Cisco ME 3400G-2CS - Ethernet Access Switch Software Configuration Manual

Ethernet access switch

Cisco ME 3400 Ethernet Access Switch
Software Configuration Guide
Cisco IOS Release 12.2(25)EX
November 2005
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7817058=
Text Part Number: 78-17058-01

Summary of Contents for Cisco ME 3400G-2CS - Ethernet Access Switch

  • Page 1 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide Cisco IOS Release 12.2(25)EX November 2005 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7817058=...
  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the...
  • Page 3 Security Features Subscriber Security Switch Security Network Security Quality of Service and Class of Service Features Layer 2 Virtual Private Network Services Layer 3 Features Layer 3 VPN Services Monitoring Features Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 78-17058-01...
  • Page 4: Table Of Contents

    Understanding DHCP-Based Autoconfiguration DHCP Client Request Process Configuring DHCP-Based Autoconfiguration DHCP Server Configuration Guidelines Configuring the TFTP Server Configuring the DNS Configuring the Relay Device Obtaining Configuration Files Example Configuration...
  • Page 5 Enabling a Partial Configuration 4-11 Displaying CNS Configuration 4-12 Administering the Switch Managing the System Time and Date Understanding the System Clock Understanding Network Time Protocol...
  • Page 6 Adding and Removing Static Address Entries 5-24 Configuring Unicast MAC Address Filtering 5-25 Disabling MAC Address Learning on a VLAN 5-26 Displaying Address Table Entries 5-28 Managing the ARP Table 5-28...
  • Page 7 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 7-16 Starting TACACS+ Accounting 7-17 Displaying the TACACS+ Configuration 7-17 Controlling Switch Access with RADIUS 7-18 Understanding RADIUS 7-18 RADIUS Operation 7-19...
  • Page 8 Ports in Authorized and Unauthorized States IEEE 802.1x Accounting IEEE 802.1x Accounting Attribute-Value Pairs IEEE 802.1x Host Mode Using IEEE 802.1x with Port Security Using IEEE 802.1x with VLAN Assignment...
  • Page 9 Configuring User Network and Network Node Interfaces 9-13 Configuring Interface Speed and Duplex Mode 9-14 Speed and Duplex Configuration Guidelines 9-15 Setting the Interface Speed and Duplex Parameters 9-15 Configuring IEEE 802.3x Flow Control 9-17...
  • Page 10 Creating an Extended-Range VLAN with an Internal VLAN ID 11-11 Configuring UNI VLANs 11-12 Configuration Guidelines 11-12 Configuring UNI VLANs 11-13 Displaying VLANs 11-14 Configuring VLAN Trunks 11-14 Trunking Overview 11-14 IEEE 802.1Q Configuration Considerations 11-15...
  • Page 11 Default Private-VLAN Configuration 12-6 Private-VLAN Configuration Guidelines 12-6 Secondary and Primary VLAN Configuration 12-7 Private-VLAN Port Configuration 12-8 Limitations with Other Features 12-9 Configuring and Associating VLANs in a Private VLAN 12-10...
  • Page 12 14-7 How a Switch or Port Becomes the Root Switch or Root Port 14-7 Spanning Tree and Redundant Connectivity 14-8 Spanning-Tree Address Management 14-8 Accelerated Aging to Retain Connectivity 14-9...
  • Page 13 Rapid Convergence 15-7 Synchronization of Port Roles 15-8 Bridge Protocol Data Unit Format and Processing 15-9 Processing Superior BPDU Information 15-10 Processing Inferior BPDU Information 15-10 Topology Changes 15-10...
  • Page 14 16-5 Enabling Port Fast 16-5 Enabling BPDU Guard 16-6 Enabling BPDU Filtering 16-7 Enabling EtherChannel Guard 16-8 Enabling Root Guard 16-9 Enabling Loop Guard 16-9 Displaying the Spanning-Tree Status 16-10...
  • Page 15 Source IP and MAC Address Filtering 18-14 Configuring IP Source Guard 18-14 Default IP Source Guard Configuration 18-14 IP Source Guard Configuration Guidelines 18-15 Enabling IP Source Guard 18-15 Displaying IP Source Guard Information 18-16...
  • Page 16 20-11 Recovering from Flood Mode 20-11 Disabling Multicast Flooding During a TCN Event 20-12 Configuring the IGMP Snooping Querier 20-13 Disabling IGMP Report Suppression 20-14 Displaying IGMP Snooping Information 20-15...
  • Page 17 Default Port Security Configuration 21-10 Port Security Configuration Guidelines 21-10 Enabling and Configuring Port Security 21-11 Enabling and Configuring Port Security Aging 21-15 Displaying Port-Based Traffic Control Settings 21-17...
  • Page 18 24-6 VLAN Filtering 24-6 Destination Port 24-7 RSPAN VLAN 24-8 SPAN and RSPAN Interaction with Other Features 24-8 Configuring SPAN and RSPAN 24-9 Default SPAN and RSPAN Configuration 24-10...
  • Page 19 Limiting Syslog Messages Sent to the History Table and to SNMP 26-9 Configuring UNIX Syslog Servers 26-10 Logging Messages to a UNIX Syslog Daemon 26-10 Configuring the UNIX System Logging Facility 26-11 Displaying the Logging Configuration 26-12...
  • Page 20 Resequencing ACEs in an ACL 28-14 Creating Named Standard and Extended ACLs 28-14 Using Time Ranges with ACLs 28-16 Including Comments in ACLs 28-18 Applying an IPv4 ACL to a Terminal Line 28-18...
  • Page 21 Configuring QoS 30-1 Understanding QoS 30-1 Modular QoS CLI 30-3 Input and Output Policies 30-4 Input Policy Maps 30-4 Output Policy Maps 30-5...
  • Page 22 Configuring Output Policy Maps with Class-Based Shaping 30-46 Configuring Output Policy Maps with Port Shaping 30-47 Configuring Output Policy Maps with Class-Based Priority Queuing 30-48 Configuring Output Policy Maps with Weighted Tail Drop 30-53...
  • Page 23 Configuring the PAgP Learn Method and Priority 31-17 Configuring LACP Hot-Standby Ports 31-18 Configuring the LACP System Priority 31-19 Configuring the LACP Port Priority 31-20 Displaying EtherChannel, PAgP, and LACP Status 31-21...
  • Page 24 Configuring Basic OSPF Parameters 32-26 Configuring OSPF Interfaces 32-26 Configuring OSPF Area Parameters 32-27 Configuring Other OSPF Parameters 32-29 Changing LSA Group Pacing 32-30 Configuring a Loopback Interface 32-31 Monitoring OSPF 32-31...
  • Page 25 Configuring Static Unicast Routes 32-71 Specifying Default Routes and Networks 32-72 Using Route Maps to Redistribute Routing Information 32-73 Configuring Policy-Based Routing 32-76 PBR Configuration Guidelines 32-77 Enabling PBR 32-78...
  • Page 26 Configuring IP Multicast Routing 34-7 Default Multicast Routing Configuration 34-7 Multicast Routing Configuration Guidelines 34-7 PIMv1 and PIMv2 Interoperability 34-8 Auto-RP and BSR Configuration Guidelines 34-8 Configuring Basic Multicast Routing 34-9...
  • Page 27 35-2 MSDP Benefits 35-3 Configuring MSDP 35-4 Default MSDP Configuration 35-4 Configuring a Default MSDP Peer 35-4 Caching Source-Active State 35-6 Requesting Source Information from an MSDP Peer 35-8...
  • Page 28 36-13 Understanding Layer 2 Traceroute 36-13 Layer 2 Traceroute Usage Guidelines 36-14 Displaying the Physical Path 36-15 Using IP Traceroute 36-15 Understanding IP Traceroute 36-15 Executing IP Traceroute 36-16...
  • Page 29 MIB List Using FTP to Access the MIB Files Working with the Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System...
  • Page 30 Working with Software Images B-18 Image Location on the Switch B-19 tar File Format of Images on a Server or Cisco.com B-19 Copying Image Files By Using TFTP B-20 Preparing to Download or Upload an Image File By Using TFTP...
  • Page 31 Unsupported Privileged EXEC Commands Unsupported Global Configuration Commands NetFlow Commands Unsupported Global Configuration Commands Unsupported Global Configuration Commands Unsupported Interface Configuration Commands RADIUS Unsupported Global Configuration Commands SNMP Unsupported Global Configuration Commands...
  • Page 32 Contents Spanning Tree Unsupported Global Configuration Command Unsupported Interface Configuration Command VLAN C-10 Unsupported Global Configuration Commands C-10 Unsupported User EXEC Commands C-10 Index...
  • Page 33 This guide is for the networking professional managing the Cisco Metro Ethernet (ME) 3400 Series Ethernet Access switch, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
  • Page 34: Related Publications

    For upgrading information, see the “Downloading Software” section in the release notes. • You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the “Obtaining Documentation” section on page xxxv.
  • Page 35: Obtaining Documentation

    Cisco products and to view technical documentation in HTML. With the DVD, you have access to the same documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .pdf versions of the documentation available.
  • Page 36: Documentation Feedback

    Register to receive security information from Cisco. • A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL: http://www.cisco.com/en/US/products/products_psirt_rss_feed.html...
  • Page 37: Reporting Security Problems In Cisco Products

    Reporting Security Problems in Cisco Products: Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT: Emergencies —...
  • Page 38: Submitting A Service Request

    Cisco engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
  • Page 39: Obtaining Additional Publications And Information

    Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ • Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL: http://www.ciscopress.com...
  • Page 41 Cisco.com. For more information, see the release notes for this release. The Cisco ME switch has two different types of interfaces: network node interfaces (NNIs) to connect to the service provider network and user network interfaces (UNIs) to connect to customer networks.
  • Page 42: Performance Features

    • IGMP snooping querier support to configure switch to generate periodic IGMP General Query messages • Multicast VLAN registration (MVR) to continuously send multicast streams in a multicast VLAN while isolating the streams from subscriber VLANs for bandwidth and security reasons...
  • Page 43: Management Options

    • Cisco Configuration Engine—The Cisco Configuration Engine is a network management device that works with embedded Cisco IOS CNS Agents in the switch software. You can automate initial configurations and configuration updates by generating switch-specific configuration changes, sending them to the switch, executing the configuration change, and logging the results. For more information about using Cisco IOS agents, see Chapter 4, “Configuring Cisco IOS CNS Agents.”...
  • Page 44: Availability Features

    • Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses • In-band management access for up to 16 simultaneous Telnet connections for multiple CLI-based sessions over the network •...
  • Page 45: VLAN Features

    The Kerberos feature listed in this section is only available on the cryptographic versions of the switch software. • Password-protected access (read-only and read-write access) to management interfaces for protection against unauthorized configuration changes...
  • Page 46: Network Security

    IEEE 802.1x accounting to track network usage. Quality of Service and Class of Service Features: • Cisco modular quality of service (QoS) command-line (MQC) implementation • Classification based on IP precedence, Differentiated Services Code Point (DSCP), and IEEE 802.1p class of service (CoS) packet fields, ACL lookup, or assigning a QoS label for output classification •...
  • Page 47: Layer 2 Virtual Private Network Services

    • Internet Control Message Protocol (ICMP) and ICMP Router Discovery Protocol (IRDP) for using router advertisement and router solicitation messages to discover the addresses of routers on directly attached subnets...
  • Page 48: Default Settings After Initial Switch Configuration

    If you have specific network needs, you can change the interface-specific and system-wide settings. Note: For information about assigning an IP address by using the CLI-based setup program, see the hardware installation guide.
  • Page 49
    Private VLANs | None configured | Chapter 12, “Configuring Private VLANs”
    Dynamic ARP inspection (requires metro IP access or metro access image) | Disabled on all VLANs | Chapter 19, “Configuring Dynamic ARP Inspection”
    ...
  • Page 50
    SPAN and RSPAN | Disabled | Chapter 24, “Configuring SPAN and RSPAN”
    RMON | Disabled | Chapter 25, “Configuring RMON”
    Syslog messages | Enabled; displayed on the console | Chapter 26, “Configuring System Message Logging”
    ...
  • Page 51: Network Configuration Examples

    Gigabit Ethernet ring for a residential location, serving multitenant units by using Cisco ME 3400 Ethernet Access switches connected through 1000BASE-X SFP module ports. Cisco ME switches used as residential switches provide customers with high-speed connections to the service provider point-of-presence (POP).
  • Page 52 To provide differential QoS treatment for different types of traffic, the Cisco ME switch can identify, police, mark, and schedule traffic types based on Layer 2 to Layer 4 information. The Cisco modular QoS command-line interface (CLI), or MQC, on Cisco ME switches provides an efficient method of QoS configuration.
  • Page 53: Layer 2 VPN Application

    VLAN ID on top of the customer’s IEEE 802.1Q tag. By supporting double tags, the Cisco ME 3400 switch provides a virtual tunnel for each customer and prevents VLAN ID overlaps between customers. In addition to data-plane separation, the Cisco ME 3400 switch can also tunnel the customer’s control protocols.
  • Page 54: Multi-VRF CE Application

    • link to one or more provider edge routers. The CE device advertises the site’s local routes to the router and learns the remote VPN routes from the router. The Cisco ME 3400 switch can be a CE device. •...
  • Page 55: Where To Go Next

    Before configuring the switch, review these sections for startup information: • Chapter 2, “Using the Command-Line Interface” • Chapter 3, “Assigning the Switch IP Address and Default Gateway” • Chapter 4, “Configuring Cisco IOS CNS Agents”...
  • Page 57: Understanding Command Modes

    Using the Command-Line Interface: This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your Cisco ME 3400 Ethernet Access switch. It contains these sections: • Understanding Command Modes, page 2-1...
  • Page 58 console command. To return to privileged EXEC mode, press Ctrl-Z or enter end. For more detailed information on the command modes, see the command reference guide for this release.
  • Page 59: Understanding The Help System

    You need to enter only enough characters for the switch to recognize the command as unique. This example shows how to enter the show configuration privileged EXEC command in an abbreviated form:
    Switch# show conf
    ...
  • Page 60: Understanding No And Default Forms Of Commands

    You can customize this feature to suit your needs as described in these sections: • Changing the Command History Buffer Size, page 2-5 (optional) • Recalling Commands, page 2-5 (optional) • Disabling the Command History Feature, page 2-5 (optional)...
  • Page 61: Changing The Command History Buffer Size

    To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command.
  • Page 62: Using Editing Features

    Recall commands from the buffer and paste them in the command line. The switch provides a buffer with the last ten items that you deleted. | Press Ctrl-Y. | Recall the most recent entry in the buffer.
  • Page 63 if the switch suddenly sends a message to your screen. | Press Ctrl-L or Ctrl-R. | Redisplay the current command line.
    1. The arrow keys function only on ANSI-compatible terminals such as VT100s.
  • Page 64: Editing Command Lines That Wrap

    Switch# show interfaces | include protocol
    Vlan1 is up, line protocol is up
    Vlan10 is up, line protocol is down
    GigabitEthernet0/1 is up, line protocol is down
    GigabitEthernet0/2 is up, line protocol is up
    ...
  • Page 65: Accessing The Cli

    7-37. The switch supports up to five simultaneous secure SSH sessions. After you connect through the console port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station.
  • Page 67: Chapter 3 Assigning The Switch IP Address And Default Gateway

    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2. This chapter consists of these sections: •...
  • Page 68: Assigning Switch Information

    IP address and reads the configuration file. If you are an experienced user familiar with the switch configuration steps, manually configure the switch. Otherwise, use the setup program described previously.
  • Page 69: Default Switch Information

    DHCP server when the configuration file is not present on the switch. If the configuration file is present and the configuration includes the ip address dhcp interface configuration command on specific routed interfaces, the DHCP client is invoked and requests the IP address information for those interfaces.
  • Page 70 If the switch accepts replies from a BOOTP server and configures itself, the switch broadcasts, instead of unicasts, TFTP requests to obtain the switch configuration file.
  • Page 71: Configuring DHCP-Based Autoconfiguration

    Example Configuration, page 3-8 • If your DHCP server is a Cisco device, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 for additional information about configuring DHCP.
  • Page 72: Configuring The DNS

    If the relay device is a Cisco router, enable IP routing (ip routing global configuration command), and configure helper addresses by using the ip helper-address interface configuration command.
  • Page 73: Obtaining Configuration Files

    DHCP reply. If the hostname is not specified in the DHCP reply, the switch uses the default Switch as its hostname.
  • Page 74: Example Configuration

    TFTP server name | tftpserver or 10.0.0.3 | tftpserver or 10.0.0.3 | tftpserver or 10.0.0.3 | tftpserver or 10.0.0.3
    Boot filename (configuration file) (optional) | switcha-confg | switchb-confg | switchc-confg | switchd-confg
    Hostname (optional) | switcha | switchb | switchc | switchd
    ...
  • Page 75: Manually Assigning IP Information

    The range is 1 to 4094; do not enter leading zeros.
    Step 3: ip address ip-address subnet-mask
    Enter the IP address and subnet mask.
    Step 4: exit
    Return to global configuration mode.
  • Page 76: Checking And Saving The Running Configuration

  • Page 77
    Vlan10
    ip address 192.168.1.76 255.255.255.0
    ip default-gateway 192.168.1.3
    no ip http server
    ip classless
    control-plane
    line con 0
    ...
  • Page 78: Modifying The Startup Configuration

    EXEC command. For more information about alternative locations from which to copy the configuration file, see Appendix B, “Working with the Cisco IOS File System, Configuration Files, and Software Images.” Modifying the Startup Configuration: These sections describe how to modify the switch startup configuration: •...
  • Page 79: Default Boot Configuration

    Specifying the Filename to Read and Write the System Configuration: By default, the Cisco IOS software uses the file config.text to read and write a nonvolatile copy of the system configuration. However, you can specify a different filename, which will be loaded during the next boot cycle.
  • Page 80: Booting Manually

    For filesystem:, use flash: for the system board flash device. • For file-url, specify the path (directory) and the name of the bootable image. Filenames and directory names are case sensitive.
  • Page 81: Controlling Environment Variables

    Environment variables store two kinds of data: • Data that controls code, which does not read the Cisco IOS configuration file. For example, the name of a boot loader helper file, which extends or patches the functionality of the boot loader can be stored as an environment variable.
  • Page 82: Scheduling A Reload Of The Software Image

    You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
  • Page 83: Configuring A Scheduled Reload

    Reload scheduled for 02:00:00 UTC Thu Jun 20 1996 (in 344 hours and 53 minutes)
    Proceed with reload? [confirm]
    To cancel a previously scheduled reload, use the reload cancel privileged EXEC command.
  • Page 84: Displaying Scheduled Reload Information

    EXEC command. It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled).
  • Page 85: Chapter 4 Configuring Cisco IOS CNS Agents

    Configuring Cisco IOS CNS Agents: This chapter describes how to configure the Cisco IOS CNS agents on the Cisco ME 3400 switch. Note: For complete configuration information for the Cisco Configuration Engine, see this URL on Cisco.com: http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.html...
  • Page 86: Chapter 4 Configuring Cisco IOS CNS Agents

    URLs that reference the device-specific configuration information stored in a directory. The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server.
  • Page 87: Event Service

    Event Service: The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine.
  • Page 88: Deviceid

    Therefore, the DeviceID, as originated on the switch, must match the DeviceID of the corresponding switch definition in the Configuration Engine. The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID variable and its usage reside within the event gateway adjacent to the switch.
  • Page 89: Understanding Cisco IOS Agents

    Understanding Cisco IOS Agents: The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent. The Cisco IOS agent feature supports the switch by providing these features: •...
  • Page 90: Incremental (Partial) Configuration

    NVRAM for use at the next reboot. Configuring Cisco IOS Agents: The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 4-6.
  • Page 91 Note: For more information about running the setup program and creating templates on the Configuration Engine, see the Cisco Configuration Engine Installation and Setup Guide, 1.5 for Linux at this URL: http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/products_installation_and_configuration_guide_book09186a00803b59db.html...
  • Page 92: Enabling The CNS Event Agent

    This example shows how to enable the CNS event agent, set the IP address gateway to 10.180.1.27, set 120 seconds as the keepalive interval, and set 10 as the retry count.
    Switch(config)# cns event 10.180.1.27 keepalive 120 10
    ...
  • Page 93: Enabling The Cisco IOS CNS Agent

    Enabling the Cisco IOS CNS Agent: After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands: •...
  • Page 94 ID, or enter an arbitrary text string for string string as the unique ID.
    Step 8: cns config initial {ip-address | hostname} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check]
    Enable the Cisco IOS agent, and initiate an initial configuration.
    • For {ip-address | hostname}, enter the IP address or...
  • Page 95: Enabling A Partial Configuration

    RemoteSwitch(config)# cns id Ethernet 0 ipaddress
    RemoteSwitch(config)# cns config initial 10.1.1.1 no-persist
    Enabling a Partial Configuration: Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch: Command...
  • Page 96: Displaying CNS Configuration

    Displaying CNS Configuration
    Command | Purpose
    show cns config connections | Displays the status of the CNS Cisco IOS agent connections.
    show cns config outstanding | Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
    show cns config stats | Displays statistics about the Cisco IOS agent.
  • Page 97 Chapter 4 Configuring Cisco IOS CNS Agents Displaying CNS Configuration Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 4-13 78-17058-01...
  • Page 98: Managing The System Time And Date

    You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods. Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. These sections contain this configuration information: •...
  • Page 99: Chapter 5 Administering The Switch

    The time kept on a device is a critical resource; you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism.
  • Page 100 Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet.
  • Page 101: Configuring Ntp

    No access control is specified.
    NTP packet source IP address: The source address is set by the outgoing interface.
    NTP is enabled on all interfaces by default. All interfaces receive NTP packets.
  • Page 102: Configuring Ntp Authentication

    This example shows how to configure the switch to synchronize only to devices providing authentication key 42 in the device’s NTP packets:
    Switch(config)# ntp authenticate
    Switch(config)# ntp authentication-key 42 md5 aNiceKey
    Switch(config)# ntp trusted-key 42
  • Page 103: Configuring Ntp Associations

    This example shows how to configure the switch to synchronize its system clock with the clock of the peer at IP address 172.16.22.44 using NTP Version 2:
    Switch(config)# ntp server 172.16.22.44 version 2
  • Page 104: Configuring Ntp Broadcast Service

    To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface configuration command. This example shows how to configure a port to send NTP Version 2 packets:
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# ntp broadcast version 2
  • Page 105: Configuring Ntp Access Restrictions

    You can control NTP access on two levels as described in these sections:
    • Creating an Access Group and Assigning a Basic IP Access List, page 5-9
    • Disabling NTP Services on a Specific Interface, page 5-10
  • Page 106 If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted.
  • Page 107: Configuring The Source Ip Address For Ntp Packets

    Specify the interface type and number from which the IP source address is taken. By default, the source address is set by the outgoing interface.
    Step 3
    Purpose: Return to privileged EXEC mode.
  • Page 108: Displaying The Ntp Configuration

    [detail]
    • show ntp status
    For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
    Configuring Time and Date Manually
    If no other source of time is available, you can manually configure the time and date after the system is restarted.
  • Page 109: Displaying The Time And Date Configuration

    Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent. In this case, the necessary command is clock timezone AST -3 30. To set the time to UTC, use the no clock timezone global configuration command.
  • Page 110: Configuring Summer Time (Daylight Saving Time)

    This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:
    Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
  • Page 111: Configuring A System Name And Prompt

    A greater-than symbol [>] is appended. The prompt is updated whenever the system name changes. For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
  • Page 112: Default System Name And Prompt Configuration

    Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
  • Page 113: Default Dns Configuration

    Internet naming scheme (DNS).
    Step 5
    Purpose: Return to privileged EXEC mode.
  • Page 114: Displaying The Dns Configuration

