Manuals / Cisco Systems / Computer Equipment / Webcam

Cisco Systems 3750E manual Using Ieee 802.1x Authentication with Per-User ACLs, 10-11

Models: 3750E

1 1236

Download 1236 pages 40.08 Kb

Page 263

Image 263

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

If an IEEE 802.1x port is authenticated and put in the RADIUS server-assigned VLAN, any change to the port access VLAN configuration does not take effect.

The IEEE 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).

To configure VLAN assignment you need to perform these tasks:

•Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server.

•Enable IEEE 802.1x authentication. (The VLAN assignment feature is automatically enabled when you configure IEEE 802.1x authentication on an access port).

•Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch:

–[64] Tunnel-Type = VLAN

–[65] Tunnel-Medium-Type = 802

–[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID

Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the

IEEE 802.1x-authenticated user.

For examples of tunnel attributes, see the “Configuring the Switch to Use Vendor-Specific RADIUS Attributes” section on page 9-29.

Using IEEE 802.1x Authentication with Per-User ACLs

You can enable per-user access control lists (ACLs) to provide different levels of network access and service to an IEEE 802.1x-authenticated user. When the RADIUS server authenticates a user connected to an IEEE 802.1x port, it retrieves the ACL attributes based on the user identity and sends them to the switch. The switch applies the attributes to the IEEE 802.1x port for the duration of the user session. The switch removes the per-user ACL configuration when the session is over, if authentication fails, or if a link-down condition occurs. The switch does not save RADIUS-specified ACLs in the running configuration. When the port is unauthorized, the switch removes the ACL from the port.

You can configure router ACLs and input port ACLs on the same switch. However, a port ACL takes precedence over a router ACL. If you apply input port ACL to an interface that belongs to a VLAN, the port ACL takes precedence over an input router ACL applied to the VLAN interface. Incoming packets received on the port to which a port ACL is applied are filtered by the port ACL. Incoming routed packets received on other ports are filtered by the router ACL. Outgoing routed packets are filtered by the router ACL. To avoid configuration conflicts, you should carefully plan the user profiles stored on the RADIUS server.

RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific attributes (VSAs) are in octet-string format and are passed to the switch during the authentication process. The VSAs used for per-user ACLs are inacl#<n> for the ingress direction and outacl#<n> for the egress direction. MAC ACLs are supported only in the ingress direction. The switch supports VSAs only in the ingress direction. It does not support port ACLs in the egress direction on Layer 2 ports. For more information, see Chapter 34, “Configuring Network Security with ACLs.”

Use only the extended ACL syntax style to define the per-user configuration stored on the RADIUS server. When the definitions are passed from the RADIUS server, they are created by using the extended naming convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.

	Catalyst 3750-E and 3560-E Switch Software Configuration Guide

OL-9775-02		10-11
OL-9775-02		10-11

Page 263

Image 263

Cisco Systems 3750E manual Using Ieee 802.1x Authentication with Per-User ACLs, 10-11

