Manuals / Brands / Computer Equipment / Switch / Cisco Systems / Computer Equipment / Switch

Cisco Systems IE 2000 Interface Trust States and Network Security

1 924

Download 924 pages, 22.8 Mb

26-3

Cisco IE 2000 Switch Software Configuration Guide

OL-25866-01

Chapter 26 Configuring Dynamic ARP Inspection

Information About Dynamic ARP Inspection

Interface Trust States and Network Security

DAI associates a trust state with each interface on the switch. Packets arriving on trusted interfaces

bypass all DAI validation checks, and those arriving on untrusted interfaces undergo the DAI validation

process.

In a typical network configuration, you configure all switch ports conne cted to host ports as untrusted

and configure all switch ports connected to switches as trusted. With this configuration, all ARP packets

entering the network from a given switch bypass the security check. N o other validation is needed at any

other place in the VLAN or in the network. You configure the trust setting by using the ip arp inspection

trust interface configuration command.

Caution Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be

trusted can result in a loss of connectivity.

In Figure 26-2, assume that both Switch A and Switch B are running DAI on the VLAN that includes

Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to

Switch A, only Switch A binds the IP-to-MAC address of Host 1. Therefore, if the interface between

Switch A and Switch B is untrusted, the ARP packets from Host 1 are dropped by Switch B. Connectivity

between Host 1 and Host 2 is lost.

Figure 26-2 ARP Packet Validation on a VLAN Enabled for DAI

Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the

network. If Switch A is not running DAI, Host 1 can easily poison the ARP cache of Switch B (and Host

2, if the link between the switches is configured as trusted). This condition can occur even though Switch

B is running DAI.

DAI ensures that hosts (on untrusted interfaces) connected to a switch running DAI do not poison the

ARP caches of other hosts in the network. However, DAI does not prevent hosts in other portions of the

network from poisoning the caches of the hosts that are co nnected to a switch running DAI.

If some switches in a VLAN run DAI and other switches do not, co nfigure the interfaces connecting

these switches as untrusted. However, to validate the bindings of packets from non-DAI switches,

configure the switch running DAI with ARP ACLs. When you cannot determine the bindi ngs, at Layer

3 isolate switches running DAI from switches not running DAI switches.

