisco IP Phone Voice Traffic Cisco IP Phone Data Traffic15-2 Default Voice Vlan Configuration Configuring Voice VlanVoice Vlan Configuration Guidelines 15-315-4 Configuring a Port Connected to a Cisco 7960 IP Phone15-5 Configuring Cisco IP Phone Voice Traffic15-6 Configuring the Priority of Incoming Data Frames15-7 Displaying Voice Vlan15-8 Configuring Private VLANs Understanding Private VLANs16-1 Private-VLAN Domain 16-216-3 IP Addressing Scheme with Private VLANsPrivate VLANs across Multiple Switches Private-VLAN Interaction with Other Features16-4 Private VLANs and Unicast, Broadcast, and Multicast Traffic Private VLANs and SVIs16-5 Tasks for Configuring Private VLANs Configuring Private VLANsPrivate VLANs and Switch Stacks 16-6Private-VLAN Configuration Guidelines Default Private-VLAN ConfigurationSecondary and Primary Vlan Configuration 16-716-8 Private-VLAN Port Configuration16-9 Limitations with Other Features16-10 Configuring and Associating VLANs in a Private VlanShow vlan private-vlan type Show interfaces status16-11 Switchport private-vlan host-association Configuring a Layer 2 Interface as a Private-VLAN Host PortSwitch# show interfaces gigabitethernet1/0/22 switchport Primaryvlanid secondaryvlanidSwitchport private-vlan mapping primaryvlanid Switchport mode private-vlan promiscuousAdd remove secondaryvlanlist 16-13Interface vlan primaryvlanid Switch# show interfaces private-vlan mappingPrivate-vlan mapping add remove Show interface private-vlan mapping16-15 Monitoring Private VLANs16-16 Configuring Ieee 802.1Q and Layer 2 Protocol Tunneling Understanding Ieee 802.1Q Tunneling17-1 17-2 Ieee 802.1Q Tunnel Ports in a Service-Provider Network17-3 Default Ieee 802.1Q Tunneling Configuration Configuring Ieee 802.1Q TunnelingIeee 802.1Q Tunneling Configuration Guidelines Native VLANs17-5 System MTU17-6 Ieee 802.1Q Tunneling and Other FeaturesVlan dot1q tag native Configuring an Ieee 802.1Q Tunneling PortShow dot1q-tunnel Show vlan dot1q tag native17-8 Understanding Layer 2 Protocol TunnelingLayer 2 Protocol Tunneling 17-917-10 Configuring Layer 2 Protocol Tunneling17-11 Default Layer 2 Protocol Tunneling Configuration17-12 Layer 2 Protocol Tunneling Configuration Guidelines17-13 Configuring Layer 2 Protocol TunnelingConfiguring the SP Edge Switch Configuring Layer 2 Tunneling for EtherChannelsL2protocol-tunnel point-to-point Pagp lacp udld17-15 17-16 Configuring the Customer SwitchSwitchconfig-if#channel-group 1 mode desirable Switchconfig# interface port-channel17-17 17-18 Monitoring and Maintaining Tunneling StatusConfiguring STP Understanding Spanning-Tree Features18-1 18-2 STP Overview18-3 Spanning-Tree Topology and BPDUs18-4 Bridge ID, Switch Priority, and Extended System IDSpanning-Tree Interface States Switch Priority ValueBit 32768 16384 8192 4096 2048 1024 512 256 12818-6 2illustrates how an interface moves through the statesListening State Blocking StateLearning State Forwarding StateHow a Switch or Port Becomes the Root Switch or Root Port Disabled State18-8 Spanning-Tree Address Management Spanning Tree and Redundant ConnectivityAccelerated Aging to Retain Connectivity 18-9Spanning-Tree Modes and Protocols Supported Spanning-Tree Instances18-10 STP and Ieee 802.1Q Trunks Spanning-Tree Interoperability and Backward CompatibilityVLAN-Bridge Spanning Tree Rapid PVST+Configuring Spanning-Tree Features Spanning Tree and Switch Stacks18-12 Default Spanning-Tree Configuration Spanning-Tree Configuration Guidelines18-13 18-14 18-15 Changing the Spanning-Tree ModeDisabling Spanning Tree Configuring the Root SwitchShow spanning-tree vlan vlan-id Verify your entries 18-16Diameter net-diameter hello-time seconds Spanning-tree vlan vlan-id root primaryShow spanning-tree detail 18-17Configuring Port Priority Configuring a Secondary Root SwitchSpanning-tree vlan vlan-id root secondary Diameter net-diameter hello-timeSpanning-tree vlan vlan-id port-priority priority Spanning-tree port-priority priorityShow spanning-tree interface interface-id Show spanning-tree vlan vlan-idPort-channel-number Configuring Path CostSpanning-tree cost cost Spanning-tree vlan vlan-id cost costConfiguring the Switch Priority of a Vlan Spanning-tree vlan vlan-id priority priority18-21 Configuring the Hello Time Configuring Spanning-Tree TimersSpanning-tree vlan vlan-id hello-time seconds 18-22Configuring the Maximum-Aging Time for a Vlan Configuring the Forwarding-Delay Time for a VlanSpanning-tree vlan vlan-id forward-time Spanning-tree vlan vlan-idmax-age secondsDisplaying the Spanning-Tree Status Configuring the Transmit Hold-CountShow spanning-tree detail Verify your entries 18-2419-1 Configuring MstpUnderstanding Mstp Multiple Spanning-Tree Regions19-2 IST, CIST, and CST Operations Within an MST Region19-3 19-4 Operations Between MST RegionsIeee 802.1s Terminology Hop CountCisco Prestandard Cisco Standard 19-5Boundary Ports Ieee 802.1s Implementation19-6 Interoperation Between Legacy and Standard Switches Port Role Naming Change19-7 Mstp and Switch Stacks Detecting Unidirectional Link Failure19-8 Interoperability with Ieee 802.1D STP Understanding RstpPort Roles and the Active Topology 19-919-10 Rapid Convergence19-11 Synchronization of Port RolesBridge Protocol Data Unit Format and Processing Bit Function19-12 Processing Superior Bpdu Information Topology ChangesProcessing Inferior Bpdu Information 19-1319-14 Configuring Mstp FeaturesDefault Mstp Configuration Mstp Configuration Guidelines19-15 Spanning-tree mst configuration Specifying the MST Region Configuration and Enabling MstpInstance instance-id vlan vlan-range Name nameRevision version Spanning-tree mode mstShow pending Exit19-18 Spanning-tree mst instance-id root primary19-19 Spanning-tree mst instance-id port-priority priority Show spanning-tree mst interface interface-id19-20 19-21 Spanning-tree mst instance-id cost costConfiguring the Hello Time Configuring the Switch PrioritySpanning-tree mst instance-id priority priority 19-22Show spanning-tree mst Verify your entries Configuring the Forwarding-Delay TimeSpanning-tree mst forward-time seconds Show spanning-tree mstConfiguring the Maximum-Hop Count Configuring the Maximum-Aging TimeSpecifying the Link Type to Ensure Rapid Transitions Spanning-tree mst max-age seconds19-25 Designating the Neighbor TypeDisplaying the MST Configuration and Status Restarting the Protocol Migration Process19-26 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features20-1 Understanding Port Fast Understanding Bpdu Guard20-2 Understanding Bpdu Filtering Understanding UplinkFast20-3 20-4 Switches in a Hierarchical Network20-5 Understanding Cross-Stack UplinkFast20-6 How Csuf WorksUnderstanding BackboneFast Events that Cause Fast Convergence20-7 BackboneFast Example Before Indirect Link Failure 20-820-9 Adding a Switch in a