Contents

Text Part Number OL-9775-02 Americas HeadquartersPage Iii N T E N T SAssigning the Switch IP Address and Default Gateway Understanding Cisco Configuration Engine Software Clustering Switches Vii Catalyst 1900 and Catalyst 2820 CLI ConsiderationsViii Creating a BannerChanging the Default Privilege Level for Lines Device Roles Bypass Xii Routed PortsXiii Monitoring and Maintaining the InterfacesXiv Encapsulation TypesDomain Names Xvi Private-VLAN Configuration GuidelinesXvii Disabled StateXviii Boundary Ports19-25 XixDhcp Server Xxi Configuring Dynamic ARP InspectionXxii Configuring MVRXxiii Understanding Storm ControlXxiv Understanding Udld Modes of OperationXxv Creating an Rspan Source SessionXxvi Snmp Agent FunctionsXxvii Creating a Numbered Extended ACLXxviii Interaction with Other Features and SwitchesXxix Xxx Port-Channel InterfacesXxxi Configuring IP AddressingXxxii Nonstop Forwarding AwarenessXxxiii IPv6 AddressesXxxiv Configuring Hsrp PriorityXxxv Configuring IP Multicast RoutingXxxvi Configuring Basic Dvmrp Interoperability FeaturesXxxvii Using a Filter45-14 XxxviiiXxxix Configuring Online DiagnosticsUnsupported Route-Map Configuration Commands C-1 Xli HsrpXlii VTPConventions PrefaceAudience PurposeXliv Related PublicationsXlv Xlvi Overview FeaturesAvailability and Redundancy Features, Vlan Features, Deployment FeaturesOverview Features Performance Features Management Options Manageability Features Availability and Redundancy Features Security Features Vlan FeaturesOverview Features QoS and CoS Features Layer 3 Features Power over Ethernet Features Vlan Default Settings After Initial Switch ConfigurationMonitoring Features Overview Default Settings After Initial Switch Configuration Overview Default Settings After Initial Switch Configuration Design Concepts for Using the Switch Network Configuration ExamplesNetwork Demands Suggested Design Methods Cost-Effective Wiring Closet High-Performance Wiring Closet High-Performance Workgroup Gigabit-to-the-Desktop Redundant Gigabit Backbone Server Aggregation Linux Server Cluster Cisco SoftPhone Software Gigabit servers Internet Cisco 2600 or 3700 routers Catalyst 3560-E switches Large Network Using Catalyst 3750-E and 3560-E Switches Cisco 7x00 routers Catalyst Catalyst 3560-E Multidwelling Network Using Catalyst 3750-E Switches 11 Catalyst 3750-E Switches in a MAN Configuration Long-Distance, High-Bandwidth Transport ConfigurationAccess layer Aggregation layer Where to Go NextOL-9775-02 Understanding Command Modes Using the Command-Line InterfaceCtrl-Z Mode Access Method Prompt Exit Method About This ModeConfigure QuitLine vty or line Console commandCommand Purpose Understanding the Help SystemCommand keyword ? Understanding Abbreviated CommandsUnderstanding no and default Forms of Commands Command ?Error Message Meaning How to Get Help Understanding CLI Error MessagesUsing Configuration Logging Action1 Result Using Command HistoryChanging the Command History Buffer Size Recalling CommandsSwitch# terminal editing Using Editing FeaturesDisabling the Command History Feature Enabling and Disabling Editing FeaturesCapability Keystroke1 Purpose Editing Commands through KeystrokesPress Ctrl-L or Ctrl-R Editing Command Lines that WrapReturn and Space bar Switch# show interfaces include protocol Accessing the CLICommand begin include exclude regular-expression Using the Command-Line Interface Accessing the CLI OL-9775-02 Understanding the Boot Process Assigning the Switch IP Address and Default GatewayAssigning Switch Information Feature Default Setting Default Switch InformationUnderstanding DHCP-Based Autoconfiguration Dhcp Client and Server Message Exchange Dhcp Client Request ProcessDhcp Server Configuration Guidelines Configuring DHCP-Based AutoconfigurationConfiguring the DNS Configuring the Tftp ServerRouterconfig-if#ip helper-address Configuring the Relay DeviceObtaining Configuration Files Tftpserver Example ConfigurationDhcp Client Configuration Switch a Switch B Switch C Switch DDNS Server Configuration Tftp Server Configuration on UnixManually Assigning IP Information Switch# copy running-config startup-config Checking and Saving the Running ConfigurationSwitch# show running-config Automatically Downloading a Configuration File Modifying the Startup ConfigurationDefault Boot Configuration Configure terminal Enter global configuration mode Booting ManuallyBoot config-file flash/ file-url Show bootBoot system filesystem /file-url Booting a Specific Software ImageControlling Environment Variables Boot system switch number allSet Switchpriority Set Manualboot yes Boot manualSet Switchnumber Switch current-stack-member-number renumberReload in hhmm text Configuring a Scheduled ReloadScheduling a Reload of the Software Image Variable DescriptionDisplaying Scheduled Reload Information Switch# reload atSwitch# reload at 0200 jun Understanding Cisco Configuration Engine Software Configuring Cisco IOS CNS AgentsConfiguration Engine Architectural Overview Configuration ServiceNameSpace Mapper Event ServiceConfigID What You Should Know About the CNS IDs and Device HostnamesHostname and DeviceID Using Hostname, DeviceID, and ConfigIDDeviceID Understanding Cisco IOS Agents Initial ConfigurationEnabling Automated CNS Configuration Configuring Cisco IOS AgentsIncremental Partial Configuration Synchronized ConfigurationDevice Required Configuration Show cns event connections Backup init-retry retry-count keepalive secondsShow running-config Enabling the CNS Event AgentEnabling the Cisco IOS CNS Agent Enabling an Initial ConfigurationCns id hardware-serial hostname string string Cns config initial ip-address hostnameCns id interface num dns-reverse ipaddress Mac-address eventShow cns config stats Enabling a Partial ConfigurationShow running-config Verify your entries Cns config partial ip-address hostnameShow cns event subject Displaying CNS ConfigurationShow cns config connections Show cns event statsUnderstanding Switch Stacks Managing Switch StacksManaging Switch Stacks Understanding Switch Stacks Switch Stack Membership Creating a Switch Stack from Two Standalone Switches Stack Master Election and Re-Election Adding a Standalone Switch to a Switch StackStack Member Numbers Switch Stack Bridge ID and Router MAC AddressStack Member Priority Values Scenario Result Switch Stack Offline ConfigurationEffects of Adding a Provisioned Switch to a Switch Stack Scenario Result Effects of Replacing a Provisioned Switch in a Switch Stack Switch Stack Software Compatibility RecommendationsStack Protocol Version Compatibility Major Version Number Incompatibility Among SwitchesMinor Version Number Incompatibility Among Switches Understanding Auto-Upgrade and Auto-Advise Directory Auto-Upgrade and Auto-Advise Example MessagesSwitch Mar 1 000422.537%IMAGEMGR-6-AUTOADVISESW Switch Stack Configuration Files Incompatible Software and Stack Member Image UpgradesSwitch Stack Management Connectivity Connectivity to Specific Stack Members Connectivity to the Switch Stack Through an IP AddressConnectivity to the Switch Stack Through an SSH Session Priority new-priority-number global Switch Stack Configuration ScenariosUse the switch stack-member-number Current-stack-member-number Renumber new-stack-member-number Enabling Persistent MAC Address Configuring the Switch StackDefault Switch Stack Configuration Time-value Stack-mac persistent timerShow switch Switchconfig# stack-mac persistent timerAssigning a Stack Member Number Setting the Stack Member Priority ValueAssigning Stack Member Information Provisioning a New Member for a Switch Stack Show switch stack-member-number Accessing the CLI of a Specific Stack MemberDisplaying Switch Stack Information Command DescriptionDetail Show switch stack-portsShow switch stack-ring activity OL-9775-02 Understanding Switch Clusters Clustering SwitchesSwitch Cisco IOS Release Cluster Capability Standby Cluster Command Switch Characteristics Cluster Command Switch CharacteristicsCandidate Switch and Cluster Member Switch Characteristics Planning a Switch ClusterDiscovery Through CDP Hops Automatic Discovery of Cluster Candidates and MembersDiscovery Through CDP Hops Discovery Through Different VLANs Discovery Through Different VLANs Discovery Through Different Management VLANsDiscovery Through Routed Ports New out-of-box Discovery of Newly Installed SwitchesHsrp and Standby Cluster Command Switches Other Considerations for Cluster Standby Groups Virtual IP AddressesAutomatic Recovery of Cluster Configuration Hostnames IP AddressesSnmp Community Strings PasswordsMembers Other cluster member switches Switch Clusters and Switch StacksSwitch Stack Switch Cluster LRE Profiles TACACS+ and RadiusCatalyst 1900 and Catalyst 2820 CLI Considerations Using the CLI to Manage Switch ClustersSwitch# rcommand Snmp Management for a Cluster Using Snmp to Manage Switch ClustersOL-9775-02 Understanding the System Clock Administering the SwitchManaging the System Time and Date NTP Understanding Network Time ProtocolTypical NTP Network Configuration Configuring NTPNtp authenticate Default NTP ConfigurationConfiguring NTP Authentication Configuring NTP Associations Key keyid source interface prefer Configuring NTP Broadcast ServiceSwitchconfig# ntp server 172.16.22.44 version Ntp peer ip-address version numberNtp broadcast client Interface interface-idNtp broadcast version number key keyid Destination-addressServe-onl y serve peer Configuring NTP Access RestrictionsNtp broadcastdelay microseconds Ntp access-group query-onlyCommand Purpose Interface interface-id Configuring the Source IP Address for NTP PacketsFundamentals Command Reference, Release Configuring Time and Date ManuallyDisplaying the NTP Configuration Setting the System ClockMinutes-offset Displaying the Time and Date ConfigurationConfiguring the Time Zone Clock timezone zone hours-offsetHh mm offset Configuring Summer Time Daylight Saving TimeClock summer-time zone recurring Week day month hh mm week day monthClock summer-time zone date date Configuring a System Name and PromptClock summer-time zone date month Understanding DNS Default System Name and Prompt ConfigurationConfiguring a System Name Copy running-config startup-confi gIp name-server server-address1 Default DNS ConfigurationSetting Up DNS Ip domain-name nameCreating a Banner Default Banner ConfigurationDisplaying the DNS Configuration Unix telnet Configuring a Message-of-the-Day Login BannerBanner motd c message c Managing the MAC Address Table Configuring a Login BannerBanner login c message c MAC Addresses and VLANs Building the Address TableChanging the Address Aging Time MAC Addresses and Switch StacksDefault MAC Address Table Configuration Show mac address-table aging-time Configuring MAC Address Notification TrapsRemoving Dynamic Address Entries Mac address-table aging-timeMac address-table notification String by using the snmp-server communitySnmp-server enable traps mac-notification Snmp-server host host-addr traps informs versionAdding and Removing Static Address Entries Show mac address-table static Configuring Unicast MAC Address FilteringMac address-table static mac-addr Vlan vlan-id interface interface-idVlan vlan-id drop Displaying Address Table Entries Managing the ARP TableOL-9775-02 Understanding the SDM Templates Configuring SDM TemplatesDual IPv4 and IPv6 SDM Templates Resource Access Default