Cisco ME 3400 Ethernet Access Switch
Software Configuration Guide
Cisco IOS Release 12.2(50)SE
March 2009
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-9639-07

  • Page 3: Table Of Contents

    Multi-VRF CE Application 1-16 Where to Go Next 1-17 CHAPTER Using the Command-Line Interface Understanding Command Modes Understanding the Help System Understanding Abbreviated Commands...
  • Page 4 Editing Command Lines that Wrap Searching and Filtering Output of show and more Commands Accessing the CLI Accessing the CLI through a Console Connection or through Telnet CHAPTER Assigning the Switch IP Address and Default Gateway...
  • Page 5 CHAPTER Understanding Cisco Configuration Engine Software Configuration Service Event Service NameSpace Mapper What You Should Know About the CNS IDs and Device Hostnames ConfigID DeviceID Hostname and DeviceID Using Hostname, DeviceID, and ConfigID Understanding Cisco IOS Agents...
  • Page 6 Default Banner Configuration 5-17 Configuring a Message-of-the-Day Login Banner 5-18 Configuring a Login Banner 5-19 Suppressing the Power-Supply Alarm on an ME 3400G-12CS Switch 5-19 Managing the MAC Address Table 5-20 Building the Address Table 5-21 MAC Addresses and VLANs...
  • Page 7 TACACS+ Operation 7-12 Configuring TACACS+ 7-12 Default TACACS+ Configuration 7-13 Identifying the TACACS+ Server Host and Setting the Authentication Key 7-13 Configuring TACACS+ Login Authentication 7-14 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 7-16 Starting TACACS+ Accounting...
  • Page 8 Identifying the RADIUS Server Host 7-20 Configuring RADIUS Login Authentication 7-23 Defining AAA Server Groups 7-25 Configuring RADIUS Authorization for User Privileged Access and Network Services 7-27 Starting RADIUS Accounting 7-28 Configuring Settings for All RADIUS Servers 7-29 Configuring the Switch to Use Vendor-Specific RADIUS Attributes...
  • Page 9 IEEE 802.1x Accounting Attribute-Value Pairs IEEE 802.1x Host Mode Using 802.1x Readiness Check Using IEEE 802.1x with Port Security Using IEEE 802.1x with VLAN Assignment 802.1x Switch Supplicant with Network Edge Access Topology (NEAT) Configuring IEEE 802.1x Authentication 8-10 Default IEEE 802.1x Configuration 8-11 IEEE 802.1x Configuration Guidelines...
  • Page 10 Applying Command Macros 10-4 Displaying Command Macros 10-5 CHAPTER Configuring VLANs 11-1 Understanding VLANs 11-1 Supported VLANs 11-3 Normal-Range VLANs 11-3 Extended-Range VLANs 11-4...
  • Page 11 11-7 VLAN Configuration Guidelines 11-8 Creating or Modifying an Ethernet VLAN 11-9 Assigning Static-Access Ports to a VLAN 11-11 Creating an Extended-Range VLAN with an Internal VLAN ID 11-11 Configuring UNI-ENI VLANs 11-12 Configuration Guidelines 11-12 Configuring UNI-ENI VLANs 11-13...
  • Page 12 Configuring a Layer 2 Interface as a Private-VLAN Host Port 12-11 Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port 12-13 Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface 12-14 Monitoring Private VLANs 12-15 Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling...
  • Page 13 Listening State 14-6 Learning State 14-7 Forwarding State 14-7 Disabled State 14-7 How a Switch or Port Becomes the Root Switch or Root Port 14-7 Spanning Tree and Redundant Connectivity 14-8 Spanning-Tree Address Management 14-9 Accelerated Aging to Retain Connectivity 14-9...
  • Page 14 Configuring the Maximum-Hop Count 15-24 Specifying the Link Type to Ensure Rapid Transitions 15-25 Designating the Neighbor Type 15-25 Restarting the Protocol Migration Process 15-26 Displaying the MST Configuration and Status 15-27...
  • Page 15 17-13 Configuring SNMP Traps for REP 17-13 Monitoring REP 17-14 CHAPTER Configuring Flex Links and the MAC Address-Table Move Update Feature 18-1 Understanding Flex Links and the MAC Address-Table Move Update 18-1 Flex Links...
  • Page 16 Flex Link Multicast Fast Convergence 18-3 Learning the Other Flex Link Port as the mrouter Port 18-3 Generating IGMP Reports 18-3 Leaking IGMP Reports 18-4 MAC Address-Table Move Update 18-6 Configuring Flex Links and MAC Address-Table Move Update 18-7...
  • Page 17 Understanding Dynamic ARP Inspection 20-1 Interface Trust States and Network Security 20-3 Rate Limiting of ARP Packets 20-4 Relative Priority of ARP ACLs and DHCP Snooping Entries 20-4 Logging of Dropped Packets 20-4 Configuring Dynamic ARP Inspection 20-5 Default Dynamic ARP Inspection Configuration...
  • Page 18 Configuring the IGMP Leave Timer 21-9 Configuring TCN-Related Commands 21-10 Controlling the Multicast Flooding Time After a TCN Event 21-10 Recovering from Flood Mode 21-11 Disabling Multicast Flooding During a TCN Event 21-11 Configuring the IGMP Snooping Querier 21-12...
  • Page 19 Monitoring and Maintaining LLDP and LLDP-MED 24-8 CHAPTER Configuring UDLD 25-1 Understanding UDLD 25-1 Modes of Operation 25-1 Methods to Detect Unidirectional Links 25-2...
  • Page 20 Default SPAN and RSPAN Configuration 26-9 Configuring Local SPAN 26-10 SPAN Configuration Guidelines 26-10 Creating a Local SPAN Session 26-10 Creating a Local SPAN Session and Configuring Ingress Traffic 26-13 Specifying VLANs to Filter 26-14 Configuring RSPAN 26-15 RSPAN Configuration Guidelines 26-15...
  • Page 21 Enabling and Disabling Time Stamps on Log Messages 28-7 Enabling and Disabling Sequence Numbers in Log Messages 28-8 Defining the Message Severity Level 28-8 Limiting Syslog Messages Sent to the History Table and to SNMP 28-10 Enabling the Configuration-Change Logger 28-10 Configuring UNIX Syslog Servers 28-12...
  • Page 22 Embedded Event Manager Environment Variables 30-4 Configuring Embedded Event Manager 30-5 Registering and Defining an Embedded Event Manager Applet 30-5 Registering and Defining an Embedded Event Manager TCL Script 30-6 Displaying Embedded Event Manager Information 30-6 CHAPTER Configuring Network Security with ACLs 31-1...
  • Page 23 Denying Access to a Server on Another VLAN 31-34 Using VLAN Maps with Router ACLs 31-35 VLAN Maps and Router ACL Configuration Guidelines 31-36 Examples of Router ACLs and VLAN Maps Applied to VLANs 31-37 ACLs and Switched Packets 31-37 ACLs and Routed Packets 31-37...
  • Page 24 Creating IP Extended ACLs 33-32 Creating Layer 2 MAC ACLs 33-33 Using Class Maps to Define a Traffic Class 33-34 Configuring Table Maps 33-36 Attaching a Traffic Policy to an Interface 33-38...
  • Page 25 Configuring Input Policy Maps with Individual Policing 33-39 Configuring Input Policy Maps with Aggregate Policing 33-44 Configuring Input Policy Maps with Marking 33-46 Configuring Per-Port Per-VLAN QoS with Hierarchical Input Policy Maps 33-48 Configuring Output Policy Maps 33-52 Configuring Output Policy Maps with Class-Based-Weighted-Queuing 33-54...
  • Page 26 Enabling Directed Broadcast-to-Physical Broadcast Translation 35-12 Forwarding UDP Broadcast Packets and Protocols 35-13 Establishing an IP Broadcast Address 35-14 Flooding IP Broadcasts 35-15 Monitoring and Maintaining IP Addressing 35-16...
  • Page 27 Configuring BGP Filtering with Route Maps 35-52 Configuring BGP Filtering by Neighbor 35-52 Configuring Prefix Lists for BGP Filtering 35-54 Configuring BGP Community Filtering 35-55 Configuring BGP Neighbors and Peer Groups 35-56...
  • Page 28 35-87 User Interface for uRPF 35-88 User Interface for Syslog 35-88 User Interface for Traceroute 35-89 User Interface for FTP and TFTP 35-89 Configuring a VPN Routing Session 35-89...
  • Page 29 Dual IPv4 and IPv6 Protocol Stacks 36-5 DHCP for IPv6 Address Assignment 36-6 Static Routes for IPv6 36-6 RIP for IPv6 36-6 OSPF for IPv6 36-6 EIGRP IPv6 36-6 HTTP(S) Over IPv6 36-7...
  • Page 30 CHAPTER Understanding HSRP 38-1 HSRP Versions 38-3 Multiple HSRP 38-4 Configuring HSRP 38-5 Default HSRP Configuration 38-5 HSRP Configuration Guidelines 38-5 Enabling HSRP 38-6...
  • Page 31 Default Configuration 39-6 Configuration Guidelines 39-6 Configuring the IP SLAs Responder 39-7 Analyzing IP Service Levels by Using the UDP Jitter Operation 39-8 Analyzing IP Service Levels by Using the ICMP Echo Operation 39-11 Monitoring IP SLAs Operations 39-13 Configuring Enhanced Object Tracking...
  • Page 32 Configuring Ethernet CFM Service 41-7 Configuring Ethernet CFM Crosscheck 41-8 Configuring IP SLAs CFM Operation 41-9 Manually Configuring an IP SLAs CFM Probe or Jitter Operation 41-10 Configuring an IP SLAs Operation with Endpoint Discovery 41-12 Displaying Ethernet CFM Information 41-13...
  • Page 33 Configuring Source-Specific Multicast 42-13 SSM Components Overview 42-14 How SSM Differs from Internet Standard Multicast 42-14 SSM IP Address Range 42-14 SSM Operations 42-14 IGMPv3 Host Signalling 42-15 Configuration Guidelines 42-15...
  • Page 34 Modifying the PIM Router-Query Message Interval 42-36 Configuring Optional IGMP Features 42-36 Default IGMP Configuration 42-37 Configuring the Switch as a Member of a Group 42-37 Controlling Access to IP Multicast Groups 42-38 Changing the IGMP Version 42-39 Modifying the IGMP Host-Query Message Interval...
  • Page 35 Filtering Source-Active Request Messages 43-9 Controlling Source Information that Your Switch Forwards 43-10 Using a Filter 43-11 Using TTL to Limit the Multicast Data Sent in SA Messages 43-12 Controlling Source Information that Your Switch Receives 43-12 Configuring an MSDP Mesh Group 43-14...
  • Page 36 APPENDIX MIB List Using FTP to Access the MIB Files APPENDIX Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System...
  • Page 37 Creating a Configuration File By Using a Text Editor B-10 Copying Configuration Files By Using TFTP B-10 Preparing to Download or Upload a Configuration File By Using TFTP B-10 Downloading the Configuration File By Using TFTP B-11 Uploading the Configuration File By Using TFTP...
  • Page 38 Unsupported Privileged EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands IP Unicast Routing Unsupported Privileged EXEC or User EXEC Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands...
  • Page 39 Spanning Tree C-12 Unsupported Global Configuration Command C-12 Unsupported Interface Configuration Command C-12 VLAN C-12 Unsupported Global Configuration Command C-12 Unsupported User EXEC Commands C-12 INDEX...
  • Page 41 This guide is for the networking professional managing the Cisco Metro Ethernet (ME) 3400 Series Ethernet Access switch, hereafter referred to as the switch. We assume that you are familiar with the concepts and terminology of Ethernet and local area networking. If you are interested in more training and education in these areas, learning opportunities including training courses, self-study options, seminars, and career certifications programs are available on the Cisco Training &...
  • Page 42: Related Publications

    • Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
    • Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.
    Interactive examples use these conventions: Terminal sessions and system displays are in font.
  • Page 43: Obtaining Documentation And Submitting A Service Request

    Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
  • Page 45: Features

    Some features noted in this chapter are available only on the cryptographic (that is, supports encryption) versions of the switch software image. You must obtain authorization to use this feature and to download the cryptographic version of the software from Cisco.com. For more information, see the release notes for this release.
  • Page 46: Chapter 1 Overview

    (straight-through or crossover) and to configure the connection appropriately Support for routed frames up to 1998 bytes, for frames up to 9000 bytes that are bridged in hardware, •...
  • Page 47: Management Options

    • messages
    • IGMP Helper to allow the switch to forward a host request to join a multicast stream to a specific IP destination address (requires the metro IP access image)
    • Multicast VLAN registration (MVR) to continuously send multicast streams in a multicast VLAN...
  • Page 48
    • Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source
    • Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses
    • In-band management access for up to 16 simultaneous Telnet connections for multiple CLI-based...
  • Page 49: Availability Features

    IGMPv2 clients to utilize SSM, allowing listeners to connect to multicast sources dynamically and reducing dependencies on the application
    • The HTTP client in Cisco IOS can send requests to both IPv4 and IPv6 HTTP servers, and...
  • Page 50: Vlan Features

    • Private VLANs to address VLAN scalability problems, to provide a more controlled IP address allocation, and to allow Layer 2 ports to be isolated from ports on other switches
    • Port security on a PVLAN host to limit the number of MAC addresses learned on a port, or define...
  • Page 51: Switch Security

    • Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN
    Note: The Kerberos feature listed in this section is only available on the cryptographic versions of the switch software.
  • Page 52: Quality Of Service And Class Of Service Features

    Beginning with IOS software release 12.2(25)SEG, you can use hierarchical policy maps for per-VLAN classification and apply the per-port, per-VLAN hierarchical policy maps to trunk ports.
    • The option to disable CPU protection to increase the available QoS policers from 45 to 64 per port...
  • Page 53: Layer 2 Virtual Private Network Services

    Layer 2 virtual private network (VPN) features are only available when the switch is running the metro IP access or metro access image.
    • IEEE 802.1Q tunneling enables service providers to offer multiple point Layer 2 VPN services to...
  • Page 54: Layer 3 Vpn Services

    • Syslog facility for logging system messages about authentication or authorization errors, resource issues, and time-out events
    • Layer 2 traceroute to identify the physical path that a packet takes from a source device to a destination device
    • ...
  • Page 55: Default Settings After Initial Switch Configuration

    The switch is designed for plug-and-play operation; you only need to assign basic IP information to the switch and connect it to the other devices in your network. If you have specific network needs, you can change the interface-specific and system-wide settings.
  • Page 56 (default settings table, continued)
    Feature | Default setting | Where described
    ... | ... | Chapter 18, "Configuring Flex Links and the MAC Address-Table Move Update Feature"
    DHCP snooping | Disabled | Chapter 19, "Configuring DHCP Features and IP Source Guard"
    IP source guard | Disabled | Chapter 19, "Configuring DHCP Features and IP Source Guard"
  • Page 57 (default settings table, continued)
    Feature | Default setting | Where described
    HSRP groups (requires metro IP access image) | None configured | Chapter 38, "Configuring HSRP"
    Cisco IOS IP SLAs | Not configured | Chapter 39, "Configuring Cisco IOS IP SLAs Operations"
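    The defaults table shows DHCP snooping and IP source guard disabled out of the box, and the contents list earlier names dynamic ARP inspection as a third feature built on the same DHCP-snooping binding table. The fragment below is an added example, not configuration from the guide itself: it enables all three on one customer VLAN so that only the uplink is trusted for DHCP and ARP. VLAN 10, FastEthernet0/1 as the customer-facing port, GigabitEthernet0/1 as the uplink toward the DHCP server, and the rate limits are assumptions for the illustration.

```cisco
! Added example, not from the Cisco guide. Assumed: VLAN 10 is a customer
! VLAN, FastEthernet0/1 faces the customer, GigabitEthernet0/1 is the uplink
! that leads to the legitimate DHCP server.
Switch# configure terminal
!
! 1. DHCP snooping: blocks DHCP server replies from untrusted ports and
!    builds the IP/MAC/VLAN/port binding table that the next two features use.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
!
! 2. Dynamic ARP inspection: drops ARP requests/replies on untrusted ports
!    whose sender IP/MAC does not match a snooping binding.
Switch(config)# ip arp inspection vlan 10
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit
!
! 3. Customer port: rate-limit DHCP and ARP so a host cannot exhaust the CPU,
!    and enable IP source guard so IP packets with a source address that is
!    not in the binding table are dropped (no spoofing of a neighbour's lease).
Switch(config)# interface FastEthernet0/1
Switch(config-if)# ip dhcp snooping limit rate 15
Switch(config-if)# ip arp inspection limit rate 15
Switch(config-if)# ip verify source
Switch(config-if)# end
!
! Verify the trust states and that bindings are being learned.
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
Switch# show ip arp inspection vlan 10
Switch# show ip verify source
```

    Two caveats a practitioner should check before enabling this on a live port: a host with a static address has no DHCP binding, so IP source guard and DAI drop it until a manual entry is added with the ip source binding mac-address vlan 10 ip-address interface ... global command; and a rate limit that is exceeded err-disables the port, so size the limit to the number of hosts actually behind it.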
  • Page 58: Network Configuration Examples

    QoS command-line interface (CLI), or MQC, on Cisco ME switches provides an efficient method of QoS configuration. You can configure a policer on ingress UNIs to ensure that a customer can send only the amount of bandwidth paid for. On egress NNIs, you can use four different queues to provide different...
  • Page 59: Layer 2 Vpn Application

    When an end station in one VLAN needs to communicate with an end station in another VLAN, a router or switch routes the traffic to the appropriate destination VLAN, providing inter-VLAN routing. VLAN access control lists (VLAN maps) provide intra-VLAN security and prevent unauthorized users from accessing critical pieces of the network.
  • Page 60: Multi-Vrf Ce Application

    (Figure legend: UPE = Cisco ME 3400 switch)
    A VPN is a collection of sites sharing a common routing table. A customer site is connected to the service-provider network by one or more interfaces, and the service provider associates each interface with a VPN routing table, called a VPN routing/forwarding (VRF) table.
  • Page 61: Where To Go Next

    • ... link to one or more provider edge routers. The CE device advertises the site's local routes to the router and learns the remote VPN routes from the router. The Cisco ME 3400 switch can be a CE device.
    • Provider edge (PE) routers exchange routing information with CE devices by using static routing or...
  • Page 63: Understanding No And Default Forms Of Commands

    The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.
  • Page 64: C H A P T E R 2 Using The Command-Line Interface

    To return to privileged EXEC mode, press Ctrl-Z or enter end. For more detailed information on the command modes, see the command reference guide for this release.
  • Page 65: Understanding The Help System

    Understanding the Help System You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as...
  • Page 66 Understanding no and default Forms of Commands Almost every configuration command also has a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface.
  • Page 67: Changing The Command History Buffer Size

    Changing the Command History Buffer Size By default, the switch records ten command lines in its history buffer. You can alter this number for a current terminal session or for all sessions on a particular line. These procedures are optional.
  • Page 68: Using Editing Features

    This section describes the editing features that can help you manipulate the command line. It contains these sections:
    • Enabling and Disabling Editing Features, page 2-6 (optional)
    • Editing Commands through Keystrokes, page 2-6 (optional)
    • ...
  • Page 69
    Esc Y: Recall the next buffer entry. The buffer contains only the last 10 items that you have deleted or cut. If you press Esc Y more than ten times, you cycle to the first buffer entry.
    Delete entries if you make a mistake: press the Delete or Backspace key to erase the character to the left of the cursor.
  • Page 70: Editing Command Lines That Wrap

    The dollar sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the line, the line is again shifted ten spaces to the left.
  • Page 71: Accessing The Cli

    Accessing the CLI through a Console Connection or through Telnet Before you can access the CLI, you must connect a terminal or PC to the switch console port and power on the switch as described in the hardware installation guide that shipped with your switch. Then, to...
  • Page 73: Understanding The Boot Process

    This chapter describes how to create the initial switch configuration (for example, assigning the switch IP address and default gateway information) for the Cisco Metro Ethernet (ME) 3400 Ethernet Access switch by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration.
  • Page 74: C H A P T E R 3 Assigning The Switch Ip Address And Default Gateway

    Use a DHCP server for centralized control and automatic assignment of IP information after the server is configured.
    Note: If you are using DHCP, do not respond to any of the questions in the setup program until the switch receives the dynamically assigned IP address and reads the configuration file.
  • Page 75: Default Switch Information

    Trivial File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server. The DHCP server for your switch can be on the same LAN or on a different LAN than the switch. If the DHCP server is running on a different LAN, you should configure a DHCP relay device between your switch and the DHCP server.
  • Page 76: Understanding Dhcp-Based Autoconfiguration And Image Update

    You can use the DHCP image upgrade features to configure a DHCP server to download both a new image and a new configuration file to one or more switches in a network. This helps ensure that each new switch added to a network receives the same image and configuration.
  • Page 77: Dhcp Autoconfiguration

    You can use DHCP auto-image upgrade with DHCP autoconfiguration to download both a configuration and a new image to one or more switches in your network. The switch (or switches) downloading the new configuration and the new image can be blank (or only have a default factory configuration loaded).
  • Page 78: Configuring Dhcp-Based Autoconfiguration

    If the IP address and the subnet mask are not in the reply, the switch is not configured. If the router IP address or the TFTP server name are not found, the switch might send broadcast, instead of unicast, TFTP requests. Unavailability of other lease options does not affect autoconfiguration.
  • Page 79: Configuring The Dns

    TFTP server name-to-IP-address mapping in the DNS-server database. If the TFTP server to be used is on a different LAN from the switch, or if it is to be accessed by the switch through the broadcast address (which occurs if the DHCP server response does not contain all the required information described previously), a relay must be configured to forward the TFTP packets to the TFTP server.
  • Page 80: Obtaining Configuration Files

    If the hostname is not found in the file, the switch uses the hostname in the DHCP reply. If the hostname is not specified in the DHCP reply, the switch uses the default Switch as its hostname.
  • Page 81: Example Configuration

    If the switch cannot read the network-confg, cisconet.cfg, or the hostname file, it reads the router-confg file. If the switch cannot read the router-confg file, it reads the ciscortr.cfg file.
    Note: The switch broadcasts TFTP server requests if the TFTP server is not obtained from the DHCP replies, if all attempts to read the configuration file through unicast transmissions fail, or if the TFTP server name cannot be resolved to an IP address.
  • Page 82: Configuring The Dhcp Auto Configuration And Image Update Features

    The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method. This file contains the hostname to be assigned to the switch based on its IP address. The base directory also contains a configuration file for each switch (switcha-confg, switchb-confg, and so forth) as shown in this display: prompt>...
  • Page 83: Configuring Dhcp Autoconfiguration (Only Configuration File)

    Step 13 copy running-config startup-config (Optional) Save your entries in the configuration file.
    This example shows how to configure a switch as a DHCP server so that it will download a configuration file:
    Switch# configure terminal
    Switch(config)# ip dhcp pool pool1
    Switch(dhcp-config)# network 10.10.10.0 255.255.255.0
    ...
  • Page 84: Configuring Dhcp Auto-Image Update (Configuration File And Image)

    Note: Before following the steps in this table, you must create a text file (for example, autoinstall_dhcp) that will be uploaded to the switch. In the text file, put the name of the image that you want to download. This image must be a tar and not a bin file.
  • Page 85: Configuring The Client

    Return to privileged EXEC mode.
    Step 6 show boot Verify the configuration.
    This example uses a Layer 3 SVI interface on VLAN 99 to enable DHCP-based autoconfiguration with a saved configuration:
    Switch# configure terminal
    Switch(conf)# boot host dhcp
    Switch(conf)# boot host retry timeout 300
    ...
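    The server-side example on page 83 and the client-side example above are two halves of one exchange, and both are cut off on this page. The following is an added example, not text from the guide, that shows both sides together for the configuration-file-only case: an IOS DHCP server hands out the TFTP server address (option 150) and the configuration file name (bootfile), and a blank switch on VLAN 99 pulls that file at boot. The pool name, the 10.10.10.0/24 network, the server address 10.10.10.1, and the file name config-boot.text are assumed values.

```cisco
! Added example, not from the Cisco guide. Assumed: the DHCP server is itself
! an IOS device at 10.10.10.1 serving 10.10.10.0/24, and the configuration
! to hand out is stored in its flash as config-boot.text.
!
! --- Server side ---
DHCPServer# configure terminal
DHCPServer(config)# ip dhcp pool pool1
DHCPServer(dhcp-config)# network 10.10.10.0 255.255.255.0
DHCPServer(dhcp-config)# default-router 10.10.10.1
! Option 150 tells the client which TFTP server to use (unicast, not broadcast).
DHCPServer(dhcp-config)# option 150 ip 10.10.10.1
! bootfile names the configuration file; without it the client walks the
! network-confg / cisconet.cfg / hostname-confg / router-confg fallback list.
DHCPServer(dhcp-config)# bootfile config-boot.text
DHCPServer(dhcp-config)# exit
! Serve the file from local flash (or point option 150 at an external TFTP server).
DHCPServer(config)# tftp-server flash:config-boot.text
DHCPServer(config)# end
!
! --- Client side (the new switch) ---
Switch# configure terminal
Switch(config)# boot host dhcp
Switch(config)# boot host retry timeout 300
! Warn whoever saves the downloaded config that a saved startup-config
! stops further automatic downloads at reboot.
Switch(config)# banner config-save ^C
Caution - Saving Configuration File to NVRAM May Cause You to No Longer Automatically Download Configuration Files at Reboot^C
Switch(config)# vlan 99
Switch(config-vlan)# interface vlan 99
Switch(config-if)# no shutdown
Switch(config-if)# end
Switch# show boot
```

    The security point to keep in mind: the client accepts whichever DHCP reply arrives first, and page 81 notes that it falls back to broadcast TFTP when the server address is missing or unicast reads fail, so any host on the same VLAN that can answer DHCP or TFTP can supply the switch's entire configuration. Run this only on an isolated staging VLAN, and once the switch is provisioned remove the hook with no boot host dhcp and save the configuration before it goes into production.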
  • Page 86: Manually Assigning Ip Information

    (SVI). If the switch is running the metro IP access image, you can also manually assign IP information to a port if you first put the port into Layer 3 mode by using the no switchport command. Command...
  • Page 87 8500 bc 1500 policy-map test3 interface FastEthernet0/1 interface FastEthernet0/2 shutdown interface FastEthernet0/3 shutdown interface FastEthernet0/4 shutdown interface FastEthernet0/5 shutdown interface FastEthernet0/6 shutdown interface FastEthernet0/7 shutdown <output truncated> interface GigabitEthernet0/1 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 3-15 OL-9639-07...
  • Page 88: Modifying The Startup Configuration

    This command saves the configuration settings that you made. If you fail to do this, your configuration will be lost the next time you reload the system. To display information stored in the NVRAM section of flash memory, use the show startup-config or more startup-config privileged EXEC command.
  • Page 89: Default Boot Configuration

    Specifying the Filename to Read and Write the System Configuration By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot cycle.
  • Page 90: Booting Manually

    By default, the switch attempts to automatically boot the system using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system. In a depth-first search of a directory, each encountered subdirectory is completely searched before continuing the search in the original directory.
  • Page 91: Controlling Environment Variables

    • Cisco TAC has tabulated break keys for most common operating systems and provided an alternative break key sequence for terminal emulators that do not support the break keys. To view this table, see: http://www.cisco.com/warp/public/701/61.html#how-to
    When you enter the break key, the boot loader "switch:" prompt appears.
  • Page 92 Each line in these files contains an environment variable name and an equal sign followed by the value of the variable. A variable has no value if it is not listed in this file; it has a value if it is listed in the file even if the value is a null string.
  • Page 93: Scheduling A Reload Of The Software Image

    Scheduling a Reload of the Software Image You can schedule a reload of the software image to occur on the switch at a later time (for example, late at night or during the weekend when the switch is used less), or you can synchronize a reload network-wide (for example, to perform a software upgrade on all switches in the network).
  • Page 94: Displaying Scheduled Reload Information

    To cancel a previously scheduled reload, use the reload cancel privileged EXEC command. Displaying Scheduled Reload Information To display information about a previously scheduled reload or to find out if a reload has been scheduled on the switch, use the show reload privileged EXEC command.
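    The BOOT environment variable described on page 90 and the scheduled reload described here are normally used together during an image upgrade. The following is an added example, not from the guide, of that sequence: check the new image before trusting it, point BOOT at it, save, and schedule the reload for a maintenance window. The image name flash:/new-image.bin and the 02:00 window are assumptions; the MD5 value that verify /md5 prints must be compared against the value Cisco publishes for the download, which is not reproduced here.

```cisco
! Added example, not from the Cisco guide. Assumed: the new image has already
! been copied to flash:/new-image.bin, and the system clock is set (for
! example by NTP), because "reload at" is evaluated against the system clock.
!
! 1. Integrity check of the image before it becomes the boot image. Compare
!    the printed MD5 against the value published with the download.
Switch# verify /md5 flash:/new-image.bin
!
! 2. Set the BOOT variable explicitly. If it is unset, the boot loader does a
!    depth-first search of flash and runs the first executable image it finds.
Switch# configure terminal
Switch(config)# boot system flash:/new-image.bin
Switch(config)# end
Switch# show boot
!
! 3. Save, then schedule the reload instead of reloading now.
Switch# copy running-config startup-config
Switch# reload at 02:00 "upgrade to new-image.bin"
!
! 4. Confirm what is scheduled; cancel if the window moves.
Switch# show reload
Switch# reload cancel
```

    If the clock is not set, reload at is refused and reload in hh:mm (a relative delay) is the alternative; either way, show reload is the check that tells you what the switch will actually do.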
  • Page 95: Configuring Cisco Ios Configuration Engine

    Note For complete configuration information for the Cisco Configuration Engine, go to http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.html For complete syntax and usage information for the commands used in this chapter, go to the Cisco IOS Network Management Command Reference, Release 12.4 at http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_book.html This chapter consists of these sections: •...
  • Page 96: C H A P T E R 4 Configuring Cisco Ios Configuration Engine

    (LDAP) URLs that reference the device-specific configuration information stored in a directory. The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
  • Page 97: Event Service

    For a subscriber, when given a unique device ID and event, the namespace mapping service returns a set of events to which to subscribe. Similarly, for a publisher, when given a unique group ID, device ID, and event, the mapping service returns a set of events on which to publish.
  • Page 98: Deviceid

    Hostname and DeviceID The DeviceID is fixed at the time of the connection to the event gateway and does not change even when the switch hostname is reconfigured. When changing the switch hostname on the switch, the only way to refresh the DeviceID is to break the connection between the switch and the event gateway.
  • Page 99: Understanding Cisco IOS Agents

    Initial Configuration When the switch first comes up, it attempts to get an IP address by broadcasting a DHCP request on the network. Assuming there is no DHCP server on the subnet, the distribution switch acts as a DHCP relay agent and forwards the request to the DHCP server.
  • Page 100: Incremental (Partial) Configuration

    (partial) configurations can be sent to the switch. The actual configuration can be sent as an event payload by way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation.
  • Page 101: Enabling The CNS Event Agent

    Engine, see the Cisco Configuration Engine Installation and Setup Guide, 1.5 for Linux at http://www.cisco.com/en/US/docs/net_mgmt/configuration_engine/1.5/installation_linux/guide/setup_1.html Enabling the CNS Event Agent You must enable the CNS event agent on the switch before you enable the CNS configuration agent...
  • Page 102 To disable the CNS event agent, use the no cns event {ip-address | hostname} global configuration command. This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count.
  • Page 103: Enabling The Cisco IOS CNS Agent

    Enabling the Cisco IOS CNS Agent After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands: •...
  • Page 104 • For line line-type, enter the line type. Step 8 template name [ ... name] Specify the list of CNS connect templates in the CNS connect profile to be applied to the switch configuration. You can specify more than one template. Step 9 Repeat Steps 7 to 8 to specify more interface parameters and CNS connect templates in the CNS connect profile.
  • Page 105 • For {dns-reverse | ipaddress | mac-address}, enter dns-reverse to retrieve the hostname and assign it as the unique ID, enter ipaddress to use the IP address, or enter mac-address to use the MAC address as the unique ID. • (Optional) Enter event to set the ID to be the event-id...
  • Page 106 Verify your entries. To disable the CNS Cisco IOS agent, use the no cns config initial {ip-address | hostname} global configuration command. This example shows how to configure an initial configuration on a remote switch when the switch configuration is unknown (the CNS Zero Touch feature).
  • Page 107: Enabling A Partial Configuration

    RemoteSwitch(config)# cns id ethernet 0 ipaddress RemoteSwitch(config)# cns config initial 172.28.129.22 no-persist Enabling a Partial Configuration Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch: Command...
  • Page 108: Upgrading Devices With Cisco IOS Image Agent

    Prerequisites for the CNS Image Agent Confirm these prerequisites before upgrading one or more devices with image agent: • Determine where to store the Cisco IOS images on a file server to make the image available to the other networking devices. If the CNS Event Bus is to be used to store and distribute the images, the CNS event agent must be configured.
  • Page 109: Displaying CNS Configuration

    Switch(config)# cns image retry 1 Switch(config)# cns image server http://172.20.249.20:80/cns/HttpMsgDispatcher status http://172.20.249.20:80/cns/HttpMsgDispatcher Switch(config)# end You can check the status of the image download by using the show cns image status user EXEC command. Displaying CNS Configuration You can use the privileged EXEC commands in Table 4-2 to display CNS configuration information.
  • Page 110: Chapter 4 Configuring Cisco IOS Configuration Engine, Displaying CNS Configuration
  • Page 111: Administering The Switch

    Managing the ARP Table, page 5-29 Managing the System Time and Date You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 112: Chapter 5 Administering The Switch

    However, in that case, information flow is one-way only. The time kept on a device is a critical resource; you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism.
  • Page 113 Managing the System Time and Date Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 114: Configuring NTP

    Configuring NTP Authentication This procedure must be coordinated with the administrator of the NTP server; the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server.
  • Page 115: Configuring NTP Associations

    An NTP association can be a peer association (this switch can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this switch synchronizes to the other device, and not the other way around).
  • Page 116: Configuring NTP Broadcast Service

    If you are using the default NTP version (Version 3) and NTP synchronization does not occur, try using NTP Version 2. Many NTP servers on the Internet run Version 2. To remove a peer or server association, use the no ntp peer ip-address or the no ntp server ip-address global configuration command.
  • Page 117 NTP broadcast server, such as a router, broadcasting time information on the network. The switch can send NTP broadcast packets to a peer so that the peer can synchronize to it. The switch can also receive NTP broadcast packets to synchronize its own clock. This section provides procedures for both sending and receiving NTP broadcast packets.
  • Page 118: Configuring NTP Access Restrictions

    (Optional) Save your entries in the configuration file. To disable an interface from receiving NTP broadcast packets, use the no ntp broadcast client interface configuration command. To change the estimated round-trip delay to the default, use the no ntp broadcastdelay global configuration command.
  • Page 119 If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted.
  • Page 120: Configuring The Source IP Address For NTP Packets

    The specified interface is used for the source address for all packets sent to all destinations. If a source address is to be used for a specific association, use the source keyword in the ntp peer or ntp server global configuration command as described in the “Configuring NTP Associations”...
  • Page 121: Displaying The NTP Configuration

    Configuring Time and Date Manually If no other source of time is available, you can manually configure the time and date after the system is restarted. The time remains accurate until the next system restart. We recommend that you use manual configuration only as a last resort.
  • Page 122: Displaying The Time And Date Configuration

    The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. If the time is not authoritative, it is used only for display purposes.
  • Page 123: Configuring Summer Time (Daylight Saving Time)

    The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.
  • Page 124: Configuring A System Name And Prompt

    To disable summer time, use the no clock summer-time global configuration command. This example shows how to set summer time to start on October 12, 2000, at 02:00, and end on April 26, 2001, at 02:00:...
  • Page 125: Default System Name And Prompt Configuration

    To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the hostnames, specify the name server that is present on your network, and enable the DNS.
  • Page 126: Default DNS Configuration

    DNS default domain name None configured. DNS servers No name server addresses are configured. Setting Up DNS Beginning in privileged EXEC mode, follow these steps to set up your switch to use the DNS: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 127: Displaying The DNS Configuration

    If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.), a period followed by the default domain name is appended to the hostname before the DNS query is made to map the name to an IP address.
  • Page 128: Configuring A Message-Of-The-Day Login Banner

    Creating a Banner Configuring a Message-of-the-Day Login Banner You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:...
  • Page 129: Configuring A Login Banner

    (Optional) Save your entries in the configuration file. To delete the login banner, use the no banner login global configuration command. This example shows how to configure a login banner for the switch by using the dollar sign ($) symbol as the beginning and ending delimiter: Switch(config)# banner login $ Access for authorized users only.
  • Page 130: Managing The MAC Address Table

    All MAC addresses in the address table are associated with one or more ports. The address table includes these types of addresses: Dynamic address: a source MAC address that the switch learns and then ages when it is not in use. •...
  • Page 131: Building The Address Table

    Using the MAC address table, the switch forwards the packet only to the port associated with the destination address. If the destination address is on the port that sent the packet, the packet is filtered and not forwarded. The switch always uses the store-and-forward method: complete packets are stored and checked for errors before transmission.
  • Page 132: Default MAC Address Table Configuration

    Setting too short an aging time can cause addresses to be prematurely removed from the table. Then when the switch receives a packet for an unknown destination, it floods the packet to all ports in the same VLAN as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time can cause the address table to be filled with unused addresses, which prevents new addresses from being learned.
  • Page 133: Removing Dynamic Address Entries

    Whenever the switch learns or removes a MAC address, an SNMP notification can be generated and sent to the NMS. If you have many users coming and going from the network, you can set a trap interval time to bundle the notification traps and reduce network traffic. The MAC notification history table stores the MAC address activity for each hardware port for which the trap is enabled.
  • Page 134 This example shows how to specify 172.20.10.10 as the NMS, enable the switch to send MAC address notification traps to the NMS, enable the MAC address notification feature, set the interval time to 60 seconds, set the history-size to 100 entries, and enable traps whenever a MAC address is added on the specified port.
  • Page 135: Adding And Removing Static Address Entries

    You can specify a different list of destination ports for each source port. A packet with a static address that arrives on a VLAN where it has not been statically entered is flooded to all ports and not learned.
  • Page 136: Configuring Unicast MAC Address Filtering

    This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet is received in VLAN 4 with this MAC address as its destination address, the packet is forwarded to the specified port: Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 interface...
  • Page 137: Disabling MAC Address Learning On A VLAN

    Use caution before disabling MAC address learning on a VLAN with a configured switch virtual interface (SVI). The switch then floods all IP packets in the Layer 2 domain. You can disable MAC address learning on a single VLAN ID from 1 to 4094 (for example, no mac •...
  • Page 138: Displaying Address Table Entries

    This example shows how to disable MAC address learning on VLAN 200: Switch(config)# no mac address-table learning vlan 200 You can display the MAC address learning status of all VLANs or a specified VLAN by entering the show mac-address-table learning [vlan vlan-id] privileged EXEC command. Displaying Address Table Entries...
  • Page 139: Managing The ARP Table

    To communicate with a device (over Ethernet, for example), the software first must learn the 48-bit MAC address or the local data link address of that device. The process of learning the local data link address from an IP address is called address resolution.
  • Page 140: Chapter 5 Administering the Switch, Managing the ARP Table
  • Page 141: Configuring SDM Templates

    Understanding the SDM Templates If the switch is running the metro IP access image, you can use SDM templates to optimize system resources in the switch to support specific features, depending on how the switch is used in the network.
  • Page 142: Chapter 6 Configuring SDM Templates

    IP access image. The values in the template are based on eight routed interfaces and approximately 1024 VLANs and represent the approximate hardware boundaries set when a template is selected. If a section of a hardware resource is full, all processing overflow is sent to the CPU, seriously impacting switch performance.
  • Page 143: Configuring The Switch SDM Template

    Configuring the Switch SDM Template Note: An IPv4 route requires only one TCAM entry. Because of the hardware compression scheme used for IPv6, an IPv6 route can take more than one TCAM entry, reducing the number of entries forwarded in hardware. Table 6-2 defines the approximate feature resources allocated by each dual template.
  • Page 144: SDM Template Configuration Guidelines

    • If you are using the switch for Layer 2 features only, select the layer-2 template. • Do not use the default template if you do not have routing enabled on your switch. The sdm prefer default global configuration command prevents other features from using the memory allocated to unicast routing in the routing template.
  • Page 145: Displaying The SDM Templates

    Displaying the SDM Templates This is an example of an output display when you have changed the template to the layer-2 template and have not reloaded the switch: Switch# show sdm prefer The current template is "default" template.
  • Page 146 IPv4/MAC qos aces: 0.5K number of IPv4/MAC security aces: This is an example of output from the show sdm prefer dual-ipv4-and-ipv6 routing command: Switch# show sdm prefer dual-ipv4-and-ipv6 routing "desktop IPv4 and IPv6 routing" template: The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
  • Page 147: Chapter 7 Configuring Switch-Based Authentication

    At a minimum, you should configure passwords and privileges at each switch port. These passwords are locally stored on the switch. When users attempt to access the switch through a port or line, they must enter the password specified for the port or line before they can access the switch. For more information, see the “Protecting Access to Privileged EXEC Commands”...
  • Page 148: Protecting Access To Privileged EXEC Commands

    • If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if necessary, authorization) information.
  • Page 149: Setting Or Changing A Static Enable Password

    Protecting Enable and Enable Secret Passwords with Encryption To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands.
  • Page 150 Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels. For more information, see the “Configuring Multiple Privilege Levels”...
  • Page 151: Disabling Password Recovery

    Note on a secure server in case the end user interrupts the boot process and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. We recommend that you also keep a backup copy of the VLAN database file on a secure server.
  • Page 152: Setting A Telnet Password For A Terminal Line

    You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
  • Page 153: Configuring Multiple Privilege Levels

    For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.
  • Page 154: Setting The Privilege Level For A Command

    When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
  • Page 155: Changing The Default Privilege Level For Lines

    Users can override the privilege level you set using the privilege level line configuration command by logging in to the line and enabling a different privilege level. They can lower the privilege level by using the disable command. If users know the password to a higher privilege level, they can use that password to enable the higher privilege level.
  • Page 156: Controlling Switch Access With TACACS+

    The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers.
  • Page 157 Authentication—Provides complete control of authentication through login and password dialog, challenge and response, and messaging support. The authentication facility can conduct a dialog with the user (for example, after a username and password are provided, to challenge a user with several questions, such as home address, mother’s maiden name, service type, and social security number).
  • Page 158: TACACS+ Operation

    You can use method lists to designate one or more security protocols to be used, thus ensuring a backup system if the initial method fails. The software uses the first method listed to authenticate, to authorize, or to keep accounts on users;...
  • Page 159: Default TACACS+ Configuration

    You can group servers to select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list and contains the list of IP addresses of the selected server hosts.
  • Page 160: Configuring TACACS+ Login Authentication

    The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific port before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default).
  • Page 161 ...authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user...
  • Page 162: Configuring TACACS+ Authorization For Privileged EXEC Access And Network Services

    The user is granted access to a requested service only if the information in the user profile allows it.
  • Page 163: Starting TACACS+ Accounting

    When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing.
  • Page 164: Understanding RADIUS

    • Network in which the user must only access a single service. Using RADIUS, you can control user access to a single host, to a single utility such as Telnet, or to the network through a protocol such as IEEE 802.1x. For more information about this protocol, see Chapter 8, “Configuring IEEE 802.1x...
  • Page 165: RADIUS Operation

    RADIUS Operation When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur: The user is prompted to enter a username and password. The username and encrypted password are sent over the network to the RADIUS server.
  • Page 166: Configuring RADIUS

    A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user. You can use method lists to designate one or more security protocols to be used (such as TACACS+ or local username lookup), thus ensuring a backup system if the initial method fails. The software uses the first method listed to authenticate, to authorize, or to keep accounts on users;...
  • Page 167 You identify RADIUS security servers by their hostname or IP address, hostname and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
  • Page 168 Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1 Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2 This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting: Switch(config)# radius-server host host1...
  • Page 169: Configuring RADIUS Login Authentication

    Note: You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.
  • Page 170 [method2...] • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.
  • Page 171: Defining AAA Server Groups

    You can configure the switch to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
  • Page 172 Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 173: Configuring RADIUS Authorization For User Privileged Access And Network Services

    AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch uses information retrieved from the user’s profile, which is in the local user database or on the security server, to configure the user’s session. The user is granted access to a requested service only if the information in the user profile allows it.
  • Page 174: Starting RADIUS Accounting

    When AAA accounting is enabled, the switch reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing.
  • Page 175: Configuring Settings For All RADIUS Servers

    Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting for the retransmit, timeout, and deadtime, use the no forms of these commands. Configuring the Switch to Use Vendor-Specific RADIUS Attributes...
  • Page 176: Configuring The Switch For Vendor-Proprietary RADIUS Server Communication

    "tunnel-type(#64)=VLAN(13)" cisco-avpair= "tunnel-medium-type(#65)=802 media(6)" cisco-avpair= "tunnel-private-group-ID(#81)=vlanid" This example shows how to apply an input ACL in ASCII format to an interface for the duration of this connection: cisco-avpair= "ip:inacl#1=deny ip 10.10.10.10 0.0.255.255 20.20.20.20 255.255.0.0" cisco-avpair= "ip:inacl#2=deny ip 10.10.10.10 0.0.255.255 any"...
  • Page 177: Configuring RADIUS Server Load Balancing

    As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with the switch. You specify the RADIUS host and secret text string by using the radius-server global configuration commands.
  • Page 178: Controlling Switch Access With Kerberos

    (KDC). Kerberos verifies that users are who they claim to be and the network services that they use are what the services claim to be. To do this, a KDC or trusted Kerberos server issues tickets to users. These tickets, which have a limited lifespan, are stored in user credential caches.
  • Page 179 This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs).
  • Page 180: Kerberos Operation

    4. SRVTAB = server table Kerberos Operation A Kerberos server can be a Cisco ME switch that is configured as a network security server and that can authenticate remote users by using the Kerberos protocol. Although you can customize Kerberos in a number of ways, remote users attempting to access network services must pass through three layers of security before they can access network services.
  • Page 181: Obtaining A TGT From A KDC

    Kerberos realm to communicate and mutually authenticate users and network services. To do this, you must identify them to each other. You add entries for the hosts to the Kerberos database on the KDC and add KEYTAB files generated by the KDC to all hosts in the Kerberos realm. You also create entries for the users in the KDC database.
  • Page 182: Configuring The Switch For Local Authentication And Authorization

    Configuring the Switch for Local Authentication and Authorization You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration.
  • Page 183: Configuring The Switch For Secure Shell

    The SSH feature has an SSH server and an SSH integrated client, which are applications that run on the switch. You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 184: Limitations

    Configuration Guidelines Follow these guidelines when configuring the switch as an SSH server or SSH client: • An RSA key pair generated by an SSHv1 server can be used by an SSHv2 server, and the reverse. • If you get CLI error messages after entering the crypto key generate rsa global configuration...
  • Page 185: Setting Up The Switch To Run SSH

    7-36. Beginning in privileged EXEC mode, follow these steps to configure a hostname and an IP domain name and to generate an RSA key pair. This procedure is required if you are configuring the switch as an SSH server. Command...
  • Page 186: Configuring The SSH Server

    To return to the default SSH control parameters, use the no ip ssh {timeout | authentication-retries} global configuration command. Displaying the SSH Configuration and Status To display the SSH server configuration and status, use one or more of the privileged EXEC commands Table 7-3:...
  • Page 187: Configuring The Switch For Secure Copy Protocol

    SCP relies on Secure Shell (SSH), an application and a protocol that provides a secure replacement for the Berkeley r-tools. For SSH to work, the switch needs an RSA public/private key pair. This is the same with SCP, which relies on SSH for its secure transport.
  • Page 188: Chapter 7 Configuring Switch-Based Authentication, Configuring the Switch for Secure Copy Protocol
  • Page 189: Understanding IEEE 802.1X Port-Based Authentication

    For complete syntax and usage information for the commands used in this chapter, see the command reference for this release. Note Some IEEE 802.1x (dot1x) commands are visible on the switch but are not supported. For a list of unsupported commands see Appendix C, “Unsupported Commands in Cisco IOS Release 12.2(50)SE.”...
  • Page 190: Chapter 8 Configuring IEEE 802.1x Port-Based Authentication

    Authentication server—performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client.
  • Page 191: Authentication Initiation And Message Exchange

    If the client does not receive an EAP-request/identity frame after three attempts to start authentication, the client sends frames as if the port is in the authorized state. A port in the authorized state effectively means that the client has been successfully authenticated. For more information, see the “Ports in Authorized and Unauthorized States”...
  • Page 192: Ports In Authorized And Unauthorized States

    Ports in Authorized and Unauthorized States Depending on the switch port state, the switch can grant a client access to the network. The port starts in the unauthorized state. While in this state, the port disallows all incoming and outgoing traffic except for IEEE 802.1x, CDP, and STP packets.
  • Page 193: IEEE 802.1x Accounting

    When a client logs off, it sends an EAPOL-logoff message, causing the switch port to change to the unauthorized state. If the link state of a port changes from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state.
  • Page 194: IEEE 802.1x Host Mode

    The switch detects the client by sending an EAPOL frame when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.
  • Page 195: Using 802.1X Readiness Check

    If the client address is aged, its place in the secure host table can be taken by another host.
  • Page 196: Using IEEE 802.1x with VLAN Assignment

    VLAN based on the username of the client connected to the switch port. You can use this feature to limit network access for certain users. When configured on the switch and the RADIUS server, IEEE 802.1x with VLAN assignment has these characteristics: •...
  • Page 197: Switch Supplicant with Network Edge Access Topology (NEAT)

    802.1x supplicant feature. This configuration is helpful in a scenario where, for example, a switch is outside a wiring closet and is connected to an upstream switch through a trunk port. A switch configured with the 802.1x switch supplicant feature authenticates with the upstream switch for secure connectivity.
  • Page 198: Configuring IEEE 802.1x Authentication

    • Setting the Re-Authentication Number, page 8-20 (optional) • Configuring the Host Mode, page 8-20 (optional) • Resetting the IEEE 802.1x Configuration to the Default Values, page 8-21 (optional) • Configuring IEEE 802.1x Accounting, page 8-21 (optional) • Configuring 802.1x Switch Supplicant with NEAT, page 8-22...
  • Page 199 30 seconds (number of seconds that the switch should wait for a response to an EAP request/identity frame from the client before resending the request). Maximum retransmission number 2 times (number of times that the switch will send an EAP-request/identity frame before restarting the authentication process). Host mode Single-host mode.
  • Page 200: IEEE 802.1x Configuration Guidelines

    This is the maximum number of devices allowed on an IEEE 802.1x-enabled port: • In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN.
  • Page 201: Configuring 802.1X Readiness Check

    (Optional) Verify your modified timeout values. This example shows how to enable a readiness check on a switch to query a port. It also shows the response received from the queried port verifying that the device connected to it is IEEE 802.1x-capable:...
  • Page 202: Configuring IEEE 802.1x Violation Modes

    Configuring IEEE 802.1x Violation Modes You can configure an IEEE 802.1x port so that it shuts down, generates a syslog error, or discards packets from a new device when: • a device connects to an IEEE 802.1x-enabled port •...
  • Page 203 The switch sends a start message to an accounting server. Step 5 Re-authentication is performed, as necessary. Step 6 The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication. Step 7 The user disconnects from the port.
  • Page 204: Configuring the Switch-to-RADIUS-Server Communication

    This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use port 1612 as the authorization port, and to set the encryption key to rad123, matching the key on the RADIUS server: Switch(config)# radius-server host 172.20.39.46 auth-port 1612 key rad123...
  • Page 205: Configuring Periodic Re-Authentication

    You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.
  • Page 206: Changing The Quiet Period

    Changing the Quiet Period When the switch cannot authenticate the client, the switch remains idle for a set period of time and then tries again. The dot1x timeout quiet-period interface configuration command controls the idle period.
  • Page 207: Setting The Switch-To-Client Frame-Retransmission Number

    To return to the default retransmission time, use the no dot1x timeout tx-period interface configuration command. This example shows how to set 60 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request:...
  • Page 208: Setting The Re-Authentication Number

    To return to the default re-authentication number, use the no dot1x max-reauth-req interface configuration command. This example shows how to set 4 as the number of times that the switch restarts the authentication process before the port changes to the unauthorized state:...
  • Page 209: Resetting the IEEE 802.1x Configuration to the Default Values

    Configuring IEEE 802.1x Accounting Enabling AAA system accounting with IEEE 802.1x accounting allows system reload events to be sent to the accounting RADIUS server for logging. The server can then infer that all active IEEE 802.1x sessions are closed. Because RADIUS uses the unreliable UDP transport protocol, accounting messages might be lost due to poor network conditions.
  • Page 210: Configuring 802.1x Switch Supplicant with NEAT

    Note You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and interim-update messages and time stamps. To turn on these functions, enable logging of “Update/Watchdog packets from this AAA client”...
  • Page 211 Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator: Step 1 configure terminal (Enter global configuration mode). Step 2 cisp enable (Enable CISP).
  • Page 212: Displaying IEEE 802.1x Statistics and Status

    To display IEEE 802.1x statistics for a specific port, use the show dot1x statistics interface interface-id privileged EXEC command. To display the IEEE 802.1x administrative and operational status for the switch, use the show dot1x all privileged EXEC command. To display the IEEE 802.1x administrative and operational status for a specific port, use the show dot1x interface interface-id privileged EXEC command.
  • Page 213: Understanding Interface Types

    Chapter 9 Configuring Interfaces This chapter defines the types of interfaces on the Cisco ME 3400 Ethernet Access switch and describes how to configure them. • Understanding Interface Types, page 9-1 • Using Interface Configuration Mode, page 9-8 •...
  • Page 214: UNI, NNI, and ENI Port Types

    If the switch is running the metro base or metro access image, only four ports on the switch can be configured as NNIs at one time. If the switch is running the metro IP access image, there is no limit to the number of NNIs that can be configured on the switch.
  • Page 215: Switch Ports

    VLANs. A switch port can be an access port, a trunk port, a private-VLAN port, or a tunnel port. You can configure a port as an access port or trunk port. You configure a private VLAN port as a host or promiscuous port that belongs to a private-VLAN primary or secondary VLAN.
  • Page 216: Access Ports

    By default, all possible VLANs (VLAN ID 1 to 4094) are in the allowed list. A trunk port can become a member of a VLAN only if the VLAN is in the enabled state.
  • Page 217: Routed Ports

    Routed Ports A routed port is a physical port that acts like a port on a router; it does not have to be connected to a router. A routed port is not associated with a particular VLAN, as is an access port. A routed port behaves like a regular router interface, except that it does not support VLAN subinterfaces.
  • Page 218: EtherChannel Port Groups

    VLAN ID configured for an access port. Configure a VLAN interface for each VLAN for which you want to route traffic, and assign it an IP address. For more information, see the “Manually Assigning IP Information” section on page 3-14.
  • Page 219: Connecting Interfaces

    By using the switch with routing enabled, when you configure both VLAN 20 and VLAN 30 with an SVI to which an IP address is assigned, packets can be sent from Host A to Host B directly through the switch with no need for an external router (Figure 9-1).
  • Page 220: Using Interface Configuration Mode

    0/1 or gigabitethernet 0/1. If there is more than one interface type (for example, 10/100 ports and SFP module ports), the port numbers restart with the second interface type: gigabitethernet 0/1.
  • Page 221: Configuring A Range Of Interfaces

    “Monitoring and Maintaining the Interfaces” section on page 9-26. Enter the show interfaces privileged EXEC command to see a list of all interfaces on or configured for the switch. A report is provided for each interface that the device supports or for the specified interface.
  • Page 222: Configuring And Using Interface Range Macros

    This example shows how to use a comma to add different interface type strings to the range to enable Fast Ethernet ports 1 to 3 and Gigabit Ethernet ports 1 and 2 to receive IEEE 802.3x flow control pause frames:...
  • Page 223 EXEC command displays the configured VLAN interfaces. VLAN interfaces not displayed by the show running-config command cannot be used as interface-ranges. All interfaces defined in a range must be the same type (all Fast Ethernet ports, all Gigabit •...
  • Page 224: Configuring Ethernet Interfaces

    When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration.
  • Page 225 Speed Autonegotiate. Duplex mode Autonegotiate. IEEE 802.3x flow control Flow control is set to receive: off. It is always off for sent packets. EtherChannel Disabled on all Ethernet ports. See Chapter 34, “Configuring EtherChannels and Link-State Tracking.” Port blocking (unknown multicast and unknown Disabled (not blocked) (only Layer 2 interfaces).
  • Page 226: Configuring The Port Type

    Note messages on NNIs. Changing the port type from UNI or ENI to NNI or from NNI to UNI or ENI has no effect on the keepalive status. You can change the keepalive state from the default setting by entering the [no] keepalive interface configuration command.
  • Page 227: Configuring Interface Speed And Duplex Mode

    Entering the no port-type or default port-type interface configuration command returns the port to the default state: UNI for Fast Ethernet ports and NNI for Gigabit Ethernet ports. This example shows how to change a port from a UNI to an NNI and save it to the running configuration. Switch# configure terminal Enter configuration commands, one per line.
  • Page 228: Setting The Interface Speed And Duplex Parameters

    • both interfaces; do not use the auto setting on the supported side. • When STP is enabled and a port is reconfigured, the switch can take up to 30 seconds to check for loops. The port LED is amber while STP reconfigures. On the Cisco ME switch, STP is supported on NNIs by default and can be enabled on ENIs.
  • Page 229 (autonegotiate). To return all interface settings to the defaults, use the default interface interface-id interface configuration command. This example shows how to set the interface speed to 10 Mbps and the duplex mode to half on a 10/100 Mbps port:...
  • Page 230: Configuring A Dual-Purpose Port

    (NNIs). If the switch is running the metro IP access image, you can configure any number of ports as NNIs. If the switch is running the metro base or metro access image, you can configure only four ports as NNIs.
  • Page 231 If you install both types of media in an enabled dual-purpose port, the switch selects the active link based on which type is installed first. If both media are installed in the dual-purpose port, and the switch is reloaded or the port is disabled •...
  • Page 232: Configuring IEEE 802.3x Flow Control

    If one port experiences congestion and cannot receive any more traffic, it notifies the other port by sending a pause frame to stop sending until the condition clears. Upon receipt of a pause frame, the sending device stops sending any data packets, which prevents any loss of data packets during the congestion period.
  • Page 233: Configuring Auto-MDIX on an Interface

    Auto-MDIX is enabled by default. When you enable auto-MDIX, you must also set the speed and duplex on the interface to auto so that the feature operates correctly. Auto-MDIX is supported on all 10/100 and 10/100/1000 Mbps interfaces and on Cisco 10/100/1000 BASE-T/TX SFP module interfaces. It is not supported on 1000 BASE-SX or -LX SFP module interfaces.
  • Page 234: Adding A Description For An Interface

    Connects to Marketing Configuring Layer 3 Interfaces The switch must be running the metro IP access image to support Layer 3 interfaces. The Cisco ME switch supports these types of Layer 3 interfaces: • SVIs: You should configure SVIs for any VLANs for which you want to route traffic. SVIs are...
  • Page 235 A Layer 3 switch can have an IP address assigned to each routed port and SVI. There is no defined limit to the number of SVIs and routed ports that can be configured in a switch. However, the interrelationship between the number of SVIs and routed ports and the number of other features being configured might have an impact on CPU usage because of hardware limitations.
  • Page 236: Configuring the System MTU

    The default maximum transmission unit (MTU) size for frames received and sent on all interfaces on the switch is 1500 bytes. You can increase the MTU size for all interfaces operating at 10 or 100 Mbps by using the system mtu global configuration command. You can increase the MTU size to support jumbo frames on all Gigabit Ethernet interfaces by using the system mtu jumbo global configuration command.
  • Page 237 Save your entries in the configuration file. Step 7 reload Reload the operating system. If you enter a value that is outside the allowed range for the specific type of interface, the value is not accepted.
  • Page 238: Monitoring And Maintaining The Interfaces

    Once the switch reloads, you can verify your settings by entering the show system mtu privileged EXEC command. This example shows how to set the maximum packet size for a Gigabit Ethernet port to 1800 bytes: Switch(config)# system mtu jumbo 1800...
  • Page 239: Clearing And Resetting Interfaces And Counters

    To clear the interface counters shown by the show interfaces privileged EXEC command, use the clear counters privileged EXEC command. The clear counters command clears all current interface counters from the interface unless you specify optional arguments that clear only a specific interface type from a specific interface number.
  • Page 240: Shutting Down And Restarting The Interface

    Shutting Down and Restarting the Interface Shutting down an interface disables all functions on the specified interface and marks the interface as unavailable on all monitoring command displays. This information is communicated to other network servers through all dynamic routing protocols. The interface is not mentioned in any routing updates.
  • Page 241: Understanding Command Macros

    Configuring Command Macros You can create a new command macro or use an existing macro as a template to create a new macro that is specific to your application. After you create the macro, you can apply it globally to a switch, to a switch interface, or to a range of interfaces.
  • Page 242: Chapter 10 Configuring Command Macro

    Keyword matching is case sensitive. All matching occurrences of the keyword are replaced with the corresponding value. Any full match of a keyword, even if it is part of a larger string, is considered a match and is replaced by the corresponding value.
  • Page 243: Creating Command Macros

    This example shows how to create a macro that defines the switchport access VLAN and the number of secure MAC addresses and also includes two help string keywords by using # macro keywords:...
  • Page 244: Applying Command Macros

    Some macros might contain keywords that require a parameter value. You can use the macro global apply macro-name ? command to display a list of any required values in the macro. If you apply a macro without entering the keyword values, the commands are invalid and are not applied.
  • Page 245: Displaying Command Macros

    Displaying Command Macros You can delete a global macro-applied configuration on a switch only by entering the no version of each command that is in the macro. You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command.
  • Page 247: Configuring VLANs

    VLANs have the same attributes as physical LANs, but you can group end stations even if they are not physically located on the same LAN segment. Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations in the VLAN.
  • Page 248: Supported VLANs

    VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN. Interface VLAN membership on the switch is assigned manually on an interface-by-interface basis. When you assign switch interfaces to VLANs by using this method, it is known as interface-based, or static, VLAN membership.
  • Page 249 Caution You can cause inconsistency in the VLAN database if you try to manually delete the vlan.dat file. If you want to modify the VLAN configuration, use the commands described in these sections and in the command reference for this release.
  • Page 250: Extended-Range VLANs

    Note VLAN Port Membership Modes You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic that the port carries and the number of VLANs to which it can belong. Table 11-1 lists the membership modes and characteristics.
  • Page 251: UNI-ENI VLANs

    11-26. Private VLAN A private VLAN port is a host or promiscuous port that belongs to a private VLAN primary or secondary VLAN. Only NNIs can be configured as promiscuous ports. For information about private VLANs, see Chapter 12, “Configuring Private VLANs.”...
  • Page 252 6 – 10 Customer-facing ports A UNI or ENI can be an access port, a trunk port, a private VLAN port, or an IEEE 802.1Q tunnel port. It can also be a member of an EtherChannel. When a UNI or ENI configured as an IEEE 802.1Q trunk port belongs to a UNI-ENI isolated VLAN, the VLAN on the trunk is isolated from the same VLAN ID on a different trunk port or an access port.
  • Page 253: Creating and Modifying VLANs

    Configuring UNI-ENI VLANs, page 11-12 If the switch is running the metro IP access or metro access image, for more efficient management of the MAC address table space available on the switch, you can control which VLANs learn MAC addresses by disabling MAC address learning on specific VLANs.
  • Page 254: VLAN Configuration Guidelines

    VLAN creates a VLAN on that switch that is not running spanning tree. If you have the default allowed list on the trunk ports of that switch (which is to allow all VLANs), the new VLAN is carried on all trunk ports. Depending on the topology of the network, this could create a loop in the new VLAN that would not be broken, particularly if there are several adjacent switches that all have run out of spanning-tree instances.
  • Page 255: Creating or Modifying an Ethernet VLAN

    To access VLAN configuration mode, enter the vlan global configuration command with a VLAN ID. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify that VLAN. You can use the default VLAN configuration (Table 11-2) or enter commands to configure the VLAN.
  • Page 256 (Optional) Change the MTU size. Step 5 Return to privileged EXEC mode. Step 6 show vlan {name vlan-name | id vlan-id} Verify your entries. The name option is only valid for VLAN IDs 1 to 1005. Step 7 copy running-config startup-config (Optional) Save the configuration in the switch startup configuration file.
  • Page 257: Assigning Static-Access Ports to a VLAN

    Assigning Static-Access Ports to a VLAN You can assign a static-access port to a VLAN. Note If you assign an interface to a VLAN that does not exist, the new VLAN is created. (See the “Creating or Modifying an Ethernet VLAN”...
  • Page 258: Configuring UNI-ENI VLANs

    Beginning in privileged EXEC mode, follow these steps to release a VLAN ID that is assigned to an internal VLAN and to create an extended-range VLAN with that ID: Step 1 show vlan internal usage (Display the VLAN IDs being used internally by the switch).
  • Page 259: Configuring UNI-ENI VLANs

    • VLAN as a UNI-ENI community VLAN if more than eight UNIs and ENIs belong to the VLAN. • If you attempt to add a UNI or ENI static access port to a UNI-ENI community VLAN that has a combination of eight UNIs and ENIs, the configuration is refused. If a UNI or ENI dynamic access port is added to a UNI-ENI community VLAN that has eight UNIs or ENIs, the port is error-disabled.
  • Page 260: Displaying VLANs

    A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch. Ethernet trunks carry the traffic of multiple VLANs over a single link, and you can extend the VLANs across an entire network. The switch supports the IEEE 802.1Q industry-standard trunking encapsulation.
  • Page 261: IEEE 802.1Q Configuration Considerations

    • Make sure that the native VLAN for an IEEE 802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one end of the trunk is different from the native VLAN on the other end, spanning-tree loops might result.
  • Page 262: Default Layer 2 Ethernet Interface VLAN Configuration

    Note STP is supported by default on NNIs, but must be enabled on ENIs. STP is not supported on UNIs. – trunk status: if one port in a port group ceases to be a trunk, all ports cease to be trunks.
  • Page 263: Configuring A Trunk Port

    • If you try to enable IEEE 802.1x on a trunk port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, the port mode is not changed.
  • Page 264 The same is true for any VLAN that has been disabled on the port. A trunk port can become a member of a VLAN if the VLAN is enabled and if the VLAN is in the allowed list for the port.
  • Page 265: Configuring the Native VLAN for Untagged Traffic

    To return to the default native VLAN, VLAN 1, use the no switchport trunk native vlan interface configuration command. If a packet has a VLAN ID that is the same as the sending port native VLAN ID, the packet is sent untagged; otherwise, the switch sends the packet with a tag.
  • Page 266: Load Sharing Using STP Port Priorities

    When two ports on the same switch form a loop, the switch uses the STP port priority to decide which port is enabled and which port is in a blocking state. You can set the priorities on a parallel STP trunk port so that the port carries all the traffic for a given VLAN.
  • Page 267: Load Sharing Using STP Path Cost

    (Optional) Save your entries in the configuration file. Follow the same steps on Switch B to configure the trunk port for Trunk 1 with a spanning-tree port priority of 16 for VLANs 8 through 10, and configure the trunk port for Trunk 2 with a spanning-tree port priority of 16 for VLANs 3 through 6.
  • Page 268 {nni | eni} Configure the interface as an NNI or ENI. UNIs do not support STP. If you configure the port as an ENI, you must also enable STP on the port by entering the spanning-tree interface configuration command.
  • Page 269: Configuring VMPS

    (Optional) Save your entries in the configuration file. Follow the same steps on Switch B to configure the trunk port for Trunk 1 with a path cost of 30 for VLANs 2 through 4, and configure the trunk port for Trunk 2 with a path cost of 30 for VLANs 8 through...
  • Page 270: Dynamic-Access Port VLAN Membership

    VLAN name and allowing access to the host. • If the host is not allowed on the port and the VMPS is in open mode, the VMPS sends an access-denied response. • If the VLAN is not allowed on the port and the VMPS is in secure mode, the VMPS sends a...
  • Page 271: Default VMPS Client Configuration

    Port channels cannot be configured as dynamic-access ports. Configuring the VMPS Client You configure dynamic VLANs by using the VMPS (server). The switch can be a VMPS client; it cannot be a VMPS server.
  • Page 272: Entering the IP Address of the VMPS

    (Optional) Save your entries in the configuration file. Note You must have IP connectivity to the VMPS for dynamic-access ports to work. You can test for IP connectivity by pinging the IP address of the VMPS and verifying that you get a response.
  • Page 273: Reconfirming VLAN Memberships

    To return an interface to its default configuration, use the default interface interface-id interface configuration command. To reset the access mode to the default VLAN for the switch, use the no switchport access vlan interface configuration command. Reconfirming VLAN Memberships...
  • Page 274: Monitoring the VMPS

    Troubleshooting Dynamic-Access Port VLAN Membership The VMPS shuts down a dynamic-access port under these conditions: • The VMPS is in secure mode, and it does not allow the host to connect to the port. The VMPS shuts down the port to prevent the host from connecting to the network.
  • Page 275 • End stations are connected to the clients, Switch B and Switch I. • The database configuration file is stored on the TFTP server with the IP address 172.20.22.7. Figure 11-5 Dynamic Port VLAN Membership Configuration...
  • Page 277: Understanding Private VLANs

    • To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which can waste the unused IP addresses and cause IP address management problems.
  • Page 278: Chapter 12 Configuring Private VLANs

    • Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level. A community VLAN can include a combination of no more than eight user network interfaces (UNIs) and enhanced network interfaces (ENIs).
  • Page 279 Note The switch also supports UNI-ENI isolated VLANs and UNI-ENI community VLANs. When a VLAN is created, it is by default a UNI-ENI isolated VLAN. Traffic is not switched among UNIs and ENIs on a switch that belong to a UNI-ENI isolated VLAN. For more information on UNI-ENI VLANs, see Chapter 11, “Configuring VLANs.”...
  • Page 280: IP Addressing Scheme with Private VLANs

    Assigning a separate VLAN to each customer creates an inefficient IP addressing scheme: • Assigning a block of addresses to a customer VLAN can result in unused IP addresses. • If the number of devices in the VLAN increases, the number of assigned addresses might not be large enough to accommodate them.
  • Page 281: Private VLANs and Unicast, Broadcast, and Multicast Traffic

    If you try to create an SVI on a VLAN that is configured as a secondary VLAN and the secondary VLAN is already mapped at Layer 3, the SVI is not created, and an error is returned. If the SVI is not mapped at Layer 3, the SVI is created, but it is automatically shut down.
  • Page 282: Tasks for Configuring Private VLANs

    12-10. Note If the VLAN is not created already, the private-VLAN configuration process creates it. Step 2 Configure interfaces to be isolated or community host ports, and assign VLAN membership to the host port. See the “Configuring a Layer 2 Interface as a Private-VLAN Host Port” section on page 12-11.
  • Page 283 VLAN, it is propagated to the secondary VLANs. If you configure DHCP on a secondary VLAN, the configuration does not take effect if the primary VLAN is already configured. If the switch is running the metro access or metro IP access image and you enable IP source guard •...
  • Page 284: Private-VLAN Port Configuration

    • primary and secondary VLANs have not been removed from the trunk. • A community private VLAN can include no more than eight UNIs and ENIs. If you try to add more than eight, the configuration is not allowed. If you try to configure a VLAN that includes a combination of more than eight UNIs and ENIs as a community private VLAN, the configuration is not allowed.
  • Page 285: Configuring and Associating VLANs in a Private VLAN

    VLANs. If you configure a static MAC address on a host port in a secondary VLAN, you must add the same static MAC address to the associated primary VLAN. When you delete a static MAC address from a private-VLAN port, you must remove all instances of the configured MAC address from the private VLAN.
  • Page 286 This example shows how to configure VLAN 20 as a primary VLAN, VLAN 501 as an isolated VLAN, and VLANs 502 and 503 as community VLANs, to associate them in a private VLAN, and to verify the configuration. It assumes that VLANs 502 and 503 have previously been configured as UNI-ENI...
  • Page 287: Configuring a Layer 2 Interface as a Private-VLAN Host Port

    (Optional) Save your entries in the switch startup configuration file. This example shows how to configure an interface as a private-VLAN host port, associate it with a private-VLAN pair, and verify the configuration: Switch# configure terminal...
  • Page 288: Configuring A Layer 2 Interface As A Private-Vlan Promiscuous Port

    Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port You can configure only NNIs as promiscuous ports. Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN promiscuous port and map it to primary and secondary VLANs: Isolated and community VLANs are both secondary VLANs.
  • Page 289: Mapping Secondary Vlans To A Primary Vlan Layer 3 Vlan Interface

    Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface If the switch is running the metro IP access image and the private VLAN will be used for inter-VLAN routing, you configure an SVI for the primary VLAN and map secondary VLANs to the SVI.
  • Page 290: Monitoring Private Vlans

    • VLANs and the primary VLAN. This example shows how to map the interfaces of VLANs 501 and 502 to primary VLAN 10, which permits routing of secondary VLAN incoming traffic from private VLANs 501 to 502: Switch# configure terminal...
  • Page 291: Understanding 802.1Q Tunneling

    A port configured to support 802.1Q tunneling is called a tunnel port. When you configure tunneling, you assign a tunnel port to a VLAN ID that is dedicated to tunneling. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide...
  • Page 292: C H A P T E R 13 Configuring Ieee 802.1Q Tunneling And Layer 2 Protocol Tunneling

    802.1Q trunk port, and the other end is configured as a tunnel port. You assign the tunnel port interface to an access VLAN ID that is unique to each customer. See Figure 13-1.
  • Page 293 However, the metro tag is not added when the packet is sent out the tunnel port on the edge switch into the customer network. The packet is sent as a normal 802.1Q-tagged frame to preserve the original VLAN numbers in the customer network.
  • Page 294: Configuring 802.1Q Tunneling

    VLAN 30 to the ingress tunnel port of Switch B in the service-provider network, which belongs to access VLAN 40. Because the access VLAN of the tunnel port (VLAN 40) is the same as the native VLAN of the edge-switch trunk port (VLAN 40), the metro tag is not added to tagged packets received from the tunnel port.
  • Page 295: System Mtu

    4 bytes when the metro tag is added, you must configure all switches in the service-provider network to be able to process maximum frames by increasing the switch system MTU size to at least 1504 bytes. The maximum allowable system MTU for Gigabit Ethernet interfaces is 9000 bytes; the maximum system MTU for Fast Ethernet interfaces is 1998 bytes.
  • Page 296: Configuring An 802.1Q Tunneling Port

    • A tunnel port cannot be a routed port. • IP routing is not supported on a VLAN that includes 802.1Q tunnel ports. Packets received from a tunnel port are forwarded based only on Layer 2 information. If routing is enabled on a switch virtual interface (SVI) that includes tunnel ports, untagged IP packets received from the tunnel port are recognized and routed by the switch.
  • Page 297: Understanding Layer 2 Protocol Tunneling

    Customers at different sites connected across a service-provider network need to use various Layer 2 protocols to scale their topologies to include all remote sites, as well as the local sites. STP must run properly, and every VLAN should build a proper spanning tree that includes the local site and all remote sites across the service-provider network.
  • Page 298 If the network does not tunnel PDUs, switches on the far ends of the network cannot properly run STP, CDP, and VTP. For example, STP for a VLAN on a switch in Customer X, Site 1, will build a spanning tree on the switches at that site without considering convergence parameters based on Customer X’s switch in Site 2.
  • Page 299 VLANs 1 to 100 In an SP network, you can use Layer 2 protocol tunneling to enhance the creation of EtherChannels by emulating a point-to-point network topology. When you enable protocol tunneling (PAgP or LACP) on the SP switch, remote customer switches receive the PDUs and can negotiate the automatic creation of EtherChannels.
  • Page 300: Configuring Layer 2 Protocol Tunneling

    VLAN tag. The core switches ignore the inner tags and forward the packet to all trunk ports in the same metro VLAN. The edge switches on the outbound side restore the proper Layer 2 protocol and MAC address information and forward the packets to all Layer 2 protocol-enabled access ports, tunnel ports, and trunk ports in the same metro VLAN.
  • Page 301: Default Layer 2 Protocol Tunneling Configuration

    MAC address as the destination MAC address. These double-tagged packets have the metro VLAN tag of 40, as well as an inner VLAN tag (for example, VLAN 100). When the double-tagged packets enter Switch D, the outer VLAN tag 40 is removed, the well-known MAC address is replaced with the respective Layer 2 protocol MAC address, and the packet is sent to Customer Y on Site 2 as a single-tagged frame in VLAN 100.
  • Page 302: Configuring Layer 2 Protocol Tunneling

    • If an encapsulated PDU (with the proprietary destination MAC address) is received from a tunnel port or access or trunk port with Layer 2 tunneling enabled, the tunnel port is shut down to prevent loops. The port also shuts down when a configured shutdown threshold for the protocol is reached.
  • Page 303 (Optional) Configure the CoS value for all tunneled Layer 2 PDUs. The range is 0 to 7; the default is the default CoS value for the interface. If none is configured, the default is 5. Step 11 Return to privileged EXEC mode.
  • Page 304: Configuring Layer 2 Tunneling For Etherchannels

    Chapter 13 Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling This example shows how to configure Layer 2 protocol tunneling for CDP, STP, and VTP and to verify the configuration. Switch(config)# interface gigabitethernet0/1 Switch(config-if)# l2protocol-tunnel cdp...
  • Page 305 Use the no l2protocol-tunnel [point-to-point [pagp | lacp | udld]] interface configuration command to disable point-to-point protocol tunneling for one of the Layer 2 protocols or for all three. Use the no l2protocol-tunnel shutdown-threshold [point-to-point [pagp | lacp | udld]] and the no l2protocol-tunnel drop-threshold [point-to-point [pagp | lacp | udld]] commands to return the shutdown and drop thresholds to the default settings.
  • Page 306: Configuring The Customer Switch

    Figure 13-6 on page 13-10.) This example shows how to configure the SP edge switch 1 and edge switch 2. VLANs 17, 18, 19, and 20 are the access VLANs, Gigabit Ethernet interfaces 1 and 2 are point-to-point tunnel ports with PAgP and UDLD enabled, the drop threshold is 1000, and Fast Ethernet interface 3 is a trunk port.
  • Page 307 Switch(config-if)# switchport mode trunk This example shows how to configure the customer switch at Site 1. Fast Ethernet interfaces 1, 2, 3, and 4 are set for 802.1Q trunking, UDLD is enabled, EtherChannel group 1 is enabled, and the port channel is shut down and then enabled to activate the EtherChannel configuration.
  • Page 308: Monitoring And Maintaining Tunneling And Mapping Status

    Monitoring and Maintaining Tunneling and Mapping Status Table 13-2 shows the privileged EXEC commands for monitoring and maintaining 802.1Q and Layer 2 protocol tunneling and VLAN mapping. Table 13-2 Commands for Monitoring and Maintaining Tunneling...
  • Page 309: Configuring Stp

    (rapid-PVST+) protocol based on the IEEE 802.1w standard. On the Cisco ME switch, STP is enabled by default on network node interfaces (NNIs). It is disabled by default, but can be enabled, on enhanced network interfaces (ENIs). User network interfaces (UNIs) on the switch do not participate in STP.
  • Page 310: Chapter 14 Configuring Stp

    The switch that has all of its ports as the designated role or the backup role is the root switch. The switch that has at least one of its ports in the designated role is called the designated switch.
  • Page 311: Spanning-Tree Topology And Bpdus

    When a switch receives a configuration BPDU that contains superior information (lower bridge ID, lower path cost, and so forth), it stores the information for that port. If this BPDU is received on the root port of the switch, the switch also forwards it with an updated message to all attached LANs for which it is the designated switch.
  • Page 312: Bridge Id, Switch Priority, And Extended System Id

    LAN is called the designated port. For the Cisco ME switch, this only applies to NNIs or to ENIs on which STP has been specifically enabled. All paths that are not needed to reach the root switch from anywhere in the switched network are placed in the spanning-tree blocking mode.
  • Page 313: Spanning-Tree Interface States

    When you power up the switch, spanning tree is enabled by default, and every NNI in the Cisco ME switch (and every ENI on which STP has been enabled), as well as any other port in other switches in the VLAN or network that are participating in spanning tree, goes through the blocking state and the transitory states of listening and learning.
  • Page 314: Blocking State

    BPDUs with other switches. This exchange establishes which switch in the network is the root or root switch. If there is only one switch in the network, no exchange occurs, the forward-delay timer expires, and the interface moves to the listening state. An interface participating in spanning tree always enters the blocking state after switch initialization.
  • Page 315: Learning State

    14-2, Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768) and Switch A has the lowest MAC address. However, because of traffic patterns, number of forwarding interfaces, or link types, Switch A might not be the ideal root switch.
  • Page 316: Spanning Tree And Redundant Connectivity

    For instance, connecting higher-speed links to an interface that has a higher number than the root port can cause a root-port change. The goal is to make the fastest link the root port.
  • Page 317: Spanning-Tree Address Management

    The PVST+ provides Layer 2 load balancing for the VLAN on which it runs. You can create different logical topologies by using the VLANs on your network to ensure that all of your links are used but that no one link is oversubscribed. Each instance of PVST+ on a VLAN has a single root switch.
  • Page 318: Supported Spanning-Tree Instances

    VLANs to the same spanning-tree instance, which reduces the number of spanning-tree instances required to support a large number of VLANs. The MSTP runs on top of the RSTP (based on IEEE 802.1w), which provides for rapid convergence of the spanning tree by eliminating the forward delay and by quickly transitioning root ports and designated ports to the forwarding state.
  • Page 319: Stp And Ieee 802.1Q Trunks

    VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
  • Page 320: Spanning-Tree Configuration Guidelines

    If 128 instances of spanning tree are already in use, you can disable spanning tree on STP ports in one of the VLANs and then enable it on the VLAN where you want it to run. Use the no spanning-tree vlan...
  • Page 321: Enabling Spanning Tree On An Eni

    If you have already used all available spanning-tree instances on your switch, adding another VLAN creates a VLAN that is not running spanning tree on that switch. If you have the default allowed list on the trunk ports of that switch, the new VLAN is carried on all trunk ports. Depending on the topology of the network, this could create a loop in the new VLAN that will not be broken, particularly if there are several adjacent switches that have all run out of spanning-tree instances.
  • Page 322: Changing The Spanning-Tree Mode

    The switch supports three spanning-tree modes: PVST+, rapid PVST+, or MSTP. By default, the switch runs the rapid PVST+ protocol on all NNIs and ENIs on which spanning tree is enabled. Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. If you want to enable a mode that is different from the default mode, this procedure is required.
  • Page 323: Disabling Spanning Tree

    Disabling Spanning Tree Spanning tree is enabled by default on all NNIs in VLAN 1 and in all newly created VLANs up to the spanning-tree limit specified in the “Supported Spanning-Tree Instances” section on page 14-10.
  • Page 324 Configuring Spanning-Tree Features If your network consists of switches that both do and do not support the extended system ID, it is unlikely that the switch with the extended system ID support will become the root switch. The extended system ID increases the switch priority value every time the VLAN number is greater than the priority of the connected switches running older software.
  • Page 325: Configuring A Secondary Root Switch

    When you configure a switch as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails. This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch.
  • Page 326 Note The show spanning-tree interface interface-id privileged EXEC command displays information only if the port is in a link-up operative state. Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration.
  • Page 327: Configuring Path Cost

    If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values that you want selected last. If all NNIs (or port channels) have the same cost value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.
  • Page 328: Configuring The Switch Priority Of A Vlan

    11-19. Configuring the Switch Priority of a VLAN You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. Exercise care when using this command. For most situations, we recommend that you use the...
  • Page 329: Configuring Spanning-Tree Timers

    Beginning in privileged EXEC mode, follow these steps to configure the hello time of a VLAN. This procedure is optional.
  • Page 330: Configuring The Forwarding-Delay Time For A Vlan

    Chapter 14 Configuring STP Configuring Spanning-Tree Features Configuring the Forwarding-Delay Time for a VLAN Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 331: Displaying The Spanning-Tree Status

    Chapter 14 Configuring STP Displaying the Spanning-Tree Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 14-5: Table 14-5 Commands for Displaying Spanning-Tree Status Command Purpose show spanning-tree active Displays spanning-tree information only on active spanning-tree interfaces.
  • Page 333 Layer 2 switched network. This deployment provides the highly available network required in a service-provider environment. When the switch is in the MST mode, the Rapid Spanning Tree Protocol (RSTP), which is based on IEEE 802.1w, is automatically enabled. The RSTP provides rapid convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802.1D forwarding delay and quickly transitions root...
  • Page 334: Chapter 15 Configuring Mstp

    A region can have one member or multiple members with the same MST configuration; each member must be capable of processing RSTP bridge protocol data units (BPDUs). There is no limit to the number of MST regions in a network, but each region can support up to 65 spanning-tree instances. You can assign a VLAN to only one spanning-tree instance at a time.
  • Page 335: Operations Within An Mst Region

    15-4), which is the switch within the region with the lowest bridge ID and path cost to the CST root. The IST master also is the CST root if there is only one region within the network. If the CST root is outside the region, one of the MSTP switches at the boundary of the region is selected as the IST master.
  • Page 336 MST regions and a legacy IEEE 802.1D switch (D). The IST master for region 1 (A) is also the CST root. The IST master for region 2 (B) and the IST master for region 3 (C) are the roots for their respective subtrees within the CST. The RSTP runs in all regions.
  • Page 337: Ieee 802.1S Terminology

    (trigger a reconfiguration). The root switch of the instance always sends a BPDU (or M-record) with a cost of 0 and the hop count set to the maximum value. When a switch receives this BPDU, it decrements the received remaining hop count by one and propagates this value as the remaining hop count in the BPDUs it generates.
  • Page 338: Boundary Ports

    (coming from the same region) and external. When a message is external, it is received only by the CIST. If the CIST role is root or alternate, or if the external BPDU is a topology change, it could have an impact on the MST instances. When a message is internal, the CIST part is received by the CIST, and each MST instance receives its respective M-record.
  • Page 339: Port Role Naming Change

    Assume that A is a standard switch and B a prestandard switch, both configured to be in the same region. A is the root switch for the CIST, and thus B has a root port (BX) on segment X and an alternate port (BY) on segment Y. If segment Y flaps, and the port on BY becomes the alternate before sending out a single prestandard BPDU, AY cannot detect that a prestandard switch is connected to Y and continues to send standard BPDUs.
  • Page 340: Detecting Unidirectional Link Failure

    (a BPDU with the protocol version set to 0), it sends only IEEE 802.1D BPDUs on that port. An MSTP switch also can detect that a port is at the boundary of a region when it receives a legacy BPDU, an MSTP BPDU (Version 3) associated with a different region, or an RSTP BPDU (Version 2).
  • Page 341: Port Roles And The Active Topology

    • Disabled port—Has no role within the operation of the spanning tree. A port with the root or a designated port role is included in the active topology. A port with the alternate or backup port role is excluded from the active topology.
  • Page 342: Rapid Convergence

    • portfast interface configuration command, the edge port immediately transitions to the forwarding state. An edge port is the same as a Port Fast-enabled port, and you should enable it only on ports that connect to a single end station.
  • Page 343: Synchronization Of Port Roles

    F = forwarding Synchronization of Port Roles When the switch receives a proposal message on one of its ports and that port is selected as the new root port, the RSTP forces all other ports to synchronize with the new root information.
  • Page 344: Bridge Protocol Data Unit Format And Processing

    The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version is set to 2. A new one-byte Version 1 Length field is set to zero, which means that no version 1 protocol information is present.
  • Page 345: Processing Superior Bpdu Information

    If a port receives superior root information (lower bridge ID, lower path cost, and so forth) than currently stored for the port, the RSTP triggers a reconfiguration. If the port is proposed and is selected as the new root port, RSTP forces all the other ports to synchronize.
  • Page 346: Configuring Mstp Features

    IEEE 802.1D switch and starts using only IEEE 802.1D BPDUs. However, if the RSTP switch is using IEEE 802.1D BPDUs on a port and receives an RSTP BPDU after the timer has expired, it restarts the timer and starts using RSTP BPDUs on that port.
  • Page 347: Mstp Configuration Guidelines

    CST. If the MST cloud consists of multiple MST regions, one of the MST regions must contain the CST root, and all of the other MST regions must have a better path to the root contained within the MST cloud than a path through the PVST+ or rapid-PVST+ cloud.
  • Page 348: Specifying The Mst Region Configuration And Enabling Mstp

    A region can have one member or multiple members with the same MST configuration; each member must be capable of processing RSTP BPDUs. There is no limit to the number of MST regions in a network, but each region can support up to 65 spanning-tree instances. You can assign a VLAN to only one spanning-tree instance at a time.
  • Page 349: Configuring The Root Switch

    Table 14-1 on page 14-4.) If your network consists of switches that both do and do not support the extended system ID, it is unlikely that the switch with the extended system ID support will become the root switch. The extended system ID increases the switch priority value every time the VLAN number is greater than the priority of the connected switches running older software.
  • Page 350: Configuring A Secondary Root Switch

    When you configure a switch with the extended system ID support as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified instance if the primary root switch fails. This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch.
  • Page 351: Configuring Port Priority

    Configuring Port Priority If a loop occurs, the MSTP uses the port priority when selecting an STP port to put into the forwarding state. You can assign higher priority values (lower numerical values) to STP ports that you want selected first and lower priority values (higher numerical values) that you want selected last.
  • Page 352 Note The show spanning-tree mst interface interface-id privileged EXEC command displays information only if the port is in a link-up operative state. Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance-id port-priority interface configuration command.
  • Page 353: Configuring Path Cost

    Configuring Path Cost The MSTP path cost default value is derived from the media speed of an STP port. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to STP ports that you want selected first and higher cost values that you want selected last.
  • Page 354: Configuring The Switch Priority

    Configuring the Switch Priority You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. Exercise care when using this command. For most situations, we recommend that you use the...
  • Page 355: Configuring The Hello Time

    Configuring MSTP Configuring MSTP Features Configuring the Hello Time You can configure the interval between the generation of configuration messages by the root switch by changing the hello time. Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the hello time.
  • Page 356: Configuring The Maximum-Aging Time

    Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst max-age global configuration command. Configuring the Maximum-Hop Count Beginning in privileged EXEC mode, follow these steps to configure the maximum-hop count for all MST instances.
  • Page 357: Specifying The Link Type To Ensure Rapid Transitions

    Specifying the Link Type to Ensure Rapid Transitions If you connect an STP port to another STP port through a point-to-point link and the local port becomes a designated port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the “Rapid Convergence”...
  • Page 358: Restarting The Protocol Migration Process

    0), it sends only 802.1D BPDUs on that port. An MSTP switch also can detect that a port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (Version 3) associated with a different region, or an RST BPDU (Version 2).
  • Page 359: Displaying The Mst Configuration And Status

    Chapter 15 Configuring MSTP Displaying the MST Configuration and Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 15-5: Table 15-5 Commands for Displaying MST Status...
  • Page 361: Understanding Optional Spanning-Tree Features

    (ENIs). User network interfaces (UNIs) on the switch do not participate in STP. UNIs and ENIs on which STP is not enabled immediately forward traffic when they are brought up.
  • Page 362: Understanding Port Fast

    Note By default, STP is enabled on NNIs and disabled on ENIs. UNIs do not support STP. If a port is a UNI, you can configure it as an STP port by changing the port type to NNI or ENI and entering the port-type {nni | eni} interface configuration command.
  • Page 363: Understanding Bpdu Guard

    Port Fast feature. This command prevents the interface from sending or receiving BPDUs. Caution Enabling BPDU filtering on an STP port is the same as disabling spanning tree on it and can result in spanning-tree loops.
  • Page 364: Understanding Root Guard

    MST instances. A boundary port is an interface that connects to a LAN, the designated switch of which is either an 802.1D switch or a switch with a different MST region configuration.
  • Page 365: Understanding Loop Guard

    Default Optional Spanning-Tree Configuration Table 16-1 shows the default optional spanning-tree configuration. Only NNIs or ENIs with STP enabled participate in STP on the switch. UNIs and ENIs that have not been configured for STP are always in the forwarding state. Table 16-1...
  • Page 366: Optional Spanning-Tree Configuration Guidelines

    An STP port with the Port Fast feature enabled is moved directly to the spanning-tree forwarding state without waiting for the standard forward-time delay. Caution Use Port Fast only when connecting a single end station to an access or trunk port. Enabling this feature on an interface connected to a switch or hub could prevent spanning tree from detecting and disabling loops in your network, which could cause broadcast storms and address-learning problems.
  • Page 367: Enabling Bpdu Guard

    Enabling BPDU Guard When you globally enable BPDU guard on ports that are Port Fast-enabled (the ports are in a Port Fast-operational state), spanning tree continues to run on the ports. They remain up unless they receive a BPDU.
  • Page 368: Enabling Bpdu Filtering

    BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled STP port, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.
  • Page 369: Enabling Etherchannel Guard

    Chapter 16 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Beginning in privileged EXEC mode, follow these steps to globally enable the BPDU filtering feature. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree portfast bpdufilter default Globally enable BPDU filtering.
  • Page 370: Enabling Root Guard

    You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is configured on the entire switched network. Loop guard operates only on STP ports that are considered point-to-point by the spanning tree.
  • Page 371: Displaying The Spanning-Tree Status

    Note You cannot enable both loop guard and root guard at the same time. You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP. Beginning in privileged EXEC mode, follow these steps to enable loop guard. This procedure is optional. Command Purpose...
  • Page 373: Configuring Resilient Ethernet Protocol

    A segment can go through a shared medium, but on any link, only two ports can belong to the same segment. REP is supported only on Layer 2 trunk interfaces.
  • Page 374 All hosts connected to switches inside the segment have two possible connections to the rest of the network through the edge ports, but only one connection is accessible at any time. If a host cannot access its usual gateway because of a failure, REP unblocks all ports to ensure that connectivity is available through the other gateway.
  • Page 375: C H A P T E R 17 Configuring Resilient Ethernet Protocol

    Each port in a segment has a unique port ID. The port ID format is similar to that used by the spanning tree algorithm: a port number (unique on the bridge), associated to a MAC address (unique in the network).
  • Page 376: Fast Convergence

    When you configure VLAN load balancing, you can specify the alternate port in one of three ways: • Enter the port ID of the interface. To identify the port ID of a port in the segment, enter the show...
  • Page 377 When the secondary port receives the message, it is reflected into the network to notify the alternate port to block the set of VLANs specified in the message and to notify the primary edge port to block the remaining VLANs.
  • Page 378: Spanning Tree Interaction

    Spanning Tree Interaction REP does not interact with STP or with the Flex Link feature, but can coexist with both. A port that belongs to a segment is removed from spanning tree control and STP BPDUs are not accepted or sent from segment ports.
  • Page 379: Default Rep Configuration

    • REP ports follow these rules: – There is no limit to the number of REP ports on a switch; however, only two ports on a switch can belong to the same REP segment. – If only one port on a switch is configured in a segment, the port should be an edge port.
  • Page 380: Configuring The Rep Administrative Vlan

    You can use the rep lsl-age-timer value interface configuration command to set the time from 3000 ms to 10000 ms. The LSL hello timer is then set to the age-timer value divided by three. In normal operation, three LSL hellos are sent before the age timer on the peer switch expires and searches for hello messages.
  • Page 381: Configuring Rep Interfaces

    EPA-INFO TLV rx: 4214, tx: 4190 Configuring REP Interfaces For REP operation, you need to enable it on each segment interface and to identify the segment ID. This step is required and must be done before other REP configuration. You must also configure a primary and secondary edge port on each segment.
  • Page 382 [edge [no-neighbor] [primary]] [preferred]: Enable REP on the interface, and identify a segment number. The segment ID range is from 1 to 1024. These optional keywords are available. Note: You must configure two edge ports, including one primary edge port for each segment.
  • Page 383 (Optional) Save your entries in the switch startup configuration file. Enter the no form of each command to return to the default configuration. Enter the show rep topology privileged EXEC command to see which port in the segment is the primary edge port.
  • Page 384 Configuring Resilient Ethernet Protocol Configuring REP This example shows how to configure an interface as the primary edge port for segment 1, to send STCNs to segments 2 through 5, and to configure the alternate port as the port with port ID 0009001818D68700 to block all VLANs after a preemption delay of 60 seconds after a segment port failure and recovery.
  • Page 385: Setting Manual Preemption For Vlan Load Balancing

    Setting Manual Preemption for VLAN Load Balancing If you do not enter the rep preempt delay seconds interface configuration command on the primary edge port to configure a preemption time delay, the default is to manually trigger VLAN load balancing on the segment.
  • Page 386: Monitoring Rep

    show rep topology [segment segment_id] [archive] [detail]: Displays REP topology information for a segment or for all segments, including the primary and secondary edge ports in the segment.
  • Page 387: Configuring Flex Links And The Mac Address-Table Move Update Feature

    STP on the switch. If the switch is running STP, it is not necessary to configure Flex Links because STP already provides link-level redundancy or backup.
  • Page 388: Vlan Flex Link Load Balancing And Support

    If port 1 is the active link, it begins forwarding traffic between port 1 and switch B; the link between port 2 (the backup link) and switch C is not forwarding traffic. If port 1 goes down, port 2 comes up and starts forwarding traffic to switch C.
  • Page 389: C H A P T E R 18 Configuring Flex Links And The Mac Address-Table Move Update Feature

    A port that receives queries is added as an mrouter port on the switch. An mrouter port is part of all the multicast groups learned by the switch. After a changeover, queries are received by the other Flex Link port.
  • Page 390: Leaking Igmp Reports

    To achieve multicast traffic convergence with minimal loss, a redundant data path must be set up before the Flex Link active link goes down. This can be achieved by leaking only IGMP report packets on the Flex Link backup link. These leaked IGMP report messages are processed by upstream distribution routers, so multicast data traffic gets forwarded to the backup interface.
  • Page 391 Gi0/11, Gi0/12, Gi0/10 When a host responds to the general query, the switch forwards this report on all the mrouter ports. In this example, when a host sends a report for the group 228.1.5.1, it is forwarded only on GigabitEthernet 0/11, because the backup port GigabitEthernet 0/12 is blocked.
  • Page 392: Mac Address-Table Move Update

    Traffic from the PC to the server is forwarded from port 1 to port 3. The MAC address of the PC has been learned on port 3 of switch C. Traffic from the server to the PC is forwarded from port 3 to port 1.
  • Page 393: Configuring Flex Links And Mac Address-Table Move Update

    • Configuring the MAC Address-Table Move Update Feature, page 18-12 Default Configuration The Flex Links are not configured, and there are no backup interfaces defined. The preemption mode is off. The preemption delay is 35 seconds. Flex Link VLAN load-balancing is not configured.
  • Page 394: Configuration Guidelines

    • interface from the active interface. • An interface can belong to only one Flex Link pair. An interface can be a backup link for only one active link. An active link cannot belong to another Flex Link pair. •...
  • Page 395 Output of show interfaces switchport backup (first row truncated in the page capture):
    Active Interface   Backup Interface     State
    ...                ...                  Active Up/Backup Standby
    FastEthernet0/3    FastEthernet0/4      Active Up/Backup Standby
    Port-channel1      GigabitEthernet0/1   Active Up/Backup Standby
    Beginning in privileged EXEC mode, follow these steps to configure a preemption scheme for a pair of Flex Links: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 396: Configuring Vlan Load Balancing On Flex Links

    (Optional) Save your entries in the switch startup configuration file. This example shows how to configure the preemption mode as forced for a backup interface pair and to verify the configuration: Switch# configure terminal Switch(config)# interface gigabitethernet0/1...
  • Page 397 When a Flex Link interface comes up, VLANs preferred on this interface are blocked on the peer interface and moved to the forwarding state on the interface that has just come up. In this example, if interface 0/6 comes up, VLANs preferred on this interface are blocked on the peer interface 0/8 and forwarded on 0/6.
  • Page 398: Configuring The Mac Address-Table Move Update Feature

    • Configuring a switch to send MAC address-table move updates • Configuring a switch to get MAC address-table move updates. Beginning in privileged EXEC mode, follow these steps to configure an access switch to send MAC address-table move updates: Command Purpose...
  • Page 399 Tail of the show mac address-table move update output:
    Xmt threshold exceed count : 0
    Xmt pak buf unavail cnt    : 0
    Xmt last interface         : None
    Beginning in privileged EXEC mode, follow these steps to configure a switch to get and process MAC address-table move update messages: Command...
  • Page 400: Monitoring Flex Links And The Mac Address-Table Move Update

    [interface-id] switchport backup: Displays the Flex Link backup interface configured for an interface, or displays all Flex Links configured on the switch and the state of each active and backup interface (up or standby mode). show mac address-table move update: Displays the MAC address-table move update information on the switch.
  • Page 401: Chapter 19 Configuring Dhcp Features And Ip Source Guard

    Cisco ME 3400 Ethernet Access switch. It also describes how to configure the IP source guard feature. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release, and see the “DHCP Commands”...
  • Page 402: Dhcp Server

    It does not have information regarding hosts interconnected with a trusted interface. In a service-provider network, a trusted interface is connected to a port on a device in the same network. An untrusted interface is connected to an untrusted interface in the network or to an interface on a device that is not in the network.
  • Page 403: Option-82 Data Insertion

    IP addresses to subscribers connected to the switch at the access layer. Because the DHCP clients and their associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent (the Cisco ME switch) is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.
  • Page 404 Option 82” section on page 19-11. • If the IP address of the relay agent is configured, the switch adds this IP address in the DHCP packet. • The switch forwards the DHCP request that includes the option-82 field to the DHCP server.
  • Page 405 24 10/100 ports and small form-factor pluggable (SFP) module slots, port 3 is the Fast Ethernet 0/1 port, port 4 is the Fast Ethernet 0/2 port, and so forth. Port 27 is the SFP module slot 0/1, and so forth.
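    The relay-agent information described above can be checked from a capture. The following is an added example, not code from the Cisco guide: it parses the DHCP option area, decodes option 82 using the default Cisco suboption layouts (circuit ID = type 0, length 4, then VLAN, module and port; remote ID = type 0, length 6, then the switch MAC), and applies the DHCP snooping rule that a packet already carrying option 82 is dropped when it arrives on an untrusted port (the allow-untrusted override is not modeled). The DISCOVER packet, the VLAN 100 / module 0 / port 3 circuit ID (port 3 being Fast Ethernet 0/1 on a 24-port model, as the page states) and the MAC addresses are constructed sample values; a user-configured ASCII circuit ID is left as raw hex because its on-wire layout is not shown on this page.

```python
# Added example (not from the Cisco guide): parse DHCP option 82 as a Cisco switch
# inserts it by default, and apply the snooping rule for untrusted ports.
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 cookie that precedes the options
OPT_PAD, OPT_RELAY_AGENT, OPT_END = 0, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_tlvs(data: bytes, stop_at_end: bool) -> dict:
    """Walk a type/length/value list; returns {type: value} and rejects truncation."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if stop_at_end and code == OPT_END:
            break
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated TLV header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV type {code} runs past end of buffer")
        out[code] = value
        i += 2 + length
    return out


def dhcp_options(packet: bytes) -> dict:
    """Return the option map of a BOOTP/DHCP packet (236-byte fixed header + cookie)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    return parse_tlvs(packet[240:], stop_at_end=True)


def decode_cisco_option82(value: bytes) -> dict:
    """Decode the relay-agent suboptions using the Cisco default layouts:
    circuit ID = type 0, len 4, VLAN(2) module(1) port(1); remote ID = type 0, len 6, MAC."""
    subs = parse_tlvs(value, stop_at_end=False)
    result = {}
    cid = subs.get(SUB_CIRCUIT_ID)
    if cid is not None:
        if len(cid) == 6 and cid[:2] == b"\x00\x04":
            vlan, module, port = struct.unpack("!HBB", cid[2:])
            result["circuit_id"] = {"vlan": vlan, "module": module, "port": port}
        else:  # user-configured circuit ID string or another vendor's layout: keep raw
            result["circuit_id"] = {"raw": cid.hex()}
    rid = subs.get(SUB_REMOTE_ID)
    if rid is not None:
        if len(rid) == 8 and rid[:2] == b"\x00\x06":
            result["remote_id"] = {"mac": rid[2:].hex(":")}
        else:
            result["remote_id"] = {"raw": rid.hex()}
    return result


def snooping_ingress(packet: bytes, port_trusted: bool) -> str:
    """DHCP snooping rule for client-facing ports: a packet that already carries option 82
    on an untrusted port means something below the switch is acting as a relay, so it is
    dropped; on trusted ports the packet passes unchanged."""
    opts = dhcp_options(packet)
    if OPT_RELAY_AGENT in opts and not port_trusted:
        return "drop"
    return "forward"


def build_discover(chaddr: bytes, extra_options: bytes = b"") -> bytes:
    """Constructed DHCPDISCOVER: op=1 (BOOTREQUEST), Ethernet hardware, xid 0x1234."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"),
                         b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + b"\x35\x01\x01" + extra_options + b"\xff"


# Constructed sample: relay information as the switch would insert it for VLAN 100,
# module 0, port 3 (the page maps port 3 to Fast Ethernet 0/1 on a 24-port model).
SWITCH_MAC = bytes.fromhex("0009001818d6")
OPTION82 = (bytes([SUB_CIRCUIT_ID, 6, 0, 4]) + struct.pack("!HBB", 100, 0, 3)
            + bytes([SUB_REMOTE_ID, 8, 0, 6]) + SWITCH_MAC)
CLIENT_MAC = bytes.fromhex("001122334455")
RELAYED = build_discover(CLIENT_MAC, bytes([OPT_RELAY_AGENT, len(OPTION82)]) + OPTION82)
PLAIN = build_discover(CLIENT_MAC)

if __name__ == "__main__":
    print(decode_cisco_option82(dhcp_options(RELAYED)[OPT_RELAY_AGENT]))
    print(snooping_ingress(RELAYED, port_trusted=False), snooping_ingress(PLAIN, port_trusted=False))
```

    Run the file directly to see the decoded circuit and remote IDs; feed it the option bytes from a real capture to verify which VLAN and port a lease request entered on.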
  • Page 406: Cisco Ios Dhcp Server Database

    An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool.
  • Page 407: Configuring Dhcp Features

    The switch also updates the entries in the binding file. The frequency at which the file is updated is based on a configurable delay, and the updates are batched. If the file is not updated in a specified time (set by the write-delay and abort-timeout values), the update stops.
  • Page 408: Default Dhcp Configuration

    1. The switch responds to DHCP requests only if it is configured as a DHCP server. 2. The switch relays DHCP packets only if the IP address of the DHCP server is configured on the SVI of the DHCP client.
  • Page 409 • If the DHCP relay agent is enabled but DHCP snooping is disabled, the DHCP option-82 data insertion feature is not supported. • If a switch port is connected to a DHCP server, configure the port as trusted by entering the ip dhcp snooping trust interface configuration command.
  • Page 410: Configuring The Dhcp Server

    Configuring DHCP Features Configuring the DHCP Server The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured, so they are not operational until you configure them.
  • Page 411: Enabling Dhcp Snooping And Option 82

    To remove the DHCP packet forwarding address, use the no ip helper-address address interface configuration command. Enabling DHCP Snooping and Option 82 Beginning in privileged EXEC mode, follow these steps to enable DHCP snooping on the switch: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 412 [ASCII-string] Specify the VLAN and port identifier, using a VLAN ID in the range of 1 to 4094. You can configure the circuit ID to be a string of 3 to 63 ASCII characters (no spaces). The default circuit ID is the port identifier, in the format vlan-mod-port.
  • Page 413: Enabling Dhcp Snooping On Private Vlans

    To disable DHCP snooping, use the no ip dhcp snooping global configuration command. To disable DHCP snooping on a VLAN or range of VLANs, use the no ip dhcp snooping vlan vlan-range global configuration command. To disable the insertion and removal of the option-82 field, use the no ip dhcp snooping information option global configuration command.
  • Page 414: Enabling The Dhcp Snooping Binding Database Agent

    (Optional) Save your entries in the configuration file. To stop using the database agent and binding files, use the no ip dhcp snooping database global configuration command. To reset the timeout or delay values, use the ip dhcp snooping database timeout seconds or the ip dhcp snooping database write-delay seconds global configuration command.
  • Page 415: Displaying Dhcp Snooping Information

    Display the dynamically and statically configured bindings. 1. If DHCP snooping is enabled and an interface changes to the down state, the switch does not delete the manually configured bindings. Understanding DHCP Server Port-Based Address Allocation...
  • Page 416: Default Port-Based Address Allocation Configuration

    • Preassigned addresses are automatically excluded from normal dynamic IP address assignment. Preassigned addresses cannot be used in host pools, but there can be multiple preassigned addresses per DHCP address pool. Enabling DHCP Server Port-Based Address Allocation Beginning in privileged EXEC mode, follow these steps to globally enable port-based address allocation and to automatically generate a subscriber identifier on an interface.
  • Page 417 After enabling DHCP port-based address allocation on the switch, use the ip dhcp pool global configuration command to preassign IP addresses and to associate them to clients. Beginning in privileged EXEC mode follow these steps to preassign an IP address and to associate it to a client identified by the interface name.
  • Page 418: Displaying Dhcp Server Port-Based Address Allocation

    IP source guard is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. You can use IP source guard to prevent traffic attacks caused when a host tries to use the IP address of its neighbor.
  • Page 419: Source Ip Address Filtering

    If you enable IP source guard on an interface on which IP source bindings (dynamically learned by DHCP snooping or manually configured) are not configured, the switch creates and applies a port ACL that denies all IP traffic on the interface. If you disable IP source guard, the switch removes the port ACL from the interface.
  • Page 420: Ip Source Guard Configuration Guidelines

    • is enabled on all the VLANs, the source IP address filter is applied on all the VLANs. Note: If IP source guard is enabled and you enable or disable DHCP snooping on a VLAN on the trunk interface, the switch might not properly filter traffic.
  • Page 421 To delete a static IP source binding entry, use the no ip source binding global configuration command. This example shows how to enable IP source guard with source IP and MAC filtering on VLANs 10 and 11: Switch# configure terminal Enter configuration commands, one per line.
  • Page 422: Displaying Ip Source Guard Information

    Displaying IP Source Guard Information: To display the IP source guard information, use one or more of the privileged EXEC commands in Table 19-4: Table 19-4...
  • Page 423: Configuring Dynamic Arp Inspection

    ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. For example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache. Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A.
  • Page 424: C H A P T E R 20 Configuring Dynamic Arp Inspection

    Understanding Dynamic ARP Inspection Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA.
  • Page 425: Interface Trust States And Network Security

    20-2, assume that both Switch A and Switch B are running dynamic ARP inspection on the VLAN that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to Switch A, only Switch A binds the IP-to-MAC address of Host 1. Therefore, if the interface between Switch A and Switch B is untrusted, the ARP packets from Host 1 are dropped by Switch B.
  • Page 426: Rate Limiting Of Arp Packets

    20-8. Note: Depending on the setup of the DHCP server and the network, it might not be possible to validate a given ARP packet on all switches in the VLAN. Rate Limiting of ARP Packets: The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack.
  • Page 427: Default Dynamic Arp Inspection Configuration

    Per-VLAN logging: All denied or dropped ARP packets are logged. Dynamic ARP Inspection Configuration Guidelines: • Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking.
  • Page 428 Layer 2 broadcast domain, separate the domain with dynamic ARP inspection checks from the one with no checking. This action secures the ARP caches of hosts in the domain enabled for dynamic ARP inspection.
  • Page 429: Configuring Dynamic Arp Inspection In Dhcp Environments

    A DHCP server is connected to Switch A. Both hosts acquire their IP addresses from the same DHCP server. Therefore, Switch A has the bindings for Host 1 and Host 2, and Switch B has the binding for Host 2.
  • Page 430: Configuring Arp Acls For Non-Dhcp Environments

    Host 1 could be attacked by either Switch B or Host 2. To prevent this possibility, you must configure port 1 on Switch A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and apply it to VLAN 1.
  • Page 431 Configuring Dynamic ARP Inspection: Beginning in privileged EXEC mode, follow these steps to configure an ARP ACL on Switch A. This procedure is required in non-DHCP environments. Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 432: Limiting The Rate Of Incoming Arp Packets

    Unless you configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.
  • Page 433: Performing Validation Checks

    For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the “Dynamic ARP Inspection Configuration Guidelines” section on page 20-5. Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This procedure is optional. Command Purpose...
  • Page 434: Configuring The Log Buffer

    Configuring the Log Buffer When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer.
  • Page 435 Configuring Dynamic ARP Inspection If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time.
  • Page 436: Displaying Dynamic Arp Inspection Information

    (Optional) Save your entries in the configuration file. To return to the default log buffer settings, use the no ip arp inspection log-buffer {entries | logs} global configuration command. To return to the default VLAN log settings, use the no ip arp inspection vlan vlan-range logging {acl-match | dhcp-bindings} global configuration command.
  • Page 437 For the show ip arp inspection statistics command, the switch increments the number of forwarded packets for each ARP request and response packet on a trusted dynamic ARP inspection port. For a packet that passes the ARP ACL or DHCP-binding check but is then denied by the source MAC, destination MAC, or IP validation checks, the switch increments the number of ACL or DHCP permitted packets and also increments the appropriate failure count.
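    The binding table built by DHCP snooping is what both IP source guard (chapter 19, above) and dynamic ARP inspection (this chapter) consult. The following added example, not code from the Cisco guide, models both in Python: IP source guard permits an IP frame on an untrusted port only if a binding for that port and VLAN matches the source IP (and, in ip-mac mode, the source MAC), so a port with no binding denies everything, as the deny-all port ACL in the text does; dynamic ARP inspection first applies the per-port rate limit (default 15 pps on untrusted ports, error-disabling the port when exceeded), skips inspection on trusted ports, checks the sender MAC/IP against a simplified ARP ACL (a list of permitted MAC/IP pairs standing in for an arp access-list) and then against the bindings, and finally runs the optional src-mac, dst-mac and ip validation checks. The hosts, MAC addresses, IP addresses and frames are constructed for the example, and the binding table is an in-memory list.

```python
# Added example (not from the Cisco guide): one DHCP-snooping binding table feeding
# both IP source guard (IP frames) and dynamic ARP inspection (ARP frames).
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETH_ARP, ARP_REPLY = 0x0806, 2


@dataclass(frozen=True)
class Binding:                      # one row of 'show ip dhcp snooping binding'
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Port:
    name: str
    trusted: bool = False           # trusted ports bypass both IPSG and DAI
    ipsg: Optional[str] = None      # None (off), "ip" (source IP filter) or "ip-mac"
    arp_limit: Optional[int] = 15   # pps; 15 is the untrusted default, pass None for trusted ports
    arp_count: int = 0              # ARP packets seen in the current one-second window
    errdisabled: bool = False


def ipsg_check(port: Port, vlan: int, src_mac: str, src_ip: str, bindings: List[Binding]) -> str:
    """IP source guard. With no binding on the port nothing matches, which is the deny-all
    port ACL the guide describes: the host is blocked until its DHCP lease completes or a
    static 'ip source binding' is entered."""
    if port.trusted or port.ipsg is None:
        return "permit"
    for b in bindings:
        if b.port == port.name and b.vlan == vlan and b.ip == src_ip:
            if port.ipsg == "ip" or b.mac == src_mac:
                return "permit"
    return "deny"


def parse_arp(frame: bytes) -> dict:
    """Ethernet II header followed by an RFC 826 IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_dst": frame[:6].hex(":"), "eth_src": frame[6:12].hex(":"), "oper": oper,
            "sha": sha.hex(":"), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": tha.hex(":"), "tpa": str(ipaddress.IPv4Address(tpa))}


def bad_ip(addr: str) -> bool:
    """The 'ip' validation check: 0.0.0.0, 255.255.255.255 and multicast are invalid."""
    a = ipaddress.IPv4Address(addr)
    return a in (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255")) or a.is_multicast


def dai_check(port: Port, vlan: int, frame: bytes, bindings: List[Binding],
              arp_acl: Optional[List[Tuple[str, str]]] = None, validate: Tuple[str, ...] = ()) -> str:
    """Dynamic ARP inspection of one ingress ARP frame. arp_acl is a simplified ARP ACL, a
    list of permitted (mac, ip) pairs consulted before the bindings as in a non-DHCP
    environment; validate may hold "src-mac", "dst-mac", "ip" like 'ip arp inspection validate'."""
    if port.errdisabled:
        return "drop:errdisabled"
    port.arp_count += 1
    if port.arp_limit is not None and port.arp_count > port.arp_limit:
        port.errdisabled = True     # rate exceeded: the port is placed in the error-disabled state
        return "drop:rate-limit"
    if port.trusted:
        return "forward"            # trusted ports are not inspected
    arp = parse_arp(frame)
    if (arp["sha"], arp["spa"]) not in (arp_acl or []) and not any(
            b.mac == arp["sha"] and b.ip == arp["spa"] and b.vlan == vlan for b in bindings):
        return "drop:acl-dhcp"      # counted as an ACL/DHCP denial in the statistics
    if "src-mac" in validate and arp["eth_src"] != arp["sha"]:
        return "drop:src-mac"
    if "dst-mac" in validate and arp["oper"] == ARP_REPLY and arp["eth_dst"] != arp["tha"]:
        return "drop:dst-mac"
    if "ip" in validate and (bad_ip(arp["spa"]) or (arp["oper"] == ARP_REPLY and bad_ip(arp["tpa"]))):
        return "drop:ip"
    return "forward"


def arp_frame(eth_src: str, eth_dst: str, oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed ARP frame; MACs as 'aa:bb:cc:dd:ee:ff', IPs dotted decimal."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return (mac(eth_dst) + mac(eth_src) + struct.pack("!H", ETH_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa)))


# Constructed scenario: host A leased 10.1.1.10 on Fa0/1 in VLAN 10; a host on Fa0/2
# answers ARP for A's address to poison the gateway's cache.
HOST_A, ATTACKER, GATEWAY = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:09:00:18:18:d6"
BINDINGS = [Binding(HOST_A, "10.1.1.10", 10, "Fa0/1")]
FA1, FA2 = Port("Fa0/1", ipsg="ip-mac"), Port("Fa0/2", ipsg="ip-mac")
VALIDATE = ("src-mac", "dst-mac", "ip")
LEGIT = arp_frame(HOST_A, GATEWAY, ARP_REPLY, HOST_A, "10.1.1.10", GATEWAY, "10.1.1.1")
SPOOF = arp_frame(ATTACKER, GATEWAY, ARP_REPLY, ATTACKER, "10.1.1.10", GATEWAY, "10.1.1.1")

if __name__ == "__main__":
    print(dai_check(FA1, 10, LEGIT, BINDINGS, validate=VALIDATE))   # forward
    print(dai_check(FA2, 10, SPOOF, BINDINGS, validate=VALIDATE))   # drop:acl-dhcp
    print(ipsg_check(FA2, 10, ATTACKER, "10.1.1.10", BINDINGS))     # deny
```

    The ordering matters for the statistics described on this page: a frame that clears the ACL/DHCP lookup but fails a validation check is counted both as permitted and as the relevant failure, which is why the two counters in show ip arp inspection statistics do not simply add up to the drop count.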
  • Page 439: Chapter 21 Configuring Igmp Snooping And Mvr

    When the switch receives an IGMP report from a host for a particular multicast group, the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.
  • Page 440: Igmp Versions

    The multicast router sends out periodic general queries to all VLANs. All hosts interested in this multicast traffic send join requests and are added to the forwarding table entry. The switch creates one entry per VLAN in the IGMP snooping IP multicast forwarding table for each group from which it receives an IGMP join request.
  • Page 441: Joining A Multicast Group

    Joining a Multicast Group When a host connected to the switch wants to join an IP multicast group and it is an IGMP Version 2 client, it sends an unsolicited IGMP join message, specifying the IP multicast group to join.
  • Page 442 The information in the table tells the switching engine to send frames addressed to the 224.1.2.3 multicast IP address that are not IGMP packets to the router and to the host that has joined the group. If another host (for example, Host 4) sends an unsolicited IGMP join message for the same group...
  • Page 443: Leaving A Multicast Group

    The router sends periodic multicast general queries, and the switch forwards these queries through all ports in the VLAN. Interested hosts respond to the queries. If at least one host in the VLAN wishes to receive multicast traffic, the router continues forwarding the multicast traffic to the VLAN. The switch forwards multicast group traffic only to those hosts listed in the forwarding table for that IP multicast group maintained by IGMP snooping.
  • Page 444 When IGMP router suppression is enabled (the default), the switch sends the first IGMP report from all hosts for a group to all the multicast routers. The switch does not send the remaining IGMP reports for the group to the multicast routers. This feature prevents duplicate reports from being sent to the multicast devices.
  • Page 445: Configuring Igmp Snooping

    VLAN number. Configuring a Multicast Router Port: To add a multicast router port (add a static connection to a multicast router), use the ip igmp snooping vlan mrouter global configuration command on the switch. Note: Static connections to multicast routers are supported only on switch ports.
  • Page 446: Configuring A Host Statically To Join A Group

    Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure a host on an interface. Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast group:...
  • Page 447: Enabling Igmp Immediate Leave

    • The IGMP configurable leave time is only supported on hosts running IGMP Version 2. • The actual leave latency in the network is usually the configured leave time. However, the leave time might vary around the configured time, depending on real-time CPU load conditions, network delays and the amount of traffic sent through the interface.
  • Page 448: Configuring Tcn-Related Commands

    TCN event. Some examples of TCN events are the client changed its location and the receiver is on same port that was blocked but is now forwarding, and a port went down without sending a leave message.
  • Page 449: Recovering From Flood Mode

    If the switch has many ports with attached hosts that are subscribed to different multicast groups, the flooding might exceed the capacity of the link and cause packet loss. You can use the ip igmp snooping tcn flood interface configuration command to control this behavior.
  • Page 450: Configuring The Igmp Snooping Querier

    IGMP querier tries to use the VLAN switch virtual interface (SVI) IP address (if one exists). If there is no SVI IP address, the switch uses the first available IP address configured on the switch. The first IP address available appears in the output of the show ip interface privileged EXEC command. The IGMP snooping querier does not generate an IGMP general query if it cannot find an available IP address on the switch.
  • Page 451 This example shows how to set the IGMP snooping querier source address to 10.0.0.64: Switch# configure terminal Switch(config)# ip igmp snooping querier 10.0.0.64 Switch(config)# end This example shows how to set the IGMP snooping querier query interval to 25 seconds: Switch# configure terminal Switch(config)# ip igmp snooping querier query-interval 25 Switch(config)# end...
  • Page 452: Disabling Igmp Report Suppression

    This feature is not supported when the query includes IGMPv3 reports. IGMP report suppression is enabled by default. When it is enabled, the switch forwards only one IGMP report per multicast router query. When report suppression is disabled, all IGMP reports are forwarded to the multicast routers.
  • Page 453: Understanding Multicast Vlan Registration

    VLAN. It allows the single multicast VLAN to be shared in the network while subscribers remain in separate VLANs. MVR provides the ability to continuously send multicast streams in the multicast VLAN, but to isolate the streams from the subscriber VLANs for bandwidth and security reasons.
  • Page 454: Using Mvr In A Multicast Television Application

    DHCP assigns an IP address to the set-top box or the PC. When a subscriber selects a channel, the set-top box or PC sends an IGMP report to Switch A to join the appropriate multicast. If the IGMP report matches one of the...
  • Page 455 Without Immediate Leave, when the switch receives an IGMP leave message from a subscriber on a receiver port, it sends out an IGMP query on that port and waits for IGMP group membership reports. If no reports are received in a configured time period, the receiver port is removed from multicast group membership.
  • Page 456: Configuring Mvr

    VLANs. IGMP reports are sent to the same IP multicast group address as the multicast data. The Switch A CPU must capture all IGMP join and leave messages from receiver ports and forward them to the multicast VLAN of the source (uplink) port, based on the MVR mode.
  • Page 457: Configuring Mvr Global Parameters

    Configuring MVR Global Parameters You do not need to set the optional MVR parameters if you choose to use the default settings. If you do want to change the default parameters (except for the MVR VLAN), you must first enable MVR.
  • Page 458: Configuring Mvr On Access Ports

    copy running-config startup-config (Optional) Save your entries in the configuration file. To return the switch to its default settings, use the no mvr [mode | group ip-address | querytime | vlan] global configuration commands. This example shows how to enable MVR, configure the group address, set the query time to 1 second...
  • Page 459 Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file. To return the interface to its default settings, use the no mvr [type | immediate | vlan vlan-id | group] interface configuration commands. This example shows how to configure a port as a receiver port, statically configure the port to receive multicast traffic sent to the multicast group address, configure Immediate Leave on the port, and verify the results.
  • Page 460: Configuring Mvr On Trunk Ports

    (Optional) Save your entries in the configuration file. This example shows how to configure a port as an MVR trunk receiver port, assign it to a VLAN, configure the port to be a static member of a group, and verify the results.
  • Page 461: Displaying Mvr Information

    In some environments, for example, metropolitan or multiple-dwelling unit (MDU) installations, you might want to control the set of multicast groups to which a user on a switch port can belong. You can control the distribution of multicast services, such as IP/TV, based on some type of subscription or service plan.
  • Page 462: Default Igmp Filtering And Throttling Configuration

    IGMP filtering is applicable only to the dynamic learning of IP multicast group addresses, not static configuration. With the IGMP throttling feature, you can set the maximum number of IGMP groups that a Layer 2 interface can join. If the maximum number of IGMP groups is set, the IGMP snooping forwarding table...
  • Page 463: Configuring Igmp Profiles

    • permit: Specifies that matching addresses are permitted. • range: Specifies a range of IP addresses for the profile. You can enter a single IP address or a range with a start and an end address. The default is for the switch to have no IGMP profiles configured. When a profile is configured, if neither the permit nor deny keyword is included, the default is to deny access to the range of IP addresses.
  • Page 464: Applying Igmp Profiles

    Setting the Maximum Number of IGMP Groups You can set the maximum number of IGMP groups that a Layer 2 interface can join by using the ip igmp max-groups interface configuration command. Use the no form of this command to set the maximum back to the default, which is no limit.
  • Page 465: Configuring The Igmp Throttling Action

    (Optional) Save your entries in the configuration file. To remove the maximum group limitation and return to the default of no maximum, use the no ip igmp max-groups interface configuration command. This example shows how to limit to 25 the number of IGMP groups that a port can join.
  • Page 466: Displaying Igmp Filtering And Throttling Configuration

    (Optional) Save your entries in the configuration file. To return to the default action of dropping the report, use the no ip igmp max-groups action interface configuration command. This example shows how to configure a port to remove a randomly selected multicast entry in the forwarding table and to add an IGMP group to the forwarding table when the maximum number of entries is in the table.
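    As an added example (not from the Cisco guide), the following Python models an IGMP profile applied to a Layer 2 port together with the max-groups throttle described in the pages above: a profile without the permit keyword denies its ranges by default; a permit profile allows only its ranges; when the port is at its maximum the deny action drops the report and the replace action evicts a randomly chosen entry (seeded here so runs are repeatable) before adding the new group; and a static join bypasses the profile, since filtering applies only to dynamic learning. Port names, profile numbers and group addresses are constructed sample values, and the throttle is not applied to static entries in this model.

```python
# Added example (not from the Cisco guide): IGMP profiles on a Layer 2 port plus the
# max-groups throttle with its two actions.
import ipaddress
import random
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class IgmpProfile:
    number: int
    permit: bool = False                                  # neither keyword: deny is the default
    ranges: List[Tuple[str, str]] = field(default_factory=list)   # inclusive (start, end); single = (a, a)

    def allows(self, group: str) -> bool:
        g = ipaddress.IPv4Address(group)
        matched = any(ipaddress.IPv4Address(lo) <= g <= ipaddress.IPv4Address(hi) for lo, hi in self.ranges)
        # permit profile: only the listed ranges may be joined; deny profile: they may not
        return matched if self.permit else not matched


@dataclass
class L2Port:
    name: str
    profile: Optional[IgmpProfile] = None
    max_groups: Optional[int] = None                      # ip igmp max-groups; default no limit
    action: str = "deny"                                  # ip igmp max-groups action {deny | replace}
    groups: Set[str] = field(default_factory=set)         # entries in the snooping forwarding table
    rng: random.Random = field(default_factory=lambda: random.Random(1))

    def igmp_report(self, group: str) -> str:
        """Dynamic join via an IGMP report: filtered by the profile, then throttled."""
        if not ipaddress.IPv4Address(group).is_multicast:
            return "drop:not-multicast"
        if self.profile is not None and not self.profile.allows(group):
            return "drop:profile"
        if group in self.groups:
            return "forward"                              # already a member: membership refreshed
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "drop:max-groups"
            victim = self.rng.choice(sorted(self.groups))  # replace: evict a random entry
            self.groups.discard(victim)
            self.groups.add(group)
            return f"replace:{victim}"
        self.groups.add(group)
        return "forward"

    def static_join(self, group: str) -> None:
        """Static membership (ip igmp snooping vlan ... static ... interface): the profile
        applies only to dynamic learning, so the entry is added without filtering."""
        self.groups.add(group)


if __name__ == "__main__":
    tv = IgmpProfile(1, permit=True, ranges=[("239.1.1.1", "239.1.1.20")])
    port = L2Port("Fa0/5", profile=tv, max_groups=2, action="replace")
    for g in ("239.1.1.1", "239.1.1.2", "239.9.9.9", "239.1.1.3"):
        print(g, port.igmp_report(g))
```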
  • Page 467 Commands for Displaying IGMP Filtering and Throttling Configuration: Command Purpose: show ip igmp profile [profile number] Displays the specified IGMP profile or all the IGMP profiles defined on the switch. show running-config [interface ... Displays the configuration of the specified interface or the configuration of all interfaces...
  • Page 469: Chapter 22 Configuring Port-Based Traffic Control

    Understanding Storm Control: Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation or in the network configuration can cause a storm.
  • Page 470 A higher threshold allows more packets to pass through. A threshold value of 100 percent means that no limit is placed on the traffic. A value of 0.0 means that all broadcast, multicast, or unicast traffic on that port is blocked.
  • Page 471: Default Storm Control Configuration

    100 percent. Configuring Storm Control and Threshold Levels You configure storm control on a port and enter the threshold level that you want to be used for a particular type of traffic. However, because of hardware limitations and the way in which packets of different sizes are counted, threshold percentages are approximations.
  • Page 472 • (Optional) For bps-low, specify the falling threshold level in bits per second (up to one decimal place). It can be less than or equal to the rising threshold level. The port forwards traffic when traffic drops below this level. The range is 0.0 to 10000000000.0.
  • Page 473: Configuring Small-Frame Arrival Rate

    Switch(config-if)# storm-control unicast level 87 65 This example shows how to enable broadcast address storm control on a port to a level of 20 percent. When the broadcast traffic exceeds the configured level of 20 percent of the total available bandwidth of...
  • Page 474: Configuring Protected Ports

    Switch(config-if)# end Configuring Protected Ports Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.
  • Page 475: Configuring A Protected Port

    Blocking Flooded Traffic on an Interface, page 22-8 • Default Port Blocking Configuration: The default is to not block flooding of unknown multicast and unicast traffic out of a port, but to flood these packets to all ports.
  • Page 476: Blocking Flooded Traffic On An Interface

    If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.
  • Page 477: Understanding Port Security

    You configure the maximum number of secure addresses allowed on a port by using the switchport port-security maximum value interface configuration command. Note: If you try to set the maximum value to a number less than the number of secure addresses already configured on an interface, the command is rejected.
  • Page 478: Security Violations

    • An address learned or configured on one secure interface is seen on another secure interface in the same VLAN. You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs: • protect—when the number of secure MAC addresses reaches the maximum limit allowed on the...
  • Page 479: Default Port Security Configuration

    Static aging is disabled. Type is absolute. Port Security Configuration Guidelines • Port security can only be configured on static access ports or trunk ports. A secure port cannot be a dynamic access port. • A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
  • Page 480: Enabling And Configuring Port Security

    Dynamic Address Resolution Protocol (ARP) inspection Flex Links Enabling and Configuring Port Security Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port: Command...
  • Page 481 • shutdown—The interface is error-disabled when a violation occurs, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments. When a secure port is in the error-disabled state, you can bring it out...
  • Page 482 (Optional) Save your entries in the configuration file. startup-config To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table.
  • Page 483 This example shows how to enable port security on a port and to set the maximum number of secure addresses to 50. The violation mode is the default, no static secure MAC addresses are configured, and sticky learning is enabled.
  • Page 484: Enabling And Configuring Port Security Aging

    Enabling and Configuring Port Security Aging You can use port security aging to set the aging time for all secure addresses on a port. Two types of aging are supported per port: •...
  • Page 485: Port Security And Private Vlans

    This example shows how to set the aging time as 2 hours for the secure addresses on a port:
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# switchport port-security aging time 120
    This example shows how to set the aging time as 2 minutes for the inactivity aging type with aging...
  • Page 486: Displaying Port-Based Traffic Control Settings

    The show storm-control and show port-security privileged EXEC commands display those storm control and port security settings. To display traffic control information, use one or more of the privileged EXEC commands in Table 22-4.
  • Page 487: Configuring Cdp

    • Understanding CDP CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 488: Default Cdp Configuration

    Enabled Configuring the CDP Characteristics You can configure the frequency of CDP updates, the amount of time to hold the information before discarding it, and whether or not to send Version-2 advertisements. Beginning in privileged EXEC mode, follow these steps to configure the CDP timer, holdtime, and advertisement type.
  • Page 489: Chapter 23 Configuring Cdp

    “Monitoring and Maintaining CDP” section on page 23-5. Disabling and Enabling CDP CDP is enabled by default on NNIs. It is disabled by default on ENIs but can be enabled. Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages with connected devices. Note: Disabling CDP can interrupt device connectivity.
  • Page 490: Disabling And Enabling Cdp On An Interface

    Disabling and Enabling CDP on an Interface CDP is enabled by default on NNIs to send and to receive CDP information. You can enable CDP on ENIs, but it is not supported on UNIs. Beginning in privileged EXEC mode, follow these steps to disable...
  • Page 491: Monitoring And Maintaining Cdp

    Monitoring and Maintaining CDP To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode. Command Description clear cdp counters Reset the traffic counters to zero.
  • Page 493: Configuring Lldp And Lldp-Med

    • Understanding LLDP The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches). CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network.
  • Page 494: Chapter 24 Configuring Lldp And Lldp-Med

    Layer 2 and Layer 3 attributes for the specific application on that port. For example, the switch can notify a phone of the VLAN number that it should use. The phone can connect into any switch, obtain its VLAN number, and then start communicating with the call control • Power management TLV...
  • Page 495: Configuring Lldp And Lldp-Med

    Provides the location information of a caller. The location is determined by the Emergency location identifier number (ELIN), which is a phone number that routes an emergency call to the local public safety answering point (PSAP) and which the PSAP can use to call back the emergency caller.
  • Page 496: Configuring Lldp Characteristics

    Configuring LLDP Characteristics You can configure the frequency of LLDP updates, the amount of time to hold the information before discarding it, and the initialization delay time. You can also select the LLDP and LLDP-MED TLVs to be sent and received.
  • Page 497: Disabling And Enabling Lldp Globally

    Disabling and Enabling LLDP Globally LLDP is disabled globally by default and is enabled on NNIs. It is disabled by default on ENIs, but can be enabled per interface. LLDP is not supported on UNIs. Beginning in privileged EXEC mode, follow these steps to globally disable LLDP:...
  • Page 498: Configuring Lldp-Med Tlvs

    Return to privileged EXEC mode. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Beginning in privileged EXEC mode, follow these steps to enable LLDP on an interface when it has been disabled: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 499 Return to privileged EXEC mode. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. This example shows how to enable a TLV on an interface when it has been disabled.
    Switch# configure terminal
    Switch(config)# interface GigabitEthernet1/0/1
    Switch(config-if)# lldp med-tlv-select inventory-management...
  • Page 500: Monitoring And Maintaining Lldp And Lldp-Med

    Monitoring and Maintaining LLDP and LLDP-MED To monitor and maintain LLDP and LLDP-MED on your device, perform one or more of these tasks, beginning in privileged EXEC mode. Command Description clear lldp counters Reset the traffic counters to zero.
  • Page 501: Understanding Udld

    Layer 2 detections work together to prevent physical and logical unidirectional connections and the malfunctioning of other protocols. A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device.
  • Page 502: Chapter 25 Configuring Udld

    UDLD does not disable the port. When UDLD is in normal mode, if one of the fiber strands in a pair is disconnected, as long as autonegotiation is active, the link does not stay up because the Layer 1 mechanisms detect a physical problem with the link.
  • Page 503: Configuring Udld

    If UDLD in normal mode is in the advertisement or in the detection phase and all the neighbor cache entries are aged out, UDLD restarts the link-up sequence to resynchronize with any potentially out-of-sync neighbors.
  • Page 504: Default Udld Configuration

    • both sides of the link. Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
  • Page 505: Enabling Udld Globally

    Enabling UDLD Globally Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch: Command Purpose...
  • Page 506: Resetting An Interface Disabled By Udld

    Displaying UDLD Status To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
  • Page 507: Configuring Span And Rspan

    You can analyze network traffic passing through ports or VLANs by using SPAN or RSPAN to send a copy of the traffic to another port on the switch or on another switch that has been connected to a network analyzer or other monitoring or security device. SPAN copies (or mirrors) traffic received or sent (or both) on source ports or source VLANs to a destination port for analysis.
  • Page 508: Chapter 26 Configuring Span And Rspan

    Figure 26-1, all traffic on port 5 (the source port) is mirrored to port 10 (the destination port). A network analyzer on port 10 receives all network traffic from port 5 without being physically attached to port 5. Figure 26-1...
  • Page 509: Span And Rspan Concepts And Terminology

    This section describes concepts and terminology associated with SPAN and RSPAN configuration. SPAN Sessions SPAN sessions (local or remote) allow you to monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destination ports.
  • Page 510 An RSPAN destination session takes all packets received on the RSPAN VLAN, strips off the VLAN tagging, and presents them on the destination port. Its purpose is to present a copy of all RSPAN VLAN packets (except Layer 2 control packets) to the user for analysis.
  • Page 511 For example, a bidirectional (both Rx and Tx) SPAN session is configured for the Rx monitor on port A and Tx monitor on port B. If a packet enters the switch through port A and is switched to port B, both incoming and outgoing packets are sent to the destination port. Both packets are the same (unless a Layer-3 rewrite occurs, in which case the packets are different because of the packet modification).
  • Page 512: Vlan Filtering

    Source VLANs VLAN-based SPAN (VSPAN) is the monitoring of the network traffic in one or more VLANs. The SPAN or RSPAN source interface in VSPAN is a VLAN ID, and traffic is monitored on all the ports for that VLAN.
  • Page 513 If the port was in an EtherChannel group, it is removed from the group while it is a destination port. • If the switch is running the metro IP access image and the port was a routed port, it is no longer a routed port.
  • Page 514: Span And Rspan Interaction With Other Features

    An RSPAN VLAN cannot be a private-VLAN primary or secondary VLAN. It is normal to have multiple RSPAN VLANs in a network at the same time with each RSPAN VLAN defining a network-wide RSPAN session. That is, multiple RSPAN source sessions anywhere in the network can contribute packets to the RSPAN session.
  • Page 515: Configuring Span And Rspan

    • An IEEE 802.1x port can be a SPAN source port. You can enable IEEE 802.1x on a port that is a SPAN destination port; however, IEEE 802.1x is disabled until the port is removed as a SPAN destination.
  • Page 516 • can have a total of 66 SPAN sessions (local, RSPAN source, and RSPAN destination) on a switch. • For SPAN sources, you can monitor traffic for a single port or VLAN or a series or range of ports or VLANs for each session. You cannot mix source ports and source VLANs within a single SPAN session.
  • Page 517 VLANs), defined in a series of commands, but you cannot combine source ports and source VLANs in one session. (Optional) [, | -] Specify a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.
  • Page 518
    Switch(config)# no monitor session 1 source interface gigabitethernet0/1 rx
    The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored. This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination Gigabit Ethernet port 2.
  • Page 519 Beginning in privileged EXEC mode, follow these steps to create a SPAN session, to specify the source ports or VLANs and the destination ports, and to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance).
  • Page 520: Specifying Vlans To Filter

    To delete a SPAN session, use the no monitor session session_number global configuration command. To remove a source or destination port or VLAN from the SPAN session, use the no monitor session session_number source {interface interface-id | vlan vlan-id} global configuration command or the no monitor session session_number destination interface interface-id global configuration command.
  • Page 521: Rspan Configuration Guidelines

    This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor traffic received on Gigabit Ethernet trunk port 2, and send traffic for only VLANs 1 through 5 and VLAN 9 to destination Gigabit Ethernet port 1.
  • Page 522: Configuring A Vlan As An Rspan Vlan

    Configuring a VLAN as an RSPAN VLAN Create a new VLAN to be the RSPAN VLAN for the RSPAN session. You must create the RSPAN VLAN in all switches that will participate in RSPAN. You must configure RSPAN VLAN on source and destination switches and any intermediate switches.
  • Page 523: Creating An Rspan Source Session

    Switch(config)# vlan 901
    Switch(config-vlan)# remote span
    Switch(config-vlan)# end
    Creating an RSPAN Source Session Beginning in privileged EXEC mode, follow these steps to start an RSPAN source session and to specify the monitored source and the destination RSPAN VLAN: Command Purpose...
  • Page 524: Creating An Rspan Destination Session

    Switch(config)# end
    Creating an RSPAN Destination Session You configure the RSPAN destination session on a different switch; that is, not the switch on which the source session was configured. Beginning in privileged EXEC mode, follow these steps to define the RSPAN VLAN on that switch, to...
  • Page 525: Creating An Rspan Destination Session And Configuring Ingress Traffic

    To remove the RSPAN VLAN from the session, use the no monitor session session_number source remote vlan vlan-id. This example shows how to configure VLAN 901 as the source remote VLAN and port 1 as the destination interface:...
  • Page 526 This example shows how to configure VLAN 901 as the source remote VLAN in RSPAN session 2, to configure Gigabit Ethernet source port 2 as the destination interface, and to enable ingress forwarding on the interface with VLAN 6 as the default incoming VLAN.
  • Page 527 This example shows how to remove any existing configuration on RSPAN session 2, configure RSPAN session 2 to monitor traffic received on trunk port 2, and send traffic for only VLANs 2 through 5 and 9 to destination RSPAN VLAN 902.
  • Page 528: Displaying Span And Rspan Status

    Displaying SPAN and RSPAN Status To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
  • Page 529: Understanding Rmon

    This chapter describes how to configure Remote Network Monitoring (RMON) on the Cisco ME 3400 Ethernet Access switch. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information.
  • Page 530: Chapter 27 Configuring Rmon

    (falling threshold). Alarms can be used with events; the alarm triggers an event, which can generate a log entry or an SNMP trap. • Event (RMON group 9)—Specifies the action to take when an event is triggered by an alarm. The...
  • Page 531: Default Rmon Configuration

    RMON is disabled by default; no alarms or events are configured. Configuring RMON Alarms and Events You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station. We recommend that you use a generic RMON console application on the network management station (NMS) to take advantage of the RMON network management capabilities.
  • Page 532 The alarm monitors the MIB variable ifEntry.20.1 once every 20 seconds until the alarm is disabled and checks the change in the variable’s rise or fall. If the ifEntry.20.1 value shows a MIB counter increase of 15 or more, such as from 100000 to 100015, the alarm is triggered.
  • Page 533: Collecting Group History Statistics On An Interface

    Collecting Group History Statistics on an Interface You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface. This procedure is optional. Command...
  • Page 534: Displaying Rmon Status

    (Optional) Save your entries in the configuration file. To disable the collection of group Ethernet statistics, use the no rmon collection stats index interface configuration command. This example shows how to collect RMON statistics for the owner root:...
  • Page 535: Understanding System Message Logging

    Messages appear on the console after the process that generated them has finished. You can set the severity level of the messages to control the type of messages displayed on the consoles and each of the destinations. You can time-stamp log messages or set the syslog source address to enhance real-time debugging and management.
  • Page 536: Configuring System Message Logging

    The switch software saves syslog messages in an internal buffer. You can remotely monitor system messages by viewing the logs on a syslog server or by accessing the switch through Telnet or through the console port.
  • Page 537: Chapter 28 Configuring System Message Logging

    The facility to which the message refers (for example, SNMP, SYS, and so forth). For a list of supported facilities, see Table 28-4 on page 28-13. severity Single-digit code from 0 to 7 that is the severity of the message. For a description of the severity levels, see Table 28-3 on page 28-9. MNEMONIC Text string that uniquely describes the message.
  • Page 538: Disabling Message Logging

    28-9). Disabling Message Logging Message logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.
  • Page 539: Setting The Message Display Destination Device

    Setting the Message Display Destination Device If message logging is enabled, you can send messages to specific locations in addition to the console. Beginning in privileged EXEC mode, use one or more of the following commands to specify the locations that receive messages.
  • Page 540: Synchronizing Log Messages

    To display the messages that are logged in the buffer, use the show logging privileged EXEC command. The first message displayed is the oldest message in the buffer. To clear the contents of the buffer, use the clear logging privileged EXEC command.
  • Page 541: Enabling And Disabling Time Stamps On Log Messages

    (Optional) Save your entries in the configuration file. To disable time stamps for both debug and log messages, use the no service timestamps global configuration command. This example shows part of a logging display with the service timestamps log datetime global...
  • Page 542: Enabling And Disabling Sequence Numbers In Log Messages

    Enabling and Disabling Sequence Numbers in Log Messages Because there is a chance that more than one log message can have the same time stamp, you can display messages with sequence numbers so that you can unambiguously see a single message. By default, sequence numbers in log messages are not displayed.
  • Page 543 (Optional) Save your entries in the configuration file. Note: Specifying a level causes messages at that level and numerically lower levels to appear at the destination. To disable logging to the console, use the no logging console global configuration command. To disable logging to a terminal other than the console, use the no logging monitor global configuration command.
  • Page 544: Limiting Syslog Messages Sent To The History Table And To Snmp

    (Optional) Save your entries in the configuration file. Table 28-3 lists the level keywords and severity level. For SNMP usage, the severity level values increase by 1. For example, emergencies equal 1, not 0, and critical equals 3, not 2.
  • Page 545 Step 7 show archive log config Verify your entries by viewing the configuration log. This example shows how to enable the configuration-change logger and to set the number of entries in the log to 500.
    Switch(config)# archive
    Switch(config-archive)# log config...
  • Page 546: Configuring Unix Syslog Servers

    The syslog daemon sends messages at this level or at a more severe level to the file specified in the next field. The file must already exist, and the syslog daemon must have permission to write to it.
  • Page 547: Displaying The Logging Configuration

    (Optional) Save your entries in the configuration file. To remove a syslog server, use the no logging host global configuration command, and specify the syslog server IP address. To disable logging to syslog servers, enter the no logging trap global configuration command.
  • Page 549: Understanding Snmp

    The SNMP agent contains MIB variables whose values the SNMP manager can request or change. A manager can get a value from an agent or store a value into the agent. The agent gathers data from the MIB, the repository for information about device parameters and network data. The agent can also respond to a manager’s requests to get or set data.
  • Page 550: Chapter 29 Configuring Snmp

    Both SNMPv1 and SNMPv2C use a community-based form of security. The community of managers able to access the agent’s MIB is defined by an IP address access control list and password. SNMPv2C includes a bulk retrieval mechanism and more detailed error message reporting to management stations.
  • Page 551: Snmp Manager Functions

    An unsolicited message sent by an SNMP agent to an SNMP manager when some event has occurred. 1. With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table.
  • Page 552: Snmp Agent Functions

    The SNMP agent also sends unsolicited trap messages to notify an NMS that a significant event has occurred on the agent. Examples of trap conditions include, but are not limited to, when a port or module goes up or down, when spanning-tree topology changes occur, and when authentication failures occur.
  • Page 553: Snmp Notifications

    The characteristics that make informs more reliable than traps also consume more resources in the switch and in the network. Unlike a trap, which is discarded as soon as it is sent, an inform request is held in memory until a response is received or the request times out. Traps are sent only once, but an inform might be re-sent or retried several times.
  • Page 554: Mib Data Collection And Transfer

    (unless you configure the device to keep the file in memory for a specified time period). You can configure the switch to send an SNMP notification to the NMS if a transfer is not successful and to enter a syslog message on the local device.
  • Page 555: Default Snmp Configuration

    SNMP agent is enabled. An SNMP group is a table that maps SNMP users to SNMP views. An SNMP user is a member of an SNMP group. An SNMP host is the recipient of an SNMP trap operation. An SNMP engine ID is a name for the local or remote SNMP engine.
  • Page 556: Disabling The Snmp Agent

    The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
  • Page 557 Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Note: To disable access for an SNMP community, set the community string for that community to the null string (do not enter a value for the community string).
  • Page 558: Configuring Snmp Groups And Users

    This example shows how to assign the string comaccess to SNMP, to allow read-only access, and to specify that IP access list 4 can use the community string to gain access to the switch SNMP agent:
    Switch(config)# snmp-server community comaccess ro 4...
  • Page 559 • (Optional) Enter read readview with a string (not to exceed 64 characters) that is the name of the view in which you can only view the contents of the agent. • (Optional) Enter write writeview with a string (not to exceed 64...
  • Page 560: Configuring Snmp Notifications

    A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent. Switches can have an unlimited number of trap managers.
  • Page 561 Generates a trap for SNMP storm-control. You can also set a maximum trap rate per minute. The range is from 0 to 1000; the default is 0 (no limit is imposed; a trap is sent at every occurrence). stpx Generates SNMP STP Extended MIB traps.
  • Page 562 You can use the snmp-server host global configuration command to configure a specific host to receive the notification types listed in Table 29-5. Beginning in privileged EXEC mode, follow these steps to configure the switch to send traps or informs to a host: Command Purpose...
  • Page 563 29-12. If no type is specified, all notifications are sent. Step 6 snmp-server enable traps notification-types Enable the switch to send traps or informs and specify the type of notifications to be sent. For a list of notification types, see Table 29-5 on...
  • Page 564: Setting The Cpu Threshold Notification Types And Values

    (for traps and informs). To enable a host to receive an inform, you must configure an snmp-server host informs command for the host and globally enable informs by using the snmp-server enable traps command.
  • Page 565: Setting The Agent Contact And Location Information

    Setting the Agent Contact and Location Information Beginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file: Command...
  • Page 566: Configuring Mib Data Collection And Transfer

    (Optional) Save your entries in the configuration file. Configuring MIB Data Collection and Transfer This section includes basic configuration for MIB data collection. For more information, see the Periodic MIB Data Collection and Transfer Mechanism feature module at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a008014c77d.
  • Page 567
    Switch(config)# snmp mib bulkstat schema testschema
    Switch(config-bulk-sc)# object-list ifMIB
    Switch(config-bulk-sc)# instance wild oil 1
    Switch(config-bulk-sc)# poll-interval 1
    Switch(config-bulk-sc)# exit
    Beginning in privileged EXEC mode, follow these steps to configure bulk-statistics transfer options: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 568: Configuring The Cisco Process Mib Cpu Threshold Table

    Enter the no enable bulk statistics transfer configuration mode command to stop the collection process. Enter the enable command again to restart the operation. Every time you restart the process with the enable command, data is collected in a new bulk-statistics file.
  • Page 569: Snmp Examples

    (Optional) Save your entries in the configuration file. SNMP Examples This example shows how to enable all versions of SNMP. The configuration permits any SNMP manager to access all objects with read-only permissions using the community string public. This configuration does not cause the switch to send any traps.
  • Page 570: Displaying Snmp Status

    Displaying SNMP Status This example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.
  • Page 571 Displays SNMP statistics. show snmp engineID [local | remote] Displays information on the local SNMP engine and all remote engines that have been configured on the device. show snmp group Displays information on each SNMP group on the network.
  • Page 573: Understanding Embedded Event Manager

    The embedded event manager (EEM) monitors key system events and then acts on them through a set policy. This policy is a programmed script that you can use to customize a script to invoke an action based on a given set of events occurring. The script generates actions such as generating custom syslog or Simple Network Management Protocol (SNMP) traps, invoking CLI commands, forcing a failover, and so forth.
  • Page 574: Event Detectors

    EEM software programs known as event detectors determine when an EEM event occurs. Event detectors are separate systems that provide an interface between the agent being monitored, for example SNMP, and the EEM policies where an action can be implemented.
  • Page 575: C H A P T E R 30 Configuring Embedded Event Manager

    50 an event would be published when the interface counter increases by 50. This detector also publishes an event about an interface based on the rate of change for the entry and exit values.
  • Page 576: Embedded Event Manager Actions

    EEM can monitor events and provide information, or take corrective action when the monitored events occur or a threshold is reached. An EEM policy is an entity that defines an event and the actions to be taken when that event occurs.
  • Page 577: Configuring Embedded Event Manager

    Note Only one event applet command is allowed in an EEM applet. Multiple action applet commands are permitted. If you do not specify the no event and no action commands, the applet is removed when you exit configuration mode. Command...
  • Page 578: Registering And Defining An Embedded Event Manager Tcl Script

    $_snmp_oid_val bytes"
    Switch(config-applet)# action 2.0 force-switchover
    Registering and Defining an Embedded Event Manager TCL Script Beginning in privileged EXEC mode, perform this task to register a TCL script with EEM and to define the TCL script and policy commands. Command...
  • Page 579: Understanding Acls

    ACLs to verify that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. One by one, it tests packets against the conditions in an access list. The first match decides whether the switch accepts or rejects the packets. Because the switch stops testing after the first match, the order of conditions in the list is critical.
  • Page 580: Supported Acls

    An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny depends on the context in which the ACL is used.
  • Page 581: C H A P T E R 31 Configuring Network Security With Acls

    If IEEE 802.1Q tunneling is configured on an interface, any IEEE 802.1Q encapsulated IPv4 packets received on the tunnel port can be filtered by MAC ACLs, but not by IPv4 ACLs. This is because the switch does not recognize the protocol inside the IEEE 802.1Q header. This restriction applies to router ACLs, port ACLs, and VLAN maps.
  • Page 582: Router Acls

    Note You cannot apply more than one IP access list and one MAC access list to a Layer 2 interface. If an IP access list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access list or MAC access list to the interface, the new ACL replaces the previously configured one.
  • Page 583: Vlan Maps

    VLAN ACLs or VLAN maps can access-control all traffic. You can apply VLAN maps to all packets that are routed into or out of a VLAN or are forwarded within a VLAN in the switch. VLAN maps are used for security packet filtering and are not defined by direction (input or output).
  • Page 584: Configuring Ipv4 Acls

    Switch(config)# access-list 102 permit tcp any host 10.1.1.2
    Switch(config)# access-list 102 deny tcp any any
    Note In the first and second ACEs in the examples, the eq keyword after the destination address means to test for the TCP-destination-port well-known numbers equaling Simple Mail Transfer Protocol (SMTP) and Telnet, respectively.
  • Page 585: Creating Standard And Extended Ipv4 Acls

    These are the steps to use IP ACLs on the switch: Step 1 Create an ACL by specifying an access list number or name and the access conditions. Step 2 Apply the ACL to interfaces or terminal lines. You can also apply standard and extended IP ACLs to VLAN maps.
  • Page 586: Ipv4 Access List Numbers

    Note named IPv4 ACLs by using the supported numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list.
  • Page 587: Creating A Numbered Standard Acl

    Note When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny statement for all packets that it did not find a match for before reaching the end. With standard access lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be the mask.
  • Page 588: Creating A Numbered Extended Acl

    The switch always rewrites the order of standard access lists so that entries with host matches and entries with matches having a don’t care mask of 0.0.0.0 are moved to the top of the list, above any entries with non-zero don’t care masks. Therefore, in show command output and in the configuration file, the ACEs do not necessarily appear in the order in which they were entered.
  • Page 589 • DSCP value specified by a number from 0 to 63, or use the question mark (?) to see a list of available values. 31-11...
  • Page 590 (range requires two port numbers separated by a space). Enter the port number as a decimal number (from 0 to 65535) or the name of a TCP port. To see TCP port names, use the ? or see the “Configuring IP Services”...
  • Page 591 10 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet 20 permit tcp any any After an ACL is created, any additions (possibly entered from the terminal) are placed at the end of the list. You cannot selectively add or remove access list entries from a numbered access list.
  • Page 592: Resequencing Aces In An Acl

    Note list numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list.
  • Page 593 After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACL entries to a specific ACL. However, you can use no permit and no deny access-list configuration mode commands to remove entries from a named ACL.
  • Page 594: Using Time Ranges With Acls

    You can use the time range to define when the permit or deny statements in the ACL are in effect, for example, during a specified time period or on specified days of the week. The time-range keyword and argument are referenced in the named and numbered extended ACL task tables in the previous sections, the “Creating Standard and Extended IPv4 ACLs”...
  • Page 595 Repeat the steps if you want multiple items in effect at different times. To remove a configured time-range limitation, use the no time-range time-range-name global configuration command. This example shows how to configure time ranges for workhours and to configure January 1, 2006 as a company holiday and to verify your configuration.
  • Page 596: Including Comments In Acls

    100 characters. The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements.
  • Page 597: Applying An Ipv4 Acl To An Interface

    • When controlling access to an interface, you can use a named or numbered ACL.
    • If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the VLAN.
  • Page 598: Hardware And Software Treatment Of Ip Acls

    When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits all packets. Remember this behavior if you use undefined ACLs for network security.
  • Page 599: Troubleshooting Acls

    The flows matching a permit statement are switched in hardware. Adding the log keyword to an ACE in a router ACL causes a copy of the packet to be sent to the •...
  • Page 600: Ipv4 Acl Configuration Examples

    ACL 79 to ACL 1). You can now apply the first ACE in the ACL to the interface. The switch allocates the ACE to available mapping bits in the Opselect index and then allocates flag-related operators to use the same bits in the TCAM.
  • Page 601: Numbered Acls

    For another example of using an extended ACL, suppose that you have a network connected to the Internet, and you want any host on the network to be able to form TCP connections to any host on the Internet. However, you do not want IP hosts to be able to form TCP connections to hosts on your network, except to the mail (SMTP) port of a dedicated mail host.
  • Page 602: Named Acls

    SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same port numbers are used throughout the life of the connection. Mail packets coming in from the Internet have a destination port of 25.
  • Page 603: Commented Ip Acl Entries

    Switch(config-if)# ip access-group strict in
    Commented IP ACL Entries In this example of a numbered ACL, the workstation that belongs to Jones is allowed access, and the workstation that belongs to Smith is not allowed access:
    Switch(config)# access-list 1 remark Permit only Jones workstation through
    Switch(config)# access-list 1 permit 171.69.2.88...
  • Page 604: Creating Named Mac Extended Acls

    Creating Named MAC Extended ACLs You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs.
  • Page 605 Note Though visible in the command-line help strings, appletalk is not supported as a matching condition for the deny and permit MAC access-list configuration mode commands. Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:...
  • Page 606: Applying A Mac Acl To A Layer 2 Interface

    • If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the VLAN.
  • Page 607: Configuring Vlan Maps

    ACL with specific source or destination addresses. If there is a match clause for that type of packet (IP or MAC) in the VLAN map, the default action is to drop the packet if the packet does not match any of the entries within the map.
  • Page 608: Creating A Vlan Map

    • If the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet does not match any of these match clauses, the default is to drop the packet. If there is no match clause for that type of packet in the VLAN map, the default is to forward the packet.
  • Page 609: Examples Of Acls And Vlan Maps

    VLAN maps do not use the specific permit or deny keywords. To deny a packet by using VLAN maps, create an ACL that would match the packet, and set the action to drop. A permit in the ACL counts as a match.
  • Page 610 Configuring VLAN Maps Example 2 In this example, the VLAN map has a default action of drop for IP packets and a default action of forward for MAC packets. Used with standard ACL 101 and extended named access lists igmp-match and...
  • Page 611: Applying A Vlan Map To A Vlan

    Example 4 In this example, the VLAN map has a default action of drop for all packets (IP and non-IP). Used with access lists tcp-match and good-hosts from Examples 2 and 3, the map will have the following results: • Forward all TCP packets...
  • Page 612: Denying Access To A Server On Another Vlan

    Packet If you do not want HTTP traffic switched from Host X to Host Y, you can configure a VLAN map on Switch A to drop all HTTP traffic from Host X (IP address 10.1.1.32) to Host Y (IP address 10.1.1.34) at Switch A and not forward it to Switch B.
  • Page 613: Using Vlan Maps With Router Acls

    This example shows how to deny access to a server on another VLAN by creating the VLAN map SERVER1 that denies access to hosts in subnet 10.1.2.0.8, host 10.1.1.4, and host 10.1.1.8 and permits other IP traffic. The final step is to apply the map SERVER1 to VLAN 10.
  • Page 614: Vlan Maps And Router Acl Configuration Guidelines

    If the VLAN map has a match clause for the type of packet (IP or MAC) and the packet does not match the type, the default is to drop the packet. If there is no match clause in the VLAN map, and no action specified, the packet is forwarded if it does not match any VLAN map entry.
  • Page 615: Examples Of Router Acls And Vlan Maps Applied To Vlans

    Although the following illustrations show packets being forwarded to their destination, each time the packet’s path crosses a line indicating a VLAN map or an ACL, it is also possible that the packet might be dropped, rather than forwarded.
  • Page 616: Acls And Multicast Packets

    ACL and VLAN map would apply for each destination VLAN. The final result is that the packet might be permitted in some of the output VLANs and not in others. A copy of the packet is forwarded to those destinations where it is permitted. However, if the input VLAN...
  • Page 617: Displaying Ipv4 Acl Configuration

    You can display the ACLs that are configured on the switch, and you can display the ACLs that have been applied to interfaces and VLANs. When you use the ip access-group interface configuration command to apply ACLs to a Layer 2 or 3 interface, you can display the access groups on the interface.
  • Page 619 Layer 2 control packets and some Layer 3 control packets for UNIs. You can also configure a third port type, an enhanced network interface (ENI). An ENI, like a UNI, is a customer-facing interface. By default on an ENI, Layer 2 control protocols, such as Cisco Discovery Protocol (CDP), Spanning-Tree Protocol (STP), Link Layer Discovery Protocol (LLDP) are disabled.
  • Page 620: C H A P T E R 32 Configuring Control-Plane Security

    The switch uses policing to accomplish control-plane security by either dropping or rate-limiting Layer 2 control packets. If a Layer 2 protocol is enabled on a UNI or ENI port or tunneled on the switch, those protocol packets are rate-limited; otherwise control packets are dropped.
  • Page 621 A policer of 26 means a drop policer and is a global policer; any traffic type shown as 26 on any port is dropped. A policer of a value of 0 to...
  • Page 622 Understanding Control-Plane Security 25 means that a rate-limiting policer is assigned to the port for the protocol. The policers 0 to 23 are logical identifiers for Fast Ethernet ports 1 to 24; policers 24 and 25 refer to Gigabit Ethernet ports 1 and 2, respectively.
  • Page 623 64 policers per port. Note these limitations when you disable CPU protection: • When CPU protection is disabled, you can configure a maximum of 63 policers per port (62 on every 4th port) for user-defined classes and one for class-default. • ...
  • Page 624: Configuring Control-Plane Security

    You can configure only the rate-limiting threshold. The configured threshold applies to all supported control protocols on all UNIs and ENIs. It also applies to STP, CDP, LLDP, LACP, and PAgP when the protocol is enabled on an ENI.
  • Page 625 Monitoring Control-Plane Security You can monitor control-plane security settings and statistics on the switch or on an interface, and you can clear these statistics at any time by using the privileged EXEC commands in Table 32-2.
  • Page 626: Monitoring Control-Plane Security

  • Page 627: Understanding Qos

    Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
  • Page 628: Chapter 33 Configuring Qo

    “Classification” section on page 33-5. • Packet policing determines whether a packet is in or out of profile by comparing the rate of the incoming traffic to the configured policer. You can control the traffic flow for packets that conform to or exceed the configured policer.
  • Page 629: Modular Qos Cli

    Modular QoS CLI (MQC) allows users to create traffic policies and attach these policies to interfaces. A traffic policy contains a traffic class and one or more QoS features. You use a traffic class to classify traffic, and the QoS features in the traffic policy determine how to treat the classified traffic.
  • Page 630: Input And Output Policies

    Warning: Detaching Policy test1 from Interface GigabitEthernet0/1
    Input and Output Policies Policy maps are either input policy maps or output policy maps, attached to packets as they enter or leave the switch by service policies applied to interfaces. Input policy maps perform policing and marking on received traffic.
  • Page 631: Output Policy Maps

    When a packet is received, the switch examines the header and identifies all key packet fields. A packet can be classified based on an ACL, on the DSCP, the CoS, or the IP precedence value in the packet, or by the VLAN ID.
  • Page 632 • Layer 3 IP packets can carry either an IP precedence value or a DSCP value. QoS supports the use of either value because DSCP values are backward-compatible with IP precedence values. IP precedence values range from 0 to 7. DSCP values range from 0 to 63.
  • Page 633: Class Maps

    CoS, IP DSCP, and IP precedence values. These values are referred to as markings on a packet. You can also match an access group, a QoS group, or a VLAN ID or ID range for per-port, per-VLAN QoS.
  • Page 634: Classification Based On Layer 2 Cos

    Classification Based on Layer 2 CoS You can use the match command to classify Layer 2 traffic based on the CoS value, which ranges from 0 to 7. A match cos command is supported only on Layer 2 802.1Q trunk ports.
  • Page 635: Classification Comparisons

    cs7 Match packets with CS7 (precedence 7) dscp (111000)
    default Match packets with default dscp (000000)
    ef Match packets with EF dscp (101110)
    For more information on DSCP prioritization, see RFC 2597 (AF per-hop behavior), RFC 2598 (EF), or RFC 2475 (DSCP). Classification Comparisons Table 33-1 shows suggested IP DSCP, IP precedence, and CoS values for typical traffic types.
  • Page 636: Classification Based On Qos Acls

    You cannot configure match access-group for an output policy map. You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (a class). You use the access-list global configuration command to configure IP ACLS to classify IP traffic based on Layer 3 and Layer 4 parameters.
  • Page 637 You can use QoS groups to aggregate multiple input streams across input classes and policy maps for the same QoS treatment on the egress port. Assign the same QoS group number in the input policy map to all streams that require the same egress treatment, and match to the QoS group number in the output policy map to specify the required queuing and scheduling actions.
  • Page 638: Classification Based On Vlan Ids

    Per-VLAN classification is not required on access ports because access ports carry traffic for a single VLAN. If you try to attach an input per-port, per VLAN hierarchical policy to a port that is not a trunk port, the configuration is rejected.
  • Page 639: Table Maps

    Table Maps You can use table maps to manage a large number of traffic flows with a single command. You can specify table maps in set commands and use them as mark-down mapping for the policers. You can also use table maps to map an incoming QoS marking to a replacement marking without having to configure a large number of explicit matches and sets.
  • Page 640: Policing

    Switch(config-tablemap)# default 63
    Switch(config-tablemap)# exit
    The switch supports a maximum of 256 unique table maps. You can enter up to 64 different map from–to entries in a table map. These table maps are supported on the switch: • DSCP to CoS ...
  • Page 641: Individual Policing

    This is an example of basic policing for all traffic received with a CoS of 4. The first value following the police command limits the average traffic rate to 10,000,000 bits per second (bps); the second value represents the additional burst size (10 kilobytes).
  • Page 642: Aggregate Policing

    QoS group value for classification at the egress. Exceed actions are to drop the packet, to send the packet without modification, to set a new CoS, DSCP, or IP precedence to a value, or to set a QoS group value for classification at the egress.
  • Page 643 Note When you use a table map in an input policy map, the protocol type for the from–action in the table map must be the same as the protocol type of the associated classification. For example, if a class map represents IP classification, the from–type action in the table map must be either dscp or precedence.
  • Page 644: Unconditional Priority Policing

    This example shows how to use the priority with police commands to configure out-class1 as the priority queue, with traffic going to the queue limited to 20,000,000 bps so that the priority queue never uses more than that. Traffic above that rate is dropped. This allows other traffic queues to receive some port bandwidth, in this case a minimum bandwidth guarantee of 500,000 and 200,000 kbps.
  • Page 645: Marking

    After network traffic is organized into classes, you use marking to identify certain traffic types for unique handling. For example, you can change the CoS value in a class or set IP DSCP or IP precedence values for a specific type of traffic. These new values are then used to determine how the traffic should be treated.
  • Page 646: Marking And Queuing Cpu-Generated Traffic

    QoS default class map that matches all traffic not matched by class AF31-AF33 and sets all traffic to an IP DSCP value of 1. The second marking sets the traffic in classes AF31 to AF33 to an IP DSCP of 3.
  • Page 647: Traffic Shaping

    Class-based shaping uses the shape average policy-map class configuration command to limit the rate of data transmission as the number of bits per second to be used for the committed information rate for a class of traffic. The switch supports separate queues for three classes of traffic. The fourth queue is always the default queue for class class-default, unclassified traffic.
  • Page 648 The first policy level, the parent level, is used for port shaping, and you can specify only one class of type class-default within the policy. This is an example of a parent-level policy map:...
  • Page 649: Class-Based Weighted Fair Queuing

    This means that the class is allocated bandwidth only if there is excess bandwidth on the port, and if there is no minimum bandwidth guarantee for this traffic class.
  • Page 650 CIR of all the classes in the policy map is divided among the classes in the same proportion as the CIR rates. If the CIR rate of a class is configured as 0, that class is also not eligible for any excess bandwidth and as a result receives no bandwidth.
  • Page 651: Priority Queuing

    33-58. This example shows how to configure the class out-class1 as a strict priority queue so that all packets in that class are sent before any other class of traffic. Other traffic queues are configured so that out-class2 gets 50 percent of the remaining bandwidth and out-class3 gets 20 percent of the remaining bandwidth.
  • Page 652: Congestion Avoidance And Queuing

    400 frames, traffic reclassified to 60 percent is dropped when the queue depth exceeds 600 frames, and traffic up to 400 frames can be queued at the 40-percent threshold, up to 600 frames at the 60-percent threshold, and up to 1000 frames at the 100-percent threshold.
  • Page 653 In this example, CoS values 6 and 7 have a greater importance than the other CoS values, and they are assigned to the 100-percent drop threshold (queue-full state). CoS values 4 and 5 are assigned to the 60-percent threshold, and CoS values 0 to 3 are assigned to the 40-percent threshold.
  • Page 654 QoS: Configuration failed. Maximum number of allowable unique queue-limit configurations exceeded.
    Note When you configure a queue limit for a class in an output policy map, all other output policy maps must use the same qualifier type and qualifier value format. Only the queue-limit threshold values can be different.
  • Page 655: Configuring Qos

    Switch(config-if)# service-policy output out-policy
    Switch(config-if)# exit
    You can configure and attach as many output policy maps as there are switch ports, but only three unique queue-limit configurations are allowed. When another output policy map uses the same queue-limit and class configurations, even if the bandwidth percentages are different, it is considered to be the same queue-limit configuration.
  • Page 656: Default Qos Configuration

    VLANs received through the port is classified, policed, and marked according to the policy map attached to the port. If a per-port, per-VLAN policy map is attached, traffic on the trunk port is classified, policed, and marked for the VLANs specified in the parent-level policy, according to the child policy map associated with each VLAN.
  • Page 657: Using Acls To Classify Traffic

    You can classify IP traffic by using IP standard or IP extended ACLs. You can classify IP and non-IP traffic by using Layer 2 MAC ACLs. For more information about configuring ACLs, see Chapter 31, “Configuring Network Security with ACLs.”...
  • Page 658: Creating Ip Extended Acls

    This example shows how to allow access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses.
    Switch(config)# access-list 1 permit 192.5.255.0 0.0.0.255
    Switch(config)# access-list 1 permit 128.88.0.0 0.0.255.255...
  • Page 659: Creating Layer 2 Mac Acls

    DSCP value set to 32:
    Switch(config)# access-list 100 permit ip any any dscp 32
    This example shows how to create an ACL that permits IP traffic from a source host at 10.1.1.1 to a destination host at 10.1.1.2 with a precedence value of 5:
    Switch(config)# access-list 100 permit ip host 10.1.1.1 host 10.1.1.2 precedence 5...
  • Page 660: Using Class Maps To Define A Traffic Class

    You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. A class map defines the criteria to use to match against a specific traffic flow to further classify it. Match statements can include criteria such as an ACL, CoS value, DSCP value, IP precedence values, QoS group values, or VLAN IDs.
  • Page 661 Beginning in privileged EXEC mode, follow these steps to create a class map and to define the match criterion to classify traffic: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 class-map [match-all | match-any] Create a class map, and enter class-map configuration mode.
  • Page 662: Configuring Table Maps

    (Optional) Save your entries in the configuration file. Use the no form of the appropriate command to delete an existing class map or remove a match criterion. This example shows how to create access list 103 and configure the class map called class1. The class1 has one match criterion, which is access list 103.
  • Page 663 This example shows how to create a DSCP-to-CoS table map. A complete table would typically include additional map statements for the higher DSCP values. The default of 4 in this table means that unmapped DSCP values will be assigned a CoS value of 4.
  • Page 664: Attaching A Traffic Policy To An Interface

    Policy Maps” section on page 33-52 for restrictions on input and output policy maps. You can attach a service policy only to a physical port. You can attach only one input policy map and one output policy map per port.
  • Page 665: Configuring Input Policy Maps With Individual Policing

    For the parent policy of a hierarchical policy map, you cannot add or delete a class at the parent level if the policy map is attached to an interface. You must detach the policy from the interface, modify the policy, and then re-attach it to the interface.
  • Page 666 • When you use a table map for police exceed-action in an input policy map, the protocol type of the map from type of action must be the same as the protocol type of the associated classification. For example, if the associated class map represents an IP classification, the map from type of action that references the table map must be dscp or precedence.
  • Page 667 CIR. ... table-map-name] | precedence [table table-map-name]} • For cos cos_value, enter a new CoS value to be assigned to the classified traffic. The range is 0 to 7. • For [ip] dscp dscp_value, enter a new DSCP value to be...
  • Page 668 For example: Warning: Detaching Policy test1 from Interface GigabitEthernet0/1 After you have created an input policy map, you attach it to an interface in the input direction. See the “Attaching a Traffic Policy to an Interface” section on page 33-38.
  • Page 669 10000 bytes. The policy map includes the default conform action (transmit) and the exceed action to mark the Layer 2 CoS value based on the table map and to mark IP DSCP to af41. Switch(config)# policy-map in-policy...
  • Page 670: Configuring Input Policy Maps With Aggregate Policing

    VLANs on a port in a per-port, per-VLAN policy map. • When you use a table map for police exceed-action in an input policy map, the protocol type of the map from type of action must be the same as the protocol type of the associated classification. For example, if the associated class map represents an IP classification, the map from type of action that references the table map must be either dscp or precedence.
  • Page 671 Beginning in privileged EXEC mode, follow these steps to create an aggregate policer: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 policer aggregate aggregate-policer-name {rate-bps | cir cir-bps} [bc burst-value] Define the policer parameters that can be applied to multiple traffic classes within the same policy map.
  • Page 672: Configuring Input Policy Maps With Marking

    You can configure a maximum of 100 QoS groups on the switch. • When you use a table map for marking in an input policy map, the protocol type of the map from type of action must be the same as the protocol type of the associated classification. For example, if the associated class map represents an IP classification, the map from type of action that references the table map must be either dscp or precedence.
  • Page 673 QoS default class map that matches all traffic not matched by class AF31-AF33 and sets all traffic to an IP DSCP value of 1. The second marking sets the traffic in classes AF31 to AF33 to an IP DSCP of 3.
  • Page 674: Configuring Per-Port Per-VLAN QoS With Hierarchical Input Policy Maps

    VLANs, and you can apply independent QoS policies to each parent-service class using any child policy map.
    • A policy is considered a parent policy map when it has one or more of its classes associated with a child policy map. Each class within a parent policy map is called a parent class. In parent classes, you can configure only the match vlan class-map configuration command.
  • Page 675 Creating Child-Policy Class Maps Beginning in privileged EXEC mode, follow these steps to create one or more child-policy class maps: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 class-map [match-all | match-any] Create a class map, and enter class-map configuration mode.
  • Page 676 Step 4 Use the police policy-map class configuration command to configure policers and the action to take for a class of traffic, or use the set policy-map class configuration command to mark traffic belonging to the class.
  • Page 677 Creating a Parent Policy Map Beginning in privileged EXEC mode, follow these steps to create a parent policy map and attach it to an interface: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 678: Configuring Output Policy Maps

    You use output policy maps to manage congestion avoidance, queuing, and scheduling of packets leaving the switch. The switch has four egress queues, and you use output policy maps to control the queue traffic. You configure shaping, queue-limit, and bandwidth on these queues. You can use high priority...
  • Page 679 For example, if you attach an output policy map that shapes DSCP 23 traffic to a port, DSCP traffic that is sent out of any other port without a policy map attached could be scheduled or ordered incorrectly with respect to other traffic sent out of the same port.
  • Page 680: Configuring Output Policy Maps With Class-Based-Weighted-Queuing

    CIR rates. If you configure the CIR rate of a class to be 0, that class is not eligible for any excess bandwidth and will receive no bandwidth. Beginning in privileged EXEC mode, follow these steps to use CBWFQ to control bandwidth allocated...
  • Page 681 For example: Warning: Detaching Policy test1 from Interface GigabitEthernet0/1 This example shows how to set the precedence of a queue by allocating 25 percent of the total available bandwidth to the traffic class defined by the class map:...
  • Page 682: Configuring Output Policy Maps With Class-Based Shaping

    Policy to an Interface” section on page 33-38. Use the no form of the appropriate command to delete an existing policy map or class map or to delete a class-based shaping configuration. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide...
  • Page 683: Configuring Output Policy Maps With Port Shaping

    Configuring Output Policy Maps with Port Shaping Port shaping is applied to all traffic leaving an interface. It uses a policy map with only class default when the maximum bandwidth for the port is specified by using the shape average command. A child policy can be attached to the class-default in a hierarchical policy map format to specify class-based actions for the queues on the shaped port.
  • Page 684: Configuring Output Policy Maps With Class-Based Priority Queuing

    With strict priority queuing, the priority queue is constantly serviced; all packets in the queue are scheduled and sent until the queue is empty. Excessive use of the priority queues can possibly delay packets in other queues and create unnecessary congestion.
  • Page 685 Policy to an Interface” section on page 33-38. Use the no form of the appropriate command to delete an existing policy map or class map or to cancel strict priority queuing for the priority class or the bandwidth setting for the other classes.
  • Page 686 • You cannot configure a policer committed burst size for an unconditional priority policer even though the keyword is visible in the CLI help. Any configured burst size is ignored when you try to attach the output service policy.
    • The allowed police rate range is 64000 to 1000000000 bps, even though the range that appears in...
  • Page 687 Step 7 conform-action [transmit] (Optional) Enter the action to be taken on packets that conform to the CIR. If no action is entered, the default action is to send the packet. Note: You can enter a single conform-action as part of the command string following the police command.
  • Page 688: Configuring Output Policy Maps With Weighted Tail Drop

    Policy to an Interface” section on page 33-38. Use the no form of the appropriate command to delete an existing policy map or class map or to cancel the priority queuing or policing for the priority class or the bandwidth setting for the other classes.
  • Page 689 30 and dscp 50 in policy-map1, and you configure class A queue-limits in policy-map 2, you must use dscp 30 and dscp 50 as qualifiers. You cannot use dscp 20 and dscp 40. The threshold values can be different, but different threshold values would create a new unique queue-limit configuration.
  • Page 690 “Configuring Output Policy Maps” section on page 33-52. Use the no form of the appropriate command to delete an existing policy map or class map or to delete a WTD configuration.
  • Page 691: Displaying QoS Information

    This example shows a policy map with a specified bandwidth and queue size. Traffic that is not DSCP 30 or 10 is assigned a queue limit of 112 packets. Traffic with a DSCP value of 30 is assigned a queue-limit of 48 packets, and traffic with a DSCP value of 10 is assigned a queue limit of 32 packets.
  • Page 692: Configuration Examples For Policy Maps

    This count includes the total number of packets that are sent and dropped for that class. You can use the same command to view the per-class tail drop statistics.
  • Page 693 Switch(config-cmap)# match ip dscp af31 Switch(config-cmap)# exit This example shows how to configure an input policy map that marks the gold class and polices the silver class to 50 Mb/s and the bronze class to 20 Mb/s. Switch(config)# policy-map input-all...
  • Page 694: QoS Configuration For Customer B

    In the initial configuration for Customer B, Fast Ethernet ports 1 through 8 are UNIs and are active. Fast Ethernet ports 9 through 24 are UNIs and are shut down. Gigabit Ethernet ports 1 and 2 are NNIs and are enabled by default.
  • Page 695: Modifying Output Policies And Adding Or Deleting Classification Criteria

    In the initial configuration, Fast Ethernet ports 1 through 12 are UNIs and are active. Fast Ethernet ports 13 through 24 are UNIs and are shut down. Gigabit Ethernet ports 1 and 2 are NNIs and are enabled by default.
  • Page 696: Modifying Output Policies And Changing Queuing Or Scheduling Parameters

    In the initial configuration, Fast Ethernet ports 1 through 12 are UNIs and are active. Fast Ethernet ports 13 through 24 are UNIs and are shut down. Gigabit Ethernet ports 1 and 2 are NNIs and are enabled by default.
  • Page 697: Modifying Output Policies And Adding Or Deleting A Class

    In the initial configuration, Fast Ethernet ports 1 through 12 are UNIs and are active. Fast Ethernet ports 13 through 24 are UNIs and are shut down. Gigabit Ethernet ports 1 and 2 are NNIs and are enabled by default.
  • Page 698 Switch(config)# interface range gigabitethernet0/1-2 Switch(config-if-range)# no service-policy output output-g1-2 Switch(config-if-range)# exit These steps delete a class from all output policy maps and input policy maps; the input policy can be left attached or can be detached: Switch(config)# policy-map output1-8 Switch(config-pmap)# no class bronze-out...
  • Page 699 Fast Ethernet port 1. In this case, it would be three. In some cases, packets for a flow out of Fast Ethernet port 2 might be reordered if a flow splits across more than one queue.
  • Page 701: Understanding EtherChannels

    You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur. EtherChannel provides automatic recovery for the loss of a link by redistributing the load across the remaining links.
  • Page 702: EtherChannel Overview

    The EtherChannel provides full-duplex bandwidth of up to 800 Mbps between your switch and another switch or host for Fast EtherChannel on a switch with 24 Fast Ethernet ports. For Gigabit EtherChannel, you can configure up to 8 Gbps (8 ports of 1 Gbps), depending on the number of supported Gigabit Ethernet interfaces.
  • Page 703: Chapter 34 Configuring EtherChannels And Link-State Tracking

    The local port is put into an independent state and continues to carry data traffic as would any other single link. The port configuration does not change, but the port does not participate in the EtherChannel.
  • Page 704: Port Aggregation Protocol

    Configuration changes applied to the physical port affect only the port to which you apply the configuration. To change the parameters of all ports in an EtherChannel, apply the configuration commands to the port-channel interface.
  • Page 705: PAgP Modes

    • A port in the auto mode can form an EtherChannel with another port that is in the desirable mode.
    • A port in the auto mode cannot form an EtherChannel with another port that is also in the auto mode because neither port starts PAgP negotiation.
  • Page 706: Link Aggregation Control Protocol

    EtherChannel. If this port is removed from the bundle, one of the remaining ports in the bundle provides its MAC address to the EtherChannel. PAgP sends and receives PAgP PDUs only from ports that are up and have PAgP enabled for the auto or desirable mode.
  • Page 707: LACP Interaction With Other Features

    Caution You should use care when using the on mode. This is a manual configuration, and ports on both ends of the EtherChannel must have the same configuration. If the group is misconfigured, packet loss or spanning-tree loops can occur.
  • Page 708 In this method, packets sent from the IP address A to IP address B, from IP address A to IP address C, and from IP address C to IP address B could all use different ports in the channel.
  • Page 709: Configuring EtherChannels

    Note: After you configure an EtherChannel, configuration changes applied to the port-channel interface apply to all the physical ports assigned to the port-channel interface, and configuration changes applied to the physical port affect only the port to which you apply the configuration.
  • Page 710: Default EtherChannel Configuration

    EtherChannel. UNIs and ENIs are disabled by default. NNIs are enabled by default.
    • When a group is first created, all ports follow the parameters set for the first port to be added to the...
  • Page 711: Configuring Layer 2 EtherChannels

    EtherChannel can support LACP and PAgP at the same time. If the switch is running the metro IP access image, there is no limit to the number of NNIs that can be configured on the switch.
  • Page 712 Chapter 34 Configuring EtherChannels and Link-State Tracking Configuring EtherChannels Beginning in privileged EXEC mode, follow these steps to assign a Layer 2 Ethernet port to a Layer 2 EtherChannel. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 713 Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove a port from the EtherChannel group, use the no channel-group interface configuration command.
  • Page 714: Configuring Layer 3 EtherChannels

    Then you put the logical interface into the channel group by using the channel-group interface configuration command. Note: To move an IP address from a physical port to an EtherChannel, you must delete the IP address from the physical port before configuring it on the port-channel interface.
  • Page 715: Configuring The Physical Interfaces

    34-15. To remove the port-channel, use the no interface port-channel port-channel-number global configuration command. This example shows how to create the logical port channel 5 and assign 172.10.20.10 as its IP address: Switch# configure terminal Switch(config)# interface port-channel 5 Switch(config-if)# no switchport Switch(config-if)# ip address 172.10.20.10 255.255.255.0...
  • Page 716 Command Purpose Step 6 channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive} Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 48. This number...
  • Page 717: Configuring EtherChannel Load Balancing

    This example shows how to configure an EtherChannel. It assigns two ports to channel 5 with the LACP mode active: Switch# configure terminal Switch(config)# interface range gigabitethernet0/1 -2 Switch(config-if-range)# no ip address...
  • Page 718: Configuring The PAgP Learn Method And Priority

    You also can configure a single port within the group for all transmissions and use other ports for hot standby. The unused ports in the group can be swapped into operation in just a few seconds if the selected single port loses hardware-signal detection. You can configure which port is always selected for packet transmission by changing its priority with the pagp port-priority interface configuration command.
  • Page 719: Configuring LACP Hot-Standby Ports

    When enabled, LACP tries to configure the maximum number of LACP-compatible ports in a channel, up to a maximum of 16 ports. Only eight LACP links can be active at one time. The software places any additional links in a hot-standby mode. If one of the active links becomes inactive, a link that is in the hot-standby mode becomes active in its place.
  • Page 720: Configuring The LACP System Priority

    Otherwise, the port is selected for standby mode. You can change the default values of the LACP system priority and the LACP port priority to affect how the software selects active and standby links. For more information, see the “Configuring the LACP...
  • Page 721: Configuring The LACP Port Priority

    Configuring the LACP Port Priority By default, all ports use the same port priority. If the local system has a lower value for the system priority and the system ID than the remote system, you can affect which of the hot-standby links become active first by changing the port priority of LACP EtherChannel ports to a lower value than the default.
  • Page 722: Displaying EtherChannel, PAgP, And LACP Status

    SP network. This configuration ensures that the traffic flow is balanced from the customer site to the SP and the reverse. Ports connected to the CPE are referred to as downstream ports, and ports connected to PE switches are referred to as upstream ports.
  • Page 723 When you enable link-state tracking on the switch, the link state of the downstream ports is bound to the link state of one or more of the upstream ports. After you associate a set of downstream ports to a set of upstream ports, if all of the upstream ports become unavailable, link-state tracking automatically puts the associated downstream ports in an error-disabled state.
  • Page 724: Configuring Link-State Tracking

    • An interface cannot be a member of more than one link-state group.
    • You can configure only two link-state groups per switch.
    Configuring Link-State Tracking Beginning in privileged EXEC mode, follow these steps to configure a link-state group and to assign an interface to a group: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 725: Displaying Link-State Tracking Status

    Upstream Interfaces : Fa0/15(Dwn) Fa0/16(Dwn) Fa0/17(Dwn) Downstream Interfaces : Fa0/11(Dis) Fa0/12(Dis) Fa0/13(Dis) Fa0/14(Dis) (Up):Interface up (Dwn):Interface Down (Dis):Interface disabled For detailed information about the fields in the display, see the command reference for this release.
  • Page 727: Configuring IP Unicast Routing

    Chapter 35 Configuring IP Unicast Routing This chapter describes how to configure IP Version 4 (IPv4) unicast routing on the Cisco ME 3400 Ethernet Access switch. For information about IPv6 routing, see Chapter 36, “Configuring IPv6 Unicast Routing.”...
  • Page 728: Chapter 35 Configuring IP Unicast Routing

    Switch A forwards the packet directly to Host B, without sending it to the router. When Host A sends a packet to Host C in VLAN 20, Switch A forwards the packet to the router, which receives the traffic on the VLAN 10 interface. The router checks the routing table, finds the correct outgoing interface, and forwards the packet on the VLAN 20 interface to Switch B.
  • Page 729: Steps For Configuring Routing

    “Assigning IP Addresses to Network Interfaces” section on page 35-5. Note: A Layer 3 switch can have an IP address assigned to each routed port and SVI. The number of routed ports and SVIs that you can configure is not limited by software. However, the interrelationship between this number and the number and volume of features being implemented might have an impact on CPU utilization because of hardware limitations.
  • Page 730: Default Addressing Configuration

    Domain list: No domain names defined. Domain lookup: Enabled. Domain name: Enabled. IP forward-protocol: If a helper address is defined or User Datagram Protocol (UDP) flooding is configured, UDP forwarding is enabled on default ports. Any-local-broadcast: Disabled. Turbo-flood: Disabled. IP helper address: Disabled.
  • Page 731: Assigning IP Addresses To Network Interfaces

    IP address. A mask identifies the bits that denote the network number in an IP address. When you use the mask to subnet a network, the mask is referred to as a subnet mask. To receive an assigned network number, contact your Internet service provider.
  • Page 732: Classless Routing

    By default, classless routing behavior is enabled on the switch when it is configured to route. With classless routing, if a router receives packets for a subnet of a network with no default route, the router forwards the packet to the best supernet route. A supernet consists of contiguous blocks of Class C address spaces used to simulate a single, larger address space and is designed to relieve the pressure on the rapidly depleting Class B address space.
  • Page 733: Configuring Address Resolution Methods

    Proxy ARP helps hosts with no routing tables learn the MAC addresses of hosts on other networks or subnets. If the switch (router) receives an ARP request for a host that is not on the same interface as the ARP request sender, and if the router has all of its routes to the host through other interfaces, it generates a proxy ARP packet giving its own local data link address.
  • Page 734: Define A Static ARP Cache

    Optionally, you can also specify that the switch respond to ARP requests as if it were the owner of the specified IP address. If you do not want the ARP entry to be permanent, you can specify a timeout period for the ARP entry.
  • Page 735: Set ARP Encapsulation

    To disable an encapsulation type, use the no arp arpa or no arp snap interface configuration command. Enable Proxy ARP By default, the switch uses proxy ARP to help hosts learn MAC addresses of hosts on other networks or subnets.
  • Page 736: Routing Assistance When IP Routing Is Disabled

    ARP request for a host that is not on the same network as the sender, the switch evaluates whether it has the best route to that host. If it does, it sends an ARP reply packet with its own Ethernet MAC address, and the host that sent the request sends the packet to the switch, which forwards it to the intended host.
  • Page 737 The advantage of using IRDP is that it allows each router to specify both a priority and the time after which a device is assumed to be down if no further packets are received.
  • Page 738: Configuring Broadcast Packet Handling

    After configuring an IP interface address, you can enable routing and configure one or more routing protocols, or you can configure the way the switch responds to network broadcasts. A broadcast is a data packet destined for all hosts on a physical network. The switch supports two kinds of broadcasting: A directed broadcast packet is sent to a specific network or series of networks.
  • Page 739: Forwarding UDP Broadcast Packets And Protocols

    Network hosts occasionally use UDP broadcasts to find address, configuration, and name information. If such a host is on a network segment that does not include a server, UDP broadcasts are normally not forwarded. You can configure an interface on a router to forward certain classes of broadcasts to a helper address.
  • Page 740: Establishing An IP Broadcast Address

    The most popular IP broadcast address (and the default) is an address consisting of all ones (255.255.255.255). However, the switch can be configured to generate any form of IP broadcast address. Beginning in privileged EXEC mode, follow these steps to set the IP broadcast address on an interface: Command...
  • Page 741: Flooding IP Broadcasts

    When a flooded UDP datagram is sent out an interface (and the destination address possibly changed), the datagram is handed to the normal IP output routines and is, therefore, subject to access lists, if they are present on the output interface.
  • Page 742: Monitoring And Maintaining IP Addressing

    To disable this feature, use the no ip forward-protocol turbo-flood global configuration command. Monitoring and Maintaining IP Addressing When the contents of a particular cache, table, or database have become or are suspected to be invalid, you can remove all its contents by using the clear privileged EXEC commands.
  • Page 743: Enabling IPv4 Unicast Routing

    Enabling IPv4 Unicast Routing By default, the switch is in Layer 2 switching mode and IP routing is disabled. To use the Layer 3 capabilities of the switch, you must enable IP routing. Beginning in privileged EXEC mode, follow these steps to enable IP routing:...
  • Page 744: Default RIP Configuration

    RIP uses hop counts to rate the value of different routes. The hop count is the number of routers that can be traversed in a route. A directly connected network has a hop count of zero; a network with a hop count of 16 is unreachable.
  • Page 745: Configuring Basic RIP Parameters

    Version 2 packets. By default, the switch receives Version 1 and 2 but sends only Version 1. You can also use the interface commands ip rip {send | receive} version {1 | 2 | 1 2} to control what versions are used for sending and receiving on interfaces.
  • Page 746: Configuring RIP Authentication

    RIP Version 1 does not support authentication. If you are sending and receiving RIP Version 2 packets, you can enable RIP authentication on an interface. The key chain specifies the set of keys that can be used on the interface. If a key chain is not configured, no authentication is performed, not even the default.
  • Page 747: Configuring Split Horizon

    To enable the split horizon mechanism, use the ip split-horizon interface configuration command. Configuring Summary Addresses To configure an interface running RIP to advertise a summarized local IP address pool on a network access server for dial-up clients, use the ip summary-address rip interface configuration command.
  • Page 748: Configuring OSPF

    10.0.0.0 so that 10.2.0.0 is advertised out interface Gigabit Ethernet port 2, and 10.0.0.0 is not advertised. If the interface is in Layer 2 mode (the default), you must enter a no switchport interface configuration command before entering the ip address interface configuration command.
  • Page 749 • Routes learned through any IP routing protocol can be redistributed into another IP routing protocol. At the intradomain level, this means that OSPF can import routes learned through EIGRP and RIP. OSPF routes can also be exported into RIP.
  • Page 750: Default OSPF Configuration

    NSSA: No NSSA area defined. Auto cost: 100 Mbps. Default-information originate: Disabled. When enabled, the default metric setting is 10, and the external route type default is Type 2. Default metric: Built-in, automatic metric translation, as appropriate for each routing protocol.
  • Page 751: Nonstop Forwarding Awareness

    2. OSPF NSF awareness is enabled for IPv4 on switches running the metro IP access image. Nonstop Forwarding Awareness: The OSPF NSF Awareness feature is supported for IPv4 in the metro IP access image. When the neighboring router is NSF-capable, the Layer 3 switch continues to forward packets from the...
  • Page 752: Configuring OSPF Interfaces

    Configuring OSPF To terminate an OSPF routing process, use the no router ospf process-id global configuration command. This example shows how to configure an OSPF routing process and assign it a process number of 109: Switch(config)# router ospf 109 Switch(config-router)# network 131.108.0.0 255.255.255.0 area 24...
  • Page 753: Configuring OSPF Network Types

    Step 16 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no form of these commands to remove the configured parameter value or return to the default value. Configuring OSPF Network Types OSPF classifies different media into the three types of networks by default:
    • Broadcast networks (Ethernet, Token Ring, and FDDI)...
  • Page 754: Configuring Network Types For OSPF Interfaces

    Assigning a cost to a neighbor is optional. Configuring Network Types for OSPF Interfaces You can configure network interfaces as either broadcast or NBMA and as point-to-point or point-to-multipoint, regardless of the default media type.
  • Page 755: Configuring OSPF Area Parameters

    (Optional) Save your entries in the configuration file. Use the no form of the ip ospf network command to return to the default network type for the media. Configuring OSPF Area Parameters You can optionally configure several OSPF area parameters. These parameters include authentication for password-based protection against unauthorized access to an area, stub areas, and not-so-stubby-areas (NSSAs).
  • Page 756 (Optional) Save your entries in the configuration file. Use the no form of these commands to remove the configured parameter value or to return to the default value.
  • Page 757: Configuring Other OSPF Parameters

    Route Maps to Redistribute Routing Information” section on page 35-99, each route is advertised individually in an external LSA. To help decrease the size of the OSPF link state database, you can use the summary-address router configuration command to advertise a single route for all the redistributed routes included in a specified network address and mask.
  • Page 758: Changing LSA Group Pacing

    For example, if you have approximately 10,000 LSAs in the database, decreasing the pacing interval would benefit you. If you have a very small database (40 to 100 LSAs), increasing the pacing interval to 10 to 20 minutes might benefit you slightly.
  • Page 759: Configuring A Loopback Interface

    Configuring a Loopback Interface OSPF uses the highest IP address configured on the interfaces as its router ID. If this interface is down or removed, the OSPF process must recalculate a new router ID and resend all its routing information out its interfaces.
  • Page 760: Monitoring OSPF

    15 hops. Because the EIGRP metric is large enough to support thousands of hops, the only barrier to expanding the network is the transport-layer hop counter. EIGRP increments the transport control field only when an IP packet has traversed 15 routers and the next hop to the destination was learned through EIGRP.
  • Page 761 Therefore, EIGRP sends a single multicast hello with an indication in the packet informing the receivers that the packet need not be acknowledged. Other types of packets (such as updates) require acknowledgment, which is shown in the packet.
  • Page 762: Default EIGRP Configuration

    Distributed proportionately to the ratios of the metrics. Variance: 1 (equal-cost load balancing). 1. NSF = Nonstop Forwarding 2. EIGRP NSF awareness is enabled for IPv4 on switches running the metro IP access image.
  • Page 763: Configuring Basic EIGRP Parameters

    Configuring EIGRP To create an EIGRP routing process, you must enable EIGRP and associate networks. EIGRP sends updates to the interfaces in the specified networks. If you do not specify an interface network, it is not advertised in any EIGRP update.
  • Page 764: Configuring EIGRP Interfaces

    (Optional) Save your entries in the configuration file. Use the no forms of these commands to disable the feature or return the setting to the default value. Configuring EIGRP Interfaces Other optional EIGRP parameters can be configured on an interface basis.
  • Page 765: Configuring EIGRP Route Authentication

    (Optional) Save your entries in the configuration file. Use the no forms of these commands to disable the feature or return the setting to the default value. Configuring EIGRP Route Authentication EIGRP route authentication provides MD5 authentication of routing updates from the EIGRP routing protocol to prevent the introduction of unauthorized or false routing messages from unapproved sources.
  • Page 766: Configuring EIGRP Stub Routing

    (Optional) Save your entries in the configuration file. Use the no forms of these commands to disable the feature or to return the setting to the default value. Configuring EIGRP Stub Routing The EIGRP stub routing feature reduces resource utilization by moving routed traffic closer to the end user.
  • Page 767: Monitoring And Maintaining EIGRP

    You can delete neighbors from the neighbor table. You can also display various EIGRP routing statistics. Table 35-8 lists the privileged EXEC commands for deleting neighbors and displaying statistics. For explanations of fields in the resulting display, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. Table 35-8...
  • Page 768: Configuring BGP

    In Figure 35-5, Routers A and B are BGP peers, as are Routers B and C and Routers C and D. The routing information is a series of AS numbers that describe the full path to the destination network. BGP uses this information to construct a loop-free map of autonomous systems.
  • Page 769 AS must be fully meshed logically. BGP4 provides two techniques that reduce the requirement for a logical full mesh: confederations and route reflectors.
    • AS 200 is a transit AS for AS 100 and AS 300—that is, AS 200 is used to transfer packets between...
  • Page 770: Default BGP Configuration

    Protocols” part of the Cisco IOS IP Configuration Guide, Release 12.2. For details about specific commands, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of BGP commands that are visible but not supported by the switch, see Appendix C, “Unsupported Commands in Cisco IOS Release 12.2(50)SE.”...
  • Page 771 Keepalive: 60 seconds; holdtime: 180 seconds. 1. NSF = Nonstop Forwarding 2. BGP NSF Awareness can be enabled for IPv4 on switches with the metro IP access image by enabling Graceful Restart. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide...
  • Page 772: Enabling Bgp Routing

    AS path includes private AS numbers, these numbers are dropped. If your AS must pass traffic through it from another AS to a third AS, it is important to be consistent about the routes it advertises. If BGP advertises a route before all routers in the network learn about the route through the IGP, the AS might receive traffic that some routers cannot yet route.
  • Page 773 (Optional) Save your entries in the configuration file. Use the no router bgp autonomous-system global configuration command to remove a BGP AS. Use the no network network-number router configuration command to remove the network from the BGP table.
  • Page 774: Managing Routing Policy Changes

    Connections established 11; dropped 10 Anything other than state = established means that the peers are not running. The remote router ID is the highest IP address on that router (or the highest loopback interface). Each time the table is updated with new information, the table version number increments.
  • Page 775 Configuring IP Unicast Routing Configuring BGP There are two types of reset, hard reset and soft reset. The switch supports a soft reset without any prior configuration when both BGP peers support the soft route refresh capability, which is advertised in the OPEN message sent when the peers establish a TCP session.
  • Page 776: Configuring Bgp Decision Attributes

    BGP routing table and propagated to its neighbors. When a BGP peer learns two EBGP paths for a prefix from a neighboring AS, it chooses the best path and inserts that path in the IP routing table. If BGP multipath support is enabled and the EBGP paths are learned from the same neighboring autonomous systems, multiple paths are installed in the IP routing table.
  • Page 777 Chapter 35 Configuring IP Unicast Routing Configuring BGP Beginning in privileged EXEC mode, follow these steps to configure some decision attributes: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router bgp autonomous-system Enable a BGP routing process, assign it an AS number, and enter router configuration mode.
  • Page 778: Configuring Bgp Filtering With Route Maps

    You can use route maps on a per-neighbor basis to filter updates and to modify various attributes. A route map can be applied to either inbound or outbound updates. Only the routes that pass the route map are sent or accepted in updates.
  • Page 779 (Optional) Save your entries in the configuration file. Use the no neighbor distribute-list command to remove the access list from the neighbor. Use the no neighbor route-map map-tag router configuration command to remove the route map from the neighbor.
  • Page 780: Configuring Prefix Lists For Bgp Filtering

    Filtering by a prefix list involves matching the prefixes of routes with those listed in the prefix list, as when matching access lists. When there is a match, the route is used. Whether a prefix is permitted or denied is based upon these rules: An empty prefix list permits all prefixes.
  • Page 781: Configuring Bgp Community Filtering

    COMMUNITIES attribute that contains all communities from all the initial routes. You can use community lists to create groups of communities to use in a match clause of a route map. As with an access list, a series of community lists can be created. Statements are checked until a match is found.
  • Page 782: Configuring Bgp Neighbors And Peer Groups

    When you have configured many peers, we recommend this approach. To configure a BGP peer group, you create the peer group, assign options to the peer group, and add neighbors as peer group members. You configure the peer group by using the neighbor router configuration commands.
  • Page 783 neighbor {ip-address | peer-group-name} ebgp-multihop (Optional) Allow BGP sessions, even when the neighbor is not on a directly connected segment. The multihop session is not established if the only route to the multihop peer’s address is the default route (0.0.0.0). Step 11 neighbor {ip-address | peer-group-name} (Optional) Specify an AS number to use as the local AS.
  • Page 784: Configuring Aggregate Addresses

    BGP or by creating an aggregate entry in the BGP routing table. An aggregate address is added to the BGP table when there is at least one more specific entry in the BGP table. Beginning in privileged EXEC mode, use these commands to create an aggregate address in the routing...
  • Page 785: Configuring Routing Domain Confederations

    (Optional) Save your entries in the configuration file. Configuring BGP Route Reflectors BGP requires that all of the IBGP speakers be fully meshed. When a router receives a route from an external neighbor, it must advertise it to all internal neighbors. To prevent a routing information loop, all IBGP speakers must be connected.
  • Page 786: Configuring Route Dampening

    The reuse limit is a configurable value that is compared with the penalty. If the penalty is less than the reuse limit, a suppressed route that is up is advertised again.
  • Page 787: Monitoring And Maintaining Bgp

    Monitoring and Maintaining BGP You can remove all contents of a particular cache, table, or database. This might be necessary when the contents of the particular structure have become or are suspected to be invalid. You can display specific statistics, such as the contents of BGP routing tables, caches, and databases.
  • Page 788: Configuring Iso Clns Routing

    Open System Interconnection (OSI) model. Addresses in the ISO network architecture are referred to as network service access point (NSAP) addresses and network entity titles (NETs). Each node in an OSI network has one or more NETs. In addition, each node has many NSAP addresses.
  • Page 789: Configuring Is-Is Dynamic Routing

    For IS-IS multiarea routing, you can configure only one process to perform Level 2 routing, although you can define up to 29 Level 1 areas for each Cisco unit. If Level 2 routing is configured on any process, all additional processes are automatically configured as Level 1. You can configure this process to perform Level 1 routing at the same time.
  • Page 790: Enabling Is-Is Routing

    Enabling IS-IS Routing To enable IS-IS, you specify a name and NET for each routing process. You then enable IS-IS routing on the interface and specify the area for each instance of the routing process. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide...
  • Page 791 Chapter 35 Configuring IP Unicast Routing Configuring ISO CLNS Routing Beginning in privileged EXEC mode, follow these steps to enable IS-IS and specify the area for each instance of the IS-IS routing process: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 792: Configuring Is-Is Global Parameters

    Configuring IP Unicast Routing Configuring ISO CLNS Routing This example shows how to configure three routers to run conventional IS-IS as an IP routing protocol. In conventional IS-IS, all routers act as Level 1 and Level 2 routers (by default).
  • Page 793 You can configure the switch to generate a log message when an IS-IS adjacency changes state (up or down). If a link in the network has a maximum transmission unit (MTU) size of less than 1500 bytes, you can lower the LSP MTU so that routing will still occur.
  • Page 794 Configuring ISO CLNS Routing Command Purpose Step 10 lsp-refresh-interval seconds (Optional) Set an LSP refresh interval in seconds. The range is from 1 to 65535 seconds. The default is to send LSP refreshes every 900 seconds (15 minutes). Step 11 max-lsp-lifetime seconds (Optional) Set the maximum time that LSP packets remain in the router database without being refreshed.
  • Page 795: Configuring Is-Is Interface Parameters

    These are some interface level parameters you can configure: The default metric on the interface, which is used as a value for the IS-IS metric and assigned when there is no quality of service (QoS) routing performed. The hello interval (length of time between hello packets sent on the interface) or the default hello...
  • Page 796 (Optional) Configure the metric (or cost) for the specified interface. The range is from 0 to 63. The default is 10. If no level is entered, the default is to apply to both Level 1 and Level 2 routers.
  • Page 797: Monitoring And Maintaining Is-Is

    To return to the default settings, use the no forms of the commands. Monitoring and Maintaining IS-IS You can remove all contents of a CLNS cache or remove information for a particular neighbor or route. You can display specific CLNS or IS-IS statistics, such as the contents of routing tables, caches, and databases.
  • Page 798: Configuring Bfd

    OSPF and BFD. When OSPF discovers a neighbor (1), it sends a request to the BFD process to initiate a BFD neighbor session with the neighbor OSPF router (2), establishing the BFD neighbor session (3).
  • Page 799 BGP, EIGRP, and HSRP clients. You can use one BFD session for multiple client protocols. For example, if a network is running OSPF and EIGRP across the same link to the same peer, you need to create only one BFD session, and information is shared with both routing protocols.
  • Page 800: Default Bfd Configuration

    To run BFD on a switch, you need to configure basic BFD interval parameters on BFD interfaces, enable routing on the switch, and enable one or more routing protocol clients for BFD. You also need to confirm that Cisco Express Forwarding (CEF) is enabled (the default) on participating switches.
  • Page 801: Configuring Bfd Session Parameters On An Interface

    Configuring IP Unicast Routing Configuring BFD In HSRP BFD, standby BFD is enabled globally by default and on all interfaces. If you disable it on an interface, you then must disable and reenable it globally for BFD sessions to be active.
  • Page 802: Enabling Bfd Routing Protocol Clients

    If you want to run OSPF BFD on only one or a few interfaces, you can enter the ip ospf bfd interface configuration command on those interfaces instead of enabling it globally. See the next procedure.
  • Page 803: Configuring Bfd For Is-Is

    (Optional) Save your entries in the configuration file. To disable OSPF BFD on an interface, enter the no ip ospf bfd or the ip ospf bfd disable interface configuration command on the interface. This is an example of configuring BFD for OSPF on a single interface:...
  • Page 804 To disable it on the specified interface, enter the no isis bfd or the isis bfd disable interface configuration command on the interface. If you only want to run IS-IS BFD on a few interfaces, instead of enabling it globally, you can enter the isis bfd interface configuration command on those interfaces. See the next procedure.
  • Page 805: Configuring Bfd For Bgp

    Configuring IP Unicast Routing Configuring BFD To disable IS-IS BFD on an interface, enter the no isis bfd or the isis bfd disable interface configuration command on the interface. This is an example of configuring BFD for IS-IS on a single interface:...
  • Page 806: Configuring Bfd For Hsrp

    To disable it on an interface, enter the no bfd interface interface-id router configuration command. Configuring BFD for HSRP HSRP supports BFD by default; it is globally enabled on all interfaces. If HSRP support has been manually disabled, you can reenable it in interface or global configuration mode. All participating devices must have HSRP enabled and CEF enabled (the default).
  • Page 807: Disabling Bfd Echo Mode

    When you configure a BFD session, BFD echo mode is enabled by default on BFD interfaces. You can disable echo mode on an interface so that it sends no echo packets of its own and only sends back echo packets received from a neighbor. When echo mode is disabled, control packets are used to detect forwarding failures.
  • Page 808: Understanding Multi-Vrf Ce

    VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF. Interfaces in a VRF can be either physical, such as Ethernet ports, or logical, such as VLAN SVIs, but an interface cannot belong to more than one VRF at any time.
  • Page 809 PE = Provider-edge device When the CE switch receives a command to add a Layer 3 interface to a VRF, it sets up the appropriate mapping between the VLAN ID and the policy label (PL) in multi-VRF-CE-related data structures and adds the VLAN ID and PL to the VLAN database.
  • Page 810: Default Multi-Vrf Ce Configuration

    both. The SVIs can be connected through an access port or a trunk port. A customer can use multiple VLANs as long as they do not overlap with those of other customers. A customer’s VLANs are mapped to a specific routing table ID that is used to identify the appropriate routing tables stored on the switch.
  • Page 811: Configuring Vrfs

    VRF and policy-based routing (PBR) are mutually exclusive on a switch interface. You cannot enable VRF when PBR is enabled on an interface. Likewise, you cannot enable PBR when VRF is enabled on an interface. Configuring VRFs Beginning in privileged EXEC mode, follow these steps to configure one or more VRFs. For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2.
  • Page 812: Configuring Vrf-Aware Services

    VRF in the system can be specified for a VRF-aware service. VRF-Aware services are implemented in platform-independent modules. VRF means multiple routing instances in Cisco IOS. Each platform has its own limit on the number of VRFs it supports. VRF-aware services have the following characteristics: The user can ping a host in a user-specified VRF.
  • Page 813: User Interface For Snmp

    Return to privileged EXEC mode. User Interface for HSRP HSRP support for VRFs ensures that HSRP virtual IP addresses are added to the correct IP routing table. Beginning in privileged EXEC mode, follow these steps to configure VRF-aware services for HSRP. For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2.
  • Page 814: User Interface For Urpf

    Configuring Multi-VRF CE User Interface for uRPF uRPF can be configured on an interface assigned to a VRF, and source lookup is done in the VRF table. Beginning in privileged EXEC mode, follow these steps to configure VRF-aware services for uRPF. For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2.
  • Page 815: User Interface For Traceroute

    So that FTP and TFTP are VRF-aware, you must configure some FTP/TFTP CLIs. For example, if you want to use a VRF table that is attached to an interface, say E1/0, you need to configure the CLI ip [t]ftp source-interface E1/0 to inform [t]ftp to use a specific routing table. In this example, the VRF table is used to look up the destination IP address.
  • Page 816: Configuring Bgp Pe To Ce Routing Sessions

    Use the no router ospf process-id vrf vrf-name global configuration command to disassociate the VPN forwarding table from the OSPF routing process. Configuring BGP PE to CE Routing Sessions Beginning in privileged EXEC mode, follow these steps to configure a BGP PE to CE routing session: Command Purpose...
  • Page 817: Multi-Vrf Ce Configuration Example

    Figure 35-8. OSPF is the protocol used in VPN1, VPN2, and the global network. BGP is used in the CE to PE connections. The examples following the illustration show how to configure a Cisco ME 3400 switch as CE Switch A, and the VRF configuration for customer switches D and F.
  • Page 818 Configure the VLANs used on Switch A. VLAN 10 is used by VRF 11 between the CE and the PE. VLAN 20 is used by VRF 12 between the CE and the PE. VLANs 118 and 208 are used for the VPNs...
  • Page 819 Switch(config-router-af)# neighbor 38.0.0.3 activate Switch(config-router-af)# network 8.8.1.0 mask 255.255.255.0 Switch(config-router-af)# end Configuring Switch D Switch D belongs to VPN 1. Configure the connection to Switch A by using these commands. Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z.
  • Page 820 Switch(config-router)# network 118.0.0.0 0.0.0.255 area 0 Switch(config-router)# end Configuring the PE Switch B On Switch B (the PE router), these commands configure only the connections to the CE device, Switch A. Router# configure terminal Enter configuration commands, one per line.
  • Page 821: Displaying Multi-Vrf Ce Status

    CEF uses the Forwarding Information Base (FIB) lookup table to perform destination-based switching of IP packets.
  • Page 822 FIB contains all known routes that exist in the routing table, CEF eliminates route cache maintenance, is more efficient for switching traffic, and is not affected by traffic patterns. Nodes in the network are said to be adjacent if they can reach each other with a single hop across a...
  • Page 823: Configuring The Number Of Equal-Cost Routing Paths

    The term parallel path is another way to see occurrences of equal-cost routes in a routing table. If a router has two or more equal-cost paths to a network, it can use them concurrently.
  • Page 824: Specifying Default Routes And Networks

    0.0.0.0. A router that is generating the default for a network also might need a default of its own. One way a router can generate its own default is to specify a static route to the network 0.0.0.0 through the appropriate device.
  • Page 825: Using Route Maps To Redistribute Routing Information

    If this network appears in the routing table from any source, it is flagged as a possible choice for the default route. If the router has no interface on the default network, but does have a path to it, the network is considered as a possible candidate, and the gateway to the best default path becomes the gateway of last resort.
  • Page 826 Configuring IP Unicast Routing Configuring Protocol-Independent Features You can also identify route-map statements as permit or deny. If the statement is marked as a deny, the packets meeting the match criteria are sent back through the normal forwarding channels (destination-based routing). If the statement is marked as permit, set clauses are applied to packets meeting the match criteria.
  • Page 827 255, where 255 means 100 percent reliability and 0 means no reliability. loading—Effective bandwidth of the route expressed as a number from 0 to 255 (255 is 100 percent loading). mtu—Minimum maximum transmission unit (MTU) size of the route in bytes in the range 0 to 4294967295.
  • Page 828 (Optional) Save your entries in the configuration file. To delete an entry, use the no route-map map-tag global configuration command or the no match or no set route-map configuration commands. You can distribute routes from one routing domain into another and control route distribution.
  • Page 829: Configuring Policy-Based Routing

    You can apply a policy route map to an EtherChannel port channel in Layer 3 mode, but you cannot apply a policy route map to a physical interface that is a member of the EtherChannel. If you try to do so, the command is rejected. When a policy route map is applied to a physical interface, that interface cannot become a member of an EtherChannel.
  • Page 830: Enabling Pbr

    By default, PBR is disabled on the switch. To enable PBR, you must create a route map that specifies the match criteria and the resulting action if all of the match clauses are met. Then, you must enable PBR for that route map on an interface. All packets arriving on the specified interface matching the match clauses are subject to PBR.
  • Page 831 (Optional) Number that shows the position of a new route map in the list of route maps already configured with the same name. Step 3 match ip address {access-list-number | access-list-name} [...access-list-number |... Match the source and destination IP address that is permitted by...
  • Page 832: Filtering Routing Information

    In networks with many interfaces, to avoid having to manually set them as passive, you can set all interfaces to be passive by default by using the passive-interface default router configuration command and manually setting interfaces where adjacencies are desired.
  • Page 833: Controlling Advertising And Processing In Routing Updates

    Use a network monitoring privileged EXEC command such as show ip ospf interface to verify the interfaces that you enabled as passive, or use the show ip interface privileged EXEC command to verify the interfaces that you enabled as active.
  • Page 834: Filtering Sources Of Routing Information

    To manage authentication keys, define a key chain, identify the keys that belong to the key chain, and specify how long each key is valid. Each key has its own key identifier (specified with the key number key chain configuration command), which is stored locally.
  • Page 835: Monitoring And Maintaining The Ip Network

    To remove the key chain, use the no key chain name-of-chain global configuration command. Monitoring and Maintaining the IP Network You can remove all contents of a particular cache, table, or database. You can also display specific statistics. Use the privileged EXEC commands in...
  • Page 836 Chapter 35 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network Table 35-17 Commands to Clear IP Routes or Display Route Status (continued) Command Purpose show ip route supernets-only Display supernets. show ip cache Display the routing table used to switch IP traffic.
  • Page 837: Understanding Ipv6

    Chapter 37, “Configuring IPv6 ACLs.” To use this feature, the switch must be running the metro IP access image. To enable IPv6 routing, you must configure the switch to use a dual IPv4 and IPv6 switch database management (SDM) template.
  • Page 838: C H A P T E R 36 Configuring Ipv6 Unicast Routing

    For easier implementation, leading zeros in each field are optional. This is the same address without leading zeros: 2031:0:130F:0:0:9C0:80F:130B You can also use two colons (::) to represent successive hexadecimal fields of zeros, but you can use this short version only once in each address: 2031:0:130F::09C0:080F:130B For more information about IPv6 address formats, address types, and the IPv6 packet header, see the “Implementing IPv6 Addressing and Basic Connectivity”...
  • Page 839: Bit Unicast Addresses

    The DNS AAAA resource record types support IPv6 addresses and are equivalent to an A address record in IPv4. The switch supports DNS resolution for IPv4 and IPv6. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide...
  • Page 840: Path Mtu Discovery For Ipv6 Unicast

    MTU discovery. Path MTU discovery allows a host to dynamically discover and adjust to differences in the MTU size of every link along a given data path. In IPv6, if a link along the path is not large enough to accommodate the packet size, the source of the packet handles the fragmentation. The switch does not support path MTU discovery for multicast packets.
  • Page 841: Ipv6 Applications

    IPv6” chapter and the “Implementing IPv6 Addressing and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. Dual IPv4 and IPv6 Protocol Stacks You must use the dual IPv4 and IPv6 template to allocate hardware memory usage to both IPv4 and IPv6 protocols. Figure 36-1 shows a router forwarding both IPv4 and IPv6 traffic through the same interface, based on the IP packet and destination addresses.
  • Page 842: Dhcp For Ipv6 Address Assignment

    Chapter 36 Configuring IPv6 Unicast Routing Understanding IPv6 If you do not plan to use IPv6, do not use the dual stack template because it results in less hardware memory availability for each resource. For more information about IPv4 and IPv6 protocol stacks, see the “Implementing IPv6 Addressing and Basic Connectivity”...
  • Page 843: Http(S) Over Ipv6

    16-bit values between colons. The accept socket call chooses an IPv4 or IPv6 address family. The accept socket is either an IPv4 or IPv6 socket. The listening socket waits for both IPv4 and IPv6 signals that indicate a connection. The IPv6 listening socket is bound to an IPv6 wildcard address.
  • Page 844: Configuring Ipv6

    ICMPv6 redirect functionality is not supported for IPv6 host routes (routes used to reach a specific host) or for IPv6 routes with masks greater than 64 bits. The switch cannot redirect hosts to a better first-hop router for a specific destination that is reachable through a host route or through a route with masks greater than 64 bits.
  • Page 845: Default Ipv6 Configuration

    16-bit values between colons. The prefix-length variable (preceded by a slash [/]) is a decimal value that shows how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address).
  • Page 846 Chapter 36 Configuring IPv6 Unicast Routing Configuring IPv6 Beginning in privileged EXEC mode, follow these steps to assign an IPv6 address to a Layer 3 interface and enable IPv6 routing: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 847: Configuring Default Router Preference

    This example shows how to enable IPv6 with both a link-local address and a global address based on the IPv6 prefix 2001:0DB8:c18:1::/64. The EUI-64 interface ID is used in the low-order 64 bits of both addresses.
  • Page 848: Configuring Ipv4 And Ipv6 Protocol Stacks

    Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. Configuring IPv4 and IPv6 Protocol Stacks Before configuring IPv6 routing, you must select an SDM template that supports IPv4 and IPv6. If not already configured, use the sdm prefer dual-ipv4-and-ipv6 {default | routing | vlan} global configuration command to configure a template that supports IPv6.
  • Page 849: Configuring Dhcp For Ipv6 Address Assignment

    (Optional) Save your entries in the configuration file. To disable IPv4 routing, use the no ip routing global configuration command. To disable IPv6 routing, use the no ipv6 unicast-routing global configuration command. To remove an IPv4 address from an interface, use the no ip address ip-address mask interface configuration command.
  • Page 850: Dhcpv6 Address Assignment Configuration Guidelines

    Before configuring DHCPv6, you must select a Switch Database Management (SDM) template that supports IPv4 and IPv6. The switch can act as a DHCPv6 client, server, or relay agent. The DHCPv6 client, server, and relay functions are mutually exclusive on an interface.
  • Page 851 (Optional) Save your entries in the configuration file. To delete a DHCPv6 pool, use the no ipv6 dhcp pool poolname global configuration command. Use the no form of the DHCP pool configuration mode commands to change the DHCPv6 pool characteristics.
  • Page 852: Enabling The Dhcpv6 Client Function

    ICMP rate limiting is enabled by default with a default interval between error messages of 100 milliseconds and a bucket size (maximum number of tokens to be stored in a bucket) of 10. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide...
  • Page 853: Configuring Cef For Ipv6

    Cisco Express Forwarding (CEF) is a Layer 3 IP switching technology, allowing more CPU processing power to be dedicated to packet forwarding. IPv4 CEF is enabled by default. IPv6 CEF is disabled by default, but automatically enabled when you configure IPv6 routing.
  • Page 854 Chapter 36 Configuring IPv6 Unicast Routing Configuring IPv6 Beginning in privileged EXEC mode, follow these steps to configure an IPv6 static route: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ipv6 route ipv6-prefix/prefix length Configure a static IPv6 route.
  • Page 855: Configuring Rip For Ipv6

    To remove a configured static route, use the no ipv6 route ipv6-prefix/prefix length {ipv6-address | interface-id [ipv6-address]} [administrative distance] global configuration command. This example shows how to configure a floating static route to an interface. The route has an administrative distance of 130: Switch(config)# ipv6 route 2001:0DB8::/32 gigabitethernet0/1 130 For more information about configuring static IPv6 routing, see the “Implementing Static Routes for...
  • Page 856: Configuring Ospf For Ipv6

    (Optional) Save your entries in the configuration file. To disable a RIP routing process, use the no ipv6 router rip name global configuration command. To disable the RIP routing process for an interface, use the no ipv6 rip name interface configuration command.
  • Page 857 (Optional) Save your entries in the configuration file. To disable an OSPF routing process, use the no ipv6 router ospf process-id global configuration command. To disable the OSPF routing process for an interface, use the no ipv6 ospf process-id area area-id interface configuration command.
  • Page 858: Configuring Eigrp For Ipv6

    If EIGRP for IPv6 is not in shutdown mode, EIGRP might start running before you enter the EIGRP router-mode commands to configure the router and the interface. To set an explicit router ID, use the show ipv6 eigrp command to see the configured router IDs, and then use the router-id command.
  • Page 859 Display a list of the last 20 requests made by the HTTP client to the server. This is an example of the output from the show ipv6 interface privileged EXEC command: Switch# show ipv6 interface...
  • Page 860 Loopback10 3FFE:C000:16A:1:20B:46FF:FE2F:D900/128 receive <output truncated> This is an example of the output from the show ipv6 protocols privileged EXEC command: Switch# show ipv6 protocols IPv6 Routing Protocol is “connected” IPv6 Routing Protocol is “static” IPv6 Routing Protocol is “rip fer”...
  • Page 861 I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2...
  • Page 862 Chapter 36 Configuring IPv6 Unicast Routing Displaying IPv6 0 echo request, 0 echo reply 0 group query, 0 group report, 0 group reduce 0 router solicit, 9944 router advert, 0 redirects 84 neighbor solicit, 84 neighbor advert UDP statistics: Rcvd: 0 input, 0 checksum errors, 0 length errors...
  • Page 863: Understanding Ipv6 Acls

    IP Version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces similarly to the way that you create and apply IP Version 4 (IPv4) named ACLs. You can also create and apply input router ACLs to filter Layer 3 management traffic.
  • Page 864: Chapter 37 Configuring Ipv6 Acl

    ACL is applied are filtered by the port ACL. Outgoing routed IPv6 packets are filtered by the router ACL. Other packets are not filtered. Note: If any port ACL (IPv4, IPv6, or MAC) is applied to an interface, that port ACL filters packets, and any router ACLs attached to the SVI of the port VLAN are ignored.
  • Page 865: Default Ipv6 Acl Configuration

    (physical ports or SVIs), the switch determines whether or not the ACL can be supported on the interface. If not, the ACL attachment is rejected. If an ACL is applied to an interface and you attempt to add an access control entry (ACE) with an...
  • Page 866: Interaction With Other Features And Switches

    Interaction with Other Features and Switches Configuring IPv6 ACLs has these interactions with other features or switch characteristics: If an IPv6 router ACL is configured to deny a packet, the packet is not routed. A copy of the packet...
  • Page 867 For protocol, enter the name or number of an Internet protocol: ahp, esp, icmp, ipv6, pcp, sctp, tcp, or udp, or an integer in the range 0 to 255 representing an IPv6 protocol number. (Syntax column fragments from the same table row: [operator [port-number]] {destination-ipv6-prefix/prefix-length | any |...)
  • Page 868 Enter icmp for Internet Control Message Protocol. The ICMP parameters are the same as those described for most IP protocols in Step 3a, with the addition of the ICMP message type and code parameters. These optional keywords have... (Syntax column fragments from the same table row: any | host source-ipv6-address} [operator [port-number]])
  • Page 869: Applying An Ipv6 Acl To An Interface

    TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000. The second deny also logs all matches to the console. The first permit entry in the list permits all ICMP packets. The second permit entry in the list permits all other traffic.
  • Page 870: Displaying Ipv6 Acls

    Displaying IPv6 ACLs You can display information about all configured access lists, all IPv6 access lists, or a specific access list by using one or more of the privileged EXEC commands in Table 37-1.
  • Page 871: Understanding Hsrp

    The virtual router does not exist; it represents the common target for routers that are configured to provide backup to each other. One of the routers is selected to be the active router and another to be the standby router, which assumes control of the group MAC address and IP address should the designated active router fail.
  • Page 872: Chapter 38 Configuring Hsrp

    IP address of Router A, you configure them with the IP address of the virtual router as their default router. When Host C sends packets to Host B, it sends them to the MAC address of the virtual router. If, for any reason, Router A stops transferring packets, Router B responds to the virtual IP address and virtual MAC address and becomes the active router, assuming the active router duties.
  • Page 873: Hsrp Versions

    HSRPv2—Version 2 of the HSRP has these features: To match the HSRP group number to the VLAN ID of a subinterface, HSRPv2 can use a group number from 0 to 4095 and a MAC address from 0000.0C9F.F000 to 0000.0C9F.FFFF.
  • Page 874: Multiple Hsrp

    Routers A and B establish two HSRP groups. For group 1, Router A is the default active router because it has the highest assigned priority, and Router B is the standby router. For group 2, Router B is the default active router because it has the highest assigned priority, and Router A is the standby router.
  • Page 875: Configuring Hsrp

    In the procedures, the specified interface must be one of these Layer 3 interfaces: Routed port: a physical port configured as a Layer 3 port by entering the no switchport interface configuration command. SVI: a VLAN interface created by using the interface vlan vlan_id global configuration...
  • Page 876: Enabling Hsrp

    The version of an HSRP group can be changed from HSRPv2 to HSRPv1 only if the group number is less than 256. • If you change the HSRP version on an interface, each HSRP group resets because it now has a new virtual MAC address. Enabling HSRP The standby ip interface configuration command activates HSRP on the configured interface.
  • Page 877: Configuring Hsrp Priority

    Use the no standby [group-number] ip [ip-address] interface configuration command to disable HSRP. This example shows how to activate HSRP for group 1 on an interface. The IP address used by the hot standby group is learned by using HSRP.
  • Page 878 If tracked interfaces that were not configured with priority values fail, the default decrement is 10, and it is noncumulative. When routing is first enabled for the interface, it does not have a complete routing table. If it is •...
  • Page 879 Use the no standby [group-number] track type number [interface-priority] interface configuration command to remove the tracking. This example activates a port, sets an IP address and a priority of 120 (higher than the default value), and waits for 300 seconds (5 minutes) before attempting to become the active router:...
  • Page 880: Configuring Mhsrp

    Router A is configured as the active router for group 1, and Router B is configured as the active router for group 2. The HSRP interface for Router A has an IP address of 10.0.0.1 with a group 1 standby priority of 110 (the default is 100).
  • Page 881 Switch(config-if)# standby 1 authentication word Switch(config-if)# end This example shows how to set the timers on standby group 1 with the time between hello packets at 5 seconds and the time after which a router is considered down to be 15 seconds:...
  • Page 882: Enabling Hsrp Support For Icmp Redirect Messages

    When the switch is running HSRP, make sure hosts do not discover the interface (or real) MAC addresses of routers in the HSRP group. If a host is redirected by ICMP to the real MAC address of a router and that router later fails, packets from the host are lost.
  • Page 883: Understanding Cisco Ios Ip Slas

    Cisco IOS IP SLAs generates and analyzes traffic either between Cisco IOS devices or from a Cisco IOS device to a remote IP device such as a network application server. Measurements provided by the various Cisco IOS IP SLAs operations can be used for troubleshooting, for problem analysis, and for designing network topologies.
  • Page 884: C H A P T E R 39 Configuring Cisco Ios Ip Slas Operations

    Because Cisco IP SLAs is Layer 2 transport independent, you can configure end-to-end operations over disparate networks to best reflect the metrics that an end user is likely to experience. IP SLAs collects a unique subset of these performance metrics: •...
  • Page 885: Using Cisco Ios Ip Slas To Measure Network Performance

    After the destination device receives the packet, depending on the type of IP SLAs operation, it responds with time-stamp information for the source to make the calculation on performance metrics. An IP SLAs operation performs a network measurement from the source device to a destination in the network using a specific protocol such as UDP.
  • Page 886: Ip Slas Responder And Ip Slas Control Protocol

    This delta value is then subtracted from the overall round-trip time. Notice that the same principle is applied by IP SLAs on the source router where the incoming time stamp 4 (TS4) is also taken at the interrupt level to allow for greater accuracy.
  • Page 887: Ip Slas Operation Scheduling

    You can schedule an operation to start immediately or to start at a certain month, day, and hour. You can use the pending option to set the operation to start at a later time. The pending option is an internal state of the operation that is visible through SNMP. The pending state is also used when an operation is a reaction (threshold) operation waiting to be triggered.
  • Page 888: Configuring Ip Slas Operations

    Determining the type of threshold and the level to set can be complex, and depends on the type of IP service being used in the network. For more details on using thresholds with Cisco IOS IP SLAs operations, see the “IP SLAs—Proactive Threshold Monitoring”...
  • Page 889: Configuring The Ip Slas Responder

    The IP SLAs responder is available only on Cisco IOS software-based devices, including some Layer 2 switches that do not support full IP SLAs functionality, such as the Catalyst 2960 or the Cisco ME 2400 switch or a Cisco ME 3400 switch running the metro base image. Beginning in privileged EXEC mode,...
  • Page 890: Analyzing Ip Service Levels By Using The Udp Jitter Operation

    (Optional) Save your entries in the configuration file. To disable the IP SLAs responder, enter the no ip sla responder global configuration command. This example shows how to configure the device as a responder for the UDP jitter IP SLAs operation in the next procedure: Switch(config)# ip sla responder udp-echo 172.29.139.134 5000...
  • Page 891 Beginning in privileged EXEC mode, follow these steps to configure UDP jitter operation on the source device: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip sla operation-number Create an IP SLAs operation, and enter IP SLAs configuration mode.
  • Page 892 (Optional) Save your entries in the configuration file. startup-config To disable the IP SLAs operation, enter the no ip sla operation-number global configuration command. This example shows how to configure a UDP jitter IP SLAs operation: Switch(config)# ip sla 10 Switch(config-ip-sla)# udp-jitter 172.29.139.134 5000...
  • Page 893: Analyzing Ip Service Levels By Using The Icmp Echo Operation

    ICMP-based operations, in-house ping testing, or ping-based dedicated probes for response time measurements between the source IP SLAs device and the destination IP device. The IP SLAs ICMP echo operation conforms to the same specifications as ICMP ping testing, and the two methods result in the same response times.
  • Page 894 (Optional) Save your entries in the configuration file. startup-config To disable the IP SLAs operation, enter the no ip sla operation-number global configuration command. This example shows how to configure an ICMP echo IP SLAs operation: Switch(config)# ip sla 12 Switch(config-ip-sla)# icmp-echo 172.29.139.134...
  • Page 895: Monitoring Ip Slas Operations

    Number of history Lives kept: 0 Number of history Buckets kept: 15 History Filter Type: None Enhanced History: Monitoring IP SLAs Operations Use the User EXEC or Privileged EXEC commands in Table 39-1 to display IP SLAs operations configuration and results. Table 39-1...
  • Page 897: Understanding Enhanced Object Tracking

    Boolean “AND” function requires that each object in the list be in an up state for the tracked object to be up. A tracked list with a Boolean “OR” function needs only one object in the list to be in the up state for the tracked object to be up.
  • Page 898: C H A P T E R 40 Configuring Enhanced Object Tracking

    Tracking Interface Line-Protocol or IP Routing State You can track either the interface line protocol state or the interface IP routing state. When you track the IP routing state, these three conditions are required for the object to be up: IP routing must be enabled and active on the interface.
  • Page 899: Configuring A Tracked List

    You can configure a tracked list of objects with a Boolean expression, a weight threshold, or a percentage threshold. A tracked list contains one or more objects. An object must exist before it can be added to the tracked list.
  • Page 900: Configuring A Tracked List With A Boolean Expression

    For example, when tracking two interfaces using the “AND” operator, up means that both interfaces are up, and down means that either interface is down. Beginning in privileged EXEC mode, follow these steps to configure a tracked list of objects with a Boolean expression:...
  • Page 901: Configuring A Tracked List With A Weight Threshold

    The example configures track list 4 to track by weight threshold. If object 1 and object 2 are down, then track list 4 is up because object 3 satisfies the up threshold value of 30. But if object 3 is down, both objects 1 and 2 must be up in order to satisfy the threshold weight.
  • Page 902: Configuring A Tracked List With A Percentage Threshold

    To track by percentage threshold, configure a tracked list of objects, specify that a percentage will be used as the threshold, and specify a percentage for all objects in the list. The state of the list is determined by comparing the assigned percentage of each object to the list.
  • Page 903: Configuring Hsrp Object Tracking

    Configuring HSRP Object Tracking Beginning in privileged EXEC mode, follow these steps to configure a standby HSRP group to track an object and change the HSRP priority based on the object state: Command...
  • Page 904: Configuring Other Tracking Characteristics

    (Optional) Save your entries in the configuration file. Configuring Other Tracking Characteristics You can also use enhanced object tracking to track other characteristics. You can track the reachability of an IP route by using the track ip route reachability global configuration command.
  • Page 905 IP SLAs operation: state and reachability. For state, if the return code is OK, the track state is up; if the return code is not OK, the track state is down. For reachability, if the return code is OK or OverThreshold, reachability is up;...
  • Page 906: Configuring Static Routing Support

    Step 1 Configure a primary interface for static routing or for DHCP. Step 2 Configure an IP SLAs agent to ping an IP address using a primary interface and a track object to monitor the state of the agent. Step 3 Configure a static default route using a secondary interface.
  • Page 907: Configuring A Cisco Ip Slas Monitoring Agent And Track Object

    Beginning in privileged EXEC mode, follow these steps to configure a primary interface for DHCP: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Select a primary or secondary interface and enter interface configuration mode.
  • Page 908: Configuring A Routing Policy And Default Route

    Configuring a Routing Policy and Default Route Beginning in privileged EXEC mode, follow these steps to configure a routing policy for backup static routing by using object tracking. For more details about the commands in the procedure, see this URL: http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html...
  • Page 909 [object-number] [brief] route: Display information about tracked IP-route objects. show track resolution: Display the resolution of tracked parameters. show track timers: Display tracked polling interval timers.
  • Page 911 Level Agreements (SLAs) for CFM. Ethernet OAM manager controls the interworking between any two of the protocols (CFM, E-LMI, and OAM). Note: The Cisco ME 3400 switch must be running the metro IP access or metro access image to support Ethernet OAM functions.
  • Page 912: C H A P T E R 41 Configuring Ethernet Oam, Cfm, And E-Lmi

    A CFM maintenance domain is a management space on a network that is owned and operated by a single entity and defined by a set of ports internal to it, but at its boundary. You assign a unique maintenance level (from 0 to 7) to define the hierarchical relationship between domains. The larger the domain, the higher the level.
  • Page 913: Maintenance Points

    CFM frames through the relay function. It drops all CFM frames of its level or lower that come from the wire side. For CFM frames from the relay side, it processes the frames at its level and drops frames at a lower level. The MEP transparently forwards all CFM frames at a higher level, regardless of whether they are received from the relay or wire side.
  • Page 914: Cfm Messages

    Note: A UNI in the context of CFM and OAM manager is not the same as a UNI port type. The CFM UNI can be a UNI, an enhanced network interface (ENI), or a network node interface (NNI) port type.
  • Page 915: Ip Slas Support For Cfm

    Default Ethernet CFM Configuration CFM is globally disabled. CFM is enabled on all interfaces. A port can be configured as a flow point (MIP/MEP), a transparent port, or disabled (CFM disabled). By default, ports are transparent ports until configured as MEP, MIP, or disabled.
  • Page 916: Ethernet Cfm Configuration Guidelines

    CFM is supported on EtherChannel port channels. You can configure an EtherChannel port channel as MEP or MIP. However, CFM is not supported on individual ports that belong to an EtherChannel, and you cannot add a CFM port to an EtherChannel group.
  • Page 917: Configuring Ethernet Cfm Service

    (Optional) Save your entries in the configuration file. Use the no versions of the commands to remove the configuration or return to the default configurations. Configuring Ethernet CFM Service Beginning in privileged EXEC mode, follow these steps to set up service for Ethernet CFM:...
  • Page 918: Configuring Ethernet Cfm Crosscheck

    (Optional) Save your entries in the configuration file. Use the no form of each command to remove a configuration or to return to the default settings. Configuring Ethernet CFM Crosscheck Beginning in privileged EXEC mode, follow these steps to configure Ethernet CFM crosscheck:...
  • Page 919: Configuring Ip Slas Cfm Operation

    (Optional) Save your entries in the configuration file. Use the no form of each command to remove a configuration or to return to the default settings. Configuring IP SLAs CFM Operation You can manually configure an individual IP SLAs Ethernet ping or jitter echo operation or you can configure IP SLAs Ethernet operation with endpoint discovery.
  • Page 920: Manually Configuring An Ip Slas Cfm Probe Or Jitter Operation

    Configuring an IP SLAs Operation with Endpoint Discovery, page 41-12. Manually Configuring an IP SLAs CFM Probe or Jitter Operation Beginning in privileged EXEC mode, follow these steps to manually configure an IP SLAs Ethernet echo (ping) or jitter operation: Command...
  • Page 921 Show the configured IP SLAs operation. Step 16 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove an IP SLAs operation, enter the no ip sla operation-number global configuration command.
  • Page 922: Configuring An Ip Slas Operation With Endpoint Discovery

    Configuring an IP SLAs Operation with Endpoint Discovery Beginning in privileged EXEC mode, follow these steps to use IP SLAs to automatically discover the CFM endpoints for a domain and VLAN ID. You can configure ping or jitter operations to the discovered endpoints.
  • Page 923: Displaying Ethernet Cfm Information

    Step 14 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove an IP SLAs operation, enter the no ip sla operation-number global configuration command. Displaying Ethernet CFM Information You can use the privileged EXEC commands in Table 41-1 to display Ethernet CFM information.
  • Page 924: Understanding The Ethernet Oam Protocol

    The Ethernet OAM protocol for installing, monitoring, and troubleshooting Metro Ethernet networks and Ethernet WANs relies on an optional sublayer in the data link layer of the OSI model. Normal link operation does not require Ethernet OAM. You can implement Ethernet OAM on any full-duplex point-to-point or emulated point-to-point Ethernet link for a network or part of a network (specified interfaces).
  • Page 925: Oam Features

    In this mode, when the switch receives a frame that is not an OAM PDU or a pause frame, it sends it back on the same port. The link appears to the user to be in the up state. You can use the returned loopback acknowledgement to test delay, jitter, and throughput.
  • Page 926: Setting Up And Configuring Ethernet Oam

    The PDU includes a reason code to indicate why it was sent. The switch can respond to, but not generate, Dying Gasp PDUs based on loss of power.
  • Page 927: Enabling Ethernet Oam Remote Loopback

    Enter the no ethernet oam interface configuration command to disable Ethernet OAM on the interface. Enabling Ethernet OAM Remote Loopback You must enable Ethernet OAM remote loopback on an interface for the local OAM client to initiate OAM remote loopback operations. Changing this setting causes the local OAM client to exchange configuration information with its remote peer.
  • Page 928: Configuring Ethernet Oam Link Monitoring

    You can configure high and low thresholds for link-monitoring features. If no high threshold is configured, the default is none, which means that no high threshold is set. If you do not set a low threshold, it defaults to a value lower than the high threshold.
  • Page 929 This is the default. Enter threshold low low-frames to set a low threshold in number of frames. The range is 0 to 65535. The default is 1. Enter window milliseconds to set a window, the period of time during which error frames are counted.
  • Page 930 {low-frames}} | window milliseconds} command is visible on the switch and you are allowed to enter it, but it is not supported. Enter the no form of the commands to disable the configuration. Use the no form of each command to disable the threshold setting.
  • Page 931: Configuring Ethernet Oam Remote Failure Indications

    You can configure an error-disable action to occur on an interface if one of the high thresholds is exceeded, if the remote link goes down, if the remote device is rebooted, or if the remote device disables Ethernet OAM on the interface.
  • Page 932 Beginning in privileged EXEC mode, follow these steps to configure an Ethernet OAM template and to associate it with an interface: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 933 threshold. Enter threshold low low-frames to set a low threshold in number of frames. The range is 1 to 900. The default is 1. Enter window frames to set a polling window size in number of frames. The range is 100 to 9000; each value is a multiple of 100 milliseconds.
  • Page 934: Displaying Ethernet Oam Protocol Information

    {threshold {high {high-frames | none} | low {low-frames}} | window milliseconds} command is visible on the switch and you can enter it, but it is not supported. Use the no form of each command to remove the option from the template. Use the no source-template template-name command to remove the source template association.
  • Page 935: E-Lmi Interaction With Oam Manager

    CFM Interaction with OAM Manager When there is a change in the number of active UNIs or remote UNI ID for a given S-VLAN or domain, CFM asynchronously notifies the OAM manager. A change in the number of UNIs might (or might not) cause a change in EVC status.
  • Page 936: Configuring E-Lmi

    (EFPs), and E-LMI customer VLAN mapping. Most of the configuration occurs on the PE switch on the interfaces connected to the CE device. On the CE switch, you only need to enable E-LMI on the connecting interface. Note that you must configure some OAM parameters, for example, EVC definitions, on PE devices on both sides of a metro network.
  • Page 937: Configuring The Oam Manager

    Configuring the OAM Manager Beginning in privileged EXEC mode, follow these steps to configure OAM manager on a PE switch: Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 938 UNIs that are part of a given customer service instance and can be up to 64 characters in length. When a UNI ID is configured on a port, that ID is used as the default name for all MEPs configured on the port, unless a name is explicitly configured for a given MEP.
  • Page 939: Enabling E-Lmi

    Enabling E-LMI You can enable E-LMI globally or on an interface, and you can configure the switch as a PE or a CE device. Beginning in privileged EXEC mode, follow these steps to enable E-LMI on the switch or on an interface.
  • Page 940: Ethernet Oam Manager Configuration Example

    Ethernet OAM Manager Configuration Example This is a simple example of configuring CFM and E-LMI with OAM manager on a PE device and on a CE device. You can configure the switch as either the PE device or the CE device.
  • Page 941: Customer-Edge Device Configuration

    Switch(config)# ethernet lmi ce Switch(config)# exit Note: For E-LMI to work, any VLANs used on the PE device must also be created on the CE device. Create a VLAN by entering the vlan vlan-id global configuration command on the CE device, where the vlan-ids match those on the PE device, and configure these VLANs as allowed VLANs by entering the switchport trunk allowed vlan vlan-ids interface configuration command.
  • Page 942: Ethernet Cfm And Ethernet Oam Interaction

    Ethernet OAM informs CFM of the state of the interface. Interaction is unidirectional from the Ethernet OAM to the CFM Protocol, and the only information exchanged is the user network interface port status. The Ethernet OAM Protocol notifies CFM when these conditions occur: •...
  • Page 943: Configuring Ethernet Oam Interaction With Cfm

    Configuring Ethernet OAM Interaction with CFM For Ethernet OAM to function with CFM, you must configure an Ethernet Virtual Circuit (EVC) and the OAM manager, and associate the EVC with CFM. You must use an inward facing MEP for interaction with the OAM manager.
  • Page 944: Enabling Ethernet Oam

    Enabling Ethernet OAM Beginning in privileged EXEC mode, follow these steps to enable Ethernet OAM on an interface. Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 945 Total Remote MEPs: 1 This example shows the output when you start remote loopback on CE1 (or PE1). The port state on the remote PE switch shows as Test, and the remote CE switch goes into error-disable mode. Switch# ethernet oam remote-loopback start interface gigabitEthernet 0/1 This is a intrusive loopback.
  • Page 946 TEST Gi1/1/1 blue Total Remote MEPs: 1 In addition, if you shut down the CE1 interface that connects to PE1, the remote PE2 port will show a PortState of Down.
  • Page 947: Understanding Cisco's Implementation Of Ip Multicast Routing

    IP multicast packets out all interfaces that lead to members of the multicast group. Any host, regardless of whether it is a member of a group, can send to a group. However, only the members of a group receive the message.
  • Page 948: C H A P T E R 42 Configuring Ip Multicast Routing

    There is no restriction on the location or number of members in a multicast group. A host can be a member of more than one multicast group at a time. How active a multicast group is and what members it has can vary from group to group and from time to time.
  • Page 949: Igmp Version 1

    (have one or more hosts interested in a multicast group) on the local subnet. IGMPv1 has other processes that enable a host to join and leave a multicast group. For more information, see RFC 1112.
  • Page 950: Pim Modes

    (designated router [DR]) to complete the shared tree path from the source to the receiver. When using a shared tree, sources must send their traffic to the RP so that the traffic reaches all receivers.
  • Page 951: Pim Stub Routing

    The PIM stub routing feature reduces resource usage by moving routed traffic closer to the end user. In a network using PIM stub routing, the only allowable route for IP traffic to the user is through a switch that is configured with PIM stub routing. PIM passive interfaces are connected to Layer 2 access domains, such as VLANs, or to interfaces that are connected to other Layer 2 devices.
  • Page 952: Auto-Rp

    For Auto-RP to work, you configure a Cisco router or multilayer switch as the mapping agent. It uses IP multicast to learn which routers or switches in the network are possible candidate RPs to receive candidate RP announcements. Candidate RPs periodically send multicast RP-announce messages to a particular group or group range to announce their availability.
  • Page 953: Multicast Forwarding And Reverse Path Check

    1, not port 2. Because the RPF check fails, the multilayer switch discards the packet. Another multicast packet from source 151.10.3.21 is received on port 1, and the routing table shows this port is on the reverse path to the source.
  • Page 954: Configuring Ip Multicast Routing

    42-4). The RPF check is performed differently for each: If a PIM router or multilayer switch has a source-tree state (that is, an (S,G) entry is present in the multicast routing table), it performs the RPF check against the IP address of the source of the multicast packet.
  • Page 955: Multicast Routing Configuration Guidelines

    PIMv2 BSR that is also an Auto-RP mapping agent automatically advertises the RP elected by Auto-RP. That is, Auto-RP sets its single RP on every router or multilayer switch in the group. Not all routers and switches in the domain use the PIMv2 hash function to select multiple RPs.
  • Page 956: Auto-Rp And Bsr Configuration Guidelines

    If you have a network that includes non-Cisco routers, configure the Auto-RP mapping agent and the BSR on a Cisco PIMv2 router or multilayer switch. Ensure that no PIMv1 device is on the path between the BSR and a non-Cisco PIMv2 router.
  • Page 957 from a LAN, sparse-mode operation occurs if there is an RP known for the group. If so, the packets are encapsulated and sent toward the RP. When no RP is known, the packet is flooded in a dense-mode fashion.
  • Page 958: Configuring Pim Stub Routing

    The PIM stub routing feature supports multicast routing between the distribution layer and the access layer. It supports two types of PIM interfaces: uplink PIM interfaces and PIM passive interfaces. A routed interface configured with the PIM passive mode does not pass or forward PIM control traffic; it only passes and forwards IGMP traffic.
  • Page 959: Configuring Source-Specific Multicast

    In this example, IP multicast routing is enabled, and Switch A PIM uplink port 25 is configured as a routed uplink port with sparse-dense-mode enabled. PIM stub routing is enabled on the VLAN 100 interfaces...
  • Page 960: Ssm Components Overview

    The ISM service consists of the delivery of IP datagrams from any source to a group of receivers called the multicast host group. The datagram traffic for the multicast host group consists of datagrams with an arbitrary IP unicast source address S and the multicast group address G as the IP destination address.
  • Page 961: Igmpv3 Host Signalling

    SSM range for many independent applications, this situation can lead to decreased traffic filtering in a switched network. For this reason, it is important to use random IP addresses from the SSM range for an application to minimize the chance for re-use of a single address within the SSM range between different applications.
  • Page 962: Configuring Ssm

    G) subscriptions are on the interfaces. Therefore, as long as receivers send (S, G) subscriptions, the shortest path tree (SPT) state from the receivers to the source is maintained, even if the source does not send traffic for longer periods of time (or even never).
  • Page 963: Configuring Source Specific Multicast Mapping

    Before you can configure and use SSM mapping with DNS lookups, you must be able to add records to a running DNS server. If you do not already have a DNS server running, you need to install one. You can use a product such as Cisco Network Registrar. Go to this URL for more information: http://www.cisco.com/warp/public/cc/pd/nemnsw/nerr/index.shtml...
  • Page 964 IGMPv3 report and continues as if it had received an IGMPv3 report. The router then sends PIM joins and continues to be joined to these groups as long as it continues to receive the IGMPv1 or IGMPv2 membership reports, and the SSM mapping for the group remains the same.
  • Page 965: Configuring SSM Mapping

    Thus, the server-side switchover mechanism ensures that only one of the servers is actively sending video traffic for the TV channel. To look up one or more source addresses for a group that includes G1, G2, G3, and G4, you must configure these DNS records on the DNS server: G4.G3.G2.G1 [multicast-domain] [timeout]IN A source-address-1...
  • Page 966 Configuring DNS-Based SSM Mapping To configure DNS-based SSM mapping, you need to create a DNS server zone or add records to an existing zone. If the routers that are using DNS-based SSM mapping are also using DNS for other purposes, you should use a normally configured DNS server.
  • Page 967 (Optional) Save your entries in the configuration file. Configuring Static Traffic Forwarding with SSM Mapping Use static traffic forwarding with SSM mapping to statically forward SSM traffic for certain groups. Beginning in privileged EXEC mode, follow these steps to configure static traffic forwarding with SSM...
  • Page 968: Monitoring SSM Mapping

    Configuring a Rendezvous Point You must have an RP if the interface is in sparse-dense mode and if you want to treat the group as a sparse group. You can use several methods, as described in these sections: Manually Assigning an RP to Multicast Groups, page 42-22...
  • Page 969 Chapter 42 Configuring IP Multicast Routing Beginning in privileged EXEC mode, follow these steps to manually configure the address of the RP. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
  • Page 970: Configuring Auto-RP

    42-6. Setting up Auto-RP in a New Internetwork If you are setting up Auto-RP in a new internetwork, you do not need a default RP because you configure all the interfaces for sparse-dense mode. Follow the process described in the “Adding Auto-RP to an...
  • Page 971 Chapter 42 Configuring IP Multicast Routing Beginning in privileged EXEC mode, follow these steps to deploy Auto-RP in an existing sparse-mode cloud. This procedure is optional. Command Purpose Step 1 show running-config Verify that a default RP is already configured on all PIM devices and the RP in the sparse-mode network.
  • Page 972 This example shows how to send RP announcements out all PIM-enabled interfaces for a maximum of 31 hops. The IP address of port 1 is the RP. Access list 5 describes the group for which this switch serves as RP: Switch(config)# ip pim send-rp-announce gigabitethernet0/1 scope 31 group-list 5 Switch(config)# access-list 5 permit 224.0.0.0 15.255.255.255...
  • Page 973 Configuring IP Multicast Routing Filtering Incoming RP Announcement Messages You can add configuration commands to the mapping agents to prevent a maliciously configured router from masquerading as a candidate RP and causing problems. Beginning in privileged EXEC mode, follow these steps to filter incoming RP announcement messages.
  • Page 974: Configuring PIMv2 BSR

    As IP multicast becomes more widespread, the chance of one PIMv2 domain bordering another PIMv2 domain is increasing. Because these two domains probably do not share the same set of RPs, BSR, candidate RPs, and candidate BSRs, you need to constrain PIMv2 BSR messages from flowing into or out of the domain.
  • Page 975 Defining the IP Multicast Boundary You define a multicast boundary to prevent Auto-RP messages from entering the PIM domain. You create an access list to deny packets destined for 224.0.1.39 and 224.0.1.40, which carry Auto-RP information. Beginning in privileged EXEC mode, follow these steps to define a multicast boundary. This procedure is optional.
  • Page 976 Switch(config-if)# ip multicast boundary 1 Configuring Candidate BSRs You can configure one or more candidate BSRs. The devices serving as candidate BSRs should have good connectivity to other devices and be in the backbone portion of the network. Beginning in privileged EXEC mode, follow these steps to configure your switch as a candidate BSR.
  • Page 977 You can configure one or more candidate RPs. Similar to BSRs, the RPs should also have good connectivity to other devices and be in the backbone portion of the network. An RP can serve the entire IP multicast address space or a portion of it. Candidate RPs send candidate RP advertisements to the BSR.
  • Page 978: Using Auto-RP and a BSR

    To remove this device as a candidate RP, use the no ip pim rp-candidate interface-id global configuration command. This example shows how to configure the switch to advertise itself as a candidate RP to the BSR in its PIM domain. Standard access list number 4 specifies the group prefix associated with the RP that has the address identified by a port.
  • Page 979: Monitoring the RP Mapping Information

    RP that was selected for the specified group. • show ip pim rp [group-name | group-address | mapping] displays how the switch learns of the RP (through the BSR or the Auto-RP mechanism).
  • Page 980 The RP puts a link to Router C in its outgoing interface list. A source sends data; Router A encapsulates the data in a register message and sends it to the RP. The RP forwards the data down the shared tree to Router C and sends a join message toward the source.
  • Page 981: Delaying the Use of PIM Shortest-Path Tree

    You can specify to which groups the shortest-path tree threshold applies by using a group list (a standard access list). If a value of 0 is specified or if the group list is not used, the threshold applies to all groups.
  • Page 982: Modifying the PIM Router-Query Message Interval

    LAN. With PIM DM operation, the DR has meaning only if IGMPv1 is in use. IGMPv1 does not have an IGMP querier election process, so the elected DR functions as the IGMP querier. With PIM SM operation, the DR is the device that is directly connected to the multicast source.
  • Page 983: Default IGMP Configuration

    Configuring the Switch as a Member of a Group You can configure the switch as a member of a multicast group and discover multicast reachability in a network. If all the multicast-capable routers and multilayer switches that you administer are members of a multicast group, pinging that group causes all these devices to respond.
  • Page 984: Controlling Access To Ip Multicast Groups

    The switch then forwards to these group members all packets addressed to the multicast group. You can place a filter on each interface to restrict the multicast groups that hosts on the subnet serviced by the interface can join.
  • Page 985: Changing the IGMP Version

    All systems on the subnet must support the same version. The switch does not automatically detect Version 1 systems and switch to Version 1. You can mix Version 1 and Version 2 hosts on the subnet because Version 2 routers or switches always work correctly with IGMPv1 hosts.
  • Page 986: Modifying the IGMP Host-Query Message Interval

    The switch elects a PIM designated router (DR) for the LAN (subnet). The DR is the router or multilayer switch with the highest IP address for IGMPv2. For IGMPv1, the DR is elected according to the multicast routing protocol that runs on the LAN.
  • Page 987: Changing the IGMP Query Timeout for IGMPv2

    Changing the IGMP Query Timeout for IGMPv2 If you are using IGMPv2, you can specify the period of time before the switch takes over as the querier for the interface. By default, the switch waits twice the query interval controlled by the ip igmp query-interval interface configuration command.
  • Page 988: Configuring The Switch As A Statically Connected Member

    Configuring the Switch as a Statically Connected Member Sometimes there is either no group member on a network segment or a host cannot report its group membership by using IGMP. However, you might want multicast traffic to go to that network segment.
  • Page 989: Configuring Optional Multicast Routing Features

    (audio, video, and so forth) are required on your workstation. The MBONE Session Directory Version 2 (sdr) tool provides this information.
  • Page 990: Limiting How Long an sdr Cache Entry Exists

    Limiting How Long an sdr Cache Entry Exists By default, entries are never deleted from the sdr cache. You can limit how long the entry remains active so that if a source stops advertising SAP information, old advertisements are not needlessly kept.
  • Page 991 You can define an administratively-scoped boundary on a routed interface for multicast group addresses. A standard access list defines the range of addresses affected. When a boundary is defined, no multicast data packets are allowed to flow across the boundary from either direction. The boundary allows the same multicast group address to be reused in different administrative domains.
  • Page 992: Monitoring And Maintaining Ip Multicast Routing

    Clearing Caches, Tables, and Databases You can remove all contents of a particular cache, table, or database. Clearing a cache, table, or database might be necessary when the contents of the particular structure are, or are suspected to be, invalid.
  • Page 993: Monitoring Ip Multicast Routing

    Display IP multicast packet rate and loss information. mtrace source [destination] [group] Trace the path from a source to a destination branch for a multicast distribution tree for a given group.
  • Page 994 Chapter 42 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing
  • Page 995: Understanding MSDP

    MSDP allows multicast sources for a group to be known to all rendezvous points (RPs) in different domains. Each PIM-SM domain uses its own RPs and does not depend on RPs in other domains. An RP runs MSDP over the Transmission Control Protocol (TCP) to discover multicast sources in other domains.
  • Page 996: Chapter 43 Configuring MSDP

    (RPF). The MSDP device examines the BGP or MBGP routing table to discover which peer is the next hop toward the originating RP of the SA message. Such a peer is called an RPF peer (reverse-path forwarding peer). The MSDP device forwards the message to all MSDP peers other than the RPF peer.
  • Page 997: MSDP Benefits

    join reaches the source’s DR, a branch of the source tree has been built from the source to the RP in the remote domain. Multicast traffic can now flow from the source across the source tree to the RP and then down the shared tree in the remote domain to the receiver.
  • Page 998 Router C. This is the default behavior without a prefix list. If you specify a prefix list, the peer is a default peer only for the prefixes in the list. You can have multiple active default peers when you have a prefix list associated with each. When you do not have any prefix lists, you can configure multiple default peers, but only the first one is the active default peer as long as the router has connectivity to this peer and the peer is alive.
  • Page 999 Figure 43-2) who use default peering (no BGP or MBGP). In that case, they might have similar configurations. That is, they accept SAs only from a default peer if the SA is permitted by the corresponding prefix list.
  • Page 1000: Caching Source-Active State

    MSDP SA information, it does not store it in memory. Therefore, if a member joins a group soon after an SA message is received by the local RP, that member needs to wait until the next SA message to hear about the source.