Manuals / Cisco Systems / Computer Equipment / Webcam

Cisco Systems 3750E manual Using Vlan Maps with Router ACLs, 34-36

Models: 3750E

1 1236

Download 1236 pages 40.08 Kb

Page 734

Image 734

Chapter 34 Configuring Network Security with ACLs

Using VLAN Maps with Router ACLs

Figure 34-5 Deny Access to a Server on Another a VLAN

VLAN map

10.1.1.100

Server (VLAN 10)

10.1.1.4

Host (VLAN 10)

10.1.1.8

Host (VLAN 10)

			Subnet
	10.1.2.0/8






		Host (VLAN 20)
		Host (VLAN 20)
Layer 3 switch
		Packet		101356
		Packet		101356

	This example shows how to deny access to a server on another VLAN by creating the VLAN map
	SERVER 1 that denies access to hosts in subnet 10.1.2.0.8, host 10.1.1.4, and host 10.1.1.8 and permits
	other IP traffic. The final step is to apply the map SERVER1 to VLAN 10.

Step 1	Define the IP ACL that will match the correct packets.
	Switch(config)# ip access-list extended SERVER1_ACL
	Switch(config-ext-nacl))#permit ip 10.1.2.0 0.0.0.255 host 10.1.1.100
	Switch(config-ext-nacl))#permit ip host 10.1.1.4 host 10.1.1.100
	Switch(config-ext-nacl))#permit ip host 10.1.1.8 host 10.1.1.100
	Switch(config-ext-nacl))# exit
Step 2	Define a VLAN map using this ACL that will drop IP packets that match SERVER1_ACL and forward
	IP packets that do not match the ACL.
	Switch(config)# vlan access-map SERVER1_MAP
	Switch(config-access-map)#match ip address SERVER1_ACL
	Switch(config-access-map)# action drop
	Switch(config)# vlan access-map SERVER1_MAP 20
	Switch(config-access-map)# action forward
	Switch(config-access-map)# exit
Step 3	Apply the VLAN map to VLAN 10.
	Switch(config)# vlan filter SERVER1_MAP vlan-list 10.

Using VLAN Maps with Router ACLs

To access control both bridged and routed traffic, you can use VLAN maps only or a combination of router ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN interfaces, and you can define a VLAN map to access control the bridged traffic.

If a packet flow matches a VLAN-map deny clause in the ACL, regardless of the router ACL configuration, the packet flow is denied.