RoutingIPv4-and-IPv6 Resource Default Routing SDM Templates and Switch StacksSDM Template Configuration Guidelines Configuring the Switch SDM TemplateDefault SDM Template Vlan routing vlan Setting the SDM TemplateSdm prefer access default Dual-ipv4-and-ipv6 default routingDisplaying the SDM Templates Switchconfig# sdm prefer routingSwitchconfig# sdm prefer dual-ipv4-and-ipv6 default Policy based routing aces 25K OL-9775-02 Preventing Unauthorized Access to Your Switch Configuring Switch-Based AuthenticationDefault Password and Privilege Level Configuration Protecting Access to Privileged Exec CommandsSwitchconfig# enable password l1u2c3k4y5 Setting or Changing a Static Enable PasswordEnable password password Service password-encryption Enable password level level passwordEncryption-type encrypted-password Enable secret level level passwordShow version Disabling Password RecoveryNo service password-recovery Switchconfig-line#password let45me67in89 Setting a Telnet Password for a Terminal LineConfiguring Username and Password Pairs Password passwordUsername name privilege level Configuring Multiple Privilege LevelsUsername command Login localShow privilege Setting the Privilege Level for a CommandPrivilege mode level level command Logging into and Exiting a Privilege Level Changing the Default Privilege Level for LinesCommand Understanding TACACS+ Controlling Switch Access with TACACS+Typical TACACS+ Network Configuration TACACS+ Operation Configuring TACACS+Aaa group server tacacs+ group-name Default TACACS+ ConfigurationTacacs-server host hostname port Aaa new-modelShow tacacs Verify your entries Configuring TACACS+ Login AuthenticationAaa new-model Enable AAA Line console tty vty line-number Aaa authentication login defaultLogin authentication default Authentication login commandShow running-config Verify your entries Starting TACACS+ Accounting Controlling Switch Access with RadiusDisplaying the TACACS+ Configuration Understanding Radius Radius Operation Transitioning from Radius to TACACS+ ServicesIdentifying the Radius Server Host Configuring RadiusDefault Radius Configuration Page Seconds retransmit retries key Acct-port port-number timeoutRadius-server host hostname Ip-address auth-port port-numberSwitchconfig# radius-server host host1 Configuring Radius Login AuthenticationServer Host section on Defining AAA Server Groups Aaa group server radius group-name Radius Aaa authorization network radiusStarting Radius Accounting Radius-server retransmit retries Configuring Settings for All Radius ServersRadius-server timeout seconds Radius-server key stringCisco-avpair=ipoutacl#2=deny ip 10.10.10.10 0.0.255.255 any AuthenticationRadius-server vsa send accounting Cisco-avpair=shellpriv-lvl=15Radius-server host hostname ip-address non-standard Controlling Switch Access with KerberosDisplaying the Radius Configuration Understanding Kerberos KDC Term DefinitionSrvtab Authenticating to a Boundary SwitchKerberos Operation KeytabObtaining a TGT from a KDC Configuring KerberosAuthenticating to Network Services Aaa authorization network local Aaa authentication login default localAaa authorization exec local Username name privilege level Configuring the Switch for Secure ShellUsername command SSH Servers, Integrated Clients, and Supported Versions Understanding SSHLimitations Configuring SSHConfiguration Guidelines Setting Up the Switch to Run SSH Authentication-retries number Displaying the SSH Configuration and StatusConfiguring the SSH Server Ip ssh timeout secondsCertificate Authority Trustpoints Configuring the Switch for Secure Socket Layer HttpUnderstanding Secure Http Servers and Clients Rsakeypair TP-self-signed-3080755072 CipherSuites Configuring Secure Http Servers and ClientsDefault SSL Configuration Configuring a CA Trustpoint SSL Configuration GuidelinesConfiguring the Secure Http Server Ip http client secure-trustpoint name Configuring the Secure Http ClientIp http timeout-policy idle seconds life Show ip http server secure statusShow ip http client secure status Configuring the Switch for Secure Copy ProtocolDisplaying Secure Http Server and Client Status Ip http client secure-ciphersuiteHtml Information About Secure CopyOL-9775-02 10-1 Configuring Ieee 802.1x Port-Based AuthenticationUnderstanding Ieee 802.1x Port-Based Authentication 10-2 Device Roles10-3 Authentication Process10-4 Authentication Flowchart10-5 Authentication Initiation and Message ExchangeEAPOL-Start 10-610-7 Ieee 802.1x Authentication and Switch StacksPorts in Authorized and Unauthorized States 10-8 Ieee 802.1x Host Mode10-9 Ieee 802.1x AccountingIeee 802.1x Accounting Attribute-Value Pairs Attribute Number AV Pair Name10-10 Using Ieee 802.1x Authentication with Vlan Assignment10-11 Using Ieee 802.1x Authentication with Per-User ACLs10-12 Using Ieee 802.1x Authentication with Guest Vlan10-13 Using Ieee 802.1x Authentication with Restricted Vlan10-14 10-15 Using Ieee 802.1x Authentication with Voice Vlan Ports10-16 Using Ieee 802.1x Authentication with Port Security10-17 Using Ieee 802.1x Authentication with Wake-on-LAN10-18 10-19 Using Multidomain AuthenticationNetwork Admission Control Layer 2 Ieee 802.1x Validation 10-20 Using Web AuthenticationFor example 10-21 Configuring Ieee 802.1x Authentication10-22 Default Ieee 802.1x Authentication ConfigurationAAA 10-23 Ieee 802.1x Authentication Configuration GuidelinesIeee 802.1x Authentication 10-24 10-25 Configuring Ieee 802.1x AuthenticationMAC Authentication Bypass 10-26 Configuring the Switch-to-RADIUS-Server Communication10-27 Ip-address auth-port port-number keyShow dot1x interface interface-id Configuring the Host ModeDot1x host-mode multi-host Multi-domain10-29 Configuring Periodic Re-AuthenticationManually Re-Authenticating a Client Connected to a Port Show dot1x interface interface-id Verify your entries Changing the Switch-to-Client Retransmission TimeDot1x timeout tx-period seconds Changing the Quiet PeriodDot1x max-reauth-req count Setting the Switch-to-Client Frame-Retransmission NumberSwitchconfig-if#dot1x timeout tx-period Show dot1xinterface interface-id Verify your entries10-32 Setting the Re-Authentication NumberConfiguring Ieee 802.1x Accounting Switchconfig-if#dot1x max-reauth-req10-33 Configuring a Guest VlanDot1x guest-vlan vlan-id Configuring a Restricted VlanSwitchport mode private-vlan host Switchconfig# interface gigabitethernet2/0/210-35 Dot1x auth-fail vlan vlan-idDot1x auth-fail max-attempts max AttemptsTries tries Configuring the Inaccessible Authentication Bypass FeatureSwitchconfig-if#dot1x auth-fail max-attempts Radius-server dead-criteria time time10-37 Show dot1x interface interface-id Configuring Ieee 802.1x Authentication with WoLDot1x critical recovery action Reinitialize vlan vlan-idDot1x control-direction both Configuring MAC Authentication BypassSwitchconfig-if#dot1x control-direction both Switchconfig-if#dot1x mac-auth-bypass10-40 Configuring NAC Layer 2 Ieee 802.1x Validation10-41 Configuring Web Authentication10-42 10-43 Disabling Ieee 802.1x Authentication on the PortNo dot1x pae Disable Ieee 802.1x authentication on the port Dot1x fallback fallback-profile10-44 Displaying Ieee 802.1x Statistics and Status11-1 Configuring Interface CharacteristicsUnderstanding Interface Types 11-2 Switch PortsPort-Based VLANs 11-3 Access PortsTrunk Ports 11-4 Routed PortsTunnel Ports 11-5 Switch Virtual InterfacesEtherChannel Port Groups 11-6 Power over Ethernet PortsGigabit Ethernet Interfaces Supported Protocols and Standards11-7 Powered-Device Detection and Initial Power AllocationClass 11-8 Power Management Modes11-9 Power Monitoring and Power Policing11-10 Maximum Power Allocation Cutoff Power on a PoE Port11-11 Connecting Interfaces11-12 Ethernet Management Port11-13 Connecting a Switch Stack to a PC11-14 TftpMgmtclr Using Interface Configuration ModeMgmtinit Mgmtshow11-16 Procedures for Configuring InterfacesShow interfaces interface-id Configuring a Range of InterfacesInterface range port-range macro Macroname11-18 Interface range macro macroname Configuring and Using Interface Range MacrosShow running-config include define Define interface-range macroname11-20 Configuring Ethernet InterfacesSwitch# show running-config include define Switch# show run include define11-21 Default Ethernet Interface Configuration11-22 Configuring Interface Speed and Duplex ModeSpeed and Duplex Configuration Guidelines Duplex auto full half Setting the Interface Speed and Duplex ParametersSpeed 10 100 1000 auto 10 Nonegotiate11-24 Configuring Ieee 802.3x Flow ControlFlowcontrol receive on off desired 11-25 Configuring Auto-MDIX on an InterfaceLocal Side Auto-MDIX With Correct Cabling11-26 Configuring a Power Management Mode on a PoE PortInterface-id phy Neve r static max max-wattage Budgeting Power for Devices Connected to a PoE PortPower inline auto max max-wattage Show power inline i nterface-id11-28 Wattage11-29 Configuring Power Policing11-30 Adding a Description for an Interface11-31 Configuring Layer 3 InterfacesConfiguring Ethernet Management Ports Switch# show interfaces gigabitethernet1/0/2 description11-32 No switchportInterface gigabitethernet interface-id vlan vlan-id No shutdown11-33 Configuring the System MTU11-34 Use the system mtu jumbo Use the system mtu routingSystem mtu jumbo bytes System mtu routing bytesShow system mtu Configuring the Cisco Redundant Power SystemSystem mtu bytes Reload11-36 Power rps switch-number name string serialnumberPower rps switch-number port rps-port-id mode active StandbyShow env rps Configuring the Power SuppliesPower supply switch-numberoff on Show env power11-38 Monitoring and Maintaining the InterfacesMonitoring Interface Status 11-39 Clearing and Resetting Interfaces and Counters11-40 Shutting Down and Restarting the InterfaceInterface vlan vlan-id gigabitethernet interface-id Shutdown12-1 Configuring Smartports MacrosUnderstanding Smartports Macros 12-2 Configuring Smartports MacrosDefault Smartports Macro Configuration Macro Name Description12-3 Smartports Macro Configuration GuidelinesShow parser macro name macro-name Creating Smartports MacrosMacro name macro-name Name Sample-Macro and macro name sample-macro will result12-5 Applying Smartports Macros12-6 Applying Cisco-Default Smartports MacrosShow parser macro Show parser macro macro-name12-7 Switch# show parser macro cisco-desktopSwitchconfig-if#macro apply cisco-desktop $AVID 12-8 Displaying Smartports MacrosShow parser macro brief Show parser macro description interface13-1 Configuring VLANsUnderstanding VLANs 13-2 13-3 Supported VLANsVlan Port Membership Modes 13-4 Configuring Normal-Range VLANs13-5 Vlan ID13-6 Normal-Range Vlan Configuration GuidelinesToken Ring VLANs Vlan Configuration in Vlan Database Configuration Mode Vlan Configuration Mode OptionsSaving Vlan Configuration Vlan Configuration in config-vlan Mode13-8 Default Ethernet Vlan ConfigurationParameter Default Range VLANxxxx, where13-9 Copy running-config startup configCreating or Modifying an Ethernet Vlan Remote-span13-10 Deleting a VlanVlan database Show vlan brief Assigning Static-Access Ports to a VlanSwitchport access vlan vlan-id No vlan vlan-idVlan fields of the display Configuring Extended-Range VLANsDefault Vlan Configuration Show interfaces interface-id switchport13-13 Extended-Range Vlan Configuration Guidelines13-14 Vtp mode transparentCreating an Extended-Range Vlan