Cisco WS-C3560E-12D-E Software Configuration Guide

Cisco WS-C3560E-12D-E - Catalyst Switch Manual

Cisco WS-C3560E-12D-E manual content summary:

  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 1
    Catalyst 3560 Switch Software Configuration Guide Cisco IOS Release 12.1(19)EA1 January 2004 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7816156=
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 2
    MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco between Cisco and any other company. (0304R) Catalyst 3560 Switch Software Configuration Guide Copyright © 2004 Cisco Systems,
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 3
    Documentation xxxv Cisco.com xxxv Switch Configuration 1-9 Network Configuration Examples 1-11 Design Concepts for Using the Switch 1-11 Small to Medium-Sized Network Using Catalyst 3560 Switches 1-13 Large Network Using Catalyst 3560 Switches Catalyst 3560 Switch Software Configuration Guide iii
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 4
    and Browser Support 3-9 CMS Plug-In Requirements 3-9 Cross-Platform Considerations 3-10 HTTP Access to CMS 3-10 Specifying an HTTP Port (Nondefault Configuration Only) 3-10 Configuring an Authentication Method (Nondefault Configuration Only) 3-10 Catalyst 3560 Switch Software Configuration Guide iv
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 5
    4-12 Booting Manually 4-13 Booting a Specific Software Image 4-13 Controlling Environment Variables 4-14 Scheduling a Reload of the Software Image 4-16 Configuring a Scheduled Reload 4-16 Displaying Scheduled Reload Information 4-17 78-16156-01 Catalyst 3560 Switch Software Configuration Guide v
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 6
    Groups 5-11 Automatic Recovery of Cluster Configuration 5-12 IP Addresses 5-13 Host Names 5-13 Passwords 5-14 SNMP Community Strings 5-14 TACACS+ and RADIUS 5-14 Access Modes in CMS 5-15 LRE Profiles 5-15 Availability of Switch-Specific Features in Switch Clusters 5-15 Creating a Switch Cluster 5-16
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 7
    the Switch 6-1 Managing the System Time and Date 6-1 Understanding the System Clock 6-2 Understanding Network Time Protocol 6-2 Configuring NTP 6-4 Default NTP Configuration 6-4 Configuring NTP Authentication 6-5 Configuring NTP Associations 6-6 Configuring NTP Broadcast Service 6-7 Configuring NTP
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 8
    Authentication Key 8-13 Configuring TACACS+ Login Authentication 8-14 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 8-16 Starting TACACS+ Accounting 8-17 Displaying the TACACS+ Configuration 8-17 Catalyst 3560 Switch Software Configuration Guide viii 78-16156
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 9
    Authentication 9-1 Understanding 802.1X Port-Based Authentication 9-1 Device Roles 9-2 Authentication Initiation and Message Exchange 9-3 Ports in Authorized and Unauthorized States 9-4 Supported Topologies 9-4 Using 802.1X with Port Security 9-5 Catalyst 3560 Switch Software Configuration Guide ix
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 10
    Macros 10-9 Configuring Ethernet Interfaces 10-11 Default Ethernet Interface Configuration 10-11 Configuring Interface Speed and Duplex Mode 10-12 Configuration Guidelines 10-13 Setting the Interface Speed and Duplex Parameters 10-13 Catalyst 3560 Switch Software Configuration Guide x 78-16156
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 11
    VLAN Database Configuration Mode 12-7 Saving VLAN Configuration 12-7 Default Ethernet VLAN Configuration 12-8 Creating or Modifying an Ethernet VLAN 12-8 Deleting a VLAN 12-10 Assigning Static-Access Ports to a VLAN 12-11 Contents 78-16156-01 Catalyst 3560 Switch Software Configuration Guide xi
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 12
    VMPS Clients 12-30 Reconfirming VLAN Memberships 12-31 Changing the Reconfirmation Interval 12-31 Changing the Retry Count 12-32 Monitoring the VMPS 12-32 Troubleshooting Dynamic-Access Port VLAN Membership 12-33 VMPS Configuration Example 12-33 Catalyst 3560 Switch Software Configuration Guide xii
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 13
    Voice VLAN Configuration Guidelines 14-3 Configuring a Port Connected to a Cisco 7960 IP Phone 14-4 Configuring IP Phone Voice Traffic 14-4 Configuring the Priority of Incoming Data Frames 14-5 Displaying Voice VLAN 14-6 Contents 78-16156-01 Catalyst 3560 Switch Software Configuration Guide xiii
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 14
    15-11 Spanning-Tree Configuration Guidelines 15-12 Changing the Spanning-Tree Mode 15-13 Disabling Spanning Tree 15-14 Configuring the Root Switch 15-14 Configuring a Secondary Root Switch 15-16 Configuring Port Priority 15-17 Configuring Path Cost 15-18 Configuring the Switch Priority of a VLAN 15
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 15
    -22 Displaying the MST Configuration and Status 16-23 Configuring Optional Spanning-Tree Features 17-1 Understanding Optional Spanning-Tree Features 17-1 Understanding Port Fast 17-2 Understanding BPDU Guard 17-3 Understanding BPDU Filtering 17-3 Catalyst 3560 Switch Software Configuration Guide xv
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 16
    a Multicast Group 19-5 Immediate-Leave Processing 19-6 IGMP Report Suppression 19-6 Configuring IGMP Snooping 19-6 Default IGMP Snooping Configuration 19-7 Enabling or Disabling IGMP Snooping 19-7 Setting the Snooping Method 19-8 Catalyst 3560 Switch Software Configuration Guide xvi 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 17
    Default Port Blocking Configuration 20-6 Blocking Flooded Traffic on an Interface 20-6 Configuring Port Security 20-7 Understanding Port Security 20-7 Secure MAC Addresses 20-8 Security Violations 20-9 Default Port Security Configuration 20-10 Catalyst 3560 Switch Software Configuration Guide xvii
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 18
    -1 Understanding SPAN and RSPAN 23-1 Local SPAN 23-2 Remote SPAN 23-2 SPAN and RSPAN Concepts and Terminology 23-3 SPAN Sessions 23-3 Monitored Traffic 23-4 Source Ports 23-5 Source VLANs 23-6 VLAN Filtering 23-6 xviii Catalyst 3560 Switch Software Configuration Guide 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 19
    01 Destination Port 23-7 RSPAN VLAN 23-8 SPAN and RSPAN Interaction with Other Features 23-8 Configuring SPAN and RSPAN 23-9 Default SPAN and RSPAN Configuration 23-9 Configuring Local SPAN 23-10 SPAN Configuration Guidelines Severity Level 25-8 Catalyst 3560 Switch Software Configuration Guide xix
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 20
    -14 Limiting TFTP Servers Used Through SNMP 26-15 SNMP Examples 26-15 Displaying SNMP Status 26-16 CHAPTER 27 Configuring Network Security with ACLs 27-1 Understanding ACLs 27-1 Supported ACLs 27-2 Port ACLs 27-3 Router ACLs 27-4 VLAN Maps 27-4 Handling Fragmented and Unfragmented Traffic 27
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 21
    27-39 Displaying ACL Configuration 27-40 Configuring QoS 28-1 Understanding QoS 28-1 Basic QoS Model 28-3 Classification 28-4 Classification Based on QoS ACLs 28-7 Classification Based on Class Maps and Policy Maps 28-7 Policing and Marking 28-8 Catalyst 3560 Switch Software Configuration Guide xxi
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 22
    DSCP Maps 28-47 Configuring the CoS-to-DSCP Map 28-47 Configuring the IP-Precedence-to-DSCP Map 28-48 Configuring the Policed-DSCP Map 28-49 Configuring the DSCP-to-CoS Map 28-50 Configuring the DSCP-to-DSCP-Mutation Map 28-51 Catalyst 3560 Switch Software Configuration Guide xxii 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 23
    29-15 Configuring the PAgP Learn Method and Priority 29-16 Configuring LACP Hot-Standby Ports 29-17 Configuring the LACP System Priority 29-18 Configuring the LACP Port Priority 29-19 Displaying EtherChannel, PAgP, and LACP Status 29-20 Catalyst 3560 Switch Software Configuration Guide xxiii
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 24
    IRDP) 30-12 Configuring Broadcast Packet Configuring Split Horizon 30-27 Configuring OSPF 30-28 Default OSPF Configuration 30-29 Configuring Basic OSPF Parameters 30-30 Configuring OSPF Interfaces 30-31 Configuring OSPF Area Parameters 30-32 xxiv Catalyst 3560 Switch Software Configuration Guide
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 25
    Unicast Routes 30-65 Specifying Default Routes and Networks 30-66 Using Route Maps to Redistribute Routing Information 30-67 Configuring Policy-Based Routing 30-71 PBR Configuration Guidelines 30-72 Enabling PBR 30-72 Contents 78-16156-01 Catalyst 3560 Switch Software Configuration Guide xxv
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 26
    32-8 Default Multicast Routing Configuration 32-8 Multicast Routing Configuration Guidelines 32-8 PIMv1 and PIMv2 Interoperability 32-8 Auto-RP and BSR Configuration Guidelines 32-9 Configuring Basic Multicast Routing 32-10 xxvi Catalyst 3560 Switch Software Configuration Guide 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 27