	Catalyst 3750-E and 3560-E Switch Software Configuration Guide
34-36	OL-9775-02

Page 734

Image 734

Cisco Systems 3750E manual Using Vlan Maps with Router ACLs, 34-36

Contents

Americas Headquarters Text Part Number OL-9775-02Page N T E N T S IiiAssigning the Switch IP Address and Default Gateway Understanding Cisco Configuration Engine Software Clustering Switches Catalyst 1900 and Catalyst 2820 CLI Considerations ViiCreating a Banner ViiiChanging the Default Privilege Level for Lines Device Roles Bypass Routed Ports XiiMonitoring and Maintaining the Interfaces XiiiEncapsulation Types XivDomain Names Private-VLAN Configuration Guidelines XviDisabled State XviiBoundary Ports XviiiXix 19-25Dhcp Server Configuring Dynamic ARP Inspection XxiConfiguring MVR XxiiUnderstanding Storm Control XxiiiUnderstanding Udld Modes of Operation XxivCreating an Rspan Source Session XxvSnmp Agent Functions XxviCreating a Numbered Extended ACL XxviiInteraction with Other Features and Switches XxviiiXxix Port-Channel Interfaces XxxConfiguring IP Addressing XxxiNonstop Forwarding Awareness XxxiiIPv6 Addresses XxxiiiConfiguring Hsrp Priority XxxivConfiguring IP Multicast Routing XxxvConfiguring Basic Dvmrp Interoperability Features XxxviUsing a Filter XxxviiXxxviii 45-14Configuring Online Diagnostics XxxixUnsupported Route-Map Configuration Commands C-1 Hsrp XliVTP XliiPurpose PrefaceAudience ConventionsRelated Publications XlivXlv Xlvi Features OverviewDeployment Features Availability and Redundancy Features, Vlan Features,Overview Features Performance Features Management Options Manageability Features Availability and Redundancy Features Vlan Features Security FeaturesOverview Features QoS and CoS Features Layer 3 Features Power over Ethernet Features Vlan Default Settings After Initial Switch ConfigurationMonitoring Features Overview Default Settings After Initial Switch Configuration Overview Default Settings After Initial Switch Configuration Network Configuration Examples Design Concepts for Using the SwitchNetwork Demands Suggested Design Methods Cost-Effective Wiring Closet High-Performance Wiring Closet High-Performance Workgroup Gigabit-to-the-Desktop Redundant Gigabit Backbone Server Aggregation Linux Server Cluster Cisco SoftPhone Software Gigabit servers Internet Cisco 2600 or 3700 routers Catalyst 3560-E switches Large Network Using Catalyst 3750-E and 3560-E Switches Cisco 7x00 routers Catalyst Catalyst 3560-E Multidwelling Network Using Catalyst 3750-E Switches Long-Distance, High-Bandwidth Transport Configuration 11 Catalyst 3750-E Switches in a MAN ConfigurationWhere to Go Next Access layer Aggregation layerOL-9775-02 Using the Command-Line Interface Understanding Command ModesQuit Mode Access Method Prompt Exit Method About This ModeConfigure Ctrl-ZUnderstanding the Help System Console commandCommand Purpose Line vty or lineCommand ? Understanding Abbreviated CommandsUnderstanding no and default Forms of Commands Command keyword ?Error Message Meaning How to Get Help Understanding CLI Error MessagesUsing Configuration Logging Recalling Commands Using Command HistoryChanging the Command History Buffer Size Action1 ResultEnabling and Disabling Editing Features Using Editing FeaturesDisabling the Command History Feature Switch# terminal editingEditing Commands through Keystrokes Capability Keystroke1 PurposePress Ctrl-L or Ctrl-R Editing Command Lines that WrapReturn and Space bar Switch# show interfaces include protocol Accessing the CLICommand begin include exclude regular-expression Using the Command-Line Interface Accessing the CLI OL-9775-02 Assigning the Switch IP Address and Default Gateway Understanding the Boot ProcessAssigning Switch Information Feature Default Setting Default Switch InformationUnderstanding DHCP-Based Autoconfiguration Dhcp Client Request Process Dhcp Client and Server Message ExchangeConfiguring DHCP-Based Autoconfiguration Dhcp Server Configuration GuidelinesConfiguring the Tftp Server Configuring the DNSRouterconfig-if#ip helper-address Configuring the Relay DeviceObtaining Configuration Files Example Configuration TftpserverTftp Server Configuration on Unix Switch a Switch B Switch C Switch DDNS Server Configuration Dhcp Client ConfigurationManually Assigning IP Information Switch# copy running-config startup-config Checking and Saving the Running ConfigurationSwitch# show running-config Automatically Downloading a Configuration File Modifying the Startup ConfigurationDefault Boot Configuration Show boot Booting ManuallyBoot config-file flash/ file-url Configure terminal Enter global configuration modeBooting a Specific Software Image Boot system filesystem /file-urlBoot system switch number all Controlling Environment VariablesSwitch current-stack-member-number renumber Set Manualboot yes Boot manualSet Switchnumber Set SwitchpriorityVariable Description Configuring a Scheduled ReloadScheduling a Reload of the Software Image Reload in hhmm textDisplaying Scheduled Reload Information Switch# reload atSwitch# reload at 0200 jun Configuring Cisco IOS CNS Agents Understanding Cisco Configuration Engine SoftwareConfiguration Service Configuration Engine Architectural OverviewWhat You Should Know About the CNS IDs and Device Hostnames Event ServiceConfigID NameSpace MapperHostname and DeviceID Using Hostname, DeviceID, and ConfigIDDeviceID Initial Configuration Understanding Cisco IOS AgentsSynchronized Configuration Configuring Cisco IOS AgentsIncremental Partial Configuration Enabling Automated CNS ConfigurationDevice Required Configuration Enabling the CNS Event Agent Backup init-retry retry-count keepalive secondsShow running-config Show cns event connectionsEnabling an Initial Configuration Enabling the Cisco IOS CNS AgentMac-address event Cns config initial ip-address hostnameCns id interface num dns-reverse ipaddress Cns id hardware-serial hostname string stringCns config partial ip-address hostname Enabling a Partial ConfigurationShow running-config Verify your entries Show cns config statsShow cns event stats Displaying CNS ConfigurationShow cns config connections Show cns event subjectManaging Switch Stacks Understanding Switch StacksManaging Switch Stacks Understanding Switch Stacks Switch Stack Membership Creating a Switch Stack from Two Standalone Switches Adding a Standalone Switch to a Switch Stack Stack Master Election and Re-ElectionSwitch Stack Bridge ID and Router MAC Address Stack Member NumbersStack Member Priority Values Scenario Result Switch Stack Offline ConfigurationEffects of Adding a Provisioned Switch to a Switch Stack Scenario Result Switch Stack Software Compatibility Recommendations Effects of Replacing a Provisioned Switch in a Switch StackStack Protocol Version Compatibility Major Version Number Incompatibility Among SwitchesMinor Version Number Incompatibility Among Switches Understanding Auto-Upgrade and Auto-Advise Directory Auto-Upgrade and Auto-Advise Example MessagesSwitch Mar 1 000422.537%IMAGEMGR-6-AUTOADVISESW Incompatible Software and Stack Member Image Upgrades Switch Stack Configuration FilesSwitch Stack Management Connectivity Connectivity to Specific Stack Members Connectivity to the Switch Stack Through an IP AddressConnectivity to the Switch Stack Through an SSH Session Priority new-priority-number global Switch Stack Configuration ScenariosUse the switch stack-member-number Current-stack-member-number Renumber new-stack-member-number Enabling Persistent MAC Address Configuring the Switch StackDefault Switch Stack Configuration Switchconfig# stack-mac persistent timer Stack-mac persistent timerShow switch Time-valueAssigning a Stack Member Number Setting the Stack Member Priority ValueAssigning Stack Member Information Provisioning a New Member for a Switch Stack Command Description Accessing the CLI of a Specific Stack MemberDisplaying Switch Stack Information Show switch stack-member-numberDetail Show switch stack-portsShow switch stack-ring activity OL-9775-02 Clustering Switches Understanding Switch ClustersSwitch Cisco IOS Release Cluster Capability Cluster Command Switch Characteristics Standby Cluster Command Switch CharacteristicsPlanning a Switch Cluster Candidate Switch and Cluster Member Switch CharacteristicsAutomatic Discovery of Cluster Candidates and Members Discovery Through CDP HopsDiscovery Through CDP Hops Discovery Through Different VLANs Discovery Through Different Management VLANs Discovery Through Different VLANsDiscovery Through Routed Ports Discovery of Newly Installed Switches New out-of-boxHsrp and Standby Cluster Command Switches Virtual IP Addresses Other Considerations for Cluster Standby GroupsAutomatic Recovery of Cluster Configuration IP Addresses HostnamesPasswords Snmp Community StringsMembers Other cluster member switches Switch Clusters and Switch StacksSwitch Stack Switch Cluster TACACS+ and Radius LRE ProfilesCatalyst 1900 and Catalyst 2820 CLI Considerations Using the CLI to Manage Switch ClustersSwitch# rcommand Using Snmp to Manage Switch Clusters Snmp Management for a ClusterOL-9775-02 Understanding the System Clock Administering the SwitchManaging the System Time and Date Understanding Network Time Protocol NTPConfiguring NTP Typical NTP Network ConfigurationNtp authenticate Default NTP ConfigurationConfiguring NTP Authentication Configuring NTP Associations Ntp peer ip-address version number Configuring NTP Broadcast ServiceSwitchconfig# ntp server 172.16.22.44 version Key keyid source interface preferDestination-address Interface interface-idNtp broadcast version number key keyid Ntp broadcast clientNtp access-group query-only Configuring NTP Access RestrictionsNtp broadcastdelay microseconds Serve-onl y serve peerCommand Purpose Configuring the Source IP Address for NTP Packets Interface interface-idSetting the System Clock Configuring Time and Date ManuallyDisplaying the NTP Configuration Fundamentals Command Reference, ReleaseClock timezone zone hours-offset Displaying the Time and Date ConfigurationConfiguring the Time Zone Minutes-offsetWeek day month hh mm week day month Configuring Summer Time Daylight Saving TimeClock summer-time zone recurring Hh mm offsetClock summer-time zone date date Configuring a System Name and PromptClock summer-time zone date month Copy running-config startup-confi g Default System Name and Prompt ConfigurationConfiguring a System Name Understanding DNSIp domain-name name Default DNS ConfigurationSetting Up DNS Ip name-server server-address1Creating a Banner Default Banner ConfigurationDisplaying the DNS Configuration Unix telnet Configuring a Message-of-the-Day Login BannerBanner motd c message c Managing the MAC Address Table Configuring a Login BannerBanner login c message c Building the Address Table MAC Addresses and VLANsChanging the Address Aging Time MAC Addresses and Switch StacksDefault MAC Address Table Configuration Mac address-table aging-time Configuring MAC Address Notification TrapsRemoving Dynamic Address Entries Show mac address-table aging-timeSnmp-server host host-addr traps informs version String by using the snmp-server communitySnmp-server enable traps mac-notification Mac address-table notificationAdding and Removing Static Address Entries Vlan vlan-id interface interface-id Configuring Unicast MAC Address FilteringMac address-table static mac-addr Show mac address-table staticVlan vlan-id drop Managing the ARP Table Displaying Address Table EntriesOL-9775-02 