Show vlan id vlan-idShow vlan internal usage Switchconfig# vtp mode transparentSwitch# copy running-config startup config Creating an Extended-Range Vlan with an Internal Vlan IDTrunking Overview Configuring Vlan TrunksCommand Command Mode Purpose Displaying VLANs13-17 Switches in an ISL Trunking Environment13-18 Mode FunctionEncapsulation Types Encapsulation Function13-19 Default Layer 2 Ethernet Interface Vlan ConfigurationConfiguring an Ethernet Interface as a Trunk Port Ieee 802.1Q Configuration Considerations13-20 Interaction with Other FeaturesConfiguring a Trunk Port Dot1q negotiate13-21 Defining the Allowed VLANs on a Trunk13-22 Switchport trunk allowed vlan addChanging the Pruning-Eligible List All except remove vlan-listVlan ,vlan Configuring the Native Vlan for Untagged TrafficSwitchport trunk pruning vlan add Except none remove vlan-list13-24 Configuring Trunk Ports for Load SharingLoad Sharing Using STP Port Priorities Switchport trunk native vlan vlan-id13-25 Exit Return to global configuration mode Load Sharing Using STP Path CostOr switch stack Connect to the trunk ports configured on Switch aSpanning-tree vlan 2-4 cost Switchport trunk encapsulationInterface gigabitethernet1/0/1 Isl dot1q negotiate13-28 Configuring VmpsUnderstanding Vmps 13-29 Default Vmps Client ConfigurationVmps Configuration Guidelines Dynamic-Access Port Vlan Membership13-30 Configuring the Vmps ClientEntering the IP Address of the Vmps Vmps reconfirm Configuring Dynamic-Access Ports on Vmps ClientsSwitchport access vlan dynamic Reconfirming Vlan Memberships13-32 Changing the Reconfirmation IntervalChanging the Retry Count Vmps reconfirm minutesMonitoring the Vmps Troubleshooting Dynamic-Access Port Vlan MembershipVmps Configuration Example Switch# show vmps13-34 Dynamic Port Vlan Membership Configuration14-1 Configuring VTPUnderstanding VTP 14-2 VTP Domain14-3 VTP Mode DescriptionVTP Modes VTP Advertisements14-4 VTP VersionVTP Pruning Vlan 14-514-6 Configuring VTPVTP and Switch Stacks 14-7 Default VTP ConfigurationVTP Configuration Options VTP Configuration in Global Configuration ModeDomain Names VTP Configuration GuidelinesVTP Configuration in Vlan Database Configuration Mode Passwords14-9 Configuring a VTP ServerConfiguration Requirements VTP VersionVtp server Vtp password passwordVtp password password Show vtp status14-11 Configuring a VTP ClientVtp mode client Switch# vlan database14-12 Disabling VTP VTP Transparent Mode14-13 Enabling VTP VersionVtp version 14-14 Adding a VTP Client Switch to a VTP DomainEnabling VTP Pruning Vtp pruning14-15 14-16 Monitoring VTP15-1 Configuring Voice VlanUnderstanding Voice Vlan 15-2 Cisco IP Phone Voice TrafficCisco IP Phone Data Traffic 15-3 Configuring Voice VlanDefault Voice Vlan Configuration Voice Vlan Configuration Guidelines15-4 Configuring a Port Connected to a Cisco 7960 IP Phone15-5 Configuring Cisco IP Phone Voice Traffic15-6 Configuring the Priority of Incoming Data Frames15-7 Displaying Voice Vlan15-8 16-1 Configuring Private VLANsUnderstanding Private VLANs Private-VLAN Domain 16-216-3 IP Addressing Scheme with Private VLANs16-4 Private VLANs across Multiple SwitchesPrivate-VLAN Interaction with Other Features 16-5 Private VLANs and Unicast, Broadcast, and Multicast TrafficPrivate VLANs and SVIs 16-6 Configuring Private VLANsTasks for Configuring Private VLANs Private VLANs and Switch Stacks16-7 Default Private-VLAN ConfigurationPrivate-VLAN Configuration Guidelines Secondary and Primary Vlan Configuration16-8 Private-VLAN Port Configuration16-9 Limitations with Other Features16-10 Configuring and Associating VLANs in a Private Vlan16-11 Show vlan private-vlan typeShow interfaces status Primaryvlanid secondaryvlanid Configuring a Layer 2 Interface as a Private-VLAN Host PortSwitchport private-vlan host-association Switch# show interfaces gigabitethernet1/0/22 switchport16-13 Switchport mode private-vlan promiscuousSwitchport private-vlan mapping primaryvlanid Add remove secondaryvlanlistShow interface private-vlan mapping Switch# show interfaces private-vlan mappingInterface vlan primaryvlanid Private-vlan mapping add remove16-15 Monitoring Private VLANs16-16 17-1 Configuring Ieee 802.1Q and Layer 2 Protocol TunnelingUnderstanding Ieee 802.1Q Tunneling 17-2 Ieee 802.1Q Tunnel Ports in a Service-Provider Network17-3 Native VLANs Configuring Ieee 802.1Q TunnelingDefault Ieee 802.1Q Tunneling Configuration Ieee 802.1Q Tunneling Configuration Guidelines17-5 System MTU17-6 Ieee 802.1Q Tunneling and Other FeaturesShow vlan dot1q tag native Configuring an Ieee 802.1Q Tunneling PortVlan dot1q tag native Show dot1q-tunnel17-8 Understanding Layer 2 Protocol TunnelingLayer 2 Protocol Tunneling 17-917-10 Configuring Layer 2 Protocol Tunneling17-11 Default Layer 2 Protocol Tunneling Configuration17-12 Layer 2 Protocol Tunneling Configuration Guidelines17-13 Configuring Layer 2 Protocol TunnelingPagp lacp udld Configuring Layer 2 Tunneling for EtherChannelsConfiguring the SP Edge Switch L2protocol-tunnel point-to-point17-15 17-16 Configuring the Customer Switch17-17 Switchconfig-if#channel-group 1 mode desirableSwitchconfig# interface port-channel 17-18 Monitoring and Maintaining Tunneling Status18-1 Configuring STPUnderstanding Spanning-Tree Features 18-2 STP Overview18-3 Spanning-Tree Topology and BPDUs18-4 Bridge ID, Switch Priority, and Extended System ID32768 16384 8192 4096 2048 1024 512 256 128 Switch Priority ValueSpanning-Tree Interface States Bit18-6 2illustrates how an interface moves through the statesForwarding State Blocking StateListening State Learning State18-8 How a Switch or Port Becomes the Root Switch or Root PortDisabled State 18-9 Spanning Tree and Redundant ConnectivitySpanning-Tree Address Management Accelerated Aging to Retain Connectivity18-10 Spanning-Tree Modes and ProtocolsSupported Spanning-Tree Instances Rapid PVST+ Spanning-Tree Interoperability and Backward CompatibilitySTP and Ieee 802.1Q Trunks VLAN-Bridge Spanning Tree18-12 Configuring Spanning-Tree FeaturesSpanning Tree and Switch Stacks 18-13 Default Spanning-Tree ConfigurationSpanning-Tree Configuration Guidelines 18-14 18-15 Changing the Spanning-Tree Mode18-16 Configuring the Root SwitchDisabling Spanning Tree Show spanning-tree vlan vlan-id Verify your entries18-17 Spanning-tree vlan vlan-id root primaryDiameter net-diameter hello-time seconds Show spanning-tree detailDiameter net-diameter hello-time Configuring a Secondary Root SwitchConfiguring Port Priority Spanning-tree vlan vlan-id root secondaryShow spanning-tree vlan vlan-id Spanning-tree port-priority prioritySpanning-tree vlan vlan-id port-priority priority Show spanning-tree interface interface-idSpanning-tree vlan vlan-id cost cost Configuring Path CostPort-channel-number Spanning-tree cost cost18-21 Configuring the Switch Priority of a VlanSpanning-tree vlan vlan-id priority priority 18-22 Configuring Spanning-Tree TimersConfiguring the Hello Time Spanning-tree vlan vlan-id hello-time secondsSpanning-tree vlan vlan-idmax-age seconds Configuring the Forwarding-Delay Time for a VlanConfiguring the Maximum-Aging Time for a Vlan Spanning-tree vlan vlan-id forward-time18-24 Configuring the Transmit Hold-CountDisplaying the Spanning-Tree Status Show spanning-tree detail Verify your entries19-1 Configuring Mstp19-2 Understanding MstpMultiple Spanning-Tree Regions 19-3 IST, CIST, and CSTOperations Within an MST Region 19-4 Operations Between MST Regions19-5 Hop CountIeee 802.1s Terminology Cisco Prestandard Cisco Standard19-6 Boundary PortsIeee 802.1s Implementation 19-7 Interoperation Between Legacy and Standard SwitchesPort Role Naming Change 19-8 Mstp and Switch StacksDetecting Unidirectional Link Failure 19-9 Understanding RstpInteroperability with Ieee 802.1D STP Port Roles and the Active Topology19-10 Rapid Convergence19-11 Synchronization of Port Roles19-12 Bridge Protocol Data Unit Format and ProcessingBit Function 19-13 Topology ChangesProcessing Superior Bpdu Information Processing Inferior Bpdu Information19-14 Configuring Mstp Features19-15 Default Mstp ConfigurationMstp Configuration Guidelines Name name Specifying the MST Region Configuration and Enabling MstpSpanning-tree mst configuration Instance instance-id vlan vlan-rangeExit Spanning-tree mode mstRevision version Show pending19-18 Spanning-tree mst instance-id root primary19-19 19-20 Spanning-tree mst instance-id port-priority priorityShow spanning-tree mst interface interface-id 19-21 Spanning-tree mst instance-id cost cost19-22 Configuring the Switch PriorityConfiguring the Hello Time Spanning-tree mst instance-id priority priorityShow spanning-tree mst Configuring the Forwarding-Delay TimeShow spanning-tree mst Verify your entries Spanning-tree mst forward-time secondsSpanning-tree mst max-age seconds Configuring the Maximum-Aging TimeConfiguring the Maximum-Hop Count Specifying the Link Type to Ensure Rapid Transitions19-25 Designating the Neighbor Type19-26 Displaying the MST Configuration and StatusRestarting the Protocol Migration Process 20-1 Configuring Optional Spanning-Tree FeaturesUnderstanding Optional Spanning-Tree Features 20-2 Understanding Port FastUnderstanding Bpdu Guard 20-3 Understanding Bpdu FilteringUnderstanding UplinkFast 20-4 Switches in a Hierarchical Network20-5 Understanding Cross-Stack UplinkFast20-6 How Csuf Works20-7 Understanding BackboneFastEvents that Cause Fast Convergence BackboneFast Example Before Indirect Link Failure 20-820-9 Adding a Switch in a Shared-Medium Topology20-10 Understanding EtherChannel GuardUnderstanding Root Guard 20-11 Understanding Loop Guard20-12 Default Optional Spanning-Tree ConfigurationOptional Spanning-Tree Configuration Guidelines Enabling Port FastPortfast Spanning-tree portfast trunk interface configurationEnabling Bpdu Guard Spanning-tree portfast trunk20-14 Spanning-tree portfast Enable the Port Fast featureEnabling Bpdu Filtering 20-15 Enabling UplinkFast for Use with Redundant LinksEnabling BackboneFast Spanning-tree uplinkfast max-update-rateUplinkfast command Enabling Cross-Stack UplinkFast20-17 Spanning-tree backbonefast Enable BackboneFastEnabling EtherChannel Guard Show spanning-tree summary Verify your entries20-18 Enabling Root GuardEnabling Loop Guard 20-19 20-20 21-1 Flex Links21-2 Switchport backup interface preemption delay commandsVlan Flex Link Load Balancing and Support 21-3 MAC Address-Table Move Update21-4 MAC Address-Table Move Update Example21-5 Configuration GuidelinesDefault Configuration Switch# show interface switchport backup Configuring Flex LinksSwitchport backup interface interface-id Show interface interface-id switchport backup21-7 Switchport backup interface interface-id preemptionMode forced bandwidth off Delay delay-timeSwitch#show interfaces switchport backup Configuring Vlan Load Balancing on Flex LinksSwitchport backup interface interface-id prefer vlan Show interfaces interface-id switchport backup21-9 Configuring the MAC Address-Table Move Update FeatureSwitchport backup interface interface-idmmu Primary vlan vlan-id21-10 End Return to global configuration modeSwitchconf# mac address-table move update transmit Switch# show mac-address-table move update21-11 Monitoring Flex Links and the MAC Address-Table Move Update21-12 22-1 Configuring Dhcp Features and IP Source GuardUnderstanding Dhcp Features 22-2 Dhcp ServerDhcp Relay Agent Dhcp