    If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
  • Page 115: Configuring A Message-Of-The-Day Login Banner

    Unix> telnet 172.2.5.4
    Trying 172.2.5.4...
    Connected to 172.2.5.4.
    Escape character is '^]'.
    This is a secure site. Only authorized users are allowed.
    For access, contact technical support.
    User Access Verification
    Password:
  • Page 116: Configuring A Login Banner

    (static or dynamic).
    Note: For complete syntax and usage information for the commands used in this section, see the command reference for this release.
  • Page 117: Building The Address Table

    VLANs. When you configure a static MAC address in a private VLAN primary or secondary VLAN, you should also configure the same static MAC address in all associated VLANs. For more information about private VLANs, see Chapter 12, “Configuring Private VLANs.”
  • Page 118: Default Mac Address Table Configuration

    VLAN as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time can cause the address table to be filled with unused addresses, which prevents new addresses from being learned. Flooding results, which can impact switch performance.
  • Page 119: Removing Dynamic Address Entries

    MAC address activity for each hardware port for which the trap is enabled. MAC address notifications are generated for dynamic and secure MAC addresses; events are not generated for self addresses, multicast addresses, or other static addresses.
  • Page 120
    • Enable the MAC notification trap whenever a MAC address is added on this interface.
    • Enable the MAC notification trap whenever a MAC address is removed from this interface.
  • Page 121: Adding And Removing Static Address Entries

    MAC address in all associated VLANs. Static MAC addresses configured in a private-VLAN primary or secondary VLAN are not replicated in the associated VLAN. For more information about private VLANs, see Chapter 12, “Configuring Private VLANs.”
  • Page 122: Configuring Unicast Mac Address Filtering

    % Only unicast addresses can be configured to be dropped
    % CPU destined address cannot be configured as drop address
    • Packets that are forwarded to the CPU are also not supported.
  • Page 123: Disabling Mac Address Learning On A Vlan

    MAC address learning be sure that you are familiar with the network topology and the switch system configuration. Disabling MAC address learning on a VLAN could cause flooding in the network.
  • Page 124 200 You can display the MAC address learning status of all VLANs or a specified VLAN by entering the show mac-address-table learning [vlan vlan-id] privileged EXEC command.
  • Page 125: Displaying Address Table Entries

    (represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed. For CLI procedures, see the Cisco IOS Release 12.2 documentation on Cisco.com.
  • Page 126: Chapter 6 Configuring Sdm Templates

    This chapter describes how to configure the Switch Database Management (SDM) templates on the Cisco ME 3400 Ethernet Access switch. SDM template configuration is supported only when the switch is running the metro IP access image.
    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 127: Configuring The Switch Sdm Template

    Follow these guidelines when selecting and configuring SDM templates:
    • You must reload the switch for the configuration to take effect.
    • If you are using the switch for Layer 2 features only, select the layer-2 template.
  • Page 128: Setting The Sdm Template

    IPv4/MAC qos aces:
    number of IPv4/MAC security aces:
    On next reload, template will be "layer-2" template.
    To return to the default template, use the no sdm prefer global configuration command.
  • Page 129: Displaying The Sdm Templates

    IPv4 IGMP groups:
    number of IPv4 multicast routes:
    number of unicast IPv4 routes:
    number of IPv4 policy based routing aces:
    number of IPv4/MAC qos aces:
    number of IPv4/MAC security aces:
  • Page 130: Chapter 7 Configuring Switch-Based Authentication

    This chapter describes how to configure switch-based authentication on the Cisco ME 3400 switch. This chapter consists of these sections:
    • Preventing Unauthorized Access to Your Switch, page 7-1
    • Protecting Access to Privileged EXEC Commands, page 7-2
    •...
  • Page 131: Protecting Access To Privileged Exec Commands

    Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2. These sections contain this configuration information: •...
  • Page 132: Setting Or Changing A Static Enable Password

    This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access):
    Switch(config)# enable password l1u2c3k4y5
  • Page 133: Protecting Enable And Enable Secret Passwords With Encryption

    Encryption prevents the password from being readable in the configuration file.
    Step 4
    Purpose: Return to privileged EXEC mode.
    Step 5
    Command: copy running-config startup-config
    Purpose: (Optional) Save your entries in the configuration file.
  • Page 134: Disabling Password Recovery

    Disable password recovery. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
  • Page 135: Setting A Telnet Password For A Terminal Line

    (Optional) Save your entries in the configuration file. To remove the password, use the no password global configuration command. This example shows how to set the Telnet password to let45me67in89:
    Switch(config)# line vty 10
    Switch(config-line)# password let45me67in89
  • Page 136: Configuring Username And Password Pairs

    To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command.
  • Page 137: Configuring Multiple Privilege Levels

    By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
  • Page 138: Changing The Default Privilege Level For Lines

    You might specify a high level or privilege level for your console line to restrict line usage. To return to the default line privilege level, use the no privilege level line configuration command.
  • Page 139: Logging Into And Exiting A Privilege Level

    (AAA) and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2. These sections contain this configuration information: •...
  • Page 140 TACACS+ daemon are encrypted. You need a system running the TACACS+ daemon software to use TACACS+ on your switch.
  • Page 141: Tacacs+ Operation

    • Telnet, Secure Shell (SSH), rlogin, or privileged EXEC services
    • Connection parameters, including the host or client IP address, access list, and user timeouts
  • Page 142: Configuring Tacacs

    You can group servers to select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list and contains the list of IP addresses of the selected server hosts.
  • Page 143: Configuring Tacacs+ Login Authentication

    You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to...
  • Page 144
    Step 4
    Command: line [console | tty | vty] line-number [ending-line-number]
    Purpose: Enter line configuration mode, and configure the lines to which you want to apply the authentication list.
  • Page 145: Configuring Tacacs+ Authorization For Privileged Exec Access And Network Services

    Configure the switch for user TACACS+ authorization if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information).
    Step 4
    Purpose: Return to privileged EXEC mode.
  • Page 146: Starting Tacacs+ Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services:...
  • Page 147: Controlling Switch Access With Radius

    RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2. These sections contain this configuration information: •...
  • Page 148: Radius Operation

    • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication.
    • Networks using a variety of services. RADIUS generally binds a user to one service model....
  • Page 149: Configuring Radius

    Identifying the RADIUS Server Host
    Switch-to-RADIUS-server communication involves several components:
    • Hostname or IP address
    • Authentication destination port
    • Accounting destination port
    • Key string
    • Timeout period
    • Retransmission value
  • Page 150 Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.
    Step 1
    Command: configure terminal
    Purpose: Enter global configuration mode.
    Step 2
    Command: aaa new-model
    Purpose: Enable AAA authentication.
  • Page 151 RADIUS host.
    Step 4
    Purpose: Return to privileged EXEC mode.
    Step 5
    Command: show running-config
    Purpose: Verify your entries.
    Step 6
    Command: copy running-config startup-config
    Purpose: (Optional) Save your entries in the configuration file.
  • Page 152: Configuring Radius Login Authentication

    If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.
  • Page 153
    Step 4
    Command: line [console | tty | vty] line-number [ending-line-number]
    Purpose: Enter line configuration mode, and configure the lines to which you want to apply the authentication list.
  • Page 154: Defining Aaa Server Groups

    You use the server group server configuration command to associate a particular server with a defined group server. You can either identify the server by its IP address or identify multiple host instances or entries by using the optional auth-port and acct-port keywords.
  • Page 155 Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2.
    Step 6
    Purpose: Return to privileged EXEC mode.
    Step 7
    Command: show running-config
    Purpose: Verify your entries.
  • Page 156: Configuring Radius Authorization For User Privileged Access And Network Services

    • Use the local database if authentication was not performed by using RADIUS.
    Note: Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
  • Page 157: Starting Radius Accounting

    (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:...
  • Page 158: Configuring Settings For All Radius Servers

    1, which is named cisco-avpair. The value is a string with this format:
    protocol : attribute sep value *
    Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes....
  • Page 159 For example, this AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP IPCP address assignment):
    cisco-avpair= "ip:addr-pool=first"
    This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:
    cisco-avpair= "shell:priv-lvl=15"...
  • Page 160: Configuring The Switch For Vendor-Proprietary Radius Server Communication

    Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
  • Page 161: Controlling Switch Access With Kerberos

    Note A Kerberos server can be a Cisco ME switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol. The Kerberos credential scheme uses a process called single logon. This process authenticates a user once and then allows secure authentication (without encrypting another password) wherever that user credential is accepted.
  • Page 162 A daemon that is running on a network host. Users and network services register their identity with the Kerberos server. Network services query the Kerberos server to authenticate to other network services.
  • Page 163: Kerberos Operation

    4. SRVTAB = server table
    Kerberos Operation
    A Kerberos server can be a Cisco ME switch that is configured as a network security server and that can authenticate remote users by using the Kerberos protocol. Although you can customize Kerberos in a number of ways, remote users attempting to access network services must pass through three layers of security before they can access network services.
  • Page 164: Authenticating To A Boundary Switch

    KDC and obtain a TGT from the KDC to access network services. For instructions about how to authenticate to a KDC, see the “Obtaining a TGT from a KDC” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsecsp/scfkerb.ht...
  • Page 165: Configuring Kerberos

    The Kerberos realm name must be in all uppercase characters. Note A Kerberos server can be a Cisco ME switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol. To set up a Kerberos-authenticated server-client system, follow these steps: •...
  • Page 166: Configuring The Switch For Secure Shell

    Note: For complete syntax and usage information for the commands used in this section, see the command reference for this release and the command reference for Cisco IOS Release 12.2 at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm.
  • Page 167: Understanding Ssh

    You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
  • Page 168: Configuring Ssh

    Setting Up the Switch to Run SSH
    Follow these steps to set up your switch to run SSH:
    Download the cryptographic software image from Cisco.com. This step is required. For more information, see the release notes for this release.
    Configure a hostname and IP domain name for the switch. Follow this procedure only if you are configuring the switch as an SSH server.
  • Page 169: Configuring The Ssh Server

    • Specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5.
    Repeat this step when configuring both parameters.
    Step 4
    Purpose: Return to privileged EXEC mode.
  • Page 170: Displaying The Ssh Configuration And Status

    Shows the status of the SSH server. For more information about these commands, see the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fothercr/srfssh.htm.
  • Page 172: Chapter 8 Configuring Ieee 802.1X Port-Based Authentication

    This chapter describes how to configure IEEE 802.1x port-based authentication on the Cisco ME 3400 Ethernet Access switch. As LANs extend to hotels, airports, and corporate lobbies and create insecure environments, 802.1x prevents unauthorized devices (clients) from gaining access to the network.
  • Page 173: Device Roles

    Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
  • Page 174: Authentication Initiation And Message Exchange

    The specific exchange of EAP frames depends on the authentication method being used. Figure 8-2 shows a message exchange initiated by the client using the One-Time-Password (OTP) authentication method with a RADIUS server.
  • Page 175: Ports In Authorized And Unauthorized States

    The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each client attempting to access the network is uniquely identified by the switch by using the client MAC address.
  • Page 176: Ieee 802.1X Accounting

    AV pairs that might be sent by the switch:
    Table 8-1 Accounting AV Pairs
    Attribute number | AV pair name
    Attribute[1] | User-Name
    Attribute[4] | NAS-IP-Address
    Attribute[5] | NAS-Port
    Attribute[6] | NAS-Port-Type
    Attribute[8] | Framed-IP-Address
    Attribute[25] | Class
    Attribute[30] | Called-Station-ID
    Attribute[31] | Calling-Station-ID
  • Page 177: Ieee 802.1X Host Mode

    You can view the AV pairs that are being sent by the switch by enabling the debug radius accounting or debug aaa accounting privileged EXEC commands. For more information about these commands, see the Cisco IOS Debug Command Reference, Release 12.2 at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122sup/122debug/ See RFC 3580, “IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines,”...
  • Page 178: Using Ieee 802.1X With Port Security

    • If the port is administratively shut down, the port becomes unauthenticated, and all dynamic entries are removed from the secure host table.
    For more information about enabling port security on your switch, see the “Configuring Port Security” section on page 21-8.
  • Page 179: Using Ieee 802.1X With Vlan Assignment

    6). Attribute[81] specifies the VLAN name or VLAN ID assigned to the IEEE 802.1x-authenticated user. For examples of tunnel attributes, see the “Configuring the Switch to Use Vendor-Specific RADIUS Attributes” section on page 7-29.
  • Page 180: Configuring Ieee 802.1X Authentication

    Number of seconds between re-authentication attempts: 3600 seconds.
    Re-authentication number: 2 times (number of times that the switch restarts the authentication process before the port changes to the unauthorized state).
  • Page 181: Ieee 802.1X Configuration Guidelines

    You can configure any VLAN except an RSPAN VLAN or a private VLAN.
    • The IEEE 802.1x with VLAN assignment feature is not supported on private-VLAN ports, trunk ports, or ports with dynamic-access port assignment through a VMPS.
  • Page 182: Configuring Ieee 802.1X Authentication

    Note: Though other keywords are visible in the command-line help string, only the group radius keywords are supported.
    Step 4
    Command: dot1x system-auth-control
    Purpose: Enable IEEE 802.1x authentication globally on the switch.
  • Page 183: Configuring The Switch-To-Radius-Server Communication

    This key must match the encryption used on the RADIUS daemon. If you want to use multiple RADIUS servers, re-enter this command.
    Step 3
    Purpose: Return to privileged EXEC mode.
  • Page 184: Configuring Periodic Re-Authentication

    To disable periodic re-authentication, use the no dot1x reauthentication interface configuration command. To return to the default number of seconds between re-authentication attempts, use the no dot1x timeout reauth-period interface configuration command.
  • Page 185: Manually Re-Authenticating A Client Connected To A Port

    To return to the default quiet time, use the no dot1x timeout quiet-period interface configuration command. This example shows how to set the quiet time on the switch to 30 seconds:
    Switch(config-if)# dot1x timeout quiet-period 30
  • Page 186: Changing The Switch-To-Client Retransmission Time

    This procedure is optional.
    Step 1
    Command: configure terminal
    Purpose: Enter global configuration mode.
    Step 2
    Command: interface interface-id
    Purpose: Specify the port to be configured, and enter interface configuration mode.
  • Page 187: Setting The Re-Authentication Number

    This example shows how to set 4 as the number of times that the switch restarts the authentication process before the port changes to the unauthorized state:

        Switch(config-if)# dot1x max-reauth-req 4
  • Page 188: Configuring The Host Mode

    | | Command | Purpose |
    |---|---|---|
    | Step 4 | | Return to privileged EXEC mode. |
    | Step 5 | show dot1x interface interface-id | Verify your entries. |
    | Step 6 | copy running-config startup-config | (Optional) Save your entries in the configuration file. |
  • Page 189: Configuring Ieee 802.1X Accounting

    RADIUS server, specifying 1813 as the UDP port for accounting:

        Switch(config)# radius-server host 172.120.39.46 auth-port 1812 acct-port 1813 key rad123
        Switch(config)# aaa accounting dot1x default start-stop group radius
        Switch(config)# aaa accounting system default start-stop group radius
  • Page 190: Displaying Ieee 802.1X Statistics And Status

    EXEC command. To display the IEEE 802.1x administrative and operational status for a specific port, use the show dot1x interface interface-id privileged EXEC command. For detailed information about the fields in these displays, see the command reference for this release.
  • Page 191 Chapter 8 Configuring IEEE 802.1x Port-Based Authentication Displaying IEEE 802.1x Statistics and Status
  • Page 192: Understanding Interface Types

    Chapter: Configuring Interface Characteristics

    This chapter defines the types of interfaces on the Cisco ME 3400 Ethernet Access switch and describes how to configure them. The chapter consists of these sections:
    • Understanding Interface Types, page 9-1
    • Using Interface Configuration Mode, page 9-7
    ...
  • Page 193: Understanding Interface Types

    VLAN or when a user creates a VLAN. To isolate VLANs of different customers in a service-provider network, the Cisco ME switch uses UNI VLANs. UNI VLANs isolate user network interfaces (UNIs) on the switch from UNIs that belong to other customer VLANs: •...
  • Page 194: Uni And Nni Ports

    User-network interfaces (UNIs) and network node interfaces (NNIs) are supported on the Cisco ME switch. UNIs are typically connected to a host, such as a PC or a Cisco IP phone. NNIs are typically connected to a router or to another switch. By default, the 10/100 ports on the Cisco ME switch are configured as UNIs, and the SFP module uplink ports are configured as NNIs.
  • Page 195: Trunk Ports

    Dynamic access ports on the switch are assigned to a VLAN by a VLAN Membership Policy Server (VMPS). The VMPS can be a Catalyst 6500 series switch; the Cisco ME switch cannot be a VMPS server. Dynamic access ports for VMPS are only supported on UNIs.
  • Page 196: Switch Virtual Interfaces

    Chapter 32, “Configuring IP Unicast Routing,” Chapter 34, “Configuring IP Multicast Routing.”
    Note: Routed ports (or SVIs) are supported only when the metro IP access image is installed on the switch.
  • Page 197: Etherchannel Port Groups

    Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. Exceptions are the Cisco Discovery Protocol (CDP), Link Aggregation Control Protocol (LACP), and the Port Aggregation Protocol (PAgP), which operate only on physical NNI ports.
  • Page 198: Using Interface Configuration Mode

    • Type—Fast Ethernet (fastethernet or fa) for 10/100 Mbps Ethernet, Gigabit Ethernet (gigabitethernet or gi) for 10/100/1000 Mbps Ethernet ports, or small form-factor pluggable (SFP) module Gigabit Ethernet interfaces.
    • Module number—The module or slot number on the switch (always 0 on the Cisco ME switch).
    ...
  • Page 199: Configuring A Range Of Interfaces

    | | Command | Purpose |
    |---|---|---|
    | Step 4 | | You can now use the normal configuration commands to apply the configuration parameters to all interfaces in the range. |
    | Step 5 | | Return to privileged EXEC mode. |
  • Page 200 If you exit interface range configuration mode while the commands are being executed, some commands might not be executed on all interfaces in the range. Wait until the command prompt reappears before exiting interface range configuration mode.
  • Page 201: Configuring And Using Interface Range Macros

    The VLAN interfaces must have been configured with the interface vlan command. The show running-config privileged EXEC command displays the configured VLAN interfaces. VLAN interfaces not displayed by the show running-config command cannot be used as interface-ranges.
  • Page 202: Configuring Ethernet Interfaces

    • Configuring Interface Speed and Duplex Mode, page 9-14
    • Configuring IEEE 802.3x Flow Control, page 9-17
    • Configuring Auto-MDIX on an Interface, page 9-18
    • Adding a Description for an Interface, page 9-19
  • Page 203: Default Ethernet Interface Configuration

    “Default Port Security Configuration” section on page 21-10.
    Port Fast: Disabled. See the “Default Optional Spanning-Tree Configuration” section on page 16-5.
    Auto-MDIX: Enabled.
    Cisco Discovery Protocol (CDP): Enabled.
    VMPS: Not configured.
  • Page 204: Configuring User Network And Network Node Interfaces

    Enabled.

    Configuring User Network and Network Node Interfaces

    By default, all the 10/100 ports on the Cisco ME switch are configured as UNIs, and the SFP module ports are configured as NNIs. You can use the port-type interface configuration command to change the port types. At any one time, only four ports on the switch can be configured as NNIs, but every port on the switch can be configured as a UNI.
  • Page 205: Configuring Interface Speed And Duplex Mode

    These sections describe how to configure the interface speed and duplex mode:
    • Speed and Duplex Configuration Guidelines, page 9-15
    • Setting the Interface Speed and Duplex Parameters, page 9-15
  • Page 206: Speed And Duplex Configuration Guidelines

    • When STP is enabled and a port is reconfigured, the switch can take up to 30 seconds to check for loops. The port LED is amber while STP reconfigures. On the Cisco ME switch, STP is supported only on NNIs.
  • Page 207 This command is not available on SFP module ports with these exceptions: • If a Cisco 1000BASE-T SFP module is inserted, you can configure duplex to auto or to full. • If a Cisco 100BASE-FX SFP module is inserted, you can configure duplex to full or to half.
  • Page 208: Configuring Ieee 802.3X Flow Control

    To disable IEEE 802.3x flow control, use the flowcontrol receive off interface configuration command. This example shows how to enable IEEE 802.3x flow control on a port:

        Switch# configure terminal
        Switch(config)# interface gigabitethernet0/1
        Switch(config-if)# flowcontrol receive on
        Switch(config-if)# end
  • Page 209: Configuring Auto-Mdix On An Interface

    Auto-MDIX is supported on all 10/100 and 10/100/1000 Mbps interfaces and on Cisco 10/100/1000 BASE-T/TX SFP module interfaces. It is not supported on 1000 BASE-SX or -LX SFP module interfaces.
  • Page 210: Adding A Description For An Interface

        End with CNTL/Z.
        Switch(config)# interface gigabitethernet0/2
        Switch(config-if)# description Connects to Marketing
        Switch(config-if)# end
        Switch# show interfaces gigabitethernet0/2 description
        Interface Status         Protocol Description
        Gi 0/2    admin down     down     Connects to Marketing
  • Page 211: Configuring Layer 3 Interfaces

    The Cisco 3400 ME switch must be running the metro IP access image to support Layer 3 interfaces. The Cisco ME switch supports these types of Layer 3 interfaces: •...
  • Page 212: Configuring The System Mtu

    (OSPF) protocol uses this MTU value before setting up an adjacency with a peer router. To view the MTU value for routed packets for a specific VLAN, use the show platform port-asic mvid privileged EXEC command.
  • Page 213: Monitoring And Maintaining The Interfaces

    These sections contain interface monitoring and maintenance information:
    • Monitoring Interface Status, page 9-23
    • Clearing and Resetting Interfaces and Counters, page 9-24
    • Shutting Down and Restarting the Interface, page 9-24
  • Page 214: Monitoring Interface Status

    (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.) These commands are fully described in the Cisco IOS Interface Command Reference, Release 12.2. Table 9-4...
  • Page 215: Clearing And Resetting Interfaces And Counters

    Use the no shutdown interface configuration command to restart the interface. To verify that an interface is disabled, enter the show interfaces privileged EXEC command. A disabled interface is shown as administratively down in the display.
  • Page 216: Chapter 10 Configuring Command Macros

    Chapter: Configuring Command Macros

    This chapter describes how to configure and apply command macros on the Cisco 3400 ME switch.
    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 217: Configuring Command Macros

    If a command fails because of a syntax error or a configuration error, the macro continues to apply the remaining commands.
  • Page 218: Creating Command Macros

    MAC addresses and also includes two help string keywords by using # macro keywords:

        Switch(config)# macro name test
        switchport access vlan $VLANID
        switchport port-security maximum $MAX
        #macro keywords $VLANID $MAX
  • Page 219: Applying Command Macros

    | | Command | Purpose |
    |---|---|---|
    | Step 10 | show parser macro description [interface interface-id] | Verify that the macro is applied to the interface. |
    | Step 11 | copy running-config startup-config | (Optional) Save your entries in the configuration file. |
  • Page 220: Displaying Command Macros

    Displays a specific macro.

    | Command | Purpose |
    |---|---|
    | show parser macro brief | Displays the configured macro names. |
    | show parser macro description [interface interface-id] | Displays the macro description for all interfaces or for a specified interface. |
  • Page 221 Chapter 10 Configuring Command Macros Displaying Command Macros
  • Page 222: Chapter 11 Configuring Vlans

    This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Cisco ME 3400 Ethernet Access switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS).
  • Page 223 This section includes these topics:
    • Supported VLANs, page 11-3
    • Normal-Range VLANs, page 11-3
    • Extended-Range VLANs, page 11-4
    • VLAN Port Membership Modes, page 11-4
    • UNI VLANs, page 11-5
  • Page 224: Supported Vlans

    Ring VLANs and view the results in the vlan.dat file, but these parameters are not used.
    • VLAN state (active or suspended)
    • Maximum transmission unit (MTU) for the VLAN
    • Security Association Identifier (SAID)
    • Bridge identification number for TrBRF VLANs
  • Page 225: Extended-Range Vlans

    For information about configuring trunk ports, see the “Configuring an Ethernet Interface as a Trunk Port” section on page 11-16.
  • Page 226: Uni Vlans

    A dynamic-access port can belong to one VLAN (VLAN ID 1 to 4094) and is dynamically assigned by a VMPS. The VMPS can be a Catalyst 5000 or Catalyst 6500 series switch, for example, but never a Cisco ME 3400 Ethernet Access switch. The Cisco ME 3400 switch is a VMPS client.
  • Page 227: Creating And Modifying Vlans

    Fast Ethernet ports 6-10. The NNIs in both VLAN 10 and VLAN 20 can exchange packets with the UNIs in the same VLAN.