Configuring SDM Templates Understanding the SDM TemplatesResource Access Default Routing Dual IPv4 and IPv6 SDM TemplatesSDM Templates and Switch Stacks IPv4-and-IPv6 Resource Default RoutingSDM Template Configuration Guidelines Configuring the Switch SDM TemplateDefault SDM Template Dual-ipv4-and-ipv6 default routing Setting the SDM TemplateSdm prefer access default Vlan routing vlanDisplaying the SDM Templates Switchconfig# sdm prefer routingSwitchconfig# sdm prefer dual-ipv4-and-ipv6 default Policy based routing aces 25K OL-9775-02 Configuring Switch-Based Authentication Preventing Unauthorized Access to Your SwitchProtecting Access to Privileged Exec Commands Default Password and Privilege Level ConfigurationSwitchconfig# enable password l1u2c3k4y5 Setting or Changing a Static Enable PasswordEnable password password Enable secret level level password Enable password level level passwordEncryption-type encrypted-password Service password-encryptionShow version Disabling Password RecoveryNo service password-recovery Password password Setting a Telnet Password for a Terminal LineConfiguring Username and Password Pairs Switchconfig-line#password let45me67in89Login local Configuring Multiple Privilege LevelsUsername command Username name privilege levelShow privilege Setting the Privilege Level for a CommandPrivilege mode level level command Logging into and Exiting a Privilege Level Changing the Default Privilege Level for LinesCommand Controlling Switch Access with TACACS+ Understanding TACACS+Typical TACACS+ Network Configuration Configuring TACACS+ TACACS+ OperationAaa new-model Default TACACS+ ConfigurationTacacs-server host hostname port Aaa group server tacacs+ group-nameShow tacacs Verify your entries Configuring TACACS+ Login AuthenticationAaa new-model Enable AAA Authentication login command Aaa authentication login defaultLogin authentication default Line console tty vty line-numberShow running-config Verify your entries Starting TACACS+ Accounting Controlling Switch Access with RadiusDisplaying the TACACS+ Configuration Understanding Radius Transitioning from Radius to TACACS+ Services Radius OperationIdentifying the Radius Server Host Configuring RadiusDefault Radius Configuration Page Ip-address auth-port port-number Acct-port port-number timeoutRadius-server host hostname Seconds retransmit retries keyConfiguring Radius Login Authentication Switchconfig# radius-server host host1Server Host section on Defining AAA Server Groups Aaa group server radius group-name Aaa authorization network radius RadiusStarting Radius Accounting Radius-server key string Configuring Settings for All Radius ServersRadius-server timeout seconds Radius-server retransmit retriesCisco-avpair=shellpriv-lvl=15 AuthenticationRadius-server vsa send accounting Cisco-avpair=ipoutacl#2=deny ip 10.10.10.10 0.0.255.255 anyRadius-server host hostname ip-address non-standard Controlling Switch Access with KerberosDisplaying the Radius Configuration Understanding Kerberos Term Definition KDCKeytab Authenticating to a Boundary SwitchKerberos Operation SrvtabObtaining a TGT from a KDC Configuring KerberosAuthenticating to Network Services Aaa authorization network local Aaa authentication login default localAaa authorization exec local Username name privilege level Configuring the Switch for Secure ShellUsername command Understanding SSH SSH Servers, Integrated Clients, and Supported VersionsLimitations Configuring SSHConfiguration Guidelines Setting Up the Switch to Run SSH Ip ssh timeout seconds Displaying the SSH Configuration and StatusConfiguring the SSH Server Authentication-retries numberCertificate Authority Trustpoints Configuring the Switch for Secure Socket Layer HttpUnderstanding Secure Http Servers and Clients Rsakeypair TP-self-signed-3080755072 CipherSuites Configuring Secure Http Servers and ClientsDefault SSL Configuration SSL Configuration Guidelines Configuring a CA TrustpointConfiguring the Secure Http Server Show ip http server secure status Configuring the Secure Http ClientIp http timeout-policy idle seconds life Ip http client secure-trustpoint nameIp http client secure-ciphersuite Configuring the Switch for Secure Copy ProtocolDisplaying Secure Http Server and Client Status Show ip http client secure statusInformation About Secure Copy HtmlOL-9775-02 10-1 Configuring Ieee 802.1x Port-Based AuthenticationUnderstanding Ieee 802.1x Port-Based Authentication Device Roles 10-2Authentication Process 10-3Authentication Flowchart 10-4Authentication Initiation and Message Exchange 10-510-6 EAPOL-Start10-7 Ieee 802.1x Authentication and Switch StacksPorts in Authorized and Unauthorized States Ieee 802.1x Host Mode 10-8Attribute Number AV Pair Name Ieee 802.1x AccountingIeee 802.1x Accounting Attribute-Value Pairs 10-9Using Ieee 802.1x Authentication with Vlan Assignment 10-10Using Ieee 802.1x Authentication with Per-User ACLs 10-11Using Ieee 802.1x Authentication with Guest Vlan 10-12Using Ieee 802.1x Authentication with Restricted Vlan 10-1310-14 Using Ieee 802.1x Authentication with Voice Vlan Ports 10-15Using Ieee 802.1x Authentication with Port Security 10-16Using Ieee 802.1x Authentication with Wake-on-LAN 10-1710-18 10-19 Using Multidomain AuthenticationNetwork Admission Control Layer 2 Ieee 802.1x Validation 10-20 Using Web AuthenticationFor example Configuring Ieee 802.1x Authentication 10-2110-22 Default Ieee 802.1x Authentication ConfigurationAAA 10-23 Ieee 802.1x Authentication Configuration GuidelinesIeee 802.1x Authentication 10-24 10-25 Configuring Ieee 802.1x AuthenticationMAC Authentication Bypass Configuring the Switch-to-RADIUS-Server Communication 10-26Ip-address auth-port port-number key 10-27Multi-domain Configuring the Host ModeDot1x host-mode multi-host Show dot1x interface interface-id10-29 Configuring Periodic Re-AuthenticationManually Re-Authenticating a Client Connected to a Port Changing the Quiet Period Changing the Switch-to-Client Retransmission TimeDot1x timeout tx-period seconds Show dot1x interface interface-id Verify your entriesShow dot1xinterface interface-id Verify your entries Setting the Switch-to-Client Frame-Retransmission NumberSwitchconfig-if#dot1x timeout tx-period Dot1x max-reauth-req countSwitchconfig-if#dot1x max-reauth-req Setting the Re-Authentication NumberConfiguring Ieee 802.1x Accounting 10-32Configuring a Guest Vlan 10-33Switchconfig# interface gigabitethernet2/0/2 Configuring a Restricted VlanSwitchport mode private-vlan host Dot1x guest-vlan vlan-idAttempts Dot1x auth-fail vlan vlan-idDot1x auth-fail max-attempts max 10-35Radius-server dead-criteria time time Configuring the Inaccessible Authentication Bypass FeatureSwitchconfig-if#dot1x auth-fail max-attempts Tries tries10-37 Reinitialize vlan vlan-id Configuring Ieee 802.1x Authentication with WoLDot1x critical recovery action Show dot1x interface interface-idSwitchconfig-if#dot1x mac-auth-bypass Configuring MAC Authentication BypassSwitchconfig-if#dot1x control-direction both Dot1x control-direction bothConfiguring NAC Layer 2 Ieee 802.1x Validation 10-40Configuring Web Authentication 10-4110-42 Dot1x fallback fallback-profile Disabling Ieee 802.1x Authentication on the PortNo dot1x pae Disable Ieee 802.1x authentication on the port 10-43Displaying Ieee 802.1x Statistics and Status 10-4411-1 Configuring Interface CharacteristicsUnderstanding Interface Types 11-2 Switch PortsPort-Based VLANs 11-3 Access PortsTrunk Ports 11-4 Routed PortsTunnel Ports 11-5 Switch Virtual InterfacesEtherChannel Port Groups Supported Protocols and Standards Power over Ethernet PortsGigabit Ethernet Interfaces 11-611-7 Powered-Device Detection and Initial Power AllocationClass Power Management Modes 11-8Power Monitoring and Power Policing 11-9Maximum Power Allocation Cutoff Power on a PoE Port 11-10Connecting Interfaces 11-11Ethernet Management Port 11-12Connecting a Switch Stack to a PC 11-13Tftp 11-14Mgmtshow Using Interface Configuration ModeMgmtinit MgmtclrProcedures for Configuring Interfaces 11-16Macroname Configuring a Range of InterfacesInterface range port-range macro Show interfaces interface-id11-18 Define interface-range macroname Configuring and Using Interface Range MacrosShow running-config include define Interface range macro macronameSwitch# show run include define Configuring Ethernet InterfacesSwitch# show running-config include define 11-20Default Ethernet Interface Configuration 11-2111-22 Configuring Interface Speed and Duplex ModeSpeed and Duplex Configuration Guidelines Nonegotiate Setting the Interface Speed and Duplex ParametersSpeed 10 100 1000 auto 10 Duplex auto full half11-24 Configuring Ieee 802.3x Flow ControlFlowcontrol receive on off desired With Correct Cabling Configuring Auto-MDIX on an InterfaceLocal Side Auto-MDIX 11-2511-26 Configuring a Power Management Mode on a PoE PortInterface-id phy Show power inline i nterface-id Budgeting Power for Devices Connected to a PoE PortPower inline auto max max-wattage Neve r static max max-wattageWattage 11-28Configuring Power Policing 11-29Adding a Description for an Interface 11-30Switch# show interfaces gigabitethernet1/0/2 description Configuring Layer 3 InterfacesConfiguring Ethernet Management Ports 11-31No shutdown No switchportInterface gigabitethernet interface-id vlan vlan-id 11-32Configuring the System MTU 11-33System mtu routing bytes Use the system mtu jumbo Use the system mtu routingSystem mtu jumbo bytes 11-34Reload Configuring the Cisco Redundant Power SystemSystem mtu bytes Show system mtuStandby Power rps switch-number name string serialnumberPower rps switch-number port rps-port-id mode active 11-36Show env power Configuring the Power SuppliesPower supply switch-numberoff on Show env rps11-38 Monitoring and Maintaining the InterfacesMonitoring Interface Status Clearing and Resetting Interfaces and Counters 11-39Shutdown Shutting Down and Restarting the InterfaceInterface vlan vlan-id gigabitethernet interface-id 11-4012-1 Configuring Smartports MacrosUnderstanding Smartports Macros Macro Name Description Configuring Smartports MacrosDefault Smartports Macro Configuration 12-2Smartports Macro Configuration Guidelines 12-3Name Sample-Macro and macro name sample-macro will result Creating Smartports MacrosMacro name macro-name Show parser macro name macro-nameApplying Smartports Macros 12-5Show parser macro macro-name Applying Cisco-Default Smartports MacrosShow parser macro 12-612-7 Switch# show parser macro cisco-desktopSwitchconfig-if#macro apply cisco-desktop $AVID Show parser macro description interface Displaying Smartports MacrosShow parser macro brief 12-813-1 Configuring VLANsUnderstanding VLANs 13-2 13-3 Supported VLANsVlan Port Membership Modes Configuring Normal-Range VLANs 13-4Vlan ID 13-513-6 Normal-Range Vlan Configuration GuidelinesToken Ring VLANs Vlan Configuration in config-vlan Mode Vlan Configuration Mode OptionsSaving Vlan Configuration Vlan Configuration in Vlan Database Configuration ModeVLANxxxx, where Default Ethernet Vlan ConfigurationParameter Default Range 13-8Remote-span Copy running-config startup configCreating or Modifying an Ethernet Vlan 13-913-10 Deleting a VlanVlan database No vlan vlan-id Assigning Static-Access Ports to a VlanSwitchport access vlan vlan-id Show vlan briefShow interfaces interface-id switchport Configuring Extended-Range VLANsDefault Vlan Configuration Vlan fields of the displayExtended-Range Vlan Configuration Guidelines 