Shared-Medium TopologyUnderstanding EtherChannel Guard Understanding Root Guard20-10 20-11 Understanding Loop GuardOptional Spanning-Tree Configuration Guidelines Default Optional Spanning-Tree ConfigurationEnabling Port Fast 20-12Enabling Bpdu Guard Spanning-tree portfast trunk interface configurationSpanning-tree portfast trunk PortfastSpanning-tree portfast Enable the Port Fast feature Enabling Bpdu Filtering20-14 20-15 Enabling UplinkFast for Use with Redundant LinksUplinkfast command Spanning-tree uplinkfast max-update-rateEnabling Cross-Stack UplinkFast Enabling BackboneFastEnabling EtherChannel Guard Spanning-tree backbonefast Enable BackboneFastShow spanning-tree summary Verify your entries 20-17Enabling Root Guard Enabling Loop Guard20-18 20-19 20-20 21-1 Flex LinksSwitchport backup interface preemption delay commands Vlan Flex Link Load Balancing and Support21-2 21-3 MAC Address-Table Move Update21-4 MAC Address-Table Move Update ExampleConfiguration Guidelines Default Configuration21-5 Switchport backup interface interface-id Configuring Flex LinksShow interface interface-id switchport backup Switch# show interface switchport backupMode forced bandwidth off Switchport backup interface interface-id preemptionDelay delay-time 21-7Switchport backup interface interface-id prefer vlan Configuring Vlan Load Balancing on Flex LinksShow interfaces interface-id switchport backup Switch#show interfaces switchport backupSwitchport backup interface interface-idmmu Configuring the MAC Address-Table Move Update FeaturePrimary vlan vlan-id 21-9Switchconf# mac address-table move update transmit End Return to global configuration modeSwitch# show mac-address-table move update 21-1021-11 Monitoring Flex Links and the MAC Address-Table Move Update21-12 Configuring Dhcp Features and IP Source Guard Understanding Dhcp Features22-1 Dhcp Relay Agent Dhcp ServerDhcp Snooping 22-222-3 Option-82 Data InsertionDhcp Relay Agent in a Metropolitan Ethernet Network 22-422-5 Remote ID Suboption Frame FormatDhcp Snooping Binding Database Cisco IOS Dhcp Server DatabaseRelease 22-622-7 Dhcp Snooping and Switch Stacks Configuring Dhcp FeaturesDefault Dhcp Configuration 22-822-9 Dhcp Snooping Configuration GuidelinesConfiguring the Dhcp Server Dhcp Server and Switch Stacks22-10 Specifying the Packet Forwarding Address Configuring the Dhcp Relay AgentIp helper-address address 22-11Switchport access vlan vlan-id Switchport mode accessEnabling Dhcp Snooping and Option Interface range port-range22-13 Enabling the Cisco IOS Dhcp Server Database Enabling Dhcp Snooping on Private VLANsEnabling the Dhcp Snooping Binding Database Agent Ip dhcp snooping database22-15 Displaying Dhcp Snooping InformationUnderstanding IP Source Guard Source IP Address Filtering22-16 Default IP Source Guard Configuration Configuring IP Source GuardIP Source Guard Configuration Guidelines Source IP and MAC Address Filtering22-18 Enabling IP Source Guard22-19 Displaying IP Source Guard Information22-20 Configuring Dynamic ARP Inspection Understanding Dynamic ARP Inspection23-1 ARP Cache Poisoning 23-223-3 Interface Trust States and Network SecurityRate Limiting of ARP Packets Relative Priority of ARP ACLs and Dhcp Snooping Entries23-4 Default Dynamic ARP Inspection Configuration Configuring Dynamic ARP InspectionLogging of Dropped Packets 23-523-6 Dynamic ARP Inspection Configuration GuidelinesShow cdp neighbors Configuring Dynamic ARP Inspection in Dhcp EnvironmentsIp arp inspection vlan vlan-range 23-723-8 Configuring ARP ACLs for Non-DHCP Environments23-9 Limiting the Rate of Incoming ARP Packets Show arp access-list acl-nameNo ip arp inspection trust Specified with the ip arp inspection vlan logging23-11 Performing Validation ChecksIp arp inspection validate Configuring the Log BufferSrc-mac dst-mac ip Show ip arp inspection vlanIp arp inspection log-buffer entries Number logs number interval23-13 23-14 Displaying Dynamic ARP Inspection InformationShow ip arp inspection statistics vlan Clear ip arp inspection statisticsClear ip arp inspection log Show ip arp inspection log23-16 24-1 Configuring Igmp Snooping and MVR24-2 Understanding Igmp SnoopingIgmp Versions Joining a Multicast Group24-3 24-4 224.1.2.324-5 Leaving a Multicast GroupImmediate Leave Igmp Configurable-Leave TimerIgmp Report Suppression 24-6Igmp Snooping and Switch Stacks Configuring Igmp SnoopingDefault Igmp Snooping Configuration PIM-DVMRPEnabling or Disabling Igmp Snooping Ip igmp snooping vlan vlan-id24-8 Ip igmp snooping vlan vlan-id mrouter Setting the Snooping MethodLearn cgmp pim-dvmrp Show ip igmp snoopingConfiguring a Multicast Router Port Show ip igmp snooping mrouter vlan vlan-id24-10 Enabling Igmp Immediate Leave Configuring a Host Statically to Join a GroupIp igmp snooping vlan vlan-id static ipaddress Show ip igmp snooping groups24-12 Configuring the Igmp Leave TimerRecovering from Flood Mode Configuring TCN-Related CommandsControlling the Multicast Flooding Time After a TCN Event CountDisabling Multicast Flooding During a TCN Event No ip igmp snooping tcn flood24-14 24-15 Configuring the Igmp Snooping QuerierDisabling Igmp Report Suppression No ip igmp snooping report-suppression24-16 24-17 Displaying Igmp Snooping Information24-18 Understanding Multicast Vlan Registration24-19 Using MVR in a Multicast Television ApplicationDefault MVR Configuration Configuring MVRMVR 24-20Configuring MVR Global Parameters MVR Configuration Guidelines and LimitationsMvr Enable MVR on the switch 24-2124-22 Configuring MVR InterfacesMvr immediate Mvr type source receiverShow mvr Show mvr interface Show mvr membersConfiguring Igmp Filtering and Throttling Displaying MVR Information24-24 Default Igmp Filtering and Throttling Configuration Configuring Igmp Profiles24-25 Permit deny Ip igmp profile profile numberRange ip multicast address Show ip igmp profile profile numberSwitch# show ip igmp profile Setting the Maximum Number of Igmp GroupsApplying Igmp Profiles Ip igmp filter profile numberShow running-config interface Verify the configuration Configuring the Igmp Throttling ActionEtherChannel group or a EtherChannel interface Interface-idIp igmp max-groups action deny Displaying Igmp Filtering and Throttling ConfigurationReplace Show ip igmp profile profile24-30 Configuring IPv6 MLD Snooping Understanding MLD Snooping25-1 25-2 MLD Queries MLD MessagesMulticast Client Aging Robustness 25-3MLD Reports Multicast Router DiscoveryMLD Done Messages and Immediate-Leave 25-4MLD Snooping in Switch Stacks Configuring IPv6 MLD SnoopingTopology Change Notification Processing 25-5Default MLD Snooping Configuration MLD Snooping Configuration Guidelines25-6 Ipv6 mld snooping Enabling or Disabling MLD SnoopingIpv6 mld snooping vlan vlan-id 25-7Ipv6 mld snooping vlan vlan-id static Configuring a Static Multicast