Full-length PDF for Catalyst 4500 Series Switch Software Configuration Guide, 12.2(54)SG

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Release 12.2(54)SG Customer Order Number: DOC-OL22170=1 Customer Order Number: OL-22170-01


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCDE, CCENT, CCSI, Cisco Eos, Cisco Explorer, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Copyright 1999-2010 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface
Audience
Conventions
Organization
Related Documentation
Hardware Documents
Software Documentation
Cisco IOS Documentation
Commands in Task Tables
Notices
OpenSSL/Open SSL Project License Issues
Obtaining Documentation and Submitting a Service Request

CHAPTER 1

Product Overview

Layer 2 Software Features
802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling
Auto SmartPort Macros
CDP
EtherChannel Bundles
Ethernet CFM
Ethernet OAM Protocol
Flex Links and MAC Address-Table Move Update
Jumbo Frames
Link Layer Discovery Protocol
Link State Tracking
Location Service
Multiple Spanning Tree
Per-VLAN Rapid Spanning Tree
QoS
Resilient Ethernet Protocol
SmartPort Macros
Spanning Tree Protocol
Stateful Switchover
SVI Autostate
UBRL
UDLD
Unidirectional Ethernet
VLANs
Virtual Switch System
Y.1731 (AIS and RDI)
Layer 3 Software Features
CEF
EIGRP Stub Routing
HSRP
SSO Aware HSRP
IP Routing Protocols
BGP
EIGRP
GLBP
IGRP
IS-IS
OSPF
RIP
VRRP
IPv6
ISSU
Multicast Services
NSF with SSO
OSPF for Routed Access
Policy-Based Routing
Unidirectional Link Routing
VRF-lite
Management Features
Cisco Call Home
Cisco Energy Wise
Cisco Network Assistant and Embedded CiscoView
Dynamic Host Control Protocol
Ethernet Management Port
FAT File Management System (Supervisor Engine 6-E and 6L-E only)
Forced 10/100 Autonegotiation
Intelligent Power Management
IP SLA
MAC Address Notification
MAC Notify MIB
NetFlow Statistics
Secure Shell
Simple Network Management Protocol
SPAN and RSPAN
Virtual Router Redundancy Protocol
Web Content Coordination Protocol
XML-PI
Security Features
802.1X Identity-Based Network Security
Cisco TrustSec SGT Exchange Protocol (SXP) IPv4
Dynamic ARP Inspection
Dynamic Host Configuration Protocol Snooping
Flood Blocking
Hardware-Based Control Plane Policing
IP Source Guard for Static Hosts
IP Source Guard
Local Authentication, RADIUS, and TACACS+ Authentication
Network Admission Control
Network Security with ACLs
Port Security
PPPoE Intermediate Agent
Storm Control
uRPF Strict Mode
Utilities
Layer 2 Traceroute
Time Domain Reflectometry
Debugging Features
Web-based Authentication

CHAPTER 2

Command-Line Interfaces

Accessing the Switch CLI
Accessing the CLI Using the EIA/TIA-232 Console Interface
Accessing the CLI Through Telnet
Performing Command-Line Processing
Performing History Substitution
About Cisco IOS Command Modes
Getting a List of Commands and Syntax
Virtual Console for Standby Supervisor Engine
ROMMON Command-Line Interface
Archiving Crashfiles Information

CHAPTER 3

Configuring the Switch for the First Time

Default Switch Configuration
Configuring DHCP-Based Autoconfiguration
About DHCP-Based Autoconfiguration
DHCP Client Request Process
Configuring the DHCP Server
Configuring the TFTP Server
Configuring the DNS Server
Configuring the Relay Device
Obtaining Configuration Files
Example Configuration
Configuring the Switch
Using Configuration Mode to Configure Your Switch
Verifying the Running Configuration Settings
Saving the Running Configuration Settings to Your Start-Up File
Reviewing the Configuration in NVRAM
Configuring a Default Gateway
Configuring a Static Route
Controlling Access to Privileged EXEC Commands
Setting or Changing a Static enable Password
Using the enable password and enable secret Commands
Setting or Changing a Privileged Password
Controlling Switch Access with TACACS+
Understanding TACACS+
TACACS+ Operation
Configuring TACACS+
Displaying the TACACS+ Configuration
Encrypting Passwords
Configuring Multiple Privilege Levels
Setting the Privilege Level for a Command
Changing the Default Privilege Level for Lines
Logging In to a Privilege Level
Exiting a Privilege Level
Displaying the Password, Access Level, and Privilege Level Configuration
Recovering a Lost Enable Password
Modifying the Supervisor Engine Startup Configuration
Understanding the Supervisor Engine Boot Configuration
Understanding the ROM Monitor
Configuring the Software Configuration Register
Modifying the Boot Field and Using the boot Command
Modifying the Boot Field
Verifying the Configuration Register Setting
Specifying the Startup System Image
Flash Memory Features
Security Precautions
Configuring Flash Memory
Controlling Environment Variables
Resetting a Switch to Factory Default Settings

CHAPTER 4

Administering the Switch

Managing the System Time and Date
System Clock
Understanding Network Time Protocol
Configuring NTP
Default NTP Configuration
Configuring NTP Authentication
Configuring NTP Associations
Configuring NTP Broadcast Service
Configuring NTP Access Restrictions
Configuring the Source IP Address for NTP Packets
Displaying the NTP Configuration
Configuring Time and Date Manually
Setting the System Clock
Displaying the Time and Date Configuration
Configuring the Time Zone
Configuring Summer Time (Daylight Saving Time)
Configuring a System Name and Prompt
Configuring a System Name
Understanding DNS
Default DNS Configuration
Setting Up DNS
Displaying the DNS Configuration
Creating a Banner
Default Banner Configuration
Configuring a Message-of-the-Day Login Banner
Configuring a Login Banner
Managing the MAC Address Table
Building the Address Table
MAC Addresses and VLANs
Default MAC Address Table Configuration
Changing the Address Aging Time
Removing Dynamic Address Entries
Configuring MAC Change Notification Traps
Configuring MAC Move Notification Traps
Configuring MAC Threshold Notification Traps
Adding and Removing Static Address Entries
Configuring Unicast MAC Address Filtering
Disabling MAC Address Learning on a VLAN
Configuring Disable MAC Address Learning
Usage Guidelines
Deployment Scenarios
Feature Compatibility
Feature Incompatibility
Partial Feature Incompatibility
Displaying Address Table Entries
Managing the ARP Table
Configuring Embedded CiscoView Support
Understanding Embedded CiscoView
Installing and Configuring Embedded CiscoView
Displaying Embedded CiscoView Information

CHAPTER 5

Configuring the Cisco IOS In-Service Software Upgrade Process

Prerequisites to Performing ISSU
About ISSU
Stateful Switchover Overview
NSF Overview
ISSU Process Overview
Guidelines for Performing ISSU
Versioning Capability in Cisco IOS Software to Support ISSU
Compatibility Matrix
SNMP Support for ISSU
Compatibility Verification Using Cisco Feature Navigator
Performing the ISSU Process
Verifying the ISSU Software Installation
Verifying Redundancy Mode Before Beginning the ISSU Process
Verifying the ISSU State Before Beginning the ISSU Process
Loading New Cisco IOS Software on the Standby Supervisor Engine
Switching to the Standby Supervisor Engine
Stopping the ISSU Rollback Timer (Optional)
Loading New Cisco IOS Software on the New Standby Supervisor Engine
Aborting a Software Upgrade During ISSU
Configuring the Rollback Timer to Safeguard Against Upgrade Issues
Displaying ISSU Compatibility Matrix Information
Related Documents

CHAPTER 6

Configuring Interfaces

About Interface Configuration
Using the interface Command
Configuring a Range of Interfaces
Using the Ethernet Management Port
Understanding the Ethernet Management Port
Fa1 Interface and mgmtVrf
SSO Model
ISSU Model
Supported Features on the Ethernet Management Port
Configuring the Ethernet Management Port
Defining and Using Interface-Range Macros
Deploying SFP+ in X2 Ports
Deploying 10-Gigabit Ethernet and Gigabit Ethernet SFP Ports
Deploying 10-Gigabit Ethernet or Gigabit Ethernet Ports on Supervisor Engine 6-E, Supervisor Engine 6L-E and WS-X4606-10GE-E
Port Numbering TwinGig Convertors
Limitations on Using a TwinGig Convertor
Selecting X2/TwinGig Convertor Mode
Invoking Shared-Backplane Uplink Mode on Supervisor Engine 6-E
Digital Optical Monitoring Transceiver Support
Configuring Optional Interface Features
Configuring Ethernet Interface Speed and Duplex Mode
Speed and Duplex Mode Configuration Guidelines
Setting the Interface Speed
Setting the Interface Duplex Mode
Displaying the Interface Speed and Duplex Mode Configuration
Adding a Description for an Interface
Configuring Flow Control
Configuring Jumbo Frame Support
Ports and Modules That Support Jumbo Frames
Jumbo Frame Support
Configuring MTU Sizes
Interacting with Baby Giants
Configuring the Port Debounce Timer
Configuring Auto-MDIX on a Port
Displaying the Interface Auto-MDIX Configuration
Understanding Online Insertion and Removal
Monitoring and Maintaining the Interface
Monitoring Interface and Controller Status
Clearing and Resetting the Interface
Shutting Down and Restarting an Interface
Configuring Interface Link Status and Trunk Status Events
Configuring Link Status Event Notification for an Interface
Global Settings
Configuring a Switch Global Link Status Logging Event
Examples
Resetting the Interface to the Default Configuration

CHAPTER 7

Checking Port Status and Connectivity

Checking Module Status
Checking Interfaces Status
Displaying MAC Addresses
Checking Cable Status Using Time Domain Reflectometer
Overview
Running the TDR Test
TDR Guidelines
Using Telnet
Changing the Logout Timer
Monitoring User Sessions
Using Ping
Understanding How Ping Works
Running Ping
Using IP Traceroute
Understanding How IP Traceroute Works
Running IP Traceroute
Using Layer 2 Traceroute
Layer 2 Traceroute Usage Guidelines
Running Layer 2 Traceroute
Configuring ICMP
Enabling ICMP Protocol Unreachable Messages
Enabling ICMP Redirect Messages
Enabling ICMP Mask Reply Messages