13-13Show vlan id vlan-id Vtp mode transparentCreating an Extended-Range Vlan 13-14Creating an Extended-Range Vlan with an Internal Vlan ID Switchconfig# vtp mode transparentSwitch# copy running-config startup config Show vlan internal usageDisplaying VLANs Configuring Vlan TrunksCommand Command Mode Purpose Trunking OverviewSwitches in an ISL Trunking Environment 13-17Encapsulation Function Mode FunctionEncapsulation Types 13-18Ieee 802.1Q Configuration Considerations Default Layer 2 Ethernet Interface Vlan ConfigurationConfiguring an Ethernet Interface as a Trunk Port 13-19Dot1q negotiate Interaction with Other FeaturesConfiguring a Trunk Port 13-20Defining the Allowed VLANs on a Trunk 13-21All except remove vlan-list Switchport trunk allowed vlan addChanging the Pruning-Eligible List 13-22Except none remove vlan-list Configuring the Native Vlan for Untagged TrafficSwitchport trunk pruning vlan add Vlan ,vlanSwitchport trunk native vlan vlan-id Configuring Trunk Ports for Load SharingLoad Sharing Using STP Port Priorities 13-2413-25 Connect to the trunk ports configured on Switch a Load Sharing Using STP Path CostOr switch stack Exit Return to global configuration modeIsl dot1q negotiate Switchport trunk encapsulationInterface gigabitethernet1/0/1 Spanning-tree vlan 2-4 cost13-28 Configuring VmpsUnderstanding Vmps Dynamic-Access Port Vlan Membership Default Vmps Client ConfigurationVmps Configuration Guidelines 13-2913-30 Configuring the Vmps ClientEntering the IP Address of the Vmps Reconfirming Vlan Memberships Configuring Dynamic-Access Ports on Vmps ClientsSwitchport access vlan dynamic Vmps reconfirmVmps reconfirm minutes Changing the Reconfirmation IntervalChanging the Retry Count 13-32Switch# show vmps Troubleshooting Dynamic-Access Port Vlan MembershipVmps Configuration Example Monitoring the VmpsDynamic Port Vlan Membership Configuration 13-3414-1 Configuring VTPUnderstanding VTP VTP Domain 14-2VTP Advertisements VTP Mode DescriptionVTP Modes 14-314-4 VTP VersionVTP Pruning 14-5 Vlan14-6 Configuring VTPVTP and Switch Stacks VTP Configuration in Global Configuration Mode Default VTP ConfigurationVTP Configuration Options 14-7Passwords VTP Configuration GuidelinesVTP Configuration in Vlan Database Configuration Mode Domain NamesVTP Version Configuring a VTP ServerConfiguration Requirements 14-9Show vtp status Vtp password passwordVtp password password Vtp serverSwitch# vlan database Configuring a VTP ClientVtp mode client 14-11Disabling VTP VTP Transparent Mode 14-1214-13 Enabling VTP VersionVtp version Vtp pruning Adding a VTP Client Switch to a VTP DomainEnabling VTP Pruning 14-1414-15 Monitoring VTP 14-1615-1 Configuring Voice VlanUnderstanding Voice Vlan 15-2 Cisco IP Phone Voice TrafficCisco IP Phone Data Traffic Voice Vlan Configuration Guidelines Configuring Voice VlanDefault Voice Vlan Configuration 15-3Configuring a Port Connected to a Cisco 7960 IP Phone 15-4Configuring Cisco IP Phone Voice Traffic 15-5Configuring the Priority of Incoming Data Frames 15-6Displaying Voice Vlan 15-715-8 16-1 Configuring Private VLANsUnderstanding Private VLANs 16-2 Private-VLAN DomainIP Addressing Scheme with Private VLANs 16-316-4 Private VLANs across Multiple SwitchesPrivate-VLAN Interaction with Other Features 16-5 Private VLANs and Unicast, Broadcast, and Multicast TrafficPrivate VLANs and SVIs Private VLANs and Switch Stacks Configuring Private VLANsTasks for Configuring Private VLANs 16-6Secondary and Primary Vlan Configuration Default Private-VLAN ConfigurationPrivate-VLAN Configuration Guidelines 16-7Private-VLAN Port Configuration 16-8Limitations with Other Features 16-9Configuring and Associating VLANs in a Private Vlan 16-1016-11 Show vlan private-vlan typeShow interfaces status Switch# show interfaces gigabitethernet1/0/22 switchport Configuring a Layer 2 Interface as a Private-VLAN Host PortSwitchport private-vlan host-association Primaryvlanid secondaryvlanidAdd remove secondaryvlanlist Switchport mode private-vlan promiscuousSwitchport private-vlan mapping primaryvlanid 16-13Private-vlan mapping add remove Switch# show interfaces private-vlan mappingInterface vlan primaryvlanid Show interface private-vlan mappingMonitoring Private VLANs 16-1516-16 17-1 Configuring Ieee 802.1Q and Layer 2 Protocol TunnelingUnderstanding Ieee 802.1Q Tunneling Ieee 802.1Q Tunnel Ports in a Service-Provider Network 17-217-3 Ieee 802.1Q Tunneling Configuration Guidelines Configuring Ieee 802.1Q TunnelingDefault Ieee 802.1Q Tunneling Configuration Native VLANsSystem MTU 17-5Ieee 802.1Q Tunneling and Other Features 17-6Show dot1q-tunnel Configuring an Ieee 802.1Q Tunneling PortVlan dot1q tag native Show vlan dot1q tag nativeUnderstanding Layer 2 Protocol Tunneling 17-817-9 Layer 2 Protocol TunnelingConfiguring Layer 2 Protocol Tunneling 17-10Default Layer 2 Protocol Tunneling Configuration 17-11Layer 2 Protocol Tunneling Configuration Guidelines 17-12Configuring Layer 2 Protocol Tunneling 17-13L2protocol-tunnel point-to-point Configuring Layer 2 Tunneling for EtherChannelsConfiguring the SP Edge Switch Pagp lacp udld17-15 Configuring the Customer Switch 17-1617-17 Switchconfig-if#channel-group 1 mode desirableSwitchconfig# interface port-channel Monitoring and Maintaining Tunneling Status 17-1818-1 Configuring STPUnderstanding Spanning-Tree Features STP Overview 18-2Spanning-Tree Topology and BPDUs 18-3Bridge ID, Switch Priority, and Extended System ID 18-4Bit Switch Priority ValueSpanning-Tree Interface States 32768 16384 8192 4096 2048 1024 512 256 1282illustrates how an interface moves through the states 18-6Learning State Blocking StateListening State Forwarding State18-8 How a Switch or Port Becomes the Root Switch or Root PortDisabled State Accelerated Aging to Retain Connectivity Spanning Tree and Redundant ConnectivitySpanning-Tree Address Management 18-918-10 Spanning-Tree Modes and ProtocolsSupported Spanning-Tree Instances VLAN-Bridge Spanning Tree Spanning-Tree Interoperability and Backward CompatibilitySTP and Ieee 802.1Q Trunks Rapid PVST+18-12 Configuring Spanning-Tree FeaturesSpanning Tree and Switch Stacks 18-13 Default Spanning-Tree ConfigurationSpanning-Tree Configuration Guidelines 18-14 Changing the Spanning-Tree Mode 18-15Show spanning-tree vlan vlan-id Verify your entries Configuring the Root SwitchDisabling Spanning Tree 18-16Show spanning-tree detail Spanning-tree vlan vlan-id root primaryDiameter net-diameter hello-time seconds 18-17Spanning-tree vlan vlan-id root secondary Configuring a Secondary Root SwitchConfiguring Port Priority Diameter net-diameter hello-timeShow spanning-tree interface interface-id Spanning-tree port-priority prioritySpanning-tree vlan vlan-id port-priority priority Show spanning-tree vlan vlan-idSpanning-tree cost cost Configuring Path CostPort-channel-number Spanning-tree vlan vlan-id cost cost18-21 Configuring the Switch Priority of a VlanSpanning-tree vlan vlan-id priority priority Spanning-tree vlan vlan-id hello-time seconds Configuring Spanning-Tree TimersConfiguring the Hello Time 18-22Spanning-tree vlan vlan-id forward-time Configuring the Forwarding-Delay Time for a VlanConfiguring the Maximum-Aging Time for a Vlan Spanning-tree vlan vlan-idmax-age secondsShow spanning-tree detail Verify your entries Configuring the Transmit Hold-CountDisplaying the Spanning-Tree Status 18-24Configuring Mstp 19-119-2 Understanding MstpMultiple Spanning-Tree Regions 19-3 IST, CIST, and CSTOperations Within an MST Region Operations Between MST Regions 19-4Cisco Prestandard Cisco Standard Hop CountIeee 802.1s Terminology 19-519-6 Boundary PortsIeee 802.1s Implementation 19-7 Interoperation Between Legacy and Standard SwitchesPort Role Naming Change 19-8 Mstp and Switch StacksDetecting Unidirectional Link Failure Port Roles and the Active Topology Understanding RstpInteroperability with Ieee 802.1D STP 19-9Rapid Convergence 19-10Synchronization of Port Roles 19-1119-12 Bridge Protocol Data Unit Format and ProcessingBit Function Processing Inferior Bpdu Information Topology ChangesProcessing Superior Bpdu Information 19-13Configuring Mstp Features 19-1419-15 Default Mstp ConfigurationMstp Configuration Guidelines Instance instance-id vlan vlan-range Specifying the MST Region Configuration and Enabling MstpSpanning-tree mst configuration Name nameShow pending Spanning-tree mode mstRevision version ExitSpanning-tree mst instance-id root primary 19-1819-19 19-20 Spanning-tree mst instance-id port-priority priorityShow spanning-tree mst interface interface-id Spanning-tree mst instance-id cost cost 19-21Spanning-tree mst instance-id priority priority Configuring the Switch PriorityConfiguring the Hello Time 19-22Spanning-tree mst forward-time seconds Configuring the Forwarding-Delay TimeShow spanning-tree mst Verify your entries Show spanning-tree mstSpecifying the Link Type to Ensure Rapid Transitions Configuring the Maximum-Aging TimeConfiguring the Maximum-Hop Count Spanning-tree mst max-age secondsDesignating the Neighbor Type 19-2519-26 Displaying the MST Configuration and StatusRestarting the Protocol Migration Process 20-1 Configuring Optional Spanning-Tree FeaturesUnderstanding Optional Spanning-Tree Features 20-2 Understanding Port FastUnderstanding Bpdu Guard 20-3 Understanding Bpdu FilteringUnderstanding UplinkFast Switches in a Hierarchical Network 20-4Understanding Cross-Stack UplinkFast 20-5How Csuf Works 20-620-7 Understanding BackboneFastEvents that Cause Fast Convergence 20-8 BackboneFast Example Before Indirect Link FailureAdding a Switch in a Shared-Medium Topology 20-920-10 Understanding EtherChannel GuardUnderstanding Root Guard Understanding Loop Guard 20-11Enabling Port Fast Default Optional Spanning-Tree ConfigurationOptional Spanning-Tree Configuration Guidelines 20-12Spanning-tree portfast trunk Spanning-tree portfast trunk interface configurationEnabling Bpdu Guard Portfast20-14 Spanning-tree portfast Enable the Port Fast featureEnabling Bpdu Filtering Enabling UplinkFast for Use with Redundant Links 20-15Enabling Cross-Stack UplinkFast Spanning-tree uplinkfast max-update-rateUplinkfast command Enabling BackboneFastShow spanning-tree summary Verify your entries Spanning-tree backbonefast Enable BackboneFastEnabling EtherChannel Guard 20-1720-18 Enabling Root GuardEnabling Loop Guard 20-19 20-20 Flex Links 21-121-2 Switchport backup interface preemption delay commandsVlan Flex Link Load Balancing and Support MAC Address-Table Move Update 21-3MAC Address-Table Move Update Example 21-421-5 Configuration GuidelinesDefault Configuration Show interface interface-id switchport backup Configuring Flex LinksSwitchport backup interface interface-id Switch# show interface switchport backupDelay delay-time Switchport backup interface interface-id preemptionMode forced bandwidth off 21-7Show interfaces interface-id switchport backup Configuring Vlan Load Balancing on Flex LinksSwitchport backup interface interface-id prefer vlan Switch#show interfaces switchport backupPrimary vlan vlan-id Configuring the MAC Address-Table Move Update FeatureSwitchport backup interface interface-idmmu 21-9Switch# show mac-address-table move update End Return to global configuration modeSwitchconf# mac address-table move update transmit 21-10Monitoring Flex Links and the MAC Address-Table Move Update 21-1121-12 22-1 Configuring Dhcp Features and IP Source GuardUnderstanding Dhcp Features Dhcp Snooping Dhcp ServerDhcp