GroupShow ipv6 mld snooping multicast-address user Show ipv6 mld snooping multicast-address vlanIpv6 mld snooping vlan vlan-id mrouter Enabling MLD Immediate LeaveShow ipv6 mld snooping mrouter vlan vlan-id 25-925-10 Configuring MLD Snooping QueriesDisplaying MLD Snooping Information Disabling MLD Listener Message Suppression25-11 Vlan-id count dynamic user Show ipv6 mld snooping querier vlan vlan-idVlan-id ipv6-multicast-address 25-12Configuring Storm Control Configuring Port-Based Traffic ControlUnderstanding Storm Control 26-1Broadcast Storm Control Example 26-2Default Storm Control Configuration Configuring Storm Control and Threshold Levels26-3 Unicast level level level-low bps bps Storm-control broadcast multicastBps-low pps pps pps-low Storm-control action shutdown trapDefault Protected Port Configuration Configuring Protected PortsShow storm-control interface-id broadcast Multicast unicastProtected Port Configuration Guidelines Configuring Port BlockingConfiguring a Protected Port 26-6Default Port Blocking Configuration Configuring Port SecurityBlocking Flooded Traffic on an Interface 26-7Understanding Port Security Secure MAC Addresses26-8 26-9 Security ViolationsPort Security Configuration Guidelines Default Port Security ConfigurationForwarded1 Trap Message Message2 Increments 26-1026-11 26-12 Enabling and Configuring Port SecurityProtect restrict shutdown Switchport port-security violationShutdown vlan 26-1326-14 Switchconfig-if#switchport port-security maximum Switchconfig-if#switchport port-securitySwitchconfig-if#switchport port-security mac-address sticky Switchconfig-if#switchport port-security violation restrict26-16 Enabling and Configuring Port Security AgingSwitchconfig# interface GigabitEthernet 1/0/8 Port Security and Switch StacksPort Security and Private VLANs 26-17Show port-security interface interface-idaddress Displaying Port-Based Traffic Control SettingsShow port-security interface interface-idvlan 26-18Configuring CDP Understanding CDP27-1 CDP and Switch Stacks Configuring CDPDefault CDP Configuration Configuring the CDP CharacteristicsCdp holdtime seconds Disabling and Enabling CDPCdp advertise-v2 Show cdpCdp enable Enable CDP on the interface after disabling it No cdp enable Disable CDP on the interfaceDisabling and Enabling CDP on an Interface 27-427-5 Monitoring and Maintaining CDP27-6 Understanding Lldp and LLDP-MED Configuring Lldp and LLDP-MEDUnderstanding Lldp 28-128-2 Understanding LLDP-MEDDefault Lldp Configuration Configuring Lldp and LLDP-MEDConfiguring Lldp Characteristics 28-328-4 Disabling and Enabling Lldp Globally28-5 Disabling and Enabling Lldp on an InterfaceTLV, and enter interface configuration mode Configuring LLDP-MED TLVsNo lldp med-tlv-select tlv Specify the TLV to disable Lldp med-tlv-select tlv Specify the TLV to enable28-7 Monitoring and Maintaining Lldp and LLDP-MED28-8 Understanding Udld Configuring UdldModes of Operation 29-129-2 Methods to Detect Unidirectional Links29-3 Configuring Udld29-4 Default Udld ConfigurationMessage-timer-interval Udld aggressive enable message timeEnabling Udld Globally Show udldUdld reset Show udld Resetting an Interface Disabled by UdldEnabling Udld on an Interface Udld port aggressive29-7 Displaying Udld Status29-8 Configuring Span and Rspan Understanding Span and Rspan30-1 30-2 Local Span30-3 Remote SpanSpan and Rspan Concepts and Terminology Span Sessions30-4 30-5 Monitored Traffic30-6 Source PortsSource VLANs Vlan Filtering30-7 30-8 Destination PortSpan and Rspan Interaction with Other Features Rspan Vlan30-9 Configuring Span and Rspan Span and Rspan and Switch Stacks30-10 Configuring Local Span Default Span and Rspan ConfigurationSpan Configuration Guidelines 30-1130-12 Creating a Local Span SessionDestination interface interface-id Monitor session sessionnumberEncapsulation replicate Show monitor session sessionnumber30-14 Specifying VLANs to Filter Monitor session sessionnumber filter vlan30-15 Rspan Configuration Guidelines Configuring RspanBe a Vlan 30-1630-17 Configuring a Vlan as an Rspan VlanInterfaces port-channelport-channel-number. Valid Creating an Rspan Source SessionDestination remote vlan vlan-id 30-18Creating an Rspan Destination Session Remote vlan vlan-id30-19 30-20 Ingress dot1q vlan vlan-id isl untagged Untagged vlan vlan-id or vlan vlan-id- Forward incoming30-21 30-22 Show monitor session sessionnumber30-23 Displaying Span and Rspan Status30-24 Configuring Rmon Understanding Rmon31-1 31-2 Configuring RmonDefault Rmon Configuration Configuring Rmon Alarms and Events31-3 Rmon event number description string log owner string Add an event in the Rmon event table that is31-4 Collecting Group Ethernet Statistics on an Interface Collecting Group History Statistics on an InterfaceRmon collection history index Show rmon historyRmon collection stats index owner ownername Displaying Rmon StatusShow rmon statistics 31-6Configuring System Message Logging Understanding System Message Logging32-1 Configuring System Message Logging System Log Message Format32-2 Hhmmss short uptime Text string that uniquely describes the message32-3 No logging console Disable message logging Default System Message Logging ConfigurationShow running-config Verify your entries Show logging Disabling Message LoggingLogging buffered size Setting the Message Display Destination DeviceLogging host 32-5Logging file flash filename Synchronizing Log MessagesTerminal monitor Session to see the debugging messagesLine vty Line console vty line-numberLogging synchronous level severity-level All limit number-of-buffersEnabling and Disabling Time Stamps on Log Messages Enabling and Disabling Sequence Numbers in Log Messages32-8 Logging console level Defining the Message Severity LevelLogging monitor level Logging trap level32-10 Level Description Syslog DefinitionLogging history level Enabling the Configuration-Change LoggerLogging history size number 32-11Configuring Unix Syslog Servers Logging Messages to a Unix Syslog Daemon32-12 Logging facility facility-type Configuring the Unix System Logging FacilityFacility-type keywords 32-13Displaying the Logging Configuration Facility Type Keyword Description32-14 Configuring Snmp Understanding Snmp33-1 33-2 Snmp VersionsSnmp Manager Functions Model Level Authentication Encryption ResultDES Operation DescriptionUsing Snmp to Access MIB Variables Snmp Agent Functions33-4 33-5 Snmp NotificationsSnmp ifIndex MIB Object Values Configuring SnmpIfIndex Range SVIDefault Snmp Configuration Snmp Configuration Guidelines33-7 No snmp-server Disable the Snmp agent operation Configuring Community StringsDisabling the Snmp Agent 33-8Access-list access-list-number deny View-name ro rw access-list-numberSnmp-server community string view Permit source source-wildcardSnmp-server engineID local engineid-string