    Figure 11-2: UNI Isolated and Community VLANs in the Cisco ME Switch
  • Page 228: Default Ethernet Vlan Configuration

    Private VLANs: none configured; 2 to 1001, 1006 to 4094.
    UNI VLAN: UNI isolated VLAN; 2 to 1001, 1006 to 4094. VLAN 1 is always a UNI isolated VLAN.
  • Page 229: Vlan Configuration Guidelines

    SVIs, and other configured features affects the use of the switch hardware. If you try to create an extended-range VLAN and there are not enough hardware resources available, an error message is generated, and the extended-range VLAN is rejected.
  • Page 230: Creating Or Modifying An Ethernet Vlan

    {name vlan-name | id vlan-id} Verify your entries. The name option is only valid for VLAN IDs 1 to 1005.

    | | Command | Purpose |
    |---|---|---|
    | Step 7 | copy running-config startup config | (Optional) Save the configuration in the switch startup configuration file. |
  • Page 231: Assigning Static-Access Ports To A Vlan

    Verify your entries in the Administrative Mode and the Access Mode VLAN fields of the display.

    | | Command | Purpose |
    |---|---|---|
    | Step 9 | copy running-config startup-config | (Optional) Save your entries in the configuration file. |
  • Page 232: Creating An Extended-Range Vlan With An Internal Vlan Id

    Re-enable the routed port. It will be assigned a new internal VLAN ID.

    | | Command | Purpose |
    |---|---|---|
    | Step 10 | | Return to privileged EXEC mode. |
    | Step 11 | copy running-config startup config | (Optional) Save your entries in the switch startup configuration file. |
  • Page 233: Configuring Uni Vlans

    If you attempt to add a UNI static access port to a UNI community VLAN that already has eight UNIs, the configuration is refused. If a UNI dynamic access port is added to a UNI community VLAN that already has eight UNIs, the port is error-disabled.
  • Page 234: Configuring Uni Vlans

    The show vlan and show vlan vlan-id privileged EXEC commands also display UNI VLAN information, but only UNI community VLANs appear. To display both isolated and community VLANs, use the show vlan uni-vlan type command.
  • Page 235: Displaying Vlans

    11-4). You can set an interface as trunking or nontrunking.
    • If you do not intend to trunk across links, use the switchport mode access interface configuration command to disable trunking.
  • Page 236: Ieee 802.1Q Configuration Considerations

    VLAN allowed on the trunks. Non-Cisco devices might support one spanning-tree instance for all VLANs. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.
  • Page 237: Default Layer 2 Ethernet Interface Vlan Configuration

    If you try to enable IEEE 802.1x on a trunk port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, the port mode is not changed.
  • Page 238: Configuring A Trunk Port

    VLANs from passing over the trunk. To restrict the traffic a trunk carries, use the switchport trunk allowed vlan remove vlan-list interface configuration command to remove specific VLANs from the allowed list.
  • Page 239 Note: VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. The VLAN 1 minimization feature allows you to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.
  • Page 240: Configuring The Native Vlan For Untagged Traffic

    STP path costs, each load-sharing link can be connected to the same switch or to two different switches. For more information about STP, see Chapter 14, “Configuring STP.”
  • Page 241: Load Sharing Using Stp Port Priorities

    Assign the port priority of 16 for VLANs 8 through 10 on Trunk 1.

    | | Command | Purpose |
    |---|---|---|
    | Step 14 | | Return to privileged EXEC mode. |
    | Step 15 | show interfaces gigabitethernet 0/1 switchport | Verify the port configuration. |
    | Step 16 | configure terminal | Enter global configuration mode. |
  • Page 242: Load Sharing Using Stp Path Cost

    VLANs 2 – 4 (path cost 30) VLANs 8 – 10 (path cost 30) VLANs 8 – 10 (path cost 19) VLANs 2 – 4 (path cost 19) Switch B
  • Page 243 Follow the same steps on Switch B to configure the trunk port for Trunk 1 with a path cost of 30 for VLANs 2 through 4, and configure the trunk port for Trunk 2 with a path cost of 30 for VLANs 8 through...
  • Page 244: Configuring Vmps

    • If the VLAN in the database does not match the current VLAN on the port and active hosts exist on the port, the VMPS sends an access-denied or a port-shutdown response, depending on the secure mode of the VMPS.
  • Page 245: Dynamic-Access Port Vlan Membership

    Table 11-6 Default VMPS Client and Dynamic-Access Port Configuration

    | Feature | Default Setting |
    |---|---|
    | VMPS domain server | None |
    | VMPS reconfirm interval | 60 minutes |
    | VMPS server retry count | |
    | Dynamic-access ports | None configured |
  • Page 246: Vmps Configuration Guidelines

    You must have IP connectivity to the VMPS for dynamic-access ports to work. You can test for IP connectivity by pinging the IP address of the VMPS and verifying that you get a response.
  • Page 247: Configuring Dynamic-Access Ports On Vmps Clients

    VMPS:

    | | Command | Purpose |
    |---|---|---|
    | Step 1 | vmps reconfirm | Reconfirm dynamic-access port VLAN membership. |
    | Step 2 | show vmps | Verify the dynamic VLAN reconfirmation status. |
  • Page 248: Changing The Reconfirmation Interval

    • VMPS domain server—the IP address of the configured VLAN membership policy servers. The switch sends queries to the one marked current. The one marked primary is the primary server.
  • Page 249: Troubleshooting Dynamic-Access Port Vlan Membership

    • End stations are connected to the clients, Switch B and Switch I.
    • The database configuration file is stored on the TFTP server with the IP address 172.20.22.7.
  • Page 250 172.20.26.155 Switch F 172.20.26.156 Switch G 172.20.26.157 Switch H Client switch I Dynamic-access port 172.20.26.158 station 2 Trunk port 172.20.26.159 Catalyst 6500 series Secondary VMPS Switch J Server 3
  • Page 251 Chapter 11 Configuring VLANs Configuring VMPS
  • Page 252: Understanding Private Vlans

    Chapter: Configuring Private VLANs

    This chapter describes how to configure private VLANs on the Cisco ME 3400 Ethernet Access switch.
    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 253: Chapter 12 Configuring Private Vlan

    VLANs associated with the primary VLAN.
    Note: Promiscuous ports must be network node interfaces (NNIs). UNIs cannot be configured as promiscuous ports.
  • Page 254 VLANs to other devices that support private VLANs. To maintain the security of your private-VLAN configuration and to avoid other use of the VLANs configured as private VLANs, configure private VLANs on all intermediate devices, including devices that have no private-VLAN ports.
  • Page 255: Ip Addressing Scheme With Private Vlans

    VLAN association in some switches in the network, the Layer 2 databases in these switches are not merged. This can result in unnecessary flooding of private-VLAN traffic on those switches.
  • Page 256: Private Vlans And Unicast, Broadcast, And Multicast Traffic

    • Private-VLAN Configuration Guidelines, page 12-6
    • Configuring and Associating VLANs in a Private VLAN, page 12-10
    • Configuring a Layer 2 Interface as a Private-VLAN Host Port, page 12-12
  • Page 257: Tasks For Configuring Private Vlans

    Guidelines for configuring private VLANs fall into these categories:
    • Secondary and Primary VLAN Configuration, page 12-7
    • Private-VLAN Port Configuration, page 12-8
    • Limitations with Other Features, page 12-9
  • Page 258: Secondary And Primary Vlan Configuration

    You can configure VLAN maps on primary and secondary VLANs (see the “Configuring VLAN Maps” section on page 28-29). However, we recommend that you configure the same VLAN maps on private-VLAN primary and secondary VLANs.
  • Page 259: Private-Vlan Port Configuration

    UNIs, the configuration is not allowed. If you try to configure a VLAN that includes more than eight UNIs as a community private VLAN, the configuration is not allowed.
  • Page 260: Limitations With Other Features

    VLAN. When the original dynamic MAC address is deleted or aged out, the replicated addresses are removed from the MAC address table.
    • Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs.
  • Page 261: Configuring And Associating Vlans In A Private Vlan

    Return to privileged EXEC mode.

    | | Command | Purpose |
    |---|---|---|
    | Step 14 | show vlan private-vlan [type], show interfaces status | Verify the configuration. |
    | Step 15 | copy running-config startup config | (Optional) Save your entries in the switch startup configuration file. |
  • Page 262

        Switch(config-vlan)# private-vlan community
        Switch(config-vlan)# exit
        Switch(config)# vlan 20
        Switch(config-vlan)# private-vlan association 501-503
        Switch(config-vlan)# end
        Switch# show vlan private-vlan
        Primary Secondary Type              Ports
        ------- --------- ----------------- ------------------------------------------
                          isolated
                          community
                          community
                          non-operational
  • Page 263: Configuring A Layer 2 Interface As A Private-Vlan Host Port

        Administrative private-vlan trunk Native VLAN tagging: enabled
        Administrative private-vlan trunk encapsulation: dot1q
        Administrative private-vlan trunk normal VLANs: none
        Administrative private-vlan trunk private VLANs: none
        Operational private-vlan: 20 (VLAN0020) 25 (VLAN0025)
        <output truncated>
  • Page 264: Configuring A Layer 2 Interface As A Private-Vlan Promiscuous Port

        Switch(config-if)# switchport private-vlan mapping 20 add 501-503
        Switch(config-if)# end

    Use the show vlan private-vlan or the show interface status privileged EXEC command to display primary and secondary VLANs and private-VLAN ports on the switch.
  • Page 265: Mapping Secondary Vlans To A Primary Vlan Layer 3 Vlan Interface

        Switch# configure terminal
        Switch(config)# interface vlan 10
        Switch(config-if)# private-vlan mapping 501-502
        Switch(config-if)# end
        Switch# show interfaces private-vlan mapping
        Interface Secondary VLAN Type
        --------- -------------- -----------------
        vlan10                   isolated
        vlan10                   community
  • Page 266: Monitoring Private Vlans

    This is an example of the output from the show vlan private-vlan command:

        Switch# show vlan private-vlan
        Primary Secondary Type              Ports
        ------- --------- ----------------- ------------------------------------------
                          isolated          Fa0/1, Gi0/1, Gi0/2
                          community         Fa0/11, Fa0/12, Gi0/1
                          non-operational
  • Page 267 Chapter 12 Configuring Private VLANs Monitoring Private VLANs
  • Page 268: Chapter 13 Configuring Ieee 802.1Q And Layer 2 Protocol Tunneling

    VLAN and Layer 2 protocol configurations of each customer without impacting the traffic of other customers. The Cisco ME 3400 Ethernet Access switch supports IEEE 802.1Q tunneling and Layer 2 protocol tunneling when it is running the metro access or metro IP access image.
  • Page 269 When the packet exits another trunk port on the same core switch, the same metro tag is again added to the packet. Figure 13-2 shows the tag structures of the double-tagged packets.
  • Page 270 The priority field on the metro tag is set to the interface class of service (CoS) priority configured on the tunnel port. (The default is zero if none is configured.)
  • Page 271: Configuring Ieee 802.1Q Tunneling

    The packet carries only the VLAN 30 tag through the service-provider network to the trunk port of the egress-edge switch (Switch C) and is misdirected through the egress switch tunnel port to Customer Y.
  • Page 272: System Mtu

    Use ISL trunks between core switches in the service-provider network. Although customer interfaces connected to edge switches must be IEEE 802.1Q trunks, we recommend using ISL trunks for connecting switches in the core layer. The Cisco ME switch does not support ISL trunks. •...
  • Page 273: Ieee 802.1Q Tunneling And Other Features

    When an NNI port is configured as an IEEE 802.1Q tunnel port, spanning-tree bridge protocol data unit (BPDU) filtering is automatically enabled on the interface, and Cisco Discovery Protocol (CDP) is automatically disabled on the interface. UNIs do not support BPDU filtering or CDP.
  • Page 274

        Switch(config)# vlan dot1q tag native
        Switch(config)# end
        Switch# show dot1q-tunnel interface gigabitethernet0/2
        dot1q-tunnel mode LAN Port(s)
        -----------------------------
        Gi0/1
        Switch# show vlan dot1q tag native
        dot1q native vlan tagging is enabled
  • Page 275: Understanding Layer 2 Protocol Tunneling

    Cisco devices from local and remote sites. VLAN Trunking Protocol (VTP) must provide consistent VLAN configuration throughout all sites in the customer network that are participating in VTP.
    Note: The Cisco ME 3400 switch does not support VTP; CDP and STP are supported only on NNIs. However, Layer 2 protocol tunneling is supported on all ports on the switch.
  • Page 276 When you enable protocol tunneling (PAgP or LACP) on the SP switch, remote customer switches receive the PDUs and can negotiate the automatic creation of EtherChannels.
  • Page 277: Configuring Layer 2 Protocol Tunneling

    When the Layer 2 PDUs that entered the service-provider inbound edge switch through a Layer 2 protocol-enabled port exit through the trunk port into the service-provider network, the switch overwrites the customer PDU-destination MAC address with a well-known Cisco proprietary multicast address (01-00-0c-cd-cd-d0). If IEEE 802.1Q tunneling is enabled, packets are also double-tagged; the outer tag is the customer metro tag, and the inner tag is the customer’s VLAN tag.
  • Page 278: Default Layer 2 Protocol Tunneling Configuration

    If you also enable Layer 2 protocol tunneling on the egress trunk port, this behavior is bypassed, and the switch forwards control PDUs without any processing or modification.
  • Page 279: Configuring Layer 2 Protocol Tunneling

    Enable the port, if necessary. By default, UNIs are disabled, and NNIs are enabled.

    | | Command | Purpose |
    |---|---|---|
    | Step 4 | switchport mode access, switchport mode dot1q-tunnel | Configure the interface as an access port or an IEEE 802.1Q tunnel port. The default switchport mode is access. |
  • Page 280

        Switch(config)# interface gigabitethernet0/1
        Switch(config-if)# l2protocol-tunnel cdp
        Switch(config-if)# l2protocol-tunnel stp
        Switch(config-if)# l2protocol-tunnel vtp
        Switch(config-if)# l2protocol-tunnel shutdown-threshold 1500
        Switch(config-if)# l2protocol-tunnel drop-threshold 1000
        Switch(config-if)# exit
        Switch(config)# l2protocol-tunnel cos 7
        Switch(config)# end
  • Page 281: Configuring Layer 2 Tunneling For Etherchannels

    Note: If you also set a drop threshold on this interface, the shutdown-threshold value must be greater than or equal to the drop-threshold value.
  • Page 282: Configuring The Customer Switch

    Enable the port, if necessary. By default, UNIs are disabled and NNIs are enabled.
    Step 4: switchport mode trunk. Enable trunking on the interface.
    Step 5: udld enable. Enable UDLD in normal mode on the interface.
  • Page 283 SP edge switch 2 configuration:
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# switchport access vlan 19
    Switch(config-if)# switchport mode dot1q-tunnel
    Switch(config-if)# l2protocol-tunnel point-to-point pagp
    Switch(config-if)# l2protocol-tunnel point-to-point udld
    Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000
    Switch(config-if)# exit
  • Page 284
    Switch(config)# interface fastethernet0/4
    Switch(config-if)# no shutdown
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# udld enable
    Switch(config-if)# channel-group 1 mode desirable
    Switch(config-if)# exit
    Switch(config)# interface port-channel 1
    Switch(config-if)# shutdown
    Switch(config-if)# no shutdown
    Switch(config-if)# exit
  • Page 285: Monitoring And Maintaining Tunneling Status

    Display only Layer 2 protocol summary information.
    show vlan dot1q tag native: Display the status of native VLAN tagging on the switch.
    For detailed information about these displays, see the command reference for this release.
  • Page 286: Configuring Stp

    Cisco ME 3400 Ethernet Access switch. The switch uses the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or it can use the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard. On the Cisco ME switch, STP is supported only on network node interfaces (NNIs).
  • Page 287: Chapter 14 Configuring Stp

    Note: On the Cisco ME 3400 switch, only NNIs participate in STP. Active UNIs are always in the forwarding state. In this overview, STP ports can be any interfaces on other switches, but only NNIs on a Cisco ME switch.
  • Page 288: Spanning-Tree Topology And Bpdus

    Table 14-1 on page 14-4.
    • A root port is selected for each switch (except the root switch). On the Cisco ME switch, this port is always an NNI. This port provides the best path (lowest cost) when the switch forwards packets to the root switch.
  • Page 289: Bridge Id, Switch Priority, And Extended System Id

    A designated switch for each LAN segment is selected. The designated switch incurs the lowest path cost when forwarding packets from that LAN to the root switch. The port through which the designated switch is attached to the LAN is called the designated port. For the Cisco ME switch, this only applies to NNIs.
  • Page 290 Each Layer 2 interface on a switch using spanning tree (or on a Cisco ME switch, each Layer 2 NNI) exists in one of these states:
    • Blocking—The interface does not participate in frame forwarding.
  • Page 291: Blocking State

    An interface in the learning state performs these functions:
    • Discards frames received on the interface
    • Discards frames switched from another interface for forwarding
    • Learns addresses
    • Receives BPDUs
  • Page 292: Forwarding State

    Figure 14-2 Spanning-Tree Topology (RP = Root Port, DP = Designated Port)
  • Page 293: Spanning Tree And Redundant Connectivity

    If spanning tree is enabled, the CPU on the switch receives packets destined for 0x0180C2000000 and 0x0180C2000010. If spanning tree is disabled, the switch forwards those packets as unknown multicast addresses.
  • Page 294: Accelerated Aging To Retain Connectivity

    IEEE 802.1w standard. This is the default spanning-tree mode for the Cisco ME switch NNIs. Rapid PVST+ is compatible with PVST+. To provide rapid convergence, the rapid PVST+ immediately deletes dynamically learned MAC address entries on a per-port basis upon receiving a topology change.
  • Page 295: Supported Spanning-Tree Instances

    VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+.
  • Page 296: Configuring Spanning-Tree Features

    Spanning-tree VLAN port cost (configurable on a per-VLAN basis): 1000 Mbps: 4. 100 Mbps: 19. 10 Mbps: 100.
    Spanning-tree timers: Hello time: 2 seconds. Forward-delay time: 15 seconds. Maximum-aging time: 20 seconds.
  • Page 297: Spanning-Tree Configuration Guidelines

    (For example, all VLANs run PVST+, all VLANs run rapid PVST+, or all VLANs run MSTP.) For information about the different spanning-tree modes and how they interoperate, see the “Spanning-Tree Interoperability and Backward Compatibility” section on page 14-10.
  • Page 298: Changing The Spanning-Tree Mode

    This step is optional if the designated switch detects that this switch is running rapid PVST+.
    Step 7: show spanning-tree summary and show spanning-tree interface interface-id. Verify your entries.
    Step 8: copy running-config startup-config. (Optional) Save your entries in the configuration file.
  • Page 299: Disabling Spanning Tree

    4-bit switch priority value as shown in Table 14-1 on page 14-4.)
    Note: The spanning-tree vlan vlan-id root global configuration command fails if the value necessary to be the root switch is less than 1.
  • Page 300 Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
    To return to the default setting, use the no spanning-tree vlan vlan-id root global configuration command.
  • Page 301: Configuring A Secondary Root Switch

    (higher numerical values) to ones that you want selected last. If all NNIs have the same priority value, spanning tree puts the NNI with the lowest interface number in the forwarding state and blocks the other interfaces.
  • Page 302 For information on how to configure load sharing on trunk ports by using spanning-tree port priorities, see the “Configuring Trunk Ports for Load Sharing” section on page 11-19.
  • Page 303: Configuring Path Cost

    The show spanning-tree interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration.
  • Page 304: Configuring The Switch Priority Of A Vlan

    Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
    To return to the default setting, use the no spanning-tree vlan vlan-id priority global configuration command.
  • Page 305: Configuring Spanning-Tree Timers

    Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
    To return to the default setting, use the no spanning-tree vlan vlan-id hello-time global configuration command.
  • Page 306: Configuring The Forwarding-Delay Time For A Vlan

    Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
    To return to the default setting, use the no spanning-tree vlan vlan-id max-age global configuration command.
  • Page 307: Displaying The Spanning-Tree Status

    You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 308: Chapter 15 Configuring Mstp

    This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Cisco ME 3400 Ethernet Access switch. On the Cisco ME switch, STP is supported only on network node interfaces (NNIs). User network interfaces (UNIs) on the switch do not participate in STP and forward traffic immediately when they are brought up.
  • Page 309: Understanding Mstp

    BPDUs. Because the MSTP BPDU carries information for all instances, the number of BPDUs that need to be processed by a switch to support multiple spanning-tree instances is significantly reduced.
  • Page 310: Operations Within An Mst Region

    1 (A) is also the CST root. The IST master for region 2 (B) and the IST master for region 3 (C) are the roots for their respective subtrees within the CST. The RSTP runs in all regions.
  • Page 311: Hop Count

    (trigger a reconfiguration). The root switch of the instance always sends a BPDU (or M-record) with a cost of 0 and the hop count set to the...
  • Page 312: Boundary Ports

    MST configuration. A boundary port also connects to a LAN, the designated switch of which is either a single spanning-tree switch or a switch with a different MST configuration. Note: On the Cisco ME switch, only NNIs are MST ports. UNIs do not participate in STP.
  • Page 313: Understanding Rstp

    BPDUs” section on page 14-3. Then the RSTP assigns one of these port roles to individual ports. Note: On the Cisco ME switch, only NNIs are RSTP ports. UNIs do not participate in STP.
    • Root port—Provides the best path (lowest cost) when the switch forwards packets to the root switch.
  • Page 314: Rapid Convergence

    Disabled Disabled Discarding
    To be consistent with Cisco STP implementations, this guide documents the port state as blocking instead of discarding. Designated ports start in the listening state.
    Rapid Convergence
    The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a LAN.
  • Page 315: Synchronization Of Port Roles

    It is an edge port (a port configured to be at the edge of the network). If a designated port (NNI on the Cisco ME switch) is in the forwarding state and is not configured as an edge port, it transitions to the blocking state when the RSTP forces it to synchronize with new root information.
  • Page 316: Bridge Protocol Data Unit Format And Processing

    The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal. The port role in the agreement message is always set to the root port.
  • Page 317: Processing Superior Bpdu Information

    802.1D switch and a configuration BPDU with the TCA bit set is received, the TC-while timer is reset. This behavior is only required to support IEEE 802.1D switches. The RSTP BPDUs never have the TCA bit set.
  • Page 318: Configuring Mstp Features

    • Configuring the Maximum-Hop Count, page 15-21 (optional)
    • Specifying the Link Type to Ensure Rapid Transitions, page 15-22 (optional)
    • Restarting the Protocol Migration Process, page 15-22 (optional)
  • Page 319: Default Mstp Configuration