Relay Agent 22-2Option-82 Data Insertion 22-322-4 Dhcp Relay Agent in a Metropolitan Ethernet NetworkRemote ID Suboption Frame Format 22-5Release Cisco IOS Dhcp Server DatabaseDhcp Snooping Binding Database 22-622-7 Default Dhcp Configuration Configuring Dhcp FeaturesDhcp Snooping and Switch Stacks 22-8Dhcp Snooping Configuration Guidelines 22-922-10 Configuring the Dhcp ServerDhcp Server and Switch Stacks Ip helper-address address Configuring the Dhcp Relay AgentSpecifying the Packet Forwarding Address 22-11Enabling Dhcp Snooping and Option Switchport mode accessSwitchport access vlan vlan-id Interface range port-range22-13 Enabling the Dhcp Snooping Binding Database Agent Enabling Dhcp Snooping on Private VLANsEnabling the Cisco IOS Dhcp Server Database Ip dhcp snooping databaseDisplaying Dhcp Snooping Information 22-1522-16 Understanding IP Source GuardSource IP Address Filtering IP Source Guard Configuration Guidelines Configuring IP Source GuardDefault IP Source Guard Configuration Source IP and MAC Address FilteringEnabling IP Source Guard 22-18Displaying IP Source Guard Information 22-1922-20 23-1 Configuring Dynamic ARP InspectionUnderstanding Dynamic ARP Inspection 23-2 ARP Cache PoisoningInterface Trust States and Network Security 23-323-4 Rate Limiting of ARP PacketsRelative Priority of ARP ACLs and Dhcp Snooping Entries Logging of Dropped Packets Configuring Dynamic ARP InspectionDefault Dynamic ARP Inspection Configuration 23-5Dynamic ARP Inspection Configuration Guidelines 23-6Ip arp inspection vlan vlan-range Configuring Dynamic ARP Inspection in Dhcp EnvironmentsShow cdp neighbors 23-7Configuring ARP ACLs for Non-DHCP Environments 23-823-9 No ip arp inspection trust Show arp access-list acl-nameLimiting the Rate of Incoming ARP Packets Specified with the ip arp inspection vlan loggingPerforming Validation Checks 23-11Src-mac dst-mac ip Configuring the Log BufferIp arp inspection validate Show ip arp inspection vlan23-13 Ip arp inspection log-buffer entriesNumber logs number interval Displaying Dynamic ARP Inspection Information 23-14Clear ip arp inspection log Clear ip arp inspection statisticsShow ip arp inspection statistics vlan Show ip arp inspection log23-16 Configuring Igmp Snooping and MVR 24-1Understanding Igmp Snooping 24-224-3 Igmp VersionsJoining a Multicast Group 224.1.2.3 24-4Leaving a Multicast Group 24-5Igmp Report Suppression Igmp Configurable-Leave TimerImmediate Leave 24-6Default Igmp Snooping Configuration Configuring Igmp SnoopingIgmp Snooping and Switch Stacks PIM-DVMRP24-8 Enabling or Disabling Igmp SnoopingIp igmp snooping vlan vlan-id Learn cgmp pim-dvmrp Setting the Snooping MethodIp igmp snooping vlan vlan-id mrouter Show ip igmp snooping24-10 Configuring a Multicast Router PortShow ip igmp snooping mrouter vlan vlan-id Ip igmp snooping vlan vlan-id static ipaddress Configuring a Host Statically to Join a GroupEnabling Igmp Immediate Leave Show ip igmp snooping groupsConfiguring the Igmp Leave Timer 24-12Controlling the Multicast Flooding Time After a TCN Event Configuring TCN-Related CommandsRecovering from Flood Mode Count24-14 Disabling Multicast Flooding During a TCN EventNo ip igmp snooping tcn flood Configuring the Igmp Snooping Querier 24-1524-16 Disabling Igmp Report SuppressionNo ip igmp snooping report-suppression Displaying Igmp Snooping Information 24-17Understanding Multicast Vlan Registration 24-18Using MVR in a Multicast Television Application 24-19MVR Configuring MVRDefault MVR Configuration 24-20Mvr Enable MVR on the switch MVR Configuration Guidelines and LimitationsConfiguring MVR Global Parameters 24-21Configuring MVR Interfaces 24-22Show mvr Mvr type source receiverMvr immediate Show mvr interface Show mvr members24-24 Configuring Igmp Filtering and ThrottlingDisplaying MVR Information 24-25 Default Igmp Filtering and Throttling ConfigurationConfiguring Igmp Profiles Range ip multicast address Ip igmp profile profile numberPermit deny Show ip igmp profile profile numberApplying Igmp Profiles Setting the Maximum Number of Igmp GroupsSwitch# show ip igmp profile Ip igmp filter profile numberEtherChannel group or a EtherChannel interface Configuring the Igmp Throttling ActionShow running-config interface Verify the configuration Interface-idReplace Displaying Igmp Filtering and Throttling ConfigurationIp igmp max-groups action deny Show ip igmp profile profile24-30 25-1 Configuring IPv6 MLD SnoopingUnderstanding MLD Snooping 25-2 Multicast Client Aging Robustness MLD MessagesMLD Queries 25-3MLD Done Messages and Immediate-Leave Multicast Router DiscoveryMLD Reports 25-4Topology Change Notification Processing Configuring IPv6 MLD SnoopingMLD Snooping in Switch Stacks 25-525-6 Default MLD Snooping ConfigurationMLD Snooping Configuration Guidelines Ipv6 mld snooping vlan vlan-id Enabling or Disabling MLD SnoopingIpv6 mld snooping 25-7Show ipv6 mld snooping multicast-address user Configuring a Static Multicast GroupIpv6 mld snooping vlan vlan-id static Show ipv6 mld snooping multicast-address vlanShow ipv6 mld snooping mrouter vlan vlan-id Enabling MLD Immediate LeaveIpv6 mld snooping vlan vlan-id mrouter 25-9Configuring MLD Snooping Queries 25-1025-11 Displaying MLD Snooping InformationDisabling MLD Listener Message Suppression Vlan-id ipv6-multicast-address Show ipv6 mld snooping querier vlan vlan-idVlan-id count dynamic user 25-12Understanding Storm Control Configuring Port-Based Traffic ControlConfiguring Storm Control 26-126-2 Broadcast Storm Control Example26-3 Default Storm Control ConfigurationConfiguring Storm Control and Threshold Levels Bps-low pps pps pps-low Storm-control broadcast multicastUnicast level level level-low bps bps Storm-control action shutdown trapShow storm-control interface-id broadcast Configuring Protected PortsDefault Protected Port Configuration Multicast unicastConfiguring a Protected Port Configuring Port BlockingProtected Port Configuration Guidelines 26-6Blocking Flooded Traffic on an Interface Configuring Port SecurityDefault Port Blocking Configuration 26-726-8 Understanding Port SecuritySecure MAC Addresses Security Violations 26-9Forwarded1 Trap Message Message2 Increments Default Port Security ConfigurationPort Security Configuration Guidelines 26-1026-11 Enabling and Configuring Port Security 26-12Shutdown vlan Switchport port-security violationProtect restrict shutdown 26-1326-14 Switchconfig-if#switchport port-security mac-address sticky Switchconfig-if#switchport port-securitySwitchconfig-if#switchport port-security maximum Switchconfig-if#switchport port-security violation restrictEnabling and Configuring Port Security Aging 26-16Port Security and Private VLANs Port Security and Switch StacksSwitchconfig# interface GigabitEthernet 1/0/8 26-17Show port-security interface interface-idvlan Displaying Port-Based Traffic Control SettingsShow port-security interface interface-idaddress 26-1827-1 Configuring CDPUnderstanding CDP Default CDP Configuration Configuring CDPCDP and Switch Stacks Configuring the CDP CharacteristicsCdp advertise-v2 Disabling and Enabling CDPCdp holdtime seconds Show cdpDisabling and Enabling CDP on an Interface No cdp enable Disable CDP on the interfaceCdp enable Enable CDP on the interface after disabling it 27-4Monitoring and Maintaining CDP 27-527-6 Understanding Lldp Configuring Lldp and LLDP-MEDUnderstanding Lldp and LLDP-MED 28-1Understanding LLDP-MED 28-2Configuring Lldp Characteristics Configuring Lldp and LLDP-MEDDefault Lldp Configuration 28-3Disabling and Enabling Lldp Globally 28-4Disabling and Enabling Lldp on an Interface 28-5No lldp med-tlv-select tlv Specify the TLV to disable Configuring LLDP-MED TLVsTLV, and enter interface configuration mode Lldp med-tlv-select tlv Specify the TLV to enableMonitoring and Maintaining Lldp and LLDP-MED 28-728-8 Modes of Operation Configuring UdldUnderstanding Udld 29-1Methods to Detect Unidirectional Links 29-2Configuring Udld 29-3Default Udld Configuration 29-4Enabling Udld Globally Udld aggressive enable message timeMessage-timer-interval Show udldEnabling Udld on an Interface Resetting an Interface Disabled by UdldUdld reset Show udld Udld port aggressiveDisplaying Udld Status 29-729-8 30-1 Configuring Span and RspanUnderstanding Span and Rspan Local Span 30-2Remote Span 30-330-4 Span and Rspan Concepts and TerminologySpan Sessions Monitored Traffic 30-5Source Ports 30-630-7 Source VLANsVlan Filtering Destination Port 30-830-9 Span and Rspan Interaction with Other FeaturesRspan Vlan 30-10 Configuring Span and RspanSpan and Rspan and Switch Stacks Span Configuration Guidelines Default Span and Rspan ConfigurationConfiguring Local Span 30-11Creating a Local Span Session 30-12Encapsulation replicate Monitor session sessionnumberDestination interface interface-id Show monitor session sessionnumber30-14 30-15 Specifying VLANs to FilterMonitor session sessionnumber filter vlan Be a Vlan Configuring RspanRspan Configuration Guidelines 30-16Configuring a Vlan as an Rspan Vlan 30-17Destination remote vlan vlan-id Creating an Rspan Source SessionInterfaces port-channelport-channel-number. Valid 30-1830-19 Creating an Rspan Destination SessionRemote vlan vlan-id 30-20 30-21 Ingress dot1q vlan vlan-id isl untaggedUntagged vlan vlan-id or vlan vlan-id- Forward incoming Show monitor session sessionnumber 30-22Displaying Span and Rspan Status 30-2330-24 31-1 Configuring RmonUnderstanding Rmon Configuring Rmon 31-231-3 Default Rmon ConfigurationConfiguring Rmon Alarms and Events 31-4 Rmon event number description string log owner stringAdd an event in the Rmon event table that is Rmon collection history index Collecting Group History Statistics on an InterfaceCollecting Group Ethernet Statistics on an Interface Show rmon historyShow rmon statistics Displaying Rmon StatusRmon collection stats index owner ownername 31-632-1 Configuring System Message LoggingUnderstanding System Message Logging 32-2 Configuring System Message LoggingSystem Log Message Format 32-3 Hhmmss short uptimeText string that uniquely describes the message Show running-config Verify your entries Show logging Default System Message Logging ConfigurationNo logging console Disable message logging Disabling Message LoggingLogging host Setting the Message Display Destination DeviceLogging buffered size 32-5Terminal monitor Synchronizing Log MessagesLogging file flash filename Session to see the debugging messagesLogging synchronous level severity-level Line console vty line-numberLine vty All limit number-of-buffers32-8 Enabling and Disabling Time Stamps on Log MessagesEnabling and Disabling Sequence Numbers in Log Messages Logging monitor level Defining the Message Severity LevelLogging console level Logging trap levelLevel Description Syslog Definition 32-10Logging history size number Enabling the Configuration-Change LoggerLogging history level 32-1132-12 Configuring Unix Syslog ServersLogging Messages to a Unix Syslog Daemon Facility-type keywords Configuring the Unix System Logging FacilityLogging facility facility-type 32-1332-14 Displaying the Logging ConfigurationFacility Type Keyword Description 33-1 Configuring SnmpUnderstanding Snmp Snmp Versions 33-2DES Model Level Authentication Encryption ResultSnmp Manager Functions Operation Description33-4 Using Snmp to Access MIB VariablesSnmp Agent Functions Snmp Notifications 33-5IfIndex Range Configuring SnmpSnmp ifIndex MIB Object Values SVI33-7 Default