Configuring Snmp Groups and UsersSnmp-server engineID local 33-10Snmp-server group groupname v1 v2c Write writeview notify notifyview accessAuth noauth priv read readview 33-11Remote host udp-port port v1 access Configuring Snmp NotificationsEncrypted access access-list auth md5 Notification Type Keyword Description33-13 33-14 33-12 , or enter snmp-server enable traps ? Setting the Agent Contact and Location InformationEnable traps command for each trap type Notification-typesLimiting Tftp Servers Used Through Snmp Switchconfig# snmp-server community publicSnmp Examples Snmp-server tftp-server-list33-17 Displaying Snmp Status33-18 Configuring Network Security with ACLs Understanding ACLs34-1 34-2 Supported ACLs34-3 Port ACLs34-4 Router ACLsHandling Fragmented and Unfragmented Traffic Vlan Maps34-5 34-6 ACLs and Switch Stacks34-7 Configuring IPv4 ACLsAccess List Number Type Supported Access List NumbersCreating Standard and Extended IPv4 ACLs 34-834-9 ACL LoggingShow access-lists number name Access-list access-list-number deny permitCreating a Numbered Standard ACL Source source-wildcard log34-11 Creating a Numbered Extended ACL34-12 34-13 34-14 Resequencing ACEs in an ACL Creating Named Standard and Extended ACLs34-15 Ip access-list extended name Ip access-list standard nameAny log Tos tos established log time-range34-17 Using Time Ranges with ACLsPeriodic weekdays weekend daily Absolute start time dateShow time-range 34-18Applying an IPv4 ACL to a Terminal Line Switch# show ip access-listsIncluding Comments in ACLs 34-19Applying an IPv4 ACL to an Interface Access-class access-list-numberOut 34-2034-21 Ip access-group access-list-numberIPv4 ACL Configuration Examples Hardware and Software Treatment of IP ACLs34-22 Switchconfig# access-list 6 permit 172.20.128.64 Switchconfig# access-list 106 permit ip any 172.20.128.6434-23 Numbered ACLs Extended ACLs34-24 Time Range Applied to an IP ACL Named ACLsCommented IP ACL Entries 34-25Switch# show logging Switchconfig-if#ip access-group ext134-26 34-27 Creating Named MAC Extended ACLs34-28 Applying a MAC ACL to a Layer 2 InterfaceMac access-group name Configuring Vlan MapsShow mac access-group interface interface-id ACL34-30 Vlan Map Configuration GuidelinesCreating a Vlan Map Vlan access-map name numberAction drop forward Match ip mac address name34-32 Examples of ACLs and Vlan Maps34-33 Wiring Closet Configuration Using Vlan Maps in Your NetworkApplying a Vlan Map to a Vlan Vlan filter mapname vlan-list listSwitchconfig# vlan access-map map2 Denying Access to a Server on Anothera VlanSwitchconfig# ip access-list extended matchall Switchconfig# vlan filter map2 vlan34-36 Using Vlan Maps with Router ACLs34-37 Vlan Maps and Router ACL Configuration GuidelinesExamples of Router ACLs and Vlan Maps Applied to VLANs ACLs and Switched PacketsACLs and Bridged Packets 34-3834-39 ACLs and Routed PacketsShow ip access-lists number name Displaying IPv4 ACL ConfigurationACLs and Multicast Packets 34-40Show mac access-group interface interface-id Show running-config interface interface-idShow ip interface interface-id 34-4134-42 35-1 Configuring IPv6 ACLs35-2 Understanding IPv6 ACLsIPv6 ACLs and Switch Stacks Supported ACL FeaturesIPv6 ACL Limitations 35-3Default IPv6 ACL Configuration Configuring IPv6 ACLsInteraction with Other Features and Switches 35-4Ipv6 access-list access-list-name Creating IPv6 ACLs35-5 Log-input routing sequence Dscp value fragments logValue time-range name 35-635-7 Applying an IPv6 ACL to an Interface Ipv6 traffic-filter access-list-nameIpv6 address ipv6-address 35-8Show ipv6 access-list access-list-name Show access-listsDisplaying IPv6 ACLs 35-935-10 36-1 Configuring QoS36-2 Understanding QoS36-3 Basic QoS ModelBasic QoS Model 36-436-5 ClassificationCheck if packet came with CoS label tag Yes 36-6Classification Based on QoS ACLs Classification Based on Class Maps and Policy Maps36-7 36-8 Policing and Marking36-9 Policing on Physical Ports36-10 Policing on SVIs36-11 Policing and Marking Flowchart on SVIs36-12 Mapping Tables36-13 Queueing and Scheduling OverviewWeighted Tail Drop SRR Shaping and Sharing36-14 36-15 Queueing and Scheduling on Ingress Queues36-16 Queue Type Function36-17 WTD Thresholds36-18 Queueing and Scheduling on Egress Queues36-19 36-20 Buffer and Memory Allocation36-21 Packet Modification36-22 Configuring Auto-QoS36-23 Generated Auto-QoS Configuration36-24 Description Automatically Generated Command36-25 Sizes. It configures the bandwidth and the SRR mode shaped Switch automatically configures the egress queue bufferIf you entered the auto qos voip trust command, the switch Or shared on the egress queues mapped to the portEffects of Auto-QoS on the Configuration Auto-QoS Configuration Guidelines36-27 Auto qos voip cisco-phone Enabling Auto-QoS for VoIPCisco-softphone trust Show auto qos interface interface-id36-29 36-30 Auto-QoS Configuration ExampleDebug auto qos Cdp enableAuto qos voip trust Show auto qosConfiguring Standard QoS Displaying Auto-QoS Information36-32 Default Standard QoS Configuration Default Ingress Queue Configuration36-33 Default Egress Queue Configuration Dscp Value Queue ID -Threshold ID36-34 Default Mapping Table Configuration Standard QoS Configuration GuidelinesQoS ACL Guidelines Applying QoS on InterfacesPolicing Guidelines General QoS Guidelines36-36 Enabling QoS Globally Enabling VLAN-Based QoS on Physical Ports36-37 Configuring Classification Using Port Trust States Configuring the Trust State on Ports within the QoS Domain36-38 15 Port Trusted States within the QoS Domain 36-39Mls qos trust cos dscp ip-precedence Configuring the CoS Value for an InterfaceShow mls qos interface 36-40Configuring a Trusted Boundary to Ensure Port Security Mls qos cos default-cos override36-41 Mls qos trust dscp Enabling Dscp Transparency ModeMls qos trust device cisco-phone 36-4236-43 No mls qos rewrite ip dscpMls qos dscp-mutation Mls qos map dscp-mutationShow mls qos maps dscp-mutation 36-44Configuring a QoS Policy Switchconfig-if#mls qos dscp-mutation gi1/0/2-mutation36-45 36-46 Classifying Traffic by Using ACLsSwitchconfig# access-list 102 permit pim any 224.0.0.2 dscp Switchconfig# access-list 100 permit ip any any dscpPermit protocol source source-wildcard Source-wildcard36-48 Mac access-list extended nameClass-map match-all match-any Classifying Traffic by Using Class MapsIs match-all Match-any keywordsIp dscp dscp-list ip precedence Match access-group acl-index-or-nameIp-precedence-list Show class-map36-51 Policy-map policy-map-name Class class-map-name36-52 36-53 Service-policy input policy-map-name Show policy-map policy-map-nameclass36-54 Switchconfig-pmap#class macclass2 maclist2 Switchconfig# policy-map macpolicy1Switchconfig-if#service-policy input macpolicy1 36-5536-56 Traffic by Using Class Maps section