Creating Standard and Extended IPv4 ACLs | Cisco Systems 3750E

Chapter 34 Configuring Network Security with ACLs

Configuring IPv4 ACLs

Creating Standard and Extended IPv4 ACLs

This section describes IP ACLs. An ACL is a sequential collection of permit and deny conditions. One by one, the switch tests packets against the conditions in an access list. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing after the first match, the order of the conditions is critical. If no conditions match, the switch denies the packet.

The software supports these types of ACLs or access lists for IPv4:

•Standard IP access lists use source addresses for matching operations.

•Extended IP access lists use source and destination addresses for matching operations and optional protocol-type information for finer granularity of control.

These sections describe access lists and how to create them:

•Access List Numbers, page 34-8

•ACL Logging, page 34-9

•Creating a Numbered Standard ACL, page 34-10

•Creating a Numbered Extended ACL, page 34-11

•Resequencing ACEs in an ACL, page 34-15

•Creating Named Standard and Extended ACLs, page 34-15

•Using Time Ranges with ACLs, page 34-17

•Including Comments in ACLs, page 34-19

Access List Numbers

The number you use to denote your ACL shows the type of access list that you are creating. Table 34-1lists the access-list number and corresponding access list type and shows whether or not they are supported in the switch. The switch supports IPv4 standard and extended access lists, numbers 1 to 199 and 1300 to 2699.

				Table 34-1	Access List Numbers

				Access List Number		Type	Supported

				1–99		IP standard access list	Yes

				100–199		IP extended access list	Yes

				200–299		Protocol type-code access list	No

				300–399		DECnet access list	No

				400–499		XNS standard access list	No

				500–599		XNS extended access list	No

				600–699		AppleTalk access list	No

				700–799		48-bit MAC address access list	No

				800–899		IPX standard access list	No

				900–999		IPX extended access list	No

				1000–1099		IPX SAP access list	No

				1100–1199		Extended 48-bit MAC address access list	No

			Catalyst 3750-E and 3560-E Switch Software Configuration Guide

	34-8							OL-9775-02
	34-8							OL-9775-02

Image 706

Cisco Systems 3750E Creating Standard and Extended IPv4 ACLs, Access List Numbers, Access List Number Type Supported, 34-8