Snooping22-3 Option-82 Data InsertionDhcp Relay Agent in a Metropolitan Ethernet Network 22-422-5 Remote ID Suboption Frame Format22-6 Cisco IOS Dhcp Server DatabaseDhcp Snooping Binding Database Release22-7 22-8 Configuring Dhcp FeaturesDhcp Snooping and Switch Stacks Default Dhcp Configuration22-9 Dhcp Snooping Configuration Guidelines22-10 Configuring the Dhcp ServerDhcp Server and Switch Stacks 22-11 Configuring the Dhcp Relay AgentSpecifying the Packet Forwarding Address Ip helper-address addressInterface range port-range Switchport mode accessSwitchport access vlan vlan-id Enabling Dhcp Snooping and Option22-13 Ip dhcp snooping database Enabling Dhcp Snooping on Private VLANsEnabling the Cisco IOS Dhcp Server Database Enabling the Dhcp Snooping Binding Database Agent22-15 Displaying Dhcp Snooping Information22-16 Understanding IP Source GuardSource IP Address Filtering Source IP and MAC Address Filtering Configuring IP Source GuardDefault IP Source Guard Configuration IP Source Guard Configuration Guidelines22-18 Enabling IP Source Guard22-19 Displaying IP Source Guard Information22-20 23-1 Configuring Dynamic ARP InspectionUnderstanding Dynamic ARP Inspection ARP Cache Poisoning 23-223-3 Interface Trust States and Network Security23-4 Rate Limiting of ARP PacketsRelative Priority of ARP ACLs and Dhcp Snooping Entries 23-5 Configuring Dynamic ARP InspectionDefault Dynamic ARP Inspection Configuration Logging of Dropped Packets23-6 Dynamic ARP Inspection Configuration Guidelines23-7 Configuring Dynamic ARP Inspection in Dhcp EnvironmentsShow cdp neighbors Ip arp inspection vlan vlan-range23-8 Configuring ARP ACLs for Non-DHCP Environments23-9 Specified with the ip arp inspection vlan logging Show arp access-list acl-nameLimiting the Rate of Incoming ARP Packets No ip arp inspection trust23-11 Performing Validation ChecksShow ip arp inspection vlan Configuring the Log BufferIp arp inspection validate Src-mac dst-mac ip23-13 Ip arp inspection log-buffer entriesNumber logs number interval 23-14 Displaying Dynamic ARP Inspection InformationShow ip arp inspection log Clear ip arp inspection statisticsShow ip arp inspection statistics vlan Clear ip arp inspection log23-16 24-1 Configuring Igmp Snooping and MVR24-2 Understanding Igmp Snooping24-3 Igmp VersionsJoining a Multicast Group 24-4 224.1.2.324-5 Leaving a Multicast Group24-6 Igmp Configurable-Leave TimerImmediate Leave Igmp Report SuppressionPIM-DVMRP Configuring Igmp SnoopingIgmp Snooping and Switch Stacks Default Igmp Snooping Configuration24-8 Enabling or Disabling Igmp SnoopingIp igmp snooping vlan vlan-id Show ip igmp snooping Setting the Snooping MethodIp igmp snooping vlan vlan-id mrouter Learn cgmp pim-dvmrp24-10 Configuring a Multicast Router PortShow ip igmp snooping mrouter vlan vlan-id Show ip igmp snooping groups Configuring a Host Statically to Join a GroupEnabling Igmp Immediate Leave Ip igmp snooping vlan vlan-id static ipaddress24-12 Configuring the Igmp Leave TimerCount Configuring TCN-Related CommandsRecovering from Flood Mode Controlling the Multicast Flooding Time After a TCN Event24-14 Disabling Multicast Flooding During a TCN EventNo ip igmp snooping tcn flood 24-15 Configuring the Igmp Snooping Querier24-16 Disabling Igmp Report SuppressionNo ip igmp snooping report-suppression 24-17 Displaying Igmp Snooping Information24-18 Understanding Multicast Vlan Registration24-19 Using MVR in a Multicast Television Application24-20 Configuring MVRDefault MVR Configuration MVR24-21 MVR Configuration Guidelines and LimitationsConfiguring MVR Global Parameters Mvr Enable MVR on the switch24-22 Configuring MVR InterfacesShow mvr interface Show mvr members Mvr type source receiverMvr immediate Show mvr24-24 Configuring Igmp Filtering and ThrottlingDisplaying MVR Information 24-25 Default Igmp Filtering and Throttling ConfigurationConfiguring Igmp Profiles Show ip igmp profile profile number Ip igmp profile profile numberPermit deny Range ip multicast addressIp igmp filter profile number Setting the Maximum Number of Igmp GroupsSwitch# show ip igmp profile Applying Igmp ProfilesInterface-id Configuring the Igmp Throttling ActionShow running-config interface Verify the configuration EtherChannel group or a EtherChannel interfaceShow ip igmp profile profile Displaying Igmp Filtering and Throttling ConfigurationIp igmp max-groups action deny Replace24-30 25-1 Configuring IPv6 MLD SnoopingUnderstanding MLD Snooping 25-2 25-3 MLD MessagesMLD Queries Multicast Client Aging Robustness25-4 Multicast Router DiscoveryMLD Reports MLD Done Messages and Immediate-Leave25-5 Configuring IPv6 MLD SnoopingMLD Snooping in Switch Stacks Topology Change Notification Processing25-6 Default MLD Snooping ConfigurationMLD Snooping Configuration Guidelines 25-7 Enabling or Disabling MLD SnoopingIpv6 mld snooping Ipv6 mld snooping vlan vlan-idShow ipv6 mld snooping multicast-address vlan Configuring a Static Multicast GroupIpv6 mld snooping vlan vlan-id static Show ipv6 mld snooping multicast-address user25-9 Enabling MLD Immediate LeaveIpv6 mld snooping vlan vlan-id mrouter Show ipv6 mld snooping mrouter vlan vlan-id25-10 Configuring MLD Snooping Queries25-11 Displaying MLD Snooping InformationDisabling MLD Listener Message Suppression 25-12 Show ipv6 mld snooping querier vlan vlan-idVlan-id count dynamic user Vlan-id ipv6-multicast-address26-1 Configuring Port-Based Traffic ControlConfiguring Storm Control Understanding Storm ControlBroadcast Storm Control Example 26-226-3 Default Storm Control ConfigurationConfiguring Storm Control and Threshold Levels Storm-control action shutdown trap Storm-control broadcast multicastUnicast level level level-low bps bps Bps-low pps pps pps-lowMulticast unicast Configuring Protected PortsDefault Protected Port Configuration Show storm-control interface-id broadcast26-6 Configuring Port BlockingProtected Port Configuration Guidelines Configuring a Protected Port26-7 Configuring Port SecurityDefault Port Blocking Configuration Blocking Flooded Traffic on an Interface26-8 Understanding Port SecuritySecure MAC Addresses 26-9 Security Violations26-10 Default Port Security ConfigurationPort Security Configuration Guidelines Forwarded1 Trap Message Message2 Increments26-11 26-12 Enabling and Configuring Port Security26-13 Switchport port-security violationProtect restrict shutdown Shutdown vlan26-14 Switchconfig-if#switchport port-security violation restrict Switchconfig-if#switchport port-securitySwitchconfig-if#switchport port-security maximum Switchconfig-if#switchport port-security mac-address sticky26-16 Enabling and Configuring Port Security Aging26-17 Port Security and Switch StacksSwitchconfig# interface GigabitEthernet 1/0/8 Port Security and Private VLANs26-18 Displaying Port-Based Traffic Control SettingsShow port-security interface interface-idaddress Show port-security interface interface-idvlan27-1 Configuring CDPUnderstanding CDP Configuring the CDP Characteristics Configuring CDPCDP and Switch Stacks Default CDP ConfigurationShow cdp Disabling and Enabling CDPCdp holdtime seconds Cdp advertise-v227-4 No cdp enable Disable CDP on the interfaceCdp enable Enable CDP on the interface after disabling it Disabling and Enabling CDP on an Interface27-5 Monitoring and Maintaining CDP27-6 28-1 Configuring Lldp and LLDP-MEDUnderstanding Lldp and LLDP-MED Understanding Lldp28-2 Understanding LLDP-MED28-3 Configuring Lldp and LLDP-MEDDefault Lldp Configuration Configuring Lldp Characteristics28-4 Disabling and Enabling Lldp Globally28-5 Disabling and Enabling Lldp on an InterfaceLldp med-tlv-select tlv Specify the TLV to enable Configuring LLDP-MED TLVsTLV, and enter interface configuration mode No lldp med-tlv-select tlv Specify the TLV to disable28-7 Monitoring and Maintaining Lldp and LLDP-MED28-8 29-1 Configuring UdldUnderstanding Udld Modes of Operation29-2 Methods to Detect Unidirectional Links29-3 Configuring Udld29-4 Default Udld ConfigurationShow udld Udld aggressive enable message timeMessage-timer-interval Enabling Udld GloballyUdld port aggressive Resetting an Interface Disabled by UdldUdld reset Show udld Enabling Udld on an Interface29-7 Displaying Udld Status29-8 30-1 Configuring Span and RspanUnderstanding Span and Rspan 30-2 Local Span30-3 Remote Span30-4 Span and Rspan Concepts and TerminologySpan Sessions 30-5 Monitored Traffic30-6 Source Ports30-7 Source VLANsVlan Filtering 30-8 Destination Port30-9 Span and Rspan Interaction with Other FeaturesRspan Vlan 30-10 Configuring Span and RspanSpan and Rspan and Switch Stacks 30-11 Default Span and Rspan ConfigurationConfiguring Local Span Span Configuration Guidelines30-12 Creating a Local Span SessionShow monitor session sessionnumber Monitor session sessionnumberDestination interface interface-id Encapsulation replicate30-14 30-15 Specifying VLANs to FilterMonitor session sessionnumber filter vlan 30-16 Configuring RspanRspan Configuration Guidelines Be a Vlan30-17 Configuring a Vlan as an Rspan Vlan30-18 Creating an Rspan Source SessionInterfaces port-channelport-channel-number. Valid Destination remote vlan vlan-id30-19 Creating an Rspan Destination SessionRemote vlan vlan-id 30-20 30-21 Ingress dot1q vlan vlan-id isl untaggedUntagged vlan vlan-id or vlan vlan-id- Forward incoming 30-22 Show monitor session sessionnumber30-23 Displaying Span and Rspan Status30-24 31-1 Configuring RmonUnderstanding Rmon 31-2 Configuring Rmon31-3 Default Rmon ConfigurationConfiguring Rmon Alarms and Events 31-4 Rmon event number description string log owner stringAdd an event in the Rmon event table that is Show rmon history Collecting Group History Statistics on an InterfaceCollecting Group Ethernet Statistics on an Interface Rmon collection history index31-6 Displaying Rmon StatusRmon collection stats index owner ownername Show rmon statistics32-1 Configuring System Message LoggingUnderstanding System Message Logging 32-2 Configuring System Message LoggingSystem Log Message Format 32-3 Hhmmss short uptimeText string that uniquely describes the message Disabling Message Logging Default System Message Logging ConfigurationNo logging console Disable message logging Show running-config Verify your entries Show logging32-5 Setting the Message Display Destination DeviceLogging buffered size Logging hostSession to see the debugging messages Synchronizing Log MessagesLogging file flash filename Terminal monitorAll limit number-of-buffers Line console vty line-numberLine vty Logging synchronous level severity-level32-8 Enabling and Disabling Time Stamps on Log MessagesEnabling and Disabling Sequence Numbers in Log Messages Logging trap level Defining the Message Severity LevelLogging console level Logging monitor level32-10 Level Description Syslog Definition32-11 Enabling the Configuration-Change LoggerLogging history level Logging history size number32-12 Configuring Unix Syslog ServersLogging Messages to a Unix Syslog Daemon 32-13 Configuring the Unix System Logging FacilityLogging facility facility-type Facility-type keywords32-14 Displaying the Logging ConfigurationFacility Type Keyword Description 33-1 Configuring SnmpUnderstanding Snmp 33-2 Snmp VersionsOperation Description Model Level Authentication Encryption ResultSnmp Manager Functions DES33-4 Using Snmp to Access MIB VariablesSnmp Agent Functions 33-5 Snmp NotificationsSVI Configuring SnmpSnmp ifIndex MIB