    MST cloud. For this to occur, the IST master of the MST cloud should also be the root of the CST. If the MST cloud consists of multiple MST regions, one...
  • Page 320: Specifying The Mst Region Configuration And Enabling Mstp

    Specify the configuration revision number. The range is 0 to 65535.
    Step 6: show pending. Verify your configuration by displaying the pending configuration.
    Step 7: exit. Apply all changes, and return to global configuration mode.
  • Page 321: Configuring The Root Switch

    ID support, the switch sets its own priority for the specified instance to 24576 if this value will cause this switch to become the root for the specified spanning-tree instance.
  • Page 322 (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst instance-id root global configuration command.
  • Page 323: Configuring A Secondary Root Switch

    (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst instance-id root global configuration command.
  • Page 324: Configuring Port Priority

    Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance-id port-priority interface configuration command.
  • Page 325: Configuring Path Cost

    Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance-id cost interface configuration command.
  • Page 326: Configuring The Switch Priority

    Note: Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the hello time.
  • Page 327: Configuring The Forwarding-Delay Time

    Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
    To return the switch to its default setting, use the no spanning-tree mst forward-time global configuration command.
  • Page 328: Configuring The Maximum-Aging Time

    Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file.
    To return the switch to its default setting, use the no spanning-tree mst max-hops global configuration command.
  • Page 329: Specifying The Link Type To Ensure Rapid Transitions

    To restart the protocol migration process (force the renegotiation with neighboring switches) on the switch, use the clear spanning-tree detected-protocols privileged EXEC command.
  • Page 330: Displaying The Mst Configuration And Status

    Displays MST information for the specified interface. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 332: Understanding Optional Spanning-Tree Features

    Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol. On the Cisco ME switch, STP is supported only on network node interfaces (NNIs). User network interfaces (UNIs) on the switch do not participate in STP and forward traffic immediately when they are brought up.
  • Page 333: Understanding Port Fast

    At the interface level, you enable BPDU guard on any NNI by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature. When the NNI receives a BPDU, it is put in the error-disabled state.
  • Page 334: Understanding Bpdu Filtering

    (blocked) state to prevent the customer’s switch from becoming the root switch or being in the path to the root.
  • Page 335: Understanding Loop Guard

    When the switch is operating in MST mode, BPDUs are not sent on nonboundary ports only if the interface is blocked by loop guard in all MST instances. On a boundary port, loop guard blocks the interface in all MST instances.
  • Page 336: Default Optional Spanning-Tree Configuration

    You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP.
  • Page 337: Enabling Bpdu Guard

    Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree.
  • Page 338: Enabling Bpdu Filtering

    Caution: Configure Port Fast only on NNIs that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation.
  • Page 339: Enabling Etherchannel Guard

    Beginning in privileged EXEC mode, follow these steps to enable EtherChannel guard. This procedure is optional.
            Command                                      Purpose
    Step 1  configure terminal                           Enter global configuration mode.
    Step 2  spanning-tree etherchannel guard misconfig   Enable EtherChannel guard.
    Step 3                                               Return to privileged EXEC mode.
  • Page 340: Enabling Root Guard

    This feature is most effective when it is configured on the entire switched network. Loop guard operates only on NNIs that are considered point-to-point by the spanning tree.
  • Page 341: Displaying The Spanning-Tree Status

    You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
  • Page 342: Chapter 17 Configuring Flex Links

    Configuring Flex Links
    This chapter describes how to configure Flex Links, a pair of interfaces on the Cisco ME 3400 switch that are used to provide a mutual backup. This feature is available only when the switch is running the metro IP access or metro access image.
  • Page 343: Configuring Flex Links

    (EtherChannel logical interfaces) as Flex Links, and you can configure a port channel and a physical interface as Flex Links, with either the port channel or the physical interface as the active link.
  • Page 344: Configuring Flex Links

    Switch# show interface switchport backup
    Switch Backup Interface Pairs:
    Active Interface        Backup Interface        State
    ------------------------------------------------------------------------------------------
    FastEthernet0/1         FastEthernet0/2         Active Up/Backup Standby
    FastEthernet0/3         FastEthernet0/4         Active Up/Backup Standby
    Port-channel1           GigabitEthernet0/1      Active Up/Backup Standby
  • Page 345: Monitoring Flex Links

    [interface-id] switchport backup: Displays the Flex Link backup interface configured for an interface, or displays all Flex Links configured on the switch and the state of each active and backup interface (up or standby mode).
  • Page 346: Understanding Dhcp Features

    This chapter describes how to configure DHCP snooping and the option-82 data insertion features on the Cisco ME 3400 Ethernet Access switch. It also describes how to configure the IP source guard feature, which is supported on switches running the metro access and metro IP access images.
  • Page 347: Chapter 18 Configuring Dhcp Features And Ip Source Guard

    If the DHCP server cannot give the DHCP client the requested configuration parameters from its database, it can forward the request to one or more secondary DHCP servers defined by the network administrator. The Cisco ME switch cannot be a DHCP server.
    DHCP Relay Agent
    A DHCP relay agent is a Layer 3 device that forwards DHCP packets between clients and servers.
  • Page 348: Option-82 Data Insertion

    The DHCP security features, such as dynamic ARP inspection or IP source guard on a Cisco ME 3400 switch running the metro access or metro IP access image, can still be enabled on the aggregation switch while the switch receives packets with option-82 information on ingress untrusted interfaces to which hosts are connected.
  • Page 349
      – Length of the circuit ID type
    • Remote ID suboption fields
      – Suboption type
      – Length of the suboption type
      – Remote ID type
      – Length of the circuit ID type
  • Page 350: Dhcp Snooping Binding Database

    If the file is not updated in a specified time (set by the write-delay and abort-timeout values), the update stops.
  • Page 351: Configuring Dhcp Features

    • Enabling DHCP Snooping and Option 82, page 18-10
    • Enabling DHCP Snooping on Private VLANs, page 18-11
    • Enabling the DHCP Snooping Binding Database Agent, page 18-12
  • Page 352: Default Dhcp Configuration

    DHCP server and the DHCP relay agent are configured and enabled.
    • When you globally enable DHCP snooping on the switch, these Cisco IOS commands are not available until snooping is disabled. If you enter these commands, the switch returns an error message, and the configuration is not applied.
  • Page 353: Configuring The Dhcp Relay Agent

    (Optional) Save your entries in the configuration file. To disable the DHCP relay agent, use the no service dhcp global configuration command. See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2 for these procedures:
    • Checking (validating) the relay agent information...
  • Page 354: Specifying The Packet Forwarding Address

    Step 12: copy running-config startup-config. (Optional) Save your entries in the configuration file.
    To remove the DHCP packet forwarding address, use the no ip helper-address address interface configuration command.
  • Page 355: Enabling Dhcp Snooping And Option 82

    The default is to verify that the source MAC address matches the client hardware address in the packet.
    Step 12: Return to privileged EXEC mode.
  • Page 356: Enabling Dhcp Snooping On Private Vlans

    200. DHCP Snooping configuration on secondary vlan is derived from its primary vlan. The show ip dhcp snooping privileged EXEC command output shows all VLANs, including primary and secondary private VLANs, on which DHCP snooping is enabled.
  • Page 357: Enabling The Dhcp Snooping Binding Database Agent

    To delete binding entries from the DHCP snooping binding database, use the no ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id privileged EXEC command. Enter this command for each entry that you delete.
  • Page 358: Displaying Dhcp Snooping Information

    IP source guard with source IP address filtering or with source IP and MAC address filtering. These sections contain this information:
    • Source IP Address Filtering, page 18-14
    • Source IP and MAC Address Filtering, page 18-14
  • Page 359: Source Ip Address Filtering

    • Default IP Source Guard Configuration, page 18-14
    • IP Source Guard Configuration Guidelines, page 18-15
    • Enabling IP Source Guard, page 18-15
    Default IP Source Guard Configuration
    By default, IP source guard is disabled.
  • Page 360: Ip Source Guard Configuration Guidelines

    Step 4: ip verify source. Enable IP source guard with source IP address filtering.
    ip verify source port-security. Enable IP source guard with source IP and MAC address filtering.
  • Page 361: Displaying Ip Source Guard Information

    Commands for Displaying IP Source Guard Information
    Command                  Purpose
    show ip source binding   Display the IP source bindings on a switch.
    show ip verify source    Display the IP source guard configuration on the switch.
  • Page 362: Chapter 19 Configuring Dynamic Arp Inspection

    This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Cisco ME 3400 switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN.
  • Page 363 “Configuring ARP ACLs for Non-DHCP Environments” section on page 19-8. The switch logs dropped packets. For more information about the log buffer, see the “Logging of Dropped Packets” section on page 19-4.
  • Page 364: Interface Trust States And Network Security

    Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running dynamic ARP inspection.
  • Page 365: Rate Limiting Of Arp Packets

    After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
  • Page 366: Default Dynamic Arp Inspection Configuration

    The number of entries in the log is 32. The number of system messages is limited to 5 per second. The logging-rate interval is 1 second.
    Per-VLAN logging: All denied or dropped ARP packets are logged.
  • Page 367: Dynamic Arp Inspection Configuration Guidelines

    A high rate-limit on one VLAN can cause a denial-of-service attack to other VLANs when the software places the port in the error-disabled state.
  • Page 368: Configuring Dynamic Arp Inspection In Dhcp Environments

    For more information, see the “Configuring the Log Buffer” section on page 19-13.
  • Page 369: Configuring Arp Acls For Non-Dhcp Environments

    By default, no ARP access lists are defined. Note: At the end of the ARP access list, there is an implicit deny ip any mac any command.
  • Page 370 Specify the Switch A interface that is connected to Switch B, and enter interface configuration mode.
    Step 7: no shutdown. Enable the port, if necessary. By default, UNIs are disabled, and NNIs are enabled.
  • Page 371: Limiting The Rate Of Incoming Arp Packets

    If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.
  • Page 372 To return to the default rate-limit configuration, use the no ip arp inspection limit interface configuration command. To disable error recovery for dynamic ARP inspection, use the no errdisable recovery cause arp-inspection global configuration command.
  • Page 373: Performing Validation Checks

    To disable checking, use the no ip arp inspection validate [src-mac] [dst-mac] [ip] global configuration command. To display statistics for forwarded, dropped, and MAC and IP validation failure packets, use the show ip arp inspection statistics privileged EXEC command.
  • Page 374: Configuring The Log Buffer

    The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds.
  • Page 375: Displaying Dynamic Arp Inspection Information

    ARP inspection for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with dynamic ARP inspection enabled (active). Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 19-14 78-17058-01...
  • Page 376 Displays the configuration and contents of the dynamic ARP inspection log buffer. For more information about these commands, see the command reference for this release.
  • Page 378: Understanding IGMP Snooping

    For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the “IP Multicast Routing Commands” section in the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2.
  • Page 379: Chapter 20 Configuring IGMP Snooping And MVR

    BISS constrains the flooding of multicast traffic when your network includes IGMPv3 hosts. It constrains traffic to approximately the same set of ports as the IGMP snooping feature on IGMPv2 or IGMPv1 hosts.
  • Page 380: Joining A Multicast Group

    (IGMP join message) to the group. The switch CPU uses the information in the IGMP report to set up a forwarding-table entry, as shown in Table 20-1, that includes the port numbers connected to Host 1 and the router.
  • Page 381

    • Snooping on IGMP queries and Protocol Independent Multicast (PIM) packets
    • Statically connecting to a multicast router port with the ip igmp snooping mrouter global configuration command
  • Page 382: Leaving A Multicast Group

    100 to 5000 milliseconds. The timer can be set either globally or on a per-VLAN basis. The VLAN configuration of the leave time overrides the global configuration. For configuration steps, see the “Configuring the IGMP Leave Timer” section on page 20-10.
  • Page 383: IGMP Report Suppression

    IGMP snooping configuration.

    Table 20-3 Default IGMP Snooping Configuration

    Feature                                       Default Setting
    IGMP snooping                                 Enabled globally and per VLAN
    Multicast routers                             None configured
    Multicast router learning (snooping) method   ...
  • Page 384: Enabling Or Disabling IGMP Snooping

    (Optional) Save your entries in the configuration file. To disable IGMP snooping on a VLAN interface, use the no ip igmp snooping vlan vlan-id global configuration command for the specified VLAN number.
  • Page 385: Configuring A Multicast Router Port

    Configuring a Host Statically to Join a Group

    Hosts or Layer 2 ports normally join multicast groups dynamically, but you can also statically configure a host on an interface.
  • Page 386: Enabling IGMP Immediate Leave

    Verify that Immediate Leave is enabled on the VLAN interface. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 387: Configuring The IGMP Leave Timer

    IGMP leave timer to the default setting. Use the no ip igmp snooping vlan vlan-id last-member-query-interval global configuration command to remove the configured IGMP leave-time setting from the specified VLAN.
  • Page 388: Configuring TCN-Related Commands

    TCN event. Leaves are always sent if the switch is the spanning-tree root regardless of this configuration command. By default, query solicitation is disabled.
  • Page 389: Disabling Multicast Flooding During A TCN Event

    Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To re-enable multicast flooding on an interface, use the ip igmp snooping tcn flood interface configuration command.
  • Page 390: Configuring The IGMP Snooping Querier

    (Optional) Verify that the IGMP snooping querier is enabled on the VLAN interface. The VLAN ID range is 1 to 1001 and 1006 to 4094. Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 391: Disabling IGMP Report Suppression

    Verify that IGMP report suppression is disabled. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To re-enable IGMP report suppression, use the ip igmp snooping report-suppression global configuration command.
  • Page 392: Displaying IGMP Snooping Information

    Display information about the IP address and incoming port of the most-recently received IGMP query message in the VLAN, and the configuration and operational state of the IGMP snooping querier in the VLAN.
  • Page 393: Understanding Multicast VLAN Registration

    IGMP report to Switch A to join the appropriate multicast. If the IGMP report matches one of the configured IP multicast group addresses, the switch CPU modifies the hardware address table to include...
  • Page 394 With Immediate Leave, an IGMP query is not sent from the receiver port on which the...
  • Page 395: Configuring MVR

    None configured
    Query response time            0.5 second
    Multicast VLAN                 VLAN 1
    Mode                           Compatible
    Interface (per port) default   Neither a receiver nor a source port
    Immediate Leave                Disabled on all ports
  • Page 396: MVR Configuration Guidelines And Limitations

    1 to 256; the default is 1). Any multicast data sent to this address is sent to all source ports on the switch and all receiver ports that have elected to receive data on that multicast address. Each multicast address would correspond to one television channel.
  • Page 397: Configuring MVR Interfaces

    Specify the Layer 2 port to configure, and enter interface configuration mode. Step 4 no shutdown Enable the port, if necessary. By default, UNIs are disabled, and NNIs are enabled.
  • Page 398

    Switch(config-if)# mvr type receiver
    Switch(config-if)# mvr vlan 22 group 228.1.23.4
    Switch(config-if)# mvr immediate
    Switch(config)# end
    Switch# show mvr interface
    Port    Type       Status        Immediate Leave
    ----    ----       -------       ---------------
    Gi0/2   RECEIVER   ACTIVE/DOWN   ENABLED
  • Page 399: Displaying MVR Information

    It does not control general IGMP queries. IGMP filtering has no relationship with the function that directs the forwarding of IP multicast traffic. The filtering feature operates in the same manner whether IGMP or MVR is used to forward the multicast traffic.
  • Page 400: Default IGMP Filtering And Throttling Configuration

    • deny: Specifies that matching addresses are denied; this is the default.
    • exit: Exits from igmp-profile configuration mode.
    • no: Negates a command or returns to its defaults.
  • Page 401

    Switch(config)# ip igmp profile 4
    Switch(config-igmp-profile)# permit
    Switch(config-igmp-profile)# range 229.9.9.0
    Switch(config-igmp-profile)# end
    Switch# show ip igmp profile 4
    IGMP Profile 4
        permit
        range 229.9.9.0 229.9.9.0
  • Page 402: Applying IGMP Profiles

    SVIs. You also can use this command on a logical EtherChannel interface but cannot use it on ports that belong to an EtherChannel port group.
  • Page 403: Configuring The IGMP Throttling Action

    If you configure the throttling action as replace, the entries that were previously in the forwarding table are removed. When the maximum number of entries is in the forwarding table, the switch replaces a randomly selected entry with the received IGMP report.
  • Page 404

    IGMP group to the forwarding table when the maximum number of entries is in the table.

    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# ip igmp max-groups action replace
    Switch(config-if)# end
  • Page 405: Displaying IGMP Filtering And Throttling Configuration

    Displays the configuration of the specified interface or the configuration of all interfaces on the switch, including (if configured) the maximum number of IGMP groups to which an interface can belong and the IGMP profile applied to the interface.
  • Page 406: Configuring Storm Control

    CHAPTER Configuring Port-Based Traffic Control

    This chapter describes how to configure the port-based traffic control features on the Cisco ME 3400 Ethernet Access switch.

    Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
  • Page 407 When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked. However, the switch does not differentiate between routing updates, such as OSPF, and regular multicast data traffic, so both types of traffic are blocked.
  • Page 408: Chapter 21 Configuring Port-Based Traffic Control

    Specify the interface to be configured, and enter interface configuration mode. Step 3 no shutdown Enable the port, if necessary. By default, user network interfaces (UNIs) are disabled, and network node interfaces (NNIs) are enabled.
  • Page 409 If you do not enter a traffic type, broadcast storm control settings are displayed. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 410: Configuring Protected Ports

    • Default Protected Port Configuration, page 21-5
    • Protected Port Configuration Guidelines, page 21-6
    • Configuring a Protected Port, page 21-6

    Default Protected Port Configuration

    The default is to have no protected ports defined.
  • Page 411: Protected Port Configuration Guidelines

    Switch(config)# interface fastethernet 0/1
    Switch(config-if)# port-type NNI
    Switch(config-if)# no shutdown
    Switch(config-if)# switchport protected
    Switch(config-if)# end

    Note: There can only be four NNIs on the Cisco ME switch at the same time.
  • Page 412: Configuring Port Blocking

    To return the interface to the default condition where no traffic is blocked and normal forwarding occurs on the port, use the no switchport block {multicast | unicast} interface configuration commands.
  • Page 413: Configuring Port Security

    • Static secure MAC addresses—These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
  • Page 414: Security Violations

    In this mode, you are notified that a security violation has occurred. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
  • Page 415: Default Port Security Configuration

    • A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
    • A secure port cannot belong to a Fast EtherChannel or a Gigabit EtherChannel port group.
    • A secure port cannot be a private-VLAN port.
  • Page 416: Enabling And Configuring Port Security

    Set the interface switchport mode as access or trunk; an interface in the default mode (dynamic auto) cannot be configured as a secure port. Step 5 switchport port-security Enable port security on the interface.
  • Page 418 VLAN as an access VLAN. Step 11 Return to privileged EXEC mode. Step 12 show port-security Verify your entries. Step 13 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 419

    This example shows how to configure a static secure MAC address on VLAN 3 on a port:

    Switch(config)# interface gigabitethernet0/2
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# switchport port-security
    Switch(config-if)# switchport port-security mac-address 0000.0200.0004 vlan 3
  • Page 420: Enabling And Configuring Port Security Aging

    Specify the interface to be configured, and enter interface configuration mode. Step 3 no shutdown Enable the port, if necessary. By default, UNIs are disabled, and NNIs are enabled.
  • Page 421

    Switch(config-if)# switchport port-security aging time 2
    Switch(config-if)# switchport port-security aging type inactivity
    Switch(config-if)# switchport port-security aging static

    You can verify the previous commands by entering the show port-security interface interface-id privileged EXEC command.
  • Page 422: Displaying Port-Based Traffic Control Settings

    Displays the number of secure MAC addresses configured per VLAN on the specified interface.
  • Page 424: Chapter 22 Configuring CDP

    Understanding CDP

    CDP is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches) and allows network management applications to discover Cisco devices that are neighbors of already known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols.
  • Page 425: Configuring CDP

    The range is 10 to 255 seconds; the default is 180 seconds. Step 4 cdp advertise-v2 (Optional) Configure CDP to send Version-2 advertisements. This is the default state. Step 5 Return to privileged EXEC mode.
  • Page 426: Disabling And Enabling CDP

    CDP is enabled by default on NNIs. Note Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages with connected devices. Disabling CDP can interrupt device connectivity. Beginning in privileged EXEC mode, follow these steps to disable the CDP device discovery capability:...
  • Page 427: Disabling And Enabling CDP On An Interface

    (Optional) Save your entries in the configuration file. This example shows how to enable CDP on a port when it has been disabled.

    Switch# configure terminal
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# cdp enable
    Switch(config-if)# end
  • Page 428: Monitoring And Maintaining CDP

    You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information. show cdp traffic Display CDP counters, including the number of packets sent and received and checksum errors.
  • Page 430: Chapter 23 Configuring UDLD

    A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device.
  • Page 431: Methods To Detect Unidirectional Links

    UDLD sends at least one message to inform the neighbors to flush the part of their caches affected by the status change. The message is intended to keep the caches synchronized.
  • Page 432 If UDLD is in normal mode, the logical link is considered undetermined, and UDLD does not disable the interface.
  • Page 433: Configuring UDLD

    • A UDLD-capable port cannot detect a unidirectional link if it is connected to a UDLD-incapable port of another switch.
    • When configuring the mode (normal or aggressive), make sure that the same mode is configured on both sides of the link.
  • Page 434: Enabling UDLD Globally

    Specify the port to be enabled for UDLD, and enter interface configuration mode. Step 3 no shutdown Enable the port, if necessary. By default, UNIs are disabled, and NNIs are enabled.
  • Page 435: Resetting An Interface Disabled By UDLD

    To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
  • Page 436: Chapter 24 Configuring SPAN And RSPAN

    You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.
  • Page 437: Local SPAN

    VLAN to a destination session monitoring the RSPAN VLAN. Each RSPAN source switch must have either ports or VLANs as RSPAN sources. The destination is always a physical port, as shown on Switch C in the figure.
  • Page 438: SPAN And RSPAN Concepts And Terminology

    RSPAN VLAN. To configure an RSPAN destination session on another device, you associate the destination port with the RSPAN VLAN. The destination session collects all RSPAN VLAN traffic and sends it out the RSPAN destination port.
  • Page 439: Monitored Traffic

    SPAN; the destination port receives a copy of the packet even if the actual incoming packet is dropped. These features include IP standard and extended input access control lists (ACLs), ingress QoS policing, VLAN ACLs and egress QoS policing.
  • Page 440: Source Ports

    The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), and Port Aggregation Protocol (PAgP).
  • Page 441: Source VLANs

    • SPAN traffic coming from other port types is not affected by VLAN filtering; that is, all VLANs are allowed on other ports.
    • VLAN filtering affects only traffic forwarded to the destination SPAN port and does not affect the switching of normal traffic.
  • Page 442: Destination Port

    • For RSPAN, the original VLAN ID is lost because it is overwritten by the RSPAN VLAN identification. Therefore, all packets appear on the destination port as untagged.
  • Page 443: RSPAN VLAN

    SPAN destination configuration. Changes in VLAN membership or trunk settings for a source port immediately take effect, and the respective SPAN sessions automatically adjust accordingly.
  • Page 444: Configuring SPAN And RSPAN

    Configuring SPAN and RSPAN

    These sections contain this configuration information:
    • Default SPAN and RSPAN Configuration, page 24-10
    • Configuring Local SPAN, page 24-10
    • Configuring RSPAN, page 24-16
  • Page 445: Default SPAN And RSPAN Configuration

    • You can configure a disabled port to be a source or destination port, but the SPAN function does not start until the destination port and at least one source port or source VLAN are enabled.
  • Page 446

    This is the default.
    • rx—Monitor received traffic.
    • tx—Monitor sent traffic.