Contents

Americas Headquarters Text Part Number OL-9775-02Page N T E N T S Iii Assigning the Switch IP Address and Default Gateway Understanding Cisco Configuration Engine Software Clustering Switches Catalyst 1900 and Catalyst 2820 CLI Considerations Vii Creating a Banner Viii Changing the Default Privilege Level for Lines Device Roles Bypass Routed Ports Xii Monitoring and Maintaining the Interfaces Xiii Encapsulation Types Xiv Domain Names Private-VLAN Configuration Guidelines Xvi Disabled State Xvii Boundary Ports Xviii Xix 19-25 Dhcp Server Configuring Dynamic ARP Inspection Xxi Configuring MVR Xxii Understanding Storm Control Xxiii Understanding Udld Modes of Operation Xxiv Creating an Rspan Source Session Xxv Snmp Agent Functions Xxvi Creating a Numbered Extended ACL Xxvii Interaction with Other Features and Switches Xxviii Xxix Port-Channel Interfaces Xxx Configuring IP Addressing Xxxi Nonstop Forwarding Awareness Xxxii IPv6 Addresses Xxxiii Configuring Hsrp Priority Xxxiv Configuring IP Multicast Routing Xxxv Configuring Basic Dvmrp Interoperability Features Xxxvi Using a Filter Xxxvii Xxxviii 45-14 Configuring Online Diagnostics Xxxix Unsupported Route-Map Configuration Commands C-1 Hsrp Xli VTP Xlii Purpose PrefaceAudience Conventions Related Publications Xliv Xlv Xlvi Features Overview Deployment Features Availability and Redundancy Features, Vlan Features, Overview Features Performance Features Management Options Manageability Features Availability and Redundancy Features Vlan Features Security Features Overview Features QoS and CoS Features Layer 3 Features Power over Ethernet Features Monitoring Features Default Settings After Initial Switch ConfigurationVlan Overview Default Settings After Initial Switch Configuration Overview Default Settings After Initial Switch Configuration Network Configuration Examples Design Concepts for Using the Switch Network Demands Suggested Design Methods Cost-Effective Wiring Closet High-Performance Wiring Closet High-Performance Workgroup Gigabit-to-the-Desktop Redundant Gigabit Backbone Server Aggregation Linux Server Cluster Cisco SoftPhone Software Gigabit servers Internet Cisco 2600 or 3700 routers Catalyst 3560-E switches Large Network Using Catalyst 3750-E and 3560-E Switches Cisco 7x00 routers Catalyst Catalyst 3560-E Multidwelling Network Using Catalyst 3750-E Switches Long-Distance, High-Bandwidth Transport Configuration 11 Catalyst 3750-E Switches in a MAN Configuration Where to Go Next Access layer Aggregation layer OL-9775-02 Using the Command-Line Interface Understanding Command Modes Quit Mode Access Method Prompt Exit Method About This ModeConfigure Ctrl-Z Understanding the Help System Console commandCommand Purpose Line vty or line Command ? Understanding Abbreviated CommandsUnderstanding no and default Forms of Commands Command keyword ? Using Configuration Logging Understanding CLI Error MessagesError Message Meaning How to Get Help Recalling Commands Using Command HistoryChanging the Command History Buffer Size Action1 Result Enabling and Disabling Editing Features Using Editing FeaturesDisabling the Command History Feature Switch# terminal editing Editing Commands through Keystrokes Capability Keystroke1 Purpose Return and Space bar Editing Command Lines that WrapPress Ctrl-L or Ctrl-R Command begin include exclude regular-expression Accessing the CLISwitch# show interfaces include protocol Using the Command-Line Interface Accessing the CLI OL-9775-02 Assigning the Switch IP Address and Default Gateway Understanding the Boot Process Assigning Switch Information Understanding DHCP-Based Autoconfiguration Default Switch InformationFeature Default Setting Dhcp Client Request Process Dhcp Client and Server Message Exchange Configuring DHCP-Based Autoconfiguration Dhcp Server Configuration Guidelines Configuring the Tftp Server Configuring the DNS Obtaining Configuration Files Configuring the Relay DeviceRouterconfig-if#ip helper-address Example Configuration Tftpserver Tftp Server Configuration on Unix Switch a Switch B Switch C Switch DDNS Server Configuration Dhcp Client Configuration Manually Assigning IP Information Switch# show running-config Checking and Saving the Running ConfigurationSwitch# copy running-config startup-config Default Boot Configuration Modifying the Startup ConfigurationAutomatically Downloading a Configuration File Show boot Booting ManuallyBoot config-file flash/ file-url Configure terminal Enter global configuration mode Booting a Specific Software Image Boot system filesystem /file-url Boot system switch number all Controlling Environment Variables Switch current-stack-member-number renumber Set Manualboot yes Boot manualSet Switchnumber Set Switchpriority Variable Description Configuring a Scheduled ReloadScheduling a Reload of the Software Image Reload in hhmm text Switch# reload at 0200 jun Switch# reload atDisplaying Scheduled Reload Information Configuring Cisco IOS CNS Agents Understanding Cisco Configuration Engine Software Configuration Service Configuration Engine Architectural Overview What You Should Know About the CNS IDs and Device Hostnames Event ServiceConfigID NameSpace Mapper DeviceID Using Hostname, DeviceID, and ConfigIDHostname and DeviceID Initial Configuration Understanding Cisco IOS Agents Synchronized Configuration Configuring Cisco IOS AgentsIncremental Partial Configuration Enabling Automated CNS Configuration Device Required Configuration Enabling the CNS Event Agent Backup init-retry retry-count keepalive secondsShow running-config Show cns event connections Enabling an Initial Configuration Enabling the Cisco IOS CNS Agent Mac-address event Cns config initial ip-address hostnameCns id interface num dns-reverse ipaddress Cns id hardware-serial hostname string string Cns config partial ip-address hostname Enabling a Partial ConfigurationShow running-config Verify your entries Show cns config stats Show cns event stats Displaying CNS ConfigurationShow cns config connections Show cns event subject Managing Switch Stacks Understanding Switch Stacks Managing Switch Stacks Understanding Switch Stacks Switch Stack Membership Creating a Switch Stack from Two Standalone Switches Adding a Standalone Switch to a Switch Stack Stack Master Election and Re-Election Switch Stack Bridge ID and Router MAC Address Stack Member Numbers Stack Member Priority Values Effects of Adding a Provisioned Switch to a Switch Stack Switch Stack Offline ConfigurationScenario Result Scenario Result Switch Stack Software Compatibility Recommendations Effects of Replacing a Provisioned Switch in a Switch Stack Minor Version Number Incompatibility Among Switches Major Version Number Incompatibility Among SwitchesStack Protocol Version Compatibility Understanding Auto-Upgrade and Auto-Advise Switch Auto-Upgrade and Auto-Advise Example MessagesDirectory Mar 1 000422.537%IMAGEMGR-6-AUTOADVISESW Incompatible Software and Stack Member Image Upgrades Switch Stack Configuration Files Switch Stack Management Connectivity Connectivity to the Switch Stack Through an SSH Session Connectivity to the Switch Stack Through an IP AddressConnectivity to Specific Stack Members Use the switch stack-member-number Switch Stack Configuration ScenariosPriority new-priority-number global Current-stack-member-number Renumber new-stack-member-number Default Switch Stack Configuration Configuring the Switch StackEnabling Persistent MAC Address Switchconfig# stack-mac persistent timer Stack-mac persistent timerShow switch Time-value Assigning Stack Member Information Setting the Stack Member Priority ValueAssigning a Stack Member Number Provisioning a New Member for a Switch Stack Command Description Accessing the CLI of a Specific Stack MemberDisplaying Switch Stack Information Show switch stack-member-number Show switch stack-ring activity Show switch stack-portsDetail OL-9775-02 Clustering Switches Understanding Switch Clusters Switch Cisco IOS Release Cluster Capability Cluster Command Switch Characteristics Standby Cluster Command Switch Characteristics Planning a Switch Cluster Candidate Switch and Cluster Member Switch Characteristics Automatic Discovery of Cluster Candidates and Members Discovery Through CDP Hops Discovery Through CDP Hops Discovery Through Different VLANs Discovery Through Different Management VLANs Discovery Through Different VLANs Discovery Through Routed Ports Discovery of Newly Installed Switches New out-of-box Hsrp and Standby Cluster Command Switches Virtual IP Addresses Other Considerations for Cluster Standby Groups Automatic Recovery of Cluster Configuration IP Addresses Hostnames Passwords Snmp Community Strings Switch Stack Switch Cluster Switch Clusters and Switch StacksMembers Other cluster member switches TACACS+ and Radius LRE Profiles Switch# rcommand Using the CLI to Manage Switch ClustersCatalyst 1900 and Catalyst 2820 CLI Considerations Using Snmp to Manage Switch Clusters Snmp Management for a Cluster OL-9775-02 Managing the System Time and Date Administering the SwitchUnderstanding the System Clock Understanding Network Time Protocol NTP Configuring NTP Typical NTP Network Configuration Configuring NTP Authentication Default NTP ConfigurationNtp authenticate Configuring NTP Associations Ntp peer ip-address version number Configuring NTP Broadcast ServiceSwitchconfig# ntp server 172.16.22.44 version Key keyid source interface prefer Destination-address Interface interface-idNtp broadcast version number key keyid Ntp broadcast client Ntp access-group query-only Configuring NTP Access RestrictionsNtp broadcastdelay microseconds Serve-onl y serve peer Command Purpose Configuring the Source IP Address for NTP Packets Interface interface-id Setting the System Clock Configuring Time and Date ManuallyDisplaying the NTP Configuration Fundamentals Command Reference, Release Clock timezone zone hours-offset Displaying the Time and Date ConfigurationConfiguring the Time Zone Minutes-offset Week day month hh mm week day month Configuring Summer Time Daylight Saving TimeClock summer-time zone recurring Hh mm offset Clock summer-time zone date month Configuring a System Name and PromptClock summer-time zone date date Copy running-config startup-confi g Default System Name and Prompt ConfigurationConfiguring a System Name Understanding DNS Ip domain-name name Default DNS ConfigurationSetting Up DNS Ip name-server server-address1 Displaying the DNS Configuration Default Banner ConfigurationCreating a Banner Banner motd c message c Configuring a Message-of-the-Day Login BannerUnix telnet Banner login c message c Configuring a Login BannerManaging the MAC Address Table Building the Address Table MAC Addresses and VLANs Default MAC Address Table Configuration MAC Addresses and Switch StacksChanging the Address Aging Time Mac address-table aging-time Configuring MAC Address Notification TrapsRemoving Dynamic Address Entries Show mac address-table aging-time Snmp-server host host-addr traps informs version String by using the snmp-server communitySnmp-server enable traps mac-notification Mac address-table notification Adding and Removing Static Address Entries Vlan vlan-id interface interface-id Configuring Unicast MAC Address FilteringMac address-table static mac-addr Show mac address-table static Vlan vlan-id drop Managing the ARP Table Displaying Address Table Entries OL-9775-02 Configuring SDM Templates Understanding the SDM Templates Resource Access Default Routing Dual IPv4 and IPv6 SDM Templates SDM