CHAPTER 8

Configuring Supervisor Engine Redundancy Using RPR and SSO

About Supervisor Engine Redundancy
Overview
RPR Operation
SSO Operation
About Supervisor Engine Redundancy Synchronization
RPR Supervisor Engine Configuration Synchronization
SSO Supervisor Engine Configuration Synchronization
Supervisor Engine Redundancy Guidelines and Restrictions
Configuring Supervisor Engine Redundancy
Configuring Redundancy
Virtual Console for Standby Supervisor Engine
Synchronizing the Supervisor Engine Configurations
Performing a Manual Switchover
Performing a Software Upgrade
Manipulating Bootflash on the Redundant Supervisor Engine

CHAPTER 9

Configuring Cisco NSF with SSO Supervisor Engine Redundancy

About NSF with SSO Supervisor Engine Redundancy
About Cisco IOS NSF-Aware and NSF-Capable Support
NSF with SSO Supervisor Engine Redundancy Overview
SSO Operation
NSF Operation
Cisco Express Forwarding
Routing Protocols
BGP Operation
OSPF Operation
IS-IS Operation
EIGRP Operation
NSF Guidelines and Restrictions
Configuring NSF with SSO Supervisor Engine Redundancy
Configuring SSO
Configuring CEF NSF
Verifying CEF NSF
Configuring BGP NSF
Verifying BGP NSF
Configuring OSPF NSF
Verifying OSPF NSF
Configuring IS-IS NSF
Verifying IS-IS NSF
Configuring EIGRP NSF
Verifying EIGRP NSF

CHAPTER 10

Environmental Monitoring and Power Management

About Environmental Monitoring
Using CLI Commands to Monitor your Environment
Displaying Environment Conditions
Conditions on Supervisor Engines II-Plus to V-10GE
Conditions on Supervisor Engine 6-E and Supervisor Engine 6L-E
Emergency Actions
System Alarms
Power Management
Power Management for the Catalyst 4500 Series Switches
Supported Power Supplies
Power Management Modes for the Catalyst 4500 Switch
Selecting a Power Management Mode
Power Management Limitations in Catalyst 4500 Series Switches
Available Power for Catalyst 4500 Series Switches Power Supplies
Special Considerations for the 4200 W AC and 6000 W AC Power Supplies
Combined Mode Power Resiliency
Special Considerations for the 1400 W DC Power Supply
Special Considerations for the 1400 W DC SP Triple Input Power Supply
Insufficient Inline Power Handling for Supervisor Engine II-TS
Powering Down a Module
Power Management for the Catalyst 4948 Switches
Power Management Modes for the Catalyst 4948 Switch

CHAPTER 11

Configuring Power over Ethernet

About Power over Ethernet
Hardware Requirements
Power Management Modes
Intelligent Power Management
Configuring Power Consumption for Powered Devices on an Interface
Displaying the Operational Status for an Interface
Displaying the PoE Consumed by a Module
PoE Policing and Monitoring
PoE Policing Modes
Configuring Power Policing on an Interface
Displaying Power Policing on an Interface
Configuring Errdisable Recovery
Enhanced Power PoE Support on the E-Series Chassis

CHAPTER 12

Configuring the Catalyst 4500 Series Switch with Cisco Network Assistant

About Network Assistant
Clustering Overview
Network Assistant-Related Parameters and Their Defaults
Network Assistant CLI Commands
Configuring Your Switch for Network Assistant
(Minimum) Configuration Required to Access Catalyst 4500 from Cisco Network Assistant
(Additional) Configuration Required to Use Community
(Additional) Configuration Required to Use Cluster
Managing a Network Using Community
Candidate and Member Requirements
Automatic Discovery of Candidates and Members
Community Names
Hostnames
Passwords
Communication Protocols
Access Modes in Network Assistant
Community Information
Adding Devices
Converting a Cluster into a Community
Managing a Network Using Cluster
Understanding Switch Clusters
Cluster Command Switch Requirements
Network Assistant and VTY
Candidate Switch and Cluster Member Switch Requirements
Using the CLI to Manage Switch Clusters
Configuring Network Assistant in Community or Cluster Mode
Configuring Network Assistant on a Networked Switch in Community Mode
Configuring Network Assistant in a Networked Switch in Cluster Mode

CHAPTER 13

Configuring VLANs, VTP, and VMPS

VLANs
About VLANs
VLAN Configuration Guidelines and Restrictions
VLAN Ranges
Configurable Normal-Range VLAN Parameters
VLAN Default Configuration
Configuring VLANs
Configuring VLANs in Global Configuration Mode
Assigning a Layer 2 LAN Interface to a VLAN
VLAN Trunking Protocol
About VTP
Understanding the VTP Domain
Understanding VTP Modes
Understanding VTP Advertisements
Understanding VTP Versions
Understanding VTP Pruning
VTP Configuration Guidelines and Restrictions
VTP Default Configuration
Configuring VTP
Configuring VTP Global Parameters
Configuring the VTP Mode
Starting a Takeover
Displaying VTP Statistics
Displaying VTP Devices in a Domain
VLAN Membership Policy Server
About VMPS
Understanding the VMPS Server
Security Modes for VMPS Server
Fallback VLAN
Illegal VMPS Client Requests
Overview of VMPS Clients
Understanding Dynamic VLAN Membership
Default VMPS Client Configuration
Configuring a Switch as a VMPS Client
Administering and Monitoring the VMPS
Troubleshooting Dynamic Port VLAN Membership
Dynamic Port VLAN Membership Configuration Example
VMPS Database Configuration File Example

CHAPTER 14

Configuring IP Unnumbered Interface

Related Documents
About IP Unnumbered Interface Support
IP Unnumbered Interface Support with DHCP Server and Relay Agent
DHCP Option 82
IP Unnumbered Interface with Connected Host Polling
IP Unnumbered Configuration Guidelines and Restrictions
Configuring IP Unnumbered Interface Support with DHCP Server
Configuring IP Unnumbered Interface Support on LAN and VLAN Interfaces
Configuring IP Unnumbered Interface Support on a Range of Ethernet VLANs
Configuring IP Unnumbered Interface Support with Connected Host Polling
Displaying IP Unnumbered Interface Settings
Troubleshooting IP Unnumbered Interface

CHAPTER 15

Configuring Layer 2 Ethernet Interfaces

About Layer 2 Ethernet Switching
Layer 2 Ethernet Switching
Switching Frames Between Segments
Building the MAC Address Table
VLAN Trunks
Encapsulation Types
Layer 2 Interface Modes
Default Layer 2 Ethernet Interface Configuration
Layer 2 Interface Configuration Guidelines and Restrictions
Configuring Ethernet Interfaces for Layer 2 Switching
Configuring an Ethernet Interface as a Layer 2 Trunk
Configuring an Interface as a Layer 2 Access Port
Clearing Layer 2 Configuration

CHAPTER 16

Configuring SmartPort Macros

About SmartPort Macros and Static SmartPort
Configuring SmartPort Macros
Passing Parameters Through the Macro
Macro Parameter Help
Default SmartPort Macro Configuration
cisco-global
cisco-desktop
cisco-phone
cisco-router
cisco-switch
SmartPort Macro Configuration Guidelines
Creating SmartPort Macros
Applying SmartPort Macros
cisco-global
cisco-desktop
cisco-phone
cisco-switch
cisco-router
Displaying SmartPort Macros
Configuring Static SmartPort Macros
Default Static SmartPort Configuration
Static SmartPort Configuration Guidelines
Applying Static SmartPort Macros

CHAPTER 17

Configuring Auto SmartPort Macros

About Auto SmartPorts
Configuring Auto SmartPorts
Enabling Auto SmartPorts
Auto SmartPorts Default Configuration
Auto SmartPorts Configuration Guidelines
Configuring Auto SmartPorts Built-in Macro Parameters
Configuring User-defined Event Triggers
802.1X-Based Event Trigger
MAC Address-Based Event Trigger
Configuring Mapping Between User-Defined Triggers and Built-in Macros
Configuring Auto SmartPorts User-Defined Macros
Displaying Auto SmartPorts

CHAPTER 18

Configuring STP and MST

About STP
Understanding the Bridge ID
Bridge Priority Value
Extended System ID
STP MAC Address Allocation
Bridge Protocol Data Units
Election of the Root Bridge
STP Timers
Creating the STP Topology
STP Port States
MAC Address Allocation
STP and IEEE 802.1Q Trunks
Per-VLAN Rapid Spanning Tree
Default STP Configuration
Configuring STP
Enabling STP
Enabling the Extended System ID
Configuring the Root Bridge
Configuring a Secondary Root Switch
Configuring STP Port Priority
Configuring STP Port Cost
Configuring the Bridge Priority of a VLAN
Configuring the Hello Time
Configuring the Maximum Aging Time for a VLAN
Configuring the Forward-Delay Time for a VLAN
Disabling Spanning Tree Protocol
Enabling Per-VLAN Rapid Spanning Tree
Specifying the Link Type
Restarting Protocol Migration
About MST
IEEE 802.1s MST
IEEE 802.1w RSTP
RSTP Port Roles
RSTP Port States
MST-to-SST Interoperability
Common Spanning Tree
MST Instances
MST Configuration Parameters
MST Regions
MST Region Overview
Boundary Ports
IST Master
Edge Ports
Link Type
Message Age and Hop Count
MST-to-PVST+ Interoperability
MST Configuration Restrictions and Guidelines
Configuring MST
Enabling MST
Configuring MST Instance Parameters
Configuring MST Instance Port Parameters
Restarting Protocol Migration
Displaying MST Configurations

CHAPTER 19

Configuring Flex Links and MAC Address-Table Move Update

About Flex Links
Flex Links
VLAN Flex Link Load Balancing and Support
Flex Link Failover Actions
MAC Address-Table Move Update
Configuring Flex Links
Default Configuration
Configuration Guidelines
Configuring Flex Links
Configuring VLAN Load Balancing on Flex Links
Configuring MAC Address-Table Move Update
Default Configuration
Configuration Guidelines
Configuring the MAC Address-Table Move Update Feature
Configuring a Switch to Send MAC Address-Table Move Updates
Configuring a Switch to Receive MAC Address-Table Move Updates
Monitoring Flex Links and the MAC Address-Table Move Update