Object Values IfIndex Range33-7 Default Snmp ConfigurationSnmp Configuration Guidelines 33-8 Configuring Community StringsNo snmp-server Disable the Snmp agent operation Disabling the Snmp AgentPermit source source-wildcard View-name ro rw access-list-numberAccess-list access-list-number deny Snmp-server community string view33-10 Configuring Snmp Groups and UsersSnmp-server engineID local engineid-string Snmp-server engineID local33-11 Write writeview notify notifyview accessSnmp-server group groupname v1 v2c Auth noauth priv read readviewNotification Type Keyword Description Configuring Snmp NotificationsRemote host udp-port port v1 access Encrypted access access-list auth md533-13 33-14 Notification-types Setting the Agent Contact and Location Information33-12 , or enter snmp-server enable traps ? Enable traps command for each trap typeSnmp-server tftp-server-list Switchconfig# snmp-server community publicLimiting Tftp Servers Used Through Snmp Snmp Examples33-17 Displaying Snmp Status33-18 34-1 Configuring Network Security with ACLsUnderstanding ACLs 34-2 Supported ACLs34-3 Port ACLs34-4 Router ACLs34-5 Handling Fragmented and Unfragmented TrafficVlan Maps 34-6 ACLs and Switch Stacks34-7 Configuring IPv4 ACLs34-8 Access List NumbersAccess List Number Type Supported Creating Standard and Extended IPv4 ACLs34-9 ACL LoggingSource source-wildcard log Access-list access-list-number deny permitShow access-lists number name Creating a Numbered Standard ACL34-11 Creating a Numbered Extended ACL34-12 34-13 34-14 34-15 Resequencing ACEs in an ACLCreating Named Standard and Extended ACLs Tos tos established log time-range Ip access-list standard nameIp access-list extended name Any log34-17 Using Time Ranges with ACLs34-18 Absolute start time datePeriodic weekdays weekend daily Show time-range34-19 Switch# show ip access-listsApplying an IPv4 ACL to a Terminal Line Including Comments in ACLs34-20 Access-class access-list-numberApplying an IPv4 ACL to an Interface Out34-21 Ip access-group access-list-number34-22 IPv4 ACL Configuration ExamplesHardware and Software Treatment of IP ACLs 34-23 Switchconfig# access-list 6 permit 172.20.128.64Switchconfig# access-list 106 permit ip any 172.20.128.64 34-24 Numbered ACLsExtended ACLs 34-25 Named ACLsTime Range Applied to an IP ACL Commented IP ACL Entries34-26 Switch# show loggingSwitchconfig-if#ip access-group ext1 34-27 Creating Named MAC Extended ACLs34-28 Applying a MAC ACL to a Layer 2 InterfaceACL Configuring Vlan MapsMac access-group name Show mac access-group interface interface-id34-30 Vlan Map Configuration GuidelinesMatch ip mac address name Vlan access-map name numberCreating a Vlan Map Action drop forward34-32 Examples of ACLs and Vlan Maps34-33 Vlan filter mapname vlan-list list Using Vlan Maps in Your NetworkWiring Closet Configuration Applying a Vlan Map to a VlanSwitchconfig# vlan filter map2 vlan Denying Access to a Server on Anothera VlanSwitchconfig# vlan access-map map2 Switchconfig# ip access-list extended matchall34-36 Using Vlan Maps with Router ACLs34-37 Vlan Maps and Router ACL Configuration Guidelines34-38 ACLs and Switched PacketsExamples of Router ACLs and Vlan Maps Applied to VLANs ACLs and Bridged Packets34-39 ACLs and Routed Packets34-40 Displaying IPv4 ACL ConfigurationShow ip access-lists number name ACLs and Multicast Packets34-41 Show running-config interface interface-idShow mac access-group interface interface-id Show ip interface interface-id34-42 35-1 Configuring IPv6 ACLs35-2 Understanding IPv6 ACLs35-3 Supported ACL FeaturesIPv6 ACLs and Switch Stacks IPv6 ACL Limitations35-4 Configuring IPv6 ACLsDefault IPv6 ACL Configuration Interaction with Other Features and Switches35-5 Ipv6 access-list access-list-nameCreating IPv6 ACLs 35-6 Dscp value fragments logLog-input routing sequence Value time-range name35-7 35-8 Ipv6 traffic-filter access-list-nameApplying an IPv6 ACL to an Interface Ipv6 address ipv6-address35-9 Show access-listsShow ipv6 access-list access-list-name Displaying IPv6 ACLs35-10 36-1 Configuring QoS36-2 Understanding QoS36-3 Basic QoS ModelBasic QoS Model 36-436-5 ClassificationCheck if packet came with CoS label tag Yes 36-636-7 Classification Based on QoS ACLsClassification Based on Class Maps and Policy Maps 36-8 Policing and Marking36-9 Policing on Physical Ports36-10 Policing on SVIs36-11 Policing and Marking Flowchart on SVIs36-12 Mapping Tables36-13 Queueing and Scheduling Overview36-14 Weighted Tail DropSRR Shaping and Sharing 36-15 Queueing and Scheduling on Ingress Queues36-16 Queue Type Function36-17 WTD Thresholds36-18 Queueing and Scheduling on Egress Queues36-19 36-20 Buffer and Memory Allocation36-21 Packet Modification36-22 Configuring Auto-QoS36-23 Generated Auto-QoS Configuration36-24 Description Automatically Generated Command36-25 Or shared on the egress queues mapped to the port Switch automatically configures the egress queue bufferSizes. It configures the bandwidth and the SRR mode shaped If you entered the auto qos voip trust command, the switch36-27 Effects of Auto-QoS on the ConfigurationAuto-QoS Configuration Guidelines Show auto qos interface interface-id Enabling Auto-QoS for VoIPAuto qos voip cisco-phone Cisco-softphone trust36-29 36-30 Auto-QoS Configuration ExampleShow auto qos Cdp enableDebug auto qos Auto qos voip trust36-32 Configuring Standard QoSDisplaying Auto-QoS Information 36-33 Default Standard QoS ConfigurationDefault Ingress Queue Configuration 36-34 Default Egress Queue ConfigurationDscp Value Queue ID -Threshold ID Applying QoS on Interfaces Standard QoS Configuration GuidelinesDefault Mapping Table Configuration QoS ACL Guidelines36-36 Policing GuidelinesGeneral QoS Guidelines 36-37 Enabling QoS GloballyEnabling VLAN-Based QoS on Physical Ports 36-38 Configuring Classification Using Port Trust StatesConfiguring the Trust State on Ports within the QoS Domain 15 Port Trusted States within the QoS Domain 36-3936-40 Configuring the CoS Value for an InterfaceMls qos trust cos dscp ip-precedence Show mls qos interface36-41 Configuring a Trusted Boundary to Ensure Port SecurityMls qos cos default-cos override 36-42 Enabling Dscp Transparency ModeMls qos trust dscp Mls qos trust device cisco-phone36-43 No mls qos rewrite ip dscp36-44 Mls qos map dscp-mutationMls qos dscp-mutation Show mls qos maps dscp-mutation36-45 Configuring a QoS PolicySwitchconfig-if#mls qos dscp-mutation gi1/0/2-mutation 36-46 Classifying Traffic by Using ACLsSource-wildcard Switchconfig# access-list 100 permit ip any any dscpSwitchconfig# access-list 102 permit pim any 224.0.0.2 dscp Permit protocol source source-wildcard36-48 Mac access-list extended nameMatch-any keywords Classifying Traffic by Using Class MapsClass-map match-all match-any Is match-allShow class-map Match access-group acl-index-or-nameIp dscp dscp-list ip precedence Ip-precedence-list36-51 36-52 Policy-map policy-map-nameClass class-map-name 36-53 36-54 Service-policy input policy-map-nameShow policy-map policy-map-nameclass 36-55 Switchconfig# policy-map macpolicy1Switchconfig-pmap#class macclass2 maclist2 Switchconfig-if#service-policy input macpolicy136-56 Traffic by Using Class Maps section on36-57 36-58 Police rate-bps burst-byte exceed-actionDrop policed-dscp-transmit Exceed-action policed-dscp-transmit keywords to mark down36-59 Service-policy policy-map-nameShow mls qos vlan-based Service-policy input policy-map-nameShow policy-map policy-map-nameclass Policed-dscp-transmit Mls qos aggregate-policerAggregate-policer-name rate-bps burst-byte Exceed-action dropAggregate-policer-name Only one policy map per ingress port is supportedShow mls qos aggregate-policer CoS Value Dscp Value Configuring Dscp MapsConfiguring the CoS-to-DSCP Map Switchconfig-pmap-c#police aggregate transmit136-64 Configuring the IP-Precedence-to-DSCP MapMls qos map cos-dscp dscp1...dscp8 IP Precedence Value Dscp Value36-65 Configuring the Policed-DSCP MapShow Configuring the DSCP-to-CoS MapDscp Value CoS Value 36-6636-67 Configuring the DSCP-to-DSCP-Mutation MapMls qos map dscp-cos dscp-list to cos Show mls qos maps dscp-to-cos36-68 Switchconfig-if#mls qos dscp-mutation mutation1Switch# show mls qos maps dscp-mutation mutation1 36-69 Configuring Ingress Queue CharacteristicsShow mls qos maps Mls qos srr-queue input dscp-mapMls qos srr-queue input cos-map Mls qos srr-queue input thresholdShow mls qos interface buffer Allocating Buffer Space Between the Ingress QueuesAllocating Bandwidth Between the Ingress Queues Mls qos srr-queue input buffersShow mls qos interface queueing Configuring the Ingress Priority QueueWeight1 weight2 Mls qos srr-queue input bandwidthPriority-queue queue-id bandwidth Configuring Egress Queue CharacteristicsWeight Mls qos srr-queue input36-74 36-75 Mls qos queue-set output qset-idQueue-set qset-id 36-76 36-77 Mls qos srr-queue output dscp-mapMls qos srr-queue output cos-map Queueing Configuring SRR Shaped Weights on Egress QueuesSrr-queue bandwidth shape weight1 Weight2 weight3 weight436-79 Configuring SRR Shared Weights on Egress QueuesConfiguring the Egress Expedite Queue Srr-queue bandwidth share weight136-80 Mls qos Enable QoS on a switchSrr-queue bandwidth limit weight1 Limiting the Bandwidth on an Egress Interface36-81 Displaying Standard QoS Information36-82 Show running-config include rewrite37-1 Configuring EtherChannels and Link-State TrackingUnderstanding EtherChannels 37-2 EtherChannel Overview37-3 Single-Switch EtherChannel37-4 Port-Channel Interfaces37-5 Port Aggregation ProtocolAuto PAgP Interaction with Other FeaturesMode Description PAgP Modes37-7 Lacp Interaction with Other FeaturesLink Aggregation Control Protocol Lacp Modes37-8 EtherChannel On ModeLoad-Balancing and Forwarding Methods 37-9 37-10 EtherChannel and Switch Stacks37-11 Configuring EtherChannelsDefault EtherChannel Configuration 37-12 EtherChannel Configuration Guidelines37-13 Configuring Layer 2 EtherChannels37-14 Auto non-silent desirable non-silent onActive passive 37-15 Configuring Layer 3 EtherChannelsSwitchconfig-if-range#channel-group 5 mode active Creating Port-Channel Logical InterfacesNo ip address Configuring the Physical InterfacesInterface port-channel port-channel-number Show etherchannel channel-group-number detail37-17 Partner that is PAgP capable, configure the switch port forFor channel-group-number, the range is 1 to 48. This number Must be the same as the port-channel-number logical port37-18 Configuring EtherChannel Load-BalancingPort-channel load-balance dst-ip dst-mac Src-dst-ip src-dst-mac src-ip src-mac37-19 Configuring the PAgP Learn Method and PriorityShow etherchannel load-balance Verify your entries Show pagp channel-group-number internal Configuring Lacp Hot-Standby PortsPagp learn-method physical-port Pagp port-priority priority37-21 Configuring the Lacp System PriorityShow running-config Verify your entries Show lacp sys-id Internal Configuring the Lacp Port PriorityLacp port-priority priority Show lacp channel-group-number37-23 Displaying EtherChannel, PAgP, and Lacp StatusUnderstanding Link-State Tracking 37-24 37-25 Configuring Link-State Tracking37-26 Default Link-State Tracking ConfigurationLink-State Tracking Configuration Guidelines Configuring Link-State Tracking37-27 Switch show link state groupSwitch show link state group detail Displaying Link-State Tracking Status37-28 38-1 Configuring