Templates and Switch Stacks IPv4-and-IPv6 Resource Default Routing Default SDM Template Configuring the Switch SDM TemplateSDM Template Configuration Guidelines Dual-ipv4-and-ipv6 default routing Setting the SDM TemplateSdm prefer access default Vlan routing vlan Switchconfig# sdm prefer dual-ipv4-and-ipv6 default Switchconfig# sdm prefer routingDisplaying the SDM Templates Policy based routing aces 25K OL-9775-02 Configuring Switch-Based Authentication Preventing Unauthorized Access to Your Switch Protecting Access to Privileged Exec Commands Default Password and Privilege Level Configuration Enable password password Setting or Changing a Static Enable PasswordSwitchconfig# enable password l1u2c3k4y5 Enable secret level level password Enable password level level passwordEncryption-type encrypted-password Service password-encryption No service password-recovery Disabling Password RecoveryShow version Password password Setting a Telnet Password for a Terminal LineConfiguring Username and Password Pairs Switchconfig-line#password let45me67in89 Login local Configuring Multiple Privilege LevelsUsername command Username name privilege level Privilege mode level level command Setting the Privilege Level for a CommandShow privilege Command Changing the Default Privilege Level for LinesLogging into and Exiting a Privilege Level Controlling Switch Access with TACACS+ Understanding TACACS+ Typical TACACS+ Network Configuration Configuring TACACS+ TACACS+ Operation Aaa new-model Default TACACS+ ConfigurationTacacs-server host hostname port Aaa group server tacacs+ group-name Aaa new-model Enable AAA Configuring TACACS+ Login AuthenticationShow tacacs Verify your entries Authentication login command Aaa authentication login defaultLogin authentication default Line console tty vty line-number Show running-config Verify your entries Displaying the TACACS+ Configuration Controlling Switch Access with RadiusStarting TACACS+ Accounting Understanding Radius Transitioning from Radius to TACACS+ Services Radius Operation Default Radius Configuration Configuring RadiusIdentifying the Radius Server Host Page Ip-address auth-port port-number Acct-port port-number timeoutRadius-server host hostname Seconds retransmit retries key Configuring Radius Login Authentication Switchconfig# radius-server host host1 Server Host section on Defining AAA Server Groups Aaa group server radius group-name Aaa authorization network radius Radius Starting Radius Accounting Radius-server key string Configuring Settings for All Radius ServersRadius-server timeout seconds Radius-server retransmit retries Cisco-avpair=shellpriv-lvl=15 AuthenticationRadius-server vsa send accounting Cisco-avpair=ipoutacl#2=deny ip 10.10.10.10 0.0.255.255 any Displaying the Radius Configuration Controlling Switch Access with KerberosRadius-server host hostname ip-address non-standard Understanding Kerberos Term Definition KDC Keytab Authenticating to a Boundary SwitchKerberos Operation Srvtab Authenticating to Network Services Configuring KerberosObtaining a TGT from a KDC Aaa authorization exec local Aaa authentication login default localAaa authorization network local Username command Configuring the Switch for Secure ShellUsername name privilege level Understanding SSH SSH Servers, Integrated Clients, and Supported Versions Configuration Guidelines Configuring SSHLimitations Setting Up the Switch to Run SSH Ip ssh timeout seconds Displaying the SSH Configuration and StatusConfiguring the SSH Server Authentication-retries number Understanding Secure Http Servers and Clients Configuring the Switch for Secure Socket Layer HttpCertificate Authority Trustpoints Rsakeypair TP-self-signed-3080755072 Default SSL Configuration Configuring Secure Http Servers and ClientsCipherSuites SSL Configuration Guidelines Configuring a CA Trustpoint Configuring the Secure Http Server Show ip http server secure status Configuring the Secure Http ClientIp http timeout-policy idle seconds life Ip http client secure-trustpoint name Ip http client secure-ciphersuite Configuring the Switch for Secure Copy ProtocolDisplaying Secure Http Server and Client Status Show ip http client secure status Information About Secure Copy Html OL-9775-02 Understanding Ieee 802.1x Port-Based Authentication Configuring Ieee 802.1x Port-Based Authentication10-1 Device Roles 10-2 Authentication Process 10-3 Authentication Flowchart 10-4 Authentication Initiation and Message Exchange 10-5 10-6 EAPOL-Start Ports in Authorized and Unauthorized States Ieee 802.1x Authentication and Switch Stacks10-7 Ieee 802.1x Host Mode 10-8 Attribute Number AV Pair Name Ieee 802.1x AccountingIeee 802.1x Accounting Attribute-Value Pairs 10-9 Using Ieee 802.1x Authentication with Vlan Assignment 10-10 Using Ieee 802.1x Authentication with Per-User ACLs 10-11 Using Ieee 802.1x Authentication with Guest Vlan 10-12 Using Ieee 802.1x Authentication with Restricted Vlan 10-13 10-14 Using Ieee 802.1x Authentication with Voice Vlan Ports 10-15 Using Ieee 802.1x Authentication with Port Security 10-16 Using Ieee 802.1x Authentication with Wake-on-LAN 10-17 10-18 Network Admission Control Layer 2 Ieee 802.1x Validation Using Multidomain Authentication10-19 For example Using Web Authentication10-20 Configuring Ieee 802.1x Authentication 10-21 AAA Default Ieee 802.1x Authentication Configuration10-22 Ieee 802.1x Authentication Ieee 802.1x Authentication Configuration Guidelines10-23 10-24 MAC Authentication Bypass Configuring Ieee 802.1x Authentication10-25 Configuring the Switch-to-RADIUS-Server Communication 10-26 Ip-address auth-port port-number key 10-27 Multi-domain Configuring the Host ModeDot1x host-mode multi-host Show dot1x interface interface-id Manually Re-Authenticating a Client Connected to a Port Configuring Periodic Re-Authentication10-29 Changing the Quiet Period Changing the Switch-to-Client Retransmission TimeDot1x timeout tx-period seconds Show dot1x interface interface-id Verify your entries Show dot1xinterface interface-id Verify your entries Setting the Switch-to-Client Frame-Retransmission NumberSwitchconfig-if#dot1x timeout tx-period Dot1x max-reauth-req count Switchconfig-if#dot1x max-reauth-req Setting the Re-Authentication NumberConfiguring Ieee 802.1x Accounting 10-32 Configuring a Guest Vlan 10-33 Switchconfig# interface gigabitethernet2/0/2 Configuring a Restricted VlanSwitchport mode private-vlan host Dot1x guest-vlan vlan-id Attempts Dot1x auth-fail vlan vlan-idDot1x auth-fail max-attempts max 10-35 Radius-server dead-criteria time time Configuring the Inaccessible Authentication Bypass FeatureSwitchconfig-if#dot1x auth-fail max-attempts Tries tries 10-37 Reinitialize vlan vlan-id Configuring Ieee 802.1x Authentication with WoLDot1x critical recovery action Show dot1x interface interface-id Switchconfig-if#dot1x mac-auth-bypass Configuring MAC Authentication BypassSwitchconfig-if#dot1x control-direction both Dot1x control-direction both Configuring NAC Layer 2 Ieee 802.1x Validation 10-40 Configuring Web Authentication 10-41 10-42 Dot1x fallback fallback-profile Disabling Ieee 802.1x Authentication on the PortNo dot1x pae Disable Ieee 802.1x authentication on the port 10-43 Displaying Ieee 802.1x Statistics and Status 10-44 Understanding Interface Types Configuring Interface Characteristics11-1 Port-Based VLANs Switch Ports11-2 Trunk Ports Access Ports11-3 Tunnel Ports Routed Ports11-4 EtherChannel Port Groups Switch Virtual Interfaces11-5 Supported Protocols and Standards Power over Ethernet PortsGigabit Ethernet Interfaces 11-6 Class Powered-Device Detection and Initial Power Allocation11-7 Power Management Modes 11-8 Power Monitoring and Power Policing 11-9 Maximum Power Allocation Cutoff Power on a PoE Port 11-10 Connecting Interfaces 11-11 Ethernet Management Port 11-12 Connecting a Switch Stack to a PC 11-13 Tftp 11-14 Mgmtshow Using Interface Configuration ModeMgmtinit Mgmtclr Procedures for Configuring Interfaces 11-16 Macroname Configuring a Range of InterfacesInterface range port-range macro Show interfaces interface-id 11-18 Define interface-range macroname Configuring and Using Interface Range MacrosShow running-config include define Interface range macro macroname Switch# show run include define Configuring Ethernet InterfacesSwitch# show running-config include define 11-20 Default Ethernet Interface Configuration 11-21 Speed and Duplex Configuration Guidelines Configuring Interface Speed and Duplex Mode11-22 Nonegotiate Setting the Interface Speed and Duplex ParametersSpeed 10 100 1000 auto 10 Duplex auto full half Flowcontrol receive on off desired Configuring Ieee 802.3x Flow Control11-24 With Correct Cabling Configuring Auto-MDIX on an InterfaceLocal Side Auto-MDIX 11-25 Interface-id phy Configuring a Power Management Mode on a PoE Port11-26 Show power inline i nterface-id Budgeting Power for Devices Connected to a PoE PortPower inline auto max max-wattage Neve r static max max-wattage Wattage 11-28 Configuring Power Policing 11-29 Adding a Description for an Interface 11-30 Switch# show interfaces gigabitethernet1/0/2 description Configuring Layer 3 InterfacesConfiguring Ethernet Management Ports 11-31 No shutdown No switchportInterface gigabitethernet interface-id vlan vlan-id 11-32 Configuring the System MTU 11-33 System mtu routing bytes Use the system mtu jumbo Use the system mtu routingSystem mtu jumbo bytes 11-34 Reload Configuring the Cisco Redundant Power SystemSystem mtu bytes Show system mtu Standby Power rps switch-number name string serialnumberPower rps switch-number port rps-port-id mode active 11-36 Show env power Configuring the Power SuppliesPower supply switch-numberoff on Show env rps Monitoring Interface Status Monitoring and Maintaining the Interfaces11-38 Clearing and Resetting Interfaces and Counters 11-39 Shutdown Shutting Down and Restarting the InterfaceInterface vlan vlan-id gigabitethernet interface-id 11-40 Understanding Smartports Macros Configuring Smartports Macros12-1 Macro Name Description Configuring Smartports MacrosDefault Smartports Macro Configuration 12-2 Smartports Macro Configuration Guidelines 12-3 Name Sample-Macro and macro name sample-macro will result Creating Smartports MacrosMacro name macro-name Show parser macro name macro-name Applying Smartports Macros 12-5 Show parser macro macro-name Applying Cisco-Default Smartports MacrosShow parser macro 12-6 Switchconfig-if#macro apply cisco-desktop $AVID Switch# show parser macro cisco-desktop12-7 Show parser macro description interface Displaying Smartports MacrosShow parser macro brief 12-8 Understanding VLANs Configuring VLANs13-1 13-2 Vlan Port Membership Modes Supported VLANs13-3 Configuring Normal-Range VLANs 13-4 Vlan ID 13-5 Token Ring VLANs Normal-Range Vlan Configuration Guidelines13-6 Vlan Configuration in config-vlan Mode Vlan Configuration Mode OptionsSaving Vlan Configuration Vlan Configuration in Vlan Database Configuration Mode VLANxxxx, where Default Ethernet Vlan ConfigurationParameter Default Range 13-8 Remote-span Copy running-config startup configCreating or Modifying an Ethernet Vlan 13-9 Vlan database Deleting a Vlan13-10 No vlan vlan-id Assigning Static-Access Ports to a VlanSwitchport access vlan vlan-id Show vlan brief Show interfaces interface-id switchport Configuring Extended-Range VLANsDefault Vlan Configuration Vlan fields of the display Extended-Range Vlan Configuration Guidelines 13-13 Show vlan id vlan-id Vtp mode transparentCreating an Extended-Range Vlan 