on36-57 Drop policed-dscp-transmit Police rate-bps burst-byte exceed-actionExceed-action policed-dscp-transmit keywords to mark down 36-5836-59 Service-policy policy-map-nameService-policy input policy-map-name Show policy-map policy-map-nameclassShow mls qos vlan-based Aggregate-policer-name rate-bps burst-byte Mls qos aggregate-policerExceed-action drop Policed-dscp-transmitOnly one policy map per ingress port is supported Show mls qos aggregate-policerAggregate-policer-name Configuring the CoS-to-DSCP Map Configuring Dscp MapsSwitchconfig-pmap-c#police aggregate transmit1 CoS Value Dscp ValueMls qos map cos-dscp dscp1...dscp8 Configuring the IP-Precedence-to-DSCP MapIP Precedence Value Dscp Value 36-6436-65 Configuring the Policed-DSCP MapDscp Value CoS Value Configuring the DSCP-to-CoS Map36-66 ShowMls qos map dscp-cos dscp-list to cos Configuring the DSCP-to-DSCP-Mutation MapShow mls qos maps dscp-to-cos 36-67Switchconfig-if#mls qos dscp-mutation mutation1 Switch# show mls qos maps dscp-mutation mutation136-68 36-69 Configuring Ingress Queue CharacteristicsMls qos srr-queue input cos-map Mls qos srr-queue input dscp-mapMls qos srr-queue input threshold Show mls qos mapsAllocating Bandwidth Between the Ingress Queues Allocating Buffer Space Between the Ingress QueuesMls qos srr-queue input buffers Show mls qos interface bufferWeight1 weight2 Configuring the Ingress Priority QueueMls qos srr-queue input bandwidth Show mls qos interface queueingWeight Configuring Egress Queue CharacteristicsMls qos srr-queue input Priority-queue queue-id bandwidth36-74 Mls qos queue-set output qset-id Queue-set qset-id36-75 36-76 Mls qos srr-queue output dscp-map Mls qos srr-queue output cos-map36-77 Srr-queue bandwidth shape weight1 Configuring SRR Shaped Weights on Egress QueuesWeight2 weight3 weight4 QueueingConfiguring the Egress Expedite Queue Configuring SRR Shared Weights on Egress QueuesSrr-queue bandwidth share weight1 36-79Srr-queue bandwidth limit weight1 Mls qos Enable QoS on a switchLimiting the Bandwidth on an Egress Interface 36-8036-81 Displaying Standard QoS Information36-82 Show running-config include rewriteConfiguring EtherChannels and Link-State Tracking Understanding EtherChannels37-1 37-2 EtherChannel Overview37-3 Single-Switch EtherChannel37-4 Port-Channel Interfaces37-5 Port Aggregation ProtocolMode Description PAgP Interaction with Other FeaturesPAgP Modes AutoLink Aggregation Control Protocol Lacp Interaction with Other FeaturesLacp Modes 37-7EtherChannel On Mode Load-Balancing and Forwarding Methods37-8 37-9 37-10 EtherChannel and Switch StacksConfiguring EtherChannels Default EtherChannel Configuration37-11 37-12 EtherChannel Configuration Guidelines37-13 Configuring Layer 2 EtherChannelsAuto non-silent desirable non-silent on Active passive37-14 Switchconfig-if-range#channel-group 5 mode active Configuring Layer 3 EtherChannelsCreating Port-Channel Logical Interfaces 37-15Interface port-channel port-channel-number Configuring the Physical InterfacesShow etherchannel channel-group-number detail No ip addressFor channel-group-number, the range is 1 to 48. This number Partner that is PAgP capable, configure the switch port forMust be the same as the port-channel-number logical port 37-17Port-channel load-balance dst-ip dst-mac Configuring EtherChannel Load-BalancingSrc-dst-ip src-dst-mac src-ip src-mac 37-18Configuring the PAgP Learn Method and Priority Show etherchannel load-balance Verify your entries37-19 Pagp learn-method physical-port Configuring Lacp Hot-Standby PortsPagp port-priority priority Show pagp channel-group-number internalConfiguring the Lacp System Priority Show running-config Verify your entries Show lacp sys-id37-21 Lacp port-priority priority Configuring the Lacp Port PriorityShow lacp channel-group-number InternalDisplaying EtherChannel, PAgP, and Lacp Status Understanding Link-State Tracking37-23 37-24 37-25 Configuring Link-State TrackingLink-State Tracking Configuration Guidelines Default Link-State Tracking ConfigurationConfiguring Link-State Tracking 37-26Switch show link state group detail Switch show link state groupDisplaying Link-State Tracking Status 37-2737-28 38-1 Configuring IP Unicast RoutingUnderstanding IP Routing Types of Routing38-2 38-3 IP Routing and Switch Stacks38-4 Steps for Configuring Routing Configuring IP Addressing38-5 ARP Default Addressing ConfigurationIrdp 38-6Assigning IP Addresses to Network Interfaces Show running-config Verify your entryUse of Subnet Zero 38-738-8 Classless RoutingConfiguring Address Resolution Methods No ip classless Disable classless routing behavior38-9 Define a Static ARP Cache Arp ip-address hardware-address type38-10 38-11 Set ARP EncapsulationEnable Proxy ARP Routing Assistance When IP Routing is DisabledDefault Gateway Proxy ARP38-13 Icmp Router Discovery Protocol Irdp38-14 Configuring Broadcast Packet HandlingIp directed-broadcast access-list-number Ip forward-protocol udp port nd sdns38-15 38-16 Forwarding UDP Broadcast Packets and ProtocolsFlooding IP Broadcasts Establishing an IP Broadcast AddressIp broadcast-address ip-address 38-17Clear arp-cache Monitoring and Maintaining IP AddressingClear host name Clear ip route network mask38-19 Enabling IP Unicast Routing38-20 Configuring RIPConfiguring Basic RIP Parameters Default RIP ConfigurationRouter rip Network network number38-22 Configuring Summary Addresses and Split Horizon Configuring RIP AuthenticationIp rip authentication key-chain name-of-chain Ip rip authentication mode text md5Switchconfig-router#neighbor 2.2.2.2 peer-group mygroup Configuring Split HorizonIp summary-address rip ip address ip-network mask No ip split horizonConfiguring Ospf No ip split-horizon38-25 38-26 Default Ospf Configuration38-27 Ospf Nonstop Forwarding38-28 Ospf NSF AwarenessConfiguring Basic Ospf Parameters Configuring Ospf Interfaces38-29 38-30 38-31 Configuring Ospf Area Parameters38-32 Configuring Other Ospf Parameters38-33 Changing LSA Group Pacing Configuring a Loopback InterfaceIp address address mask 38-34Configuring Eigrp Monitoring Ospf38-35 38-36 38-37 Default Eigrp Configuration38-38 Eigrp Nonstop ForwardingRouter eigrp autonomous-system Configuring Basic Eigrp ParametersNetwork network-number Eigrp log-neighbor-changesNo auto-summary Configuring Eigrp InterfacesIp summary-address eigrp 38-40Ip hello-interval eigrp autonomous-system-number Configuring Eigrp Route AuthenticationNo ip split-horizon eigrp autonomous-system-number Show ip eigrp interface38-42 Eigrp Stub RoutingConfiguring BGP Monitoring and Maintaining Eigrp38-43 EBGP, IBGP, and Multiple Autonomous Systems 38-4438-45 Default BGP Configuration38-46 38-47 Nonstop Forwarding AwarenessRouter bgp autonomous-system Enabling BGP RoutingNetwork network-number mask network-mask Route-map route-map-name38-49 