DHCP server

Switch A Switch B

Host 1 Host 2

Port 1 Port 3

111751

Contents

Main Cisco IE 2000 Switch Software Configuration Guide Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Preface Audience Purpose Conventions Related Publications Obtaining Documentation, Obtaining Support, and Security Guidelines Page Configuration Overview Features Feature Software Licensing Ease-of-Deployment and Ease-of-Use Features Performance Features Management Options Industrial Application Manageability Features Availability and Redundancy Features VLAN Features Security Features Page Page QoS and CoS Features Monitoring Features Default Settings After Initial Switch Configuration Page Page Network Configuration Examples Design Concepts for Using the Switch Ethernet-to-the-Factory Architecture Enterprise Zone Demilitarized Zone Manufacturing Zone 1-17 Figure 1-1 shows the EttF architecture. Topology Options Cell NetworkTrunk-Drop Topology Cell NetworkRing Topology Cell NetworkRedundant-Star Topology Where to Go Next Page Using the Command-Line Interface Information About Using the Command-Line Interface Command Modes Page Help System Understanding Abbreviated Commands No and default Forms of Commands CLI Error Messages Configuration Logging How to Use the CLI to Configure Features Configuring the Command History Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features Enabling and Disabling Editing Features Editing Commands Through Keystrokes Page Editing Command Lines That Wrap Searching and Filtering Output of show and more Commands Accessing the CLI Accessing the CLI through a Console Connection or through Telnet Configuring Switch Alarms Finding Feature Information Information About Switch Alarms Global Status Monitoring Alarms FCS Error Hysteresis Threshold Port Status Monitoring Alarms Triggering Alarm Options External Alarms Default Switch Alarm Settings How to Configure Switch Alarms Configuring External Alarms Configuring the Power Supply Alarms Configuring the Switch Temperature Alarms Associating the Temperature Alarms to a Relay Configuring the FCS Bit Error Rate Alarm Setting the FCS Error Threshold Setting the FCS Error Hysteresis Threshold Configuring Alarm Profiles Creating an Alarm Profile Modifying an Alarm Profile Attaching an Alarm Profile to a Specific Port Monitoring and Maintaining Switch Alarms Status Enabling SNMP Traps Configuration Examples for Switch Alarms Configuring External Alarms: Example Associating Temperature Alarms to a Relay: Examples Creating or Modifying an Alarm Profile: Example 3-11 Setting the FCS Error Hysteresis Threshold: Example This example shows how to set the FCS bit error rate for a port to 10-10: Configuring a Dual Power Supply: Examples This example shows how to configure two power supplies: Displaying Alarm Settings: Example Page Page Page Performing Switch Setup Configuration Restrictions for Performing Switch Setup Configuration Information About Performing Switch Setup Configuration Switch Boot Process Page Default Switch Boot Settings Switch Boot Optimization Switch Information Assignment Switch Default Settings DHCP-Based Autoconfiguration Overview DHCP Client Request Process DHCP-Based Autoconfiguration and Image Update DHCP Autoconfiguration DHCP Auto-Image Update DHCP Server Configuration Guidelines TFTP Server DNS Server Relay Device How to Obtain Configuration Files How to Control Environment Variables Common Environment Variables Scheduled Reload of the Software Image How to Perform Switch Setup Configuration Configuring DHCP Autoconfiguration (Only Configuration File) Configuring DHCP Auto-Image Update (Configuration File and Image) Configuring the Client Manually Assigning IP Information on a Routed Port Manually Assigning IP Information to SVIs Modifying the Startup Configuration Specifying the Filename to Read and Write the System Configuration Manually Booting the Switch Booting a Specific Software Image Monitoring Switch Setup Configuration Verifying the Switch Running Configuration Configuration Examples for Performing Switch Setup Configuration Retrieving IP Information Using DHCP-Based Autoconfiguration: Example Page 4-20 DHCP Client Configuration No configuration file is present on Switch A through Switch D. Scheduling Software Image Reload: Examples This example shows how to reload the software on the switch on the current day at 7:30 p.m: This example shows how to reload the software on the switch at a future time: To cancel a previously scheduled reload, use the reload cancel privileged EXEC command. Configuring DHCP Auto-Image Update: Example Configuring Client to Download Files from DHCP Server Page Configuring Cisco IOS Configuration Engine Prerequisites for Configuring Cisco IOS Configuration Engine Information About Configuring Cisco IOS Configuration Engine Configuration Service Event Service NameSpace Mapper CNS IDs and Device Hostnames ConfigID DeviceID Hostname and DeviceID Interaction Cisco IOS Agents Initial Configuration Incremental (Partial) Configuration Synchronized Configuration V How to Configure Cisco IOS Configuration Engine Configuring Cisco IOS Agents Enabling CNS Event Agent Enabling Cisco IOS CNS Agent and an Initial Configuration Page Enabling a Partial Configuration Monitoring and Maintaining Cisco IOS Configuration Engine Configuration Examples for Cisco IOS Configuration Engine Enabling the CNS Event Agent: Example Configuring an Initial CNS Configuration: Examples Page Page Page Configuring Switch Clusters Finding Feature Information Prerequisites for Configuring Switch Clusters Cluster Command Switch Characteristics Standby Cluster Command Switch Characteristics Candidate Switch and Cluster Member Switch Characteristics Restrictions for Configuring Switch Clusters Information About Configuring Switch Clusters Benefits of Clustering Switches Eligible Cluster Switches How to Plan for Switch Clustering Automatic Discovery of Cluster Candidates and Members Discovery Through CDP Hops 6-6 Discovery Through Non-CDP-Capable and Noncluster-Capable Devices Discovery Through Different VLANs Discovery Through Different Management VLANs Discovery Through Routed Ports Discovery of Newly Installed Switches IP Addresses Hostnames Passwords SNMP Community Strings TACACS+ and RADIUS LRE Profiles Managing Switch Clusters Using the CLI to Manage Switch Clusters Using SNMP to Manage Switch Clusters Page Page Performing Switch Administration Finding Feature Information Information About Performing Switch Administration System Time and Date Management System Clock Network Time Protocol NTP Version 4 DNS Default DNS Configuration Login Banners System Name and Prompt MAC Address Table Address Table MAC Addresses and VLANs Default MAC Address Table Configuration Address Aging Time for VLANs MAC Address Change Notification Traps Static Addresses Unicast MAC Address Filtering MAC Address Learning on a VLAN ARP Table Management How to Perform Switch Administration Configuring Time and Date Manually Setting the System Clock Configuring the Time Zone Configuring Summer Time (Daylight Saving Time) Configuring Summer Time (Exact Date and Time) Configuring a System Name Setting Up DNS Configuring Login Banners Configuring a Message-of-the-Day Login Banner Configuring a Login Banner Managing the MAC Address Table Changing the Address Aging Time Configuring MAC Address Change Notification Traps Configuring MAC Address Move Notification Traps Configuring MAC Threshold Notification Traps Page Adding and Removing Static Address Entries Configuring Unicast MAC Address Filtering Disabling MAC Address Learning on a VLAN Monitoring and Maintaining Switch Administration Configuration Examples for Performing Switch Admininistration Setting the System Clock: Example Configuring Summer Time: Examples Configuring a MOTD Banner: Examples Configuring a Login Banner: Example Configuring MAC Address Change Notification Traps: Example Sending MAC Address Move Notification Traps: Example Configuring MAC Threshold Notification Traps: Example Adding the Static Address to the MAC Address Table: Example Configuring Unicast MAC Address Filtering: Example Page Page Configuring PTP Finding Feature Information Prerequisites for Configuring PTP Restrictions for Configuring PTP Information About Configuring PTP How to Configure PTP Default PTP Settings Setting Up PTP Monitoring and Maintaining the PTP Configuration Troubleshooting the PTP Configuration Page Page Configuring PROFINET Finding Feature Information Restrictions for Configuring PROFINET Information About Configuring PROFINET PROFINET Device Roles PROFINET Device Data Exchange Page How to Configure PROFINET Configuring PROFINET Default Configuration Enabling PROFINET Monitoring and Maintaining PROFINET Troubleshooting PROFINET Page Configuring CIP Finding Feature Information Restrictions for Configuring CIP Information About Configuring CIP How to Configure CIP Monitoring CIP Troubleshooting CIP Page Page Configuring SDM Templates Finding Feature Information Prerequisites for Configuring SDM Templates Restrictions for Configuring SDM Templates Information About Configuring SDM Templates Page Dual IPv4 and IPv6 SDM Default Template How to Configure the Switch SDM Templates Setting the SDM Template Monitoring and Maintaining SDM Templates 11-5 This is an example of output from the show sdm prefer dual-ipv4-and-ipv6 default command: Configuration Examples for Configuring SDM Templates Configuring the IPv4-and-IPv6 Default Template: Example This example shows how to configure the IPv4-and-IPv6 default template on a desktop switch: Page Configuring Switch-Based Authentication Finding Feature Information Prerequisites for Configuring Switch-Based Authentication Restrictions for Configuring Switch-Based Authentication Information About Configuring Switch-Based Authentication Prevention for Unauthorized Switch Access Password Protection Default Password and Privilege Level Configuration Enable Secret Passwords with Encryption Password Recovery Telnet Password for a Terminal Line Username and Password Pairs Multiple Privilege Levels Switch Access with TACACS+ TACACS+ TACACS+ Operation Default TACACS+ Configuration TACACS+ Server Host and the Authentication Key TACACS+ Login Authentication TACACS+ Authorization for Privileged EXEC Access and Network Services TACACS+ Accounting Switch Access with RADIUS RADIUS RADIUS Operation Default RADIUS Configuration RADIUS Change of Authorization Radius COA Overview Change-of-Authorization Requests CoA Request Response Code CoA Session Identification CoA ACK Response Code CoA NAK Response Code CoA Request Commands CoA Session Reauthentication CoA Session Termination CoA Disconnect-Request CoA Request: Disable Host Port CoA Request: Bounce-Port RADIUS Server Host RADIUS Login Authentication Radius Method List AAA Server Groups RADIUS Authorization for User Privileged Access and Network Services RADIUS Accounting Establishing a Session with a Router if the AAA Server is Unreachable Vendor-Specific RADIUS Attributes Vendor-Proprietary RADIUS Server Communication Switch Access with Kerberos Understanding Kerberos Page Kerberos Operation Authenticating to a Boundary Switch Obtaining a TGT from a KDC Authenticating to Network Services Kerberos Configuration Local Authentication and Authorization Secure Shell SSH SSH Servers, Integrated Clients, and Supported Versions Limitations SSH Configuration Guidelines Switch for Secure Socket Layer HTTP Secure HTTP Servers and Clients Default SSL Settings Certificate Authority Trustpoints CipherSuites Secure Copy Protocol Page How to Configure Switch-Based Authentication Configuring Password Protection Setting or Changing a Static Enable Password Protecting Enable and Enable Secret Passwords with Encryption Disabling Password Recovery Setting a Telnet Password for a Terminal Line Configuring Username and Password Pairs Setting the Privilege Level for a Command Changing the Default Privilege Level for Lines Logging Into and Exiting a Privilege Level Configuring TACACS+ Identifying the TACACS+ Server Host and Setting the Authentication Key Configuring TACACS+ Login Authentication Page Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Starting TACACS+ Accounting Configuring Radius Server Communication Page Defining AAA Server Groups Configuring RADIUS Login Authentication Configuring RADIUS Authorization for User Privileged Access and Network Services Starting RADIUS Accounting Configuring Settings for All RADIUS Servers Configuring the Switch for Vendor-Proprietary RADIUS Server Communication Configuring CoA on the Switch Configuring the Switch for Local Authentication and Authorization Configuring Secure Shell Setting Up the Switch to Run SSH Configuring the SSH Server Page Configuring Secure HTTP Servers and Clients Configuring a CA Trustpoint Configuring the Secure HTTP Server Page Configuring the Secure HTTP Client Monitoring and Maintaining Switch-Based Authentication Configuration Examples for Configuring Switch-Based Authentication Changing the Enable Password: Example Configuring the Encrypted Password: Example Setting the Telnet Password for a Terminal Line: Example Setting the Privilege Level for a Command: Example Defining AAA Server Groups: Example Configuring Vendor-Specific RADIUS Attributes: Examples Configuring a Vendor-Proprietary RADIUS Host: Example Sample Output for a Self-Signed Certificate: Example Verifying Secure HTTP Connection: Example Page Configuring IEEE 802.1x Port-Based Authentication Device Roles 13-3 Authentication Process access to the network. If 802.1x authentication times out while waiting for an EAPO L message exchange and MAC If the switch gets an invalid identity from an 802.1x-capable client and a restricted VLAN is specified, the switch can assign the client to a restricted VLAN that provides limited services. Switch-to-RADIUS-Server Communication Authentication Initiation and Message Exchange Page Authentication Manager Port-Based Authentication Methods Per-User ACLs and Filter-Ids Authentication Manager CLI Commands Ports in Authorized and Unauthorized States 802.1x Host Mode Multidomain Authentication 802.1x Multiple Authentication Mode MAC Move MAC Replace 802.1x Accounting 802.1x Accounting Attribute-Value Pairs 802.1x Readiness Check 802.1x Authentication with VLAN Assignment Voice Aware 802.1x Security 802.1x Authentication with Per-User ACLs 802.1x Authentication with Downloadable ACLs and Redirect URLs Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs VLAN ID-Based MAC Authentication 802.1x Authentication with Guest VLAN 802.1x Authentication with Restricted VLAN 802.1x Authentication with Inaccessible Authentication Bypass Support on Multiple-Authentication Ports Authentication Results Feature Interactions 802.1x Authentication with Voice VLAN Ports 802.1x Authentication with Port Security 802.1x Authentication with Wake-on-LAN 802.1x Authentication with MAC Authentication Bypass 802.1x User Distribution 802.1x User Distribution Configuration Guidelines Network Admission Control Layer 2 802.1x Validation Flexible Authentication Ordering Open1x Authentication 802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT) 802.1x Supplicant and Authenticator Switch Guidelines Using IEEE 802.1x Authentication with ACLs and the RADIUS Filter-Id Attribute 4 1 2 3 5 Authentication Manager Common Session ID Default 802.1x Authentication Settings 802.1x Accounting 802.1x Authentication Guidelines VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass Guidelines MAC Authentication Bypass Guidelines Maximum Number of Allowed Devices Per Port Guidelines How to Configure IEEE 802.1x Port-Based Authentication 802.1x Authentication Configuration Process Page Configuring the Switch-to-RADIUS-Server Communication Configuring 802.1x Readiness Check Enabling Voice Aware 802.1x Security Configuring 802.1x Violation Modes Configuring the Host Mode Configuring Periodic Reauthentication Configuring Optional 802.1x Authentication Features Page Configuring 802.1x Accounting Configuring a Guest VLAN Configuring a Restricted VLAN Configuring the Maximum Number of Authentication Attempts Configuring Inaccessible Authentication Bypass Page Configuring 802.1x User Distribution Configuring NAC Layer 2 802.1x Validation Configuring an Authenticator and Supplicant Configuring an Authenticator Configuring a Supplicant Switch with NEAT Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs Configuring Downloadable ACLs Configuring a Downloadable Policy Configuring Open1x Resetting the 802.1x Authentication Configuration to the Default Values Monitoring and Maintaining IEEE 802.1x Port-Based Authentication Configuration Examples for Configuring IEEE 802.1x Port-Based Authentication Enabling a Readiness Check: Example Enabling 802.1x Authentication: Example Enabling MDA: Example Disabling the VLAN Upon Switch Violoation: Example Configuring the Radius Server Parameters: Example Configuring 802.1x Accounting: Example Enabling an 802.1x Guest VLAN: Example Displaying Authentication Manager Common Session ID: Examples Configuring Inaccessible Authentication Bypass: Example Configuring VLAN Groups: Examples Configuring NAC Layer 2 802.1x Validation: Example Configuring an 802.1x Authenticator Switch: Example 13-55 Configuring an 802.1x Supplicant Switch: Example This example shows how to configure a switch as a supplicant: Configuring a Downloadable Policy: Example This example shows how to configure a switch for a downloadable policy: Configuring Open 1x on a Port: Example Page Page Page Configuring Web-Based Authentication Finding Feature Information Prerequisites for Configuring Web-Based Authentication Restrictions for Configuring Web-Based Authentication on the IE 2000 Switch Information About Configuring Web-Based Authentication Web-Based Authentication Device Roles Host Detection Session Creation Authentication Process Local Web Authentication Banner Page Web Authentication Customizable Web Pages Web Authentication Guidelines Page Web-Based Authentication Interactions with Other Features Port Security LAN Port IP Gateway IP ACLs Context-Based Access Control 802.1x Authentication EtherChannel Default Web-Based Authentication Settings Configuring Switch-to-RADIUS-Server Communication How to Configure Web-Based Authentication Configuring the Authentication Rule and Interfaces Configuring AAA Authentication Configuring Switch-to-RADIUS-Server Communication Configuring the HTTP Server Customizing the Authentication Proxy Web Pages Specifying a Redirection URL for Successful Login Configuring the Web-Based Authentication Parameters Configuring a Web Authentication Local Banner Removing Web-Based Authentication Cache Entries Enabling and Displaying Web-Based Authentication: Examples 14-15 This example shows how to verify the configuration: Enabling AAA: Example This example shows how to enable AAA: Configuring the RADIUS Server Parameters: Example This example shows how to configure the RADIUS server parameters on a switch: Configuring a Custom Authentication Proxy Web Page: Example Configuring a Redirection URL: Example This example shows how to configure a redirection URL for successful login: Verifying a Redirection URL: Example This example shows how to verify the redirection URL for successful login: Configuring a Local Banner: Example Page Page Configuring Interface Characteristics Finding Feature Information Restrictions for Configuring Interface Characteristics Information About Configuring Interface Characteristics Interface Types Port-Based VLANs Switch Ports Routed Ports Access Ports Trunk Ports EtherChannel Port Groups Dual-Purpose Uplink Ports Connecting Interfaces Using Interface Configuration Mode Page Default Ethernet Interface Settings Interface Speed and Duplex Mode Speed and Duplex Configuration Guidelines IEEE 802.3x Flow Control Auto-MDIX on an Interface SVI Autostate Exclude System MTU How to Configure Interface Characteristics Configuring Layer 3 Interfaces Page Configuring Interfaces Configuring a Range of Interfaces Interface Range Restrictions Configuring and Using Interface Range Macros Configuring Ethernet Interfaces Setting the Type of a Dual-Purpose Uplink Port Setting the Interface Speed and Duplex Parameters Configuring IEEE 802.3x Flow Control Configuring Auto-MDIX on an Interface Adding a Description for an Interface Configuring SVI Autostate Exclude Configuring the System MTU Monitoring and Maintaining Interface Characteristics Monitoring Interface Status Clearing and Resetting Interfaces and Counters Shutting Down and Restarting the Interface Configuration Examples for Configuring Interface Characteristics Configuring the Interface Range: Examples Configuring Interface Range Macros: Examples Setting Speed and Duplex Parameters: Example Enabling auto-MDIX: Example Adding a Description on a Port: Example Configuring SVI Autostate Exclude: Example Page Page Configuring Smartports Macros Finding Feature Information Information About Configuring Smartports Macros How to Configure Smartports Macros Default Smartports Settings Smartports Configuration Guidelines Applying Smartports Macros Monitoring and Maintaining Smartports Macros Configuration Examples for Smartports Macros Applying the Smartports Macro: Examples Page Page Configuring VLANs Finding Feature Information Information About Configuring VLANs VLANs Supported VLANs VLAN Port Membership Modes Normal-Range VLANs Token Ring VLANs Normal-Range VLAN Configuration Guidelines Default Ethernet VLAN Configuration Ethernet VLANs VLAN Removal Static-Access Ports for a VLAN Extended-Range VLANs Default VLAN Configuration Extended-Range VLAN Configuration Guidelines VLAN Trunks Trunking Overview IEEE 802.1Q Configuration Guidelines Default Layer 2 Ethernet Interface VLAN Settings Ethernet Interface as a Trunk Port Trunking Interaction with Other Features Allowed VLANs on a Trunk Native VLAN for Untagged Traffic Load Sharing Using Trunk Ports Load Sharing Using STP Port Priorities Load Sharing Using STP Path Cost VMPS Dynamic-Access Port VLAN Membership Default VMPS Client Settings VMPS Configuration Guidelines VMPS Reconfirmation Interval Dynamic-Access Port VLAN Membership How to Configure VLANs Creating or Modifying an Ethernet VLAN Deleting a VLAN Assigning Static-Access Ports to a VLAN Creating an Extended-Range VLAN Creating an Extended-Range VLAN with an Internal VLAN ID Configuring an Ethernet Interface as a Trunk Port Defining the Allowed VLANs on a Trunk Changing the Pruning-Eligible List Configuring the Native VLAN for Untagged Traffic Load Sharing Using STP Port Priorities Configuring Load Sharing Using STP Path Cost Configuring the VMPS Client Entering the IP Address of the VMPS Configuring Dynamic-Access Ports on VMPS Clients Monitoring and Maintaining VLANs 17-24 Configuration Examples for Configuring VLANs VMPS Network: Example Configuring a VLAN: Example Configuring an Access Port in a VLAN: Example Configuring an Extended-Range VLAN: Example Configuring a Trunk Port: Example Removing a VLAN: Example Page Configuring VTP Finding VTP Feature Information Prerequisites for Configuring VTP Restrictions for Configuring VTP Information About Configuring VTP VTP VTP Domain VTP Modes VTP Mode Guidelines VTP Advertisements VTP Version 2 VTP Version 3 VTP Version Guidelines VTP Pruning Page Default VTP Settings VTP Configuration Guidelines Domain Names Passwords Adding a VTP Client Switch to a VTP Domain How to Configure VTP Configuring VTP Domain and Parameters Configuring a VTP Version 3 Password Enabling the VTP Version Enabling VTP Pruning Configuring VTP on a Per-Port Basis Adding a VTP Client Switch to a VTP Domain Monitoring and Maintaining VTP Configuration Examples for Configuring VTP Configuring a VTP Server: Example Configuring a Hidden VTP Password: Example Configuring a VTP Version 3 Primary Server: Example Additional References for Configuring VTP Page Configuring Voice VLAN Information About Configuring Voice VLAN Voice VLAN Cisco IP Phone Voice Traffic Cisco IP Phone Data Traffic Default Voice VLAN Configuration Voice VLAN Configuration Guidelines Port Connection to a Cisco 7960 IP Phone Priority of Incoming Data Frames How to Configure VTP Configuring Cisco IP Phone for Voice Traffic Configuring the Priority of Incoming Data Frames Monitoring and Maintaining Voice VLAN Configuration Examples for Configuring Voice VLAN Configuring a Cisco IP Phone for Voice Traffic: Example Configuring the Cisco IP Phone Priority of Incoming Data Frames: Example Additional References for Configuring Voice VLAN Page Page Configuring STP Finding Feature Information Prerequisites for Configuring STP Restrictions for Configuring STP Information About Configuring STP STP Spanning-Tree Topology and BPDUs Bridge ID, Switch Priority, and Extended System ID Spanning-Tree Interface States Blocking State Listening State Learning State Forwarding State Disabled State How a Switch or Port Becomes the Root Switch or Root Port Spanning Tree and Redundant Connectivity Spanning-Tree Address Management Accelerated Aging to Retain Connectivity Spanning-Tree Modes and Protocols Supported Spanning-Tree Instances Spanning-Tree Interoperability and Backward Compatibility STP and IEEE 802.1Q Trunks VLAN-Bridge Spanning Tree Default Spanning-Tree Settings Disabling Spanning Tree Root Switch Secondary Root Switch Port Priority Path Cost Spanning-Tree Timers Spanning-Tree Configuration Guidelines How to Configure STP Changing the Spanning-Tree Mode Configuring the Root Switch Configuring a Secondary Root Switch Configuring Port Priority Configuring Path Cost Configuring Optional STP Parameters Monitoring and Maintaining STP Page Configuring MSTP Information About Configuring MSTP MSTP Multiple Spanning-Tree Regions IST, CIST, and CST Operations Within an MST Region Operations Between MST Regions IEEE 802.1s Terminology Hop Count Boundary Ports IEEE 802.1s Implementation Port Role Naming Change Interoperation Between Legacy and Standard Switches Detecting Unidirectional Link Failure Interoperability with IEEE 802.1D STP RSTP Port Roles and the Active Topology Rapid Convergence Synchronization of Port Roles Bridge Protocol Data Unit Format and Processing Processing Superior BPDU Information Processing Inferior BPDU Information Topology Changes Default MSTP Settings MSTP Configuration Guidelines Root Switch Secondary Root Switch Port Priority Path Cost Link Type to Ensure Rapid Transitions Neighbor Type How to Configure MSTP Specifying the MST Region Configuration and Enabling MSTP Configuring the Root Switch Configuring the Optional MSTP Parameters Page Monitoring and Maintaining MSTP Configuration Examples for Configuring MSTP Configuring the MST Region: Example Page Page Configuring Optional Spanning-Tree Features BPDU Guard BPDU Filtering UplinkFast Page BackboneFast Page EtherChannel Guard Root Guard Loop Guard Default Optional Spanning-Tree Settings How to Configure the Optional Spanning-Tree Features Enabling Optional SPT Features Maintaining and Monitoring Optional Spanning-Tree Features Page Page Configuring Resilient Ethernet Protocol Finding Feature Information Prerequisites for REP Restrictions for REP Information About Configuring REP Page Page Link Integrity Fast Convergence VLAN Load Balancing Page Spanning Tree Interaction REP Ports REP Segments Default REP Configuration REP Configuration Guidelines REP Administrative VLAN How to Configure REP Configuring the REP Administrative VLAN Configuring REP Interfaces Page Page Setting Manual Preemption for VLAN Load Balancing Monitoring and Maintaining REP Configuring SNMP Traps for REP 23-13 Configuration Examples for Configuring REP Configuring the Administrative VLAN: Example Configuring a Primary Edge Port: Examples Configuring VLAN Blocking: Example Page Page Configuring FlexLinks and the MAC Address-Table Move Update Restrictions for the FlexLinks and the MAC Address-Table Move Update Information About Configuring the FlexLinks and the MAC Address-Table Move Update FlexLinks VLAN FlexLinks Load Balancing and Support FlexLinks Multicast Fast Convergence Learning the Other FlexLinks Port as the mrouter Port Generating IGMP Reports Leaking IGMP Reports MAC Address-Table Move Update Default Settings for FlexLinks and MAC Address-Table Move Update Configuration Guidelines for FlexLinks and MAC Address-Table Move Update How to Configure the FlexLinks and MAC Address-Table Move Update Configuring FlexLinks Configuring a Preemption Scheme for FlexLinks Configuring VLAN Load Balancing on FlexLinks Configuring the MAC Address-Table Move Update Feature Configuring the MAC Address-Table Move Update Messages Maintaining and Monitoring the FlexLinks and MAC Address-Table Move Update Configuration Examples for the FlexLinks and MAC Address-Table Move Update Configuring FlexLinks Port: Examples Page Configuring a Backup Interface: Example Configuring a Preemption Scheme: Example Configuring VLAN Load Balancing on FlexLinks: Examples Configuring MAC Address-Table Move Update: Example Page Configuring DHCP Information About Configuring DHCP DHCP Snooping DHCP Server DHCP Relay Agent DHCP Snooping Option-82 Data Insertion Page Circuit ID Suboption Frame Format Remote ID Suboption Frame Format Cisco IOS DHCP Server Database DHCP Snooping Binding Database Circuit ID Suboption Frame Format (for user-configured string): Remote ID Suboption Frame Format (for user-configured string): Default DHCP Snooping Settings DHCP Snooping Configuration Guidelines DHCP Snooping Binding Database Guidelines Packet Forwarding Address DHCP Server Port-Based Address Allocation How to Configure DHCP Configuring the DHCP Relay Agent Specifying the Packet Forwarding Address Enabling DHCP Snooping and Option 82 Enabling the DHCP Snooping Binding Database Agent Enabling DHCP Server Port-Based Address Allocation Preassigning an IP Address Monitoring and Maintaining DHCP 25-15 Configuration Examples for Configuring DHCP Enabling DHCP Server Port-Based Address Allocation: Examples This example shows that the preassigned address was correctly reserved in the DHCP pool: Enabling DHCP Snooping: Example Page Configuring Dynamic ARP Inspection Prerequisites for Dynamic ARP Inspection Restrictions for Dynamic ARP Inspection Information About Dynamic ARP Inspection Dynamic ARP Inspection Page Interface Trust States and Network Security Rate Limiting of ARP Packets Relative Priority of ARP ACLs and DHCP Snooping Entries Logging of Dropped Packets Default Dynamic ARP Inspection Settings Dynamic ARP Inspection Configuration Guidelines How to Configure Dynamic ARP Inspection Configuring Dynamic ARP Inspection in DHCP Environments Configuring ARP ACLs for Non-DHCP Environments Page Limiting the Rate of Incoming ARP Packets Performing Validation Checks Configuring the Log Buffer Monitoring and Maintaining Dynamic ARP Inspection Configuration Examples for Dynamic ARP Inspection Configuring Dynamic ARP Inspection in DHCP Environments: Example Configuring ARP ACLs for Non-DHCP Environments: Example Page Page Configuring IP Source Guard Prerequisites for IP Source Guard Restrictions for IP Source Guard Information About IP Source Guard IP Source Guard Source IP Address Filtering Source IP and MAC Address Filtering IP Source Guard for Static Hosts IP Source Guard Configuration Guidelines How to Configure IP Source Guard Enabling IP Source Guard Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port Configuring IP Source Guard for Static Hosts on a Private VLAN Host Port Page Monitoring and Maintaining IP Source Guard Configuration Examples for IP Source Guard Enabling IPSG with Source IP and MAC Filtering: Example Disabling IPSG with Static Hosts: Example Enabling IPSG for Static Hosts: Examples 27-8 Displaying IP or MAC Binding Entries: Examples 27-9 This example displays all active IP or MAC binding entries for all interfaces: This example displays the count of all IP device tracking host entries for all interfaces: Enabling IPSG for Static Hosts: Examples This example shows how to enable IPSG for static hosts with IP filters on a private VLAN host port: 27-10 The output shows that the five valid IP-MAC bindings are on both the primary and sec ondary VLAN. The following sections provide references related to switch administration: Page Page Configuring IGMP Snooping and MVR Restrictions for IGMP Snooping and MVR Information About IGMP Snooping and MVR IGMP Snooping IGMP Versions Joining a Multicast Group Page Leaving a Multicast Group Immediate Leave IGMP Configurable-Leave Timer IGMP Report Suppression Default IGMP Snooping Configuration Snooping Methods Multicast Flooding Time After a TCN Event Flood Mode for TCN Multicast Flooding During a TCN Event IGMP Snooping Querier Guidelines IGMP Report Suppression Multicast VLAN Registration MVR in a Multicast Television Application Page Default MVR Settings MVR Configuration Guidelines and Limitations IGMP Filtering and Throttling Default IGMP Filtering and Throttling Configuration IGMP Profiles IGMP Throttling Action How to Configure IGMP Snooping and MVR Configuring IGMP Snooping Setting IGMP Snooping Parameters Enabling or Disabling IGMP Snooping Configuring TCN Configuring the IGMP Snooping Querier Disabling IGMP Report Suppression Configuring MVR Configuring MVR Global Parameters Configuring MVR Interfaces Configuring IGMP Configuring IGMP Profiles Configuring IGMP Interfaces Monitoring and Maintaining IGMP Snooping and MVR Page Configuration Examples for IGMP Snooping Configuring IGMP Snooping: Example Disabling a Multicast Router Port: Example Statically Configuring a Host on a Port: Example Enabling IGMP Immediate Leave: Example Enabling MVR: Examples Creating an IGMP Profile: Example Applying an IGMP Profile: Example Limiting IGMP Groups: Example Page Configuring Port-Based Traffic Control Restrictions for Port-Based Traffic Control Information About Port-Based Traffic Control Storm Control Default Storm Control Configuration Storm Control and Threshold Levels Small-Frame Arrival Rate Protected Ports Protected Port Configuration Guidelines Port Blocking Port Security Secure MAC Addresses Security Violations Default Port Security Configuration Port Security Configuration Guidelines Page Port Security Aging Port Security and Private VLANs Protocol Storm Protection How to Configure Port-Based Traffic Control Configuring Storm Control Configuring Storm Control and Threshold Levels Configuring Small-Frame Arrival Rate Configuring Protected Ports Configuring Port Blocking Blocking Flooded Traffic on an Interface Configuring Port Security Enabling and Configuring Port Security Page Page Page Enabling and Configuring Port Security Aging Configuring Protocol Storm Protection Enabling Protocol Storm Protection Monitoring and Maintaining Port-Based Traffic Control Configuration Examples for Port-Based Traffic Control Enabling Unicast Storm Control: Example Enabling Broadcast Address Storm Control on a Port: Example Enabling Small-Frame Arrival Rate: Example Configuring a Protected Port: Example Blocking Flooding on a Port: Example Configuring Port Security: Examples Configuring Port Security Aging: Examples Configuring Protocol Storm Protection: Example Page Page Configuring SPAN and RSPAN Prerequisites for SPAN and RSPAN Restrictions for SPAN and RSPAN Information About SPAN and RSPAN SPAN and RSPAN Local SPAN Remote SPAN SPAN Sessions Monitored Traffic Types for SPAN Sessions Source Ports Source VLANs VLAN Filtering Destination Port RSPAN VLAN SPAN and RSPAN Interaction with Other Features Local SPAN Configuration Guidelines RSPAN Configuration Guidelines Default SPAN and RSPAN Settings How to Configure SPAN and RSPAN Creating a Local SPAN Session Page Creating a Local SPAN Session and Configuring Incoming Traffic Specifying VLANs to Filter Configuring a VLAN as an RSPAN VLAN Creating an RSPAN Source Session Creating an RSPAN Destination Session Creating an RSPAN Destination Session and Configuring Incoming Traffic Specifying VLANs to Filter Monitoring and Maintaining SPAN and RSPAN Configuration Examples for SPAN and RSPAN Configuring a Local SPAN Session: Example Modifying Local SPAN Sessions: Examples Configuring an RSPAN: Example Configuring a VLAN for a SPAN Session: Example Modifying RSPAN Sessions: Examples Page Page Configuring LLDP, LLDP-MED, and Wired Location Service Restrictions for LLDP, LLDP-MED, and Wired Location Service Information About LLDP, LLDP-MED, and Wired Location Service LLDP-MED Wired Location Service Default LLDP Configuration LLDP, LLDP-MED, and Wired Location Service Configuration Guidelines LLDP-MED TLVs How to Configure LLDP, LLDP-MED, and Wired Location Service Enabling LLDP Configuring LLDP Characteristics Configuring LLDP-MED TLVs Configuring Network-Policy TLV Configuring Location TLV and Wired Location Service Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service Configuration Examples for Configuring LLDP, LLDP-MED, and Wired Location Service Enabling LLDP: Examples Configuring LDP Parameters: Examples Configuring TLV: Example Configuring Network Policy: Example Configuring Voice Application: Example Configuring Civic Location Information: Example Enabling NMSP: Example Page Page Configuring CDP Finding Feature Information Information About CDP CDP Default CDP Configuration How to Configure CDP Configuring the CDP Parameters Disabling CDP Monitoring and Maintaining CDP Configuration Examples for CDP Configuring CDP Parameters: Example Enabling CDP: Examples Page Page Configuring UDLD Prerequisites for UDLD Restrictions for UDLD Information About UDLD UDLD Modes of Operation Methods to Detect Unidirectional Links Page Default UDLD Settings How to Configure UDLD Enabling UDLD Globally Enabling UDLD on an Interface Setting and Resetting UDLD Parameters Maintaining and Monitoring UDLD Page Page Configuring RMON Prerequisites for RMON Restrictions for RMON Information About RMON RMON Page How to Configure RMON Configuring RMON Alarms and Events Collecting Group History Statistics on an Interface Collecting Group Ethernet Statistics on an Interface Monitoring and Maintaining RMON Configuration Examples for RMON Configuring an RMON Alarm Number: Example Creating an RMON Event Number: Example Configuring RMON Statistics: Example Page Page Page Configuring System Message Logging Restrictions for System Message Logging Information About System Message Logging System Message Logging System Log Message Format Log Messages Message Severity Levels Configuring UNIX Syslog Servers Logging Messages to a UNIX Syslog Daemon Default System Message Logging Configuration How to Configure System Message Logging Disabling Message Logging Setting the Message Display Destination Device Synchronizing Log Messages Enabling and Disabling Time Stamps on Log Messages Enabling and Disabling Sequence Numbers in Log Messages Defining the Message Severity Level Limiting Syslog Messages Sent to the History Table and to SNMP Enabling the Configuration-Change Logger Configuring the UNIX System Logging