13-14 Creating an Extended-Range Vlan with an Internal Vlan ID Switchconfig# vtp mode transparentSwitch# copy running-config startup config Show vlan internal usage Displaying VLANs Configuring Vlan TrunksCommand Command Mode Purpose Trunking Overview Switches in an ISL Trunking Environment 13-17 Encapsulation Function Mode FunctionEncapsulation Types 13-18 Ieee 802.1Q Configuration Considerations Default Layer 2 Ethernet Interface Vlan ConfigurationConfiguring an Ethernet Interface as a Trunk Port 13-19 Dot1q negotiate Interaction with Other FeaturesConfiguring a Trunk Port 13-20 Defining the Allowed VLANs on a Trunk 13-21 All except remove vlan-list Switchport trunk allowed vlan addChanging the Pruning-Eligible List 13-22 Except none remove vlan-list Configuring the Native Vlan for Untagged TrafficSwitchport trunk pruning vlan add Vlan ,vlan Switchport trunk native vlan vlan-id Configuring Trunk Ports for Load SharingLoad Sharing Using STP Port Priorities 13-24 13-25 Connect to the trunk ports configured on Switch a Load Sharing Using STP Path CostOr switch stack Exit Return to global configuration mode Isl dot1q negotiate Switchport trunk encapsulationInterface gigabitethernet1/0/1 Spanning-tree vlan 2-4 cost Understanding Vmps Configuring Vmps13-28 Dynamic-Access Port Vlan Membership Default Vmps Client ConfigurationVmps Configuration Guidelines 13-29 Entering the IP Address of the Vmps Configuring the Vmps Client13-30 Reconfirming Vlan Memberships Configuring Dynamic-Access Ports on Vmps ClientsSwitchport access vlan dynamic Vmps reconfirm Vmps reconfirm minutes Changing the Reconfirmation IntervalChanging the Retry Count 13-32 Switch# show vmps Troubleshooting Dynamic-Access Port Vlan MembershipVmps Configuration Example Monitoring the Vmps Dynamic Port Vlan Membership Configuration 13-34 Understanding VTP Configuring VTP14-1 VTP Domain 14-2 VTP Advertisements VTP Mode DescriptionVTP Modes 14-3 VTP Pruning VTP Version14-4 14-5 Vlan VTP and Switch Stacks Configuring VTP14-6 VTP Configuration in Global Configuration Mode Default VTP ConfigurationVTP Configuration Options 14-7 Passwords VTP Configuration GuidelinesVTP Configuration in Vlan Database Configuration Mode Domain Names VTP Version Configuring a VTP ServerConfiguration Requirements 14-9 Show vtp status Vtp password passwordVtp password password Vtp server Switch# vlan database Configuring a VTP ClientVtp mode client 14-11 Disabling VTP VTP Transparent Mode 14-12 Vtp version Enabling VTP Version14-13 Vtp pruning Adding a VTP Client Switch to a VTP DomainEnabling VTP Pruning 14-14 14-15 Monitoring VTP 14-16 Understanding Voice Vlan Configuring Voice Vlan15-1 Cisco IP Phone Data Traffic Cisco IP Phone Voice Traffic15-2 Voice Vlan Configuration Guidelines Configuring Voice VlanDefault Voice Vlan Configuration 15-3 Configuring a Port Connected to a Cisco 7960 IP Phone 15-4 Configuring Cisco IP Phone Voice Traffic 15-5 Configuring the Priority of Incoming Data Frames 15-6 Displaying Voice Vlan 15-7 15-8 Understanding Private VLANs Configuring Private VLANs16-1 16-2 Private-VLAN Domain IP Addressing Scheme with Private VLANs 16-3 Private-VLAN Interaction with Other Features Private VLANs across Multiple Switches16-4 Private VLANs and SVIs Private VLANs and Unicast, Broadcast, and Multicast Traffic16-5 Private VLANs and Switch Stacks Configuring Private VLANsTasks for Configuring Private VLANs 16-6 Secondary and Primary Vlan Configuration Default Private-VLAN ConfigurationPrivate-VLAN Configuration Guidelines 16-7 Private-VLAN Port Configuration 16-8 Limitations with Other Features 16-9 Configuring and Associating VLANs in a Private Vlan 16-10 Show interfaces status Show vlan private-vlan type16-11 Switch# show interfaces gigabitethernet1/0/22 switchport Configuring a Layer 2 Interface as a Private-VLAN Host PortSwitchport private-vlan host-association Primaryvlanid secondaryvlanid Add remove secondaryvlanlist Switchport mode private-vlan promiscuousSwitchport private-vlan mapping primaryvlanid 16-13 Private-vlan mapping add remove Switch# show interfaces private-vlan mappingInterface vlan primaryvlanid Show interface private-vlan mapping Monitoring Private VLANs 16-15 16-16 Understanding Ieee 802.1Q Tunneling Configuring Ieee 802.1Q and Layer 2 Protocol Tunneling17-1 Ieee 802.1Q Tunnel Ports in a Service-Provider Network 17-2 17-3 Ieee 802.1Q Tunneling Configuration Guidelines Configuring Ieee 802.1Q TunnelingDefault Ieee 802.1Q Tunneling Configuration Native VLANs System MTU 17-5 Ieee 802.1Q Tunneling and Other Features 17-6 Show dot1q-tunnel Configuring an Ieee 802.1Q Tunneling PortVlan dot1q tag native Show vlan dot1q tag native Understanding Layer 2 Protocol Tunneling 17-8 17-9 Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling 17-10 Default Layer 2 Protocol Tunneling Configuration 17-11 Layer 2 Protocol Tunneling Configuration Guidelines 17-12 Configuring Layer 2 Protocol Tunneling 17-13 L2protocol-tunnel point-to-point Configuring Layer 2 Tunneling for EtherChannelsConfiguring the SP Edge Switch Pagp lacp udld 17-15 Configuring the Customer Switch 17-16 Switchconfig# interface port-channel Switchconfig-if#channel-group 1 mode desirable17-17 Monitoring and Maintaining Tunneling Status 17-18 Understanding Spanning-Tree Features Configuring STP18-1 STP Overview 18-2 Spanning-Tree Topology and BPDUs 18-3 Bridge ID, Switch Priority, and Extended System ID 18-4 Bit Switch Priority ValueSpanning-Tree Interface States 32768 16384 8192 4096 2048 1024 512 256 128 2illustrates how an interface moves through the states 18-6 Learning State Blocking StateListening State Forwarding State Disabled State How a Switch or Port Becomes the Root Switch or Root Port18-8 Accelerated Aging to Retain Connectivity Spanning Tree and Redundant ConnectivitySpanning-Tree Address Management 18-9 Supported Spanning-Tree Instances Spanning-Tree Modes and Protocols18-10 VLAN-Bridge Spanning Tree Spanning-Tree Interoperability and Backward CompatibilitySTP and Ieee 802.1Q Trunks Rapid PVST+ Spanning Tree and Switch Stacks Configuring Spanning-Tree Features18-12 Spanning-Tree Configuration Guidelines Default Spanning-Tree Configuration18-13 18-14 Changing the Spanning-Tree Mode 18-15 Show spanning-tree vlan vlan-id Verify your entries Configuring the Root SwitchDisabling Spanning Tree 18-16 Show spanning-tree detail Spanning-tree vlan vlan-id root primaryDiameter net-diameter hello-time seconds 18-17 Spanning-tree vlan vlan-id root secondary Configuring a Secondary Root SwitchConfiguring Port Priority Diameter net-diameter hello-time Show spanning-tree interface interface-id Spanning-tree port-priority prioritySpanning-tree vlan vlan-id port-priority priority Show spanning-tree vlan vlan-id Spanning-tree cost cost Configuring Path CostPort-channel-number Spanning-tree vlan vlan-id cost cost Spanning-tree vlan vlan-id priority priority Configuring the Switch Priority of a Vlan18-21 Spanning-tree vlan vlan-id hello-time seconds Configuring Spanning-Tree TimersConfiguring the Hello Time 18-22 Spanning-tree vlan vlan-id forward-time Configuring the Forwarding-Delay Time for a VlanConfiguring the Maximum-Aging Time for a Vlan Spanning-tree vlan vlan-idmax-age seconds Show spanning-tree detail Verify your entries Configuring the Transmit Hold-CountDisplaying the Spanning-Tree Status 18-24 Configuring Mstp 19-1 Multiple Spanning-Tree Regions Understanding Mstp19-2 Operations Within an MST Region IST, CIST, and CST19-3 Operations Between MST Regions 19-4 Cisco Prestandard Cisco Standard Hop CountIeee 802.1s Terminology 19-5 Ieee 802.1s Implementation Boundary Ports19-6 Port Role Naming Change Interoperation Between Legacy and Standard Switches19-7 Detecting Unidirectional Link Failure Mstp and Switch Stacks19-8 Port Roles and the Active Topology Understanding RstpInteroperability with Ieee 802.1D STP 19-9 Rapid Convergence 19-10 Synchronization of Port Roles 19-11 Bit Function Bridge Protocol Data Unit Format and Processing19-12 Processing Inferior Bpdu Information Topology ChangesProcessing Superior Bpdu Information 19-13 Configuring Mstp Features 19-14 Mstp Configuration Guidelines Default Mstp Configuration19-15 Instance instance-id vlan vlan-range Specifying the MST Region Configuration and Enabling MstpSpanning-tree mst configuration Name name Show pending Spanning-tree mode mstRevision version Exit Spanning-tree mst instance-id root primary 19-18 19-19 Show spanning-tree mst interface interface-id Spanning-tree mst instance-id port-priority priority19-20 Spanning-tree mst instance-id cost cost 19-21 Spanning-tree mst instance-id priority priority Configuring the Switch PriorityConfiguring the Hello Time 19-22 Spanning-tree mst forward-time seconds Configuring the Forwarding-Delay TimeShow spanning-tree mst Verify your entries Show spanning-tree mst Specifying the Link Type to Ensure Rapid Transitions Configuring the Maximum-Aging TimeConfiguring the Maximum-Hop Count Spanning-tree mst max-age seconds Designating the Neighbor Type 19-25 Restarting the Protocol Migration Process Displaying the MST Configuration and Status19-26 Understanding Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features20-1 Understanding Bpdu Guard Understanding Port Fast20-2 Understanding UplinkFast Understanding Bpdu Filtering20-3 Switches in a Hierarchical Network 20-4 Understanding Cross-Stack UplinkFast 20-5 How Csuf Works 20-6 Events that Cause Fast Convergence Understanding BackboneFast20-7 20-8 BackboneFast Example Before Indirect Link Failure Adding a Switch in a Shared-Medium Topology 20-9 Understanding Root Guard Understanding EtherChannel Guard20-10 Understanding Loop Guard 20-11 Enabling Port Fast Default Optional Spanning-Tree ConfigurationOptional Spanning-Tree Configuration Guidelines 20-12 Spanning-tree portfast trunk Spanning-tree portfast trunk interface configurationEnabling Bpdu Guard Portfast Enabling Bpdu Filtering Spanning-tree portfast Enable the Port Fast feature20-14 Enabling UplinkFast for Use with Redundant Links 20-15 Enabling Cross-Stack UplinkFast Spanning-tree uplinkfast max-update-rateUplinkfast command Enabling BackboneFast Show spanning-tree summary Verify your entries Spanning-tree backbonefast Enable BackboneFastEnabling EtherChannel Guard 20-17 Enabling Loop Guard Enabling Root Guard20-18 20-19 20-20 Flex Links 21-1 Vlan Flex Link Load Balancing and Support Switchport backup interface preemption delay commands21-2 MAC Address-Table Move Update 21-3 MAC Address-Table Move Update Example 21-4 Default Configuration Configuration Guidelines21-5 Show interface interface-id switchport backup Configuring Flex LinksSwitchport backup interface interface-id Switch# show interface switchport backup Delay delay-time Switchport backup interface interface-id preemptionMode forced bandwidth off 21-7 Show interfaces interface-id switchport backup Configuring Vlan Load Balancing on Flex LinksSwitchport backup interface interface-id prefer vlan Switch#show interfaces switchport backup Primary vlan vlan-id Configuring the MAC Address-Table Move Update FeatureSwitchport backup interface interface-idmmu 21-9 Switch# show mac-address-table move update End Return to global configuration modeSwitchconf# mac address-table move update transmit 21-10 Monitoring Flex Links and the MAC Address-Table Move Update 21-11 21-12 Understanding Dhcp Features Configuring Dhcp Features and IP Source Guard22-1 Dhcp Snooping Dhcp ServerDhcp Relay Agent 22-2 Option-82 Data Insertion 22-3 