Switch# show ip bgp neighbors Switchconfig-router#neighbor 192.208.10.2 remote-asManaging Routing Policy Changes 38-50Show ip bgp neighbors Type of Reset Advantages DisadvantagesClear ip bgp * address Show ip bgp38-52 Configuring BGP Decision Attributes38-53 Configuring BGP Filtering with Route Maps Configuring BGP Filtering by Neighbor38-54 Out weight weight Ip as-path access-list access-list-numberRoute-map map-tag in out Show ip bgp neighbors paths38-56 Configuring Prefix Lists for BGP FilteringIp community-listcommunity-list-number Configuring BGP Community FilteringPermit deny community-number Send-communitySet comm-list list-num delete Configuring BGP Neighbors and Peer GroupsIp bgp-community new-format Show ip bgp community38-59 38-60 Configuring Aggregate AddressesConfiguring Routing Domain Confederations Configuring BGP Route Reflectors38-61 Route-reflector-client Configuring Route DampeningBgp cluster-id cluster-id No bgp client-to-client reflection38-63 Monitoring and Maintaining BGP38-64 Configuring Multi-VRF CE38-65 Understanding Multi-VRF CE38-66 Multi-VRF CE Configuration Guidelines Default Multi-VRF CE ConfigurationVRF 38-67Route-target export import both Configuring VRFsImport map route-map Ip vrf forwarding vrf-nameShow ip vrf brief detail interfaces Configuring a VPN Routing SessionLog-adjacency-changes Redistribute bgpConfiguring BGP PE to CE Routing Sessions Multi-VRF CE Configuration Example38-70 VPN2 CE1 38-7138-72 Configuring Switch aSwitchconfig-router-af#network 8.8.1.0 mask Switchconfig-router-af#network 8.8.2.0 maskSwitchconfig-if#ip address 208.0.0.20 38-7338-74 Router# configure terminalConfiguring Unicast Reverse Path Forwarding Displaying Multi-VRF CE Status38-75 Configuring Protocol-Independent Features Configuring Distributed Cisco Express Forwarding38-76 38-77 Configuring the Number of Equal-Cost Routing PathsRouter bgp rip ospf eigrp Configuring Static Unicast RoutesMaximum-paths maximum Show ip routeRoute Source Default Distance Specifying Default Routes and NetworksIp default-network network number Specify a default network 38-7938-80 Using Route Maps to Redistribute Routing Information38-81 38-82 38-83 Configuring Policy-Based Routing38-84 PBR Configuration Guidelines38-85 Enabling PBRIp route-cache policy Ip policy route-map map-tagIp local policy route-map map-tag 38-86Setting Passive Interfaces Filtering Routing Information38-87 Filtering Sources of Routing Information Controlling Advertising and Processing in Routing UpdatesRouter bgp rip eigrp 38-88Distance weight ip-address ip-address mask Managing Authentication KeysIp access list 38-8938-90 Monitoring and Maintaining the IP Network38-91 38-92 Configuring IPv6 Unicast Routing Understanding IPv639-1 39-2 IPv6 AddressesSupported IPv6 Unicast Routing Features Bit Wide Unicast Addresses39-3 Path MTU Discovery for IPv6 Unicast DNS for IPv6ICMPv6 Neighbor Discovery39-5 IPv6 ApplicationsUnsupported IPv6 Unicast Routing Features Dual IPv4 and IPv6 Protocol Stacks39-6 IPv6 and Switch Stacks Limitations39-7 39-8 SDM Templates Dual IPv4-and IPv6 SDM Templates39-9 39-10 Configuring IPv6Default IPv6 Configuration Configuring IPv6 Addressing and Enabling IPv6 Routing39-11 39-12 Ip routing Enable routing on the switch Configuring IPv4 and IPv6 Protocol StacksSwitchconfig-if#ipv6 address 20010DB8c181/64 eui 39-1339-14 Configuring CEF and dCEF for IPv6 Configuring IPv6 Icmp Rate LimitingIpv6 icmp error-interval interval bucketsize Show ipv6 interface interface-id39-16 Configuring Static Routing for IPv6Ipv6 route ipv6-prefix/prefix length Administrative distanceIpv6-address interface-id ipv6-address 39-17Show ipv6 route static updated Configuring RIP for IPv6Show ipv6 static ipv6-address Interface-id recursive detail39-19 39-20 Configuring Ospf for IPv639-21 Switch# show ipv6 interface Displaying IPv639-22 Switch# show ipv6 protocols Switch# show ipv6 cef /0Switch# show ipv6 rip 39-23Switch# show ipv6 static Switch# show ipv6 neighborsSwitch# show ipv6 route Switch# show ipv6 traffic39-25 39-26 Configuring Hsrp and Enhanced Object Tracking Understanding Hsrp40-1 40-2 40-3 Multiple HsrpConfiguring Hsrp Hsrp and Switch Stacks40-4 Hsrp Configuration Guidelines Default Hsrp ConfigurationEnabling Hsrp 40-5Standby group-number ip ip-address Switch# show standbySecondary Show standby interface-id group40-7 Configuring Hsrp PriorityStandby group-number priority Priority preempt delay delayStandby group-number track 40-8Configuring Hsrp Authentication and Timers Configuring MhsrpSwitchconfig-if#standby 2 ip 40-9Standby group-number timers hellotime Standby group-number authentication stringSwitchconfig-if#standby 1 authentication word HoldtimeConfiguring Hsrp Groups and Clustering Displaying Hsrp ConfigurationsEnabling Hsrp Support for Icmp Redirect Messages Show standby interface-idgroup brief detailConfiguring Enhanced Object Tracking Understanding Enhanced Object Tracking40-12 Tracking Interface Line-Protocol or IP Routing State Configuring Enhanced Object Tracking FeaturesTrack object-number interface 40-13Switch# show track 33 Track Configuring a Tracked ListTrack track-numberlist boolean Object object-number notThreshold weight up number WeightTrack track-numberlist threshold 40-15Percentage Track track-number list thresholdObject object-number Threshold percentage up number40-17 Configuring Hsrp Object TrackingConfiguring Other Tracking Characteristics Show standby40-18 Configuring Web Cache Services By Using Understanding Wccp41-1 41-2 Wccp Message ExchangeWccp Negotiation Packet Redirection and Service GroupsMD5 Security 41-341-4 Wccp and Switch StacksUnsupported Wccp Features Configuring WccpDefault Wccp Configuration Wccp Configuration Guidelines41-6 Enabling the Web Cache Service41-7 41-8 Switchconfig-if-range#switchport access vlan Switchconfig# interface range gigabitethernet1/0/3Monitoring and Maintaining Wccp 41-941-10 Enabled / disabled42-1 Configuring IP Multicast RoutingIP Multicast Routing Protocols 42-2Understanding Igmp Igmp Version42-3 PIM Versions Understanding PIMPIM Modes 42-442-5 PIM Stub Routing42-6 Auto-RPBootstrap Router Multicast Forwarding and Reverse Path Check42-7 Understanding Dvmrp Network Port42-8 Multicast Routing and Switch Stacks Understanding Cgmp42-9 Default Multicast Routing Configuration Configuring IP Multicast RoutingMulticast Routing Configuration Guidelines 42-10Auto-RP and BSR Configuration Guidelines PIMv1 and PIMv2 Interoperability42-11 Configuring Basic Multicast Routing Ip multicast-routing distributed42-12 Ip pim version 1 Configuring PIM Stub RoutingIp pim dense-mode sparse-mode Sparse-dense-modeManually Assigning an RP to Multicast Groups Configuring a Rendezvous PointIp pim passive 42-14Access-list-number override Ip pim rp-address ip-address42-15 42-16 Configuring Auto-RPIp