CHAPTER 20

Configuring Resilient Ethernet Protocol

About REP
Link Integrity
Fast Convergence
VLAN Load Balancing
Spanning Tree Interaction
REP Ports
Configuring REP
Default REP Configuration
REP Configuration Guidelines
Configuring the REP Administrative VLAN
Configuring REP Interfaces
Setting Manual Preemption for VLAN Load Balancing
Configuring SNMP Traps for REP
Monitoring REP

CHAPTER 21

Configuring Optional STP Features

About Root Guard
Enabling Root Guard
About Loop Guard
Enabling Loop Guard
About EtherChannel Guard
Enabling EtherChannel Guard (Optional)
About PortFast
Enabling PortFast
About BPDU Guard
Enabling BPDU Guard
About PortFast BPDU Filtering
Enabling PortFast BPDU Filtering
About UplinkFast
Enabling UplinkFast
About BackboneFast
Enabling BackboneFast

CHAPTER 22

Configuring EtherChannel and Link State Tracking

About EtherChannel
Port Channel Interfaces
Configuring EtherChannels
EtherChannel Configuration Overview
Manual EtherChannel Configuration
PAgP EtherChannel Configuration
IEEE 802.3ad LACP EtherChannel Configuration
Load Balancing
EtherChannel Configuration Guidelines and Restrictions
Configuring EtherChannel
Configuring Layer 3 EtherChannels
Creating Port Channel Logical Interfaces
Configuring Physical Interfaces as Layer 3 EtherChannels
Configuring Layer 2 EtherChannels
Configuring the LACP System Priority and System ID
Configuring EtherChannel Load Balancing
Removing an Interface from an EtherChannel
Removing an EtherChannel
Displaying EtherChannel to a Virtual Switch System
Understanding VSS Client
Virtual Switch System
Dual-Active Scenarios
Dual-Active Detection Using Enhance PAgP
Displaying EtherChannel Links to VSS
Understanding Link-State Tracking
Configuring Link-State Tracking
Default Link-State Tracking Configuration
Link-State Tracking Configuration Guidelines
Configuring Link-State Tracking
Displaying Link-State Tracking Status

CHAPTER 23

Configuring IGMP Snooping and Filtering

About IGMP Snooping
Immediate-Leave Processing
IGMP Configurable-Leave Timer
IGMP Snooping Querier
Explicit Host Tracking
Configuring IGMP Snooping
Default IGMP Snooping Configuration
Enabling IGMP Snooping Globally
Enabling IGMP Snooping on a VLAN
Configuring Learning Methods
Configuring PIM/DVMRP Learning
Configuring CGMP Learning
Configuring a Static Connection to a Multicast Router
Enabling IGMP Immediate-Leave Processing
Configuring the IGMP Leave Timer
Configuring IGMP Snooping Querier
Configuring Explicit Host Tracking
Configuring a Host Statically
Suppressing Multicast Flooding
IGMP Snooping Interface Configuration
IGMP Snooping Switch Configuration
Displaying IGMP Snooping Information
Displaying Querier Information
Displaying IGMP Host Membership Information
Displaying Group Information
Displaying Multicast Router Interfaces
Displaying MAC Address Multicast Entries
Displaying IGMP Snooping Information on a VLAN Interface
Displaying IGMP Snooping Querier Information
Configuring IGMP Filtering
Default IGMP Filtering Configuration
Configuring IGMP Profiles
Applying IGMP Profiles
Setting the Maximum Number of IGMP Groups
Displaying IGMP Filtering Configuration

CHAPTER 24

Configuring IPv6 MLD Snooping

About MLD Snooping
MLD Messages
MLD Queries
Multicast Client Aging
Multicast Router Discovery
MLD Reports
MLD Done Messages and Immediate-Leave
Topology Change Notification Processing
Configuring IPv6 MLD Snooping
Default MLD Snooping Configuration
MLD Snooping Configuration Guidelines
Enabling or Disabling MLD Snooping
Configuring a Static Multicast Group
Configuring a Multicast Router Port
Enabling MLD Immediate Leave
Configuring MLD Snooping Queries
Disabling MLD Listener Message Suppression
Displaying MLD Snooping Information

CHAPTER 25

Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling

About 802.1Q Tunneling
Configuring 802.1Q Tunneling
802.1Q Tunneling Configuration Guidelines
Native VLANs
System MTU
802.1Q Tunneling and Other Features
Configuring an 802.1Q Tunneling Port
About VLAN Mapping
Deployment Example
Mapping Customer VLANs to Service-Provider VLANs
Configuring VLAN Mapping
Default VLAN Mapping Configuration
VLAN Mapping Configuration Guidelines
Configuring VLAN Mapping
One-to-One Mapping
Traditional QinQ on a Trunk Port
Selective QinQ on a Trunk Port
About Layer 2 Protocol Tunneling
Configuring Layer 2 Protocol Tunneling
Default Layer 2 Protocol Tunneling Configuration
Layer 2 Protocol Tunneling Configuration Guidelines
Configuring Layer 2 Tunneling
Monitoring and Maintaining Tunneling Status

CHAPTER 26

Configuring CDP

About CDP
Configuring CDP
Enabling CDP Globally
Displaying the CDP Global Configuration
Enabling CDP on an Interface
Displaying the CDP Interface Configuration
Monitoring and Maintaining CDP

CHAPTER

Configuring LLDP, LLDP-MED, and Location Service About LLDP, LLDP-MED, and Location Service LLDP 27-1 LLDP-MED 27-2 Location Service 27-327-1

27-1

Configuring LLDP and LLDP-MED, and Location Service 27-4 Default LLDP Configuration 27-4 Configuring LLDP Characteristics 27-5 Disabling and Enabling LLDP Globally 27-6 Disabling and Enabling LLDP on an Interface 27-7 Configuring LLDP-MED TLVs 27-8 Configuring Network-Policy Profile 27-9 Configuring LLDP Power Negotiation 27-10 Configuring Location TLV and Location Service 27-11 Monitoring and Maintaining LLDP, LLDP-MED, and Location Service2827-13

CHAPTER

Configuring UDLD

28-1

About UDLD 28-1 UDLD Topology 28-2 Fast UDLD Topology 28-2 Operation Modes 28-3 Default States for UDLD 28-3 Default UDLD Configuration28-4

Configuring UDLD on the Switch 28-4 Fast UDLD Guidelines and Restrictions 28-4 Enabling UDLD Globally 28-5 Enabling UDLD on Individual Interfaces 28-6 Disabling UDLD on Individual Interfaces 28-7 Disabling UDLD on a Fiber-Optic Interface 28-7 Configuring a UDLD Probe Message Interval Globally 28-8 Configuring a Fast UDLD Probe Message Interval per Interface Resetting Disabled LAN Interfaces 28-8 Displaying UDLD Link Status2928-9

28-8

CHAPTER

Configuring Unidirectional Ethernet About Unidirectional Ethernet29-1

29-1

Configuring Unidirectional Ethernet30

29-2

CHAPTER

Configuring Layer 3 Interfaces

30-1

About Layer 3 Interfaces 30-1 Logical Layer 3 VLAN Interfaces 30-2 Physical Layer 3 Interfaces 30-2 Understanding SVI Autostate Exclude 30-3 Understanding Layer 3 Interface Counters 30-3 Configuration Guidelines30-5 30-6

Configuring Logical Layer 3 VLAN Interfaces

Configuring VLANs as Layer 3 Interfaces 30-7 Configuring SVI Autostate Exclude 30-7 Configuring IP MTU Sizes 30-9 Configuring Layer 3 Interface Counters 30-10 Configuring Physical Layer 3 Interfaces30-12

Configuring EIGRP Stub Routing 30-13 About EIGRP Stub Routing 30-13 Configuring EIGRP Stub Routing 30-14 Dual-Homed Remote Topology 30-15 EIGRP Stub Routing Configuration Tasks Monitoring and Maintaining EIGRP 30-19 EIGRP Configuration Examples 30-19 Route Summarization Example 30-19 Route Authentication Example 30-20 Stub Routing Example 30-2031

30-18

CHAPTER

Configuring Cisco Express Forwarding

31-1

About CEF 31-1 Benefits of CEF 31-1 Forwarding Information Base 31-2 Adjacency Tables 31-2 Adjacency Discovery 31-2 Adjacency Resolution 31-2 Adjacency Types That Require Special Handling Unresolved Adjacency 31-3 Catalyst 4500 Series Switch Implementation of CEF Hardware and Software Switching 31-4 Hardware Switching 31-5 Software Switching 31-5

31-3

31-3

Load Balancing 31-6 Software Interfaces 31-6 CEF Configuration Restrictions31-6

Configuring CEF 31-6 Enabling CEF 31-6 Configuring Load Balancing for CEF 31-7 Configuring Per-Destination Load Balancing 31-7 Configuring Load Sharing Hash Function 31-7 Viewing CEF Information 31-8 Monitoring and Maintaining CEF 31-8 Displaying IP Statistics 31-832

CHAPTER

Configuring Unicast Reverse Path Forwarding

32-1

About Unicast Reverse Path Forwarding 32-2 How Unicast RPF Works 32-2 Implementing Unicast RPF 32-4 Security Policy and Unicast RPF 32-5 Where to Use Unicast RPF 32-5 Routing Table Requirements 32-7 Where Not to Use Unicast RPF 32-7 Unicast RPF with BOOTP and DHCP 32-8 Restrictions 32-8 Limitation 32-8 Related Features and Technologies 32-8 Prerequisites to Configuring Unicast RPF 32-9 Unicast RPF Configuration Tasks 32-9 Configuring Unicast RPF 32-9 Verifying Unicast RPF 32-10 Monitoring and Maintaining Unicast RPF Unicast RPF Configuration Example: Inbound and Outbound Filters 32-123332-11

CHAPTER

Configuring IP Multicast

33-1

About IP Multicast 33-1 IP Multicast Protocols 33-2 Internet Group Management Protocol 33-3 Protocol-Independent Multicast 33-3 Rendezvous Point (RP) 33-4 IGMP Snooping 33-4

IP Multicast Implementation on the Catalyst 4500 Series Switch CEF, MFIB, and Layer 2 Forwarding 33-5 IP Multicast Tables 33-7 Hardware and Software Forwarding 33-9 Non-Reverse Path Forwarding Traffic 33-10 Multicast Fast Drop 33-11 Multicast Forwarding Information Base 33-12 S/M, 224/4 33-13 Restrictions on Using Bidirectional PIM 33-13 Configuring IP Multicast Routing 33-13 Default Configuration in IP Multicast Routing Enabling IP Multicast Routing 33-14 Enabling PIM on an Interface 33-14 Enabling Dense Mode 33-15 Enabling Sparse Mode 33-15 Enabling Sparse-Dense Mode 33-15 Enabling Bidirectional Mode 33-16 Enabling PIM-SSM Mapping 33-17 Configuring a Rendezvous Point 33-17 Configuring Auto-RP 33-17 Configuring a Single Static RP 33-21 Load Splitting of IP Multicast Traffic 33-2333-13

33-5

Monitoring and Maintaining IP Multicast Routing 33-24 Displaying System and Network Statistics 33-24 Displaying the Multicast Routing Table 33-24 Displaying IP MFIB 33-27 Displaying Bidirectional PIM Information 33-28 Displaying PIM Statistics 33-28 Clearing Tables and Databases 33-29 Configuration Examples 33-29 PIM Dense Mode Example 33-29 PIM Sparse Mode Example 33-30 Bidirectional PIM Mode Example 33-30 Sparse Mode with a Single Static RP Example Sparse Mode with Auto-RP: Example 33-3134

33-30

CHAPTER

Configuring ANCP Client About ANCP Client34-1

34-1

Enabling and Configuring ANCP Client

34-2

Identifying a Port with the ANCP Protocol 34-2 Example 1 34-3 Example 2 34-4 Identifying a Port with DHCP Option 82 34-4 ANCP Guidelines and Restrictions3534-5

CHAPTER

Configuring Policy-Based Routing

35-1

About Policy-Based Routing 35-1 About PBR 35-2 Understanding Route-Maps 35-2 PBR on Supervisor Engine 6-E, Supervisor Engine 6L-E, Catalyst 4900M, and Catalyst 4948E 35-5 PBR Flow Switching 35-5 Using Policy-Based Routing 35-5 Policy-Based Routing Configuration Tasks Enabling PBR 35-6 Enabling Local PBR 35-8 Unsupported Commands 35-835-6

Policy-Based Routing Configuration Examples Equal Access 35-8 Differing Next Hops 35-9 Deny ACE 35-936

35-8

CHAPTER

Configuring VRF-lite About VRF-lite

36-1

36-2 36-3 36-4

Default VRF-lite Configuration Configuring VRFs36-5

VRF-lite Configuration Guidelines

Configuring VRF-Aware Services 36-6 Configuring the User Interface for ARP 36-6 Configuring the User Interface for PING 36-6 Configuring the User Interface for SNMP 36-7 Configuring the User Interface for uRPF 36-7 Configuring the User Interface for Syslog 36-8 Configuring the User Interface for Traceroute 36-8 Configuring the User Interface for FTP and TFTP 36-8 Configuring the User Interface for Telnet and SSH 36-9 Configuring the User Interface for NTP 36-9

Configuring Per-VRF for TACACS+ Servers Configuring Multicast VRFs36-11 36-12

36-9

Configuring a VPN Routing Session

Configuring BGP PE to CE Routing Sessions VRF-lite Configuration Example 36-13 Configuring Switch S8 36-14 Configuring Switch S20 36-15 Configuring Switch S11 36-16 Configuring the PE Switch S3 36-16 Displaying VRF-lite Status3736-17

36-12

CHAPTER

Configuring Quality of Service

37-1

About QoS 37-2 Prioritization 37-2 QoS Terminology 37-3 Basic QoS Model 37-6 Classification 37-6 Classification Based on QoS ACLs 37-9 Classification Based on Class Maps and Policy Maps 37-9 Policing and Marking 37-10 Internal DSCP Values 37-14 Mapping Tables 37-15 Queueing and Scheduling 37-15 Active Queue Management 37-15 Sharing Link Bandwidth Among Transmit Queues 37-16 Strict Priority / Low Latency Queueing 37-16 Traffic Shaping 37-17 Packet Modification 37-17 Per-Port Per-VLAN QoS 37-17 QoS and Software Processed Packets 37-17 Configuring QoS on Supervisor Engines II-Plus, II+10GE, IV, V, V-10GE, 4924, 4948, and 4948-10GE Default QoS Configuration 37-19 Configuration Guidelines 37-20 Enabling QoS Globally 37-21 Enabling IP DSCP Rewrite 37-21 Configuring a Trusted Boundary to Ensure Port Security 37-22 Enabling Dynamic Buffer Limiting 37-23 Enabling DBL Globally 37-24 Selectively Enable DBL 37-24

37-18

Creating Named Aggregate Policers 37-27 Configuring a QoS Policy 37-29 Overview of QoS Policy Configuration 37-29 Configuring a Class Map (Optional) 37-30 Configuring a Policy Map 37-32 Attaching a Policy Map to an Interface 37-36 Configuring CoS Mutation 37-37 Configuring User-Based Rate-Limiting 37-38 Examples 37-39 Configuring Hierarchical Policers 37-42 Enabling Per-Port Per-VLAN QoS 37-44 Enabling or Disabling QoS on an Interface 37-47 Configuring VLAN-Based QoS on Layer 2 Interfaces 37-48 Configuring the Trust State of Interfaces 37-49 Configuring the CoS Value for an Interface 37-50 Configuring DSCP Values for an Interface 37-50 Configuring Transmit Queues 37-51 Mapping DSCP Values to Specific Transmit Queues 37-52 Allocating Bandwidth Among Transmit Queues 37-52 Configuring Traffic Shaping of Transmit Queues 37-53 Configuring a High Priority Transmit Queue 37-54 Configuring DSCP Maps 37-54 Configuring the CoS-to-DSCP Map 37-54 Configuring the Policed-DSCP Map 37-55 Configuring the DSCP-to-CoS Map 37-56 Configuring Auto-QoS on Supervisor Engines II-Plus, II+10GE, IV, V, V-10GE, 4924, 4948, and 4948-10GE 37-57 Generated Auto-QoS Configuration 37-58 Effects of Auto-QoS on the Configuration 37-59 Configuration Guidelines 37-59 Enabling Auto-QoS for VoIP 37-60 Displaying Auto-QoS Information 37-61 Auto-QoS Configuration Example 37-61 Configuring QoS on Supervisor Engine 6-E, Supervisor Engine 6L-E, Catalyst 4900M, and Catalyst 4948E 37-64 MQC-Based QoS Configuration 37-64 MQC-Based QoS on the Supervisor Engine 6-E and 6L-E 37-65 Platform-Supported Classification Criteria and QoS Features 37-66 Platform Hardware Capabilities 37-67 Prerequisites for Applying a QoS Service Policy 37-67

Restrictions for Applying a QoS Service Policy 37-67 Classification 37-67 Classification Statistics 37-68 Policing 37-68 Implementing Policing 37-69 Platform Restrictions 37-69 Marking Network Traffic 37-70 Information about Marking Network Traffic 37-70 Marking Action Drivers 37-72 Traffic Marking Procedure Flowchart 37-73 Restrictions for Marking Network Traffic 37-73 Multi-attribute Marking Support 37-74 Hardware Capabilities for Marking 37-74 Configuring the Policy-Map Marking Action 37-74 Marking Statistics 37-76 Shaping, Sharing (Bandwidth), Priority Queuing, Queue-Limiting and DBL 37-76 Shaping 37-77 Sharing (Bandwidth) 37-79 Priority Queuing 37-81 Queue-limiting 37-83 Queue Allocation Failure 37-84 Active Queue Management by Using Dynamic Buffer Limiting 37-85 Transmit Queue Statistics 37-86 Policy Associations 37-86 Software QoS 37-88 Configuring Auto-QoS on Supervisor Engine 6-E, Supervisor Engine 6L-E, Catalyst 4900M, and Catalyst 4948E 37-8938

CHAPTER

Configuring Voice Interfaces

38-1

About Voice Interfaces 38-1 Cisco IP Phone Voice Traffic 38-2 Cisco IP Phone Data Traffic 38-2 Configuring a Port to Connect to a Cisco 7960 IP Phone Configuring Voice Ports for Voice and Data Traffic Overriding the CoS Priority of Incoming Frames Configuring Power3938-5 38-3 38-5 38-3

CHAPTER

Configuring Private VLANs About Private VLANs39-1

39-1

PVLAN Overview 39-2 PVLAN Terminology 39-3 PVLANs Across Multiple Switches 39-4 Standard Trunk Ports 39-4 Isolated PVLAN Trunk Ports 39-5 Promiscuous PVLAN Trunk Ports 39-7 Private VLAN Interaction with Other Features 39-7 PVLANs and VLAN ACL and QoS 39-8 PVLANs and Unicast, Broadcast, and Multicast Traffic PVLANs and SVIs 39-9 Per-Virtual Port Error-Disable on PVLANs 39-9 PVLAN Commands39-9

39-8

Configuring PVLANs 39-10 Basic PVLAN Configuration Procedure 39-11 Default Private VLAN Configuration 39-11 PVLAN Configuration Guidelines and Restrictions 39-11 Configuring a VLAN as a PVLAN 39-14 Associating a Secondary VLAN with a Primary VLAN 39-15 Configuring a Layer 2 Interface as a PVLAN Promiscuous Port 39-16 Configuring a Layer 2 Interface as a PVLAN Host Port 39-17 Configuring a Layer 2 Interface as an Isolated PVLAN Trunk Port 39-18 Configuring a Layer 2 Interface as a Promiscuous PVLAN Trunk Port 39-19 Permitting Routing of Secondary VLAN Ingress Traffic 39-2140

CHAPTER

Configuring 802.1X Port-Based Authentication

40-1

About 802.1X Port-Based Authentication 40-1 Device Roles 40-2 802.1X and Network Access Control 40-3 Authentication Initiation and Message Exchange 40-4 Ports in Authorized and Unauthorized States 40-5 802.1X Host Mode 40-7 Single-Host Mode 40-8 Multiple-Hosts Mode 40-8 Multidomain Authentication Mode 40-8 Multiauthentication Mode 40-9 Preauthentication Open Access 40-9 802.1X Violation Mode 40-10 Using MAC Move 40-10 Using MAC Replace 40-10

Using 802.1X with VLAN Assignment 40-11 Using 802.1X for Guest VLANs 40-12 Usage Guidelines for Using 802.1X Authentication with Guest VLANs 40-12 Usage Guidelines for Using 802.1X Authentication with Guest VLANs on Windows-XP Hosts 40-13 Using 802.1X with MAC Authentication Bypass 40-13 Feature Interaction 40-14 Using 802.1X with Web-Based Authentication 40-15 Using 802.1X with Inaccessible Authentication Bypass 40-15 Using 802.1X with Unidirectional Controlled Port 40-16 Unidirectional State 40-16 Bidirectional State 40-16 Using 802.1X with VLAN User Distribution 40-16 Deployment Example 40-17 Using 802.1X with Authentication Failed VLAN Assignment 40-18 Usage Guidelines for Using Authentication Failed VLAN Assignment 40-18 Using 802.1X with Port Security 40-19 Using 802.1X Authentication with ACL Assignments and Redirect URLs 40-20 Cisco Secure ACS and AV Pairs for URL-Redirect 40-20 ACLs 40-21 Using 802.1X with RADIUS-Provided Session Timeouts 40-21 Using 802.1X with Voice VLAN Ports 40-22 Using Multiple Domain Authentication and Multiple Authentication 40-23 802.1X Supplicant and Authenticator Switches with Network Edge Access Topology 40-24 Deployment 40-24 Supported Topologies 40-25 Configuring 802.1X Port-Based Authentication 40-26 Default 802.1X Configuration 40-27 802.1X Configuration Guidelines 40-28 Enabling 802.1X Authentication 40-28 Configuring Switch-to-RADIUS-Server Communication 40-32 Configuring Multiple Domain Authentication and Multiple Authorization 40-33 Configuring 802.1X Authentication with ACL Assignments and Redirect URLs 40-37 Downloadable ACL 40-37 URL-Redirect 40-39 Configuring a Downloadable Policy 40-42 Configuring 802.1X Authentication with Per-User ACL and Filter-ID ACL 40-43 Per-User ACL and Filter-ID ACL 40-43 Configuring a Per-User ACL and Filter-ID ACL 40-49 Configuring RADIUS-Provided Session Timeouts 40-50

Configuring MAC Move 40-52 Configuring MAC Replace 40-52 Configuring Violation Action 40-53 Configuring 802.1X with Guest VLANs 40-54 Configuring 802.1X with MAC Authentication Bypass 40-57 Configuring 802.1X with Inaccessible Authentication Bypass 40-59 Configuring 802.1X with Unidirectional Controlled Port 40-62 Configuring 802.1X with VLAN User Distribution 40-64 Configuring the Switch 40-64 ACS Configuration 40-65 Configuring 802.1X with Authentication Failed 40-67 Configuring 802.1X with Voice VLAN 40-69 Configuring 802.1X with VLAN Assignment 40-70 Cisco ACS Configuration for VLAN Assignment 40-71 Enabling Fallback Authentication 40-71 Enabling Periodic Reauthentication 40-76 Enabling Multiple Hosts 40-77 Changing the Quiet Period 40-79 Changing the Switch-to-Client Retransmission Time 40-80 Setting the Switch-to-Client Frame-Retransmission Number 40-81 Configuring an Authenticator and a Supplicant Switch with NEAT 40-82 Configuring Switch as an Authenticator 40-83 Cisco AV Pair Configuration 40-84 Configuring Switch as a Supplicant 40-85 Configuring NEAT with ASP 40-86 Configuration Guidelines 40-87 Manually Reauthenticating a Client Connected to a Port 40-88 Initializing the 802.1X Authentication State 40-88 Removing 802.1X Client Information 40-88 Resetting the 802.1X Configuration to the Default Values 40-88 Controlling Switch Access with RADIUS 40-89 Understanding RADIUS 40-89 RADIUS Operation 40-90 RADIUS Change of Authorization 40-91 Overview 40-91 Change-of-Authorization Requests 40-91 CoA Request Response Code 40-92 CoA Request Commands 40-93 Configuring RADIUS 40-96 Default RADIUS Configuration 40-96

Identifying the RADIUS Server Host 40-96 Configuring RADIUS Login Authentication 40-99 Defining AAA Server Groups 40-101 Configuring RADIUS Authorization for User Privileged Access and Network Services 40-103 Starting RADIUS Accounting 40-104 Configuring Settings for All RADIUS Servers 40-105 Configuring the Switch to Use Vendor-Specific RADIUS Attributes 40-105 Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 40-107 Configuring CoA on the Switch 40-108 Monitoring and Troubleshooting CoA Functionality 40-109 Configuring RADIUS Server Load Balancing 40-109 Displaying the RADIUS Configuration 40-109 Displaying 802.1X Statistics and Status40-109

Displaying Authentication Details 40-110 Determining the Authentication Methods Registered with the Auth Manager 40-110 Displaying the Auth Manager Summary for an Interface 40-110 Displaying the Summary of All Auth Manager Sessions on the Switch 40-110 Displaying a Summary of All Auth Manager Sessions on the Switch Authorized for a Specified Authentication Method 40-111 Verifying the Auth Manager Session for an Interface 40-111 Displaying MAB Details 40-113 EPM Logging 40-11341

CHAPTER

Configuring the PPPoE Intermediate Agent Related Documents41-2

41-1

RFCs 41-2 About PPPoE Intermediate Agent 41-2 Enabling PPPoE IA on a Switch 41-2 Configuring the Access Node Identifier for PPPoE IA on a Switch 41-2 Configuring the Identifier String, Option, and Delimiter for PPPoE IA on a Switch Configuring the Generic Error Message for PPPoE IA on a Switch 41-3 Enabling PPPoE IA on an Interface 41-4 Configuring the PPPoE IA Trust Setting on an Interface 41-4 Configuring PPPoE IA Rate Limiting Setting on an Interface 41-4 Configuring PPPoE IA Vendor-tag Stripping on an Interface 41-5 Configuring PPPoE IA Circuit-ID and Remote-ID on an Interface 41-5 Enabling PPPoE IA for a Specific VLAN on an Interface 41-5 Configuring PPPoE IA Circuit-ID and Remote-ID for a VLAN on an Interface 41-6 Displaying Configuration Parameters41-6

41-3

Clearing Packet Counters Troubleshooting Tips4241-9

41-8 41-8

Debugging PPPoE Intermediate Agent

CHAPTER

Configuring Web-Based Authentication

42-1

About Web-Based Authentication 42-1 Device Roles 42-2 Host Detection 42-2 Session Creation 42-3 Authentication Process 42-3 AAA Fail Policy 42-4 Customization of the Authentication Proxy Web Pages 42-4 Web-Based Authentication Interactions with Other Features 42-4 Port Security 42-5 LAN Port IP 42-5 Gateway IP 42-5 ACLs 42-5 Context-Based Access Control 42-5 802.1X Authentication 42-6 EtherChannel 42-6 Switchover 42-6 Configuring Web-Based Authentication 42-6 Default Web-Based Authentication Configuration 42-6 Web-Based Authentication Configuration Guidelines and Restrictions Web-Based Authentication Configuration Task List 42-7 Configuring the Authentication Rule and Interfaces 42-8 Configuring AAA Authentication 42-9 Configuring Switch-to-RADIUS-Server Communication 42-9 Configuring the HTTP Server 42-11 Customizing the Authentication Proxy Web Pages 42-11 Specifying a Redirection URL for Successful Login 42-13 Configuring an AAA Fail Policy 42-13 Configuring the Web-Based Authentication Parameters 42-14 Removing Web-Based Authentication Cache Entries 42-15 Displaying Web-Based Authentication Status4342-15

42-7

CHAPTER

Configuring Port Security Port Security Commands About Port Security43-3

43-1 43-2

Secure MAC Addresses 43-4 Maximum Number of Secure MAC Addresses Aging Secure MAC Addresses 43-5 Sticky Addresses on a Port 43-5 Violation Actions 43-6 Invalid Packet Handling 43-7

43-4

Configuring Port Security on Access Ports 43-7 Configuring Port Security on Access Ports 43-8 Examples of Port Security on Access Ports 43-11 Example 1: Setting Maximum Number of Secure Addresses 43-12 Example 2: Setting a Violation Mode 43-12 Example 3: Setting the Aging Timer 43-12 Example 4: Setting the Aging Timer Type 43-13 Example 5: Configuring a Secure MAC Address 43-13 Example 6: Configuring Sticky Port Security 43-14 Example 7: Setting a Rate Limit for Bad Packets 43-14 Example 8: Clearing Dynamic Secure MAC Addresses 43-15 Configuring Port Security on PVLAN Ports 43-15 Configuring Port Security on an Isolated Private VLAN Host Port 43-15 Example of Port Security on an Isolated Private VLAN Host Port 43-17 Configuring Port Security on a Private VLAN Promiscuous Port 43-17 Example of Port Security on a Private VLAN Promiscuous Port 43-18 Configuring Port Security on Trunk Ports 43-18 Configuring Trunk Port Security 43-18 Examples of Trunk Port Security 43-20 Example 1: Configuring a Maximum Limit of Secure MAC Addresses for All VLANs 43-20 Example 2: Configuring a Maximum Limit of Secure MAC Addresses for Specific VLANs 43-21 Example 3: Configuring Secure MAC Addresses in a VLAN Range 43-21 Trunk Port Security Configuration Guidelines and Restrictions 43-22 Port Mode Changes 43-23 Configuring Port Security on Voice Ports 43-23 Configuring Port Security on Voice Ports 43-24 Examples of Voice Port Security 43-26 Example 1: Configuring Maximum MAC Addresses for Voice and Data VLANs 43-26 Example 2: Configuring Sticky MAC Addresses for Voice and Data VLANs 43-27 Voice Port Security Configuration Guidelines and Restrictions 43-28 Displaying Port Security Settings 43-28 Examples of Security Settings 43-29 Example 1: Displaying Security Settings for the Entire Switch

43-29

Example 2: Displaying Security Settings for an Interface 43-30 Example 3: Displaying All Secure Addresses for the Entire Switch 43-30 Example 4: Displaying a Maximum Number of MAC Addresses on an Interface 43-31 Example 5: Displaying Security Settings on an Interface for a VLAN Range 43-31 Example 6: Displaying Secured MAC Addresses and Aging Information on an Interface 43-31 Example 7: Displaying Secured MAC Addresses for a VLAN Range on an Interface 43-32 Configuring Port Security with Other Features/Environments 43-32 DHCP and IP Source Guard 43-32 802.1X Authentication 43-33 Configuring Port Security in a Wireless Environment 43-33 Configuring Port Security over Layer 2 EtherChannel 43-34 Port Security Configuration Guidelines and Restrictions4443-34

CHAPTER

Configuring Control Plane Policing and Layer 2 Control Packet QoS

44-1

Configuring Control Plane Policing 44-1 About Control Plane Policing 44-2 General Guidelines for Control Plane Policing 44-3 Default Configuration 44-4 Configuring CoPP for Control Plane Traffic 44-4 Configuring CoPP for Data Plane and Management Plane Traffic 44-6 Control Plane Policing Configuration Guidelines and Restrictions 44-8 All supervisor engines 44-8 Do not apply to Catalyst 4900M, Catalyst 4948E, Supervisor Engine 6-E, and Supervisor Engine 6L-E 44-8 Monitoring CoPP44-9

Configuring Layer 2 Control Packet QoS 44-11 Understanding Layer 2 Control Packet QoS 44-11 Default Configuration 44-11 Enabling Layer 2 Control Packet QoS 44-12 Disabling Layer 2 Control Packet QoS 44-13 Layer 2 Control Packet QoS Configuration Examples 44-14 Layer 2 Control Packet QoS Guidelines and Restrictions 44-16 Policing IPv6 Control Traffic4544-16

CHAPTER

Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts About DHCP Snooping 45-1 Trusted and Untrusted Sources 45-2 About the DHCP Snooping Database Agent Option 82 Data Insertion 45-4

45-1

45-2

Configuring DHCP Snooping 45-6 Default Configuration for DHCP Snooping 45-7 Enabling DHCP Snooping 45-7 Enabling DHCP Snooping on the Aggregation Switch 45-9 Enabling DHCP Snooping and Option 82 45-10 Enabling DHCP Snooping on Private VLAN 45-12 Configuring DHCP Snooping on Private VLAN 45-12 Configuring DHCP Snooping with an Ethernet Channel Group 45-12 Enabling the DHCP Snooping Database Agent 45-13 Limiting the Rate of Incoming DHCP Packets 45-13 Configuration Examples for the Database Agent 45-15 Example 1: Enabling the Database Agent 45-15 Example 2: Reading Binding Entries from a TFTP File 45-17 Example 3: Adding Information to the DHCP Snooping Database 45-18 Displaying DHCP Snooping Information 45-18 Displaying a Binding Table 45-19 Displaying the DHCP Snooping Configuration About IP Source Guard45-19

45-19

Configuring IP Source Guard 45-20 Configuring IP Source Guard on Private VLANs Displaying IP Source Guard Information Displaying IP Source Binding Information45-22 45-23

45-22

Configuring IP Source Guard for Static Hosts 45-24 About IP Source Guard for Static Hosts 45-24 Configuring IPSG for Static Hosts on a Layer 2 Access Port IPSG for Static Hosts on a PVLAN Host Port 45-2746

45-25

CHAPTER

Configuring Dynamic ARP Inspection

46-1

About Dynamic ARP Inspection 46-1 ARP Cache Poisoning 46-2 Purpose of Dynamic ARP Inspection 46-2 Interface Trust State, Security Coverage and Network Configuration 46-3 Relative Priority of Static Bindings and DHCP Snooping Entries 46-4 Logging of Dropped Packets 46-4 Rate Limiting of ARP Packets 46-4 Port Channels Function 46-5 Configuring Dynamic ARP Inspection 46-5 Configuring Dynamic ARP Inspection in DHCP Environments DAI Configuration Example 46-7

46-5

Switch A 46-7 Switch B 46-9 Configuring ARP ACLs for Non-DHCP Environments Configuring the Log Buffer 46-14 Limiting the Rate of Incoming ARP Packets 46-16 Performing Validation Checks 46-1947

46-11

CHAPTER

Configuring Network Security with ACLs About ACLs 47-2 Overview 47-2 Supported Features That Use ACLs Router ACLs 47-3 Port ACLs 47-4 Dynamic ACLs 47-5 VLAN Maps 47-5 Hardware and Software ACL Support

47-1

47-3

47-6

TCAM Programming and ACLs for Supervisor Engine II-Plus, Supervisor Engine IV, Supervisor Engine V, and Supervisor Engine V-10GE TCAM Programming Algorithms 47-8 Changing the Programming Algorithm 47-9 Resizing the TCAM Regions 47-11 Troubleshooting High CPU Due to ACLs 47-12 Selecting Mode of Capturing Control Packets 47-13 Guidelines and Restrictions 47-14 Selecting Control Packet Capture 47-14 Layer 4 Operators in ACLs 47-16 Restrictions for Layer 4 Operations 47-16 Configuration Guidelines for Layer 4 Operations How ACL Processing Impacts CPU 47-18 Configuring Unicast MAC Address Filtering Configuring Named MAC Extended ACLs Configuring EtherType Matching Configuring Named IPv6 ACLs47-21 47-22 47-23 47-19 47-20

47-7

TCAM Programming and ACLs for Supervisor Engine 6-E and Supervisor Engine 6L-E

47-15

47-17

Applying IPv6 ACLs to a Layer 3 Interface

Configuring VLAN Maps 47-24 VLAN Map Configuration Guidelines 47-25 Creating and Deleting VLAN Maps 47-25

Examples of ACLs and VLAN Maps 47-26 Applying a VLAN Map to a VLAN 47-28 Using VLAN Maps in Your Network 47-28 Denying Access to a Server on Another VLAN Displaying VLAN Access Map Information47-31

47-30

Using VLAN Maps with Router ACLs 47-31 Guidelines for Using Router ACLs and VLAN Maps on the Same VLAN Examples of Router ACLs and VLAN Maps Applied to VLANs 47-32 ACLs and Switched Packets 47-32 ACLs and Routed Packets 47-33 Configuring PACLs 47-34 Creating a PACL 47-34 PACL Configuration Guidelines 47-35 Removing the Requirement for a Port ACL 47-35 Configuration Restrictions 47-36 Debugging Considerations 47-36 Webauth Fallback 47-36 Configuring IPv4, IPv6, and MAC ACLs on a Layer 2 Interface 47-37 Using PACL with Access-Group Mode 47-37 Configuring Access-group Mode on Layer 2 Interface 47-38 Applying ACLs to a Layer 2 Interface 47-38 Displaying an ACL Configuration on a Layer 2 Interface 47-39 Using PACL with VLAN Maps and Router ACLs Configuring RA Guard 47-42 Introduction 47-42 Deployment 47-43 Configuring RA Guard 47-44 Examples 47-44 Usage Guidelines 47-454847-39

47-31

CHAPTER

Support for IPv6

48-1 48-1

Finding Feature Information

About IPv6 48-1 IPv6 Addressing and Basic Connectivity DHCP 48-3 Security 48-3 QoS 48-3 Management 48-4 Multicast 48-4

48-2

Static Routes 48-5 First-Hop Redundancy Protocols Unicast Routing 48-5 RIP 48-6 OSPF 48-6 EIGRP 48-6 IS-IS 48-6 Multiprotocol BGP 48-6 Tunneling 48-7 IPv6 Default States4948-7

48-5

CHAPTER

Port Unicast and Multicast Flood Blocking About Flood Blocking49-1

49-1

Configuring Port Blocking 49-1 Blocking Flooded Traffic on an Interface 49-2 Resuming Normal Forwarding on a Port 49-350

CHAPTER

Configuring Storm Control

50-1

About Storm Control 50-1 Hardware-Based Storm Control Implementation 50-2 Software-Based Storm Control Implementation 50-3 Enabling Broadcast Storm Control50-3

Enabling Multicast Storm Control 50-4 Enabling Multicast Suppression on Catalyst 4900M, Catalyst 4948E, Supervisor Engine 6-E, and Supervisor Engine 6L-E 50-5 Enabling Multicast Suppression on the WS-X4515, WS-X4014, and WS-X4013+ Supervisor Engines 50-5 Enabling Multicast Suppression on All Other Supervisor Engines 50-6 Disabling Broadcast Storm Control Disabling Multicast Storm Control Displaying Storm Control5150-8 50-6 50-7

CHAPTER

Configuring SPAN and RSPAN

51-1

About SPAN and RSPAN 51-1 SPAN and RSPAN Concepts and Terminology SPAN Session 51-3 Traffic Types 51-3 Source Port 51-4 Destination Port 51-5

51-3

VLAN-Based SPAN 51-5 SPAN Traffic 51-6 SPAN and RSPAN Session Limits 51-6 Default SPAN and RSPAN Configuration

51-6

Configuring SPAN 51-7 SPAN Configuration Guidelines and Restrictions 51-7 Configuring SPAN Sources 51-8 Configuring SPAN Destinations 51-9 Monitoring Source VLANs on a Trunk Interface 51-9 Configuration Scenario 51-10 Verifying a SPAN Configuration 51-10 CPU Port Sniffing Ingress Packets51-10 51-12

Encapsulation Configuration51-12

Access List Filtering 51-13 ACL Configuration Guidelines 51-13 Configuring Access List Filtering 51-14 Packet Type Filtering Configuration Example51-15 51-16

Configuring RSPAN 51-16 RSPAN Configuration Guidelines 51-16 Creating an RSPAN Session 51-17 Creating an RSPAN Destination Session 51-19 Creating an RSPAN Destination Session and Enabling Ingress Traffic Removing Ports from an RSPAN Session 51-21 Specifying VLANs to Monitor 51-22 Specifying VLANs to Filter 51-23 Displaying SPAN and RSPAN Status5251-25

51-20

CHAPTER

Configuring System Message Logging About System Message Logging52-1

52-1

Configuring System Message Logging 52-2 System Log Message Format 52-2 Default System Message Logging Configuration 52-3 Disabling Message Logging 52-4 Setting the Message Display Destination Device 52-5 Synchronizing Log Messages 52-6 Enabling and Disabling Timestamps on Log Messages 52-7

Enabling and Disabling Sequence Numbers in Log Messages (Optional)
Defining the Message Severity Level (Optional)
Limiting Syslog Messages Sent to the History Table and to SNMP (Optional)
Configuring UNIX Syslog Servers
Logging Messages to a UNIX Syslog Daemon
Configuring the UNIX System Logging Facility
Displaying the Logging Configuration

CHAPTER 53 Configuring SNMP
About SNMP
SNMP Versions
SNMP Manager Functions
SNMP Agent Functions
SNMP Community Strings
Using SNMP to Access MIB Variables
SNMP Notifications
Configuring SNMP
Default SNMP Configuration
SNMP Configuration Guidelines
Disabling the SNMP Agent
Configuring Community Strings
Configuring SNMP Groups and Users
Configuring SNMP Notifications
Setting the Agent Contact and Location Information
Limiting TFTP Servers Used Through SNMP
SNMP Examples
Displaying SNMP Status

CHAPTER 54 Configuring NetFlow
About NetFlow Statistics Collection
NDE Versions
Information Derived from Hardware
Information Derived from Software
Assigning the Input and Output Interface and AS Numbers
Assigning the Inferred Fields
Assigning the Output Interface and Output-Related Inferred Fields
Assigning the Input Interface and Input-Related Inferred Fields
Feature Interaction of NetFlow Statistics with UBRL and Microflow Policing
VLAN Statistics


Configuring NetFlow Statistics Collection
Checking for Required Hardware
Enabling NetFlow Statistics Collection
Configuring Switched/Bridged IP Flows
Exporting NetFlow Statistics
Managing NetFlow Statistics Collection
Configuring an Aggregation Cache
Verifying Aggregation Cache Configuration and Data Export
Configuring a NetFlow Minimum Prefix Mask for Router-Based Aggregation
Configuring the Minimum Mask of a Prefix Aggregation Scheme
Configuring the Minimum Mask of a Destination-Prefix Aggregation Scheme
Configuring the Minimum Mask of a Source-Prefix Aggregation Scheme
Monitoring and Maintaining Minimum Masks for Aggregation Schemes
Configuring NetFlow Aging Parameters
NetFlow Statistics Collection Configuration Example
NetFlow Configuration Examples
NetFlow Enabling Scheme Examples
NetFlow Aggregation Configuration Examples
Autonomous System Configuration
Destination Prefix Configuration
Prefix Configuration
Protocol Port Configuration
Source Prefix Configuration
NetFlow Minimum Prefix Mask Router-Based Aggregation Scheme Examples
Prefix Aggregation Scheme
Destination-Prefix Aggregation Scheme
Source-Prefix Aggregation Scheme

CHAPTER 55 Configuring Ethernet OAM and CFM
Ethernet CFM and OAM Commands
About Ethernet CFM
Ethernet CFM and OAM Definitions
CFM Domain
CFM Maintenance Points
General Packet Forwarding Rules
Inward-Facing MEPs
Outward-Facing MEPs
Transparent Ports
CFM Messages


Crosscheck Function
SNMP Traps
IP SLAs Support for CFM
Configuring Ethernet CFM
Ethernet CFM Default Configuration
Ethernet CFM Configuration Guidelines
Disabling CFM on a Port
Configuring the Ethernet CFM Service over VLANs
Configuring Ethernet CFM Crosscheck for VLANs
Configuring IP SLAs CFM Operation
Manually Configuring an IP SLAs CFM Probe or Jitter Operation
Configuring an IP SLAs Operation with Endpoint Discovery
Example: Configuring Switch Port and VLAN CFM with an Inward-Facing MEP
Displaying Ethernet CFM Information
About Ethernet OAM Protocol
OAM Features
OAM Messages
Enabling and Configuring Ethernet OAM
Ethernet OAM Default Configuration
Ethernet OAM Configuration Guidelines
Enabling Ethernet OAM on an Interface
Enabling Ethernet OAM Remote Loopback
Configuring Ethernet OAM Link Monitoring
Configuring Ethernet OAM Remote Failure Indications
Configuring Ethernet OAM Templates
Displaying Ethernet OAM Protocol Information
Ethernet CFM and Ethernet OAM Interaction
Example: Configuring Ethernet OAM and CFM

CHAPTER 56 Configuring Y.1731 (AIS and RDI)
AIS and RDI Terminology
About Y.1731
Server MEP
Alarm Indication Signal
Ethernet Remote Defect Indication
Configuring Y.1731
Y.1731 Configuration Guidelines
Configuring AIS Parameters
Clearing MEP from the AIS Defect Condition


Clearing SMEP from the AIS Defect Condition
Displaying Y.1731 Information

CHAPTER 57 Configuring Call Home
About Call Home
Obtaining Smart Call Home
Configuring Call Home
Configuring Contact Information
Configuring Destination Profiles
Copying a Destination Profile
Subscribing to Alert Groups
Configuring Periodic Notification
Configuring Message Severity Threshold
Configuring Syslog Pattern Matching
Configuring General E-Mail Options
Enabling Call Home
Testing Call Home Communications
Sending a Call Home Test Message Manually
Sending a Call Home Alert Group Message Manually
Sending a Request for an Analysis and Report
Sending the Output of a Command
Configuring and Enabling Smart Call Home
Displaying Call Home Configuration Information
Call Home Default Settings
Alert Group Trigger Events and Commands
Message Contents
Syslog Alert Notification in Long-Text Format Example
Syslog Alert Notification in XML Format Example

CHAPTER 58 Configuring Cisco IOS IP SLA Operations
Cisco IP SLA Commands
About Cisco IOS IP SLA
Using Cisco IOS IP SLAs to Measure Network Performance
IP SLAs Responder and IP SLAs Control Protocol
Response Time Computation for IP SLAs
IP SLAs Operation Scheduling
IP SLAs Operation Threshold Monitoring
Configuring IP SLAs Operations


IP SLA Default Configuration
IP SLA Configuration Guidelines
Configuring the IP SLAs Responder
Analyzing IP Service Levels by Using the UDP Jitter Operation
Analyzing IP Service Levels by Using the ICMP Echo Operation
Monitoring IP SLAs Operations

CHAPTER 59 Configuring RMON
About RMON
Configuring RMON
Default RMON Configuration
Configuring RMON Alarms and Events
Configuring RMON Collection on an Interface
Displaying RMON Status

CHAPTER 60 Performing Diagnostics
Configuring Online Diagnostics
Configuring On-Demand Online Diagnostics
Scheduling Online Diagnostics
Performing Diagnostics
Starting and Stopping Online Diagnostic Tests
Displaying Online Diagnostic Tests and Test Results
Displaying Data Path Online Diagnostics Test Results
Line Card Online Diagnostics
Troubleshooting with Online Diagnostics
Power-On Self-Test Diagnostics
Overview of Power-On Self-Test Diagnostics
POST Result Example
Power-On Self-Test Results for Supervisor Engine V-10GE
POST on the Active Supervisor Engine
POST Results on an Active Supervisor Engine Example
POST on a Standby Supervisor Engine
Display of the POST on a Standby Supervisor Engine Example
Troubleshooting the Test Failures

CHAPTER 61 Configuring WCCP Version 2 Services
About WCCP
Overview
Hardware Acceleration


Understanding WCCP Configuration
WCCP Features
HTTP and Non-HTTP Services Support
Multiple Routers Support
MD5 Security
Web Content Packet Return
Restrictions for WCCP
Configuring WCCP
Configuring a Service Group Using WCCP
Specifying a Web Cache Service
Using Access Lists for a WCCP Service Group
Setting a Password for a Router and Cache Engines
Verifying and Monitoring WCCP Configuration Settings
WCCP Configuration Examples
Performing a General WCCP Configuration Example
Running a Web Cache Service Example
Running a Reverse Proxy Service Example
Using Access Lists Example
Setting a Password for a Switch and Content Engines Example
Verifying WCCP Settings Example

CHAPTER 62 ROM Monitor
Entering the ROM Monitor
ROM Monitor Commands
ROM Monitor Command Descriptions
Configuration Register
Changing the Configuration Register Manually
Changing the Configuration Register Using Prompts
Console Download
Error Reporting
Debug Commands
Exiting the ROM Monitor

CHAPTER 63 Configuring MIB Support
Determining MIB Support for Cisco IOS Releases
Using Cisco IOS MIB Tools
Downloading and Compiling MIBs
Guidelines for Working with MIBs


Downloading MIBs
Compiling MIBs
Enabling SNMP Support

Acronyms and Abbreviations


Preface

This preface describes who should read this document, how it is organized, and its conventions. The preface also tells you how to obtain Cisco documents, as well as how to obtain technical assistance.

Audience

This guide is for experienced network administrators who are responsible for configuring and maintaining Catalyst 4500 series switches.

Organization

This guide is organized into the following chapters:

Chapter 1: Product Overview
    Presents an overview of the Cisco IOS software for the Catalyst 4500 series switches.
Chapter 2: Command-Line Interfaces
    Describes how to use the CLI.
Chapter 3: Configuring the Switch for the First Time
    Describes how to perform a baseline configuration of the switch.
Chapter 4: Administering the Switch
    Describes how to administer the switch.
Chapter 5: Configuring the Cisco IOS In-Service Software Upgrade Process
    Describes how to configure ISSU on the switch.
Chapter 6: Configuring Interfaces
    Describes how to configure non-layer-specific features on Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet interfaces.
Chapter 7: Checking Port Status and Connectivity
    Describes how to check module and interface status.
Chapter 8: Configuring Supervisor Engine Redundancy Using RPR and SSO
    Describes how to configure RPR and SSO on the Catalyst 4507R and 4510R switches.
Chapter 9: Configuring Cisco NSF with SSO Supervisor Engine Redundancy
    Describes how to configure supervisor engine redundancy using Cisco nonstop forwarding (NSF) with stateful switchover (SSO).
Chapter 10: Environmental Monitoring and Power Management
    Describes how to configure power management and environmental monitoring features.
Chapter 11: Configuring Power over Ethernet
    Describes how to configure Power over Ethernet (PoE).
Chapter 12: Configuring the Catalyst 4500 Series Switch with Cisco Network Assistant
    Describes how to install and configure Network Assistant and Embedded CiscoView.
Chapter 13: Configuring VLANs, VTP, and VMPS
    Describes how to configure VLANs, VTP, and VMPS.
Chapter 14: Configuring IP Unnumbered Interface
    Describes how to configure IP Unnumbered support.
Chapter 15: Configuring Layer 2 Ethernet Interfaces
    Describes how to configure interfaces to support Layer 2 features, including VLAN trunks.
Chapter 16: Configuring SmartPort Macros
    Describes how to configure SmartPort macros.
Chapter 17: Configuring Auto SmartPort Macros
    Describes how to configure Auto SmartPort Macros.
Chapter 18: Configuring STP and MST
    Describes how to configure the Spanning Tree Protocol (STP) and the Multiple Spanning Tree (MST) protocol and explains how they work.
Chapter 19: Configuring Flex Links and MAC Address-Table Move Update
    Describes how to configure Flex Links on a switch.
Chapter 20: Configuring Resilient Ethernet Protocol
    Describes how to configure Resilient Ethernet Protocol (REP).
Chapter 21: Configuring Optional STP Features
    Describes how to configure the spanning-tree PortFast, UplinkFast, BackboneFast, and other STP features.
Chapter 22: Configuring EtherChannel and Link State Tracking
    Describes how to configure Layer 2 and Layer 3 EtherChannel port bundles.
Chapter 23: Configuring IGMP Snooping and Filtering
    Describes how to configure Internet Group Management Protocol (IGMP) snooping.
Chapter 24: Configuring 802.1Q Tunneling, VLAN Mapping, and Layer 2 Protocol Tunneling
    Describes how to configure 802.1Q and Layer 2 protocol Tunneling.
Chapter 25: Configuring CDP
    Describes how to configure the Cisco Discovery Protocol (CDP).
Chapter 26: Configuring LLDP, LLDP-MED, and Location Service
    Describes how to configure Link Layer Discovery Protocol (LLDP).
Chapter 27: Configuring UDLD
    Describes how to configure the UniDirectional Link Detection (UDLD) protocol.
Chapter 28: Configuring IPv6 MLD Snooping
    Describes how to configure IPv6 MLD Snooping.
Chapter 29: Configuring Unidirectional Ethernet
    Describes how to configure unidirectional Ethernet.
Chapter 30: Configuring Layer 3 Interfaces
    Describes how to configure interfaces to support Layer 3 features.
Chapter 31: Configuring Cisco Express Forwarding
    Describes how to configure Cisco Express Forwarding (CEF) for IP unicast traffic.
Chapter 32: Configuring Unicast Reverse Path Forwarding
    Describes how to configure Unicast Reverse Path Forwarding.
Chapter 33: Configuring IP Multicast
    Describes how to configure IP Multicast Multilayer Switching (MMLS).
Chapter 34: Configuring ANCP Client
    Describes how to configure ANCP.
Chapter 35: Configuring Policy-Based Routing
    Describes how to configure policy-based routing.
Chapter 36: Configuring VRF-lite
    Describes how to configure multiple VPN routing/forwarding (multi-VRF) instances in customer edge (CE) devices.
Chapter 37: Configuring Quality of Service
    Describes how to configure quality of service (QoS).
Chapter 38: Configuring Voice Interfaces
    Describes how to configure voice interfaces.
Chapter 39: Configuring Private VLANs
    Describes how to set up and modify private VLANs.
Chapter 40: Configuring 802.1X Port-Based Authentication
    Describes how to configure 802.1X port-based authentication.
Chapter 41: Configuring the PPPoE Intermediate Agent
    Describes how to configure PPPoE Intermediate Agent.
Chapter 42: Configuring Web-Based Authentication
    Describes how to configure web-based authentication.
Chapter 43: Configuring Port Security
    Describes how to configure port security and trunk port security.
Chapter 44: Configuring Control Plane Policing and Layer 2 Control Packet QoS
    Describes how to protect your Catalyst 4500 series switch using control plane policing (CoPP).
Chapter 45: Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
    Describes how to configure DHCP snooping and IP Source Guard.
Chapter 46: Configuring Dynamic ARP Inspection
    Describes how to configure Dynamic ARP Inspection.
Chapter 47: Configuring Network Security with ACLs
    Describes how to configure ACLs, VACLs, and MACLs.
Chapter 48: Support for IPv6
    Describes the support for IPv6 on the switch.
Chapter 49: Port Unicast and Multicast Flood Blocking
    Describes how to configure unicast flood blocking.
Chapter 50: Configuring Storm Control
    Describes how to configure storm control suppression.
Chapter 51: Configuring SPAN and RSPAN
    Describes how to configure the Switched Port Analyzer (SPAN).
Chapter 52: Configuring System Message Logging
    Describes how to configure system message logging.
Chapter 53: Configuring SNMP
    Describes how to configure the Simple Network Management Protocol (SNMP).
Chapter 54: Configuring NetFlow
    Describes how to configure NetFlow statistics gathering.
Chapter 55: Configuring Ethernet OAM and CFM
    Describes how to configure Ethernet OAM and CFM.
Chapter 56: Configuring Y.1731 (AIS and RDI)
    Describes how to configure Y.1731.
Chapter 57: Configuring Call Home
    Describes how to configure Call Home.
Chapter 58: Configuring Cisco IOS IP SLA Operations
    Describes how to configure Cisco IOS IP SLA operations.
Chapter 59: Configuring RMON
    Describes how to configure Remote Network Monitoring (RMON).
Chapter 60: Performing Diagnostics
    Describes various types of diagnostics on the Catalyst 4500 series switch.
Chapter 61: Configuring WCCP Version 2 Services
    Describes how to configure the Catalyst 4500 series switches to redirect traffic to cache engines (web caches) using the Web Cache Communication Protocol (WCCP), and describes how to manage cache engine clusters (cache farms).
Chapter 62: ROM Monitor
    Describes the ROM Monitor.
Chapter 63: Configuring MIB Support
    Describes how to configure SNMP and MIB support.
Appendix A: Acronyms and Abbreviations
    Defines acronyms and abbreviations used in this book.

Conventions

This document uses the following typographical conventions:

boldface font
    Commands, command options, and keywords are in boldface.
italic font
    Command arguments for which you supply values are in italics.
[ ]
    Command elements in square brackets are optional.
{x|y|z}
    Alternative keywords in command lines are grouped in braces and separated by vertical bars.
[x|y|z]
    Optional alternative keywords are grouped in brackets and separated by vertical bars.
string
    A nonquoted set of characters. Do not use quotation marks around the string because the string will include the quotation marks.
screen font
    System displays are in screen font.
boldface screen font
    Information you must enter verbatim is in boldface screen font.
italic screen font
    Arguments for which you supply values are in italic screen font.
This pointer highlights an important line of text in an example.
^
    Represents the key labeled Control. For example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
< >
    Nonprinting characters such as passwords are in angle brackets.

Notes use the following conventions:

Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.

Cautions use the following conventions:

Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Related Documentation

Refer to the following documents for additional Catalyst 4500 series information:

Catalyst 4500 Series Switch Documentation Home
http://www.cisco.com/go/cat4500/docs
Catalyst 4900 Series Switch Documentation Home
http://www.cisco.com/go/cat4900/docs
Cisco ME 4900 Series Ethernet Switches Documentation Home
http://www.cisco.com/en/US/products/ps7009/tsd_products_support_series_home.html

Hardware Documents

Installation guides and notes including specifications and relevant safety information are available at the following URLs:

Catalyst 4500 Series Switches Installation Guide
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/hardware/installation/guide/78-14409-08/4500inst.html


Catalyst 4500 E-series Switches Installation Guide
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/hardware/catalyst4500e/installation/guide/Eseries.html

For information about individual switching modules and supervisors, refer to the Catalyst 4500 Series Module Installation Guide at:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/hardware/module/guide/mod_inst.html

Regulatory Compliance and Safety Information for the Catalyst 4500 Series Switches
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/hardware/regulatory/compliance/78_13233.html

Installation notes for specific supervisor engines or for accessory hardware are available at:
http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_installation_guides_list.html
Catalyst 4900 and 4900M hardware installation information is available at:
http://www.cisco.com/en/US/products/ps6021/prod_installation_guides_list.html
Cisco ME 4900 Series Ethernet Switches installation information is available at:
http://www.cisco.com/en/US/products/ps7009/prod_installation_guides_list.html

Software Documentation

Software release notes, configuration guides, command references, and system message guides are available at the following URLs:

Catalyst 4500 release notes are available at:
http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_release_notes_list.html
Catalyst 4900 release notes are available at:
http://www.cisco.com/en/US/products/ps6021/prod_release_notes_list.html
Cisco ME4900 4900 Series Ethernet Switch release notes are available at:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_11511.html

Software documents for the Catalyst 4500 Classic, Catalyst 4500 E-Series, Catalyst 4900, and Cisco ME 4900 Series Ethernet Switches are available at the following URLs:

Catalyst 4500 Series Software Configuration Guide
http://www.cisco.com/en/US/products/hw/switches/ps4324/products_installation_and_configuration_guides_list.html
Catalyst 4500 Series Software Command Reference
http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_command_reference_list.html
Catalyst 4500 Series Software System Message Guide
http://www.cisco.com/en/US/products/hw/switches/ps4324/products_system_message_guides_list.html


Cisco IOS Documentation

Platform-independent Cisco IOS documentation may also apply to the Catalyst 4500 and 4900 switches. These documents are available at the following URLs:

Cisco IOS configuration guides, Release 12.x
http://www.cisco.com/en/US/products/ps6350/products_installation_and_configuration_guides_list.html
Cisco IOS command references, Release 12.x
http://www.cisco.com/en/US/products/ps6350/prod_command_reference_list.html
You can also use the Command Lookup Tool at:
http://tools.cisco.com/Support/CLILookup/cltSearchAction.do
Cisco IOS system messages, version 12.x
http://www.cisco.com/en/US/products/ps6350/products_system_message_guides_list.html
You can also use the Error Message Decoder tool at:
http://www.cisco.com/pcgi-bin/Support/Errordecoder/index.cgi

Commands in Task Tables

Commands listed in task tables show only the relevant informa