IP Unicast Routing38-2 Understanding IP RoutingTypes of Routing 38-3 IP Routing and Switch Stacks38-4 38-5 Steps for Configuring RoutingConfiguring IP Addressing 38-6 Default Addressing ConfigurationARP Irdp38-7 Show running-config Verify your entryAssigning IP Addresses to Network Interfaces Use of Subnet Zero38-8 Classless Routing38-9 Configuring Address Resolution MethodsNo ip classless Disable classless routing behavior 38-10 Define a Static ARP CacheArp ip-address hardware-address type 38-11 Set ARP EncapsulationProxy ARP Routing Assistance When IP Routing is DisabledEnable Proxy ARP Default Gateway38-13 Icmp Router Discovery Protocol Irdp38-14 Configuring Broadcast Packet Handling38-15 Ip directed-broadcast access-list-numberIp forward-protocol udp port nd sdns 38-16 Forwarding UDP Broadcast Packets and Protocols38-17 Establishing an IP Broadcast AddressFlooding IP Broadcasts Ip broadcast-address ip-addressClear ip route network mask Monitoring and Maintaining IP AddressingClear arp-cache Clear host name38-19 Enabling IP Unicast Routing38-20 Configuring RIPNetwork network number Default RIP ConfigurationConfiguring Basic RIP Parameters Router rip38-22 Ip rip authentication mode text md5 Configuring RIP AuthenticationConfiguring Summary Addresses and Split Horizon Ip rip authentication key-chain name-of-chainNo ip split horizon Configuring Split HorizonSwitchconfig-router#neighbor 2.2.2.2 peer-group mygroup Ip summary-address rip ip address ip-network mask38-25 Configuring OspfNo ip split-horizon 38-26 Default Ospf Configuration38-27 Ospf Nonstop Forwarding38-28 Ospf NSF Awareness38-29 Configuring Basic Ospf ParametersConfiguring Ospf Interfaces 38-30 38-31 Configuring Ospf Area Parameters38-32 Configuring Other Ospf Parameters38-33 38-34 Configuring a Loopback InterfaceChanging LSA Group Pacing Ip address address mask38-35 Configuring EigrpMonitoring Ospf 38-36 38-37 Default Eigrp Configuration38-38 Eigrp Nonstop ForwardingEigrp log-neighbor-changes Configuring Basic Eigrp ParametersRouter eigrp autonomous-system Network network-number38-40 Configuring Eigrp InterfacesNo auto-summary Ip summary-address eigrpShow ip eigrp interface Configuring Eigrp Route AuthenticationIp hello-interval eigrp autonomous-system-number No ip split-horizon eigrp autonomous-system-number38-42 Eigrp Stub Routing38-43 Configuring BGPMonitoring and Maintaining Eigrp EBGP, IBGP, and Multiple Autonomous Systems 38-4438-45 Default BGP Configuration38-46 38-47 Nonstop Forwarding AwarenessRoute-map route-map-name Enabling BGP RoutingRouter bgp autonomous-system Network network-number mask network-mask38-49 38-50 Switchconfig-router#neighbor 192.208.10.2 remote-asSwitch# show ip bgp neighbors Managing Routing Policy ChangesShow ip bgp Type of Reset Advantages DisadvantagesShow ip bgp neighbors Clear ip bgp * address38-52 Configuring BGP Decision Attributes38-53 38-54 Configuring BGP Filtering with Route MapsConfiguring BGP Filtering by Neighbor Show ip bgp neighbors paths Ip as-path access-list access-list-numberOut weight weight Route-map map-tag in out38-56 Configuring Prefix Lists for BGP FilteringSend-community Configuring BGP Community FilteringIp community-listcommunity-list-number Permit deny community-numberShow ip bgp community Configuring BGP Neighbors and Peer GroupsSet comm-list list-num delete Ip bgp-community new-format38-59 38-60 Configuring Aggregate Addresses38-61 Configuring Routing Domain ConfederationsConfiguring BGP Route Reflectors No bgp client-to-client reflection Configuring Route DampeningRoute-reflector-client Bgp cluster-id cluster-id38-63 Monitoring and Maintaining BGP38-64 Configuring Multi-VRF CE38-65 Understanding Multi-VRF CE38-66 38-67 Default Multi-VRF CE ConfigurationMulti-VRF CE Configuration Guidelines VRFIp vrf forwarding vrf-name Configuring VRFsRoute-target export import both Import map route-mapRedistribute bgp Configuring a VPN Routing SessionShow ip vrf brief detail interfaces Log-adjacency-changes38-70 Configuring BGP PE to CE Routing SessionsMulti-VRF CE Configuration Example VPN2 CE1 38-7138-72 Configuring Switch a38-73 Switchconfig-router-af#network 8.8.2.0 maskSwitchconfig-router-af#network 8.8.1.0 mask Switchconfig-if#ip address 208.0.0.2038-74 Router# configure terminal38-75 Configuring Unicast Reverse Path ForwardingDisplaying Multi-VRF CE Status 38-76 Configuring Protocol-Independent FeaturesConfiguring Distributed Cisco Express Forwarding 38-77 Configuring the Number of Equal-Cost Routing PathsShow ip route Configuring Static Unicast RoutesRouter bgp rip ospf eigrp Maximum-paths maximum38-79 Specifying Default Routes and NetworksRoute Source Default Distance Ip default-network network number Specify a default network38-80 Using Route Maps to Redistribute Routing Information38-81 38-82 38-83 Configuring Policy-Based Routing38-84 PBR Configuration Guidelines38-85 Enabling PBR38-86 Ip policy route-map map-tagIp route-cache policy Ip local policy route-map map-tag38-87 Setting Passive InterfacesFiltering Routing Information 38-88 Controlling Advertising and Processing in Routing UpdatesFiltering Sources of Routing Information Router bgp rip eigrp38-89 Managing Authentication KeysDistance weight ip-address ip-address mask Ip access list38-90 Monitoring and Maintaining the IP Network38-91 38-92 39-1 Configuring IPv6 Unicast RoutingUnderstanding IPv6 39-2 IPv6 Addresses39-3 Supported IPv6 Unicast Routing FeaturesBit Wide Unicast Addresses Neighbor Discovery DNS for IPv6Path MTU Discovery for IPv6 Unicast ICMPv639-5 IPv6 Applications39-6 Unsupported IPv6 Unicast Routing FeaturesDual IPv4 and IPv6 Protocol Stacks 39-7 IPv6 and Switch StacksLimitations 39-8 39-9 SDM TemplatesDual IPv4-and IPv6 SDM Templates 39-10 Configuring IPv639-11 Default IPv6 ConfigurationConfiguring IPv6 Addressing and Enabling IPv6 Routing 39-12 39-13 Configuring IPv4 and IPv6 Protocol StacksIp routing Enable routing on the switch Switchconfig-if#ipv6 address 20010DB8c181/64 eui39-14 Show ipv6 interface interface-id Configuring IPv6 Icmp Rate LimitingConfiguring CEF and dCEF for IPv6 Ipv6 icmp error-interval interval bucketsize39-16 Configuring Static Routing for IPv639-17 Administrative distanceIpv6 route ipv6-prefix/prefix length Ipv6-address interface-id ipv6-addressInterface-id recursive detail Configuring RIP for IPv6Show ipv6 route static updated Show ipv6 static ipv6-address39-19 39-20 Configuring Ospf for IPv639-21 39-22 Switch# show ipv6 interfaceDisplaying IPv6 39-23 Switch# show ipv6 cef /0Switch# show ipv6 protocols Switch# show ipv6 ripSwitch# show ipv6 traffic Switch# show ipv6 neighborsSwitch# show ipv6 static Switch# show ipv6 route39-25 39-26 40-1 Configuring Hsrp and Enhanced Object TrackingUnderstanding Hsrp 40-2 40-3 Multiple Hsrp40-4 Configuring HsrpHsrp and Switch Stacks 40-5 Default Hsrp ConfigurationHsrp Configuration Guidelines Enabling HsrpShow standby interface-id group Switch# show standbyStandby group-number ip ip-address Secondary40-7 Configuring Hsrp Priority40-8 Priority preempt delay delayStandby group-number priority Standby group-number track40-9 Configuring MhsrpConfiguring Hsrp Authentication and Timers Switchconfig-if#standby 2 ipHoldtime Standby group-number authentication stringStandby group-number timers hellotime Switchconfig-if#standby 1 authentication wordShow standby interface-idgroup brief detail Displaying Hsrp ConfigurationsConfiguring Hsrp Groups and Clustering Enabling Hsrp Support for Icmp Redirect Messages40-12 Configuring Enhanced Object TrackingUnderstanding Enhanced Object Tracking 40-13 Configuring Enhanced Object Tracking FeaturesTracking Interface Line-Protocol or IP Routing State Track object-number interfaceObject object-number not Configuring a Tracked ListSwitch# show track 33 Track Track track-numberlist boolean40-15 WeightThreshold weight up number Track track-numberlist thresholdThreshold percentage up number Track track-number list thresholdPercentage Object object-number40-17 Configuring Hsrp Object Tracking40-18 Configuring Other Tracking CharacteristicsShow standby 41-1 Configuring Web Cache Services By UsingUnderstanding Wccp 41-2 Wccp Message Exchange41-3 Packet Redirection and Service GroupsWccp Negotiation MD5 Security41-4 Wccp and Switch StacksWccp Configuration Guidelines Configuring WccpUnsupported Wccp Features Default Wccp Configuration41-6 Enabling the Web Cache Service41-7 41-8 41-9 Switchconfig# interface range gigabitethernet1/0/3Switchconfig-if-range#switchport access vlan Monitoring and Maintaining Wccp41-10 Enabled / disabled42-1 Configuring IP Multicast RoutingIP Multicast Routing Protocols 42-242-3 Understanding IgmpIgmp Version 42-4 Understanding PIMPIM Versions PIM Modes42-5 PIM Stub Routing42-6 Auto-RP42-7 Bootstrap RouterMulticast Forwarding and Reverse Path Check 42-8 Understanding DvmrpNetwork Port 42-9 Multicast Routing and Switch StacksUnderstanding Cgmp 42-10 Configuring IP Multicast RoutingDefault Multicast Routing Configuration Multicast Routing Configuration Guidelines42-11 Auto-RP and BSR Configuration GuidelinesPIMv1 and PIMv2 Interoperability 42-12 Configuring Basic Multicast RoutingIp multicast-routing distributed Sparse-dense-mode Configuring PIM Stub RoutingIp pim version 1 Ip pim dense-mode sparse-mode42-14 Configuring a Rendezvous PointManually Assigning an RP to Multicast Groups Ip pim passive42-15 Access-list-number overrideIp pim rp-address ip-address 42-16 Configuring Auto-RP42-17 Scope ttl group-list access-list-numberIp pim send-rp-announce interface-id Interval seconds42-18 Ip pim send-rp-discovery scope ttlShow ip pim rp mapping Show ip pim rp42-19 Access-list-number group-listIp pim rp-announce-filter rp-list 42-20 Configuring PIMv2 BSRIp pim bsr-border 42-21 Ip multicast boundary42-22 Ip pim bsr-candidate interface-idHash-mask-length priority 42-23 Group-list access-list-numberIp pim rp-candidate interface-id Show ip pim rp-hash group Using Auto-RP and a BSRShow ip pim rp group-name Group-address mappingUnderstanding PIM Shared Tree and Source Tree Configuring Advanced PIM FeaturesTroubleshooting PIMv1 and PIMv2 Interoperability Problems Monitoring the RP Mapping InformationShared Tree and Source Tree Shortest-Path Tree 42-2642-27 Delaying the Use of PIM Shortest-Path TreeIp pim spt-threshold kbps infinity Show ip igmp interface interface-id Configuring Optional Igmp FeaturesModifying the PIM Router-Query Message Interval Ip pim query-interval seconds42-29 Default Igmp ConfigurationConfiguring the Switch as a Member of a Group Ip igmp join-group group-address42-30 Controlling Access to IP Multicast GroupsIp igmp access-group access-list-number Show ip igmp interface interface-id Verify your entriesQuery-interval or the ip igmp query-max-response-time Changing the Igmp VersionModifying the Igmp Host-Query Message Interval Ip igmp version 142-32 Changing the Igmp Query Timeout for IGMPv2Ip igmp querier-timeout seconds Ip igmp query-interval seconds42-33 Configuring the Switch as a Statically Connected MemberChanging the Maximum Query Response Time for IGMPv2 Ip igmp query-max-response-time42-34 Configuring Optional Multicast Routing FeaturesEnabling Cgmp Server Support Ip igmp static-group group-address42-35 Configuring sdr Listener SupportIp cgmp proxy 42-36 Ip sdr listen Enable sdr listener supportEnabling sdr Listener Support Limiting How Long an sdr Cache Entry Exists42-37 Configuring an IP Multicast Boundary42-38 Configuring Basic Dvmrp Interoperability Features42-39 Configuring Dvmrp Interoperability42-40 Ip dvmrp metric metric list42-41 Configuring a Dvmrp TunnelIp dvmrp accept-filter Access-list-number distanceNeighbor-list access-list-number Advertising Network 0.0.0.0 to Dvmrp NeighborsOriginate only Configuring Advanced Dvmrp Interoperability FeaturesIp dvmrp default-information Responding to mrinfo Requests42-44 Enabling Dvmrp Unicast Routing42-45 Rejecting a Dvmrp Nonpruning Neighbor42-46 Enter interface configuration modeChanging the Dvmrp Route Threshold By default, 7000 routes are advertised. The range is 0 toControlling Route Exchanges Limiting the Number of Dvmrp Routes Advertised42-48 Configuring a Dvmrp Summary AddressDefault is 10,000 routes. The range is 1 to Route-count42-49 No ip dvmrp auto-summary Disabling Dvmrp AutosummarizationIp dvmrp summary-address address Mask metric value42-51 Adding a Metric Offset to the Dvmrp RouteIp dvmrp metric-offset in out Increment42-52 Monitoring and Maintaining IP Multicast RoutingClearing Caches, Tables, and Databases Displaying System and Network Statistics42-53 Monitoring IP Multicast Routing42-54 43-1 Configuring MsdpUnderstanding Msdp 43-2 Msdp Operation43-3 Msdp Benefits43-4 Configuring MsdpDefault Msdp Configuration Configuring a Default Msdp Peer43-5 Ip msdp default-peer ip-address namePrefix-list list Ip msdp description peer-name Caching Source-Active StateIp prefix-list name description string Seq number permit deny network43-7 Ip msdp cache-sa-state list43-8 Switchconfig# ip msdp sa-requestRequesting Source Information from an Msdp Peer Ip msdp sa-request ip-address name43-9 Controlling Source Information that Your Switch OriginatesRedistributing Sources Ip msdp redistribute list43-10 43-11 Name list access-list-numberFiltering Source-Active Request Messages Ip msdp filter-sa-request ip-addressRoute-map map-tag Controlling Source Information that Your Switch ForwardsUsing a Filter Ip msdp sa-filter out ip-address name43-13 Ttl Controlling Source Information that Your Switch ReceivesUsing TTL to Limit the Multicast Data Sent in SA Messages Ip msdp ttl-threshold ip-address name43-15 Switchconfig# ip msdp sa-filter in switch.cisco.comIp msdp sa-filter in ip-address name 43-16 Configuring an Msdp Mesh GroupShutting Down an Msdp Peer Ip msdp mesh-group name ip-address43-17 Including a Bordering PIM Dense-Mode Region in MsdpIp msdp shutdown peer-name peer Ip msdp border sa-address interface-id43-18 Configuring an Originating Address other than the RP AddressClear ip msdp sa-cache group-addressname Monitoring and Maintaining MsdpClear ip msdp peer peer-addressname Clear ip msdp statistics peer-addressname43-20 44-1 Configuring Fallback BridgingUnderstanding Fallback Bridging Fallback Bridging Overview44-2 44-3 Configuring Fallback BridgingFallback Bridging and Switch Stacks 44-4 Default Fallback Bridging ConfigurationFallback Bridging Configuration Guidelines Creating a Bridge Group44-5 Bridge bridge-group protocolVlan-bridge Bridge-group bridge-group44-6 Adjusting Spanning-Tree ParametersSwitchconfig# bridge 10 protocol vlan-bridge Bridge-group bridge-grouppriority Changing the VLAN-Bridge Spanning-Tree PriorityChanging the Interface Priority Bridge bridge-group priority number44-8 Assigning a Path CostBridge-group bridge-group path-cost Cost44-9 Adjusting Bpdu IntervalsSwitchconfig# bridge 10 hello-time Bridge bridge-group hello-time secondsBridge bridge-group max-age seconds Switchconfig# bridge 10 forward-timeSwitchconfig# bridge 10 max-age Bridge bridge-group forward-timeShow bridge bridge-group group Monitoring and Maintaining Fallback BridgingDisabling the Spanning Tree on an Interface Clear bridge bridge-group44-12 45-1 Troubleshooting45-2 Recovering from a Software FailureSwitch copy xmodem flashimagefilename.bin Recovering from a Lost or Forgotten PasswordSwitch flashinit Switch loadhelper45-4 45-5 Procedure with Password Recovery Enabled45-6 Copy the configuration file into memory45-7 Procedure with Password Recovery DisabledSwitch dir flash 45-8 Preventing Switch Stack Problems45-9 Recovering from a Command Switch Failure45-10 Replacing a Failed Command Switch with a Cluster MemberSwitchconfig# no cluster commander-address 45-11 Replacing a Failed Command Switch with Another Switch45-12 45-13 Recovering from Lost Cluster Member ConnectivityTroubleshooting Power over Ethernet Switch Ports Preventing Autonegotiation MismatchesSFP Module Security and Identification Disabled Port Caused by Power LossDisabled Port Caused by False Link Up Show controllers power inline privileged Exec commandUnderstanding Ping Monitoring TemperatureUsing Ping Monitoring SFP Module Status45-16 Switch# pingExecuting Ping Character Description45-17 Using Layer 2 TracerouteUnderstanding Layer 2 Traceroute Usage Guidelines45-18 Using IP TracerouteDisplaying the Physical Path Understanding IP TracerouteTrace the path that packets take through the network Switch# traceroute ipExecuting IP Traceroute Traceroute ip host45-20 Using TDRUnderstanding TDR 45-21 Using Debug CommandsEnabling Debugging on a Specific Feature Running TDR and Displaying the Results45-22 Enabling All-System DiagnosticsRedirecting Debug and Error Message Output Udp 10 Using the show platform forward Command45-23 45-24 45-25 Using the crashinfo FilesBasic crashinfo Files 45-26 Using On-Board Failure LoggingExtended crashinfo Files Understanding Obfl45-27 Configuring Obfl45-28 Displaying Obfl InformationShow logging onboard module 46-1 Configuring Online DiagnosticsUnderstanding Online Diagnostics Non-disruptive daily hhmm Configuring Online DiagnosticsScheduling Online Diagnostics Diagnostic schedule switchDiagnostic monitor syslog Configuring Health-Monitoring DiagnosticsDiagnostic monitor interval switch Diagnostic content command outputSchedule status switch Diagnostic monitor threshold switchDiagnostic monitor switch number test Show diagnostic content post resultAll basic non-disruptive Running Online Diagnostic TestsStarting Online Diagnostic Tests Diagnostic start switch number46-6 Displaying Online Diagnostic Tests and Test ResultsCISCO-FTP-CLIENT-MIB CISCO-HSRP-MIB Supported MIBsMIB List IGMP-MIB INET-ADDRESS-MIB IPMROUTE-MIB CISCO-IGMP-FILTER-MIBCISCO-RTTMON-MIB CISCO-SMI-MIB ETHERLIKE-MIB IEEE8021-PAE-MIB IEEE8023-LAG-MIBTCP-MIB UDP-MIB Using FTP to Access the MIB Files Working with the Flash File System Displaying Available File Systems Switch# show file systemsField Value Setting the Default File SystemPwd Cd newconfigsDisplaying Information about Files on a File System Changing Directories and Displaying the Working DirectoryCopying Files Mkdir oldconfigsCreating and Removing Directories Creating, Displaying, and Extracting Files Switch# delete myconfigDeleting Files Archive /table source-url Archive /create destination-urlFlash More /ascii /binary /ebcdic Archive /xtract source-urlExtract a file into a directory on the flash file system Directories are extractedWorking with Configuration Files Configuration File Types and Location Guidelines for Creating and Using Configuration FilesCopying Configuration Files By Using Tftp Creating a Configuration File By Using a Text EditorUploading the Configuration File By Using Tftp Downloading the Configuration File By Using TftpCopying Configuration Files By Using FTP Ip ftp username username Downloading a Configuration File By Using FTPIp ftp password password Filename nvramstartup-config Uploading a Configuration File By Using FTPFtp // username password @ location /directory Filename systemrunning-configFtp // username password @ location /directory Filename Copying Configuration Files By Using RCPCopy systemrunning-config Copy nvramstartup-configHostname Switch1 Ip rcmd remote-username User0 Ip rcmd remote-username username Downloading a Configuration File By Using RCPSystemrunning-config Nvramstartup-configSwitch# copy nvramstartup-config rcp Clearing Configuration InformationUploading a Configuration File By Using RCP Working with Software Images Clearing the Startup Configuration FileDeleting a Stored Configuration File File Format of Images on a Server or Cisco.com Image Location on the SwitchField Description Copying Image Files By Using TftpDownloading an Image File By Using Tftp Preparing to Download or Upload an Image File By Using TftpArchive download-sw /directory Allow-feature-upgrade /directoryArchive download-sw Overwrite /reloadTftp //location /directory /image-name .tar Uploading an Image File By Using TftpArchive upload-sw Preparing to Download or Upload an Image File By Using FTP Copying Image Files By Using FTPDownloading an Image File By Using FTP Directory /image-name2 .tar image-name3 .tar Archive download-sw /allow-feature-upgradeDirectory /overwrite /reload For /directory /image-name1 .tarUploading an Image File By Using FTP Copying Image Files By Using RCP Preparing to Download or Upload an Image File By Using RCP File By Using RCP section on page B-31 Downloading an Image File By Using RCPOr Upload an Image File By Using RCP section on Uploading an Image File By Using RCP Me.tar Copying an Image File from One Stack Member to AnotherRcp // username @ location /directory /image-na For /destination-system destination-stack-member-number Archive copy-sw /destination-systemDestination-stack-member-number /force-reload Source-stack-member-numberUnsupported Global Configuration Commands Unsupported Commands Cisco IOS Release 12.237SEAccess Control Lists Unsupported Privileged Exec CommandsDebug Commands Archive CommandsARP Commands Boot Loader CommandsBridge bridge-group domain domain-name bridge irb Fallback BridgingBridge bridge-groupacquire Bridge crbX25 map bridge x.121-address broadcast options-keywords HsrpIP Multicast Routing Igmp Snooping CommandsInterface Commands Ip multicast-routing vrf vrf-name Ip pim accept-rpaddress auto-rpgroup-access-list-numberShow ip pim vc group-address name type number Show ip rtp header-compression type number detailIP Unicast Routing Unsupported Privileged Exec or User Exec CommandsUnsupported Route Map Commands Unsupported BGP Router Configuration CommandsUnsupported VPN Configuration Commands Set tag tag-value MAC Address CommandsShow cable-diagnostics prbs Test cable-diagnostics prbs MiscellaneousMsdp NetFlow CommandsQoS Network Address Translation NAT CommandsUnsupported Global Configuration Command Unsupported Policy-Map Configuration CommandSpanning Tree Unsupported Interface Configuration CommandUnsupported User Exec Commands Unsupported Privileged Exec CommandIN-1 NumericsIN-2 ACLsTACACS+ CDP Lldp RIPEigrp HsrpIN-4 BGPCidr IN-5 BpduCLI CDPCEF CgmpIN-7 CNSIN-8 IN-9 DhcpDNS Wccp SnmpTACACS+ Udld VmpsIN-11 Dhcp optionIN-12 DTPIN-13 DvmrpIN-14 Dynamic ARP inspectionIN-15 LacpIN-16 STPFIB IN-17 Mstp STPFTP IN-18 HttpsIcmp IN-19 IgmpIN-20 IN-21 IP addressesIN-22 MboneIN-23 IGPIN-24 IP unicast routingIN-25 ISLIN-26 LLDP-MEDIN-27 IN-28 MDAMhsrp IN-29 MsdpIN-30 CSTIST MTUIN-31 NACIN-32 NSSA, OspfIN-33 ObflPBR IN-34 PIMIN-35 Port-based authenticationIN-36 PvidVvid IN-37 Private VLANsIN-38 QoSIN-39 IN-40 RCPIN-41 Radius TACACS+RFC RmonIN-42 RPSRspan RstpIN-43 SDMIN-44 SnmpIN-45 SpanSRR IN-46 SSLVTP IN-47 Stacks, switchIN-48 LLDP-MED OspfIN-49 STPIN-50 IN-51 System message loggingIN-52 IN-53 IN-54 IN-55 VLANsIN-56 VPNVQP IN-57 WTDIN-58