Snmp ConfigurationSnmp Configuration Guidelines Disabling the Snmp Agent Configuring Community StringsNo snmp-server Disable the Snmp agent operation 33-8Snmp-server community string view View-name ro rw access-list-numberAccess-list access-list-number deny Permit source source-wildcardSnmp-server engineID local Configuring Snmp Groups and UsersSnmp-server engineID local engineid-string 33-10Auth noauth priv read readview Write writeview notify notifyview accessSnmp-server group groupname v1 v2c 33-11Encrypted access access-list auth md5 Configuring Snmp NotificationsRemote host udp-port port v1 access Notification Type Keyword Description33-13 33-14 Enable traps command for each trap type Setting the Agent Contact and Location Information33-12 , or enter snmp-server enable traps ? Notification-typesSnmp Examples Switchconfig# snmp-server community publicLimiting Tftp Servers Used Through Snmp Snmp-server tftp-server-listDisplaying Snmp Status 33-1733-18 34-1 Configuring Network Security with ACLsUnderstanding ACLs Supported ACLs 34-2Port ACLs 34-3Router ACLs 34-434-5 Handling Fragmented and Unfragmented TrafficVlan Maps ACLs and Switch Stacks 34-6Configuring IPv4 ACLs 34-7Creating Standard and Extended IPv4 ACLs Access List NumbersAccess List Number Type Supported 34-8ACL Logging 34-9Creating a Numbered Standard ACL Access-list access-list-number deny permitShow access-lists number name Source source-wildcard logCreating a Numbered Extended ACL 34-1134-12 34-13 34-14 34-15 Resequencing ACEs in an ACLCreating Named Standard and Extended ACLs Any log Ip access-list standard nameIp access-list extended name Tos tos established log time-rangeUsing Time Ranges with ACLs 34-17Show time-range Absolute start time datePeriodic weekdays weekend daily 34-18Including Comments in ACLs Switch# show ip access-listsApplying an IPv4 ACL to a Terminal Line 34-19Out Access-class access-list-numberApplying an IPv4 ACL to an Interface 34-20Ip access-group access-list-number 34-2134-22 IPv4 ACL Configuration ExamplesHardware and Software Treatment of IP ACLs 34-23 Switchconfig# access-list 6 permit 172.20.128.64Switchconfig# access-list 106 permit ip any 172.20.128.64 34-24 Numbered ACLsExtended ACLs Commented IP ACL Entries Named ACLsTime Range Applied to an IP ACL 34-2534-26 Switch# show loggingSwitchconfig-if#ip access-group ext1 Creating Named MAC Extended ACLs 34-27Applying a MAC ACL to a Layer 2 Interface 34-28Show mac access-group interface interface-id Configuring Vlan MapsMac access-group name ACLVlan Map Configuration Guidelines 34-30Action drop forward Vlan access-map name numberCreating a Vlan Map Match ip mac address nameExamples of ACLs and Vlan Maps 34-3234-33 Applying a Vlan Map to a Vlan Using Vlan Maps in Your NetworkWiring Closet Configuration Vlan filter mapname vlan-list listSwitchconfig# ip access-list extended matchall Denying Access to a Server on Anothera VlanSwitchconfig# vlan access-map map2 Switchconfig# vlan filter map2 vlanUsing Vlan Maps with Router ACLs 34-36Vlan Maps and Router ACL Configuration Guidelines 34-37ACLs and Bridged Packets ACLs and Switched PacketsExamples of Router ACLs and Vlan Maps Applied to VLANs 34-38ACLs and Routed Packets 34-39ACLs and Multicast Packets Displaying IPv4 ACL ConfigurationShow ip access-lists number name 34-40Show ip interface interface-id Show running-config interface interface-idShow mac access-group interface interface-id 34-4134-42 Configuring IPv6 ACLs 35-1Understanding IPv6 ACLs 35-2IPv6 ACL Limitations Supported ACL FeaturesIPv6 ACLs and Switch Stacks 35-3Interaction with Other Features and Switches Configuring IPv6 ACLsDefault IPv6 ACL Configuration 35-435-5 Ipv6 access-list access-list-nameCreating IPv6 ACLs Value time-range name Dscp value fragments logLog-input routing sequence 35-635-7 Ipv6 address ipv6-address Ipv6 traffic-filter access-list-nameApplying an IPv6 ACL to an Interface 35-8Displaying IPv6 ACLs Show access-listsShow ipv6 access-list access-list-name 35-935-10 Configuring QoS 36-1Understanding QoS 36-2Basic QoS Model 36-336-4 Basic QoS ModelClassification 36-536-6 Check if packet came with CoS label tag Yes36-7 Classification Based on QoS ACLsClassification Based on Class Maps and Policy Maps Policing and Marking 36-8Policing on Physical Ports 36-9Policing on SVIs 36-10Policing and Marking Flowchart on SVIs 36-11Mapping Tables 36-12Queueing and Scheduling Overview 36-1336-14 Weighted Tail DropSRR Shaping and Sharing Queueing and Scheduling on Ingress Queues 36-15Queue Type Function 36-16WTD Thresholds 36-17Queueing and Scheduling on Egress Queues 36-1836-19 Buffer and Memory Allocation 36-20Packet Modification 36-21Configuring Auto-QoS 36-22Generated Auto-QoS Configuration 36-23Description Automatically Generated Command 36-2436-25 If you entered the auto qos voip trust command, the switch Switch automatically configures the egress queue bufferSizes. It configures the bandwidth and the SRR mode shaped Or shared on the egress queues mapped to the port36-27 Effects of Auto-QoS on the ConfigurationAuto-QoS Configuration Guidelines Cisco-softphone trust Enabling Auto-QoS for VoIPAuto qos voip cisco-phone Show auto qos interface interface-id36-29 Auto-QoS Configuration Example 36-30Auto qos voip trust Cdp enableDebug auto qos Show auto qos36-32 Configuring Standard QoSDisplaying Auto-QoS Information 36-33 Default Standard QoS ConfigurationDefault Ingress Queue Configuration 36-34 Default Egress Queue ConfigurationDscp Value Queue ID -Threshold ID QoS ACL Guidelines Standard QoS Configuration GuidelinesDefault Mapping Table Configuration Applying QoS on Interfaces36-36 Policing GuidelinesGeneral QoS Guidelines 36-37 Enabling QoS GloballyEnabling VLAN-Based QoS on Physical Ports 36-38 Configuring Classification Using Port Trust StatesConfiguring the Trust State on Ports within the QoS Domain 36-39 15 Port Trusted States within the QoS DomainShow mls qos interface Configuring the CoS Value for an InterfaceMls qos trust cos dscp ip-precedence 36-4036-41 Configuring a Trusted Boundary to Ensure Port SecurityMls qos cos default-cos override Mls qos trust device cisco-phone Enabling Dscp Transparency ModeMls qos trust dscp 36-42No mls qos rewrite ip dscp 36-43Show mls qos maps dscp-mutation Mls qos map dscp-mutationMls qos dscp-mutation 36-4436-45 Configuring a QoS PolicySwitchconfig-if#mls qos dscp-mutation gi1/0/2-mutation Classifying Traffic by Using ACLs 36-46Permit protocol source source-wildcard Switchconfig# access-list 100 permit ip any any dscpSwitchconfig# access-list 102 permit pim any 224.0.0.2 dscp Source-wildcardMac access-list extended name 36-48Is match-all Classifying Traffic by Using Class MapsClass-map match-all match-any Match-any keywordsIp-precedence-list Match access-group acl-index-or-nameIp dscp dscp-list ip precedence Show class-map36-51 36-52 Policy-map policy-map-nameClass class-map-name 36-53 36-54 Service-policy input policy-map-nameShow policy-map policy-map-nameclass Switchconfig-if#service-policy input macpolicy1 Switchconfig# policy-map macpolicy1Switchconfig-pmap#class macclass2 maclist2 36-55Traffic by Using Class Maps section on 36-5636-57 Exceed-action policed-dscp-transmit keywords to mark down Police rate-bps burst-byte exceed-actionDrop policed-dscp-transmit 36-58Service-policy policy-map-name 36-59Show mls qos vlan-based Service-policy input policy-map-nameShow policy-map policy-map-nameclass Exceed-action drop Mls qos aggregate-policerAggregate-policer-name rate-bps burst-byte Policed-dscp-transmitAggregate-policer-name Only one policy map per ingress port is supportedShow mls qos aggregate-policer Switchconfig-pmap-c#police aggregate transmit1 Configuring Dscp MapsConfiguring the CoS-to-DSCP Map CoS Value Dscp ValueIP Precedence Value Dscp Value Configuring the IP-Precedence-to-DSCP MapMls qos map cos-dscp dscp1...dscp8 36-64Configuring the Policed-DSCP Map 36-6536-66 Configuring the DSCP-to-CoS MapDscp Value CoS Value ShowShow mls qos maps dscp-to-cos Configuring the DSCP-to-DSCP-Mutation MapMls qos map dscp-cos dscp-list to cos 36-6736-68 Switchconfig-if#mls qos dscp-mutation mutation1Switch# show mls qos maps dscp-mutation mutation1 Configuring Ingress Queue Characteristics 36-69Mls qos srr-queue input threshold Mls qos srr-queue input dscp-mapMls qos srr-queue input cos-map Show mls qos mapsMls qos srr-queue input buffers Allocating Buffer Space Between the Ingress QueuesAllocating Bandwidth Between the Ingress Queues Show mls qos interface bufferMls qos srr-queue input bandwidth Configuring the Ingress Priority QueueWeight1 weight2 Show mls qos interface queueingMls qos srr-queue input Configuring Egress Queue CharacteristicsWeight Priority-queue queue-id bandwidth36-74 36-75 Mls qos queue-set output qset-idQueue-set qset-id 36-76 36-77 Mls qos srr-queue output dscp-mapMls qos srr-queue output cos-map Weight2 weight3 weight4 Configuring SRR Shaped Weights on Egress QueuesSrr-queue bandwidth shape weight1 QueueingSrr-queue bandwidth share weight1 Configuring SRR Shared Weights on Egress QueuesConfiguring the Egress Expedite Queue 36-79Limiting the Bandwidth on an Egress Interface Mls qos Enable QoS on a switchSrr-queue bandwidth limit weight1 36-80Displaying Standard QoS Information 36-81Show running-config include rewrite 36-8237-1 Configuring EtherChannels and Link-State TrackingUnderstanding EtherChannels EtherChannel Overview 37-2Single-Switch EtherChannel 37-3Port-Channel Interfaces 37-4Port Aggregation Protocol 37-5PAgP Modes PAgP Interaction with Other FeaturesMode Description AutoLacp Modes Lacp Interaction with Other FeaturesLink Aggregation Control Protocol 37-737-8 EtherChannel On ModeLoad-Balancing and Forwarding Methods 37-9 EtherChannel and Switch Stacks 37-1037-11 Configuring EtherChannelsDefault EtherChannel Configuration EtherChannel Configuration Guidelines 37-12Configuring Layer 2 EtherChannels 37-1337-14 Auto non-silent desirable non-silent onActive passive Creating Port-Channel Logical Interfaces Configuring Layer 3 EtherChannelsSwitchconfig-if-range#channel-group 5 mode active 37-15Show etherchannel channel-group-number detail Configuring the Physical InterfacesInterface port-channel port-channel-number No ip addressMust be the same as the port-channel-number logical port Partner that is PAgP capable, configure the switch port forFor channel-group-number, the range is 1 to 48. This number 37-17Src-dst-ip src-dst-mac src-ip src-mac Configuring EtherChannel Load-BalancingPort-channel load-balance dst-ip dst-mac 37-1837-19 Configuring the PAgP Learn Method and PriorityShow etherchannel load-balance Verify your entries Pagp port-priority priority Configuring Lacp Hot-Standby PortsPagp learn-method physical-port Show pagp channel-group-number internal37-21 Configuring the Lacp System PriorityShow running-config Verify your entries Show lacp sys-id Show lacp channel-group-number Configuring the Lacp Port PriorityLacp port-priority priority Internal37-23 Displaying EtherChannel, PAgP, and Lacp StatusUnderstanding Link-State Tracking 37-24 Configuring Link-State Tracking 37-25Configuring Link-State Tracking Default Link-State Tracking ConfigurationLink-State Tracking Configuration Guidelines 37-26Displaying Link-State Tracking Status Switch show link state groupSwitch show link state group detail 37-2737-28 Configuring IP Unicast Routing 38-138-2 Understanding IP RoutingTypes of Routing IP Routing and Switch Stacks 