pim send-rp-announce interface-id Scope ttl group-list access-list-numberInterval seconds 42-17Show ip pim rp mapping Ip pim send-rp-discovery scope ttlShow ip pim rp 42-18Access-list-number group-list Ip pim rp-announce-filter rp-list42-19 Configuring PIMv2 BSR Ip pim bsr-border42-20 42-21 Ip multicast boundaryIp pim bsr-candidate interface-id Hash-mask-length priority42-22 Group-list access-list-number Ip pim rp-candidate interface-id42-23 Show ip pim rp group-name Using Auto-RP and a BSRGroup-address mapping Show ip pim rp-hash groupTroubleshooting PIMv1 and PIMv2 Interoperability Problems Configuring Advanced PIM FeaturesMonitoring the RP Mapping Information Understanding PIM Shared Tree and Source TreeShared Tree and Source Tree Shortest-Path Tree 42-26Delaying the Use of PIM Shortest-Path Tree Ip pim spt-threshold kbps infinity42-27 Modifying the PIM Router-Query Message Interval Configuring Optional Igmp FeaturesIp pim query-interval seconds Show ip igmp interface interface-idConfiguring the Switch as a Member of a Group Default Igmp ConfigurationIp igmp join-group group-address 42-29Ip igmp access-group access-list-number Controlling Access to IP Multicast GroupsShow ip igmp interface interface-id Verify your entries 42-30Modifying the Igmp Host-Query Message Interval Changing the Igmp VersionIp igmp version 1 Query-interval or the ip igmp query-max-response-timeIp igmp querier-timeout seconds Changing the Igmp Query Timeout for IGMPv2Ip igmp query-interval seconds 42-32Changing the Maximum Query Response Time for IGMPv2 Configuring the Switch as a Statically Connected MemberIp igmp query-max-response-time 42-33Enabling Cgmp Server Support Configuring Optional Multicast Routing FeaturesIp igmp static-group group-address 42-34Configuring sdr Listener Support Ip cgmp proxy42-35 Enabling sdr Listener Support Ip sdr listen Enable sdr listener supportLimiting How Long an sdr Cache Entry Exists 42-3642-37 Configuring an IP Multicast Boundary42-38 Configuring Basic Dvmrp Interoperability Features42-39 Configuring Dvmrp Interoperability42-40 Ip dvmrp metric metric list42-41 Configuring a Dvmrp TunnelNeighbor-list access-list-number Access-list-number distanceAdvertising Network 0.0.0.0 to Dvmrp Neighbors Ip dvmrp accept-filterIp dvmrp default-information Configuring Advanced Dvmrp Interoperability FeaturesResponding to mrinfo Requests Originate only42-44 Enabling Dvmrp Unicast Routing42-45 Rejecting a Dvmrp Nonpruning Neighbor42-46 Enter interface configuration modeControlling Route Exchanges By default, 7000 routes are advertised. The range is 0 toLimiting the Number of Dvmrp Routes Advertised Changing the Dvmrp Route ThresholdDefault is 10,000 routes. The range is 1 to Configuring a Dvmrp Summary AddressRoute-count 42-4842-49 Ip dvmrp summary-address address Disabling Dvmrp AutosummarizationMask metric value No ip dvmrp auto-summaryIp dvmrp metric-offset in out Adding a Metric Offset to the Dvmrp RouteIncrement 42-51Clearing Caches, Tables, and Databases Monitoring and Maintaining IP Multicast RoutingDisplaying System and Network Statistics 42-5242-53 Monitoring IP Multicast Routing42-54 Configuring Msdp Understanding Msdp43-1 43-2 Msdp Operation43-3 Msdp BenefitsDefault Msdp Configuration Configuring MsdpConfiguring a Default Msdp Peer 43-4Ip msdp default-peer ip-address name Prefix-list list43-5 Ip prefix-list name description string Caching Source-Active StateSeq number permit deny network Ip msdp description peer-name43-7 Ip msdp cache-sa-state listRequesting Source Information from an Msdp Peer Switchconfig# ip msdp sa-requestIp msdp sa-request ip-address name 43-8Redistributing Sources Controlling Source Information that Your Switch OriginatesIp msdp redistribute list 43-943-10 Filtering Source-Active Request Messages Name list access-list-numberIp msdp filter-sa-request ip-address 43-11Using a Filter Controlling Source Information that Your Switch ForwardsIp msdp sa-filter out ip-address name Route-map map-tag43-13 Using TTL to Limit the Multicast Data Sent in SA Messages Controlling Source Information that Your Switch ReceivesIp msdp ttl-threshold ip-address name TtlSwitchconfig# ip msdp sa-filter in switch.cisco.com Ip msdp sa-filter in ip-address name43-15 Shutting Down an Msdp Peer Configuring an Msdp Mesh GroupIp msdp mesh-group name ip-address 43-16Ip msdp shutdown peer-name peer Including a Bordering PIM Dense-Mode Region in MsdpIp msdp border sa-address interface-id 43-1743-18 Configuring an Originating Address other than the RP AddressClear ip msdp peer peer-addressname Monitoring and Maintaining MsdpClear ip msdp statistics peer-addressname Clear ip msdp sa-cache group-addressname43-20 Understanding Fallback Bridging Configuring Fallback BridgingFallback Bridging Overview 44-144-2 Configuring Fallback Bridging Fallback Bridging and Switch Stacks44-3 Fallback Bridging Configuration Guidelines Default Fallback Bridging ConfigurationCreating a Bridge Group 44-4Vlan-bridge Bridge bridge-group protocolBridge-group bridge-group 44-5Adjusting Spanning-Tree Parameters Switchconfig# bridge 10 protocol vlan-bridge44-6 Changing the Interface Priority Changing the VLAN-Bridge Spanning-Tree PriorityBridge bridge-group priority number Bridge-group bridge-grouppriorityBridge-group bridge-group path-cost Assigning a Path CostCost 44-8Switchconfig# bridge 10 hello-time Adjusting Bpdu IntervalsBridge bridge-group hello-time seconds 44-9Switchconfig# bridge 10 max-age Switchconfig# bridge 10 forward-timeBridge bridge-group forward-time Bridge bridge-group max-age secondsDisabling the Spanning Tree on an Interface Monitoring and Maintaining Fallback BridgingClear bridge bridge-group Show bridge bridge-group group44-12 45-1 Troubleshooting45-2 Recovering from a Software FailureSwitch flashinit Recovering from a Lost or Forgotten PasswordSwitch loadhelper Switch copy xmodem flashimagefilename.bin45-4 45-5 Procedure with Password Recovery Enabled45-6 Copy the configuration file into memoryProcedure with Password Recovery Disabled Switch dir flash45-7 45-8 Preventing Switch Stack Problems45-9 Recovering from a Command Switch FailureReplacing a Failed Command Switch with a Cluster Member Switchconfig# no cluster commander-address45-10 45-11 Replacing a Failed Command Switch with Another Switch45-12 Troubleshooting Power over Ethernet Switch Ports Recovering from Lost Cluster Member ConnectivityPreventing Autonegotiation Mismatches 45-13Disabled Port Caused by False Link Up Disabled Port Caused by Power LossShow controllers power inline privileged Exec command SFP Module Security and IdentificationUsing Ping Monitoring TemperatureMonitoring SFP Module Status Understanding PingExecuting Ping Switch# pingCharacter Description 45-16Understanding Layer 2 Traceroute Using Layer 2 TracerouteUsage Guidelines 