22-4 Dhcp Relay Agent in a Metropolitan Ethernet Network Remote ID Suboption Frame Format 22-5 Release Cisco IOS Dhcp Server DatabaseDhcp Snooping Binding Database 22-6 22-7 Default Dhcp Configuration Configuring Dhcp FeaturesDhcp Snooping and Switch Stacks 22-8 Dhcp Snooping Configuration Guidelines 22-9 Dhcp Server and Switch Stacks Configuring the Dhcp Server22-10 Ip helper-address address Configuring the Dhcp Relay AgentSpecifying the Packet Forwarding Address 22-11 Enabling Dhcp Snooping and Option Switchport mode accessSwitchport access vlan vlan-id Interface range port-range 22-13 Enabling the Dhcp Snooping Binding Database Agent Enabling Dhcp Snooping on Private VLANsEnabling the Cisco IOS Dhcp Server Database Ip dhcp snooping database Displaying Dhcp Snooping Information 22-15 Source IP Address Filtering Understanding IP Source Guard22-16 IP Source Guard Configuration Guidelines Configuring IP Source GuardDefault IP Source Guard Configuration Source IP and MAC Address Filtering Enabling IP Source Guard 22-18 Displaying IP Source Guard Information 22-19 22-20 Understanding Dynamic ARP Inspection Configuring Dynamic ARP Inspection23-1 23-2 ARP Cache Poisoning Interface Trust States and Network Security 23-3 Relative Priority of ARP ACLs and Dhcp Snooping Entries Rate Limiting of ARP Packets23-4 Logging of Dropped Packets Configuring Dynamic ARP InspectionDefault Dynamic ARP Inspection Configuration 23-5 Dynamic ARP Inspection Configuration Guidelines 23-6 Ip arp inspection vlan vlan-range Configuring Dynamic ARP Inspection in Dhcp EnvironmentsShow cdp neighbors 23-7 Configuring ARP ACLs for Non-DHCP Environments 23-8 23-9 No ip arp inspection trust Show arp access-list acl-nameLimiting the Rate of Incoming ARP Packets Specified with the ip arp inspection vlan logging Performing Validation Checks 23-11 Src-mac dst-mac ip Configuring the Log BufferIp arp inspection validate Show ip arp inspection vlan Number logs number interval Ip arp inspection log-buffer entries23-13 Displaying Dynamic ARP Inspection Information 23-14 Clear ip arp inspection log Clear ip arp inspection statisticsShow ip arp inspection statistics vlan Show ip arp inspection log 23-16 Configuring Igmp Snooping and MVR 24-1 Understanding Igmp Snooping 24-2 Joining a Multicast Group Igmp Versions24-3 224.1.2.3 24-4 Leaving a Multicast Group 24-5 Igmp Report Suppression Igmp Configurable-Leave TimerImmediate Leave 24-6 Default Igmp Snooping Configuration Configuring Igmp SnoopingIgmp Snooping and Switch Stacks PIM-DVMRP Ip igmp snooping vlan vlan-id Enabling or Disabling Igmp Snooping24-8 Learn cgmp pim-dvmrp Setting the Snooping MethodIp igmp snooping vlan vlan-id mrouter Show ip igmp snooping Show ip igmp snooping mrouter vlan vlan-id Configuring a Multicast Router Port24-10 Ip igmp snooping vlan vlan-id static ipaddress Configuring a Host Statically to Join a GroupEnabling Igmp Immediate Leave Show ip igmp snooping groups Configuring the Igmp Leave Timer 24-12 Controlling the Multicast Flooding Time After a TCN Event Configuring TCN-Related CommandsRecovering from Flood Mode Count No ip igmp snooping tcn flood Disabling Multicast Flooding During a TCN Event24-14 Configuring the Igmp Snooping Querier 24-15 No ip igmp snooping report-suppression Disabling Igmp Report Suppression24-16 Displaying Igmp Snooping Information 24-17 Understanding Multicast Vlan Registration 24-18 Using MVR in a Multicast Television Application 24-19 MVR Configuring MVRDefault MVR Configuration 24-20 Mvr Enable MVR on the switch MVR Configuration Guidelines and LimitationsConfiguring MVR Global Parameters 24-21 Configuring MVR Interfaces 24-22 Show mvr Mvr type source receiverMvr immediate Show mvr interface Show mvr members Displaying MVR Information Configuring Igmp Filtering and Throttling24-24 Configuring Igmp Profiles Default Igmp Filtering and Throttling Configuration24-25 Range ip multicast address Ip igmp profile profile numberPermit deny Show ip igmp profile profile number Applying Igmp Profiles Setting the Maximum Number of Igmp GroupsSwitch# show ip igmp profile Ip igmp filter profile number EtherChannel group or a EtherChannel interface Configuring the Igmp Throttling ActionShow running-config interface Verify the configuration Interface-id Replace Displaying Igmp Filtering and Throttling ConfigurationIp igmp max-groups action deny Show ip igmp profile profile 24-30 Understanding MLD Snooping Configuring IPv6 MLD Snooping25-1 25-2 Multicast Client Aging Robustness MLD MessagesMLD Queries 25-3 MLD Done Messages and Immediate-Leave Multicast Router DiscoveryMLD Reports 25-4 Topology Change Notification Processing Configuring IPv6 MLD SnoopingMLD Snooping in Switch Stacks 25-5 MLD Snooping Configuration Guidelines Default MLD Snooping Configuration25-6 Ipv6 mld snooping vlan vlan-id Enabling or Disabling MLD SnoopingIpv6 mld snooping 25-7 Show ipv6 mld snooping multicast-address user Configuring a Static Multicast GroupIpv6 mld snooping vlan vlan-id static Show ipv6 mld snooping multicast-address vlan Show ipv6 mld snooping mrouter vlan vlan-id Enabling MLD Immediate LeaveIpv6 mld snooping vlan vlan-id mrouter 25-9 Configuring MLD Snooping Queries 25-10 Disabling MLD Listener Message Suppression Displaying MLD Snooping Information25-11 Vlan-id ipv6-multicast-address Show ipv6 mld snooping querier vlan vlan-idVlan-id count dynamic user 25-12 Understanding Storm Control Configuring Port-Based Traffic ControlConfiguring Storm Control 26-1 26-2 Broadcast Storm Control Example Configuring Storm Control and Threshold Levels Default Storm Control Configuration26-3 Bps-low pps pps pps-low Storm-control broadcast multicastUnicast level level level-low bps bps Storm-control action shutdown trap Show storm-control interface-id broadcast Configuring Protected PortsDefault Protected Port Configuration Multicast unicast Configuring a Protected Port Configuring Port BlockingProtected Port Configuration Guidelines 26-6 Blocking Flooded Traffic on an Interface Configuring Port SecurityDefault Port Blocking Configuration 26-7 Secure MAC Addresses Understanding Port Security26-8 Security Violations 26-9 Forwarded1 Trap Message Message2 Increments Default Port Security ConfigurationPort Security Configuration Guidelines 26-10 26-11 Enabling and Configuring Port Security 26-12 Shutdown vlan Switchport port-security violationProtect restrict shutdown 26-13 26-14 Switchconfig-if#switchport port-security mac-address sticky Switchconfig-if#switchport port-securitySwitchconfig-if#switchport port-security maximum Switchconfig-if#switchport port-security violation restrict Enabling and Configuring Port Security Aging 26-16 Port Security and Private VLANs Port Security and Switch StacksSwitchconfig# interface GigabitEthernet 1/0/8 26-17 Show port-security interface interface-idvlan Displaying Port-Based Traffic Control SettingsShow port-security interface interface-idaddress 26-18 Understanding CDP Configuring CDP27-1 Default CDP Configuration Configuring CDPCDP and Switch Stacks Configuring the CDP Characteristics Cdp advertise-v2 Disabling and Enabling CDPCdp holdtime seconds Show cdp Disabling and Enabling CDP on an Interface No cdp enable Disable CDP on the interfaceCdp enable Enable CDP on the interface after disabling it 27-4 Monitoring and Maintaining CDP 27-5 27-6 Understanding Lldp Configuring Lldp and LLDP-MEDUnderstanding Lldp and LLDP-MED 28-1 Understanding LLDP-MED 28-2 Configuring Lldp Characteristics Configuring Lldp and LLDP-MEDDefault Lldp Configuration 28-3 Disabling and Enabling Lldp Globally 28-4 Disabling and Enabling Lldp on an Interface 28-5 No lldp med-tlv-select tlv Specify the TLV to disable Configuring LLDP-MED TLVsTLV, and enter interface configuration mode Lldp med-tlv-select tlv Specify the TLV to enable Monitoring and Maintaining Lldp and LLDP-MED 28-7 28-8 Modes of Operation Configuring UdldUnderstanding Udld 29-1 Methods to Detect Unidirectional Links 29-2 Configuring Udld 29-3 Default Udld Configuration 29-4 Enabling Udld Globally Udld aggressive enable message timeMessage-timer-interval Show udld Enabling Udld on an Interface Resetting an Interface Disabled by UdldUdld reset Show udld Udld port aggressive Displaying Udld Status 29-7 29-8 Understanding Span and Rspan Configuring Span and Rspan30-1 Local Span 30-2 Remote Span 30-3 Span Sessions Span and Rspan Concepts and Terminology30-4 Monitored Traffic 30-5 Source Ports 30-6 Vlan Filtering Source VLANs30-7 Destination Port 30-8 Rspan Vlan Span and Rspan Interaction with Other Features30-9 Span and Rspan and Switch Stacks Configuring Span and Rspan30-10 Span Configuration Guidelines Default Span and Rspan ConfigurationConfiguring Local Span 30-11 Creating a Local Span Session 30-12 Encapsulation replicate Monitor session sessionnumberDestination interface interface-id Show monitor session sessionnumber 30-14 Monitor session sessionnumber filter vlan Specifying VLANs to Filter30-15 Be a Vlan Configuring RspanRspan Configuration Guidelines 30-16 Configuring a Vlan as an Rspan Vlan 30-17 Destination remote vlan vlan-id Creating an Rspan Source SessionInterfaces port-channelport-channel-number. Valid 30-18 Remote vlan vlan-id Creating an Rspan Destination Session30-19 30-20 Untagged vlan vlan-id or vlan vlan-id- Forward incoming Ingress dot1q vlan vlan-id isl untagged30-21 Show monitor session sessionnumber 30-22 Displaying Span and Rspan Status 30-23 30-24 Understanding Rmon Configuring Rmon31-1 Configuring Rmon 31-2 Configuring Rmon Alarms and Events Default Rmon Configuration31-3 Add an event in the Rmon event table that is Rmon event number description string log owner string31-4 Rmon collection history index Collecting Group History Statistics on an InterfaceCollecting Group Ethernet Statistics on an Interface Show rmon history Show rmon statistics Displaying Rmon StatusRmon collection stats index owner ownername 31-6 Understanding System Message Logging Configuring System Message Logging32-1 System Log Message Format Configuring System Message Logging32-2 Text string that uniquely describes the message Hhmmss short uptime32-3 Show running-config Verify your entries Show logging Default System Message Logging ConfigurationNo logging console Disable message logging Disabling Message Logging Logging host Setting the Message Display Destination DeviceLogging buffered size 32-5 Terminal monitor Synchronizing Log MessagesLogging file flash filename Session to see the debugging messages Logging synchronous level severity-level Line console vty line-numberLine vty All limit number-of-buffers Enabling and Disabling Sequence Numbers in Log Messages Enabling and Disabling Time Stamps on Log Messages32-8 Logging monitor level Defining the Message Severity LevelLogging console level Logging trap level Level Description Syslog Definition 32-10 Logging history size number Enabling the Configuration-Change LoggerLogging history level 32-11 Logging Messages to a Unix Syslog Daemon Configuring Unix Syslog Servers32-12 Facility-type keywords Configuring the Unix System Logging FacilityLogging facility facility-type 32-13 Facility Type Keyword Description Displaying the Logging Configuration32-14 Understanding Snmp Configuring Snmp33-1 Snmp Versions 33-2 DES Model Level Authentication Encryption ResultSnmp Manager Functions Operation Description Snmp Agent Functions Using Snmp to Access MIB Variables33-4 Snmp Notifications 33-5 IfIndex Range Configuring SnmpSnmp ifIndex MIB Object Values SVI Snmp Configuration Guidelines Default Snmp Configuration33-7 Disabling the Snmp Agent Configuring Community StringsNo snmp-server Disable the Snmp agent operation 33-8 Snmp-server community string view View-name ro rw access-list-numberAccess-list access-list-number deny Permit source source-wildcard Snmp-server engineID local Configuring Snmp Groups and UsersSnmp-server engineID local engineid-string 33-10 Auth noauth priv read readview Write writeview notify notifyview accessSnmp-server group groupname v1 v2c 33-11 Encrypted access access-list auth md5 Configuring Snmp NotificationsRemote host udp-port port v1 access Notification Type Keyword Description 33-13 33-14 Enable traps command for each trap type Setting the Agent Contact and Location Information33-12 , or enter snmp-server enable traps ? Notification-types Snmp Examples Switchconfig# snmp-server community publicLimiting Tftp Servers Used Through Snmp Snmp-server tftp-server-list Displaying Snmp Status 33-17 33-18 Understanding ACLs Configuring Network Security with ACLs34-1 Supported ACLs 34-2 Port ACLs 34-3 Router ACLs 34-4 Vlan Maps Handling Fragmented and Unfragmented Traffic34-5 ACLs and Switch Stacks 34-6 Configuring IPv4 ACLs 34-7 Creating Standard and Extended IPv4 ACLs Access List NumbersAccess List Number Type Supported 34-8 ACL Logging 34-9 Creating a Numbered Standard ACL Access-list access-list-number deny permitShow access-lists number name Source source-wildcard log Creating a Numbered Extended ACL 34-11 34-12 34-13 34-14 Creating Named Standard and Extended ACLs Resequencing ACEs in an ACL34-15 Any log Ip access-list standard nameIp access-list extended name Tos tos established log time-range Using Time Ranges with ACLs 34-17 Show time-range Absolute start time datePeriodic weekdays weekend daily 34-18 Including Comments in ACLs Switch# show ip access-listsApplying an IPv4 ACL to a Terminal Line 34-19 Out Access-class access-list-numberApplying an IPv4 ACL to an Interface 34-20 Ip access-group access-list-number 34-21 Hardware and Software Treatment of IP ACLs IPv4 ACL Configuration Examples34-22 Switchconfig# access-list 106 permit ip any 172.20.128.64 Switchconfig# access-list 6 permit 172.20.128.6434-23 Extended ACLs Numbered ACLs34-24 Commented IP ACL Entries Named ACLsTime Range Applied to an IP ACL 34-25 Switchconfig-if#ip access-group ext1 Switch# show logging34-26 Creating Named MAC Extended ACLs 34-27 Applying a MAC ACL to a Layer 2 Interface 34-28 Show mac access-group interface interface-id Configuring Vlan MapsMac access-group name ACL Vlan Map Configuration Guidelines 34-30 Action drop forward Vlan access-map name numberCreating a Vlan Map Match ip mac address name Examples of ACLs and Vlan Maps 34-32 34-33 Applying a Vlan Map to a Vlan Using Vlan Maps in Your NetworkWiring Closet Configuration Vlan filter mapname vlan-list list Switchconfig# ip access-list extended matchall Denying Access to a Server on Anothera VlanSwitchconfig# vlan access-map map2 Switchconfig# vlan filter map2 vlan Using Vlan Maps with Router ACLs 34-36 Vlan Maps and Router ACL Configuration Guidelines 34-37 ACLs and Bridged Packets ACLs and Switched PacketsExamples of Router ACLs and Vlan Maps Applied to VLANs 34-38 ACLs and Routed Packets 34-39 ACLs and Multicast Packets Displaying IPv4 ACL ConfigurationShow ip access-lists number name 34-40 Show ip interface interface-id Show running-config interface interface-idShow mac access-group interface interface-id 34-41 34-42 Configuring IPv6 ACLs 35-1 Understanding IPv6 ACLs 35-2 IPv6 ACL Limitations Supported ACL FeaturesIPv6 ACLs and Switch Stacks 35-3 Interaction with Other Features and Switches Configuring IPv6 ACLsDefault IPv6 ACL Configuration 35-4 Creating IPv6 ACLs Ipv6 access-list access-list-name35-5 Value time-range name Dscp value fragments logLog-input routing sequence 35-6 35-7 Ipv6 address ipv6-address Ipv6 traffic-filter access-list-nameApplying an IPv6 ACL to an Interface 35-8 Displaying IPv6 ACLs Show access-listsShow ipv6 access-list access-list-name 35-9 35-10 Configuring QoS 36-1 Understanding QoS 36-2 Basic QoS Model 36-3 36-4 Basic QoS Model Classification 36-5 36-6 Check if packet came with CoS label tag Yes Classification Based on Class Maps and Policy Maps Classification Based on QoS ACLs36-7 Policing and Marking 36-8 Policing on Physical Ports 36-9 Policing on SVIs 36-10 Policing and Marking Flowchart on SVIs 36-11 Mapping Tables 36-12 Queueing and Scheduling Overview 36-13 SRR Shaping and Sharing Weighted Tail Drop36-14 Queueing and Scheduling on Ingress Queues 36-15 Queue Type Function 36-16 WTD Thresholds 36-17 Queueing and Scheduling on Egress Queues 36-18 36-19 Buffer and Memory Allocation 36-20 Packet Modification 36-21 Configuring Auto-QoS 36-22 Generated Auto-QoS Configuration 36-23 Description Automatically Generated Command 36-24 36-25 If you entered the auto qos voip trust command, the switch Switch automatically configures the egress queue bufferSizes. It configures the bandwidth and the SRR mode shaped Or shared on the egress queues mapped to the port Auto-QoS Configuration Guidelines Effects of Auto-QoS on the Configuration36-27 Cisco-softphone trust Enabling Auto-QoS for VoIPAuto qos voip cisco-phone Show auto qos interface interface-id 36-29 Auto-QoS Configuration Example 36-30 Auto qos voip trust Cdp enableDebug auto qos Show auto qos Displaying Auto-QoS Information Configuring Standard QoS36-32 Default Ingress Queue Configuration Default Standard QoS Configuration36-33 Dscp Value Queue ID -Threshold ID Default Egress Queue Configuration36-34 QoS ACL Guidelines Standard QoS Configuration GuidelinesDefault Mapping Table Configuration Applying QoS on Interfaces General QoS Guidelines Policing Guidelines36-36 Enabling VLAN-Based QoS on Physical Ports Enabling QoS Globally36-37 Configuring the Trust State on Ports within the QoS Domain Configuring Classification Using Port Trust States36-38 36-39 15 Port Trusted States within the QoS Domain Show mls qos interface Configuring the CoS Value for an InterfaceMls qos trust cos dscp ip-precedence 36-40 Mls qos cos default-cos override Configuring a Trusted Boundary to Ensure Port Security36-41 Mls qos trust device cisco-phone Enabling Dscp Transparency ModeMls qos trust dscp 36-42 No mls qos rewrite ip dscp 36-43 Show mls qos maps dscp-mutation Mls qos map dscp-mutationMls qos dscp-mutation 36-44 Switchconfig-if#mls qos dscp-mutation gi1/0/2-mutation Configuring a QoS Policy36-45 Classifying Traffic by Using ACLs 36-46 Permit protocol source source-wildcard Switchconfig# access-list 100 permit ip any any dscpSwitchconfig# access-list 102 permit pim any 224.0.0.2 dscp Source-wildcard Mac access-list extended name 36-48 Is match-all Classifying Traffic by Using Class MapsClass-map match-all match-any Match-any keywords Ip-precedence-list Match access-group acl-index-or-nameIp dscp dscp-list ip precedence Show class-map 36-51 Class class-map-name Policy-map policy-map-name36-52 36-53 Show policy-map policy-map-nameclass Service-policy input policy-map-name36-54 Switchconfig-if#service-policy input macpolicy1 Switchconfig# policy-map macpolicy1Switchconfig-pmap#class macclass2 maclist2 36-55 Traffic by Using Class Maps section on 36-56 36-57 Exceed-action policed-dscp-transmit keywords to mark down Police rate-bps burst-byte exceed-actionDrop policed-dscp-transmit 36-58 Service-policy policy-map-name 36-59 Show policy-map policy-map-nameclass Service-policy input policy-map-nameShow mls qos vlan-based Exceed-action drop Mls qos aggregate-policerAggregate-policer-name rate-bps burst-byte Policed-dscp-transmit Show mls qos aggregate-policer Only one policy map per ingress port is supportedAggregate-policer-name Switchconfig-pmap-c#police aggregate transmit1 Configuring Dscp MapsConfiguring the CoS-to-DSCP Map CoS Value Dscp Value IP Precedence Value Dscp Value Configuring the IP-Precedence-to-DSCP MapMls qos map cos-dscp dscp1...dscp8 36-64 Configuring the Policed-DSCP Map 36-65 36-66 Configuring the DSCP-to-CoS MapDscp Value CoS Value Show Show mls qos maps dscp-to-cos Configuring the DSCP-to-DSCP-Mutation MapMls qos map dscp-cos dscp-list to cos 36-67 Switch# show mls qos maps dscp-mutation mutation1 Switchconfig-if#mls qos dscp-mutation mutation136-68 Configuring Ingress Queue Characteristics 36-69 Mls qos srr-queue input threshold Mls qos srr-queue input dscp-mapMls qos srr-queue input cos-map Show mls qos maps Mls qos srr-queue input buffers Allocating Buffer Space Between the Ingress QueuesAllocating Bandwidth Between the Ingress Queues Show mls qos interface buffer Mls qos srr-queue input bandwidth Configuring the Ingress Priority QueueWeight1 weight2 Show mls qos interface queueing Mls qos srr-queue input Configuring Egress Queue CharacteristicsWeight Priority-queue queue-id bandwidth 36-74 Queue-set qset-id Mls qos queue-set output qset-id36-75 36-76 Mls qos srr-queue output cos-map Mls qos srr-queue output dscp-map36-77 Weight2 weight3 weight4 Configuring SRR Shaped Weights on Egress QueuesSrr-queue bandwidth shape weight1 Queueing Srr-queue bandwidth share weight1 Configuring SRR Shared Weights on Egress QueuesConfiguring the Egress Expedite Queue 36-79 Limiting the Bandwidth on an Egress Interface Mls qos Enable QoS on a switchSrr-queue bandwidth limit weight1 36-80 Displaying Standard QoS Information 36-81 Show running-config include rewrite 36-82 Understanding EtherChannels Configuring EtherChannels and Link-State Tracking37-1 EtherChannel Overview 37-2 Single-Switch EtherChannel 37-3 Port-Channel Interfaces 37-4 Port Aggregation Protocol 37-5 PAgP Modes PAgP Interaction with Other FeaturesMode Description Auto Lacp Modes Lacp Interaction with Other FeaturesLink Aggregation Control Protocol 37-7 Load-Balancing and Forwarding Methods EtherChannel On Mode37-8 37-9 EtherChannel and Switch Stacks 37-10 Default EtherChannel Configuration Configuring EtherChannels37-11 EtherChannel Configuration Guidelines 37-12 Configuring Layer 2 EtherChannels 37-13 Active passive Auto non-silent desirable non-silent on37-14 Creating Port-Channel Logical Interfaces Configuring Layer 3 EtherChannelsSwitchconfig-if-range#channel-group 5 mode active 37-15 Show etherchannel channel-group-number detail Configuring the Physical InterfacesInterface port-channel port-channel-number No ip address Must be the same as the port-channel-number logical port Partner that is PAgP capable, configure the switch port forFor channel-group-number, the range is 1 to 48. This number 37-17 Src-dst-ip src-dst-mac src-ip src-mac Configuring EtherChannel Load-BalancingPort-channel load-balance dst-ip dst-mac 37-18 Show etherchannel load-balance Verify your entries Configuring the PAgP Learn Method and Priority37-19 Pagp port-priority priority Configuring Lacp Hot-Standby PortsPagp learn-method physical-port Show pagp channel-group-number internal Show running-config Verify your entries Show lacp sys-id Configuring the Lacp System Priority37-21 Show lacp channel-group-number Configuring the Lacp Port PriorityLacp port-priority priority Internal Understanding Link-State Tracking Displaying EtherChannel, PAgP, and Lacp Status37-23 37-24 Configuring Link-State Tracking 37-25 Configuring Link-State Tracking Default Link-State Tracking ConfigurationLink-State Tracking Configuration Guidelines 37-26 Displaying Link-State Tracking Status Switch show link state groupSwitch show link state group detail 37-27 37-28 Configuring IP Unicast Routing 38-1 Types of