38-338-4 38-5 Steps for Configuring RoutingConfiguring IP Addressing Irdp Default Addressing ConfigurationARP 38-6Use of Subnet Zero Show running-config Verify your entryAssigning IP Addresses to Network Interfaces 38-7Classless Routing 38-838-9 Configuring Address Resolution MethodsNo ip classless Disable classless routing behavior 38-10 Define a Static ARP CacheArp ip-address hardware-address type Set ARP Encapsulation 38-11Default Gateway Routing Assistance When IP Routing is DisabledEnable Proxy ARP Proxy ARPIcmp Router Discovery Protocol Irdp 38-13Configuring Broadcast Packet Handling 38-1438-15 Ip directed-broadcast access-list-numberIp forward-protocol udp port nd sdns Forwarding UDP Broadcast Packets and Protocols 38-16Ip broadcast-address ip-address Establishing an IP Broadcast AddressFlooding IP Broadcasts 38-17Clear host name Monitoring and Maintaining IP AddressingClear arp-cache Clear ip route network maskEnabling IP Unicast Routing 38-19Configuring RIP 38-20Router rip Default RIP ConfigurationConfiguring Basic RIP Parameters Network network number38-22 Ip rip authentication key-chain name-of-chain Configuring RIP AuthenticationConfiguring Summary Addresses and Split Horizon Ip rip authentication mode text md5Ip summary-address rip ip address ip-network mask Configuring Split HorizonSwitchconfig-router#neighbor 2.2.2.2 peer-group mygroup No ip split horizon38-25 Configuring OspfNo ip split-horizon Default Ospf Configuration 38-26Ospf Nonstop Forwarding 38-27Ospf NSF Awareness 38-2838-29 Configuring Basic Ospf ParametersConfiguring Ospf Interfaces 38-30 Configuring Ospf Area Parameters 38-31Configuring Other Ospf Parameters 38-3238-33 Ip address address mask Configuring a Loopback InterfaceChanging LSA Group Pacing 38-3438-35 Configuring EigrpMonitoring Ospf 38-36 Default Eigrp Configuration 38-37Eigrp Nonstop Forwarding 38-38Network network-number Configuring Basic Eigrp ParametersRouter eigrp autonomous-system Eigrp log-neighbor-changesIp summary-address eigrp Configuring Eigrp InterfacesNo auto-summary 38-40No ip split-horizon eigrp autonomous-system-number Configuring Eigrp Route AuthenticationIp hello-interval eigrp autonomous-system-number Show ip eigrp interfaceEigrp Stub Routing 38-4238-43 Configuring BGPMonitoring and Maintaining Eigrp 38-44 EBGP, IBGP, and Multiple Autonomous SystemsDefault BGP Configuration 38-4538-46 Nonstop Forwarding Awareness 38-47Network network-number mask network-mask Enabling BGP RoutingRouter bgp autonomous-system Route-map route-map-name38-49 Managing Routing Policy Changes Switchconfig-router#neighbor 192.208.10.2 remote-asSwitch# show ip bgp neighbors 38-50Clear ip bgp * address Type of Reset Advantages DisadvantagesShow ip bgp neighbors Show ip bgpConfiguring BGP Decision Attributes 38-5238-53 38-54 Configuring BGP Filtering with Route MapsConfiguring BGP Filtering by Neighbor Route-map map-tag in out Ip as-path access-list access-list-numberOut weight weight Show ip bgp neighbors pathsConfiguring Prefix Lists for BGP Filtering 38-56Permit deny community-number Configuring BGP Community FilteringIp community-listcommunity-list-number Send-communityIp bgp-community new-format Configuring BGP Neighbors and Peer GroupsSet comm-list list-num delete Show ip bgp community38-59 Configuring Aggregate Addresses 38-6038-61 Configuring Routing Domain ConfederationsConfiguring BGP Route Reflectors Bgp cluster-id cluster-id Configuring Route DampeningRoute-reflector-client No bgp client-to-client reflectionMonitoring and Maintaining BGP 38-63Configuring Multi-VRF CE 38-64Understanding Multi-VRF CE 38-6538-66 VRF Default Multi-VRF CE ConfigurationMulti-VRF CE Configuration Guidelines 38-67Import map route-map Configuring VRFsRoute-target export import both Ip vrf forwarding vrf-nameLog-adjacency-changes Configuring a VPN Routing SessionShow ip vrf brief detail interfaces Redistribute bgp38-70 Configuring BGP PE to CE Routing SessionsMulti-VRF CE Configuration Example 38-71 VPN2 CE1Configuring Switch a 38-72Switchconfig-if#ip address 208.0.0.20 Switchconfig-router-af#network 8.8.2.0 maskSwitchconfig-router-af#network 8.8.1.0 mask 38-73Router# configure terminal 38-7438-75 Configuring Unicast Reverse Path ForwardingDisplaying Multi-VRF CE Status 38-76 Configuring Protocol-Independent FeaturesConfiguring Distributed Cisco Express Forwarding Configuring the Number of Equal-Cost Routing Paths 38-77Maximum-paths maximum Configuring Static Unicast RoutesRouter bgp rip ospf eigrp Show ip routeIp default-network network number Specify a default network Specifying Default Routes and NetworksRoute Source Default Distance 38-79Using Route Maps to Redistribute Routing Information 38-8038-81 38-82 Configuring Policy-Based Routing 38-83PBR Configuration Guidelines 38-84Enabling PBR 38-85Ip local policy route-map map-tag Ip policy route-map map-tagIp route-cache policy 38-8638-87 Setting Passive InterfacesFiltering Routing Information Router bgp rip eigrp Controlling Advertising and Processing in Routing UpdatesFiltering Sources of Routing Information 38-88Ip access list Managing Authentication KeysDistance weight ip-address ip-address mask 38-89Monitoring and Maintaining the IP Network 38-9038-91 38-92 39-1 Configuring IPv6 Unicast RoutingUnderstanding IPv6 IPv6 Addresses 39-239-3 Supported IPv6 Unicast Routing FeaturesBit Wide Unicast Addresses ICMPv6 DNS for IPv6Path MTU Discovery for IPv6 Unicast Neighbor DiscoveryIPv6 Applications 39-539-6 Unsupported IPv6 Unicast Routing FeaturesDual IPv4 and IPv6 Protocol Stacks 39-7 IPv6 and Switch StacksLimitations 39-8 39-9 SDM TemplatesDual IPv4-and IPv6 SDM Templates Configuring IPv6 39-1039-11 Default IPv6 ConfigurationConfiguring IPv6 Addressing and Enabling IPv6 Routing 39-12 Switchconfig-if#ipv6 address 20010DB8c181/64 eui Configuring IPv4 and IPv6 Protocol StacksIp routing Enable routing on the switch 39-1339-14 Ipv6 icmp error-interval interval bucketsize Configuring IPv6 Icmp Rate LimitingConfiguring CEF and dCEF for IPv6 Show ipv6 interface interface-idConfiguring Static Routing for IPv6 39-16Ipv6-address interface-id ipv6-address Administrative distanceIpv6 route ipv6-prefix/prefix length 39-17Show ipv6 static ipv6-address Configuring RIP for IPv6Show ipv6 route static updated Interface-id recursive detail39-19 Configuring Ospf for IPv6 39-2039-21 39-22 Switch# show ipv6 interfaceDisplaying IPv6 Switch# show ipv6 rip Switch# show ipv6 cef /0Switch# show ipv6 protocols 39-23Switch# show ipv6 route Switch# show ipv6 neighborsSwitch# show ipv6 static Switch# show ipv6 traffic39-25 39-26 40-1 Configuring Hsrp and Enhanced Object TrackingUnderstanding Hsrp 40-2 Multiple Hsrp 40-340-4 Configuring HsrpHsrp and Switch Stacks Enabling Hsrp Default Hsrp ConfigurationHsrp Configuration Guidelines 40-5Secondary Switch# show standbyStandby group-number ip ip-address Show standby interface-id groupConfiguring Hsrp Priority 40-7Standby group-number track Priority preempt delay delayStandby group-number priority 40-8Switchconfig-if#standby 2 ip Configuring MhsrpConfiguring Hsrp Authentication and Timers 40-9Switchconfig-if#standby 1 authentication word Standby group-number authentication stringStandby group-number timers hellotime HoldtimeEnabling Hsrp Support for Icmp Redirect Messages Displaying Hsrp ConfigurationsConfiguring Hsrp Groups and Clustering Show standby interface-idgroup brief detail40-12 Configuring Enhanced Object TrackingUnderstanding Enhanced Object Tracking Track object-number interface Configuring Enhanced Object Tracking FeaturesTracking Interface Line-Protocol or IP Routing State 40-13Track track-numberlist boolean Configuring a Tracked ListSwitch# show track 33 Track Object object-number notTrack track-numberlist threshold WeightThreshold weight up number 40-15Object object-number Track track-number list thresholdPercentage Threshold percentage up numberConfiguring Hsrp Object Tracking 40-1740-18 Configuring Other Tracking CharacteristicsShow standby 41-1 Configuring Web Cache Services By UsingUnderstanding Wccp Wccp Message Exchange 41-2MD5 Security Packet Redirection and Service GroupsWccp Negotiation 41-3Wccp and Switch Stacks 41-4Default Wccp Configuration Configuring WccpUnsupported Wccp Features Wccp Configuration GuidelinesEnabling the Web Cache Service 41-641-7 41-8 Monitoring and Maintaining Wccp Switchconfig# interface range gigabitethernet1/0/3Switchconfig-if-range#switchport access vlan 41-9Enabled / disabled 41-10Configuring IP Multicast Routing 42-142-2 IP Multicast Routing Protocols42-3 Understanding IgmpIgmp Version PIM Modes Understanding PIMPIM Versions 42-4PIM Stub Routing 42-5Auto-RP 42-642-7 Bootstrap RouterMulticast Forwarding and Reverse Path Check 42-8 Understanding DvmrpNetwork Port 42-9 Multicast Routing and Switch StacksUnderstanding Cgmp Multicast Routing Configuration Guidelines Configuring IP Multicast RoutingDefault Multicast Routing Configuration 42-1042-11 Auto-RP and BSR Configuration GuidelinesPIMv1 and PIMv2 Interoperability 42-12 Configuring Basic Multicast RoutingIp multicast-routing distributed Ip pim dense-mode sparse-mode Configuring PIM Stub RoutingIp pim version 1 Sparse-dense-modeIp pim passive Configuring a Rendezvous PointManually Assigning an RP to Multicast Groups 42-1442-15 Access-list-number overrideIp pim rp-address ip-address Configuring Auto-RP 42-16Interval seconds Scope ttl group-list access-list-numberIp pim send-rp-announce interface-id 42-17Show ip pim rp Ip pim send-rp-discovery scope ttlShow ip pim rp mapping 42-1842-19 Access-list-number group-listIp pim rp-announce-filter rp-list 42-20 Configuring PIMv2 BSRIp pim bsr-border Ip multicast boundary 42-2142-22 Ip pim bsr-candidate interface-idHash-mask-length priority 42-23 Group-list access-list-numberIp pim rp-candidate interface-id Group-address mapping Using Auto-RP and a BSRShow ip pim rp group-name Show ip pim rp-hash groupMonitoring the RP Mapping Information Configuring Advanced PIM FeaturesTroubleshooting PIMv1 and PIMv2 Interoperability Problems Understanding PIM Shared Tree and Source Tree42-26 Shared Tree and Source Tree Shortest-Path Tree42-27 Delaying the Use of PIM Shortest-Path TreeIp pim spt-threshold kbps infinity Ip pim query-interval seconds Configuring Optional Igmp FeaturesModifying the PIM Router-Query Message Interval Show ip igmp interface interface-idIp igmp join-group group-address Default Igmp ConfigurationConfiguring the Switch as a Member of a Group 42-29Show ip igmp interface interface-id Verify your entries Controlling Access to IP Multicast GroupsIp igmp access-group access-list-number 42-30Ip igmp version 1 Changing the Igmp VersionModifying the Igmp Host-Query Message Interval Query-interval or the ip igmp query-max-response-timeIp igmp query-interval seconds Changing the Igmp Query Timeout for IGMPv2Ip igmp querier-timeout seconds 42-32Ip igmp query-max-response-time Configuring the Switch as a Statically Connected MemberChanging the Maximum Query Response Time for IGMPv2 42-33Ip igmp static-group group-address Configuring Optional Multicast Routing FeaturesEnabling Cgmp Server Support 42-3442-35 Configuring sdr Listener SupportIp cgmp proxy Limiting How Long an sdr Cache Entry Exists Ip sdr listen Enable sdr listener supportEnabling sdr Listener Support 42-36Configuring an IP Multicast Boundary 42-37Configuring Basic Dvmrp Interoperability Features 42-38Configuring Dvmrp Interoperability 42-39Ip dvmrp metric metric