    Note: You can use the monitor session session_number source command multiple times to configure multiple source ports.
  • Page 447

    Switch(config)# end

    This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional monitoring:

    Switch(config)# no monitor session 1 source interface gigabitethernet0/1 rx
  • Page 448 Beginning in privileged EXEC mode, follow these steps to create a SPAN session, to specify the source ports or VLANs and the destination ports, and to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). See the “Creating a Local SPAN Session”...
  • Page 449

    IEEE 802.1Q encapsulation and VLAN 6 as the default ingress VLAN.

    Switch(config)# no monitor session 2
    Switch(config)# monitor session 2 source interface gigabitethernet0/1 rx
    Switch(config)# monitor session 2 destination interface gigabitethernet0/2 encapsulation replicate ingress dot1q vlan 6
    Switch(config)# end
  • Page 450: Specifying VLANs To Filter

    (Optional) Save the configuration in the configuration file. To monitor all VLANs on the trunk port, use the no monitor session session_number filter global configuration command.
  • Page 451: Configuring RSPAN

    • MAC address learning is not disabled on the RSPAN VLAN.
    • We recommend that you configure an RSPAN VLAN before you configure an RSPAN source or a destination session.
  • Page 452: Creating An RSPAN Source Session

    For session_number, the range is 1 to 66. Specify all to remove all RSPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.
  • Page 453

    Switch(config)# monitor session 1 source interface gigabitethernet0/1 tx
    Switch(config)# monitor session 1 source interface gigabitethernet0/2 rx
    Switch(config)# monitor session 1 source interface port-channel 12
    Switch(config)# monitor session 1 destination remote vlan 901
    Switch(config)# end
  • Page 454: Creating An RSPAN Destination Session

    To remove a destination port from the SPAN session, use the no monitor session session_number destination interface interface-id global configuration command. To remove the RSPAN VLAN from the session, use the no monitor session session_number source remote vlan vlan-id.
  • Page 455: Creating An RSPAN Destination Session And Configuring Ingress Traffic

    Beginning in privileged EXEC mode, follow these steps to create an RSPAN destination session, to specify the source RSPAN VLAN and the destination port, and to enable ingress traffic on the destination port for a network security device (such as a Cisco IDS Sensor Appliance). Note For details about the keywords not related to ingress traffic, see the “Creating an RSPAN Destination...
  • Page 456: Specifying VLANs To Filter

    (Optional) Use a comma (,) to specify a series of VLANs or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.
  • Page 457: Displaying SPAN And RSPAN Status

    To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
  • Page 458: Chapter 25 Configuring RMON

    CHAPTER Configuring RMON

    This chapter describes how to configure Remote Network Monitoring (RMON) on the Cisco ME 3400 Ethernet Access switch. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes.
  • Page 459: Configuring RMON

    • Configuring RMON Alarms and Events, page 25-3 (required)
    • Collecting Group History Statistics on an Interface, page 25-5 (optional)
    • Collecting Group Ethernet Statistics on an Interface, page 25-6 (optional)
  • Page 460: Default RMON Configuration

    • (Optional) For event-number, specify the event number to trigger when the rising or falling threshold exceeds its limit.
    • (Optional) For owner string, specify the owner of the alarm.
  • Page 461

    This example also generates an SNMP trap when the event is triggered.

    Switch(config)# rmon event 1 log trap eventtrap description "High ifOutErrors" owner jjones
  • Page 462: Collecting Group History Statistics On An Interface

    Display the contents of the switch history table. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable history collection, use the no rmon collection history index interface configuration command.
  • Page 463: Collecting Group Ethernet Statistics On An Interface

    Displays the RMON statistics table. For information about the fields in these displays, see the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 464: Chapter 26 Configuring System Message Logging

    This chapter describes how to configure system message logging on the Cisco ME 3400 Ethernet Access switch. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. This chapter consists of these sections: •...
  • Page 465: Configuring System Message Logging

    Table 26-4 on page 26-11. severity Single-digit code from 0 to 7 that is the severity of the message. For a description of the severity levels, see Table 26-3 on page 26-9.
  • Page 466: Default System Message Logging Configuration

    Message logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.
  • Page 467: Setting The Message Display Destination Device

    EXEC command to view the free processor memory on the switch. However, this value is the maximum available, and the buffer size should not be set to this amount.
  • Page 468: Synchronizing Log Messages

    Unsolicited messages and debug command output appear on the console after the prompt for user input...
  • Page 469 (Optional) Save your entries in the configuration file. To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.
  • Page 470: Enabling And Disabling Time Stamps On Log Messages

    Enable sequence numbers. Step 3 Return to privileged EXEC mode. Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 471: Defining The Message Severity Level

    To disable logging to syslog servers, use the no logging trap global configuration command.
  • Page 472: Limiting Syslog Messages Sent To The History Table And To Snmp

    Change the default level of syslog messages stored in the history file and sent to the SNMP server. See Table 26-3 on page 26-9 for a list of level keywords. By default, warnings, errors, critical, alerts, and emergencies messages are sent.
  • Page 473: Configuring Unix Syslog Servers

    Step 2  Create the log file by entering these commands at the UNIX shell prompt:
        $ touch /var/log/cisco.log
        $ chmod 666 /var/log/cisco.log
  • Page 474: Configuring The Unix System Logging Facility

    UNIX operating system.
    Table 26-4 Logging Facility-Type Keywords
    Facility Type Keyword   Description
    auth                    Authorization system
    cron                    Cron facility
    daemon                  System daemon
    kern                    Kernel
    local0-7                Locally defined messages
                            Line printer system
  • Page 475: Displaying The Logging Configuration

    To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
  • Page 476: Understanding SNMP

    Cisco ME 3400 Ethernet Access switch.
    Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
    This chapter consists of these sections:
    • Understanding SNMP, page 27-1
    ...
  • Page 477: Chapter 27 Configuring SNMP

    A combination of the security level and the security model determines which security mechanism is used when handling an SNMP packet. Available security models are SNMPv1, SNMPv2C, and SNMPv3.
  • Page 478: SNMP Manager Functions

    1. With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table.
    2. The get-bulk command only works with SNMPv2 or later.
  • Page 479: SNMP Agent Functions

    [Figure: SNMP Network. Labels: SNMP Manager; SNMP Agent (network device); Get-request, Get-next-request, Get-bulk, Set-request; Get-response, traps]
    For information on supported MIBs and how to access them, see Appendix A, “Supported MIBs.”
  • Page 480: SNMP Notifications

    Physical (such as Gigabit Ethernet or SFP-module interfaces)    10000–14500
    Null                                                            14501
    1. SVI = switch virtual interface
    2. SFP = small form-factor pluggable
    Note: The switch might not use sequential values within a range.
  • Page 481: Configuring SNMP

    An SNMP group is a table that maps SNMP users to SNMP views. An SNMP user is a member of an SNMP group. An SNMP host is the recipient of an SNMP trap operation. An SNMP engine ID is a name for the local or remote SNMP engine.
  • Page 482: Disabling The SNMP Agent

    The no snmp-server global configuration command disables all running versions (Version 1, Version 2C, and Version 3) on the device. No specific Cisco IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP.
  • Page 483: Configuring Community Strings

    Recall that the access list is always terminated by an implicit deny statement for everything.
    Step 4  Return to privileged EXEC mode.
  • Page 484: Configuring SNMP Groups And Users

    • If you select remote, specify the ip-address of the device that contains the remote copy of SNMP and the optional User Datagram Protocol (UDP) port to use for storing data on the remote device. The default is 162.
  • Page 485 64 characters) that is the name of the view in which you specify a notify, inform, or trap.
    • (Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.
  • Page 486: Configuring SNMP Notifications

    A trap manager is a management station that receives and processes traps. Traps are system alerts that the switch generates when certain events occur. By default, no trap manager is defined, and no traps are sent. Switches running this Cisco IOS release can have an unlimited number of trap managers.
    Note: Many commands use the word traps in the command syntax.
  • Page 487 Generates a trap for Open Shortest Path First (OSPF) changes. You can enable any or all of these traps: Cisco specific, errors, link-state advertisement, rate limit, retransmit, and state changes. Generates a trap for Protocol-Independent Multicast (PIM) changes. You can enable any or all of these traps: invalid PIM messages, neighbor changes, and rendezvous point (RP)-mapping changes.
  • Page 488 When version 3 is specified, enter the SNMPv3 username.
    • (Optional) For notification-type, use the keywords listed in Table 27-5 on page 27-12. If no type is specified, all notifications are sent.
  • Page 489: Setting The Agent Contact And Location Information

    Building 3/Room 222
    Step 4                                      Return to privileged EXEC mode.
    Step 5  show running-config                 Verify your entries.
    Step 6  copy running-config startup-config  (Optional) Save your entries in the configuration file.
  • Page 490: Limiting TFTP Servers Used Through SNMP

        Switch(config)# snmp-server community public
        Switch(config)# snmp-server enable traps mac-notification
        Switch(config)# snmp-server host 192.180.1.27 version 2c public
        Switch(config)# snmp-server host 192.180.1.111 version 1 public
        Switch(config)# snmp-server host 192.180.1.33 public
  • Page 491: Displaying SNMP Status

        Switch(config)# snmp-server enable traps entity
        Switch(config)# snmp-server host cisco.com restricted entity
    This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community string public:
        Switch(config)# snmp-server enable traps
        Switch(config)# snmp-server host myhost.cisco.com public
    ...
  • Page 492: Chapter 28 Configuring Network Security With ACLs

    This chapter describes how to configure network security on the Cisco ME 3400 Ethernet Access switch by using access control lists (ACLs), which are also referred to in commands and tables as access lists.
  • Page 493: Supported ACLs

    ACL is applied are filtered by the port ACL. Outgoing routed IPv4 packets are filtered by the router ACL. Other packets are not filtered.
  • Page 494: Port ACLs

    Layer 2 input would allow Host A to access the Human Resources network, but prevent Host B from accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the inbound direction.
  • Page 495: Router ACLs

    • Standard IP access lists use source addresses for matching operations.
    • Extended IP access lists use source and destination addresses and optional protocol type information for matching operations.
  • Page 496: VLAN Maps

    Layer 4 information, such as TCP or UDP port numbers, ICMP type and code, and so on. All other fragments are missing this information.
  • Page 497: Configuring IPv4 ACLs

    ACEs were checking different hosts.
    Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The process is briefly described here. For more detailed information on configuring ACLs, see the “Configuring IP Services”...
  • Page 498: Creating Standard And Extended IPv4 ACLs

    The switch does not support these Cisco IOS router ACL-related features:
    • Non-IP protocol ACLs (see Table 28-1 on page 28-8) or bridge-group ACLs
    • IP accounting
    • Inbound and outbound rate limiting (except with QoS ACLs)
    • Reflexive ACLs or dynamic ACLs
    ...
  • Page 499: IPv4 Access List Numbers

    Because routing is done in hardware and logging is done in software, if a large number of packets match a permit or deny ACE containing a log keyword, the software might not be able to match the hardware processing rate, and not all packets will be logged.
  • Page 500: Creating A Numbered Standard ACL

    With standard access lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be the mask.
  • Page 501: Creating A Numbered Extended ACL

    For more details on the specific keywords for each protocol, see these command references:
    • Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2
    • Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2
    ...
  • Page 502 DSCP value specified by a number from 0 to 63, or use the question mark (?) to see a list of available values.
  • Page 503 TCP port. To see TCP port names, use the ? or see the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2. Use only TCP port numbers or names when filtering TCP.
  • Page 504 ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or see the “Configuring IP Services” section of the Cisco IOS IP Configuration Guide, Release 12.2.
    Step 2e  access-list access-list-number  (Optional) Define an extended IGMP access list and the access conditions....
  • Page 505: Resequencing ACEs In An ACL

    Define a standard IPv4 access list using a name, and enter access-list configuration mode.
    Note: The name can be a number from 1 to 99.
  • Page 506 After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACL entries to a specific ACL. However, you can use no permit and no deny access-list configuration mode commands to remove entries from a named ACL.
  • Page 507: Using Time Ranges With ACLs

    Assign a meaningful name (for example, workhours) to the time range to be created, and enter time-range configuration mode. The name cannot contain a space or quotation mark and must begin with a letter.
  • Page 508
        Switch(config)# access-list 188 permit tcp any any time-range workhours
        Switch(config)# end
        Switch# show access-lists
        Extended IP access list 188
            10 deny tcp any any time-range new_year_day_2006 (inactive)
            20 permit tcp any any time-range workhours (inactive)
  • Page 509: Including Comments In ACLs

    For procedures for applying ACLs to interfaces, see the “Applying an IPv4 ACL to an Interface” section on page 28-19. For applying ACLs to VLANs, see the “Configuring VLAN Maps” section on page 28-29.
  • Page 510: Applying An IPv4 ACL To An Interface

    These access-group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable message.
  • Page 511 When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits all packets. Remember this behavior if you use undefined ACLs for network security.
  • Page 512: Hardware And Software Treatment Of IP ACLs

    This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2 and the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
  • Page 513
        Switch(config)# access-list 106 permit ip any 172.20.128.64 0.0.0.31
        Switch(config)# end
        Switch# show access-lists
        Extended IP access list 106
            10 permit ip any 172.20.128.64 0.0.0.31
        Switch(config)# interface gigabitethernet0/1
        Switch(config-if)# ip access-group 106 in
  • Page 514: Numbered ACLs

    This example creates a standard ACL named internet_filter and an extended ACL named marketing_group. The internet_filter ACL allows all traffic from the source address 1.2.3.4.
        Switch(config)# ip access-list standard internet_filter
        Switch(config-std-nacl)# permit 1.2.3.4
        Switch(config-std-nacl)# exit
  • Page 515: Time Range Applied To An IP ACL

        Switch(config)# access-list 100 deny tcp host 171.69.3.85 any eq www
        Switch(config)# access-list 100 remark Do not allow Smith to browse the web
        Switch(config)# access-list 100 deny tcp host 171.69.3.13 any eq www
  • Page 516: ACL Logging

    0.0.0.255 and denies all UDP packets.
        Switch(config)# ip access-list extended ext1
        Switch(config-ext-nacl)# permit icmp any 10.1.1.0 0.0.0.255 log
        Switch(config-ext-nacl)# deny udp any any log
        Switch(config-ext-nacl)# exit
        Switch(config)# interface gigabitethernet0/2
        Switch(config-if)# ip access-group ext1 in
  • Page 517: Creating Named MAC Extended ACLs

    Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:
    Step    Command                        Purpose
    Step 1  configure terminal             Enter global configuration mode.
    Step 2  mac access-list extended name  Define an extended MAC access list using a name.
  • Page 518
        Switch(config-ext-macl)# deny any any decnet-iv
        Switch(config-ext-macl)# permit any any
        Switch(config-ext-macl)# end
        Switch# show access-lists
        Extended MAC access list mac1
            10 deny any any decnet-iv
            20 permit any any
  • Page 519: Applying A MAC ACL To A Layer 2 Interface

    ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets. Remember this behavior if you use undefined ACLs for network security.
  • Page 520: Configuring VLAN Maps

    • VLAN Map Configuration Guidelines, page 28-30
    • Creating a VLAN Map, page 28-31
    • Applying a VLAN Map to a VLAN, page 28-33
    • Using VLAN Maps in Your Network, page 28-34
  • Page 521: VLAN Map Configuration Guidelines

    “Using VLAN Maps in Your Network” section on page 28-34 for configuration examples.
    • For information about using both router ACLs and VLAN maps, see the “VLAN Maps and Router ACL Configuration Guidelines” section on page 28-36.
  • Page 522: Creating A VLAN Map

    IP packet that does not match any of the match clauses.
        Switch(config)# ip access-list extended ip1
        Switch(config-ext-nacl)# permit tcp any any
        Switch(config-ext-nacl)# exit
        Switch(config)# vlan access-map map_1 10
        Switch(config-access-map)# match ip address ip1
        Switch(config-access-map)# action drop
  • Page 523
    • Drop all other non-IP packets
    • Forward all IP packets
        Switch(config)# mac access-list extended good-hosts
        Switch(config-ext-macl)# permit host 000.0c00.0111 any
        Switch(config-ext-macl)# permit host 000.0c00.0211 any
        Switch(config-ext-macl)# exit
  • Page 524: Applying A VLAN Map To A VLAN

    To remove the VLAN map, use the no vlan filter mapname vlan-list list global configuration command.
    This example shows how to apply VLAN map 1 to VLANs 20 through 22:
        Switch(config)# vlan filter map 1 vlan-list 20-22
  • Page 525: Using VLAN Maps In Your Network

    Next, create VLAN access map map2 so that traffic that matches the http access list is dropped and all other IP traffic is forwarded.
        Switch(config)# vlan access-map map2 10
        Switch(config-access-map)# match ip address http
        Switch(config-access-map)# action drop
        Switch(config-access-map)# exit
  • Page 526: Denying Access To A Server On Another VLAN

    Define the IP ACL that will match the correct packets.
        Switch(config)# ip access-list extended SERVER1_ACL
        Switch(config-ext-nacl)# permit ip 10.1.2.0 0.0.0.255 host 10.1.1.100
        Switch(config-ext-nacl)# permit ip host 10.1.1.4 host 10.1.1.100
        Switch(config-ext-nacl)# permit ip host 10.1.1.8 host 10.1.1.100
        Switch(config-ext-nacl)# exit
  • Page 527: Using VLAN Maps With Router ACLs

    If you must configure a router ACL and a VLAN map on the same VLAN, use these guidelines for both router ACL and VLAN map configuration:
    • You can configure only one VLAN map and one router ACL in each direction (input/output) on a VLAN interface.
  • Page 528: Examples Of Router ACLs And VLAN Maps Applied To VLANs

    ACL is applied on packets that are switched within a VLAN. Packets switched within the VLAN without being routed or forwarded are only subject to the VLAN map of the input VLAN.
  • Page 529: ACLs And Routed Packets

    [Figure: Applying ACLs on Routed Packets. Labels: Host A (VLAN 10); Host B (VLAN 20); VLAN 10; Input router; Routing function; Output router; VLAN 20; Frame; Packet]
  • Page 530: ACLs And Multicast Packets

    (numbered or named).
    show ip access-lists [number | name]  Displays the contents of all current IP access lists or a specific IP access list (numbered or named).
  • Page 531 Shows information about all VLAN access-maps or the specified access map.
    show vlan filter [access-map name | vlan vlan-id]  Shows information about all VLAN filters or about a specified VLAN or VLAN access map.
  • Page 532: Chapter 29 Configuring Control-Plane Security

    Monitoring Control-Plane Security, page 29-5
    Understanding Control-Plane Security
    The Cisco ME switch can have no more than four ports configured as network node interfaces (NNIs) that connect to the service-provider network. The switch communicates with the rest of the network through these ports, exchanging protocol control packets as well as regular traffic.
  • Page 533 (BPDUs). – Control packets that are dropped by default but can be enabled or tunneled, such as Cisco Discovery Protocol (CDP), Spanning-Tree Protocol (STP), VLAN Trunking Protocol (VTP), UniDirectional Link Detection (UDLD) protocol, Link Aggregation Control Protocol (LACP), and Port Aggregation Protocol (PAgP) packets.
  • Page 534
        Switch# show platform policer cpu interface fastethernet 0/1
        Policers assigned for CPU protection
        =========================================================
        Feature    Policer Index    Physical Policer
        =========================================================
        Fa0/1
        LACP
        8021X
        RSVD_STP
        PVST_PLUS
        UDLD
        PAGP
        CISCO_L2
        KEEPALIVE
        SWITCH_MAC
        SWITCH_ROUTER_MAC
        SWITCH_IGMP
        SWITCH_L2PT
  • Page 535: Configuring Control-Plane Security

    Step 5  copy running-config startup-config  (Optional) Save your entries in the configuration file.
    To return to the default threshold rate, use the no policer cpu uni global configuration command.
  • Page 536: Monitoring Control-Plane Security

    rate}  Displays CPU policer information for the switch.
    • drop [policer-number]—show the number of dropped frames for all policer numbers or the specified policer number.
    • rate—show the configured threshold rate for CPU policers.
  • Page 537: Monitoring Control-Plane Security

  • Page 538: Chapter 30 Configuring QoS

    This chapter describes how to configure quality of service (QoS) by using the modular QoS command-line interface (CLI), or MQC, commands on the Cisco ME 3400 Ethernet Access switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. When QoS is not configured, the switch offers best-effort service to each packet, regardless of the packet contents or size.
  • Page 539
    • Classification, page 30-5
    • Table Maps, page 30-11
    • Policing, page 30-12
    • Marking, page 30-16
    • Congestion Management and Scheduling, page 30-18
    • Congestion Avoidance and Queuing, page 30-24
  • Page 540: Modular QoS CLI

    To configure more than one match criterion for packets, you can associate multiple traffic classes with a single traffic policy.
  • Page 541: Input And Output Policies

    Input policy maps do not support queuing and scheduling commands, such as bandwidth, queue-limit, priority, and shape average. You can configure a maximum of 32 total classes in an input policy.
  • Page 542: Output Policy Maps

    Layer 3 IP packets can carry either an IP precedence value or a DSCP value. QoS supports the use of either value because DSCP values are backward-compatible with IP precedence values. IP precedence values range from 0 to 7. DSCP values range from 0 to 63.
  • Page 543: Class Maps

    After a packet is matched against the class-map criteria, it is acted on by the associated action specified in a policy map.
  • Page 544: The Match Command

    You can use the match command to classify Layer 2 traffic based on the CoS value, which ranges from 0 to 7.
    Note: A match cos command is supported only on Layer 2 IEEE 802.1Q trunk ports.
  • Page 545: Classification Based On IP Precedence

        Match packets with CS1(precedence 1) dscp (001000)
        Match packets with CS2(precedence 2) dscp (010000)
        Match packets with CS3(precedence 3) dscp (011000)
        Match packets with CS4(precedence 4) dscp (100000)
        Match packets with CS5(precedence 5) dscp (101000)
  • Page 546: Classification Comparisons

    Less than best-effort data—noncritical, bandwidth-intensive data traffic given the least preference. This is the first traffic type to be dropped.
    Level 1 Level 2 Level 3
  • Page 547: Classification Based On QoS ACLs

    You can also use QoS groups to identify traffic entering a particular interface if the traffic must be treated differently at the output based on the input interface.
  • Page 548: Table Maps

    CoS values to a DSCP value of 63.
        Switch(config)# table-map cos-dscp-tablemap
        Switch(config-tablemap)# map from 5 to 46
        Switch(config-tablemap)# map from 6 to 56
        Switch(config-tablemap)# map from 7 to 57
        Switch(config-tablemap)# default 63
        Switch(config-tablemap)# exit
  • Page 549: Policing

    [Figure residue, policing flow. Labels: Receive; Classify; ... to the committed information rate (CIR); Packets that exceed the CIR; Queuing, scheduling, and shaping; Drop. An exceed-action at this point results in dropped or reclassified packets.]
  • Page 550: Individual Policing

    CoS, DSCP, or IP precedence to a value defined in a table map and then send the packet. Table maps list specific traffic attributes and map (or convert) them to other attributes.
  • Page 551: Aggregate Policing

    IP classification, the from-type action in the table map must be either dscp or precedence. If the class map represents a non-IP classification, the from-type action in the table map must be cos.
  • Page 552: Unconditional Priority Policing

    Maps with Class-Based Priority Queuing” section on page 30-48.
    Note: You cannot configure a policer committed burst size for an unconditional priority policer. Any configured burst size is ignored.
  • Page 553: Marking