Routing Understanding IP Routing38-2 IP Routing and Switch Stacks 38-3 38-4 Configuring IP Addressing Steps for Configuring Routing38-5 Irdp Default Addressing ConfigurationARP 38-6 Use of Subnet Zero Show running-config Verify your entryAssigning IP Addresses to Network Interfaces 38-7 Classless Routing 38-8 No ip classless Disable classless routing behavior Configuring Address Resolution Methods38-9 Arp ip-address hardware-address type Define a Static ARP Cache38-10 Set ARP Encapsulation 38-11 Default Gateway Routing Assistance When IP Routing is DisabledEnable Proxy ARP Proxy ARP Icmp Router Discovery Protocol Irdp 38-13 Configuring Broadcast Packet Handling 38-14 Ip forward-protocol udp port nd sdns Ip directed-broadcast access-list-number38-15 Forwarding UDP Broadcast Packets and Protocols 38-16 Ip broadcast-address ip-address Establishing an IP Broadcast AddressFlooding IP Broadcasts 38-17 Clear host name Monitoring and Maintaining IP AddressingClear arp-cache Clear ip route network mask Enabling IP Unicast Routing 38-19 Configuring RIP 38-20 Router rip Default RIP ConfigurationConfiguring Basic RIP Parameters Network network number 38-22 Ip rip authentication key-chain name-of-chain Configuring RIP AuthenticationConfiguring Summary Addresses and Split Horizon Ip rip authentication mode text md5 Ip summary-address rip ip address ip-network mask Configuring Split HorizonSwitchconfig-router#neighbor 2.2.2.2 peer-group mygroup No ip split horizon No ip split-horizon Configuring Ospf38-25 Default Ospf Configuration 38-26 Ospf Nonstop Forwarding 38-27 Ospf NSF Awareness 38-28 Configuring Ospf Interfaces Configuring Basic Ospf Parameters38-29 38-30 Configuring Ospf Area Parameters 38-31 Configuring Other Ospf Parameters 38-32 38-33 Ip address address mask Configuring a Loopback InterfaceChanging LSA Group Pacing 38-34 Monitoring Ospf Configuring Eigrp38-35 38-36 Default Eigrp Configuration 38-37 Eigrp Nonstop Forwarding 38-38 Network network-number Configuring Basic Eigrp ParametersRouter eigrp autonomous-system Eigrp log-neighbor-changes Ip summary-address eigrp Configuring Eigrp InterfacesNo auto-summary 38-40 No ip split-horizon eigrp autonomous-system-number Configuring Eigrp Route AuthenticationIp hello-interval eigrp autonomous-system-number Show ip eigrp interface Eigrp Stub Routing 38-42 Monitoring and Maintaining Eigrp Configuring BGP38-43 38-44 EBGP, IBGP, and Multiple Autonomous Systems Default BGP Configuration 38-45 38-46 Nonstop Forwarding Awareness 38-47 Network network-number mask network-mask Enabling BGP RoutingRouter bgp autonomous-system Route-map route-map-name 38-49 Managing Routing Policy Changes Switchconfig-router#neighbor 192.208.10.2 remote-asSwitch# show ip bgp neighbors 38-50 Clear ip bgp * address Type of Reset Advantages DisadvantagesShow ip bgp neighbors Show ip bgp Configuring BGP Decision Attributes 38-52 38-53 Configuring BGP Filtering by Neighbor Configuring BGP Filtering with Route Maps38-54 Route-map map-tag in out Ip as-path access-list access-list-numberOut weight weight Show ip bgp neighbors paths Configuring Prefix Lists for BGP Filtering 38-56 Permit deny community-number Configuring BGP Community FilteringIp community-listcommunity-list-number Send-community Ip bgp-community new-format Configuring BGP Neighbors and Peer GroupsSet comm-list list-num delete Show ip bgp community 38-59 Configuring Aggregate Addresses 38-60 Configuring BGP Route Reflectors Configuring Routing Domain Confederations38-61 Bgp cluster-id cluster-id Configuring Route DampeningRoute-reflector-client No bgp client-to-client reflection Monitoring and Maintaining BGP 38-63 Configuring Multi-VRF CE 38-64 Understanding Multi-VRF CE 38-65 38-66 VRF Default Multi-VRF CE ConfigurationMulti-VRF CE Configuration Guidelines 38-67 Import map route-map Configuring VRFsRoute-target export import both Ip vrf forwarding vrf-name Log-adjacency-changes Configuring a VPN Routing SessionShow ip vrf brief detail interfaces Redistribute bgp Multi-VRF CE Configuration Example Configuring BGP PE to CE Routing Sessions38-70 38-71 VPN2 CE1 Configuring Switch a 38-72 Switchconfig-if#ip address 208.0.0.20 Switchconfig-router-af#network 8.8.2.0 maskSwitchconfig-router-af#network 8.8.1.0 mask 38-73 Router# configure terminal 38-74 Displaying Multi-VRF CE Status Configuring Unicast Reverse Path Forwarding38-75 Configuring Distributed Cisco Express Forwarding Configuring Protocol-Independent Features38-76 Configuring the Number of Equal-Cost Routing Paths 38-77 Maximum-paths maximum Configuring Static Unicast RoutesRouter bgp rip ospf eigrp Show ip route Ip default-network network number Specify a default network Specifying Default Routes and NetworksRoute Source Default Distance 38-79 Using Route Maps to Redistribute Routing Information 38-80 38-81 38-82 Configuring Policy-Based Routing 38-83 PBR Configuration Guidelines 38-84 Enabling PBR 38-85 Ip local policy route-map map-tag Ip policy route-map map-tagIp route-cache policy 38-86 Filtering Routing Information Setting Passive Interfaces38-87 Router bgp rip eigrp Controlling Advertising and Processing in Routing UpdatesFiltering Sources of Routing Information 38-88 Ip access list Managing Authentication KeysDistance weight ip-address ip-address mask 38-89 Monitoring and Maintaining the IP Network 38-90 38-91 38-92 Understanding IPv6 Configuring IPv6 Unicast Routing39-1 IPv6 Addresses 39-2 Bit Wide Unicast Addresses Supported IPv6 Unicast Routing Features39-3 ICMPv6 DNS for IPv6Path MTU Discovery for IPv6 Unicast Neighbor Discovery IPv6 Applications 39-5 Dual IPv4 and IPv6 Protocol Stacks Unsupported IPv6 Unicast Routing Features39-6 Limitations IPv6 and Switch Stacks39-7 39-8 Dual IPv4-and IPv6 SDM Templates SDM Templates39-9 Configuring IPv6 39-10 Configuring IPv6 Addressing and Enabling IPv6 Routing Default IPv6 Configuration39-11 39-12 Switchconfig-if#ipv6 address 20010DB8c181/64 eui Configuring IPv4 and IPv6 Protocol StacksIp routing Enable routing on the switch 39-13 39-14 Ipv6 icmp error-interval interval bucketsize Configuring IPv6 Icmp Rate LimitingConfiguring CEF and dCEF for IPv6 Show ipv6 interface interface-id Configuring Static Routing for IPv6 39-16 Ipv6-address interface-id ipv6-address Administrative distanceIpv6 route ipv6-prefix/prefix length 39-17 Show ipv6 static ipv6-address Configuring RIP for IPv6Show ipv6 route static updated Interface-id recursive detail 39-19 Configuring Ospf for IPv6 39-20 39-21 Displaying IPv6 Switch# show ipv6 interface39-22 Switch# show ipv6 rip Switch# show ipv6 cef /0Switch# show ipv6 protocols 39-23 Switch# show ipv6 route Switch# show ipv6 neighborsSwitch# show ipv6 static Switch# show ipv6 traffic 39-25 39-26 Understanding Hsrp Configuring Hsrp and Enhanced Object Tracking40-1 40-2 Multiple Hsrp 40-3 Hsrp and Switch Stacks Configuring Hsrp40-4 Enabling Hsrp Default Hsrp ConfigurationHsrp Configuration Guidelines 40-5 Secondary Switch# show standbyStandby group-number ip ip-address Show standby interface-id group Configuring Hsrp Priority 40-7 Standby group-number track Priority preempt delay delayStandby group-number priority 40-8 Switchconfig-if#standby 2 ip Configuring MhsrpConfiguring Hsrp Authentication and Timers 40-9 Switchconfig-if#standby 1 authentication word Standby group-number authentication stringStandby group-number timers hellotime Holdtime Enabling Hsrp Support for Icmp Redirect Messages Displaying Hsrp ConfigurationsConfiguring Hsrp Groups and Clustering Show standby interface-idgroup brief detail Understanding Enhanced Object Tracking Configuring Enhanced Object Tracking40-12 Track object-number interface Configuring Enhanced Object Tracking FeaturesTracking Interface Line-Protocol or IP Routing State 40-13 Track track-numberlist boolean Configuring a Tracked ListSwitch# show track 33 Track Object object-number not Track track-numberlist threshold WeightThreshold weight up number 40-15 Object object-number Track track-number list thresholdPercentage Threshold percentage up number Configuring Hsrp Object Tracking 40-17 Show standby Configuring Other Tracking Characteristics40-18 Understanding Wccp Configuring Web Cache Services By Using41-1 Wccp Message Exchange 41-2 MD5 Security Packet Redirection and Service GroupsWccp Negotiation 41-3 Wccp and Switch Stacks 41-4 Default Wccp Configuration Configuring WccpUnsupported Wccp Features Wccp Configuration Guidelines Enabling the Web Cache Service 41-6 41-7 41-8 Monitoring and Maintaining Wccp Switchconfig# interface range gigabitethernet1/0/3Switchconfig-if-range#switchport access vlan 41-9 Enabled / disabled 41-10 Configuring IP Multicast Routing 42-1 42-2 IP Multicast Routing Protocols Igmp Version Understanding Igmp42-3 PIM Modes Understanding PIMPIM Versions 42-4 PIM Stub Routing 42-5 Auto-RP 42-6 Multicast Forwarding and Reverse Path Check Bootstrap Router42-7 Network Port Understanding Dvmrp42-8 Understanding Cgmp Multicast Routing and Switch Stacks42-9 Multicast Routing Configuration Guidelines Configuring IP Multicast RoutingDefault Multicast Routing Configuration 42-10 PIMv1 and PIMv2 Interoperability Auto-RP and BSR Configuration Guidelines42-11 Ip multicast-routing distributed Configuring Basic Multicast Routing42-12 Ip pim dense-mode sparse-mode Configuring PIM Stub RoutingIp pim version 1 Sparse-dense-mode Ip pim passive Configuring a Rendezvous PointManually Assigning an RP to Multicast Groups 42-14 Ip pim rp-address ip-address Access-list-number override42-15 Configuring Auto-RP 42-16 Interval seconds Scope ttl group-list access-list-numberIp pim send-rp-announce interface-id 42-17 Show ip pim rp Ip pim send-rp-discovery scope ttlShow ip pim rp mapping 42-18 Ip pim rp-announce-filter rp-list Access-list-number group-list42-19 Ip pim bsr-border Configuring PIMv2 BSR42-20 Ip multicast boundary 42-21 Hash-mask-length priority Ip pim bsr-candidate interface-id42-22 Ip pim rp-candidate interface-id Group-list access-list-number42-23 Group-address mapping Using Auto-RP and a BSRShow ip pim rp group-name Show ip pim rp-hash group Monitoring the RP Mapping Information Configuring Advanced PIM FeaturesTroubleshooting PIMv1 and PIMv2 Interoperability Problems Understanding PIM Shared Tree and Source Tree 42-26 Shared Tree and Source Tree Shortest-Path Tree Ip pim spt-threshold kbps infinity Delaying the Use of PIM Shortest-Path Tree42-27 Ip pim query-interval seconds Configuring Optional Igmp FeaturesModifying the PIM Router-Query Message Interval Show ip igmp interface interface-id Ip igmp join-group group-address Default Igmp ConfigurationConfiguring the Switch as a Member of a Group 42-29 Show ip igmp interface interface-id Verify your entries Controlling Access to IP Multicast GroupsIp igmp access-group access-list-number 42-30 Ip igmp version 1 Changing the Igmp VersionModifying the Igmp Host-Query Message Interval Query-interval or the ip igmp query-max-response-time Ip igmp query-interval seconds Changing the Igmp Query Timeout for IGMPv2Ip igmp querier-timeout seconds 42-32 Ip igmp query-max-response-time Configuring the Switch as a Statically Connected MemberChanging the Maximum Query Response Time for IGMPv2 42-33 Ip igmp static-group group-address Configuring Optional Multicast Routing FeaturesEnabling Cgmp Server Support 42-34 Ip cgmp proxy Configuring sdr Listener Support42-35 Limiting How Long an sdr Cache Entry Exists Ip sdr listen Enable sdr listener supportEnabling sdr Listener Support 42-36 Configuring an IP Multicast