Facility Monitoring and Maintaining the System Message Log Configuration Examples for the System Message Log System Message: Example Logging Display: Examples Enabling the Logger: Example Configuration Log Output: Example Page Page Page Configuring SNMP Prerequisites for SNMP Restrictions for SNMP Information About SNMP SNMP SNMP Versions Page SNMP Manager Functions SNMP Agent Functions SNMP Community Strings Using SNMP to Access MIB Variables SNMP Notifications SNMP ifIndex MIB Object Values Community Strings SNMP Notifications Page Default SNMP Settings How to Configure SNMP Disabling the SNMP Agent Configuring Community Strings Configuring SNMP Groups and Users Page Configuring SNMP Notifications Page Setting the CPU Threshold Notification Types and Values Setting the Agent Contact and Location Information Limiting TFTP Servers Used Through SNMP Monitoring and Maintaining SNMP Configuration Examples for SNMP Enabling SNMP Versions: Example Permit SNMP Manager Access: Example Allow Read-Only Access: Example Configure SNMP Traps: Examples Associating a User with a Remote Host: Example Assigning a String to SNMP: Example Page Configuring Network Security with ACLs Restrictions for Network Security with ACLs Information About Network Security with ACLs ACLs Supported ACLs Port ACLs Handling Fragmented and Unfragmented Traffic IPv4 ACLs Standard and Extended IPv4 ACLs Access List Numbers ACL Logging Numbered Extended ACL Resequencing ACEs in an ACL Named Standard and Extended ACLs Time Ranges with ACLs Comments in ACLs IPv4 ACL to a Terminal Line IPv4 ACL Application to an Interface Guidelines Hardware and Software Handling of IP ACLs Troubleshooting ACLs Named MAC Extended ACLs MAC ACL to a Layer 2 Interface How to Configure Network Security with ACLs Creating a Numbered Standard ACL Page Creating a Numbered Extended ACL Page Creating Named Standard and Extended ACLs Using Time Ranges with ACLs Applying an IPv4 ACL to a Terminal Line Applying an IPv4 ACL to an Interface Creating Named MAC Extended ACLs Applying a MAC ACL to a Layer 2 Interface Monitoring and Maintaining Network Security with ACLs Configuration Examples for Network Security with ACLs Creating a Standard ACL: Example Creating an Extended ACL: Example 37-20 Configuring Time Ranges: Examples Using Named ACLs: Example This example uses named ACLs to permit and deny the same traffic. Including Comments in ACLs: Examples Applying ACL to a Port: Example Applying an ACL to an Interface: Example Routed ACLs: Examples Configuring Numbered ACLs: Example Configuring Extended ACLs: Examples Creating Named ACLs: Example Applying Time Range to an IP ACL: Example Creating Commented IP ACL Entries: Examples Configuring ACL Logging: Examples Applying a MAC ACL to a Layer 2 Interface: Examples Page Page Configuring Standard QoS Prerequisites for Standard QoS Restrictions for Standard QoS Information About Standard QoS Page Standard QoS Model Standard QoS Configuration Guidelines QoS ACL QoS on Interfaces Policing Default Standard QoS Configuration Default Ingress Queue Settings Default Egress Queue Settings Default Mapping Table Settings Page Classification Page 38-12 Classification Based on QoS ACLs Classification Based on Class Maps and Policy Maps Policing and Marking Policing on Physical Ports Policing on SVIs Page Mapping Tables Queueing and Scheduling Overview Weighted Tail Drop SRR Shaping and Sharing Queueing and Scheduling on Ingress Queues WTD Thresholds Buffer and Bandwidth Allocation Priority Queueing Queueing and Scheduling on Egress Queues Page Buffer and Memory Allocation WTD Thresholds Shaped or Shared Mode Packet Modification Classification Using Port Trust States Trust State on Ports within the QoS Domain Configuring a Trusted Boundary to Ensure Port Security DSCP Transparency Mode DSCP Trust State on a Port Bordering Another QoS Domain QoS Policies Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps DSCP Maps DSCP-to-DSCP-Mutation Map Ingress Queue Characteristics Ingress Priority Queue Egress Queue Characteristics Egress Queue Configuration Guidelines Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set How to Configure Standard QoS Enabling QoS Globally Enabling VLAN-Based QoS on Physical Ports Configuring Classification Using Port Trust States Configuring the Trust State on Ports Within the QoS Domain Configuring the CoS Value for an Interface Configuring a Trusted Boundary to Ensure Port Security Enabling DSCP Transparency Mode Configuring the DSCP Trust State on a Port Bordering Another QoS Domain Configuring a QoS Policy Creating IP Standard ACLs Creating IP Extended ACLs Creating a Layer 2 MAC ACL for Non-IP Traffic Creating Class Maps Page Creating Nonhierarchical Policy Maps Page Creating Hierarchical Policy Maps Page Page Page Creating Aggregate Policers Configuring DSCP Maps Configuring the CoS-to-DSCP Map Configuring the IP-Precedence-to-DSCP Map Configuring the Policed-DSCP Map Configuring the DSCP-to-CoS Map Configuring the DSCP-to-DSCP-Mutation Map Configuring Ingress Queue Characteristics Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds Allocating Buffer Space Between the Ingress Queues Allocating Bandwidth Between the Ingress Queues Configuring the Ingress Priority Queue Configuring Egress Queue Characteristics Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID Configuring SRR Shaped Weights on Egress Queues Configuring SRR Shared Weights on Egress Queues Configuring the Egress Expedite Queue Monitoring and Maintaining Standard QoS Limiting the Bandwidth on an Egress Interface Configuration Examples for Standard QoS Configuring the SRR Scheduler: Example Configuring DSCP-Trusted State on a Port: Example Allowing ACL Permission for IP Traffic: Examples Configuring a Class Map: Examples Creating a Policy Map: Example Creating a Layer 2 MAC ACL: Example Creating an Aggregate Policer: Example Configuring COS-to-DSCP Map: Example Configuring DSCP Maps: Examples Configuring an Ingress Queue: Example Configuring the Egress Queue: Examples Creating a Layer 2 MAC ACL: Example Page Page Page Configuring Auto-QoS Prerequisites for Auto-QoS Restrictions for Auto-QoS Information About Auto-QoS Auto-QoS Generated Auto-QoS Configuration Page 39-5 The switch automatically maps CoS values to an egress queue and to a threshold ID. The switch automatically maps DSCP values to an ingress queue and to a threshold ID. The switch automatically maps DSCP values to an egress queue and to a threshold ID. Table 39-4 Generated Auto-QoS Configuration (continued) Page Effects of Auto-QoS on the Configuration How to Configure Auto-QoS Enabling Auto-QoS for VoIP Configuring QoS to Prioritize VoIP Traffic Monitoring and Maintaining Auto-QoS 39-10 Configuration Examples for Auto-QoS Auto-QoS Network: Example Enabling Auto-QoS VOIP Trust: Example Page Configuring EtherChannels Finding Feature Information Restrictions for Configuring EtherChannels Information About Configuring EtherChannels EtherChannels Port-Channel Interfaces Port Aggregation Protocol PAgP Modes PAgP Learn Method and Priority PAgP Interaction with Virtual Switches and Dual-Active Detection PAgP Interaction with Other Features Link Aggregation Control Protocol LACP Modes LACP Hot-Standby Ports LACP Interaction with Other Features EtherChannel On Mode Load Balancing and Forwarding Methods Page Default EtherChannel Settings EtherChannel Configuration Guidelines How to Configure EtherChannels Configuring Layer 2 EtherChannels Page Page Configuring EtherChannel Load Balancing Configuring the PAgP Learn Method and Priority Configuring the LACP Hot-Standby Ports Monitoring and Maintaining EtherChannels on the IE 2000 Switch Configuration Examples for Configuring EtherChannels Configuring EtherChannels: Examples Additional References Page Page Configuring Static IP Unicast Routing Finding Feature Information Restrictions for Static IP Unicast Routing Information About Configuring Static IP Unicast Routing IP Routing Types of Routing How to Configure Static IP Unicast Routing Steps for Configuring Routing Enabling IP Unicast Routing Assigning IP Addresses to SVIs Configuring Static Unicast Routes Monitoring and Maintaining the IP Network Additional References for Configuring IP Unicast Routing Page Configuring IPv6 Host Functions Prerequisites Configuring IPv6 Host Functions Information About Configuring IPv6 Host Functions IPv6 IPv6 Addresses Supported IPv6 Host Features 128-Bit Wide Unicast Addresses DNS for IPv6 ICMPv6 Neighbor Discovery Default Router Preference IPv6 Stateless Autoconfiguration and Duplicate Address Detection IPv6 Applications Dual IPv4 and IPv6 Protocol Stacks Static Routes for IPv6 SNMP and Syslog Over IPv6 HTTP over IPv6 Default IPv6 Settings How to Configure IPv6 Hosting Configuring IPv6 Addressing and Enabling IPv6 Host Configuring Default Router Preference Configuring IPv6 ICMP Rate Limiting Monitoring and Maintaining IPv6 Host Information 42-10 Configuration Examples for IPv6 Host Functions Enabling IPv6: Example Configuring DRP: Example This example shows how to configure a DRP of high for the router on an interface. Configuring an IPv6 ICMP Error Message Interval Displaying Show Command Output: Examples This is an example of the output from the show ipv6 interfac e privileged EXEC command: This is an example of the output from the show ipv6 protocols privileged EXEC command : This is an example of the output from the show ipv6 neighbor privileged EXEC command: This is an example of the output from the show ipv6 route privileged EXEC command: 42-12 Page Page Configuring Link State Tracking Finding Feature Information Restrictions for Configuring Link State Tracking Information About Configuring Link State Tracking Link State Tracking Page 43-3 Default Link State Tracking Configuration There are no link state groups defined, and link state trac king is not enabled for any group. How to Configure Link State Tracking Configuring Link State Tracking Displaying Link State Information: Examples Creating a Link State Group: Example Page Configuring IPv6 MLD Snooping Finding Feature Information Prerequisites for Configuring IPv6 MLD Snooping Restrictions for Configuring IPv6 MLD Snooping Information About Configuring IPv6 MLD Snooping MLD Messages MLD Queries Multicast Client Aging Robustness Multicast Router Discovery MLD Reports MLD Done Messages and Immediate-Leave Topology Change Notification Processing Default MLD Snooping Configuration MLD Snooping Configuration Guidelines Enabling or Disabling MLD Snooping Multicast Router Port MLD Immediate Leave How to Configure IPv6 MLD Snooping Enabling or Disabling MLD Snooping Configuring a Static Multicast Group Configuring a Multicast Router Port Enabling MLD Immediate Leave Configuring MLD Snooping Queries Disabling MLD Listener Message Suppression Monitoring and Maintaining IPv6 MLD Snooping Configuration Examples for Configuring IPv6 MLD Snooping Statically Configure an IPv6 Multicast Group: Example Adding a Multicast Router Port to a VLAN: Example Enabling MLD Immediate Leave on a VLAN: Example Setting MLD Snooping Global Robustness: Example Page Page Page Page Configuring Cisco IOS IP SLAs Operations Finding Feature Information Prerequisites for Configuring Cisco IOS IP SLAs Operations Restrictions for Configuring Cisco IOS IP SLAs Operations Information About Configuring Cisco IOS IP SLAs Operations Cisco IOS IP SLAs Cisco IOS IP SLAs to Measure Network Performance IP SLAs Responder and IP SLAs Control Protocol Response Time Computation for IP SLAs IP SLAs Operation Scheduling IP SLAs Operation Threshold Monitoring IP Service Levels by Using the UDP Jitter Operation IP Service Levels by Using the ICMP Echo Operation How to Configure Cisco IOS IP SLAs Operations Configuring the IP SLAs Responder Configuring UDP Jitter Operation Page Analyzing IP Service Levels by Using the ICMP Echo Operation Monitoring and Maintaining Cisco IP SLAs Operations Configuration Examples for Configuring Cisco IP SLAs Operations Configuring an ICMP Echo IP SLAs Operation: Example 45-12 Sample Output for Show IP SLA Command: Example This is an example of the output from the command: Configuring a Responder UDP Jitter IP SLAs Operation: Example Configuring a UDP Jitter IP SLAs Operation: Example This example shows how to configure a UDP jitter IP SLAs operation: Page Page Troubleshooting Information for Troubleshooting Autonegotiation Mismatches Prevention SFP Module Security and Identification Ping Layer 2 Traceroute Layer 2 Traceroute Usage Guidelines IP Traceroute TDR Crashinfo Files Basic crashinfo Files Extended crashinfo Files CPU Utilization Problem and Cause for High CPU Utilization How to Troubleshoot Recovering from Software Failures Recovering from a Lost or Forgotten Password Recovering from Lost Cluster Member Connectivity Executing Ping Executing IP Traceroute Running TDR and Displaying the Results Enabling Debugging on a Specific Feature Enabling All-System Diagnostics Redirecting Debug and Error Message Output Monitoring Information Physical Path SFP Module Status Troubleshooting Examples show platform forward Command 46-15 Page Page Page APPENDIX A Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Displaying Available File Systems A-2 Detecting an Unsupported SD Flash Memory Card This example shows a supported SD flash memory card: SD Flash Memory Card LED Setting the Default File System Displaying Information About Files on a File System Changing Directories and Displaying the Working Directory Creating and Removing Directories Copying Files Deleting Files Creating, Displaying, and Extracting tar Files Creating a tar File Displaying the Contents of a tar File Extracting a tar File Displaying the Contents of a File Working with Configuration Files Guidelines for Creating and Using Configuration Files Configuration File Types and Location Creating a Configuration File By Using a Text Editor Copying Configuration Files By Using TFTP Preparing to Download or Upload a Configuration File By Using TFTP Downloading the Configuration File By Using TFTP Uploading the Configuration File By Using TFTP Copying Configuration Files By Using FTP Preparing to Download or Upload a Configuration File By Using FTP Downloading a Configuration File By Using FTP Uploading a Configuration File By Using FTP Copying Configuration Files By Using RCP Preparing to Download or Upload a Configuration File By Using RCP Downloading a Configuration File By Using RCP Uploading a Configuration File By Using RCP Clearing Configuration Information Clearing the Startup Configuration File Deleting a Stored Configuration File Replacing and Rolling Back Configurations Understanding Configuration Replacement and Rollback Configuration Guidelines Configuring the Configuration Archive Performing a Configuration Replacement or Rollback Operation Working with Software Images Image Location on the Switch tar File Format of Images on a Server or Cisco.com Copying Image Files By Using TFTP Preparing to Download or Upload an Image File By Using TFTP Downloading an Image File By Using TFTP Page Uploading an Image File By Using TFTP Copying Image Files By Using FTP Preparing to Download or Upload an Image File By Using FTP Downloading an Image File By Using FTP Uploading an Image File By Using FTP Copying Image Files By Using RCP Preparing to Download or Upload an Image File By Using RCP Downloading an Image File By Using RCP Uploading an Image File By Using RCP Page Page INDEX Numerics A Page B C Page D Page Page Page E F G H I Page Page J K L M Page Page N O P Page Page Q R Page Page S Page Page Page T Page U V Page W X