    If the class map represents a non-IP classification, the from-type action in the table map must be cos. After you create a table map, you configure a policy map to use the table map. See the “Congestion Management and Scheduling” section on page 30-18.
  • Page 554 [Figure: Flow Chart for Marking Traffic. Steps: Start; Create a class map; Using a table map?; Create a table map; Create a policy map; Create additional policy maps?; Attach policy map(s) to interface; Finish]
  • Page 555: Congestion Management And Scheduling

    In this case, you can configure the other traffic classes with bandwidth or shape average, depending on requirements.
  • Page 556: Traffic Shaping

    The switch supports separate queues for three classes of traffic. The fourth queue is always the default queue for class class-default, unclassified traffic.
    Note: In the Cisco ME switch, configuring traffic shaping also automatically sets the minimum bandwidth guarantee or committed information rate (CIR) of the queue to the same value as the PIR.
  • Page 557 This is an example of a parent-child configuration:
        Switch(config)# policy-map parent
        Switch(config-pmap)# class class-default
        Switch(config-pmap-c)# shape average 50000000
        Switch(config-pmap-c)# service-policy child
        Switch(config-pmap-c)# exit
        Switch(config-pmap)# exit
        Switch(config)# interface fastethernet0/1
        Switch(config-if)# service-policy output parent
        Switch(config-if)# exit
  • Page 558: Class-Based Weighted Fair Queuing

        Switch(config)# policy-map out-policy
        Switch(config-pmap)# class outclass1
        Switch(config-pmap-c)# bandwidth 50000
        Switch(config-pmap-c)# exit
        Switch(config-pmap)# class outclass2
        Switch(config-pmap-c)# bandwidth 20000
        Switch(config-pmap-c)# exit
        Switch(config-pmap)# class outclass3
        Switch(config-pmap-c)# bandwidth 10000
        Switch(config-pmap-c)# exit
        Switch(config-pmap)# exit
  • Page 559: Priority Queuing

    Using this combination of commands configures a maximum rate on the priority queue, and you can use the bandwidth and shape average policy-map commands for other classes to allocate traffic rates on other queues.
  • Page 560
        Switch(config-pmap)# class out-class2
        Switch(config-pmap-c)# bandwidth percent 50
        Switch(config-pmap-c)# exit
        Switch(config-pmap)# class out-class3
        Switch(config-pmap-c)# bandwidth percent 20
        Switch(config-pmap-c)# exit
        Switch(config-pmap)# exit
        Switch(config)# interface gigabitethernet 0/1
        Switch(config-if)# service-policy output policy1
        Switch(config-if)# exit
  • Page 561: Congestion Avoidance And Queuing

    You cannot configure queue size by using the queue-limit policy map class command without first configuring a scheduling action (bandwidth, shape average, or priority). For more information, see the “Configuring Output Policy Maps with Class-Based-Weighted-Queuing” section on page 30-44.
  • Page 562 However, there is no limit to the number of qualifiers that you can map to these thresholds. You can configure a third threshold value to set the maximum queue by using the queue-limit command with no qualifiers.
  • Page 563: Configuring QoS

    • Configuring Table Maps, page 30-33
    • Attaching a Traffic Policy to an Interface, page 30-35
    • Configuring Input Policy Maps, page 30-35
    • Configuring Output Policy Maps, page 30-43
  • Page 564: Default QoS Configuration

    These sections describe how to create QoS ACLs:
    • “Creating IP Standard ACLs” section on page 30-28
    • “Creating IP Extended ACLs” section on page 30-29
    • “Creating Layer 2 MAC ACLs” section on page 30-30
  • Page 565: Creating Ip Standard Acls

    Switch(config)# access-list 1 permit 192.5.255.0 0.0.0.255
    Switch(config)# access-list 1 permit 128.88.0.0 0.0.255.255
    Switch(config)# access-list 1 permit 36.0.0.0 0.0.0.255
  • Page 566: Creating Ip Extended Acls

    The name can be a number from 100 to 199. In access-list configuration mode, enter permit protocol {source source-wildcard destination destination-wildcard} [precedence precedence] [tos tos] [dscp dscp] as defined in Step 2.
  • Page 567: Creating Layer 2 Mac Acls

    Step 4   Return to privileged EXEC mode.
    Step 5   show access-lists [access-list-number | access-list-name]   Verify your entries.
    Step 6   copy running-config startup-config   (Optional) Save your entries in the configuration file.
  • Page 568: Using Class Maps To Define A Traffic Class

    • In an output policy map, no two class maps can have the same classification criteria; that is, the same match qualifiers and values.
    • The maximum number of class maps on the switch is 256.
  • Page 569 For qos-group value, specify the QoS group number. The range is 0 to 15. Matching of QoS groups is supported only in output policy maps. Step 4 Return to privileged EXEC mode.
  • Page 570: Configuring Table Maps

    • The switch supports a maximum of 256 unique table maps.
    • The maximum number of map statements within a table map is 64.
    • Table maps cannot be used in output policy maps.
  • Page 571

    Switch(config-tablemap)# map from 3 to 1
    Switch(config-tablemap)# map from 4 to 2
    Switch(config-tablemap)# map from 5 to 2
    Switch(config-tablemap)# map from 6 to 3
    Switch(config-tablemap)# default 4
    Switch(config-tablemap)# end
    Switch# show table-map dscp-to-cos
  • Page 572: Attaching A Traffic Policy To An Interface

    You can add or delete classification criteria, add or delete classes, add or delete actions, or change the parameters of the configured actions (policers, rates, mapping, marking, and so on).
    • You cannot configure hierarchical policy maps as input policy maps.
  • Page 573: Configuring Input Policy Maps With Individual Policing

    Step 3   class class-map-name   Enter a class-map name and enter policy-map class configuration mode. You must have already created the class map by using the class-map global configuration command.
  • Page 574

    Step 11   Return to privileged EXEC mode.
    Step 12   show policy-map [policy-map-name [class class-map-name]]   Verify your entries.
    Step 13   copy running-config startup-config   (Optional) Save your entries in the configuration file.
  • Page 575

    Switch(config-pmap-c)# police cir 23000 bc 10000
    Switch(config-pmap-c-police)# conform-action set-dscp-transmit 48
    Switch(config-pmap-c-police)# conform-action set-cos-transmit 5
    Switch(config-pmap-c-police)# exceed-action drop
    Switch(config-pmap-c-police)# exit
    Switch(config-pmap)# exit
    Switch(config)# interface fastethernet0/1
    Switch(config-if)# service-policy input map1
    Switch(config-if)# exit
  • Page 576: Configuring Input Policy Maps With Aggregate Policing

    If the associated class map represents a non-IP classification, the map from type of action that references the table map must be cos.
  • Page 577 (Optional) Save your entries in the configuration file. After you have created an aggregate policer, you attach it to an ingress port. See the “Attaching a Traffic Policy to an Interface” section on page 30-35.
  • Page 578: Configuring Input Policy Maps With Marking

    Command   Purpose
    Step 1   configure terminal   Enter global configuration mode.
    Step 2   policy-map policy-map-name   Create a policy map by entering the policy map name, and enter policy-map configuration mode.
  • Page 579

    Switch(config-pmap)# class class-default
    Switch(config-pmap-c)# set ip dscp 1
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# class AF31-AF33
    Switch(config-pmap-c)# set ip dscp 3
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# exit
    Switch(config)# interface fastethernet0/1
    Switch(config-if)# service-policy input Example
    Switch(config-if)# exit
  • Page 580: Configuring Output Policy Maps

    If an output policy-map is configured on a port that is set for autonegotiation and the speed autonegotiates to a value that invalidates the policy, the port is put in the error-disabled state.
  • Page 581: Configuring Output Policy Maps With Class-Based-Weighted-Queuing

    Create a policy map by entering the policy map name, and enter policy-map configuration mode.
    Step 3   class class-map-name   Enter a class-map name, and enter policy-map class configuration mode.
  • Page 582

    Switch(config)# policy-map gold_policy
    Switch(config-pmap)# class out_class-1
    Switch(config-pmap-c)# bandwidth percent 25
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# exit
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# service-policy output gold_policy
    Switch(config-if)# exit
  • Page 583: Configuring Output Policy Maps With Class-Based Shaping

    Configuring a queue for traffic shaping sets the maximum bandwidth or peak information rate (PIR) of the queue. In the Cisco ME switch, configuring traffic shaping automatically also sets the minimum bandwidth guarantee or CIR of the queue to the same value as the PIR.
  • Page 584: Configuring Output Policy Maps With Port Shaping

    Step 9   service-policy output policy-map-name   Attach the parent policy map (created in Step 2) to the egress interface.
    Step 10   Return to privileged EXEC mode.
  • Page 585: Configuring Output Policy Maps With Class-Based Priority Queuing

    This command does not guarantee the allocated bandwidth, but does ensure the rate of distribution.
  • Page 586 Use the no form of the appropriate command to delete an existing policy map or class map or to cancel strict priority queuing for the priority class or the bandwidth setting for the other classes.
  • Page 587

    Step 5   priority   Configure this class as the priority class.
    Note: Only one unique class map on the switch can be associated with a priority command.
  • Page 588

    Exit policy-map class configuration mode for the priority class.
    Step 10   class class-map-name   Enter the name of the first nonpriority class, and enter policy-map class configuration mode for that class.
  • Page 589

    Switch(config-pmap)# class out-class2
    Switch(config-pmap-c)# bandwidth percent 50
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# class out-class3
    Switch(config-pmap-c)# bandwidth percent 20
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# exit
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# service-policy output policy1
    Switch(config-if)# exit
  • Page 590: Configuring Output Policy Maps With Weighted Tail Drop

    30-46, the “Configuring Output Policy Maps with Port Shaping” section on page 30-47, or the “Configuring Output Policy Maps with Class-Based Priority Queuing” section on page 30-48.
  • Page 591

    Switch(config-pmap-c)# bandwidth percent 50
    Switch(config-pmap-c)# queue-limit 112
    Switch(config-pmap-c)# queue-limit dscp 30 48
    Switch(config-pmap-c)# queue-limit dscp 10 32
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# exit
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# service-policy output gold-policy
    Switch(config-if)# exit
  • Page 592: Displaying Qos Information

    This count includes the total number of packets that are sent and dropped for that class. You can use the same command to view the per-class tail drop statistics.
  • Page 593: Configuration Examples For Policy Maps

    Configuration Examples for Policy Maps
    This section includes configuration examples for configuring QoS policies on the Cisco ME switch, including configuration limitations and restrictions. The sections are divided by the configuration actions that a customer might perform. Each section provides the exact sequence of steps that you must follow for successful configuration or modification.
  • Page 594

    Switch(config)# policy-map output-g1-2
    Switch(config-pmap)# class gold-out
    Switch(config-pmap-c)# priority
    Switch(config-pmap-c)# police 50000000
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# class silver-out
    Switch(config-pmap-c)# shape average 200000
    Switch(config-pmap-c)# exit
    Switch(config-pmap)# class bronze-out
    Switch(config-pmap-c)# bandwidth percent 10
    Switch(config-pmap-c)# exit
  • Page 595: Qos Configuration For Customer B

    • You must assign an action to each class; that is, there can be no empty class.
    • Each class configuration must be based on the classification/marking done in the input policy-map.
  • Page 596: Modifying Output Policies And Adding Or Deleting Classification Criteria

    Switch(config)# class-map match-any silver-out
    Switch(config-cmap)# match ip dscp af21
    Switch(config-cmap)# match ip dscp cs5
    Switch(config-cmap)# exit

    You should use the same procedure when deleting a match statement associated with a configured class.
  • Page 597: Modifying Output Policies And Changing Queuing Or Scheduling Parameters

    • Shut down all active ports carrying the policy to be modified.
    • Detach the output policy from all ports to which it is attached.
    • Make modifications to the output policy.
  • Page 598: Modifying Output Policies And Adding Or Deleting A Class

    In the initial configuration, Fast Ethernet ports 1 through 12 are UNIs and are active. Fast Ethernet ports 13 through 24 are UNIs and are shut down. Gigabit Ethernet ports 1 and 2 are NNIs and are enabled by default.
  • Page 599

    Switch(config)# interface range fastethernet0/1-8
    Switch(config-if-range)# service-policy output output1-8
    Switch(config-if-range)# exit
    Switch(config)# interface range fastethernet0/9-12
    Switch(config-if-range)# service-policy output output9-12
    Switch(config-if-range)# exit
    Switch(config)# interface range gigabitethernet0/1-2
    Switch(config-if-range)# service-policy output output9-12
    Switch(config-if-range)# exit
  • Page 600 Ethernet port 2 might be reordered if a flow splits across more than one queue. You can avoid this problem by leaving ports in a shut-down state until an output policy is attached.
  • Page 602: Chapter 31 Configuring Etherchannels

    Configuring EtherChannels
    This chapter describes how to configure EtherChannels on Layer 2 and Layer 3 ports on the Cisco ME 3400 Ethernet Access switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.
  • Page 603: Etherchannel Overview

    Layer 3 mode by using the no switchport interface configuration command. For more information, see Chapter 9, “Configuring Interface Characteristics.”
    Note: The switch must be running the metro IP access image to support Layer 3 ports.
  • Page 604: Port-Channel Interfaces

    Note: The switch must be running the metro IP access image to support Layer 3 ports.
    Each EtherChannel has a port-channel logical interface numbered from 1 to 48. This port-channel interface number corresponds to the one specified with the channel-group interface configuration command.
  • Page 605: Port Aggregation Protocol

    EtherChannel, apply the configuration commands to the port-channel interface.
    Port Aggregation Protocol
    The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports.
  • Page 606: Pagp Modes

    PAgP Interaction with Other Features
    Cisco Discovery Protocol (CDP) sends and receives packets over the physical ports in the EtherChannel. Trunk ports send and receive PAgP protocol data units (PDUs) on the lowest numbered VLAN.
  • Page 607: Link Aggregation Control Protocol

    Link Aggregation Control Protocol
    LACP is defined in the IEEE 802.3ad standard and enables Cisco switches to manage Ethernet channels between switches that conform to the standard. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports.
  • Page 608: Etherchannel On Mode

    Therefore, to provide load-balancing, packets from different IP addresses use different ports in the channel, but packets from the same IP address use the same port in the channel.
  • Page 609 Using source addresses or IP addresses might result in better load balancing.
    Figure 31-3 Load Distribution and Forwarding Methods (labels: switch with source-based forwarding enabled, EtherChannel, Cisco router with destination-based forwarding enabled)
  • Page 610: Configuring Etherchannels

    32768.
    LACP system ID   LACP system priority and the switch MAC address.
    Load balancing   Load distribution on the switch is based on the source-MAC address of the incoming packet.
  • Page 611: Etherchannel Configuration Guidelines

    If EtherChannels are configured on switch interfaces, remove the EtherChannel configuration from the interfaces before globally enabling 802.1x on a switch by using the dot1x system-auth-control global configuration command.
  • Page 612: Configuring Layer 2 Etherchannels

    If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094.
  • Page 613

    Verify your entries.
    Step 7   copy running-config startup-config   (Optional) Save your entries in the configuration file.
    To remove a port from the EtherChannel group, use the no channel-group interface configuration command.
  • Page 614: Configuring Layer 3 Etherchannels

    NNIs are enabled.
    Step 4   no switchport   Put the interface into Layer 3 mode.
    Step 5   ip address ip-address mask   Assign an IP address and subnet mask to the EtherChannel.
  • Page 615: Configuring The Physical Interfaces

    PAgP or LACP.
    Step 3   no ip address   Ensure that there is no IP address assigned to the physical port.
    Step 4   no switchport   Put the port into Layer 3 mode.
  • Page 616

    “LACP Modes” section on page 31-6.
    Step 6   Return to privileged EXEC mode.
    Step 7   show running-config   Verify your entries.
    Step 8   copy running-config startup-config   (Optional) Save your entries in the configuration file.
  • Page 617: Configuring Etherchannel Load Balancing

    Step 5   copy running-config startup-config   (Optional) Save your entries in the configuration file.
    To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command.
  • Page 618: Configuring The Pagp Learn Method And Priority

    PAgP interoperability with devices that only support address learning by physical ports. When the link partner to the switch is a physical learner, we recommend that you configure the Cisco ME switch as a physical-port learner by using the pagp learn-method physical-port interface configuration command.
  • Page 619: Configuring Lacp Hot-Standby Ports

    16 ports. Only eight LACP links can be active at one time. The software places any additional links in a hot-standby mode. If one of the active links becomes inactive, a link that is in the hot-standby mode becomes active in its place.
  • Page 620: Configuring The Lacp System Priority

    Step 3   Return to privileged EXEC mode.
    Step 4   show running-config   Verify your entries.
             show lacp sys-id
    Step 5   copy running-config startup-config   (Optional) Save your entries in the configuration file.
  • Page 621: Configuring The Lacp Port Priority

    (Optional) Save your entries in the configuration file. To return the LACP port priority to the default value, use the no lacp port-priority interface configuration command.
  • Page 622: Displaying Etherchannel, Pagp, And Lacp Status

    You can clear LACP channel-group information and traffic counters by using the clear lacp {channel-group-number counters | counters} privileged EXEC command. For detailed information about the fields in the displays, see the command reference for this release.
  • Page 624: Chapter 32 Configuring Ip Unicast Routing

    Configuring IP Unicast Routing
    This chapter describes how to configure IP Version 4 (IPv4) unicast routing on the Cisco ME 3400 Ethernet Access switch.
    Note: Routing is supported only on switches that are running the metro IP access image.
  • Page 625: Understanding Ip Routing

    Distance-vector protocols use one or a series of metrics for calculating the best routes. These protocols are easy to configure and use.
  • Page 626: Steps For Configuring Routing

    Steps for Configuring Routing
    By default, IPv4 routing is disabled on the switch, and you must enable it before routing can take place. For detailed IP routing configuration information, see the Cisco IOS IP Configuration Guide, Release 12.2.
    In the following procedures, the specified interface must be one of these Layer 3 interfaces: ...
  • Page 627: Configuring Ip Addressing

    If a helper address is defined or User Datagram Protocol (UDP) flooding is configured, UDP forwarding is enabled on default ports.
    Any-local-broadcast: Disabled.
    Turbo-flood: Disabled.
    IP helper address   Disabled.
    IP host   Disabled.
  • Page 628: Assigning Ip Addresses To Network Interfaces

    Step 7   show interfaces [interface-id]   Verify your entries.
             show ip interface [interface-id]
             show running-config interface [interface-id]
    Step 8   copy running-config startup-config   (Optional) Save your entries in the configuration file.
  • Page 629: Use Of Subnet Zero

    Figure 32-2 IP Classless Routing
  • Page 630: Configuring Address Resolution Methods

    Ethernet, the software must learn the MAC address of the device. The process of learning the MAC address from an IP address is called address resolution. The process of learning the IP address from the MAC address is called reverse address resolution.
  • Page 631: Define A Static Arp Cache

    RARP requires a RARP server on the same network segment as the router interface. Use the ip rarp-server address interface configuration command to identify the server. For more information on RARP, see the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2.
  • Page 632: Set Arp Encapsulation

    Step 7   copy running-config startup-config   (Optional) Save your entries in the configuration file.
    To disable an encapsulation type, use the no arp arpa or no arp snap interface configuration command.
  • Page 633: Enable Proxy Arp

    Proxy ARP is enabled by default. To enable it after it has been disabled, see the “Enable Proxy ARP” section on page 32-10. Proxy ARP works as long as other routers support it.
  • Page 634: Default Gateway

    Step 3   no shutdown   Enable the interface if necessary. By default, UNIs are disabled and NNIs are enabled.
    Step 4   ip irdp   Enable IRDP processing on the interface.
  • Page 635: Configuring Broadcast Packet Handling

    Note: You can also limit broadcast, unicast, and multicast traffic on Layer 2 interfaces by using the storm-control interface configuration command to set traffic suppression levels. For more information, see Chapter 21, “Configuring Port-Based Traffic Control.”
  • Page 636: Enabling Directed Broadcast-To-Physical Broadcast Translation

    {udp [port] | nd | sdns}
    Specify which protocols and ports the router forwards when forwarding broadcast packets.
    • udp—Forward UDP datagrams.
      port: (Optional) Destination port that controls which UDP services are forwarded.
    • nd—Forward ND datagrams.
    • sdns—Forward SDNS datagrams.
  • Page 637: Forwarding Udp Broadcast Packets And Protocols

    By default, both UDP and ND forwarding are enabled if a helper address has been defined for an interface. The description for the ip forward-protocol interface configuration command in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 lists the ports that are forwarded by default if you do not specify any UDP ports.
  • Page 638: Establishing An Ip Broadcast Address

    Packets that are forwarded to a single network address using the IP helper-address mechanism can be flooded. Only one copy of the packet is sent on each network segment.
  • Page 639

    Verify your entry.
    Step 5   copy running-config startup-config   (Optional) Save your entry in the configuration file.
    To disable this feature, use the no ip forward-protocol turbo-flood global configuration command.
  • Page 640: Monitoring And Maintaining Ip Addressing

    Beginning in privileged EXEC mode, follow these steps to enable IP routing:
    Command   Purpose
    Step 1   configure terminal   Enter global configuration mode.
    Step 2   ip routing   Enable IP routing.
  • Page 641: Configuring Rip

    Protocol (UDP) data packets to exchange routing information. The protocol is documented in RFC 1058. You can find detailed information about RIP in IP Routing Fundamentals, published by Cisco Press. Using RIP, the switch sends routing information updates (advertisements) every 30 seconds. If a router does not receive an update from another router for 180 seconds or more, it marks the routes served by that router as unusable.
  • Page 642: Default Rip Configuration

    Receives RIP Version 1 and 2 packets; sends Version 1 packets.
    Configuring Basic RIP Parameters
    To configure RIP, you enable RIP routing for a network and optionally configure other parameters.
  • Page 643

    If you are sending packets to a lower-speed device, you can add an interpacket delay in the range of 8 to 50 milliseconds.
    Step 12   Return to privileged EXEC mode.
  • Page 644: Configuring Rip Authentication

    This feature usually optimizes communication among multiple routers, especially when links are broken.
  • Page 645

    Switch(config-if)# ip address 10.1.5.1 255.255.255.0
    Switch(config-if)# ip summary-address rip 10.2.0.0 255.255.0.0
    Switch(config-if)# no ip split-horizon
    Switch(config-if)# exit
    Switch(config)# router rip
    Switch(config-router)# network 10.0.0.0
    Switch(config-router)# neighbor 2.2.2.2 peer-group mygroup
    Switch(config-router)# end
  • Page 646: Configuring Split Horizon

    This feature can optimize communication among multiple routers, especially when links are broken.
    Note: In general, Cisco does not recommend disabling split horizon unless you are certain that your application requires it to properly advertise routes.
  • Page 647: Default Ospf Configuration

    The Cisco implementation conforms to the OSPF Version 2 specifications with these key features:
    • Definition of stub areas is supported.
    • Routes learned through any IP routing protocol can be redistributed into another IP routing protocol.
  • Page 648 No area ID or router ID defined. Hello interval: 10 seconds. Retransmit interval: 5 seconds. Transmit delay: 1 second. Dead interval: 40 seconds. Authentication key: no key predefined. Message-digest key (MD5): no key predefined.
  • Page 649: Configuring Basic Ospf Parameters

    Enter interface configuration mode, and specify the Layer 3 interface to configure.
    Step 3   no shutdown   Enable the interface if necessary. By default, UNIs are disabled and NNIs are enabled.
  • Page 650: Configuring Ospf Area Parameters

    (ABR) generates a default external route into the stub area for destinations outside the autonomous system (AS). An NSSA does not flood all LSAs from the core into the area, but can import AS external routes within the area by redistribution.
  • Page 651 (Optional) Save your entries in the configuration file. Use the no form of these commands to remove the configured parameter value or to return to the default value.
  • Page 652: Configuring Other Ospf Parameters

    Enable OSPF routing, and enter router configuration mode.
    Step 3   summary-address address mask   (Optional) Specify an address and IP subnet mask for redistributed routes so that only one summary route is advertised.
  • Page 653: Changing Lsa Group Pacing

    Beginning in privileged EXEC mode, follow these steps to configure OSPF LSA pacing:
    Command   Purpose
    Step 1   configure terminal   Enter global configuration mode.
    Step 2   router ospf process-id   Enable OSPF routing, and enter router configuration mode.
  • Page 654: Configuring A Loopback Interface

    EXEC commands for displaying statistics. For more show ip ospf database privileged EXEC command options and for explanations of fields in the resulting display, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
  • Page 655: Configuring Eigrp

    Display OSPF-related virtual links information.
    Configuring EIGRP
    Enhanced IGRP (EIGRP) is a Cisco proprietary enhanced version of the IGRP. EIGRP uses the same distance vector algorithm and distance information as IGRP; however, the convergence properties and the operating efficiency of EIGRP are significantly improved.
  • Page 656 Neighbor discovery and recovery is achieved with low overhead by periodically sending small hello packets. As long as hello packets are received, the Cisco IOS software can learn that a neighbor is alive and functioning. When this status is determined, the neighboring routers can exchange routing information.
  • Page 657: Default Eigrp Configuration

    None specified.
    Offset-list   Disabled.
    Router EIGRP   Disabled.
    Set metric   No metric set in the route map.
    Traffic-share   Distributed proportionately to the ratios of the metrics.
    Variance   1 (equal-cost load balancing).
  • Page 658: Configuring Basic EIGRP Parameters

    (Optional) Save your entries in the configuration file. Use the no forms of these commands to disable the feature or return the setting to the default value.
  • Page 659: Configuring EIGRP Interfaces

    (Optional) Save your entries in the configuration file. Use the no forms of these commands to disable the feature or return the setting to the default value.
  • Page 660: Configuring EIGRP Route Authentication

    (Optional) Save your entries in the configuration file. Use the no forms of these commands to disable the feature or to return the setting to the default value.
  • Page 661: Monitoring And Maintaining EIGRP

    You can delete neighbors from the neighbor table. You can also display various EIGRP routing statistics. Table 32-8 lists the privileged EXEC commands for deleting neighbors and displaying statistics. For explanations of fields in the resulting display, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. Table 32-8...
  • Page 662 AS-level policy decisions. A router or switch running Cisco IOS does not select or use an IBGP route unless it has a route available to the next-hop router and it has received synchronization from an IGP (unless IGP synchronization is disabled).
  • Page 663: Default BGP Configuration

    Protocols” part of the Cisco IOS IP Configuration Guide, Release 12.2. For details about specific commands, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of BGP commands that are visible but not supported by the switch, see Appendix C, “Unsupported Commands in Cisco IOS Release 12.2(25)EX.”...
  • Page 664 Always compare: Disabled. Does not compare MEDs for paths from neighbors in different autonomous systems. Best path compare: Disabled. MED missing as worst path: Disabled. Deterministic MED comparison is disabled.
  • Page 665: Enabling BGP Routing

    External neighbors are usually adjacent to each other and share a subnet, but internal neighbors can be anywhere in the same AS.
  • Page 666 Return to privileged EXEC mode. Step 11 show ip bgp network network-number Verify the configuration. show ip bgp neighbor Step 12 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 667 EIGRP, which also use the network command to specify where to send updates. For detailed descriptions of BGP configuration, see the “IP Routing Protocols” part of the Cisco IOS IP Configuration Guide, Release 12.2. For details about specific commands, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
  • Page 668: Managing Routing Policy Changes

    BGP sessions so that the configuration changes take effect. There are two types of reset, hard reset and soft reset. Cisco IOS Releases 12.1 and later support a soft reset without any prior configuration. To use a soft reset without preconfiguration, both BGP peers must support the soft route refresh capability, which is advertised in the OPEN message sent when the peers establish a TCP session.
  • Page 669: Configuring BGP Decision Attributes

    Prefer the path with the largest weight (a Cisco proprietary parameter). The weight attribute is local to the router and not propagated in routing updates. By default, the weight attribute is 32768 for paths that the router originates and zero for other paths.
  • Page 670 Step 10 bgp deterministic med (Optional) Configure the switch to consider the MED variable when choosing among routes advertised by different peers in the same AS.
  • Page 671: Configuring BGP Filtering With Route Maps

    (Optional) Save your entries in the configuration file. Use the no route-map map-tag command to delete the route map. Use the no set ip next-hop ip-address command to re-enable next-hop processing.
  • Page 672: Configuring BGP Filtering By Neighbor

    BGP autonomous system paths. Each filter is an access list based on regular expressions. (See the “Regular Expressions” appendix in the Cisco IOS Dial Technologies Command Reference, Release 12.2 for more information on forming regular expressions.) To use this method, define an autonomous system path access list, and apply it to updates to and from particular neighbors.
  • Page 673: Configuring Prefix Lists For BGP Filtering

    | permit network/len [ge ge-value] [le le-value] (Optional) Add an entry to a prefix list, and assign a sequence number to the entry.
  • Page 674: Configuring BGP Community Filtering

    By default, no COMMUNITIES attribute is sent to a neighbor. You can specify that the COMMUNITIES attribute be sent to the neighbor at an IP address by using the neighbor send-community router configuration command.
  • Page 675: Configuring BGP Neighbors And Peer Groups

    (Optional) Display and parse BGP communities in the format AA:NN. A BGP community is displayed in a two-part format 2 bytes long. The Cisco default community format is in the format NNAA. In the most recent RFC for BGP, a community takes the form AA:NN, where the first part is the AS number and the second part is a 2-byte number.
  • Page 676 route-map map-name {in | out} (Optional) Apply a route map to incoming or outgoing routes. Step 17 neighbor {ip-address | peer-group-name} send-community (Optional) Specify that the COMMUNITIES attribute be sent to the neighbor at this IP address.
  • Page 677: Configuring Aggregate Addresses

    Create an aggregate entry in the BGP routing table. The aggregate route is advertised as coming from the AS, and the atomic aggregate attribute is set to indicate that information might be missing.
  • Page 678: Configuring Routing Domain Confederations

    [autonomous-system ...] Specify the autonomous systems that belong to the confederation and that will be treated as special EBGP peers. Step 5 Return to privileged EXEC mode.
  • Page 679: Configuring BGP Route Reflectors

    However, if the clients are fully meshed, the route reflector does not need to reflect routes to clients.
  • Page 680: Configuring Route Dampening

    To disable flap dampening, use the no bgp dampening router configuration command without keywords. To set dampening factors back to the default values, use the no bgp dampening router configuration command with values.
  • Page 681: Monitoring And Maintaining BGP

    Table 32-8 lists the privileged EXEC commands for clearing and displaying BGP. For explanations of the display fields, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. Table 32-11 IP BGP Clear and Show Commands...
  • Page 682: Configuring Multi-VRF CE

    The CE device advertises the site’s local routes to the router and learns the remote VPN routes from it. The Cisco ME 3400 switch can be a CE. Provider edge (PE) routers exchange routing information with CE devices by using static routing or...
  • Page 683 VPN service, for example, small companies. In this case, multi-VRF CE support is required in the Cisco ME switches. Because multi-VRF CE is a Layer 3 feature, each interface in a VRF must be a Layer 3 interface.
  • Page 684: Default Multi-VRF CE Configuration

    A switch with multi-VRF CE is shared by multiple customers, and each customer has its own routing table. Because customers use different VRF tables, the same IP addresses can be reused. Overlapped IP addresses are allowed in different VPNs.
  • Page 685: Configuring VRFs

    Beginning in privileged EXEC mode, follow these steps to configure one or more VRFs. For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2. Command...
  • Page 686: Configuring A VPN Routing Session

    Return to privileged EXEC mode. Step 7 show ip ospf process-id Verify the configuration of the OSPF network. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Page 687: Configuring BGP PE To CE Routing Sessions

    32-5. OSPF is the protocol used in VPN1, VPN2, and the global network. BGP is used in the CE to PE connections. The examples following the illustration show how to configure a Cisco ME 3400 switch as CE Switch A, and the VRF configuration for customer switches D and F. Commands for configuring CE Switch C and the other customer switches are not included but would be similar.
  • Page 688
    Switch(config)# interface loopback1
    Switch(config-if)# ip vrf forwarding v11
    Switch(config-if)# ip address 8.8.1.8 255.255.255.0
    Switch(config-if)# exit
    Switch(config)# interface loopback2
    Switch(config-if)# ip vrf forwarding v12
    Switch(config-if)# ip address 8.8.2.8 255.255.255.0
    Switch(config-if)# exit
  • Page 689
    Switch(config)# router bgp 800
    Switch(config-router)# address-family ipv4 vrf vl2
    Switch(config-router-af)# redistribute ospf 2 match internal
    Switch(config-router-af)# neighbor 83.0.0.3 remote-as 100
    Switch(config-router-af)# neighbor 83.0.0.3 activate
    Switch(config-router-af)# network 8.8.2.0 mask 255.255.255.0
    Switch(config-router-af)# exit
  • Page 690
    Router(config)# ip vrf v1
    Router(config-vrf)# rd 100:1
    Router(config-vrf)# route-target export 100:1
    Router(config-vrf)# route-target import 100:1
    Router(config-vrf)# exit
    Router(config)# ip vrf v2
    Router(config-vrf)# rd 100:2
    Router(config-vrf)# route-target export 100:2
    Router(config-vrf)# route-target import 100:2
  • Page 691: Displaying Multi-VRF CE Status

    [brief | detail | interfaces] [vrf-name] Display information about the defined VRF instances. For more information about the information in the displays, refer to the Cisco IOS Switching Services Command Reference, Release 12.2.
  • Page 692: Configuring Protocol-Independent Features

    Managing Authentication Keys, page 32-82 Configuring Cisco Express Forwarding Cisco Express Forwarding (CEF) is a Layer 3 IP switching technology used to optimize network performance. CEF implements an advanced IP look-up and forwarding algorithm to deliver maximum Layer 3 switching performance. CEF is less CPU-intensive than fast switching route caching, allowing more CPU processing power to be dedicated to packet forwarding.
  • Page 693: Configuring The Number Of Equal-Cost Routing Paths

    Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 router {bgp | rip | ospf | eigrp} Enter router configuration mode.
  • Page 694: Configuring Static Unicast Routes

    Table 32-14 Dynamic Routing Protocol Default Administrative Distances Route Source Default Distance Connected interface Static route Enhanced IGRP summary route External BGP Internal Enhanced IGRP IGRP
  • Page 695: Specifying Default Routes And Networks

    Display the selected default route in the gateway of last resort display. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no ip default-network network number global configuration command to remove the route.
  • Page 696: Using Route Maps To Redistribute Routing Information

    The system periodically scans its routing table to choose the optimal default network as its default route. In IGRP networks, there might be several candidate networks for the system default. Cisco routers use administrative distance and metric information to set the default route or the gateway of last resort.
  • Page 697 EIGRP external routes. Step 12 set dampening halflife reuse suppress max-suppress-time Set BGP route dampening factors. Step 13 set local-preference value Assign a value to a local BGP path.
  • Page 698 To delete an entry, use the no route-map map tag global configuration command or the no match or no set route-map configuration commands. You can distribute routes from one routing domain into another and control route distribution.
  • Page 699: Configuring Policy-Based Routing

    For example, you could transfer stock records to a corporate office on a high-bandwidth, high-cost link for a short time while transmitting routine application data such as e-mail over a low-bandwidth, low-cost link.
  • Page 700: PBR Configuration Guidelines

    For details about PBR commands and keywords, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of PBR commands that are visible but not supported by the switch, see Appendix C, “Unsupported Commands in Cisco IOS Release 12.2(25)EX.”...
  • Page 701: Enabling PBR

    Enter interface configuration mode, and specify the interface to configure. Step 7 no shutdown Enable the interface if necessary. By default, UNIs are disabled and NNIs are enabled.
  • Page 702: Filtering Routing Information

    In networks with many interfaces, to avoid having to manually set them as passive, you can set all interfaces to be passive by default by using the passive-interface default router configuration command and manually setting interfaces where adjacencies are desired.
  • Page 703: Controlling Advertising And Processing In Routing Updates

    [interface-name | process | autonomous-system-number] routing updates, depending upon the action listed in the access list. Step 4 distribute-list {access-list-number | access-list-name} in [type-number] Suppress processing in routes listed in updates.
  • Page 704: Filtering Sources Of Routing Information

    Display the default administrative distance for a specified routing process. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove a distance definition, use the no distance router configuration command.
  • Page 705: Managing Authentication Keys

    Display authentication key information. Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove the key chain, use the no key chain name-of-chain global configuration command.
  • Page 706: Monitoring And Maintaining The IP Network

    Display supernets. show ip cache Display the routing table used to switch IP traffic. show route-map [map-name] Display all route maps configured or only the one specified.
  • Page 708: Chapter 33 Configuring HSRP

    Configuring HSRP This chapter describes how to use Hot Standby Router Protocol (HSRP) on the Cisco ME 3400 Ethernet Access switch to provide routing redundancy for routing IP traffic without being dependent on the availability of any single router.
  • Page 709 Host C’s segment that need to communicate with users on Host B’s segment and also continues to perform its normal function of handling packets between the Host A segment and Host B.
  • Page 710: Multiple HSRP

    Note: For MHSRP, you need to enter the standby preempt interface configuration command on the HSRP interfaces so that if a router fails and then comes back up, preemption occurs and restores load sharing...
  • Page 711: Configuring HSRP

    Default HSRP Configuration Feature Default Setting HSRP groups None configured Standby group number Standby MAC address System assigned as: 0000.0c07.acXX, where XX is the HSRP group number Standby priority
  • Page 712: HSRP Configuration Guidelines

    HSRP. Step 3 no shutdown Enable the port, if necessary. By default, user network interfaces (UNIs) are disabled, and network node interfaces (NNIs) are enabled.
  • Page 713: Configuring HSRP Priority

    Assigning priority helps select the active and standby routers. If preemption is enabled, the router with the highest priority becomes the designated active router. If priorities are equal, the primary IP addresses are compared, and the higher IP address has priority.
  • Page 714 The range is 0 to 3600 (1 hour); the default is 0 (no delay before taking over). Use the no form of the command to restore the default values.
  • Page 715 300 seconds (5 minutes) before attempting to become the active router:
    Switch# configure terminal
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# no switchport
    Switch(config-if)# standby ip 172.20.128.3
    Switch(config-if)# standby priority 120 preempt delay 300
    Switch(config-if)# end
  • Page 716: Configuring MHSRP

    All routers in a Hot Standby group should use the same timer values. Normally, the holdtime is greater than or equal to 3 times the hellotime.
  • Page 717 15 seconds:
    Switch# configure terminal
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# no switchport
    Switch(config-if)# standby 1 ip
    Switch(config-if)# standby 1 timers 5 15
    Switch(config-if)# end
  • Page 718: Enabling HSRP Support For ICMP Redirect Messages

    HSRP group. If a host is redirected by ICMP to the real MAC address of a router and that router later fails, packets from the host are lost. For more information, see the Cisco IOS IP Configuration Guide, Release 12.2. Displaying HSRP Configurations...
  • Page 720: Chapter 34 Configuring IP Multicast Routing

    To use this feature, the switch must be running the metro IP access image. Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2.
  • Page 721: Understanding Cisco's Implementation Of IP Multicast Routing

    IGMP Version 2 (IGMPv2) leave messages are destined to the address 224.0.0.2 (all-multicast-routers on a subnet). In some old host IP stacks, leave messages might be destined to the group IP address rather than to the all-routers address.
  • Page 722: IGMP Version 1

    Register messages to an RP specify whether they are sent by a border router or a designated router. PIM packets are no longer inside IGMP packets; they are standalone packets.
  • Page 723: PIM Modes

    This proprietary feature eliminates the need to manually configure the RP information in every router and multilayer switch in the network. For Auto-RP to work, you configure a Cisco router or multilayer switch as the mapping agent. It uses IP multicast to learn which routers or switches in the network are possible candidate RPs to receive candidate RP announcements.
  • Page 724: Bootstrap Router

    (which might not be all interfaces on the router). If the RPF check fails, the packet is discarded.
  • Page 725 (S,G) joins (which are source-tree states) are sent toward the source. (*,G) joins (which are shared-tree states) are sent toward the RP. Dense-mode PIM uses only source trees and uses RPF as previously described.
  • Page 726: Configuring IP Multicast Routing

    To avoid misconfiguring multicast routing on your switch, review the information in these sections: PIMv1 and PIMv2 Interoperability, page 34-8; Auto-RP and BSR Configuration Guidelines, page 34-8
  • Page 727: PIMv1 And PIMv2 Interoperability

    If you have a network that includes non-Cisco routers, configure the Auto-RP mapping agent and the BSR on a Cisco PIMv2 router or multilayer switch. Ensure that no PIMv1 device is on the path between the BSR and a non-Cisco PIMv2 router.
  • Page 728: Configuring Basic Multicast Routing

    If you have non-Cisco PIMv2 routers that need to interoperate with Cisco PIMv1 routers and multilayer switches, both Auto-RP and a BSR are required. We recommend that a Cisco PIMv2 device be both the Auto-RP mapping agent and the BSR. For more information, see the “Using...
  • Page 729: Configuring A Rendezvous Point

    For more information, see the “PIMv1 and PIMv2 Interoperability” section on page 34-8 and the “Auto-RP and BSR Configuration Guidelines” section on page 34-8.
  • Page 730: Manually Assigning An RP To Multicast Groups

    Place ones in the bit positions that you want to ignore. Recall that the access list is always terminated by an implicit deny statement for everything. Step 4 Return to privileged EXEC mode.
  • Page 731: Configuring Auto-RP

    Switch(config)# ip pim rp-address 147.106.6.22 1 Configuring Auto-RP Auto-RP uses IP multicast to automate the distribution of group-to-RP mappings to all Cisco routers and multilayer switches in a PIM network. It has these benefits: It is easy to use multiple RPs within a network to serve different group ranges.
  • Page 732 Place ones in the bit positions that you want to ignore. Recall that the access list is always terminated by an implicit deny statement for everything.
  • Page 733 RP must be configured as follows:
    Switch(config)# ip pim accept-rp 172.10.20.1 1
    Switch(config)# access-list 1 permit 224.0.1.39
    Switch(config)# access-list 1 permit 224.0.1.40
  • Page 734 (Optional) Save your entries in the configuration file. To remove a filter on incoming RP announcement messages, use the no ip pim rp-announce-filter rp-list access-list-number [group-list access-list-number] global configuration command.
  • Page 735: Configuring PIMv2 BSR

    PIM domains. This command instructs the switch to neither send nor receive PIMv2 BSR messages on this interface as shown in Figure 34-2. Step 5 Return to privileged EXEC mode.
  • Page 736 Specify the interface to be configured, and enter interface configuration mode. Step 4 no shutdown Enable the port, if necessary. By default, UNIs are disabled, and NNIs are enabled.
  • Page 737 Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove this device as a candidate BSR, use the no ip pim bsr-candidate global configuration command.
  • Page 738 IP multicast address space or a portion of it. Candidate RPs send candidate RP advertisements to the BSR. When deciding which devices should be RPs, consider these options: In a network of Cisco routers and multilayer switches where only Auto-RP is used, any device can...
  • Page 739: Using Auto-RP And A BSR

    Switch(config)# access-list 4 permit 239.0.0.0 0.255.255.255 Using Auto-RP and a BSR If there are only Cisco devices in your network (no routers from other vendors), there is no need to configure a BSR. Configure Auto-RP in a network that is running both PIMv1 and PIMv2.
  • Page 740: Monitoring The RP Mapping Information

    RP. Figure 34-3 shows this type of shared-distribution tree. Data from senders is delivered to the RP for distribution to group members joined to the shared tree.
  • Page 741 Multiple sources sending to groups use the shared tree. You can configure the PIM device to stay on the shared tree. For more information, see the “Delaying the Use of PIM Shortest-Path Tree” section on page 34-23.
  • Page 742: Delaying The Use Of PIM Shortest-Path Tree

    (Optional) For group-list access-list-number, specify the access list created in Step 2. If the value is 0 or if the group-list is not used, the threshold applies to all groups.
  • Page 743: Modifying The PIM Router-Query Message Interval

    Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no ip pim query-interval [seconds] interface configuration command.
  • Page 744: Configuring Optional IGMP Features

    Another example is the multicast trace-route tools provided in the software. Caution: Performing this procedure might impact the CPU performance because the CPU will receive all data traffic for the group address.
  • Page 745: Controlling Access To IP Multicast Groups

    Specify the multicast groups that hosts on the subnet serviced by an interface can join. By default, all groups are allowed on an interface. For access-list-number, specify an IP standard access list number. The range is 1 to 99.
  • Page 746: Changing The IGMP Version

    Specify the interface to be configured, and enter interface configuration mode. Step 3 no shutdown Enable the port, if necessary. By default, UNIs are disabled, and NNIs are enabled.
  • Page 747: Modifying The IGMP Host-Query Message Interval

    Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default setting, use the no ip igmp query-interval interface configuration command.
  • Page 748: Changing The IGMP Query Timeout For IGMPv2

    Step 4 ip igmp query-max-response-time seconds Change the maximum query response time advertised in IGMP queries. The default is 10 seconds. The range is 1 to 25.
  • Page 749: Configuring The Switch As A Statically Connected Member

    (Optional) Save your entries in the configuration file. To remove the switch as a member of the group, use the no ip igmp static-group group-address interface configuration command.
  • Page 750: Configuring Optional Multicast Routing Features

    Verify your entries. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable sdr support, use the no ip sdr listen interface configuration command.
  • Page 751: Limiting How Long An sdr Cache Entry Exists

    Similarly, the engineering and marketing departments have an administratively-scoped boundary of 239.128.0.0/16 around the perimeter of their networks. This boundary prevents multicast traffic in the range of 239.128.0.0 through 239.128.255.255 from entering or leaving their respective networks.
  • Page 752 Enable the port, if necessary. By default, UNIs are disabled, and NNIs are enabled. Step 5 ip multicast boundary access-list-number Configure the boundary, specifying the access list you created in Step 2. Step 6 Return to privileged EXEC mode.
  • Page 753: Monitoring And Maintaining IP Multicast Routing

    Displaying System and Network Statistics You can display specific statistics, such as the contents of IP routing tables, caches, and databases. Note: This release does not support per-route statistics.
  • Page 754: Monitoring Ip Multicast Routing

    Display IP multicast packet rate and loss information. mtrace source [destination] [group]: Trace the path from a source to a destination branch for a multicast distribution tree for a given group.
  • Page 756: Chapter 35 Configuring Msdp

    MSDP can operate with if MBGP is not running. To use this feature, the switch must be running the metro IP access image. Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2.
  • Page 757: Msdp Operation

    Multicast traffic can now flow from the source across the source tree to the RP and then down the shared tree in the remote domain to the receiver.
  • Page 758: Msdp Benefits

    This increases security because you can prevent your sources from being known outside your domain. • Domains with only receivers can receive data without globally advertising group membership. • Global source multicast routing table state is not required, saving memory.
  • Page 759: Configuring Msdp

    The ISP probably uses a prefix list to define which prefixes it accepts from the customer’s router.
  • Page 760 SA messages. If that peer fails, the next configured default peer accepts all SA messages. This syntax is typically used at a stub site.
  • Page 761: Caching Source-Active State

    This delay is known as join latency. If you want to sacrifice some memory in exchange for reducing the latency of the source information, you can configure the switch to cache SA messages.
  • Page 762 This example shows how to enable the cache state for all sources in 171.69.0.0/16 sending to groups 224.2.0.0/16:
    Switch(config)# ip msdp cache-sa-state 100
    Switch(config)# access-list 100 permit ip 171.69.0.0 0.0.255.255 224.2.0.0 0.0.255.255
  • Page 763: Requesting Source Information From An Msdp Peer

    • Receivers of source information (based on knowing the requestor)
    For more information, see the “Redistributing Sources” section on page 35-9 and the “Filtering Source-Active Request Messages” section on page 35-11.
  • Page 764: Redistributing Sources

    1 to 199. This access list number must also be configured in the ip as-path access-list command. The switch advertises (S,G) pairs according to the access list or autonomous system path access list.
  • Page 765 Verify your entries. Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file. To remove the filter, use the no ip msdp redistribute global configuration command.
  • Page 766: Filtering Source-Active Request Messages

    171.69.2.2. SA request messages from sources on network 192.4.22.0 pass access list 1 and are accepted; all others are ignored.
    Switch(config)# ip msdp filter sa-request 171.69.2.2 list 1
    Switch(config)# access-list 1 permit 192.4.22.0 0.0.0.255
  • Page 767: Controlling Source Information That Your Switch Forwards

    If all match criteria are true, a permit from the route map passes routes through the filter. A deny filters routes.
  • Page 768
    Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet0/1
    Switch(config)# ip msdp sa-filter out switch.cisco.com list 100
    Switch(config)# access-list 100 permit ip 171.69.0.0 0.0.255.255 224.20 0 0.0.255.255
  • Page 769: Using Ttl To Limit The Multicast Data Sent In Sa Messages

    • Filter all incoming SA messages from an MSDP peer
    • Specify an IP extended access list to pass certain source/group pairs
    • Filter based on match criteria in a route map
  • Page 770 To remove the filter, use the no ip msdp sa-filter in {ip-address | name} [list access-list-number] [route-map map-tag] global configuration command. This example shows how to filter all SA messages from the peer named switch.cisco.com: Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet0/1 Switch(config)# ip msdp sa-filter in switch.cisco.com...
  • Page 771: Configuring An Msdp Mesh Group

    When a peer is shut down, the TCP connection is terminated and is not restarted. You can also shut down an MSDP session without losing configuration information for the peer.
  • Page 772: Including A Bordering Pim Dense-Mode Region In Msdp

    access-list-name] [asn aspath-access-list-number] [route-map map]: Configure which (S,G) entries from the multicast routing table are advertised in SA messages. For more information, see the “Redistributing Sources” section on page 35-9. Step 4 Return to privileged EXEC mode.
  • Page 773: Configuring An Originating Address Other Than The Rp Address

    RP. To prevent the RP address from being derived in this way, use the no ip msdp originator-id interface-id global configuration command.
  • Page 774: Monitoring And Maintaining Msdp

    [group-address | name]: Clears the SA cache entries for all entries, all sources for a specific group, or all entries for a specific source/group pair.
  • Page 776: Chapter 36 Troubleshooting

    This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the Cisco ME 3400 switch. You can use the command-line interface (CLI) to identify and solve problems.
  • Page 777: Recovering From Corrupted Software By Using The Xmodem Protocol

    From your PC, download the software image tar file (image_filename.tar) from Cisco.com. The Cisco IOS image is stored as a bin file in a directory in the tar file. For information about locating the software image files on Cisco.com, see the release notes. Step 2 Extract the bin file from the tar file.
  • Page 778: Recovering From A Lost Or Forgotten Password

    Disabling password recovery provides configuration file security by preventing unauthorized users from accessing the configuration file.
  • Page 779 The Cisco ME switch boot loader uses break-key detection to stop the automatic boot sequence for password recovery purposes. Note: The break key character is different for each operating system.
  • Page 780: Procedure With Password Recovery Enabled

    Step 6 Boot the system:
    switch: boot
    You are prompted to start the setup program. Enter N at the prompt:
    Continue with the configuration dialog? [yes/no]: N
  • Page 781 VLAN ID of the shutdown interface. With the switch in interface configuration mode, enter the no shutdown command. Step 14 Reload the switch:
    Switch# reload
  • Page 782: Procedure With Password Recovery Disabled

    You are prompted to start the setup program. To continue with password recovery, enter N at the prompt:
    Continue with the configuration dialog? [yes/no]: N
    Step 5 At the switch prompt, enter privileged EXEC mode:
    Switch> enable
  • Page 783: Preventing Autonegotiation Mismatches

    Note: If a remote device does not autonegotiate, configure the duplex settings on the two ports to match. The speed parameter can adjust itself even if the connected port does not autonegotiate.
  • Page 784: Sfp Module Security And Identification

    If you are using a non-Cisco SFP module, remove the SFP module from the switch, and replace it with a Cisco module. After inserting a Cisco SFP module, use the errdisable recovery cause gbic-invalid global configuration command to verify the port status, and enter a time interval for recovering from the error-disabled state.
  • Page 785: Using Ping

    • Understanding Ping The Cisco ME switch supports IP ping, which you can use to test connectivity to remote hosts. Ping sends an echo request packet to an address and waits for a reply. The Cisco ME switch also provides the Control Plane Security feature, which by default drops ping response packets received on user network interfaces (UNIs).
  • Page 786: All Software Versions

    For all software images for the Cisco ME switch, you can use a Layer 3 service policy to enable pings from the switch to a host connected to a UNI. Note: For a switch running the metro IP access image, IP routing is not enabled by default and does not have to be enabled to use a Layer 3 service policy.
  • Page 787: Ping Responses

    Switch# ping 72.20.52.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echoes to 172.20.52.3, timeout is 2 seconds:
    ..Success rate is 0 percent (0/5)
  • Page 788: Summary

    The switch can only identify the path from the source device to the destination device. It cannot identify the path that a packet takes from source host to the source device or from the destination device to the destination host.
  • Page 789: Layer 2 Traceroute Usage Guidelines

    Layer 2 Traceroute Usage Guidelines These are the Layer 2 traceroute usage guidelines: • Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP. Note CDP is available only on NNIs.
  • Page 790: Displaying The Physical Path

    When a host receives a datagram destined to itself containing a destination port number that is unused locally, it sends an ICMP...
  • Page 791: Executing Ip Traceroute

    The probe timed out. Unknown packet type. Administratively unreachable. Usually, this output means that an access list is blocking traffic. Host unreachable. Network unreachable. Protocol unreachable. Source quench. Port unreachable.
  • Page 792: Using Tdr

    TDR, a local device sends a signal through a cable and compares the reflected signal to the initial signal. TDR is supported only on the copper Ethernet 10/100 ports on the Cisco ME switch. TDR can detect these cabling problems: •...
  • Page 793: Using Debug Commands

    For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
  • Page 794: Enabling All-System Diagnostics

    Most of the information in the output from the command is useful mainly for technical support personnel, who have access to detailed information about the switch ASICs. However, packet forwarding information can also be helpful in troubleshooting.
  • Page 795 Src Real Vlan Id:5, Mapped Vlan Id:5 Ingress: Lookup Key-Used Index-Hit A-Data InptACL 40_0D020202_0D010101-00_40000014_000A0000 01FFA 03000000 L2Local 80_00050009_43A80145-00_00000000_00000000 00086 02010197 Station Descriptor:F0050003, DestIndex:F005, RewriteIndex:0003 ========================================== Egress:Asic 3, switch 1 Output Packets:
  • Page 796 Station Descriptor:F0070007, DestIndex:F007, RewriteIndex:0007 ========================================== Egress:Asic 3, switch 1 Output Packets: ------------------------------------------ Packet 1 Lookup Key-Used Index-Hit A-Data OutptACL 50_10010A05_0A010505-00_40000014_000A0000 01FFE 03000000 Port Vlan SrcMac DstMac Dscpv Gi0/2 0007 XXXX.XXXX.0246 0009.43A8.0147
  • Page 797: Using The Crashinfo File

    Cisco IOS image to fail (crash). The switch writes the crash information to the console at the time of the failure, and the file is created the next time you boot the Cisco IOS image after the failure (instead of while the system is failing).
  • Page 798: Appendix

    • CISCO-ENTITY-VENDORTYPE-OID-MIB
    • CISCO-ENVMON-MIB
    • CISCO-ETHERNET-ACCESS-MIB
    • CISCO-FLASH-MIB (Flash memory on all switches is modeled as removable flash memory.)
    • CISCO-FTP-CLIENT-MIB
    • CISCO-HSRP-MIB
    Layer 3 MIBs are available only when the metro IP access image is running on the switch.
  • Page 799: Appendix A Supported Mib

    • IF-MIB (In and out counters for VLANs are not supported.)
    • IGMP-MIB
    • INET-ADDRESS-MIB
    • IPMROUTE-MIB
    • OLD-CISCO-CHASSIS-MIB
    • OLD-CISCO-FLASH-MIB
    • OLD-CISCO-INTERFACES-MIB
    • OLD-CISCO-IP-MIB
    • OLD-CISCO-SYS-MIB
    • OLD-CISCO-TCP-MIB
    • OLD-CISCO-TS-MIB
    • PIM-MIB
  • Page 800: Using Ftp To Access The Mib Files

    • TCP-MIB
    • UDP-MIB
    Note: You can also use this URL for a list of supported MIBs for the Cisco ME switch: ftp://nm-tac.cisco.com/pub/mib_repo/ You can access other information about MIBs and Cisco products on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml...
  • Page 802: Appendix

    Working with the Cisco IOS File System, Configuration Files, and Software Images This appendix describes how to manipulate the Cisco ME 3400 Ethernet Access switch flash file system, how to copy configuration files, and how to archive (upload and download) software images to a switch.
  • Page 803: Displaying Available File Systems

    Displaying Available File Systems: To display the available file systems on your switch, use the show file systems privileged EXEC command as shown in this example.
  • Page 804: Appendix B Working With The Cisco IOS File System, Configuration Files, And Software Images

    Setting the Default File System: You can specify the file system or directory that the system uses as the default file system by using the cd filesystem: privileged EXEC command.
  • Page 805: Creating And Removing Directories

    Creating and Removing Directories: Beginning in privileged EXEC mode, follow these steps to create and remove a directory: Command Purpose...
  • Page 806: Deleting Files

    Some invalid combinations of source and destination exist. Specifically, you cannot copy these combinations: • From a running configuration to a running configuration •...
  • Page 807: Creating A Tar File

    Creating a tar File: To create a tar file and write files into it, use this privileged EXEC command:
    archive tar /create destination-url flash:/file-url
    For destination-url, specify the destination URL alias for the local or network file system and the name of the tar file to create.
  • Page 808: Extracting A Tar File

    This example shows how to display the contents of a switch tar file that is in flash memory:
    Switch# archive tar /table flash:me340x-metrobase-tar.122-25.EX.tar
    info (219 bytes)
    me340x-metrobase-mz.122-25.EX/ (directory)
  • Page 809: Working With Configuration Files

    This section describes how to create, load, and maintain configuration files. Configuration files contain commands entered to customize the function of the Cisco IOS software. A way to create a basic configuration file is to use the setup program or to enter the setup privileged EXEC command.
  • Page 810 Note: The copy {ftp: | rcp: | tftp:} system:running-config privileged EXEC command loads the configuration files on the switch as if you were entering the commands at the command line. The switch does not erase the existing running configuration before adding the commands.
  • Page 811: Preparing To Download Or Upload A Configuration File By Using Tftp

    Copying Configuration Files By Using TFTP: You can configure the switch by using configuration files you create, download from another switch, or download from a TFTP server.
  • Page 812: Copying Configuration Files By Using Ftp

    Step 3 Log into the switch through the console port or a Telnet session. Step 4 Download the configuration file from the TFTP server to configure the switch.
  • Page 813: Preparing To Download Or Upload A Configuration File By Using Ftp

    When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: •...
  • Page 814 Downloading a Configuration File By Using FTP: Beginning in privileged EXEC mode, follow these steps to download a configuration file by using FTP:...
  • Page 815 Uploading a Configuration File By Using FTP: Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using FTP:...
  • Page 816: Copying Configuration Files By Using Rcp

    The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list: •...
  • Page 817 • When you upload a file to the RCP server, it must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server.
  • Page 818 This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101...
  • Page 819: Clearing Configuration Information

    Depending on the setting of the file prompt global configuration command, you might be prompted for confirmation before you delete a file. By default, the switch prompts for confirmation on destructive file operations. For more information about the file prompt command, see the Cisco IOS Command Reference for Release 12.2.
  • Page 820: Image Location On The Switch

    Image Location on the Switch The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management. The image is stored on the system board flash memory (flash:).
  • Page 821: Copying Image Files By Using Tftp

    Cisco IOS image total_image_file_size Specifies the size of all the images (the Cisco IOS image and the web management files) in the tar file, which is an approximate measure of how much flash memory is required to hold them...
  • Page 822 Preparing to Download or Upload an Image File By Using TFTP: Before you begin downloading or uploading an image file by using TFTP, do these tasks: Ensure that the workstation acting as the TFTP server is properly configured.
  • Page 823 Step 3 archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar: Download the image file from the TFTP server to the switch, and overwrite the current image.
  • Page 824: Copying Image Files By Using Ftp

    The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 825 The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: • The username specified in the archive download-sw or archive upload-sw privileged EXEC...
  • Page 826 Downloading an Image File By Using FTP: You can download a new image file and overwrite the current image or keep the current image.
  • Page 827 Step 8 archive download-sw /leave-old-sw /reload ftp:[[//username[:password]@location]/directory]: Download the image file from the FTP server to the switch, and keep the current image.
  • Page 828: Uploading An Image File By Using Ftp

    The archive upload-sw command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 829: Copying Image Files By Using Rcp

    RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the switch to a server by using RCP, the Cisco IOS software sends the first valid username in this list: •...
  • Page 830 Before you begin downloading or uploading an image file by using RCP, do these tasks: • Ensure that the workstation acting as the RCP server supports the remote shell (rsh).
  • Page 831 Step 6 archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-na: Download the image file from the RCP server to the switch, and overwrite the current image.
  • Page 832 The algorithm installs the downloaded image onto the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
  • Page 833 The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.
  • Page 834: Appendix

    This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Cisco Metro Ethernet (ME) 3400 Ethernet Access switch prompt but are not supported in this release, either because they are not tested or because of switch hardware limitations.
  • Page 835: Appendix C Unsupported Commands In Cisco IOS Release 12.2(25)EX

    Group-Async interface Lex interface Multilink interface Virtual-Template interface Virtual-Tokenring Unsupported Interface Configuration Commands standby mac-refresh seconds standby use-bia IGMP Snooping Commands Unsupported Global Configuration Commands ip igmp snooping source-only-learning
  • Page 836: Interface Commands

    CPU. If the route is hardware-switched, the command has no effect because the CPU does not receive the packet and cannot display it. show ip pim vc [group-address | name] [type number] show ip rtp header-compression [type number] [detail]
  • Page 837: Unsupported Global Configuration Commands

    Unsupported Privileged EXEC or User EXEC Commands clear ip accounting [checkpoint] clear ip bgp address flap-statistics clear ip bgp prefix-list debug ip cef stats show cef [drop | not-cef-switched] show ip accounting [checkpoint] [output-packets | access-violations]
  • Page 838: Unsupported Global Configuration Commands

    Unsupported Interface Configuration Commands ip accounting ip load-sharing [per-packet] ip mtu bytes ip verify ip unnumbered type number All ip security commands
  • Page 839: Unsupported Bgp Router Configuration Commands

    [interface-id..] set ip default next-hop ip-address [ip-address..] set ip destination ip-address mask set ip precedence value set ip qos-group set metric-type internal set origin set metric-type internal set tag tag-value
  • Page 840: Mac Address Commands

    Miscellaneous Unsupported Global Configuration Commands errdisable detect cause dhcp-rate-limit errdisable recovery cause dhcp-rate-limit errdisable recovery cause unicast flood l2protocol-tunnel global drop-threshold service compress-config stack-mac persistent timer
  • Page 841: Unsupported Privileged Exec Commands

    | name [prefix-list list] (Because BGP/MBGP is not supported, use the ip msdp peer command instead of this command.) NetFlow Commands Unsupported Global Configuration Commands ip flow-aggregation cache ip flow-cache entries ip flow-export
  • Page 842: Qos

    SNMP Unsupported Global Configuration Commands snmp-server enable informs snmp-server ifindex persist Spanning Tree Unsupported Global Configuration Command spanning-tree pathcost method {long | short} Unsupported Interface Configuration Command spanning-tree stack-port
  • Page 843: Unsupported Global Configuration Commands

    VLAN Unsupported Global Configuration Commands vlan internal allocation policy {ascending | descending} Unsupported User EXEC Commands show running-config vlan show vlan ifindex
  • Page 858 9-10 IP multicast routing interface types addresses all-hosts 34-2 all-multicast-routers 34-2 Interior Gateway Protocol host group address range 34-2 See IGP administratively-scoped boundaries, described 34-32 and IGMP snooping 20-1 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-15 78-17058-01...
  • Page 859 34-10 See also PIM group-to-RP mappings IP packets, classification 30-5 Auto-RP 34-4 IP precedence 34-5 classification 30-8 values 30-5 IP protocols in ACLs 28-11 routing IP routes, monitoring 32-83 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-16 78-17058-01...
  • Page 860 MAC address and IP address 32-7 adding 18-15 passive interfaces 32-79 deleting protocols 18-16 IP traceroute distance-vector 32-2 executing 36-16 dynamic 32-2 overview link-state 36-15 32-3 proxy ARP 32-8 redistribution 32-73 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-17 78-17058-01...
  • Page 861 20-3 30-5 Layer 2 protocol tunneling configuring 13-10 configuring for EtherChannels 13-14 default configuration 13-11 defined 13-8 described 7-32 guidelines 13-11 See also Kerberos layer-2 template keepalive messages 14-3 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-18 78-17058-01...
  • Page 862 Layer 2 interfaces 28-28 with TACACS+ 7-14 configuring for QoS 30-30 login banners 5-17 creating 28-26 log messages defined 28-26 See system message logging macros See Smartports macros manageability features Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-19 78-17058-01...
  • Page 863 SNMP interaction with 27-4 30-55 supported RP mapping information 34-21 mirroring traffic for analysis SFP status 24-1 1-8, 9-23, 36-9 mismatches, autonegotiation source-active messages 36-8 35-19 speed and duplex mode 9-16 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-20 78-17058-01...
  • Page 864 15-19 peer-RPF flooding link type for rapid convergence 35-2 15-22 maximum aging time 15-21 maximum hop count 15-21 MST region 15-13 path cost 15-18 port priority 15-17 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-21 78-17058-01...
  • Page 865 See MVR CIST Multiple HSRP 15-3 configuring 15-13 See MHSRP described 15-2 multiple VPN routing/forwarding in customer edge devices hop-count mechanism 15-4 See multi-VRF CE 15-2 supported spanning-tree instances 15-2 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-22 78-17058-01...
  • Page 866 11-19 creating an access group default 11-19 disabling NTP services per interface 5-10 neighbor discovery/recovery, EIGRP 32-33 source IP address, configuring 5-10 neighbors, BGP 32-53 stratum support for Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-23 78-17058-01...
  • Page 867 30-5 MSTP 15-18 configuration guidelines 30-43 14-18 configuring 30-43 displaying statistics 30-55 defined 32-76 enabling 32-78 fast-switched policy-based routing 32-79 local policy-based routing 32-79 peers, BGP 32-53 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-24 78-17058-01...
  • Page 868 8-17 policers manual re-authentication of a client 8-14 configuring for more than one traffic class periodic re-authentication 30-39 8-13 described quiet period 30-2 8-14 RADIUS server 8-13 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-25 78-17058-01...
  • Page 869 VMPS 11-23 described preferential treatment of traffic port blocking 1-2, 21-7 See QoS port-channel prefix lists, BGP 32-50 See EtherChannel preventing unauthorized access primary links 17-1 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-26 78-17058-01...
  • Page 870 ARP 12-3 isolated VLANs configuring 12-2, 12-3 32-10 mapping 12-14 definition 32-8 monitoring 12-15 with IP routing disabled 32-10 PVST+ 802.1Q trunking interoperability 14-10 described 14-9 instances supported 14-10 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-27 78-17058-01...
  • Page 871 30-27 marking, described 30-2 individual policers 30-36 match command 30-7 input policy maps 30-35 output policy maps marking 30-41 configuring 30-44 output policy maps 30-43 described 30-5 overview 30-1 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-28 78-17058-01...
  • Page 872 30-24 of interfaces QoS groups rapid convergence 15-7 classification 30-10 rapid per-VLAN spanning-tree plus described 30-5, 30-10 See rapid PVST+ QoS information, displaying 30-55 quality of service See QoS Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-29 78-17058-01...
  • Page 873 27-2 Remote Copy Protocol 2475, DSCP 30-9 See RCP 2597, AF per-hop behavior 30-9 Remote Network Monitoring 2598, EF 30-9 See RMON Remote SPAN See RSPAN remote SPAN 24-2 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-30 78-17058-01...
  • Page 874 IP addresses on specifying monitored ports 9-20, 32-3 24-17 route-map command 32-78 with ingress traffic enabled 24-20 route maps source ports 24-5 transmitted traffic 32-48 24-5 policy-based routing VLAN-based 32-77 24-6 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-31 78-17058-01...
  • Page 875 30-41 described set-request operation 27-4 templates severity levels, defining in system messages 26-8 configuring SFPs number of monitoring status of 1-8, 9-23, 36-9 security and identification 36-9 status, displaying Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-32 78-17058-01...
  • Page 876 27-1, 27-4 described types of 27-4 27-11 disabling 27-7 users 27-6, 27-9 authentication level 27-10 versions supported 27-2 community strings SNMPv1 27-2 configuring SNMPv2C 27-8 27-2 overview 27-4 SNMPv3 27-2 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-33 78-17058-01...
  • Page 877 24-13 configuring 32-71 source ports 24-5 static routing 32-2 transmitted traffic 24-5 static VLAN membership 11-2 VLAN-based 24-6 spanning tree and native VLANs 11-15 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-34 78-17058-01...
  • Page 878 14-10 root switch 14-14 load sharing secondary root switch 14-16 overview 11-19 spanning-tree mode using path costs 14-13 11-21 switch priority using port priorities 14-19 11-20 counters, clearing 14-22 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-35 78-17058-01...
  • Page 879 5-11 stub areas, OSPF 32-27 summer time 5-13 subdomains, private VLAN time zones 12-1 5-12 subnet mask displaying the time and date 32-5 5-12 subnet zero 32-6 overview Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-36 78-17058-01...
  • Page 880 5-14 to 5-15 displaying the contents of system resources, optimizing extracting image file format B-19 Telnet accessing management interfaces number of connections setting a password Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-37 78-17058-01...
  • Page 881 36-14 26-1 multicast traffic 36-14 with traceroute 36-15 multiple devices on a port 36-14 trunking encapsulation unicast traffic trunk ports 36-13 usage guidelines configuring 36-14 11-17 defined 9-4, 11-4 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-38 78-17058-01...
  • Page 882 FTP B-14 link-detection mechanism 23-1 using RCP B-17 neighbor database 23-2 using TFTP B-11 overview 23-1 resetting an interface 23-6 status, displaying 23-6 support for UDP, configuring 32-14 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-39 78-17058-01...
  • Page 883 VLAN Management Policy Server illustrated 11-2 See VMPS internal 11-8 VLAN map entries, order of 28-30 limiting source traffic with RSPAN 24-21 limiting source traffic with SPAN 24-15 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-40 78-17058-01...
  • Page 884 11-27 configuring routing in 32-63 forwarding 32-61 in service provider networks 32-59 routes 1-14, 32-59 VPN routing and forwarding table See VRF 1-5, 11-23 defining 32-61 tables 1-14, 32-59 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-41 78-17058-01...
  • Page 885 Index Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-42 78-17058-01...