Boundary 42-37 Configuring Basic Dvmrp Interoperability Features 42-38 Configuring Dvmrp Interoperability 42-39 Ip dvmrp metric metric list 42-40 Configuring a Dvmrp Tunnel 42-41 Advertising Network 0.0.0.0 to Dvmrp Neighbors Access-list-number distanceNeighbor-list access-list-number Ip dvmrp accept-filter Responding to mrinfo Requests Configuring Advanced Dvmrp Interoperability FeaturesIp dvmrp default-information Originate only Enabling Dvmrp Unicast Routing 42-44 Rejecting a Dvmrp Nonpruning Neighbor 42-45 Enter interface configuration mode 42-46 Limiting the Number of Dvmrp Routes Advertised By default, 7000 routes are advertised. The range is 0 toControlling Route Exchanges Changing the Dvmrp Route Threshold Route-count Configuring a Dvmrp Summary AddressDefault is 10,000 routes. The range is 1 to 42-48 42-49 Mask metric value Disabling Dvmrp AutosummarizationIp dvmrp summary-address address No ip dvmrp auto-summary Increment Adding a Metric Offset to the Dvmrp RouteIp dvmrp metric-offset in out 42-51 Displaying System and Network Statistics Monitoring and Maintaining IP Multicast RoutingClearing Caches, Tables, and Databases 42-52 Monitoring IP Multicast Routing 42-53 42-54 Understanding Msdp Configuring Msdp43-1 Msdp Operation 43-2 Msdp Benefits 43-3 Configuring a Default Msdp Peer Configuring MsdpDefault Msdp Configuration 43-4 Prefix-list list Ip msdp default-peer ip-address name43-5 Seq number permit deny network Caching Source-Active StateIp prefix-list name description string Ip msdp description peer-name Ip msdp cache-sa-state list 43-7 Ip msdp sa-request ip-address name Switchconfig# ip msdp sa-requestRequesting Source Information from an Msdp Peer 43-8 Ip msdp redistribute list Controlling Source Information that Your Switch OriginatesRedistributing Sources 43-9 43-10 Ip msdp filter-sa-request ip-address Name list access-list-numberFiltering Source-Active Request Messages 43-11 Ip msdp sa-filter out ip-address name Controlling Source Information that Your Switch ForwardsUsing a Filter Route-map map-tag 43-13 Ip msdp ttl-threshold ip-address name Controlling Source Information that Your Switch ReceivesUsing TTL to Limit the Multicast Data Sent in SA Messages Ttl Ip msdp sa-filter in ip-address name Switchconfig# ip msdp sa-filter in switch.cisco.com43-15 Ip msdp mesh-group name ip-address Configuring an Msdp Mesh GroupShutting Down an Msdp Peer 43-16 Ip msdp border sa-address interface-id Including a Bordering PIM Dense-Mode Region in MsdpIp msdp shutdown peer-name peer 43-17 Configuring an Originating Address other than the RP Address 43-18 Clear ip msdp statistics peer-addressname Monitoring and Maintaining MsdpClear ip msdp peer peer-addressname Clear ip msdp sa-cache group-addressname 43-20 Fallback Bridging Overview Configuring Fallback BridgingUnderstanding Fallback Bridging 44-1 44-2 Fallback Bridging and Switch Stacks Configuring Fallback Bridging44-3 Creating a Bridge Group Default Fallback Bridging ConfigurationFallback Bridging Configuration Guidelines 44-4 Bridge-group bridge-group Bridge bridge-group protocolVlan-bridge 44-5 Switchconfig# bridge 10 protocol vlan-bridge Adjusting Spanning-Tree Parameters44-6 Bridge bridge-group priority number Changing the VLAN-Bridge Spanning-Tree PriorityChanging the Interface Priority Bridge-group bridge-grouppriority Cost Assigning a Path CostBridge-group bridge-group path-cost 44-8 Bridge bridge-group hello-time seconds Adjusting Bpdu IntervalsSwitchconfig# bridge 10 hello-time 44-9 Bridge bridge-group forward-time Switchconfig# bridge 10 forward-timeSwitchconfig# bridge 10 max-age Bridge bridge-group max-age seconds Clear bridge bridge-group Monitoring and Maintaining Fallback BridgingDisabling the Spanning Tree on an Interface Show bridge bridge-group group 44-12 Troubleshooting 45-1 Recovering from a Software Failure 45-2 Switch loadhelper Recovering from a Lost or Forgotten PasswordSwitch flashinit Switch copy xmodem flashimagefilename.bin 45-4 Procedure with Password Recovery Enabled 45-5 Copy the configuration file into memory 45-6 Switch dir flash Procedure with Password Recovery Disabled45-7 Preventing Switch Stack Problems 45-8 Recovering from a Command Switch Failure 45-9 Switchconfig# no cluster commander-address Replacing a Failed Command Switch with a Cluster Member45-10 Replacing a Failed Command Switch with Another Switch 45-11 45-12 Preventing Autonegotiation Mismatches Recovering from Lost Cluster Member ConnectivityTroubleshooting Power over Ethernet Switch Ports 45-13 Show controllers power inline privileged Exec command Disabled Port Caused by Power LossDisabled Port Caused by False Link Up SFP Module Security and Identification Monitoring SFP Module Status Monitoring TemperatureUsing Ping Understanding Ping Character Description Switch# pingExecuting Ping 45-16 Usage Guidelines Using Layer 2 TracerouteUnderstanding Layer 2 Traceroute 45-17 Understanding IP Traceroute Using IP TracerouteDisplaying the Physical Path 45-18 Traceroute ip host Switch# traceroute ipExecuting IP Traceroute Trace the path that packets take through the network Understanding TDR Using TDR45-20 Running TDR and Displaying the Results Using Debug CommandsEnabling Debugging on a Specific Feature 45-21 Redirecting Debug and Error Message Output Enabling All-System Diagnostics45-22 45-23 Using the show platform forward CommandUdp 10 45-24 Basic crashinfo Files Using the crashinfo Files45-25 Understanding Obfl Using On-Board Failure LoggingExtended crashinfo Files 45-26 Configuring Obfl 45-27 Show logging onboard module Displaying Obfl Information45-28 Understanding Online Diagnostics Configuring Online Diagnostics46-1 Diagnostic schedule switch Configuring Online DiagnosticsScheduling Online Diagnostics Non-disruptive daily hhmm Diagnostic content command output Configuring Health-Monitoring DiagnosticsDiagnostic monitor interval switch Diagnostic monitor syslog Show diagnostic content post result Diagnostic monitor threshold switchDiagnostic monitor switch number test Schedule status switch Diagnostic start switch number Running Online Diagnostic TestsStarting Online Diagnostic Tests All basic non-disruptive Displaying Online Diagnostic Tests and Test Results 46-6 MIB List Supported MIBsCISCO-FTP-CLIENT-MIB CISCO-HSRP-MIB ETHERLIKE-MIB IEEE8021-PAE-MIB IEEE8023-LAG-MIB CISCO-IGMP-FILTER-MIBCISCO-RTTMON-MIB CISCO-SMI-MIB IGMP-MIB INET-ADDRESS-MIB IPMROUTE-MIB TCP-MIB UDP-MIB Using FTP to Access the MIB Files Working with the Flash File System Switch# show file systems Displaying Available File Systems Setting the Default File System Field Value Changing Directories and Displaying the Working Directory Cd newconfigsDisplaying Information about Files on a File System Pwd Creating and Removing Directories Mkdir oldconfigsCopying Files Deleting Files Switch# delete myconfigCreating, Displaying, and Extracting Files Flash Archive /create destination-urlArchive /table source-url Directories are extracted Archive /xtract source-urlExtract a file into a directory on the flash file system More /ascii /binary /ebcdic Working with Configuration Files Guidelines for Creating and Using Configuration Files Configuration File Types and Location Creating a Configuration File By Using a Text Editor Copying Configuration Files By Using Tftp Downloading the Configuration File By Using Tftp Uploading the Configuration File By Using Tftp Copying Configuration Files By Using FTP Ip ftp password password Downloading a Configuration File By Using FTPIp ftp username username Filename systemrunning-config Uploading a Configuration File By Using FTPFtp // username password @ location /directory Filename nvramstartup-config Copy nvramstartup-config Copying Configuration Files By Using RCPCopy systemrunning-config Ftp // username password @ location /directory Filename Hostname Switch1 Ip rcmd remote-username User0 Nvramstartup-config Downloading a Configuration File By Using RCPSystemrunning-config Ip rcmd remote-username username Uploading a Configuration File By Using RCP Clearing Configuration InformationSwitch# copy nvramstartup-config rcp Deleting a Stored Configuration File Clearing the Startup Configuration FileWorking with Software Images Image Location on the Switch File Format of Images on a Server or Cisco.com Copying Image Files By Using Tftp Field Description Preparing to Download or Upload an Image File By Using Tftp Downloading an Image File By Using Tftp Overwrite /reload Allow-feature-upgrade /directoryArchive download-sw Archive download-sw /directory Archive upload-sw Uploading an Image File By Using TftpTftp //location /directory /image-name .tar Copying Image Files By Using FTP Preparing to Download or Upload an Image File By Using FTP Downloading an Image File By Using FTP For /directory /image-name1 .tar Archive download-sw /allow-feature-upgradeDirectory /overwrite /reload Directory /image-name2 .tar image-name3 .tar Uploading an Image File By Using FTP Copying Image Files By Using RCP Preparing to Download or Upload an Image File By Using RCP Downloading an Image File By Using RCP File By Using RCP section on page B-31 Or Upload an Image File By Using RCP section on Uploading an Image File By Using RCP Rcp // username @ location /directory /image-na Copying an Image File from One Stack Member to AnotherMe.tar Source-stack-member-number Archive copy-sw /destination-systemDestination-stack-member-number /force-reload For /destination-system destination-stack-member-number Unsupported Privileged Exec Commands Unsupported Commands Cisco IOS Release 12.237SEAccess Control Lists Unsupported Global Configuration Commands Boot Loader Commands Archive CommandsARP Commands Debug Commands Bridge crb Fallback BridgingBridge bridge-groupacquire Bridge bridge-group domain domain-name bridge irb Hsrp X25 map bridge x.121-address broadcast options-keywords Interface Commands Igmp Snooping CommandsIP Multicast Routing Show ip rtp header-compression type number detail Ip pim accept-rpaddress auto-rpgroup-access-list-numberShow ip pim vc group-address name type number Ip multicast-routing vrf vrf-name Unsupported Privileged Exec or User Exec Commands IP Unicast Routing Unsupported VPN Configuration Commands Unsupported BGP Router Configuration CommandsUnsupported Route Map Commands Miscellaneous MAC Address CommandsShow cable-diagnostics prbs Test cable-diagnostics prbs Set tag tag-value NetFlow Commands Msdp Unsupported Policy-Map Configuration Command Network Address Translation NAT CommandsUnsupported Global Configuration Command QoS Unsupported Privileged Exec Command Unsupported Interface Configuration CommandUnsupported User Exec Commands Spanning Tree Numerics IN-1 ACLs IN-2 Hsrp CDP Lldp RIPEigrp TACACS+ Cidr BGPIN-4 Bpdu IN-5 Cgmp CDPCEF CLI CNS IN-7 IN-8 DNS DhcpIN-9 Vmps SnmpTACACS+ Udld Wccp Dhcp option IN-11 DTP IN-12 Dvmrp IN-13 Dynamic ARP inspection IN-14 Lacp IN-15 FIB STPIN-16 FTP Mstp STPIN-17 Icmp HttpsIN-18 Igmp IN-19 IN-20 IP addresses IN-21 Mbone IN-22 IGP IN-23 IP unicast routing IN-24 ISL IN-25 LLDP-MED IN-26 IN-27 Mhsrp MDAIN-28 Msdp IN-29 MTU CSTIST IN-30 NAC IN-31 NSSA, Ospf IN-32 PBR ObflIN-33 PIM IN-34 Port-based authentication IN-35 Vvid PvidIN-36 Private VLANs IN-37 QoS IN-38 IN-39 RCP IN-40 Rmon Radius TACACS+RFC IN-41 Rstp RPSRspan IN-42 SDM IN-43 Snmp IN-44 SRR SpanIN-45 VTP SSLIN-46 Stacks, switch IN-47 LLDP-MED Ospf IN-48 STP IN-49 IN-50 System message logging IN-51 IN-52 IN-53 IN-54 VLANs IN-55 VQP VPNIN-56 WTD IN-57 IN-58