list 42-40Configuring a Dvmrp Tunnel 42-41Advertising Network 0.0.0.0 to Dvmrp Neighbors Access-list-number distanceNeighbor-list access-list-number Ip dvmrp accept-filterResponding to mrinfo Requests Configuring Advanced Dvmrp Interoperability FeaturesIp dvmrp default-information Originate onlyEnabling Dvmrp Unicast Routing 42-44Rejecting a Dvmrp Nonpruning Neighbor 42-45Enter interface configuration mode 42-46Limiting the Number of Dvmrp Routes Advertised By default, 7000 routes are advertised. The range is 0 toControlling Route Exchanges Changing the Dvmrp Route ThresholdRoute-count Configuring a Dvmrp Summary AddressDefault is 10,000 routes. The range is 1 to 42-4842-49 Mask metric value Disabling Dvmrp AutosummarizationIp dvmrp summary-address address No ip dvmrp auto-summaryIncrement Adding a Metric Offset to the Dvmrp RouteIp dvmrp metric-offset in out 42-51Displaying System and Network Statistics Monitoring and Maintaining IP Multicast RoutingClearing Caches, Tables, and Databases 42-52Monitoring IP Multicast Routing 42-5342-54 43-1 Configuring MsdpUnderstanding Msdp Msdp Operation 43-2Msdp Benefits 43-3Configuring a Default Msdp Peer Configuring MsdpDefault Msdp Configuration 43-443-5 Ip msdp default-peer ip-address namePrefix-list list Seq number permit deny network Caching Source-Active StateIp prefix-list name description string Ip msdp description peer-nameIp msdp cache-sa-state list 43-7Ip msdp sa-request ip-address name Switchconfig# ip msdp sa-requestRequesting Source Information from an Msdp Peer 43-8Ip msdp redistribute list Controlling Source Information that Your Switch OriginatesRedistributing Sources 43-943-10 Ip msdp filter-sa-request ip-address Name list access-list-numberFiltering Source-Active Request Messages 43-11Ip msdp sa-filter out ip-address name Controlling Source Information that Your Switch ForwardsUsing a Filter Route-map map-tag43-13 Ip msdp ttl-threshold ip-address name Controlling Source Information that Your Switch ReceivesUsing TTL to Limit the Multicast Data Sent in SA Messages Ttl43-15 Switchconfig# ip msdp sa-filter in switch.cisco.comIp msdp sa-filter in ip-address name Ip msdp mesh-group name ip-address Configuring an Msdp Mesh GroupShutting Down an Msdp Peer 43-16Ip msdp border sa-address interface-id Including a Bordering PIM Dense-Mode Region in MsdpIp msdp shutdown peer-name peer 43-17Configuring an Originating Address other than the RP Address 43-18Clear ip msdp statistics peer-addressname Monitoring and Maintaining MsdpClear ip msdp peer peer-addressname Clear ip msdp sa-cache group-addressname43-20 Fallback Bridging Overview Configuring Fallback BridgingUnderstanding Fallback Bridging 44-144-2 44-3 Configuring Fallback BridgingFallback Bridging and Switch Stacks Creating a Bridge Group Default Fallback Bridging ConfigurationFallback Bridging Configuration Guidelines 44-4Bridge-group bridge-group Bridge bridge-group protocolVlan-bridge 44-544-6 Adjusting Spanning-Tree ParametersSwitchconfig# bridge 10 protocol vlan-bridge Bridge bridge-group priority number Changing the VLAN-Bridge Spanning-Tree PriorityChanging the Interface Priority Bridge-group bridge-grouppriorityCost Assigning a Path CostBridge-group bridge-group path-cost 44-8Bridge bridge-group hello-time seconds Adjusting Bpdu IntervalsSwitchconfig# bridge 10 hello-time 44-9Bridge bridge-group forward-time Switchconfig# bridge 10 forward-timeSwitchconfig# bridge 10 max-age Bridge bridge-group max-age secondsClear bridge bridge-group Monitoring and Maintaining Fallback BridgingDisabling the Spanning Tree on an Interface Show bridge bridge-group group44-12 Troubleshooting 45-1Recovering from a Software Failure 45-2Switch loadhelper Recovering from a Lost or Forgotten PasswordSwitch flashinit Switch copy xmodem flashimagefilename.bin45-4 Procedure with Password Recovery Enabled 45-5Copy the configuration file into memory 45-645-7 Procedure with Password Recovery DisabledSwitch dir flash Preventing Switch Stack Problems 45-8Recovering from a Command Switch Failure 45-945-10 Replacing a Failed Command Switch with a Cluster MemberSwitchconfig# no cluster commander-address Replacing a Failed Command Switch with Another Switch 45-1145-12 Preventing Autonegotiation Mismatches Recovering from Lost Cluster Member ConnectivityTroubleshooting Power over Ethernet Switch Ports 45-13Show controllers power inline privileged Exec command Disabled Port Caused by Power LossDisabled Port Caused by False Link Up SFP Module Security and IdentificationMonitoring SFP Module Status Monitoring TemperatureUsing Ping Understanding PingCharacter Description Switch# pingExecuting Ping 45-16Usage Guidelines Using Layer 2 TracerouteUnderstanding Layer 2 Traceroute 45-17Understanding IP Traceroute Using IP TracerouteDisplaying the Physical Path 45-18Traceroute ip host Switch# traceroute ipExecuting IP Traceroute Trace the path that packets take through the network45-20 Using TDRUnderstanding TDR Running TDR and Displaying the Results Using Debug CommandsEnabling Debugging on a Specific Feature 45-2145-22 Enabling All-System DiagnosticsRedirecting Debug and Error Message Output Udp 10 Using the show platform forward Command45-23 45-24 45-25 Using the crashinfo FilesBasic crashinfo Files Understanding Obfl Using On-Board Failure LoggingExtended crashinfo Files 45-26Configuring Obfl 45-2745-28 Displaying Obfl InformationShow logging onboard module 46-1 Configuring Online DiagnosticsUnderstanding Online Diagnostics Diagnostic schedule switch Configuring Online DiagnosticsScheduling Online Diagnostics Non-disruptive daily hhmmDiagnostic content command output Configuring Health-Monitoring DiagnosticsDiagnostic monitor interval switch Diagnostic monitor syslogShow diagnostic content post result Diagnostic monitor threshold switchDiagnostic monitor switch number test Schedule status switchDiagnostic start switch number Running Online Diagnostic TestsStarting Online Diagnostic Tests All basic non-disruptiveDisplaying Online Diagnostic Tests and Test Results 46-6CISCO-FTP-CLIENT-MIB CISCO-HSRP-MIB Supported MIBsMIB List ETHERLIKE-MIB IEEE8021-PAE-MIB IEEE8023-LAG-MIB CISCO-IGMP-FILTER-MIBCISCO-RTTMON-MIB CISCO-SMI-MIB IGMP-MIB INET-ADDRESS-MIB IPMROUTE-MIBTCP-MIB UDP-MIB Using FTP to Access the MIB Files Working with the Flash File System Switch# show file systems Displaying Available File SystemsSetting the Default File System Field ValueChanging Directories and Displaying the Working Directory Cd newconfigsDisplaying Information about Files on a File System PwdCopying Files Mkdir oldconfigsCreating and Removing Directories Creating, Displaying, and Extracting Files Switch# delete myconfigDeleting Files Archive /table source-url Archive /create destination-urlFlash Directories are extracted Archive /xtract source-urlExtract a file into a directory on the flash file system More /ascii /binary /ebcdicWorking with Configuration Files Guidelines for Creating and Using Configuration Files Configuration File Types and LocationCreating a Configuration File By Using a Text Editor Copying Configuration Files By Using TftpDownloading the Configuration File By Using Tftp Uploading the Configuration File By Using TftpCopying Configuration Files By Using FTP Ip ftp username username Downloading a Configuration File By Using FTPIp ftp password password Filename systemrunning-config Uploading a Configuration File By Using FTPFtp // username password @ location /directory Filename nvramstartup-configCopy nvramstartup-config Copying Configuration Files By Using RCPCopy systemrunning-config Ftp // username password @ location /directory FilenameHostname Switch1 Ip rcmd remote-username User0 Nvramstartup-config Downloading a Configuration File By Using RCPSystemrunning-config Ip rcmd remote-username usernameSwitch# copy nvramstartup-config rcp Clearing Configuration InformationUploading a Configuration File By Using RCP Working with Software Images Clearing the Startup Configuration FileDeleting a Stored Configuration File Image Location on the Switch File Format of Images on a Server or Cisco.comCopying Image Files By Using Tftp Field DescriptionPreparing to Download or Upload an Image File By Using Tftp Downloading an Image File By Using TftpOverwrite /reload Allow-feature-upgrade /directoryArchive download-sw Archive download-sw /directoryTftp //location /directory /image-name .tar Uploading an Image File By Using TftpArchive upload-sw Copying Image Files By Using FTP Preparing to Download or Upload an Image File By Using FTPDownloading an Image File By Using FTP For /directory /image-name1 .tar Archive download-sw /allow-feature-upgradeDirectory /overwrite /reload Directory /image-name2 .tar image-name3 .tarUploading an Image File By Using FTP Copying Image Files By Using RCP Preparing to Download or Upload an Image File By Using RCP Downloading an Image File By Using RCP File By Using RCP section on page B-31Or Upload an Image File By Using RCP section on Uploading an Image File By Using RCP Me.tar Copying an Image File from One Stack Member to AnotherRcp // username @ location /directory /image-na Source-stack-member-number Archive copy-sw /destination-systemDestination-stack-member-number /force-reload For /destination-system destination-stack-member-numberUnsupported Privileged Exec Commands Unsupported Commands Cisco IOS Release 12.237SEAccess Control Lists Unsupported Global Configuration CommandsBoot Loader Commands Archive CommandsARP Commands Debug CommandsBridge crb Fallback BridgingBridge bridge-groupacquire Bridge bridge-group domain domain-name bridge irbHsrp X25 map bridge x.121-address broadcast options-keywordsIP Multicast Routing Igmp Snooping CommandsInterface Commands Show ip rtp header-compression type number detail Ip pim accept-rpaddress auto-rpgroup-access-list-numberShow ip pim vc group-address name type number Ip multicast-routing vrf vrf-nameUnsupported Privileged Exec or User Exec Commands IP Unicast RoutingUnsupported Route Map Commands Unsupported BGP Router Configuration CommandsUnsupported VPN Configuration Commands Miscellaneous MAC Address CommandsShow cable-diagnostics prbs Test cable-diagnostics prbs Set tag tag-valueNetFlow Commands MsdpUnsupported Policy-Map Configuration Command Network Address Translation NAT CommandsUnsupported Global Configuration Command QoSUnsupported Privileged Exec Command Unsupported Interface Configuration CommandUnsupported User Exec Commands Spanning TreeNumerics IN-1ACLs IN-2Hsrp CDP Lldp RIPEigrp TACACS+IN-4 BGPCidr Bpdu IN-5Cgmp CDPCEF CLICNS IN-7IN-8 IN-9 DhcpDNS Vmps SnmpTACACS+ Udld WccpDhcp option IN-11DTP IN-12Dvmrp IN-13Dynamic ARP inspection IN-14Lacp IN-15IN-16 STPFIB IN-17 Mstp STPFTP IN-18 HttpsIcmp Igmp IN-19IN-20 IP addresses IN-21Mbone IN-22IGP IN-23IP unicast routing IN-24ISL IN-25LLDP-MED IN-26IN-27 IN-28 MDAMhsrp Msdp IN-29MTU CSTIST IN-30NAC IN-31NSSA, Ospf IN-32IN-33 ObflPBR PIM IN-34Port-based authentication IN-35IN-36 PvidVvid Private VLANs IN-37QoS IN-38IN-39 RCP IN-40Rmon Radius TACACS+RFC IN-41Rstp RPSRspan IN-42SDM IN-43Snmp IN-44IN-45 SpanSRR IN-46 SSLVTP Stacks, switch IN-47LLDP-MED Ospf IN-48STP IN-49IN-50 System message logging IN-51IN-52 IN-53 IN-54 VLANs IN-55IN-56 VPNVQP WTD IN-57IN-58

Figure 34-5 Deny Access to a Server on Another a VLAN

10.1.1.8

Define the IP ACL that will match the correct packets.

IP packets that do not match the ACL.

Using VLAN Maps with Router ACLs

34-36