45-17Displaying the Physical Path Using IP TracerouteUnderstanding IP Traceroute 45-18Executing IP Traceroute Switch# traceroute ipTraceroute ip host Trace the path that packets take through the networkUsing TDR Understanding TDR45-20 Enabling Debugging on a Specific Feature Using Debug CommandsRunning TDR and Displaying the Results 45-21Enabling All-System Diagnostics Redirecting Debug and Error Message Output45-22 Using the show platform forward Command 45-23Udp 10 45-24 Using the crashinfo Files Basic crashinfo Files45-25 Extended crashinfo Files Using On-Board Failure LoggingUnderstanding Obfl 45-2645-27 Configuring ObflDisplaying Obfl Information Show logging onboard module45-28 Configuring Online Diagnostics Understanding Online Diagnostics46-1 Scheduling Online Diagnostics Configuring Online DiagnosticsDiagnostic schedule switch Non-disruptive daily hhmmDiagnostic monitor interval switch Configuring Health-Monitoring DiagnosticsDiagnostic content command output Diagnostic monitor syslogDiagnostic monitor switch number test Diagnostic monitor threshold switchShow diagnostic content post result Schedule status switchStarting Online Diagnostic Tests Running Online Diagnostic TestsDiagnostic start switch number All basic non-disruptive46-6 Displaying Online Diagnostic Tests and Test ResultsSupported MIBs MIB ListCISCO-FTP-CLIENT-MIB CISCO-HSRP-MIB CISCO-RTTMON-MIB CISCO-SMI-MIB CISCO-IGMP-FILTER-MIBETHERLIKE-MIB IEEE8021-PAE-MIB IEEE8023-LAG-MIB IGMP-MIB INET-ADDRESS-MIB IPMROUTE-MIBTCP-MIB UDP-MIB Using FTP to Access the MIB Files Working with the Flash File System Displaying Available File Systems Switch# show file systemsField Value Setting the Default File SystemDisplaying Information about Files on a File System Cd newconfigsChanging Directories and Displaying the Working Directory PwdMkdir oldconfigs Creating and Removing DirectoriesCopying Files Switch# delete myconfig Deleting FilesCreating, Displaying, and Extracting Files Archive /create destination-url FlashArchive /table source-url Extract a file into a directory on the flash file system Archive /xtract source-urlDirectories are extracted More /ascii /binary /ebcdicWorking with Configuration Files Configuration File Types and Location Guidelines for Creating and Using Configuration FilesCopying Configuration Files By Using Tftp Creating a Configuration File By Using a Text EditorUploading the Configuration File By Using Tftp Downloading the Configuration File By Using TftpCopying Configuration Files By Using FTP Downloading a Configuration File By Using FTP Ip ftp password passwordIp ftp username username Ftp // username password @ location /directory Uploading a Configuration File By Using FTPFilename systemrunning-config Filename nvramstartup-configCopy systemrunning-config Copying Configuration Files By Using RCPCopy nvramstartup-config Ftp // username password @ location /directory FilenameHostname Switch1 Ip rcmd remote-username User0 Systemrunning-config Downloading a Configuration File By Using RCPNvramstartup-config Ip rcmd remote-username usernameClearing Configuration Information Uploading a Configuration File By Using RCPSwitch# copy nvramstartup-config rcp Clearing the Startup Configuration File Deleting a Stored Configuration FileWorking with Software Images File Format of Images on a Server or Cisco.com Image Location on the SwitchField Description Copying Image Files By Using TftpDownloading an Image File By Using Tftp Preparing to Download or Upload an Image File By Using TftpArchive download-sw Allow-feature-upgrade /directoryOverwrite /reload Archive download-sw /directoryUploading an Image File By Using Tftp Archive upload-swTftp //location /directory /image-name .tar Preparing to Download or Upload an Image File By Using FTP Copying Image Files By Using FTPDownloading an Image File By Using FTP Directory /overwrite /reload Archive download-sw /allow-feature-upgradeFor /directory /image-name1 .tar Directory /image-name2 .tar image-name3 .tarUploading an Image File By Using FTP Copying Image Files By Using RCP Preparing to Download or Upload an Image File By Using RCP File By Using RCP section on page B-31 Downloading an Image File By Using RCPOr Upload an Image File By Using RCP section on Uploading an Image File By Using RCP Copying an Image File from One Stack Member to Another Rcp // username @ location /directory /image-naMe.tar Destination-stack-member-number /force-reload Archive copy-sw /destination-systemSource-stack-member-number For /destination-system destination-stack-member-numberAccess Control Lists Unsupported Commands Cisco IOS Release 12.237SEUnsupported Privileged Exec Commands Unsupported Global Configuration CommandsARP Commands Archive CommandsBoot Loader Commands Debug CommandsBridge bridge-groupacquire Fallback BridgingBridge crb Bridge bridge-group domain domain-name bridge irbX25 map bridge x.121-address broadcast options-keywords HsrpIgmp Snooping Commands Interface CommandsIP Multicast Routing Show ip pim vc group-address name type number Ip pim accept-rpaddress auto-rpgroup-access-list-numberShow ip rtp header-compression type number detail Ip multicast-routing vrf vrf-nameIP Unicast Routing Unsupported Privileged Exec or User Exec CommandsUnsupported BGP Router Configuration Commands Unsupported VPN Configuration CommandsUnsupported Route Map Commands Show cable-diagnostics prbs Test cable-diagnostics prbs MAC Address CommandsMiscellaneous Set tag tag-valueMsdp NetFlow CommandsUnsupported Global Configuration Command Network Address Translation NAT CommandsUnsupported Policy-Map Configuration Command QoSUnsupported User Exec Commands Unsupported Interface Configuration CommandUnsupported Privileged Exec Command Spanning TreeIN-1 NumericsIN-2 ACLsEigrp CDP Lldp RIPHsrp TACACS+BGP CidrIN-4 IN-5 BpduCEF CDPCgmp CLIIN-7 CNSIN-8 Dhcp DNSIN-9 TACACS+ Udld SnmpVmps WccpIN-11 Dhcp optionIN-12 DTPIN-13 DvmrpIN-14 Dynamic ARP inspectionIN-15 LacpSTP FIBIN-16 Mstp STP FTPIN-17 Https IcmpIN-18 IN-19 IgmpIN-20 IN-21 IP addressesIN-22 MboneIN-23 IGPIN-24 IP unicast routingIN-25 ISLIN-26 LLDP-MEDIN-27 MDA MhsrpIN-28 IN-29 MsdpIST CSTMTU IN-30IN-31 NACIN-32 NSSA, OspfObfl PBRIN-33 IN-34 PIMIN-35 Port-based authenticationPvid VvidIN-36 IN-37 Private VLANsIN-38 QoSIN-39 IN-40 RCPRFC Radius TACACS+Rmon IN-41Rspan RPSRstp IN-42IN-43 SDMIN-44 SnmpSpan SRRIN-45 SSL VTPIN-46 IN-47 Stacks, switchIN-48 LLDP-MED OspfIN-49 STPIN-50 IN-51 System message loggingIN-52 IN-53 IN-54 IN-55 VLANsVPN VQPIN-56 IN-57 WTDIN-58

Command

ip http timeout-policy idle seconds life

end

Return to privileged EXEC mode.

show ip http server secure status

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Configuring the Secure HTTP Client

Command

configure terminal

ip http client secure-trustpoint name

trustpoint has been configured.