    Rendezvous Point 32-11 Manually Assigning an RP to Multicast Groups 32-11 Configuring Auto-RP 32-13 Configuring PIMv2 BSR 32-17 Using Auto-RP and a BSR 32-21 Monitoring the RP Mapping Information 32-22 Troubleshooting PIMv1 and PIMv2 Interoperability Problems 32-22 Configuring Advanced PIM Features
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 28
    Bridging Configuration Guidelines 34-3 Creating a Bridge Group 34-3 Adjusting Spanning-Tree Parameters 34-5 Changing the VLAN-Bridge Spanning-Tree Priority 34-6 Changing the Interface Priority 34-6 Assigning a Path Cost 34-7 xxviii Catalyst 3560 Switch Software Configuration Guide 78-16156
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 29
    Switch Failure 35-8 Replacing a Failed Command Switch with a Cluster Member 35-8 Replacing a Failed Command Switch with Another Switch 35-10 Recovering from Lost Cluster Member Connectivity 35-11 Preventing Autonegotiation Mismatches 35-12 Troubleshooting Power over Ethernet Switch Ports 35-12
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 30
    RCP B-16 Downloading a Configuration File By Using RCP B-17 Uploading a Configuration File By Using RCP B-18 Clearing Configuration Information B-19 Clearing the Startup Configuration File B-19 Deleting a Stored Configuration File B-19 Catalyst 3560 Switch Software Configuration Guide xxx 78-16156
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 31
    Commands C-4 Unsupported Global Configuration Commands C-4 Interface Commands C-4 Unsupported Privileged EXEC Commands C-4 Unsupported Global Configuration Commands C-4 Unsupported Interface Configuration Commands C-5 Contents 78-16156-01 Catalyst 3560 Switch Software Configuration Guide xxxi
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 32
    Interface Configuration Commands C-10 VLAN C-10 Unsupported vlan-config Commands C-10 Unsupported User EXEC Commands C-11 VTP C-11 Unsupported Privileged EXEC Commands C-11 Miscellaneous C-11 Unsupported Global Configuration Commands C-11 xxxii Catalyst 3560 Switch Software Configuration Guide 78
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 33
    , hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking. Purpose The Catalyst 3560 switch is supported by either the standard multilayer
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 34
    enter is in boldface screen font. • Nonprinting characters, such as passwords or tabs, are in angle brackets (< >). Notes, cautions, problem. The tips information might not be troubleshooting or even an action, but could be useful information. xxxiv Catalyst 3560 Switch Software Configuration Guide
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 35
    Notes for the Catalyst 3560 Switch (not orderable but available on Cisco.com) • Catalyst 3560 Switch Software Configuration Guide (order number DOC-7816156=) • Catalyst 3560 Switch Command Reference (order number DOC-7816155=) • Catalyst 3560 Switch System Message Guide (order number DOC-7816154
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 36
    winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller. xxxvi Catalyst 3560 Switch Software Configuration Guide 78
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 37
    hours to restore service to satisfactory levels. Priority 4 (P4)-You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations. 78-16156-01 Catalyst 3560 Switch Software Configuration Guide xxxvii
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 38
    /ac123/ac147/about_cisco_the_internet_protocol_journal.html • Training-Cisco offers world-class networking training. Current offerings in network training are listed at this URL: http://www.cisco.com/en/US/learning/index.html xxxviii Catalyst 3560 Switch Software Configuration Guide 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 39
    , supports encryption) versions of the SMI and EMI. You must obtain authorization to use this feature and to download the cryptographic version of the software from Cisco.com. For more information, refer to the release notes for this release. 78-16156-01 Catalyst 3560 Switch Software Configuration
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 40
    . - Monitoring real-time status of a switch or multiple switches from the LEDs on the front-panel images. The system, redundant power system (RPS), and port LED colors on the images are similar to those used on the physical LEDs. Catalyst 3560 Switch Software Configuration Guide 1-2 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 41
    on a switch port can belong • IGMP throttling for configuring the action when the maximum number of entries is in the IGMP forwarding table • Switch Database Management (SDM) templates for allocating system resources to maximize support for user-selected features 78-16156-01 Catalyst 3560 Switch
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 42
    In-band management access for up to five simultaneous, encrypted Secure Shell (SSH) connections for multiple CLI-based sessions over the network (requires the cryptographic [that is, supports encryption] versions of the SMI and EMI) Catalyst 3560 Switch Software Configuration Guide 1-4 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 43
    to VLANs associated with appropriate network resources, traffic patterns, and bandwidth • Support for VLAN IDs in the full 1 to 4094 range allowed by the IEEE 802.1Q standard • VLAN Query Protocol (VQP) for dynamic VLAN membership 78-16156-01 Catalyst 3560 Switch Software Configuration Guide 1-5
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 44
    of the port - 802.1X with guest VLAN to provide limited services to non-802.1X-compliant users • Terminal Access Controller Access Control System Plus (TACACS+), a proprietary feature for managing network security through a TACACS server Catalyst 3560 Switch Software Configuration Guide 1-6 78
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 45
    but limited to using a share of port bandwidth. Shared egress queues are also guaranteed a configured share of bandwidth, but can use more than the guarantee if other queues become empty and do not use their share of the bandwidth. 78-16156-01 Catalyst 3560 Switch Software Configuration Guide 1-7
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 46
    7.7 W of power at the same time, up to a maximum switch power output of 370 W • Automatic detection and power budgeting; the switch maintains a power budget, monitors and tracks requests for power, and grants power only when it is available Catalyst 3560 Switch Software Configuration Guide 1-8 78
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 47
    Disabled More information in... Chapter 4, "Assigning the Switch IP Address and Default Gateway" Chapter 5, "Clustering Switches" Chapter 6, "Administering the Switch" Chapter 9, "Configuring 802.1X Port-Based Authentication" 78-16156-01 Catalyst 3560 Switch Software Configuration Guide 1-9
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 48
    18, "Configuring DHCP Features" Chapter 19, "Configuring IGMP Snooping and MVR" Chapter 20, "Configuring Port-Based Traffic Control" Chapter 21, "Configuring CDP" Chapter 22, "Configuring UDLD" Chapter 23, "Configuring SPAN and RSPAN" 1-10 Catalyst 3560 Switch Software Configuration Guide 78
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 49
    and the relative priority of the network applications they use. Table 1-2 describes what can cause network performance to degrade and how you can configure your network to increase the bandwidth available to your network users. 78-16156-01 Catalyst 3560 Switch Software Configuration Guide 1-11
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 50
    ) for cluster command switch and router redundancy. • Use VLAN trunks and BackboneFast for traffic-load balancing on the uplink ports so that the uplink port with a lower relative port cost is selected to carry the VLAN traffic. 1-12 Catalyst 3560 Switch Software Configuration Guide 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 51
    port. The powered device, such as an IP phone, can receive redundant power when it is also connected to an AC power source. Powered devices not connected to Catalyst PoE switches must be connected to AC power sources to receive power. 78-16156-01 Catalyst 3560 Switch Software Configuration Guide
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 52
    VLAN routing and other network services, the routers focus on firewall services, Network Address Translation (NAT) services, voice-over-IP (VoIP) gateway services, and WAN and Internet access. Figure 1-1 Catalyst 3560 Switches in a Collapsed Backbone Configuration Internet Cisco 2600 or 3700 routers
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 53
    cam) Aironet wireless access points IP IP IP Cisco IP Phones with workstations IEEE 802.3af-compliant powered device (such as a web cam) Aironet wireless IP access points IP IP Cisco IP Phones with workstations 101389 78-16156-01 Catalyst 3560 Switch Software Configuration Guide 1-15
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 54
    Next Before configuring the switch, review these sections for startup information: • Chapter 2, "Using the Command-Line Interface" • Chapter 3, "Getting Started with CMS" • Chapter 4, "Assigning the Switch IP Address and Default Gateway" 1-16 Catalyst 3560 Switch Software Configuration Guide 78
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 55
    CHAPTER 2 Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your Catalyst 3560 switch. It contains these sections: • Understanding Command Modes, page 2-1 • Understanding the Help System, page 2-3 • Understanding
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 56
    , enter the interface command (with a specific interface). Switch(config-if)# To exit to global Use this mode to configure configuration mode, parameters for the Ethernet enter exit. ports. To return to privileged EXEC mode, press Ctrl-Z or enter end. For information about defining interfaces
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 57
    Commands You need to enter only enough characters for the switch to recognize the command as unique. This example shows how to enter the show configuration privileged EXEC command in an abbreviated form: Switch# show conf 78-16156-01 Catalyst 3560 Switch Software Configuration Guide 2-3
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 58
    some error messages that you might encounter while using the CLI to configure your switch. Table 2-3 Common CLI Error Messages Error Message Meaning How to (optional) • Disabling the Command History Feature, page 2-5 (optional) Catalyst 3560 Switch Software Configuration Guide 2-4 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 59
    during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command. 78-16156-01 Catalyst 3560 Switch Software Configuration Guide 2-5
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 60
    character located at the cursor. Recall commands from the buffer and paste them in the command line. The switch provides a buffer with the last ten items that you deleted. Press Ctrl-Y. Recall the most recent entry in the buffer. Catalyst 3560 Switch Software Configuration Guide 2-6 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 61
    Delete from the cursor to the end of the word. Capitalize or lowercase switch suddenly sends a message to your screen. Redisplay the current command line. 1. The arrow keys function only on ANSI-compatible terminals such as VT100s. 78-16156-01 Catalyst 3560 Switch Software Configuration Guide
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 62
    expression protocol appears: Switch# show interfaces | include protocol Vlan1 is up, line protocol is up Vlan10 is up, line protocol is down GigabitEthernet0/1 is up, line protocol is down GigabitEthernet0/2 is up, line protocol is up Catalyst 3560 Switch Software Configuration Guide 2-8 78-16156
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 63
    IP address of the switch or, if clustering, the command switch. When the Cisco Systems Access page appears, click Telnet to start a Telnet session. Enter the switch password. The user EXEC prompt appears on the management station. 78-16156-01 Catalyst 3560 Switch Software Configuration Guide 2-9
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 64
    A password is not required to redisplay these pages, including the Cisco Systems Cisco Systems Access page. To prevent unauthorized access to the CLI or to the Cluster Management Suite (CMS), exit your browser to end the browser session. 2-10 Catalyst 3560 Switch Software Configuration Guide
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 65
    of some complex configuration options • Two levels of access modes to the configuration options: read-write access for users who can change switch settings and read-only access for users who can only view switch settings 78-16156-01 Catalyst 3560 Switch Software Configuration Guide 3-1
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 66
    the Front Panel image of a specific set of switches in a cluster. From this view, you can select multiple ports or multiple switches and configure them with the same settings. For Help-Launch the online help. Figure 3-1 Menu Bar Catalyst 3560 Switch Software Configuration Guide 3-2 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 67
    ports. Save the configuration of the cluster or a switch to Flash memory. Upgrade the software for the cluster or a switch. Display and configure port parameters on a switch. VLAN1 Display VLAN membership, assign ports session. 78-16156-01 Catalyst 3560 Switch Software Configuration Guide 3-3
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 68
    Figure 3-2 Feature Bar and Search Window 1 Feature bar 2 Search window Note Only features supported by the devices in your cluster are displayed in the feature bar. You can search for see the "Privilege Levels" section on page 3-7. Catalyst 3560 Switch Software Configuration Guide 3-4 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 69
    Guide Mode and then select a feature that supports it, CMS displays a specific parameter of that feature and information about the parameter. To configure the feature, you enter the information in each step until you click Finish in the last step. Clicking Cancel at any time ends the configuration
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 70
    until you select another configuration option. Similar to guide mode, wizards provide a step-by-step approach for completing a specific configuration task. Unlike guide mode, a wizard see the "Privilege Levels" section on page 3-7. Catalyst 3560 Switch Software Configuration Guide 3-6 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 71
    access to these member switches, some configuration windows for those switches display incomplete information: • Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12.0(5)WC2 or earlier • Catalyst 2950 member switches running Cisco IOS Release 12.0(5)WC2 or earlier For
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 72
    NT 4.01 Pentium 300 MHz Solaris 2.5.1 or higher SPARC 333 MHz 1. Service Pack 3 or higher is required. DRAM 128 MB 128 MB Number of Colors 65,536 Most colors for applications Resolution 1024 x 768 - Font Size Small Small (3) Catalyst 3560 Switch Software Configuration Guide 3-8 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 73
    : http://www.cisco.com/pcgi-bin/tablebuild.pl/java On Solaris platforms, follow the instructions in the README_FIRST.txt file to install the Java plug-in. You need to close and restart your browser after installing a Java plug-in. 78-16156-01 Catalyst 3560 Switch Software Configuration Guide 3-9
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 74
    . Refer to the documentation specific to the switch and its Cisco IOS release for descriptions of the CMS version. HTTP Access to CMS CMS uses the HTTP protocol (the default is port 80) and the default method of authentication (the enable password) to communicate with the switch through any of its
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 75
    and password when prompted. If no username is configured on your switch (the default), enter only the enable password (if an enable password is configured) in the password field. The switch home page appears, as shown in Figure 3-4. 78-16156-01 Catalyst 3560 Switch Software Configuration Guide
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 76
    privileged EXEC command • Help Resources-Provides links to the Cisco website, technical documentation, and the Cisco Technical Assistance Center (TAC) Click Cluster Management Suite to Report page appears, as shown in Figure 3-5. 3-12 Catalyst 3560 Switch Software Configuration Guide 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 77
    -in and then upgrade your browser, the plug-in is not registered with the new browser. Note If your PC or workstation is correctly configured for CMS, you do not see the CMS Startup Report. When your PC or workstation is correctly configured, CMS launches. 78-16156-01 Catalyst 3560 Switch Software
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 78
    them. You can right-click on a switch port to configure that port. Figure 3-7 Front Panel View and Port Popup Menu 1 2 98674 3 4 1 Cluster tree 2 Command switch 3 check boxes to show switches 4 Port configuration popup menu 3-14 Catalyst 3560 Switch Software Configuration Guide 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 79
    Manager (also referred to as Switch Manager). Device Manager is for configuring an individual switch. When you select Device Manager for a specific switch in the cluster, you launch a separate CMS session. The Device Manager interface can vary among the Catalyst switch platforms. Topology View When
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 80
    this release. The rest of this guide provides information about the command-line interface (CLI) procedures for the software features supported in this release. For CMS procedures and window descriptions, refer to the online help. 3-16 Catalyst 3560 Switch Software Configuration Guide 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 81
    to follow the procedures in the hardware installation guide about installing and powering on the switch, and setting up the initial configuration (IP address, subnet mask, default gateway, secret and Telnet passwords, and so forth) of the switch. The normal boot process involves the operation of
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 82
    page 35-4. Note You can disable password recovery. For more information, see the "Disabling Password Recovery" section on page 8-5. Before you can assign switch information, make sure you have connected a PC or terminal to the console port, and configured the PC or terminal-emulation software baud
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 83
    connected LANs. A router does not forward broadcast packets, but it forwards packets based on the destination IP address in the received packet. DHCP-based autoconfiguration replaces the BOOTP client functionality on your switch. 78-16156-01 Catalyst 3560 Switch Software Configuration Guide 4-3
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 84
    configuration file. Configuring DHCP-Based Autoconfiguration These sections describe how to configure DHCP-based autoconfiguration. • Configuring the DHCP Server, page 4-5 • Configuring the TFTP Server, page 4-5 • Configuring the DNS, page 4-6 Catalyst 3560 Switch Software Configuration Guide
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 85
    as a DHCP server, refer to the "IP Addressing and Services" section in the Cisco IOS IP and IP Routing Configuration Guide for Cisco IOS Release 12.1 for additional information about configuring DHCP. Configuring the DHCP Server The switch can act as both the DHCP client and DHCP server. By default
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 86
    : • The configuration file named in the DHCP reply (the actual switch configuration file). • The network-confg or the cisconet.cfg file (known as the default configuration files). • router(config-if)# ip helper-address 10.0.0.1 Catalyst 3560 Switch Software Configuration Guide 4-6 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 87
    file and obtains its host name. If the host name is not found in the file, the switch uses the host name in the DHCP reply. If the host name is not specified in the DHCP reply, the switch uses the default Switch as its host name. 78-16156-01 Catalyst 3560 Switch Software Configuration Guide 4-7
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 88
    DHCP-Based Autoconfiguration Network Example [Figure labels: Switch A, Switch B, Switch C, Switch D; 00e0.9f1e.2001, 00e0.9f1e.2002, 00e0.9f1e.2003, 00e0.9f1e.2004; Cisco router; 10.0.0.10, 10.0.0.1, 10.0.0.2, 10.0.0.3; DHCP server, DNS server, TFTP server (maritsu)] Table 4-2 shows the configuration of the
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 89
    mode. Enter interface configuration mode, and enter the VLAN to which the IP information is assigned. The range is 1 to 4094; do not enter leading zeros. Enter the IP address and subnet mask. Return to global configuration mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 90
    Switch# show running-config Building configuration... Current configuration: 1363 bytes ! version 12.1 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Switch
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 91
    Specific Software Image, page 4-13 • Controlling Environment Variables, page 4-14 See also Appendix B, "Working with the Cisco IOS File System, Configuration Files, and Software Images," for information about switch configuration files.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 92
    global configuration command changes the setting of the CONFIG_FILE environment variable. (Optional) Save your entries in the configuration file. To return to the default setting, use the no boot config-file global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 93
    in the configuration file. To disable manual booting, use the no boot manual global configuration command. Booting a Specific Software Image By default, the switch attempts to . Filenames and directory names are case sensitive.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 94
    enter the boot loader mode only through a switch console connection configured for 9600 bps. Unplug the switch power cord, and press the switch Mode button while reconnecting the power cord. You can release the Mode button a second or two after the LED above port 1 turns off. Then the boot loader
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 95
    and write a nonvolatile copy of the system configuration. Specifies the filename that Cisco IOS uses to read and write a nonvolatile copy of the system configuration. This command changes the CONFIG_FILE environment variable.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 96
    used less), or you can synchronize a reload network-wide (for example, to perform a software upgrade on all switches in the network). Note A scheduled reload must take place within approximately 24 days. Configuring a Scheduled Reload To configure your switch to reload the software image at a later
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 97
    on the switch, use the show reload privileged EXEC command. It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled).
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 98
    Scheduling a Reload of the Software Image Chapter 4 Assigning the Switch IP Address and Default Gateway
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 99
    mixed with other cluster-capable Catalyst switches, but it does not provide complete descriptions of the cluster features for these other switches. For complete cluster information for a specific Catalyst platform, refer to the software configuration guide for that switch. This chapter consists of
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 100
    the Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Catalyst 3500 XL switches. For complete information about these switches in a switch-cluster environment, refer to the software configuration guide for that specific switch. • Command-switch redundancy if a cluster command switch
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 101
    switch or switch stack. If the switch cluster has a Catalyst 3750 switch or switch stack, that switch or switch stack must be the cluster command switch. Standby Cluster Command Switch Characteristics A standby cluster command switch must meet these requirements: • It is running Cisco IOS Release 12
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 102
    -cluster environment, refer to the software configuration guide for that specific switch. This requirement does not apply if you have a Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switch. Candidate and cluster member switches can connect through any VLAN in common
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 103
    count is three. The cluster command switch discovers switches 11, 12, 13, and 14 because they are within three hops from the edge of the cluster. It does not discover switch 15 because it is four hops from the edge of the cluster.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 104
    to a Catalyst 5000 switch. Figure 5-2 Discovery Through Non-CDP-Capable and Noncluster-Capable Devices [Figure labels: Command switch; Third-party hub (non-CDP-capable); Candidate switch; Catalyst 5000 switch (noncluster-capable); Candidate switch]
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 105
    the cluster command switch through their management VLAN. The default management VLAN is VLAN 1. Note If the switch cluster has a Catalyst 3750 switch or switch stack, that switch or switch stack must be the cluster command switch.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 106
    62 but not the switch in VLAN 4. If the routed port path between the cluster command switch and cluster member switch 7 is lost, connectivity with cluster member switch 7 is maintained because of the redundant path through VLAN 9.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 107
    port are assigned to management VLAN 16. Figure 5-6 Discovery of Newly Installed Switches [Figure labels: Command switch; VLAN 9; Switch A; AP; VLAN 9; New (out-of-box) candidate switch; VLAN 16; Switch B; AP; VLAN 16; New (out-of-box) candidate switch]
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 108
    These topics also provide more detail about standby cluster command switches: • Virtual IP Addresses, page 5-11 • Other Considerations for Cluster Standby Groups, page 5-11 • Automatic Recovery of Cluster Configuration, page 5-12
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 109
    the switch configuration guide of other cluster-capable switches for their requirements on standby cluster command switches. If your switch cluster has a Catalyst 3560 switch, it should be the cluster command switch unless the cluster has a Catalyst 3750 switch or switch stack. If the switch cluster
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 110
    active cluster command switch fails and becomes active again, it does not discover any Catalyst 1900, Catalyst 2820, and Catalyst 2916M XL cluster member switches. You must again add these cluster member switches to the cluster.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 111
    is overwritten with the host name of the cluster command switch in the new cluster (such as mkg-cluster-5). If the switch member number changes in the new cluster (such as 3), the switch retains the previous name (eng-cluster-5).
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 112
    Access to Your Switch" section on page 8-1. For password considerations specific to the Catalyst 1900 and Catalyst 2820 switches, refer to the installation and configuration guides for those switches. SNMP Community Strings A cluster member switch inherits the command-switch first read-only
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 113
    cluster member switches running Cisco IOS Release 12.1(6)EA1 or earlier These switches do not support read-only mode on CMS: • Catalyst 1900 and Catalyst 2820 • Catalyst 2900 XL switches with 4-MB CPU DRAM In read-only mode, these switches appear as unavailable devices and cannot be configured from
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 114
    the cluster has a Catalyst 3750 switch or switch stack. If the switch cluster has a Catalyst 3750 switch or switch stack, that switch or switch stack must be the cluster command switch. You can enable a cluster command switch, name the cluster, and assign an IP address and a password to the cluster
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 115
    command-switch password. For more information about setting passwords, see the "Passwords" section on page 5-14. For additional authentication considerations in switch clusters, see the "TACACS+ and RADIUS" section on page 5-14.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 116
    Cluster Device Manager... Properties... 3750G-24T Thin line means a connection to a candidate switch. Right-click a candidate switch to display the pop-up menu, and select Add to Cluster to add the switch to the cluster.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 117
    the same type of switches as the cluster command switch. For example, if the cluster command switch is a Catalyst 3560 switch, the standby cluster command switches must also be Catalyst 3560 switches. Refer to the switch configuration guide of other cluster-capable switches for their requirements on
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 118
    Cluster Figure 5-11 Standby Command Configuration Window. Figure callouts: Active command switch. Standby command switch. Must be a valid IP
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 119
    the same privilege level as on the cluster command switch. The Cisco IOS commands then operate as usual. For instructions on configuring the switch for a Telnet session, see the "Disabling Password Recovery" section on page 8-5.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 120
    Enterprise Edition Software. For more information about the Catalyst 1900 and Catalyst 2820 switches, refer to the installation and configuration guides for those switches. Using SNMP to Manage Switch Clusters When you first power on the switch, SNMP is enabled if you enter the IP information
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 121
    Using SNMP to Manage Switch Clusters Figure 5-13 SNMP Management for a Cluster [Figure labels: SNMP Manager; Command switch; Trap 1, Trap 2, Trap 3; Member 1, Member 2, Member 3]
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 122
    Using SNMP to Manage Switch Clusters Chapter 5 Clustering Switches
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 123
    Release 12.1. This section contains this configuration information: • Understanding the System Clock, page 6-2 • Understanding Network Time Protocol, page 6-2 • Configuring NTP, page 6-4 • Configuring Time and Date Manually, page 6-11
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 124
    the Switch Understanding the System Clock The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the date and time. The system clock can then be set from these sources: • Network Time Protocol • Manual configuration The
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 125
    Cisco's implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network as well.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 126
    control is specified. The source address is determined by the outgoing interface. NTP is enabled on all interfaces by default. All interfaces receive NTP packets.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 127
    configure the switch to synchronize only to devices providing authentication key 42 in the device's NTP packets: Switch(config)# ntp authenticate Switch(config)# ntp authentication-key 42 md5 aNiceKey Switch(config)# ntp trusted-key 42
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 128
    address global configuration command. This example shows how to configure the switch to synchronize its system clock with the clock of the peer at IP address 172.16.22.44 using NTP version 2: Switch(config)# ntp server 172.16.22.44 version 2
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 129
    packets, use the no ntp broadcast interface configuration command. This example shows how to configure a port to send NTP version 2 packets: Switch(config)# interface gigabitethernet0/1 Switch(config-if)# ntp broadcast version 2
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 130
    can control NTP access on two levels as described in these sections: • Creating an Access Group and Assigning a Basic IP Access List, page 6-9 • Disabling NTP Services on a Specific Interface, page 6-10
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 131
    specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 132
    list 42: Switch# configure terminal Switch(config)# ntp access-group peer 99 Switch(config)# ntp access-group serve-only 42 Switch(config)# access-list 99 permit 172.20.130.5 Switch(config)# access-list 42 permit 172.20.130.6 Disabling NTP Services on a Specific Interface NTP services are enabled
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 133
    detailed information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. Configuring Time and Date Manually If no other source of time is available, you can manually configure the time and date after the system is restarted. The
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 134
    to manually configure the time zone: Step 1 Step 2 Command configure terminal clock timezone zone hours-offset [minutes-offset] Step 3 Step 4 Step 5 end show to UTC, use the no clock timezone global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 135
    shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00: Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 136
    -time global configuration command. This example shows how to set summer time to start on October 12, 2000, at 02:00, and end on April 26, 2001, at 02:00: Switch(config)# clock summer-time pdt date 12 October 2000 2:00 26 April 2001 2:00
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 137
    system name: Step 1 Step 2 Step 3 Step 4 Step 5 Command configure terminal hostname name end show running-config copy running-config startup-config Purpose Enter global configuration mode. Manually configure a system name. The default setting is switch. The name must follow the rules for ARPANET
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 138
    server that is present on your network, and enable the DNS. This section contains this configuration information: • Default DNS Configuration, page 6-17 • Setting Up DNS, page 6-17 • Displaying the DNS Configuration, page 6-18
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 139
    end show running-config copy running-config startup-config Purpose Enter global configuration switch. This feature is enabled by default. If your network devices require connectivity with devices in networks configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 140
    information: • Default Banner Configuration, page 6-18 • Configuring a Message-of-the-Day Login Banner, page 6-19 • Configuring a Login Banner, page 6-20 Default Banner Configuration The MOTD and login banners are not configured.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 141
    key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded. For message, enter a For access, contact technical support. User Access Verification Password:
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 142
    a login banner for the switch by using the dollar sign ($) symbol as the beginning and ending delimiter: Switch(config)# banner login $ Access for authorized users only. Please enter your username and password. $ Switch(config)#
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 143
    Configuring Unicast MAC Address Filtering, page 6-26 • Displaying Address Table Entries, page 6-28 Building the Address Table With multiple MAC addresses supported on all ports, you can connect any port on the switch to individual workstations, repeaters, switches, routers, or other network devices
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 144
    for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 1 in VLAN 5. Note Multiport static addresses are not supported. Each VLAN maintains its own logical Flooding results, which can impact switch performance.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 145
    for each hardware port for which the trap is enabled. MAC address notifications are generated for dynamic and secure MAC addresses; events are not generated for self addresses, multicast addresses, or other static addresses.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 146
    informs to send SNMP informs to the host. • Specify the SNMP version to support. Version 1, the default, is not available with informs. • For community-string, removed from this interface. end Return to privileged EXEC mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 147
    configuration file. To disable the switch from sending MAC address notification traps, use the no snmp-server enable traps mac-notification global configuration command. To disable the MAC address notification traps on a specific
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 148
    command, one of these messages appears: % Only unicast addresses can be configured to be dropped % CPU destined address cannot be configured as drop address • Packets that are forwarded to the CPU are also not supported.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 149
    switch adds the MAC address as a static address. You enable unicast MAC address filtering and configure the switch to drop packets with a specific is dropped: Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 150
    the network. Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks manually to the table do not age and must be manually removed. For CLI procedures, refer to the Cisco IOS Release 12.1 documentation on Cisco.com.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 151
    SDM Templates, page 7-4 Understanding the SDM Templates You can use SDM templates to configure system resources in the switch to optimize support for specific features, depending on how the switch is used in the network. You can select a template to provide maximum system usage for some functions
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 152
    not use the routing template if you do not have routing enabled on your switch. The sdm prefer routing global configuration command prevents other features from using the memory allocated to unicast routing in the routing template.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 153
    in the switch to support this level of configuration command. This example shows how to configure a switch with the routing template. Switch(config)# sdm prefer routing Switch(config)# end Switch# reload Proceed with reload? [confirm]
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 154
    is "desktop default" template. The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs. number of unicast qos aces: 512 number of security aces: 1K
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 155
    from within the local network. To prevent unauthorized access into your switch, you should configure one or more of these security features: • At a minimum, you should configure passwords and privileges at each switch port. These passwords are locally stored on the switch. When users attempt to
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 156
    level). The password is not encrypted in the configuration file. No password is defined. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file. No password is defined.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 157
    command. This example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access): Switch(config)# enable password l1u2c3k4y5
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 158
    when the password is defined or when the configuration is written. Encryption prevents the password from being readable in the configuration file. Return to privileged EXEC mode. (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 159
    password recovery: Step 1 Step 2 Command configure terminal no service password-recovery Step 3 end Step 4 show version Purpose Enter global configuration mode. Disable password recovery. This setting is saved in an area of the Flash memory that is accessible by the boot loader and the Cisco IOS
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 160
    recovery, use the service password-recovery global configuration command. Note Disabling password recovery will not work if you have set the switch to boot manually by using the boot manual global configuration command. This command produces the boot loader prompt (switch:) after the switch is power
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 161
    . To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 162
    to privileged EXEC mode. Verify your entries. The first command shows the password and access level configuration. The second command shows the privilege level configuration. (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 163
    use that password to enable the higher privilege level. You might specify a high level or privilege level for your console line to restrict line usage. To return to the default line privilege level, use the no privilege level line configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 164
    service. Your switch can be a network access server along with other Cisco routers and access servers. A network access server provides connections to a single user, to a network or subnetwork, and to interconnected networks as shown in Figure 8-1.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 165
    Access with TACACS+ Figure 8-1 Typical TACACS+ Network Configuration [Figure labels: UNIX workstation (TACACS+ server 1); Catalyst 6500 series switch; UNIX workstation (TACACS+ server 2); Workstations; addresses 171.20.10.7 and 171.20.10.8] Configure the switches with the TACACS+ server addresses. Set an authentication key
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 166
    or NETWORK session for that user and the services that the user can access: • Telnet, Secure Shell (SSH), rlogin, or privileged EXEC services • Connection parameters, including the host or client IP address, access list, and user timeouts
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 167
    can group servers to select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list and contains the list of IP addresses of the selected server hosts.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 168
    specific port before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all ports to
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 169
    applied to all ports. • For list password global configuration command. • none-Do not use any authentication for login. Enter line configuration mode, and configure the lines to which you want to apply the authentication list.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 170
    and network services: Step 1 Step 2 Command configure terminal aaa authorization network tacacs+ Step 3 aaa authorization exec tacacs+ Step 4 end Purpose Enter global configuration mode. Configure the switch for user TACACS+ authorization for all network-related service requests. Configure the
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 171
    steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services: Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Command configure terminal aaa accounting network start-stop tacacs+ aaa accounting exec start-stop tacacs+ end show running-config copy running-config startup
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 172
    RADIUS, page 8-20 • Displaying the RADIUS Configuration, page 8-31 Understanding RADIUS RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco routers and switches. Clients send authentication requests to a central
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 173
    additional data included with the ACCEPT or REJECT packets includes these items: • Telnet, SSH, rlogin, or privileged EXEC services • Connection parameters, including the host or client IP address, access list, and user timeouts
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 174
    Access and Network Services, page 8-27 (optional) • Starting RADIUS Accounting, page 8-28 (optional) • Configuring Settings for All RADIUS Servers, page 8-29 (optional) • Configuring the Switch to Use Vendor-Specific RADIUS Attributes, page 8-29 (optional) • Configuring the Switch for Vendor
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 175
    defined as RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service (for example, accounting), the second
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 176
    in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 177
    specific port before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all ports.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 178
    automatically applied to all ports. • For list- password global configuration command. - none-Do not use any authentication for login. Enter line configuration mode, and configure the lines to which you want to apply the authentication list.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 179
    IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. If you configure two different host entries the optional auth-port and acct-port keywords.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 180
    port number is different. The switch software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS EXEC mode. Verify your entries.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 181
    auth-port 1000 acct-port 1001
    Switch(config-sg-radius)# exit
    Switch(config)# aaa group server radius group2
    Switch(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001
    Switch(config-sg-radius)# exit
    Configuring RADIUS Authorization for User Privileged Access and Network Services AAA
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 182
    the end. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. To disable accounting, use the no aaa accounting {network | exec} {start-stop} method1... global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 183
    -value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes. The full set of features available for TACACS+ authorization can then be used for RADIUS.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 184
    in the configuration file. For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, refer to the "RADIUS Attributes" appendix in the Cisco IOS Security Configuration Guide for Release 12.1.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 185
    vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes. As mentioned earlier, to configure RADIUS (whether vendor-proprietary or
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 186
    /secur_r/srprt2/srdkerb.htm. Note In the Kerberos configuration examples and in the Cisco IOS Security Command Reference, Release 12.1, the trusted third party can be a Catalyst 3560 switch that supports Kerberos, that is configured as a network security server, and that can authenticate users by
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 187
    uppercase characters. A daemon that is running on a network host. Users and network services register their identity with the Kerberos server. Network services query the Kerberos server to authenticate to other network services.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 188
    services by using a Catalyst 3560 switch as a Kerberos server, remote users must follow these steps: 1. Authenticating to a Boundary Switch, page 8-35 2. Obtaining a TGT from a KDC, page 8-35 3. Authenticating to Network Services, page 8-35
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 189
    to Network Services" section in the "Security Server Protocols" chapter of the Cisco IOS Security Configuration Guide, Release 12.1, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt2/scdkerb.htm#xtocid154006.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 190
    the local user database authentication to all ports. Configure user AAA authorization, check the local database, and allow the user to run an EXEC shell. Configure user AAA authorization for all network-related service requests.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 191
    commands used in this section, refer to the command reference for this release and the command reference for Cisco IOS Release 12.2 at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 192
    application. • The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data encryption software. • The switch does not support the Advanced Encryption Standard (AES) symmetric encryption algorithm.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 193
    SSH server.
    Step 1: configure terminal. Purpose: Enter global configuration mode.
    Step 2: hostname hostname. Purpose: Configure a host name for your switch.
    Step 3: ip domain-name domain_name. Purpose: Configure a host domain for your switch.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 194
    minutes. • Specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5. Repeat this step when configuring both parameters. Return to privileged EXEC mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 195
    in the "Other Security Features" chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fothercr/srfssh.htm.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 196
    Configuring the Switch for Secure Shell Chapter 8 Configuring Switch-Based Authentication
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 197
    chapter describes how to configure IEEE 802.1X port-based authentication on the Catalyst 3560 switch. As LANs extend to hotels, airports, and corporate lobbies, creating insecure environments, 802.1X prevents unauthorized devices (clients) from gaining access to the network. Note For complete syntax
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 198
    include the Catalyst 3750, Catalyst 3560, Catalyst 3550, Catalyst 2970, Catalyst 2955, Catalyst 2950, Catalyst 2940 switches, or a wireless access point. These devices must be running software that supports the RADIUS client and 802.1X.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 199
    -start frame, which prompts the switch to request the client's identity. Note If 802.1X is not enabled or supported on the network access device, any EAPOL frames
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 200
    to access the network is uniquely identified by the switch by using the client port returns to the unauthorized state. Supported Topologies The 802.1X port-based authentication is supported in two topologies: • Point-to-point • Wireless LAN
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 201
    host, the port becomes error-disabled and immediately shuts down. The port security violation modes determine the action for security violations. For more information, see the "Security Violations" section on page 20-9.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 202
    configure the switch port. The RADIUS server database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of the client connected to the switch port. You can use this feature to limit network access for certain users.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 203
    type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the 802.1X-authenticated user. For examples of tunnel attributes, see the "Configuring the Switch to Use Vendor-Specific RADIUS Attributes" section on page 8-29.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 204
    applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 205
    port. The maximum size of the per-user ACL is 4000 ASCII characters. For examples of vendor-specific attributes, see the "Configuring the Switch to Use Vendor-Specific RADIUS Attributes" section on page 8-29. For more information about configuring ACLs, see Chapter 27, "Configuring Network
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 206
    • None specified. Disabled. Disabled (force-authorized). The port sends and receives normal traffic without 802.1X-based authentication switch waits for a reply before resending the response to the server. This setting is not configurable.)
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 207
    guest VLAN feature is not supported on trunk ports; it is supported only on access ports. • When 802.1X is enabled on a port, you cannot configure a port VLAN that is equal configure the switch for all network-related service requests.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 208
    dot1x default group radius
    Switch(config)# dot1x system-auth-control
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# switchport mode access
    Switch(config-if)# dot1x port-control auto
    Switch(config-if)# end
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 209
    Configuring the Switch-to-RADIUS-Server Communication RADIUS security servers are identified by their host name or IP address, host name and specific UDP port numbers, or IP address and specific UDP port numbers
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 210
    -authentication, see the "Configuring Periodic Re-Authentication" section on page 9-14. This example shows how to manually re-authenticate the client connected to a port:
    Switch# dot1x re-authenticate interface gigabitethernet0/1
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 211
    links or specific behavioral problems with certain clients and authentication servers. Beginning in privileged EXEC mode, follow these steps to change the amount of time that the switch waits for client notification. This procedure is optional. Step 1 Step 2 Step 3 Command configure terminal
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 212
    max-req interface configuration command. This example shows how to set 5 as the number of times that the switch sends an EAP-request/identity request before restarting the authentication process:
    Switch(config-if)# dot1x max-req 5
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 213
    interface configuration command. This example shows how to enable 802.1X and to allow multiple hosts:
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# dot1x port-control auto
    Switch(config-if)# dot1x host-mode multi-host
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 214
    mode, and specify the port to be configured. Reset the configurable 802.1X parameters to the default values. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 215
    and operational status for a specific port, use the show dot1x interface interface-id privileged EXEC command. For detailed information about the fields in these displays, refer to the command reference for this release.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 216
    Displaying 802.1X Statistics and Status Chapter 9 Configuring 802.1X Port-Based Authentication
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 217
    release and the online Cisco IOS Interface Command Reference for Release 12.1. Understanding Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interface types
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 218
    arriving on an access port is assumed to belong to the VLAN assigned to the port. If an access port receives a tagged packet (Inter-Switch Link [ISL] or 802.1Q tagged), the packet is dropped, and the source address is not learned.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 219
    Catalyst 6500 series switch; the Catalyst 3560 switch cannot be a VMPS server. You can also configure an access port with an attached Cisco the port. For more information about trunk ports, see Chapter 12, "Configuring VLANs." Routed Ports A routed port is a physical port that acts like a port on
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 220
    32, "Configuring IP Multicast Routing," and Chapter 34, "Configuring Fallback Bridging." Note The SMI supports static routing and RIP; for more advanced routing or for fallback bridging, you must have the EMI installed on the switch.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 221
    over either single ports or aggregated switch ports and do not recognize the physical ports within the port group. Exceptions are the DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol (PAgP), which operate only on physical ports. When you configure an EtherChannel, you
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 222
    ports-including switch ports and routed ports • VLANs-switch virtual interfaces • Port-channels-EtherChannel of interfaces You can also configure a range of interfaces (see the "Configuring a Range of Interfaces" section on page 10-8).
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 223
    use the Cisco IOS show privileged EXEC commands to display information about a specific interface or all the interfaces on the switch. The remainder of this chapter primarily provides physical interface configuration procedures. Procedures for Configuring Interfaces These general instructions apply
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 224
    the interface vlan command. The show running-config privileged EXEC command displays the configured VLAN interfaces. VLAN interfaces not displayed by the show running-config command cannot be used with the interface range command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 225
    configuration commands to apply the configuration to all interfaces in the defined macro. Return to privileged EXEC mode. Show the defined interface range macro configuration. (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 226
    how to delete the interface-range macro enet_list and to verify that it was deleted.
    Switch# configure terminal
    Switch(config)# no define interface-range enet_list
    Switch(config)# end
    Switch# show run | include define
    Switch#
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 227
    Ethernet ports. See Chapter 29, "Configuring EtherChannels." Port blocking (unknown multicast and unknown unicast traffic): Disabled (not blocked) (Layer 2 interfaces only). See the "Configuring Port Blocking" section on page 20-6.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 228
    2 interfaces only). See the "Default Port Security Configuration" section on page 20-10. L2 Disabled. Disabled. Note The switch might not support a pre-standard powered device-such as Cisco IP phones and access points that do not fully support IEEE 802.3af-if that powered device is connected to the
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 229
    . • If one interface supports autonegotiation and the other end does not, configure duplex and speed on both interfaces; do not use the auto setting on the supported side. • For 10/100/1000 Mbps ports, if both the speed and duplex mode are set to specific values, autonegotiation is disabled
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 230
    Note Catalyst 3560 ports are capable of receiving, but not sending, pause frames. You use the flowcontrol interface configuration command to set the interface's ability to receive pause frames to on, off, or desired. The default state is off.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 231
    /100 Mbps interfaces and on 10/100/1000 BASE-T/TX SFP interfaces. It is not supported on 1000 BASE-SX or -LX SFP interfaces. Table 10-2 shows the link states that result from Auto-MDIX settings and correct and incorrect cabling.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 232
    -MDIX on a port:
    Switch# configure terminal
    Switch(config)# interface fastethernet0/1
    Switch(config-if)# speed auto
    Switch(config-if)# duplex auto
    Switch(config-if)# mdix auto
    Switch(config-if)# end
    Configuring Power over Ethernet on an Interface The switch supports both the Cisco pre-standard PoE
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 233
    of the show power inline user EXEC command, refer to the command reference for this release. For more information about PoE-related commands, see the "Troubleshooting Power over Ethernet Switch Ports" section on page 35-12.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 234
    a port and the response from the show power inline command for the interface when a Cisco IEEE-compliant IP Phone is being supplied with power:
    Switch# configure terminal
    Switch(config)# interface fastethernet0/1
    Switch(config-if)# power inline auto
    Switch(config-if)# end
    Switch# show power inline
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 235
    configuration mode. interface {{fastethernet | gigabitethernet} interface-id} | {vlan vlan-id} | {port-channel port-channel-number}: Enter interface configuration mode, and enter the interface to be configured as a Layer 3 interface.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 236
    command. This example shows how to configure a port as a routed port and to assign it an IP address:
    Switch# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Switch(config)# interface gigabitethernet0/2
    Switch(config-if)# no switchport
    Switch(config-if)# ip address 192
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 237
    mtu 1800
    Switch(config)# exit
    Switch# reload
    This example shows the response when you try to set Gigabit Ethernet interfaces to an out-of-range number:
    Switch(config)# system mtu jumbo 2500
                                     ^
    % Invalid input detected at '^' marker.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 238
    -id phy show power inline [interface-id] Purpose Display the status and configuration of all interfaces or a specific interface. Display interface status or a list of interfaces in an error-disabled state. Display administrative and operational status of switching (nonrouting) ports. You can use
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 239
    configuration command to restart the interface. To verify that an interface is disabled, enter the show interfaces privileged EXEC command. A disabled interface is shown as administratively down in the show interface command display.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 240
    Monitoring and Maintaining the Interfaces Chapter 10 Configuring Interface Characteristics
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 241
    the macro are configured on the interface. When the macro is applied to an interface, the existing interface configurations are not lost. The new commands are added to the interface and are saved in the running configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 242
    on your switch: • Do not use exit or end commands when creating a macro. This could cause commands that follow exit or end to execute in a different command mode. • When creating a macro, all CLI commands should be interface configuration mode commands. • Some CLI commands are specific to certain
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 243
    -id interface configuration command. Alternatively, you can create an anti-macro for an existing macro that contains the no form of all the corresponding commands in the original macro. Then apply the anti-macro to the interface.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 244
    macro description [interface interface-id] Purpose Displays all configured macros. Displays a specific macro. Displays the configured macro names. Displays the macro description for all interfaces or for a specified interface.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 245
    , "Configuring STP." Note Before you create VLANs, you must decide whether to use VLAN Trunking Protocol (VTP) to maintain global VLAN configuration for your network. For more information on VTP, see Chapter 13, "Configuring VTP."
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 246
    resources to support the maximum number of unicast MAC addresses. For more information on the SDM templates, see Chapter 7, "Configuring SDM Templates," or refer to the sdm prefer command in the command reference for this release.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 247
    but not required. VTP maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP exchanges VLAN configuration messages with other switches over trunk links.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 248
    define the port membership mode and to add and remove ports from VLANs. The results of these commands are written to the running-configuration file, and you can display the file by entering the show running-config privileged EXEC command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 249
    Ethernet VLAN Configuration, page 12-8 • Creating or Modifying an Ethernet VLAN, page 12-8 • Deleting a VLAN, page 12-10 • Assigning Static-Access Ports to a VLAN, page 12-11 Token Ring VLANs Although the switch does not support Token Ring connections, a remote device such as a Catalyst 5000 series
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 250
    mode by entering the vlan vlan-id global configuration command. • VLAN Configuration in VLAN Database Configuration Mode, page 12-7 You access VLAN database configuration mode by entering the vlan database privileged EXEC command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 251
    use the VLAN database information Caution If the VLAN database configuration is used at startup and the startup configuration file contains extended-range VLAN configuration, this information is lost when the system boots up.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 252
    Ethernet interfaces exclusively. Because FDDI and Token Ring VLANs are not locally supported, you only configure FDDI and Token Ring media-specific characteristics for VTP global advertisements to other switches. Table 12-2 Ethernet VLAN Defaults and Ranges Parameter VLAN ID VLAN name 802.10
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 253
    test20 Switch(config-vlan)# end You can also create or modify Ethernet VLANs by using the VLAN database configuration mode. Note VLAN database configuration mode does not support RSPAN VLAN configuration or extended-range VLANs.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 254
    VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005. Caution When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 255
    entries in the Administrative Mode and the Access Mode VLAN fields of the display. copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 256
    See Table 12-2 on page 12-8 for the default configuration for Ethernet VLANs. You can change only the MTU size and remote SPAN configuration state on extended-range VLANs; all other characteristics must remain at the default state.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 257
    -Range VLAN with an Internal VLAN ID" section on page 12-15. • Although the switch supports a total of 1005 (normal-range and extended-range) VLANs, the number of routed ports, SVIs, and other configured features affects the use of the switch hardware. If you try to create an extended-range VLAN
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 258
    vlan vlan-id global configuration command. The procedure for assigning static-access ports to an extended-range VLAN is the same as for normal-range VLANs. See the "Assigning Static-Access Ports to a VLAN" section on page 12-11.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 259
    mode configuration and the extended-range VLAN configuration in the switch startup configuration file. Otherwise, if the switch resets, it will default to VTP server mode, and the extended-range VLAN IDs will not be saved.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 260
    interfaces: • Inter-Switch Link (ISL): ISL is Cisco-proprietary trunking encapsulation. • 802.1Q: 802.1Q is industry-standard trunking encapsulation. Figure 12-2 shows a network of switches that are connected by ISL trunks.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 261
    supports autonegotiation of both ISL and 802.1Q trunks. Table 12-4 Layer 2 Interface Modes Mode switchport mode access switchport mode dynamic auto Function Puts the interface (access port Ethernet interfaces is dynamic auto.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 262
    -tree information for each VLAN is maintained by Cisco switches separated by a cloud of non-Cisco 802.1Q switches. The non-Cisco 802.1Q cloud separating the Cisco switches is treated as a single trunk link between the switches.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 263
    configuration command. By default, trunks negotiate encapsulation. If the neighboring interface supports ISL and 802.1Q encapsulation and both interfaces are set to negotiate the encapsulation type, the trunk uses ISL encapsulation.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 264
    to a trunk link even if the neighboring interface is not a trunk interface. (Optional) Specify the default VLAN, which is used if the interface stops trunking.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 265
    for a trunk port, the trunk port automatically becomes a member of the enabled VLAN. When VTP detects a new VLAN and the VLAN is not in the allowed list for a trunk port, the trunk port does not become a member of the new VLAN.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 266
    by default. end Return to port: Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Enter interface configuration mode, and select the trunk port for which VLANs should be pruned.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 267
    2 to 1001. end Return to privileged EXEC port. For vlan-id, the range is 1 to 4094. Return to privileged EXEC mode. Verify your entries in the Trunking Native Mode VLAN field. (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 268
    over any trunk port. Figure 12-3 Load Sharing by Using STP Port Priorities (between Switch A and Switch B): Trunk 1: VLANs 8 - 10 (priority 16), VLANs 3 - 6 (priority 128). Trunk 2: VLANs 3 - 6 (priority 16), VLANs 8 - 10 (priority 128).
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 269
    mode, and define the interface to set the STP port priority. Assign the port priority of 10 for VLANs 3 through 6. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 270
    Steps 2 and 6 are configured as trunk ports. When the trunk links come up, Switch A receives the VTP information from the other switches. Verify that Switch A has learned the VLAN configuration. Enter global configuration mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 271
    based on this mapping and whether or not the server is in open or secure mode. In secure mode, the server shuts down the port when an illegal host is detected. In open mode, the server simply denies the host access to the port.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 272
    they can connect to a network. A maximum of 20 MAC addresses are allowed per port on the switch. A dynamic-access port can belong to only one VLAN at a time, but the VLAN can change over time, depending on the MAC addresses seen.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 273
    be the same. • The VLAN configured on the VMPS server should not be a voice VLAN. Configuring the VMPS Client You configure dynamic VLANs by using the VMPS (server). The switch can be a VMPS client; it cannot be a VMPS server.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 274
    the switch port that is connected to the end station. Set the port to access mode. Configure the port as eligible for dynamic VLAN membership. The dynamic-access port must be connected to an end station. Return to privileged EXEC mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 275
    reconfirmation status in the Reconfirm Interval field of the display. (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no vmps reconfirm global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 276
    command: Switch# show vmps VQP Client Status VMPS VQP Version: 1 Reconfirm Interval: 60 min Server Retry Count: 3 VMPS domain server: 172.20.128.86 (primary, current) 172.20.128.87 Reconfirmation status VMPS Action: other
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 277
    configuration command. VMPS Configuration Example Figure 12-5 shows a network with a VMPS server switch and VMPS client switches with dynamic-access ports. In this example, these assumptions apply: • The VMPS server and the VMPS client are separate switches. • The Catalyst 6500 series Switch
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 278
    End station 2 Switch H Dynamic-access port Catalyst 6500 series Secondary VMPS Server 3 172.20.26.157 Client switch I 172.20.26.158 Trunk port 172.20.26.159 Switch J 101363t Ethernet segment (Trunk link) TFTP server Router 172.20.22.7
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 279
    that can cause several problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations. Before you create VLANs, you must decide whether to use VTP in your network. Using VTP, you can make configuration changes centrally on one or more switches and have those
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 280
    this mode are saved in the switch running configuration and can be saved to the switch startup configuration file. For domain name and password configuration guidelines, see the "VTP Configuration Guidelines" section on page 13-8.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 281
    at least one trunk port is configured on the switch and that this trunk port is connected to the trunk port of another switch. Otherwise, the switch cannot receive any VTP advertisements. For more information on trunk ports, see the "Configuring VLAN Trunks" section on page 12-16. VTP advertisements
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 282
    D are assigned to the Red VLAN. If a broadcast is sent from the host connected to Switch A, Switch A floods the broadcast and every switch in the network receives it, even though Switches C, E, and F have no ports in the Red VLAN.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 283
    Figure 13-1 Flooding Traffic without VTP Pruning (figure labels: Switch A, Switch B, Switch C, Switch D, Switch E, Switch F, Port 1, Port 2, Red VLAN). Figure 13-2 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch A is not
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 284
    -2 shows the default VTP configuration. Table 13-2 Default VTP Configuration (Feature: Default Setting): VTP domain name: Null. VTP mode: Server. VTP version: Version 1 (version 2 is disabled). VTP password: None. VTP pruning: Disabled.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 285
    name and the mode (transparent) are saved in the switch running configuration, and you can save this information in the switch startup configuration file by entering the copy running-config startup-config privileged EXEC command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 286
    the applicable password has been configured on it. Caution When you configure a VTP domain password, the management domain does not function properly if you do not assign a management domain password to each switch in the domain.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 287
    Token Ring networks in your environment, you must enable VTP version 2 for Token Ring VLAN switching to function properly. To run Token Ring and Token Ring-Net, disable VTP version 2. Configuration Requirements When you configure VTP, you must configure a trunk port so that the switch can send
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 288
    the display. When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain. To return the switch to a no-password state, use the no vtp password VLAN database configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 289
    the switch to VTP server mode. To return the switch to a no-password state, use the no vtp password privileged EXEC command. When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 290
    database privileged EXEC command to enter VLAN database configuration mode and by entering the vtp transparent command, similar to the second procedure under the "Configuring a VTP Server" section on page 13-9. Use the no vtp
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 291
    on switches in the same VTP domain. Every switch in the VTP domain must use the same VTP version. Do not enable VTP version 2 unless every switch in the VTP domain supports enable VTP pruning on a switch in VTP server mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 292
    than 0, follow these steps: a. Write down the domain name. b. Write down the configuration revision number. c. Continue with the next steps to reset the switch configuration revision number. Enter global configuration mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 293
    VTP activity. Table 13-3 VTP Monitoring Commands (Command: Purpose): show vtp status: Display the VTP switch configuration information. show vtp counters: Display counters about VTP messages that have been sent and received.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 294
    Monitoring VTP Chapter 13 Configuring VTP
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 295
    sent, the switch supports quality of service (QoS) based on IEEE 802.1P CoS. QoS uses classification and scheduling to send network traffic from the switch in a predictable manner. For more information on QoS, see Chapter 28, "Configuring QoS." The Cisco 7960 IP Phone is a configurable device, and
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 296
    Layer 2 CoS value is 0. Untrusted mode is the default. