10-42

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Authentication

Beginning in privileged EXEC mode, follow these steps to configure a port to use web authentication:

	Command	Purpose
Step 1
Step 1	configure terminal	Enter global configuration mode.
Step 2
Step 2	ip admission name rule proxy http	Define a web authentication rule.
		Note The same rule cannot be used for both web authentication and
		NAC Layer 2 IP validation.
Step 3	interface interface-id
Step 3	interface interface-id	Specify the port to be configured, and enter interface configuration
		mode.
Step 4	switchport mode access
Step 4	switchport mode access	Set the port to access mode.
Step 5	ip access-group access-listin
Step 5	ip access-group access-listin	Specify the default access control list to be applied to network traffic
		before web authentication.
Step 6
Step 6	ip admission rule	Apply an IP admission rule to the interface.
Step 7
Step 7	end	Return to privileged EXEC mode.
Step 8
Step 8	show running-config interface	Verify your configuration.
	interface-id
Step 9
Step 9	copy running-config startup-config	(Optional) Save your entries in the configuration file.

This example shows how to configure only web authentication on a switch port:

Switch# configure terminal

Switch(config)# ip admission name rule1 proxy http

Switch(config)# interface gigabit1/0/1

Switch(config-if)#switchport mode access

Switch(config-if)#ip access-group policy1 in

Switch(config-if)# ip admission rule1

Switch(config-if)# end

Beginning in privileged EXEC mode, follow these steps to configure a switch port for IEEE 802.1x authentication with web authentication as a fallback method:


	Command		Purpose
Step 1
	configure terminal		Enter global configuration mode.

Step 2 ip admission name rule proxy http			Define a web authentication rule.
Step 3
	fallback profile fallback-profile		Define a fallback profile to allow an IEEE 802.1x port to
			authenticate a client by using web authentication.
Step 4
	ip access-group policy in		Specify the default access control list to apply to network traffic
			before web authentication.
Step 5
	ip admission rule		Associate an IP admission rule with the profile, and specify that
			a client connecting by web authentication uses this rule.
Step 6
	end		Return to privileged EXEC mode.
Step 7
	interface interface-id		Specify the port to be configured, and enter interface
			configuration mode.
Step 8
	switchport mode access		Set the port to access mode.
Step 9
	dot1x port-control auto		Enable IEEE 802.1x authentication on the interface.

		Catalyst 3750-E and 3560-E Switch Software Configuration Guide

10-42			OL-9775-02

Page 294

Image 294

Contents

Americas Headquarters Text Part Number OL-9775-02Page N T E N T S Iii Assigning the Switch IP Address and Default Gateway Understanding Cisco Configuration Engine Software Clustering Switches Catalyst 1900 and Catalyst 2820 CLI Considerations Vii Creating a Banner Viii Changing the Default Privilege Level for Lines Device Roles Bypass Routed Ports Xii Monitoring and Maintaining the Interfaces Xiii Encapsulation Types Xiv Domain Names Private-VLAN Configuration Guidelines Xvi Disabled State Xvii Boundary Ports Xviii Xix 19-25 Dhcp Server Configuring Dynamic ARP Inspection Xxi Configuring MVR Xxii Understanding Storm Control Xxiii Understanding Udld Modes of Operation Xxiv Creating an Rspan Source Session Xxv Snmp Agent Functions Xxvi Creating a Numbered Extended ACL Xxvii Interaction with Other Features and Switches Xxviii Xxix Port-Channel Interfaces Xxx Configuring IP Addressing Xxxi Nonstop Forwarding Awareness Xxxii IPv6 Addresses Xxxiii Configuring Hsrp Priority Xxxiv Configuring IP Multicast Routing Xxxv Configuring Basic Dvmrp Interoperability Features Xxxvi Using a Filter Xxxvii Xxxviii 45-14 Configuring Online Diagnostics Xxxix Unsupported Route-Map Configuration Commands C-1 Hsrp Xli VTP Xlii Purpose PrefaceAudience Conventions Related Publications Xliv Xlv Xlvi Features Overview Deployment Features Availability and Redundancy Features, Vlan Features, Overview Features Performance Features Management Options Manageability Features Availability and Redundancy Features Vlan Features Security Features Overview Features QoS and CoS Features Layer 3 Features Power over Ethernet Features Default Settings After Initial Switch Configuration Monitoring FeaturesVlan Overview Default Settings After Initial Switch Configuration Overview Default Settings After Initial Switch Configuration Network Configuration Examples Design Concepts for Using the Switch Network Demands Suggested Design Methods Cost-Effective Wiring Closet High-Performance Wiring Closet High-Performance Workgroup Gigabit-to-the-Desktop Redundant Gigabit Backbone Server Aggregation Linux Server Cluster Cisco SoftPhone Software Gigabit servers Internet Cisco 2600 or 3700 routers Catalyst 3560-E switches Large Network Using Catalyst 3750-E and 3560-E Switches Cisco 7x00 routers Catalyst Catalyst 3560-E Multidwelling Network Using Catalyst 3750-E Switches Long-Distance, High-Bandwidth Transport Configuration 11 Catalyst 3750-E Switches in a MAN Configuration Where to Go Next Access layer Aggregation layer OL-9775-02 Using the Command-Line Interface Understanding Command Modes Quit Mode Access Method Prompt Exit Method About This ModeConfigure Ctrl-Z Understanding the Help System Console commandCommand Purpose Line vty or line Command ? Understanding Abbreviated CommandsUnderstanding no and default Forms of Commands Command keyword ? Understanding CLI Error Messages Using Configuration LoggingError Message Meaning How to Get Help Recalling Commands Using Command HistoryChanging the Command History Buffer Size Action1 Result Enabling and Disabling Editing Features Using Editing FeaturesDisabling the Command History Feature Switch# terminal editing Editing Commands through Keystrokes Capability Keystroke1 Purpose Editing Command Lines that Wrap Return and Space barPress Ctrl-L or Ctrl-R Accessing the CLI Command begin include exclude regular-expressionSwitch# show interfaces include protocol Using the Command-Line Interface Accessing the CLI OL-9775-02 Assigning the Switch IP Address and Default Gateway Understanding the Boot Process Assigning Switch Information Default Switch Information Understanding DHCP-Based AutoconfigurationFeature Default Setting Dhcp Client Request Process Dhcp Client and Server Message Exchange Configuring DHCP-Based Autoconfiguration Dhcp Server Configuration Guidelines Configuring the Tftp Server Configuring the DNS Configuring the Relay Device Obtaining Configuration FilesRouterconfig-if#ip helper-address Example Configuration Tftpserver Tftp Server Configuration on Unix Switch a Switch B Switch C Switch DDNS Server Configuration Dhcp Client Configuration Manually Assigning IP Information Checking and Saving the Running Configuration Switch# show running-configSwitch# copy running-config startup-config Modifying the Startup Configuration Default Boot ConfigurationAutomatically Downloading a Configuration File Show boot Booting ManuallyBoot config-file flash/ file-url Configure terminal Enter global configuration mode Booting a Specific Software Image Boot system filesystem /file-url Boot system switch number all Controlling Environment Variables Switch current-stack-member-number renumber Set Manualboot yes Boot manualSet Switchnumber Set Switchpriority Variable Description Configuring a Scheduled ReloadScheduling a Reload of the Software Image Reload in hhmm text Switch# reload at Switch# reload at 0200 junDisplaying Scheduled Reload Information Configuring Cisco IOS CNS Agents Understanding Cisco Configuration Engine Software Configuration Service Configuration Engine Architectural Overview What You Should Know About the CNS IDs and Device Hostnames Event ServiceConfigID NameSpace Mapper Using Hostname, DeviceID, and ConfigID DeviceIDHostname and DeviceID Initial Configuration Understanding Cisco IOS Agents Synchronized Configuration Configuring Cisco IOS AgentsIncremental Partial Configuration Enabling Automated CNS Configuration Device Required Configuration Enabling the CNS Event Agent Backup init-retry retry-count keepalive secondsShow running-config Show cns event connections Enabling an Initial Configuration Enabling the Cisco IOS CNS Agent Mac-address event Cns config initial ip-address hostnameCns id interface num dns-reverse ipaddress Cns id hardware-serial hostname string string Cns config partial ip-address hostname Enabling a Partial ConfigurationShow running-config Verify your entries Show cns config stats Show cns event stats Displaying CNS ConfigurationShow cns config connections Show cns event subject Managing Switch Stacks Understanding Switch Stacks Managing Switch Stacks Understanding Switch Stacks Switch Stack Membership Creating a Switch Stack from Two Standalone Switches Adding a Standalone Switch to a Switch Stack Stack Master Election and Re-Election Switch Stack Bridge ID and Router MAC Address Stack Member Numbers Stack Member Priority Values Switch Stack Offline Configuration Effects of Adding a Provisioned Switch to a Switch StackScenario Result Scenario Result Switch Stack Software Compatibility Recommendations Effects of Replacing a Provisioned Switch in a Switch Stack Major Version Number Incompatibility Among Switches Minor Version Number Incompatibility Among SwitchesStack Protocol Version Compatibility Understanding Auto-Upgrade and Auto-Advise Auto-Upgrade and Auto-Advise Example Messages SwitchDirectory Mar 1 000422.537%IMAGEMGR-6-AUTOADVISESW Incompatible Software and Stack Member Image Upgrades Switch Stack Configuration Files Switch Stack Management Connectivity Connectivity to the Switch Stack Through an IP Address Connectivity to the Switch Stack Through an SSH SessionConnectivity to Specific Stack Members Switch Stack Configuration Scenarios Use the switch stack-member-numberPriority new-priority-number global Current-stack-member-number Renumber new-stack-member-number Configuring the Switch Stack Default Switch Stack ConfigurationEnabling Persistent MAC Address Switchconfig# stack-mac persistent timer Stack-mac persistent timerShow switch Time-value Setting the Stack Member Priority Value Assigning Stack Member InformationAssigning a Stack Member Number Provisioning a New Member for a Switch Stack Command Description Accessing the CLI of a Specific Stack MemberDisplaying Switch Stack Information Show switch stack-member-number Show switch stack-ports Show switch stack-ring activityDetail OL-9775-02 Clustering Switches Understanding Switch Clusters Switch Cisco IOS Release Cluster Capability Cluster Command Switch Characteristics Standby Cluster Command Switch Characteristics Planning a Switch Cluster Candidate Switch and Cluster Member Switch Characteristics Automatic Discovery of Cluster Candidates and Members Discovery Through CDP Hops Discovery Through CDP Hops Discovery Through Different VLANs Discovery Through Different Management VLANs Discovery Through Different VLANs Discovery Through Routed Ports Discovery of Newly Installed Switches New out-of-box Hsrp and Standby Cluster Command Switches Virtual IP Addresses Other Considerations for Cluster Standby Groups Automatic Recovery of Cluster Configuration IP Addresses Hostnames Passwords Snmp Community Strings Switch Clusters and Switch Stacks Switch Stack Switch ClusterMembers Other cluster member switches TACACS+ and Radius LRE Profiles Using the CLI to Manage Switch Clusters Switch# rcommandCatalyst 1900 and Catalyst 2820 CLI Considerations Using Snmp to Manage Switch Clusters Snmp Management for a Cluster OL-9775-02 Administering the Switch Managing the System Time and DateUnderstanding the System Clock Understanding Network Time Protocol NTP Configuring NTP Typical NTP Network Configuration Default NTP Configuration Configuring NTP AuthenticationNtp authenticate Configuring NTP Associations Ntp peer ip-address version number Configuring NTP Broadcast ServiceSwitchconfig# ntp server 172.16.22.44 version Key keyid source interface prefer Destination-address Interface interface-idNtp broadcast version number key keyid Ntp broadcast client Ntp access-group query-only Configuring NTP Access RestrictionsNtp broadcastdelay microseconds Serve-onl y serve peer Command Purpose Configuring the Source IP Address for NTP Packets Interface interface-id Setting the System Clock Configuring Time and Date ManuallyDisplaying the NTP Configuration Fundamentals Command Reference, Release Clock timezone zone hours-offset Displaying the Time and Date ConfigurationConfiguring the Time Zone Minutes-offset Week day month hh mm week day month Configuring Summer Time Daylight Saving TimeClock summer-time zone recurring Hh mm offset Configuring a System Name and Prompt Clock summer-time zone date monthClock summer-time zone date date Copy running-config startup-confi g Default System Name and Prompt ConfigurationConfiguring a System Name Understanding DNS Ip domain-name name Default DNS ConfigurationSetting Up DNS Ip name-server server-address1 Default Banner Configuration Displaying the DNS ConfigurationCreating a Banner Configuring a Message-of-the-Day Login Banner Banner motd c message cUnix telnet Configuring a Login Banner Banner login c message cManaging the MAC Address Table Building the Address Table MAC Addresses and VLANs MAC Addresses and Switch Stacks Default MAC Address Table ConfigurationChanging the Address Aging Time Mac address-table aging-time Configuring MAC Address Notification TrapsRemoving Dynamic Address Entries Show mac address-table aging-time Snmp-server host host-addr traps informs version String by using the snmp-server communitySnmp-server enable traps mac-notification Mac address-table notification Adding and Removing Static Address Entries Vlan vlan-id interface interface-id Configuring Unicast MAC Address FilteringMac address-table static mac-addr Show mac address-table static Vlan vlan-id drop Managing the ARP Table Displaying Address Table Entries OL-9775-02 Configuring SDM Templates Understanding the SDM Templates Resource Access Default Routing Dual IPv4 and IPv6 SDM Templates SDM Templates and Switch Stacks IPv4-and-IPv6 Resource Default Routing Configuring the Switch SDM Template Default SDM TemplateSDM Template Configuration Guidelines Dual-ipv4-and-ipv6 default routing Setting the SDM TemplateSdm prefer access default Vlan routing vlan Switchconfig# sdm prefer routing Switchconfig# sdm prefer dual-ipv4-and-ipv6 defaultDisplaying the SDM Templates Policy based routing aces 25K OL-9775-02 Configuring Switch-Based Authentication Preventing Unauthorized Access to Your Switch Protecting Access to Privileged Exec Commands Default Password and Privilege Level Configuration Setting or Changing a Static Enable Password Enable password passwordSwitchconfig# enable password l1u2c3k4y5 Enable secret level level password Enable password level level passwordEncryption-type encrypted-password Service password-encryption Disabling Password Recovery No service password-recoveryShow version Password password Setting a Telnet Password for a Terminal LineConfiguring Username and Password Pairs Switchconfig-line#password let45me67in89 Login local Configuring Multiple Privilege LevelsUsername command Username name privilege level Setting the Privilege Level for a Command Privilege mode level level commandShow privilege Changing the Default Privilege Level for Lines CommandLogging into and Exiting a Privilege Level Controlling Switch Access with TACACS+ Understanding TACACS+ Typical TACACS+ Network Configuration Configuring TACACS+ TACACS+ Operation Aaa new-model Default TACACS+ ConfigurationTacacs-server host hostname port Aaa group server tacacs+ group-name Configuring TACACS+ Login Authentication Aaa new-model Enable AAAShow tacacs Verify your entries Authentication login command Aaa authentication login defaultLogin authentication default Line console tty vty line-number Show running-config Verify your entries Controlling Switch Access with Radius Displaying the TACACS+ ConfigurationStarting TACACS+ Accounting Understanding Radius Transitioning from Radius to TACACS+ Services Radius Operation Configuring Radius Default Radius ConfigurationIdentifying the Radius Server Host Page Ip-address auth-port port-number Acct-port port-number timeoutRadius-server host hostname Seconds retransmit retries key Configuring Radius Login Authentication Switchconfig# radius-server host host1 Server Host section on Defining AAA Server Groups Aaa group server radius group-name Aaa authorization network radius Radius Starting Radius Accounting Radius-server key string Configuring Settings for All Radius ServersRadius-server timeout seconds Radius-server retransmit retries Cisco-avpair=shellpriv-lvl=15 AuthenticationRadius-server vsa send accounting Cisco-avpair=ipoutacl#2=deny ip 10.10.10.10 0.0.255.255 any Controlling Switch Access with Kerberos Displaying the Radius ConfigurationRadius-server host hostname ip-address non-standard Understanding Kerberos Term Definition KDC Keytab Authenticating to a Boundary SwitchKerberos Operation Srvtab Configuring Kerberos Authenticating to Network ServicesObtaining a TGT from a KDC Aaa authentication login default local Aaa authorization exec localAaa authorization network local Configuring the Switch for Secure Shell Username commandUsername name privilege level Understanding SSH SSH Servers, Integrated Clients, and Supported Versions Configuring SSH Configuration GuidelinesLimitations Setting Up the Switch to Run SSH Ip ssh timeout seconds Displaying the SSH Configuration and StatusConfiguring the SSH Server Authentication-retries number Configuring the Switch for Secure Socket Layer Http Understanding Secure Http Servers and ClientsCertificate Authority Trustpoints Rsakeypair TP-self-signed-3080755072 Configuring Secure Http Servers and Clients Default SSL ConfigurationCipherSuites SSL Configuration Guidelines Configuring a CA Trustpoint Configuring the Secure Http Server Show ip http server secure status Configuring the Secure Http ClientIp http timeout-policy idle seconds life Ip http client secure-trustpoint name Ip http client secure-ciphersuite Configuring the Switch for Secure Copy ProtocolDisplaying Secure Http Server and Client Status Show ip http client secure status Information About Secure Copy Html OL-9775-02 Configuring Ieee 802.1x Port-Based Authentication Understanding Ieee 802.1x Port-Based Authentication10-1 Device Roles 10-2 Authentication Process 10-3 Authentication Flowchart 10-4 Authentication Initiation and Message Exchange 10-5 10-6 EAPOL-Start Ieee 802.1x Authentication and Switch Stacks Ports in Authorized and Unauthorized States10-7 Ieee 802.1x Host Mode 10-8 Attribute Number AV Pair Name Ieee 802.1x AccountingIeee 802.1x Accounting Attribute-Value Pairs 10-9 Using Ieee 802.1x Authentication with Vlan Assignment 10-10 Using Ieee 802.1x Authentication with Per-User ACLs 10-11 Using Ieee 802.1x Authentication with Guest Vlan 10-12 Using Ieee 802.1x Authentication with Restricted Vlan 10-13 10-14 Using Ieee 802.1x Authentication with Voice Vlan Ports 10-15 Using Ieee 802.1x Authentication with Port Security 10-16 Using Ieee 802.1x Authentication with Wake-on-LAN 10-17 10-18 Using Multidomain Authentication Network Admission Control Layer 2 Ieee 802.1x Validation10-19 Using Web Authentication For example10-20 Configuring Ieee 802.1x Authentication 10-21 Default Ieee 802.1x Authentication Configuration AAA10-22 Ieee 802.1x Authentication Configuration Guidelines Ieee 802.1x Authentication10-23 10-24 Configuring Ieee 802.1x Authentication MAC Authentication Bypass10-25 Configuring the Switch-to-RADIUS-Server Communication 10-26 Ip-address auth-port port-number key 10-27 Multi-domain Configuring the Host ModeDot1x host-mode multi-host Show dot1x interface interface-id Configuring Periodic Re-Authentication Manually Re-Authenticating a Client Connected to a Port10-29 Changing the Quiet Period Changing the Switch-to-Client Retransmission TimeDot1x timeout tx-period seconds Show dot1x interface interface-id Verify your entries Show dot1xinterface interface-id Verify your entries Setting the Switch-to-Client Frame-Retransmission NumberSwitchconfig-if#dot1x timeout tx-period Dot1x max-reauth-req count Switchconfig-if#dot1x max-reauth-req Setting the Re-Authentication NumberConfiguring Ieee 802.1x Accounting 10-32 Configuring a Guest Vlan 10-33 Switchconfig# interface gigabitethernet2/0/2 Configuring a Restricted VlanSwitchport mode private-vlan host Dot1x guest-vlan vlan-id Attempts Dot1x auth-fail vlan vlan-idDot1x auth-fail max-attempts max 10-35 Radius-server dead-criteria time time Configuring the Inaccessible Authentication Bypass FeatureSwitchconfig-if#dot1x auth-fail max-attempts Tries tries 10-37 Reinitialize vlan vlan-id Configuring Ieee 802.1x Authentication with WoLDot1x critical recovery action Show dot1x interface interface-id Switchconfig-if#dot1x mac-auth-bypass Configuring MAC Authentication BypassSwitchconfig-if#dot1x control-direction both Dot1x control-direction both Configuring NAC Layer 2 Ieee 802.1x Validation 10-40 Configuring Web Authentication 10-41 10-42 Dot1x fallback fallback-profile Disabling Ieee 802.1x Authentication on the PortNo dot1x pae Disable Ieee 802.1x authentication on the port 10-43 Displaying Ieee 802.1x Statistics and Status 10-44 Configuring Interface Characteristics Understanding Interface Types11-1 Switch Ports Port-Based VLANs11-2 Access Ports Trunk Ports11-3 Routed Ports Tunnel Ports11-4 Switch Virtual Interfaces EtherChannel Port Groups11-5 Supported Protocols and Standards Power over Ethernet PortsGigabit Ethernet Interfaces 11-6 Powered-Device Detection and Initial Power Allocation Class11-7 Power Management Modes 11-8 Power Monitoring and Power Policing 11-9 Maximum Power Allocation Cutoff Power on a PoE Port 11-10 Connecting Interfaces 11-11 Ethernet Management Port 11-12 Connecting a Switch Stack to a PC 11-13 Tftp 11-14 Mgmtshow Using Interface Configuration ModeMgmtinit Mgmtclr Procedures for Configuring Interfaces 11-16 Macroname Configuring a Range of InterfacesInterface range port-range macro Show interfaces interface-id 11-18 Define interface-range macroname Configuring and Using Interface Range MacrosShow running-config include define Interface range macro macroname Switch# show run include define Configuring Ethernet InterfacesSwitch# show running-config include define 11-20 Default Ethernet Interface Configuration 11-21 Configuring Interface Speed and Duplex Mode Speed and Duplex Configuration Guidelines11-22 Nonegotiate Setting the Interface Speed and Duplex ParametersSpeed 10 100 1000 auto 10 Duplex auto full half Configuring Ieee 802.3x Flow Control Flowcontrol receive on off desired11-24 With Correct Cabling Configuring Auto-MDIX on an InterfaceLocal Side Auto-MDIX 11-25 Configuring a Power Management Mode on a PoE Port Interface-id phy11-26 Show power inline i nterface-id Budgeting Power for Devices Connected to a PoE PortPower inline auto max max-wattage Neve r static max max-wattage Wattage 11-28 Configuring Power Policing 11-29 Adding a Description for an Interface 11-30 Switch# show interfaces gigabitethernet1/0/2 description Configuring Layer 3 InterfacesConfiguring Ethernet Management Ports 11-31 No shutdown No switchportInterface gigabitethernet interface-id vlan vlan-id 11-32 Configuring the System MTU 11-33 System mtu routing bytes Use the system mtu jumbo Use the system mtu routingSystem mtu jumbo bytes 11-34 Reload Configuring the Cisco Redundant Power SystemSystem mtu bytes Show system mtu Standby Power rps switch-number name string serialnumberPower rps switch-number port rps-port-id mode active 11-36 Show env power Configuring the Power SuppliesPower supply switch-numberoff on Show env rps Monitoring and Maintaining the Interfaces Monitoring Interface Status11-38 Clearing and Resetting Interfaces and Counters 11-39 Shutdown Shutting Down and Restarting the InterfaceInterface vlan vlan-id gigabitethernet interface-id 11-40 Configuring Smartports Macros Understanding Smartports Macros12-1 Macro Name Description Configuring Smartports MacrosDefault Smartports Macro Configuration 12-2 Smartports Macro Configuration Guidelines 12-3 Name Sample-Macro and macro name sample-macro will result Creating Smartports MacrosMacro name macro-name Show parser macro name macro-name Applying Smartports Macros 12-5 Show parser macro macro-name Applying Cisco-Default Smartports MacrosShow parser macro 12-6 Switch# show parser macro cisco-desktop Switchconfig-if#macro apply cisco-desktop $AVID12-7 Show parser macro description interface Displaying Smartports MacrosShow parser macro brief 12-8 Configuring VLANs Understanding VLANs13-1 13-2 Supported VLANs Vlan Port Membership Modes13-3 Configuring Normal-Range VLANs 13-4 Vlan ID 13-5 Normal-Range Vlan Configuration Guidelines Token Ring VLANs13-6 Vlan Configuration in config-vlan Mode Vlan Configuration Mode OptionsSaving Vlan Configuration Vlan Configuration in Vlan Database Configuration Mode VLANxxxx, where Default Ethernet Vlan ConfigurationParameter Default Range 13-8 Remote-span Copy running-config startup configCreating or Modifying an Ethernet Vlan 13-9 Deleting a Vlan Vlan database13-10 No vlan vlan-id Assigning Static-Access Ports to a VlanSwitchport access vlan vlan-id Show vlan brief Show interfaces interface-id switchport Configuring Extended-Range VLANsDefault Vlan Configuration Vlan fields of the display Extended-Range Vlan Configuration Guidelines 13-13 Show vlan id vlan-id Vtp mode transparentCreating an Extended-Range Vlan 13-14 Creating an Extended-Range Vlan with an Internal Vlan ID Switchconfig# vtp mode transparentSwitch# copy running-config startup config Show vlan internal usage Displaying VLANs Configuring Vlan TrunksCommand Command Mode Purpose Trunking Overview Switches in an ISL Trunking Environment 13-17 Encapsulation Function Mode FunctionEncapsulation Types 13-18 Ieee 802.1Q Configuration Considerations Default Layer 2 Ethernet Interface Vlan ConfigurationConfiguring an Ethernet Interface as a Trunk Port 13-19 Dot1q negotiate Interaction with Other FeaturesConfiguring a Trunk Port 13-20 Defining the Allowed VLANs on a Trunk 13-21 All except remove vlan-list Switchport trunk allowed vlan addChanging the Pruning-Eligible List 13-22 Except none remove vlan-list Configuring the Native Vlan for Untagged TrafficSwitchport trunk pruning vlan add Vlan ,vlan Switchport trunk native vlan vlan-id Configuring Trunk Ports for Load SharingLoad Sharing Using STP Port Priorities 13-24 13-25 Connect to the trunk ports configured on Switch a Load Sharing Using STP Path CostOr switch stack Exit Return to global configuration mode Isl dot1q negotiate Switchport trunk encapsulationInterface gigabitethernet1/0/1 Spanning-tree vlan 2-4 cost Configuring Vmps Understanding Vmps13-28 Dynamic-Access Port Vlan Membership Default Vmps Client ConfigurationVmps Configuration Guidelines 13-29 Configuring the Vmps Client Entering the IP Address of the Vmps13-30 Reconfirming Vlan Memberships Configuring Dynamic-Access Ports on Vmps ClientsSwitchport access vlan dynamic Vmps reconfirm Vmps reconfirm minutes Changing the Reconfirmation IntervalChanging the Retry Count 13-32 Switch# show vmps Troubleshooting Dynamic-Access Port Vlan MembershipVmps Configuration Example Monitoring the Vmps Dynamic Port Vlan Membership Configuration 13-34 Configuring VTP Understanding VTP14-1 VTP Domain 14-2 VTP Advertisements VTP Mode DescriptionVTP Modes 14-3 VTP Version VTP Pruning14-4 14-5 Vlan Configuring VTP VTP and Switch Stacks14-6 VTP Configuration in Global Configuration Mode Default VTP ConfigurationVTP Configuration Options 14-7 Passwords VTP Configuration GuidelinesVTP Configuration in Vlan Database Configuration Mode Domain Names VTP Version Configuring a VTP ServerConfiguration Requirements 14-9 Show vtp status Vtp password passwordVtp password password Vtp server Switch# vlan database Configuring a VTP ClientVtp mode client 14-11 Disabling VTP VTP Transparent Mode 14-12 Enabling VTP Version Vtp version14-13 Vtp pruning Adding a VTP Client Switch to a VTP DomainEnabling VTP Pruning 14-14 14-15 Monitoring VTP 14-16 Configuring Voice Vlan Understanding Voice Vlan15-1 Cisco IP Phone Voice Traffic Cisco IP Phone Data Traffic15-2 Voice Vlan Configuration Guidelines Configuring Voice VlanDefault Voice Vlan Configuration 15-3 Configuring a Port Connected to a Cisco 7960 IP Phone 15-4 Configuring Cisco IP Phone Voice Traffic 15-5 Configuring the Priority of Incoming Data Frames 15-6 Displaying Voice Vlan 15-7 15-8 Configuring Private VLANs Understanding Private VLANs16-1 16-2 Private-VLAN Domain IP Addressing Scheme with Private VLANs 16-3 Private VLANs across Multiple Switches Private-VLAN Interaction with Other Features16-4 Private VLANs and Unicast, Broadcast, and Multicast Traffic Private VLANs and SVIs16-5 Private VLANs and Switch Stacks Configuring Private VLANsTasks for Configuring Private VLANs 16-6 Secondary and Primary Vlan Configuration Default Private-VLAN ConfigurationPrivate-VLAN Configuration Guidelines 16-7 Private-VLAN Port Configuration 16-8 Limitations with Other Features 16-9 Configuring and Associating VLANs in a Private Vlan 16-10 Show vlan private-vlan type Show interfaces status16-11 Switch# show interfaces gigabitethernet1/0/22 switchport Configuring a Layer 2 Interface as a Private-VLAN Host PortSwitchport private-vlan host-association Primaryvlanid secondaryvlanid Add remove secondaryvlanlist Switchport mode private-vlan promiscuousSwitchport private-vlan mapping primaryvlanid 16-13 Private-vlan mapping add remove Switch# show interfaces private-vlan mappingInterface vlan primaryvlanid Show interface private-vlan mapping Monitoring Private VLANs 16-15 16-16 Configuring Ieee 802.1Q and Layer 2 Protocol Tunneling Understanding Ieee 802.1Q Tunneling17-1 Ieee 802.1Q Tunnel Ports in a Service-Provider Network 17-2 17-3 Ieee 802.1Q Tunneling Configuration Guidelines Configuring Ieee 802.1Q TunnelingDefault Ieee 802.1Q Tunneling Configuration Native VLANs System MTU 17-5 Ieee 802.1Q Tunneling and Other Features 17-6 Show dot1q-tunnel Configuring an Ieee 802.1Q Tunneling PortVlan dot1q tag native Show vlan dot1q tag native Understanding Layer 2 Protocol Tunneling 17-8 17-9 Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling 17-10 Default Layer 2 Protocol Tunneling Configuration 17-11 Layer 2 Protocol Tunneling Configuration Guidelines 17-12 Configuring Layer 2 Protocol Tunneling 17-13 L2protocol-tunnel point-to-point Configuring Layer 2 Tunneling for EtherChannelsConfiguring the SP Edge Switch Pagp lacp udld 17-15 Configuring the Customer Switch 17-16 Switchconfig-if#channel-group 1 mode desirable Switchconfig# interface port-channel17-17 Monitoring and Maintaining Tunneling Status 17-18 Configuring STP Understanding Spanning-Tree Features18-1 STP Overview 18-2 Spanning-Tree Topology and BPDUs 18-3 Bridge ID, Switch Priority, and Extended System ID 18-4 Bit Switch Priority ValueSpanning-Tree Interface States 32768 16384 8192 4096 2048 1024 512 256 128 2illustrates how an interface moves through the states 18-6 Learning State Blocking StateListening State Forwarding State How a Switch or Port Becomes the Root Switch or Root Port Disabled State18-8 Accelerated Aging to Retain Connectivity Spanning Tree and Redundant ConnectivitySpanning-Tree Address Management 18-9 Spanning-Tree Modes and Protocols Supported Spanning-Tree Instances18-10 VLAN-Bridge Spanning Tree Spanning-Tree Interoperability and Backward CompatibilitySTP and Ieee 802.1Q Trunks Rapid PVST+ Configuring Spanning-Tree Features Spanning Tree and Switch Stacks18-12 Default Spanning-Tree Configuration Spanning-Tree Configuration Guidelines18-13 18-14 Changing the Spanning-Tree Mode 18-15 Show spanning-tree vlan vlan-id Verify your entries Configuring the Root SwitchDisabling Spanning Tree 18-16 Show spanning-tree detail Spanning-tree vlan vlan-id root primaryDiameter net-diameter hello-time seconds 18-17 Spanning-tree vlan vlan-id root secondary Configuring a Secondary Root SwitchConfiguring Port Priority Diameter net-diameter hello-time Show spanning-tree interface interface-id Spanning-tree port-priority prioritySpanning-tree vlan vlan-id port-priority priority Show spanning-tree vlan vlan-id Spanning-tree cost cost Configuring Path CostPort-channel-number Spanning-tree vlan vlan-id cost cost Configuring the Switch Priority of a Vlan Spanning-tree vlan vlan-id priority priority18-21 Spanning-tree vlan vlan-id hello-time seconds Configuring Spanning-Tree TimersConfiguring the Hello Time 18-22 Spanning-tree vlan vlan-id forward-time Configuring the Forwarding-Delay Time for a VlanConfiguring the Maximum-Aging Time for a Vlan Spanning-tree vlan vlan-idmax-age seconds Show spanning-tree detail Verify your entries Configuring the Transmit Hold-CountDisplaying the Spanning-Tree Status 18-24 Configuring Mstp 19-1 Understanding Mstp Multiple Spanning-Tree Regions19-2 IST, CIST, and CST Operations Within an MST Region19-3 Operations Between MST Regions 19-4 Cisco Prestandard Cisco Standard Hop CountIeee 802.1s Terminology 19-5 Boundary Ports Ieee 802.1s Implementation19-6 Interoperation Between Legacy and Standard Switches Port Role Naming Change19-7 Mstp and Switch Stacks Detecting Unidirectional Link Failure19-8 Port Roles and the Active Topology Understanding RstpInteroperability with Ieee 802.1D STP 19-9 Rapid Convergence 19-10 Synchronization of Port Roles 19-11 Bridge Protocol Data Unit Format and Processing Bit Function19-12 Processing Inferior Bpdu Information Topology ChangesProcessing Superior Bpdu Information 19-13 Configuring Mstp Features 19-14 Default Mstp Configuration Mstp Configuration Guidelines19-15 Instance instance-id vlan vlan-range Specifying the MST Region Configuration and Enabling MstpSpanning-tree mst configuration Name name Show pending Spanning-tree mode mstRevision version Exit Spanning-tree mst instance-id root primary 19-18 19-19 Spanning-tree mst instance-id port-priority priority Show spanning-tree mst interface interface-id19-20 Spanning-tree mst instance-id cost cost 19-21 Spanning-tree mst instance-id priority priority Configuring the Switch PriorityConfiguring the Hello Time 19-22 Spanning-tree mst forward-time seconds Configuring the Forwarding-Delay TimeShow spanning-tree mst Verify your entries Show spanning-tree mst Specifying the Link Type to Ensure Rapid Transitions Configuring the Maximum-Aging TimeConfiguring the Maximum-Hop Count Spanning-tree mst max-age seconds Designating the Neighbor Type 19-25 Displaying the MST Configuration and Status Restarting the Protocol Migration Process19-26 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features20-1 Understanding Port Fast Understanding Bpdu Guard20-2 Understanding Bpdu Filtering Understanding UplinkFast20-3 Switches in a Hierarchical Network 20-4 Understanding Cross-Stack UplinkFast 20-5 How Csuf Works 20-6 Understanding BackboneFast Events that Cause Fast Convergence20-7 20-8 BackboneFast Example Before Indirect Link Failure Adding a Switch in a Shared-Medium Topology 20-9 Understanding EtherChannel Guard Understanding Root Guard20-10 Understanding Loop Guard 20-11 Enabling Port Fast Default Optional Spanning-Tree ConfigurationOptional Spanning-Tree Configuration Guidelines 20-12 Spanning-tree portfast trunk Spanning-tree portfast trunk interface configurationEnabling Bpdu Guard Portfast Spanning-tree portfast Enable the Port Fast feature Enabling Bpdu Filtering20-14 Enabling UplinkFast for Use with Redundant Links 20-15 Enabling Cross-Stack UplinkFast Spanning-tree uplinkfast max-update-rateUplinkfast command Enabling BackboneFast Show spanning-tree summary Verify your entries Spanning-tree backbonefast Enable BackboneFastEnabling EtherChannel Guard 20-17 Enabling Root Guard Enabling Loop Guard20-18 20-19 20-20 Flex Links 21-1 Switchport backup interface preemption delay commands Vlan Flex Link Load Balancing and Support21-2 MAC Address-Table Move Update 21-3 MAC Address-Table Move Update Example 21-4 Configuration Guidelines Default Configuration21-5 Show interface interface-id switchport backup Configuring Flex LinksSwitchport backup interface interface-id Switch# show interface switchport backup Delay delay-time Switchport backup interface interface-id preemptionMode forced bandwidth off 21-7 Show interfaces interface-id switchport backup Configuring Vlan Load Balancing on Flex LinksSwitchport backup interface interface-id prefer vlan Switch#show interfaces switchport backup Primary vlan vlan-id Configuring the MAC Address-Table Move Update FeatureSwitchport backup interface interface-idmmu 21-9 Switch# show mac-address-table move update End Return to global configuration modeSwitchconf# mac address-table move update transmit 21-10 Monitoring Flex Links and the MAC Address-Table Move Update 21-11 21-12 Configuring Dhcp Features and IP Source Guard Understanding Dhcp Features22-1 Dhcp Snooping Dhcp ServerDhcp Relay Agent 22-2 Option-82 Data Insertion 22-3 22-4 Dhcp Relay Agent in a Metropolitan Ethernet Network Remote ID Suboption Frame Format 22-5 Release Cisco IOS Dhcp Server DatabaseDhcp Snooping Binding Database 22-6 22-7 Default Dhcp Configuration Configuring Dhcp FeaturesDhcp Snooping and Switch Stacks 22-8 Dhcp Snooping Configuration Guidelines 22-9 Configuring the Dhcp Server Dhcp Server and Switch Stacks22-10 Ip helper-address address Configuring the Dhcp Relay AgentSpecifying the Packet Forwarding Address 22-11 Enabling Dhcp Snooping and Option Switchport mode accessSwitchport access vlan vlan-id Interface range port-range 22-13 Enabling the Dhcp Snooping Binding Database Agent Enabling Dhcp Snooping on Private VLANsEnabling the Cisco IOS Dhcp Server Database Ip dhcp snooping database Displaying Dhcp Snooping Information 22-15 Understanding IP Source Guard Source IP Address Filtering22-16 IP Source Guard Configuration Guidelines Configuring IP Source GuardDefault IP Source Guard Configuration Source IP and MAC Address Filtering Enabling IP Source Guard 22-18 Displaying IP Source Guard Information 22-19 22-20 Configuring Dynamic ARP Inspection Understanding Dynamic ARP Inspection23-1 23-2 ARP Cache Poisoning Interface Trust States and Network Security 23-3 Rate Limiting of ARP Packets Relative Priority of ARP ACLs and Dhcp Snooping Entries23-4 Logging of Dropped Packets Configuring Dynamic ARP InspectionDefault Dynamic ARP Inspection Configuration 23-5 Dynamic ARP Inspection Configuration Guidelines 23-6 Ip arp inspection vlan vlan-range Configuring Dynamic ARP Inspection in Dhcp EnvironmentsShow cdp neighbors 23-7 Configuring ARP ACLs for Non-DHCP Environments 23-8 23-9 No ip arp inspection trust Show arp access-list acl-nameLimiting the Rate of Incoming ARP Packets Specified with the ip arp inspection vlan logging Performing Validation Checks 23-11 Src-mac dst-mac ip Configuring the Log BufferIp arp inspection validate Show ip arp inspection vlan Ip arp inspection log-buffer entries Number logs number interval23-13 Displaying Dynamic ARP Inspection Information 23-14 Clear ip arp inspection log Clear ip arp inspection statisticsShow ip arp inspection statistics vlan Show ip arp inspection log 23-16 Configuring Igmp Snooping and MVR 24-1 Understanding Igmp Snooping 24-2 Igmp Versions Joining a Multicast Group24-3 224.1.2.3 24-4 Leaving a Multicast Group 24-5 Igmp Report Suppression Igmp Configurable-Leave TimerImmediate Leave 24-6 Default Igmp Snooping Configuration Configuring Igmp SnoopingIgmp Snooping and Switch Stacks PIM-DVMRP Enabling or Disabling Igmp Snooping Ip igmp snooping vlan vlan-id24-8 Learn cgmp pim-dvmrp Setting the Snooping MethodIp igmp snooping vlan vlan-id mrouter Show ip igmp snooping Configuring a Multicast Router Port Show ip igmp snooping mrouter vlan vlan-id24-10 Ip igmp snooping vlan vlan-id static ipaddress Configuring a Host Statically to Join a GroupEnabling Igmp Immediate Leave Show ip igmp snooping groups Configuring the Igmp Leave Timer 24-12 Controlling the Multicast Flooding Time After a TCN Event Configuring TCN-Related CommandsRecovering from Flood Mode Count Disabling Multicast Flooding During a TCN Event No ip igmp snooping tcn flood24-14 Configuring the Igmp Snooping Querier 24-15 Disabling Igmp Report Suppression No ip igmp snooping report-suppression24-16 Displaying Igmp Snooping Information 24-17 Understanding Multicast Vlan Registration 24-18 Using MVR in a Multicast Television Application 24-19 MVR Configuring MVRDefault MVR Configuration 24-20 Mvr Enable MVR on the switch MVR Configuration Guidelines and LimitationsConfiguring MVR Global Parameters 24-21 Configuring MVR Interfaces 24-22 Show mvr Mvr type source receiverMvr immediate Show mvr interface Show mvr members Configuring Igmp Filtering and Throttling Displaying MVR Information24-24 Default Igmp Filtering and Throttling Configuration Configuring Igmp Profiles24-25 Range ip multicast address Ip igmp profile profile numberPermit deny Show ip igmp profile profile number Applying Igmp Profiles Setting the Maximum Number of Igmp GroupsSwitch# show ip igmp profile Ip igmp filter profile number EtherChannel group or a EtherChannel interface Configuring the Igmp Throttling ActionShow running-config interface Verify the configuration Interface-id Replace Displaying Igmp Filtering and Throttling ConfigurationIp igmp max-groups action deny Show ip igmp profile profile 24-30 Configuring IPv6 MLD Snooping Understanding MLD Snooping25-1 25-2 Multicast Client Aging Robustness MLD MessagesMLD Queries 25-3 MLD Done Messages and Immediate-Leave Multicast Router DiscoveryMLD Reports 25-4 Topology Change Notification Processing Configuring IPv6 MLD SnoopingMLD Snooping in Switch Stacks 25-5 Default MLD Snooping Configuration MLD Snooping Configuration Guidelines25-6 Ipv6 mld snooping vlan vlan-id Enabling or Disabling MLD SnoopingIpv6 mld snooping 25-7 Show ipv6 mld snooping multicast-address user Configuring a Static Multicast GroupIpv6 mld snooping vlan vlan-id static Show ipv6 mld snooping multicast-address vlan Show ipv6 mld snooping mrouter vlan vlan-id Enabling MLD Immediate LeaveIpv6 mld snooping vlan vlan-id mrouter 25-9 Configuring MLD Snooping Queries 25-10 Displaying MLD Snooping Information Disabling MLD Listener Message Suppression25-11 Vlan-id ipv6-multicast-address Show ipv6 mld snooping querier vlan vlan-idVlan-id count dynamic user 25-12 Understanding Storm Control Configuring Port-Based Traffic ControlConfiguring Storm Control 26-1 26-2 Broadcast Storm Control Example Default Storm Control Configuration Configuring Storm Control and Threshold Levels26-3 Bps-low pps pps pps-low Storm-control broadcast multicastUnicast level level level-low bps bps Storm-control action shutdown trap Show storm-control interface-id broadcast Configuring Protected PortsDefault Protected Port Configuration Multicast unicast Configuring a Protected Port Configuring Port BlockingProtected Port Configuration Guidelines 26-6 Blocking Flooded Traffic on an Interface Configuring Port SecurityDefault Port Blocking Configuration 26-7 Understanding Port Security Secure MAC Addresses26-8 Security Violations 26-9 Forwarded1 Trap Message Message2 Increments Default Port Security ConfigurationPort Security Configuration Guidelines 26-10 26-11 Enabling and Configuring Port Security 26-12 Shutdown vlan Switchport port-security violationProtect restrict shutdown 26-13 26-14 Switchconfig-if#switchport port-security mac-address sticky Switchconfig-if#switchport port-securitySwitchconfig-if#switchport port-security maximum Switchconfig-if#switchport port-security violation restrict Enabling and Configuring Port Security Aging 26-16 Port Security and Private VLANs Port Security and Switch StacksSwitchconfig# interface GigabitEthernet 1/0/8 26-17 Show port-security interface interface-idvlan Displaying Port-Based Traffic Control SettingsShow port-security interface interface-idaddress 26-18 Configuring CDP Understanding CDP27-1 Default CDP Configuration Configuring CDPCDP and Switch Stacks Configuring the CDP Characteristics Cdp advertise-v2 Disabling and Enabling CDPCdp holdtime seconds Show cdp Disabling and Enabling CDP on an Interface No cdp enable Disable CDP on the interfaceCdp enable Enable CDP on the interface after disabling it 27-4 Monitoring and Maintaining CDP 27-5 27-6 Understanding Lldp Configuring Lldp and LLDP-MEDUnderstanding Lldp and LLDP-MED 28-1 Understanding LLDP-MED 28-2 Configuring Lldp Characteristics Configuring Lldp and LLDP-MEDDefault Lldp Configuration 28-3 Disabling and Enabling Lldp Globally 28-4 Disabling and Enabling Lldp on an Interface 28-5 No lldp med-tlv-select tlv Specify the TLV to disable Configuring LLDP-MED TLVsTLV, and enter interface configuration mode Lldp med-tlv-select tlv Specify the TLV to enable Monitoring and Maintaining Lldp and LLDP-MED 28-7 28-8 Modes of Operation Configuring UdldUnderstanding Udld 29-1 Methods to Detect Unidirectional Links 29-2 Configuring Udld 29-3 Default Udld Configuration 29-4 Enabling Udld Globally Udld aggressive enable message timeMessage-timer-interval Show udld Enabling Udld on an Interface Resetting an Interface Disabled by UdldUdld reset Show udld Udld port aggressive Displaying Udld Status 29-7 29-8 Configuring Span and Rspan Understanding Span and Rspan30-1 Local Span 30-2 Remote Span 30-3 Span and Rspan Concepts and Terminology Span Sessions30-4 Monitored Traffic 30-5 Source Ports 30-6 Source VLANs Vlan Filtering30-7 Destination Port 30-8 Span and Rspan Interaction with Other Features Rspan Vlan30-9 Configuring Span and Rspan Span and Rspan and Switch Stacks30-10 Span Configuration Guidelines Default Span and Rspan ConfigurationConfiguring Local Span 30-11 Creating a Local Span Session 30-12 Encapsulation replicate Monitor session sessionnumberDestination interface interface-id Show monitor session sessionnumber 30-14 Specifying VLANs to Filter Monitor session sessionnumber filter vlan30-15 Be a Vlan Configuring RspanRspan Configuration Guidelines 30-16 Configuring a Vlan as an Rspan Vlan 30-17 Destination remote vlan vlan-id Creating an Rspan Source SessionInterfaces port-channelport-channel-number. Valid 30-18 Creating an Rspan Destination Session Remote vlan vlan-id30-19 30-20 Ingress dot1q vlan vlan-id isl untagged Untagged vlan vlan-id or vlan vlan-id- Forward incoming30-21 Show monitor session sessionnumber 30-22 Displaying Span and Rspan Status 30-23 30-24 Configuring Rmon Understanding Rmon31-1 Configuring Rmon 31-2 Default Rmon Configuration Configuring Rmon Alarms and Events31-3 Rmon event number description string log owner string Add an event in the Rmon event table that is31-4 Rmon collection history index Collecting Group History Statistics on an InterfaceCollecting Group Ethernet Statistics on an Interface Show rmon history Show rmon statistics Displaying Rmon StatusRmon collection stats index owner ownername 31-6 Configuring System Message Logging Understanding System Message Logging32-1 Configuring System Message Logging System Log Message Format32-2 Hhmmss short uptime Text string that uniquely describes the message32-3 Show running-config Verify your entries Show logging Default System Message Logging ConfigurationNo logging console Disable message logging Disabling Message Logging Logging host Setting the Message Display Destination DeviceLogging buffered size 32-5 Terminal monitor Synchronizing Log MessagesLogging file flash filename Session to see the debugging messages Logging synchronous level severity-level Line console vty line-numberLine vty All limit number-of-buffers Enabling and Disabling Time Stamps on Log Messages Enabling and Disabling Sequence Numbers in Log Messages32-8 Logging monitor level Defining the Message Severity LevelLogging console level Logging trap level Level Description Syslog Definition 32-10 Logging history size number Enabling the Configuration-Change LoggerLogging history level 32-11 Configuring Unix Syslog Servers Logging Messages to a Unix Syslog Daemon32-12 Facility-type keywords Configuring the Unix System Logging FacilityLogging facility facility-type 32-13 Displaying the Logging Configuration Facility Type Keyword Description32-14 Configuring Snmp Understanding Snmp33-1 Snmp Versions 33-2 DES Model Level Authentication Encryption ResultSnmp Manager Functions Operation Description Using Snmp to Access MIB Variables Snmp Agent Functions33-4 Snmp Notifications 33-5 IfIndex Range Configuring SnmpSnmp ifIndex MIB Object Values SVI Default Snmp Configuration Snmp Configuration Guidelines33-7 Disabling the Snmp Agent Configuring Community StringsNo snmp-server Disable the Snmp agent operation 33-8 Snmp-server community string view View-name ro rw access-list-numberAccess-list access-list-number deny Permit source source-wildcard Snmp-server engineID local Configuring Snmp Groups and UsersSnmp-server engineID local engineid-string 33-10 Auth noauth priv read readview Write writeview notify notifyview accessSnmp-server group groupname v1 v2c 33-11 Encrypted access access-list auth md5 Configuring Snmp NotificationsRemote host udp-port port v1 access Notification Type Keyword Description 33-13 33-14 Enable traps command for each trap type Setting the Agent Contact and Location Information33-12 , or enter snmp-server enable traps ? Notification-types Snmp Examples Switchconfig# snmp-server community publicLimiting Tftp Servers Used Through Snmp Snmp-server tftp-server-list Displaying Snmp Status 33-17 33-18 Configuring Network Security with ACLs Understanding ACLs34-1 Supported ACLs 34-2 Port ACLs 34-3 Router ACLs 34-4 Handling Fragmented and Unfragmented Traffic Vlan Maps34-5 ACLs and Switch Stacks 34-6 Configuring IPv4 ACLs 34-7 Creating Standard and Extended IPv4 ACLs Access List NumbersAccess List Number Type Supported 34-8 ACL Logging 34-9 Creating a Numbered Standard ACL Access-list access-list-number deny permitShow access-lists number name Source source-wildcard log Creating a Numbered Extended ACL 34-11 34-12 34-13 34-14 Resequencing ACEs in an ACL Creating Named Standard and Extended ACLs34-15 Any log Ip access-list standard nameIp access-list extended name Tos tos established log time-range Using Time Ranges with ACLs 34-17 Show time-range Absolute start time datePeriodic weekdays weekend daily 34-18 Including Comments in ACLs Switch# show ip access-listsApplying an IPv4 ACL to a Terminal Line 34-19 Out Access-class access-list-numberApplying an IPv4 ACL to an Interface 34-20 Ip access-group access-list-number 34-21 IPv4 ACL Configuration Examples Hardware and Software Treatment of IP ACLs34-22 Switchconfig# access-list 6 permit 172.20.128.64 Switchconfig# access-list 106 permit ip any 172.20.128.6434-23 Numbered ACLs Extended ACLs34-24 Commented IP ACL Entries Named ACLsTime Range Applied to an IP ACL 34-25 Switch# show logging Switchconfig-if#ip access-group ext134-26 Creating Named MAC Extended ACLs 34-27 Applying a MAC ACL to a Layer 2 Interface 34-28 Show mac access-group interface interface-id Configuring Vlan MapsMac access-group name ACL Vlan Map Configuration Guidelines 34-30 Action drop forward Vlan access-map name numberCreating a Vlan Map Match ip mac address name Examples of ACLs and Vlan Maps 34-32 34-33 Applying a Vlan Map to a Vlan Using Vlan Maps in Your NetworkWiring Closet Configuration Vlan filter mapname vlan-list list Switchconfig# ip access-list extended matchall Denying Access to a Server on Anothera VlanSwitchconfig# vlan access-map map2 Switchconfig# vlan filter map2 vlan Using Vlan Maps with Router ACLs 34-36 Vlan Maps and Router ACL Configuration Guidelines 34-37 ACLs and Bridged Packets ACLs and Switched PacketsExamples of Router ACLs and Vlan Maps Applied to VLANs 34-38 ACLs and Routed Packets 34-39 ACLs and Multicast Packets Displaying IPv4 ACL ConfigurationShow ip access-lists number name 34-40 Show ip interface interface-id Show running-config interface interface-idShow mac access-group interface interface-id 34-41 34-42 Configuring IPv6 ACLs 35-1 Understanding IPv6 ACLs 35-2 IPv6 ACL Limitations Supported ACL FeaturesIPv6 ACLs and Switch Stacks 35-3 Interaction with Other Features and Switches Configuring IPv6 ACLsDefault IPv6 ACL Configuration 35-4 Ipv6 access-list access-list-name Creating IPv6 ACLs35-5 Value time-range name Dscp value fragments logLog-input routing sequence 35-6 35-7 Ipv6 address ipv6-address Ipv6 traffic-filter access-list-nameApplying an IPv6 ACL to an Interface 35-8 Displaying IPv6 ACLs Show access-listsShow ipv6 access-list access-list-name 35-9 35-10 Configuring QoS 36-1 Understanding QoS 36-2 Basic QoS Model 36-3 36-4 Basic QoS Model Classification 36-5 36-6 Check if packet came with CoS label tag Yes Classification Based on QoS ACLs Classification Based on Class Maps and Policy Maps36-7 Policing and Marking 36-8 Policing on Physical Ports 36-9 Policing on SVIs 36-10 Policing and Marking Flowchart on SVIs 36-11 Mapping Tables 36-12 Queueing and Scheduling Overview 36-13 Weighted Tail Drop SRR Shaping and Sharing36-14 Queueing and Scheduling on Ingress Queues 36-15 Queue Type Function 36-16 WTD Thresholds 36-17 Queueing and Scheduling on Egress Queues 36-18 36-19 Buffer and Memory Allocation 36-20 Packet Modification 36-21 Configuring Auto-QoS 36-22 Generated Auto-QoS Configuration 36-23 Description Automatically Generated Command 36-24 36-25 If you entered the auto qos voip trust command, the switch Switch automatically configures the egress queue bufferSizes. It configures the bandwidth and the SRR mode shaped Or shared on the egress queues mapped to the port Effects of Auto-QoS on the Configuration Auto-QoS Configuration Guidelines36-27 Cisco-softphone trust Enabling Auto-QoS for VoIPAuto qos voip cisco-phone Show auto qos interface interface-id 36-29 Auto-QoS Configuration Example 36-30 Auto qos voip trust Cdp enableDebug auto qos Show auto qos Configuring Standard QoS Displaying Auto-QoS Information36-32 Default Standard QoS Configuration Default Ingress Queue Configuration36-33 Default Egress Queue Configuration Dscp Value Queue ID -Threshold ID36-34 QoS ACL Guidelines Standard QoS Configuration GuidelinesDefault Mapping Table Configuration Applying QoS on Interfaces Policing Guidelines General QoS Guidelines36-36 Enabling QoS Globally Enabling VLAN-Based QoS on Physical Ports36-37 Configuring Classification Using Port Trust States Configuring the Trust State on Ports within the QoS Domain36-38 36-39 15 Port Trusted States within the QoS Domain Show mls qos interface Configuring the CoS Value for an InterfaceMls qos trust cos dscp ip-precedence 36-40 Configuring a Trusted Boundary to Ensure Port Security Mls qos cos default-cos override36-41 Mls qos trust device cisco-phone Enabling Dscp Transparency ModeMls qos trust dscp 36-42 No mls qos rewrite ip dscp 36-43 Show mls qos maps dscp-mutation Mls qos map dscp-mutationMls qos dscp-mutation 36-44 Configuring a QoS Policy Switchconfig-if#mls qos dscp-mutation gi1/0/2-mutation36-45 Classifying Traffic by Using ACLs 36-46 Permit protocol source source-wildcard Switchconfig# access-list 100 permit ip any any dscpSwitchconfig# access-list 102 permit pim any 224.0.0.2 dscp Source-wildcard Mac access-list extended name 36-48 Is match-all Classifying Traffic by Using Class MapsClass-map match-all match-any Match-any keywords Ip-precedence-list Match access-group acl-index-or-nameIp dscp dscp-list ip precedence Show class-map 36-51 Policy-map policy-map-name Class class-map-name36-52 36-53 Service-policy input policy-map-name Show policy-map policy-map-nameclass36-54 Switchconfig-if#service-policy input macpolicy1 Switchconfig# policy-map macpolicy1Switchconfig-pmap#class macclass2 maclist2 36-55 Traffic by Using Class Maps section on 36-56 36-57 Exceed-action policed-dscp-transmit keywords to mark down Police rate-bps burst-byte exceed-actionDrop policed-dscp-transmit 36-58 Service-policy policy-map-name 36-59 Service-policy input policy-map-name Show policy-map policy-map-nameclassShow mls qos vlan-based Exceed-action drop Mls qos aggregate-policerAggregate-policer-name rate-bps burst-byte Policed-dscp-transmit Only one policy map per ingress port is supported Show mls qos aggregate-policerAggregate-policer-name Switchconfig-pmap-c#police aggregate transmit1 Configuring Dscp MapsConfiguring the CoS-to-DSCP Map CoS Value Dscp Value IP Precedence Value Dscp Value Configuring the IP-Precedence-to-DSCP MapMls qos map cos-dscp dscp1...dscp8 36-64 Configuring the Policed-DSCP Map 36-65 36-66 Configuring the DSCP-to-CoS MapDscp Value CoS Value Show Show mls qos maps dscp-to-cos Configuring the DSCP-to-DSCP-Mutation MapMls qos map dscp-cos dscp-list to cos 36-67 Switchconfig-if#mls qos dscp-mutation mutation1 Switch# show mls qos maps dscp-mutation mutation136-68 Configuring Ingress Queue Characteristics 36-69 Mls qos srr-queue input threshold Mls qos srr-queue input dscp-mapMls qos srr-queue input cos-map Show mls qos maps Mls qos srr-queue input buffers Allocating Buffer Space Between the Ingress QueuesAllocating Bandwidth Between the Ingress Queues Show mls qos interface buffer Mls qos srr-queue input bandwidth Configuring the Ingress Priority QueueWeight1 weight2 Show mls qos interface queueing Mls qos srr-queue input Configuring Egress Queue CharacteristicsWeight Priority-queue queue-id bandwidth 36-74 Mls qos queue-set output qset-id Queue-set qset-id36-75 36-76 Mls qos srr-queue output dscp-map Mls qos srr-queue output cos-map36-77 Weight2 weight3 weight4 Configuring SRR Shaped Weights on Egress QueuesSrr-queue bandwidth shape weight1 Queueing Srr-queue bandwidth share weight1 Configuring SRR Shared Weights on Egress QueuesConfiguring the Egress Expedite Queue 36-79 Limiting the Bandwidth on an Egress Interface Mls qos Enable QoS on a switchSrr-queue bandwidth limit weight1 36-80 Displaying Standard QoS Information 36-81 Show running-config include rewrite 36-82 Configuring EtherChannels and Link-State Tracking Understanding EtherChannels37-1 EtherChannel Overview 37-2 Single-Switch EtherChannel 37-3 Port-Channel Interfaces 37-4 Port Aggregation Protocol 37-5 PAgP Modes PAgP Interaction with Other FeaturesMode Description Auto Lacp Modes Lacp Interaction with Other FeaturesLink Aggregation Control Protocol 37-7 EtherChannel On Mode Load-Balancing and Forwarding Methods37-8 37-9 EtherChannel and Switch Stacks 37-10 Configuring EtherChannels Default EtherChannel Configuration37-11 EtherChannel Configuration Guidelines 37-12 Configuring Layer 2 EtherChannels 37-13 Auto non-silent desirable non-silent on Active passive37-14 Creating Port-Channel Logical Interfaces Configuring Layer 3 EtherChannelsSwitchconfig-if-range#channel-group 5 mode active 37-15 Show etherchannel channel-group-number detail Configuring the Physical InterfacesInterface port-channel port-channel-number No ip address Must be the same as the port-channel-number logical port Partner that is PAgP capable, configure the switch port forFor channel-group-number, the range is 1 to 48. This number 37-17 Src-dst-ip src-dst-mac src-ip src-mac Configuring EtherChannel Load-BalancingPort-channel load-balance dst-ip dst-mac 37-18 Configuring the PAgP Learn Method and Priority Show etherchannel load-balance Verify your entries37-19 Pagp port-priority priority Configuring Lacp Hot-Standby PortsPagp learn-method physical-port Show pagp channel-group-number internal Configuring the Lacp System Priority Show running-config Verify your entries Show lacp sys-id37-21 Show lacp channel-group-number Configuring the Lacp Port PriorityLacp port-priority priority Internal Displaying EtherChannel, PAgP, and Lacp Status Understanding Link-State Tracking37-23 37-24 Configuring Link-State Tracking 37-25 Configuring Link-State Tracking Default Link-State Tracking ConfigurationLink-State Tracking Configuration Guidelines 37-26 Displaying Link-State Tracking Status Switch show link state groupSwitch show link state group detail 37-27 37-28 Configuring IP Unicast Routing 38-1 Understanding IP Routing Types of Routing38-2 IP Routing and Switch Stacks 38-3 38-4 Steps for Configuring Routing Configuring IP Addressing38-5 Irdp Default Addressing ConfigurationARP 38-6 Use of Subnet Zero Show running-config Verify your entryAssigning IP Addresses to Network Interfaces 38-7 Classless Routing 38-8 Configuring Address Resolution Methods No ip classless Disable classless routing behavior38-9 Define a Static ARP Cache Arp ip-address hardware-address type38-10 Set ARP Encapsulation 38-11 Default Gateway Routing Assistance When IP Routing is DisabledEnable Proxy ARP Proxy ARP Icmp Router Discovery Protocol Irdp 38-13 Configuring Broadcast Packet Handling 38-14 Ip directed-broadcast access-list-number Ip forward-protocol udp port nd sdns38-15 Forwarding UDP Broadcast Packets and Protocols 38-16 Ip broadcast-address ip-address Establishing an IP Broadcast AddressFlooding IP Broadcasts 38-17 Clear host name Monitoring and Maintaining IP AddressingClear arp-cache Clear ip route network mask Enabling IP Unicast Routing 38-19 Configuring RIP 38-20 Router rip Default RIP ConfigurationConfiguring Basic RIP Parameters Network network number 38-22 Ip rip authentication key-chain name-of-chain Configuring RIP AuthenticationConfiguring Summary Addresses and Split Horizon Ip rip authentication mode text md5 Ip summary-address rip ip address ip-network mask Configuring Split HorizonSwitchconfig-router#neighbor 2.2.2.2 peer-group mygroup No ip split horizon Configuring Ospf No ip split-horizon38-25 Default Ospf Configuration 38-26 Ospf Nonstop Forwarding 38-27 Ospf NSF Awareness 38-28 Configuring Basic Ospf Parameters Configuring Ospf Interfaces38-29 38-30 Configuring Ospf Area Parameters 38-31 Configuring Other Ospf Parameters 38-32 38-33 Ip address address mask Configuring a Loopback InterfaceChanging LSA Group Pacing 38-34 Configuring Eigrp Monitoring Ospf38-35 38-36 Default Eigrp Configuration 38-37 Eigrp Nonstop Forwarding 38-38 Network network-number Configuring Basic Eigrp ParametersRouter eigrp autonomous-system Eigrp log-neighbor-changes Ip summary-address eigrp Configuring Eigrp InterfacesNo auto-summary 38-40 No ip split-horizon eigrp autonomous-system-number Configuring Eigrp Route AuthenticationIp hello-interval eigrp autonomous-system-number Show ip eigrp interface Eigrp Stub Routing 38-42 Configuring BGP Monitoring and Maintaining Eigrp38-43 38-44 EBGP, IBGP, and Multiple Autonomous Systems Default BGP Configuration 38-45 38-46 Nonstop Forwarding Awareness 38-47 Network network-number mask network-mask Enabling BGP RoutingRouter bgp autonomous-system Route-map route-map-name 38-49 Managing Routing Policy Changes Switchconfig-router#neighbor 192.208.10.2 remote-asSwitch# show ip bgp neighbors 38-50 Clear ip bgp * address Type of Reset Advantages DisadvantagesShow ip bgp neighbors Show ip bgp Configuring BGP Decision Attributes 38-52 38-53 Configuring BGP Filtering with Route Maps Configuring BGP Filtering by Neighbor38-54 Route-map map-tag in out Ip as-path access-list access-list-numberOut weight weight Show ip bgp neighbors paths Configuring Prefix Lists for BGP Filtering 38-56 Permit deny community-number Configuring BGP Community FilteringIp community-listcommunity-list-number Send-community Ip bgp-community new-format Configuring BGP Neighbors and Peer GroupsSet comm-list list-num delete Show ip bgp community 38-59 Configuring Aggregate Addresses 38-60 Configuring Routing Domain Confederations Configuring BGP Route Reflectors38-61 Bgp cluster-id cluster-id Configuring Route DampeningRoute-reflector-client No bgp client-to-client reflection Monitoring and Maintaining BGP 38-63 Configuring Multi-VRF CE 38-64 Understanding Multi-VRF CE 38-65 38-66 VRF Default Multi-VRF CE ConfigurationMulti-VRF CE Configuration Guidelines 38-67 Import map route-map Configuring VRFsRoute-target export import both Ip vrf forwarding vrf-name Log-adjacency-changes Configuring a VPN Routing SessionShow ip vrf brief detail interfaces Redistribute bgp Configuring BGP PE to CE Routing Sessions Multi-VRF CE Configuration Example38-70 38-71 VPN2 CE1 Configuring Switch a 38-72 Switchconfig-if#ip address 208.0.0.20 Switchconfig-router-af#network 8.8.2.0 maskSwitchconfig-router-af#network 8.8.1.0 mask 38-73 Router# configure terminal 38-74 Configuring Unicast Reverse Path Forwarding Displaying Multi-VRF CE Status38-75 Configuring Protocol-Independent Features Configuring Distributed Cisco Express Forwarding38-76 Configuring the Number of Equal-Cost Routing Paths 38-77 Maximum-paths maximum Configuring Static Unicast RoutesRouter bgp rip ospf eigrp Show ip route Ip default-network network number Specify a default network Specifying Default Routes and NetworksRoute Source Default Distance 38-79 Using Route Maps to Redistribute Routing Information 38-80 38-81 38-82 Configuring Policy-Based Routing 38-83 PBR Configuration Guidelines 38-84 Enabling PBR 38-85 Ip local policy route-map map-tag Ip policy route-map map-tagIp route-cache policy 38-86 Setting Passive Interfaces Filtering Routing Information38-87 Router bgp rip eigrp Controlling Advertising and Processing in Routing UpdatesFiltering Sources of Routing Information 38-88 Ip access list Managing Authentication KeysDistance weight ip-address ip-address mask 38-89 Monitoring and Maintaining the IP Network 38-90 38-91 38-92 Configuring IPv6 Unicast Routing Understanding IPv639-1 IPv6 Addresses 39-2 Supported IPv6 Unicast Routing Features Bit Wide Unicast Addresses39-3 ICMPv6 DNS for IPv6Path MTU Discovery for IPv6 Unicast Neighbor Discovery IPv6 Applications 39-5 Unsupported IPv6 Unicast Routing Features Dual IPv4 and IPv6 Protocol Stacks39-6 IPv6 and Switch Stacks Limitations39-7 39-8 SDM Templates Dual IPv4-and IPv6 SDM Templates39-9 Configuring IPv6 39-10 Default IPv6 Configuration Configuring IPv6 Addressing and Enabling IPv6 Routing39-11 39-12 Switchconfig-if#ipv6 address 20010DB8c181/64 eui Configuring IPv4 and IPv6 Protocol StacksIp routing Enable routing on the switch 39-13 39-14 Ipv6 icmp error-interval interval bucketsize Configuring IPv6 Icmp Rate LimitingConfiguring CEF and dCEF for IPv6 Show ipv6 interface interface-id Configuring Static Routing for IPv6 39-16 Ipv6-address interface-id ipv6-address Administrative distanceIpv6 route ipv6-prefix/prefix length 39-17 Show ipv6 static ipv6-address Configuring RIP for IPv6Show ipv6 route static updated Interface-id recursive detail 39-19 Configuring Ospf for IPv6 39-20 39-21 Switch# show ipv6 interface Displaying IPv639-22 Switch# show ipv6 rip Switch# show ipv6 cef /0Switch# show ipv6 protocols 39-23 Switch# show ipv6 route Switch# show ipv6 neighborsSwitch# show ipv6 static Switch# show ipv6 traffic 39-25 39-26 Configuring Hsrp and Enhanced Object Tracking Understanding Hsrp40-1 40-2 Multiple Hsrp 40-3 Configuring Hsrp Hsrp and Switch Stacks40-4 Enabling Hsrp Default Hsrp ConfigurationHsrp Configuration Guidelines 40-5 Secondary Switch# show standbyStandby group-number ip ip-address Show standby interface-id group Configuring Hsrp Priority 40-7 Standby group-number track Priority preempt delay delayStandby group-number priority 40-8 Switchconfig-if#standby 2 ip Configuring MhsrpConfiguring Hsrp Authentication and Timers 40-9 Switchconfig-if#standby 1 authentication word Standby group-number authentication stringStandby group-number timers hellotime Holdtime Enabling Hsrp Support for Icmp Redirect Messages Displaying Hsrp ConfigurationsConfiguring Hsrp Groups and Clustering Show standby interface-idgroup brief detail Configuring Enhanced Object Tracking Understanding Enhanced Object Tracking40-12 Track object-number interface Configuring Enhanced Object Tracking FeaturesTracking Interface Line-Protocol or IP Routing State 40-13 Track track-numberlist boolean Configuring a Tracked ListSwitch# show track 33 Track Object object-number not Track track-numberlist threshold WeightThreshold weight up number 40-15 Object object-number Track track-number list thresholdPercentage Threshold percentage up number Configuring Hsrp Object Tracking 40-17 Configuring Other Tracking Characteristics Show standby40-18 Configuring Web Cache Services By Using Understanding Wccp41-1 Wccp Message Exchange 41-2 MD5 Security Packet Redirection and Service GroupsWccp Negotiation 41-3 Wccp and Switch Stacks 41-4 Default Wccp Configuration Configuring WccpUnsupported Wccp Features Wccp Configuration Guidelines Enabling the Web Cache Service 41-6 41-7 41-8 Monitoring and Maintaining Wccp Switchconfig# interface range gigabitethernet1/0/3Switchconfig-if-range#switchport access vlan 41-9 Enabled / disabled 41-10 Configuring IP Multicast Routing 42-1 42-2 IP Multicast Routing Protocols Understanding Igmp Igmp Version42-3 PIM Modes Understanding PIMPIM Versions 42-4 PIM Stub Routing 42-5 Auto-RP 42-6 Bootstrap Router Multicast Forwarding and Reverse Path Check42-7 Understanding Dvmrp Network Port42-8 Multicast Routing and Switch Stacks Understanding Cgmp42-9 Multicast Routing Configuration Guidelines Configuring IP Multicast RoutingDefault Multicast Routing Configuration 42-10 Auto-RP and BSR Configuration Guidelines PIMv1 and PIMv2 Interoperability42-11 Configuring Basic Multicast Routing Ip multicast-routing distributed42-12 Ip pim dense-mode sparse-mode Configuring PIM Stub RoutingIp pim version 1 Sparse-dense-mode Ip pim passive Configuring a Rendezvous PointManually Assigning an RP to Multicast Groups 42-14 Access-list-number override Ip pim rp-address ip-address42-15 Configuring Auto-RP 42-16 Interval seconds Scope ttl group-list access-list-numberIp pim send-rp-announce interface-id 42-17 Show ip pim rp Ip pim send-rp-discovery scope ttlShow ip pim rp mapping 42-18 Access-list-number group-list Ip pim rp-announce-filter rp-list42-19 Configuring PIMv2 BSR Ip pim bsr-border42-20 Ip multicast boundary 42-21 Ip pim bsr-candidate interface-id Hash-mask-length priority42-22 Group-list access-list-number Ip pim rp-candidate interface-id42-23 Group-address mapping Using Auto-RP and a BSRShow ip pim rp group-name Show ip pim rp-hash group Monitoring the RP Mapping Information Configuring Advanced PIM FeaturesTroubleshooting PIMv1 and PIMv2 Interoperability Problems Understanding PIM Shared Tree and Source Tree 42-26 Shared Tree and Source Tree Shortest-Path Tree Delaying the Use of PIM Shortest-Path Tree Ip pim spt-threshold kbps infinity42-27 Ip pim query-interval seconds Configuring Optional Igmp FeaturesModifying the PIM Router-Query Message Interval Show ip igmp interface interface-id Ip igmp join-group group-address Default Igmp ConfigurationConfiguring the Switch as a Member of a Group 42-29 Show ip igmp interface interface-id Verify your entries Controlling Access to IP Multicast GroupsIp igmp access-group access-list-number 42-30 Ip igmp version 1 Changing the Igmp VersionModifying the Igmp Host-Query Message Interval Query-interval or the ip igmp query-max-response-time Ip igmp query-interval seconds Changing the Igmp Query Timeout for IGMPv2Ip igmp querier-timeout seconds 42-32 Ip igmp query-max-response-time Configuring the Switch as a Statically Connected MemberChanging the Maximum Query Response Time for IGMPv2 42-33 Ip igmp static-group group-address Configuring Optional Multicast Routing FeaturesEnabling Cgmp Server Support 42-34 Configuring sdr Listener Support Ip cgmp proxy42-35 Limiting How Long an sdr Cache Entry Exists Ip sdr listen Enable sdr listener supportEnabling sdr Listener Support 42-36 Configuring an IP Multicast Boundary 42-37 Configuring Basic Dvmrp Interoperability Features 42-38 Configuring Dvmrp Interoperability 42-39 Ip dvmrp metric metric list 42-40 Configuring a Dvmrp Tunnel 42-41 Advertising Network 0.0.0.0 to Dvmrp Neighbors Access-list-number distanceNeighbor-list access-list-number Ip dvmrp accept-filter Responding to mrinfo Requests Configuring Advanced Dvmrp Interoperability FeaturesIp dvmrp default-information Originate only Enabling Dvmrp Unicast Routing 42-44 Rejecting a Dvmrp Nonpruning Neighbor 42-45 Enter interface configuration mode 42-46 Limiting the Number of Dvmrp Routes Advertised By default, 7000 routes are advertised. The range is 0 toControlling Route Exchanges Changing the Dvmrp Route Threshold Route-count Configuring a Dvmrp Summary AddressDefault is 10,000 routes. The range is 1 to 42-48 42-49 Mask metric value Disabling Dvmrp AutosummarizationIp dvmrp summary-address address No ip dvmrp auto-summary Increment Adding a Metric Offset to the Dvmrp RouteIp dvmrp metric-offset in out 42-51 Displaying System and Network Statistics Monitoring and Maintaining IP Multicast RoutingClearing Caches, Tables, and Databases 42-52 Monitoring IP Multicast Routing 42-53 42-54 Configuring Msdp Understanding Msdp43-1 Msdp Operation 43-2 Msdp Benefits 43-3 Configuring a Default Msdp Peer Configuring MsdpDefault Msdp Configuration 43-4 Ip msdp default-peer ip-address name Prefix-list list43-5 Seq number permit deny network Caching Source-Active StateIp prefix-list name description string Ip msdp description peer-name Ip msdp cache-sa-state list 43-7 Ip msdp sa-request ip-address name Switchconfig# ip msdp sa-requestRequesting Source Information from an Msdp Peer 43-8 Ip msdp redistribute list Controlling Source Information that Your Switch OriginatesRedistributing Sources 43-9 43-10 Ip msdp filter-sa-request ip-address Name list access-list-numberFiltering Source-Active Request Messages 43-11 Ip msdp sa-filter out ip-address name Controlling Source Information that Your Switch ForwardsUsing a Filter Route-map map-tag 43-13 Ip msdp ttl-threshold ip-address name Controlling Source Information that Your Switch ReceivesUsing TTL to Limit the Multicast Data Sent in SA Messages Ttl Switchconfig# ip msdp sa-filter in switch.cisco.com Ip msdp sa-filter in ip-address name43-15 Ip msdp mesh-group name ip-address Configuring an Msdp Mesh GroupShutting Down an Msdp Peer 43-16 Ip msdp border sa-address interface-id Including a Bordering PIM Dense-Mode Region in MsdpIp msdp shutdown peer-name peer 43-17 Configuring an Originating Address other than the RP Address 43-18 Clear ip msdp statistics peer-addressname Monitoring and Maintaining MsdpClear ip msdp peer peer-addressname Clear ip msdp sa-cache group-addressname 43-20 Fallback Bridging Overview Configuring Fallback BridgingUnderstanding Fallback Bridging 44-1 44-2 Configuring Fallback Bridging Fallback Bridging and Switch Stacks44-3 Creating a Bridge Group Default Fallback Bridging ConfigurationFallback Bridging Configuration Guidelines 44-4 Bridge-group bridge-group Bridge bridge-group protocolVlan-bridge 44-5 Adjusting Spanning-Tree Parameters Switchconfig# bridge 10 protocol vlan-bridge44-6 Bridge bridge-group priority number Changing the VLAN-Bridge Spanning-Tree PriorityChanging the Interface Priority Bridge-group bridge-grouppriority Cost Assigning a Path CostBridge-group bridge-group path-cost 44-8 Bridge bridge-group hello-time seconds Adjusting Bpdu IntervalsSwitchconfig# bridge 10 hello-time 44-9 Bridge bridge-group forward-time Switchconfig# bridge 10 forward-timeSwitchconfig# bridge 10 max-age Bridge bridge-group max-age seconds Clear bridge bridge-group Monitoring and Maintaining Fallback BridgingDisabling the Spanning Tree on an Interface Show bridge bridge-group group 44-12 Troubleshooting 45-1 Recovering from a Software Failure 45-2 Switch loadhelper Recovering from a Lost or Forgotten PasswordSwitch flashinit Switch copy xmodem flashimagefilename.bin 45-4 Procedure with Password Recovery Enabled 45-5 Copy the configuration file into memory 45-6 Procedure with Password Recovery Disabled Switch dir flash45-7 Preventing Switch Stack Problems 45-8 Recovering from a Command Switch Failure 45-9 Replacing a Failed Command Switch with a Cluster Member Switchconfig# no cluster commander-address45-10 Replacing a Failed Command Switch with Another Switch 45-11 45-12 Preventing Autonegotiation Mismatches Recovering from Lost Cluster Member ConnectivityTroubleshooting Power over Ethernet Switch Ports 45-13 Show controllers power inline privileged Exec command Disabled Port Caused by Power LossDisabled Port Caused by False Link Up SFP Module Security and Identification Monitoring SFP Module Status Monitoring TemperatureUsing Ping Understanding Ping Character Description Switch# pingExecuting Ping 45-16 Usage Guidelines Using Layer 2 TracerouteUnderstanding Layer 2 Traceroute 45-17 Understanding IP Traceroute Using IP TracerouteDisplaying the Physical Path 45-18 Traceroute ip host Switch# traceroute ipExecuting IP Traceroute Trace the path that packets take through the network Using TDR Understanding TDR45-20 Running TDR and Displaying the Results Using Debug CommandsEnabling Debugging on a Specific Feature 45-21 Enabling All-System Diagnostics Redirecting Debug and Error Message Output45-22 Using the show platform forward Command 45-23Udp 10 45-24 Using the crashinfo Files Basic crashinfo Files45-25 Understanding Obfl Using On-Board Failure LoggingExtended crashinfo Files 45-26 Configuring Obfl 45-27 Displaying Obfl Information Show logging onboard module45-28 Configuring Online Diagnostics Understanding Online Diagnostics46-1 Diagnostic schedule switch Configuring Online DiagnosticsScheduling Online Diagnostics Non-disruptive daily hhmm Diagnostic content command output Configuring Health-Monitoring DiagnosticsDiagnostic monitor interval switch Diagnostic monitor syslog Show diagnostic content post result Diagnostic monitor threshold switchDiagnostic monitor switch number test Schedule status switch Diagnostic start switch number Running Online Diagnostic TestsStarting Online Diagnostic Tests All basic non-disruptive Displaying Online Diagnostic Tests and Test Results 46-6 Supported MIBs MIB ListCISCO-FTP-CLIENT-MIB CISCO-HSRP-MIB ETHERLIKE-MIB IEEE8021-PAE-MIB IEEE8023-LAG-MIB CISCO-IGMP-FILTER-MIBCISCO-RTTMON-MIB CISCO-SMI-MIB IGMP-MIB INET-ADDRESS-MIB IPMROUTE-MIB TCP-MIB UDP-MIB Using FTP to Access the MIB Files Working with the Flash File System Switch# show file systems Displaying Available File Systems Setting the Default File System Field Value Changing Directories and Displaying the Working Directory Cd newconfigsDisplaying Information about Files on a File System Pwd Mkdir oldconfigs Creating and Removing DirectoriesCopying Files Switch# delete myconfig Deleting FilesCreating, Displaying, and Extracting Files Archive /create destination-url FlashArchive /table source-url Directories are extracted Archive /xtract source-urlExtract a file into a directory on the flash file system More /ascii /binary /ebcdic Working with Configuration Files Guidelines for Creating and Using Configuration Files Configuration File Types and Location Creating a Configuration File By Using a Text Editor Copying Configuration Files By Using Tftp Downloading the Configuration File By Using Tftp Uploading the Configuration File By Using Tftp Copying Configuration Files By Using FTP Downloading a Configuration File By Using FTP Ip ftp password passwordIp ftp username username Filename systemrunning-config Uploading a Configuration File By Using FTPFtp // username password @ location /directory Filename nvramstartup-config Copy nvramstartup-config Copying Configuration Files By Using RCPCopy systemrunning-config Ftp // username password @ location /directory Filename Hostname Switch1 Ip rcmd remote-username User0 Nvramstartup-config Downloading a Configuration File By Using RCPSystemrunning-config Ip rcmd remote-username username Clearing Configuration Information Uploading a Configuration File By Using RCPSwitch# copy nvramstartup-config rcp Clearing the Startup Configuration File Deleting a Stored Configuration FileWorking with Software Images Image Location on the Switch File Format of Images on a Server or Cisco.com Copying Image Files By Using Tftp Field Description Preparing to Download or Upload an Image File By Using Tftp Downloading an Image File By Using Tftp Overwrite /reload Allow-feature-upgrade /directoryArchive download-sw Archive download-sw /directory Uploading an Image File By Using Tftp Archive upload-swTftp //location /directory /image-name .tar Copying Image Files By Using FTP Preparing to Download or Upload an Image File By Using FTP Downloading an Image File By Using FTP For /directory /image-name1 .tar Archive download-sw /allow-feature-upgradeDirectory /overwrite /reload Directory /image-name2 .tar image-name3 .tar Uploading an Image File By Using FTP Copying Image Files By Using RCP Preparing to Download or Upload an Image File By Using RCP Downloading an Image File By Using RCP File By Using RCP section on page B-31 Or Upload an Image File By Using RCP section on Uploading an Image File By Using RCP Copying an Image File from One Stack Member to Another Rcp // username @ location /directory /image-naMe.tar Source-stack-member-number Archive copy-sw /destination-systemDestination-stack-member-number /force-reload For /destination-system destination-stack-member-number Unsupported Privileged Exec Commands Unsupported Commands Cisco IOS Release 12.237SEAccess Control Lists Unsupported Global Configuration Commands Boot Loader Commands Archive CommandsARP Commands Debug Commands Bridge crb Fallback BridgingBridge bridge-groupacquire Bridge bridge-group domain domain-name bridge irb Hsrp X25 map bridge x.121-address broadcast options-keywords Igmp Snooping Commands Interface CommandsIP Multicast Routing Show ip rtp header-compression type number detail Ip pim accept-rpaddress auto-rpgroup-access-list-numberShow ip pim vc group-address name type number Ip multicast-routing vrf vrf-name Unsupported Privileged Exec or User Exec Commands IP Unicast Routing Unsupported BGP Router Configuration Commands Unsupported VPN Configuration CommandsUnsupported Route Map Commands Miscellaneous MAC Address CommandsShow cable-diagnostics prbs Test cable-diagnostics prbs Set tag tag-value NetFlow Commands Msdp Unsupported Policy-Map Configuration Command Network Address Translation NAT CommandsUnsupported Global Configuration Command QoS Unsupported Privileged Exec Command Unsupported Interface Configuration CommandUnsupported User Exec Commands Spanning Tree Numerics IN-1 ACLs IN-2 Hsrp CDP Lldp RIPEigrp TACACS+ BGP CidrIN-4 Bpdu IN-5 Cgmp CDPCEF CLI CNS IN-7 IN-8 Dhcp DNSIN-9 Vmps SnmpTACACS+ Udld Wccp Dhcp option IN-11 DTP IN-12 Dvmrp IN-13 Dynamic ARP inspection IN-14 Lacp IN-15 STP FIBIN-16 Mstp STP FTPIN-17 Https IcmpIN-18 Igmp IN-19 IN-20 IP addresses IN-21 Mbone IN-22 IGP IN-23 IP unicast routing IN-24 ISL IN-25 LLDP-MED IN-26 IN-27 MDA MhsrpIN-28 Msdp IN-29 MTU CSTIST IN-30 NAC IN-31 NSSA, Ospf IN-32 Obfl PBRIN-33 PIM IN-34 Port-based authentication IN-35 Pvid VvidIN-36 Private VLANs IN-37 QoS IN-38 IN-39 RCP IN-40 Rmon Radius TACACS+RFC IN-41 Rstp RPSRspan IN-42 SDM IN-43 Snmp IN-44 Span SRRIN-45 SSL VTPIN-46 Stacks, switch IN-47 LLDP-MED Ospf IN-48 STP IN-49 IN-50 System message logging IN-51 IN-52 IN-53 IN-54 VLANs IN-55 VPN VQPIN-56 WTD IN-57 IN-58

Cisco Systems 3750E manual 10-42

Models: 3750E

Command

configure terminal

ip admission name rule proxy http

interface interface-id

switchport mode access

ip access-group access-listin

copy running-config startup-config

Command

configure terminal

fallback profile fallback-profile

ip access-group policy in

interface interface-id

switchport mode access

dot1x port-control auto

OL-9775-02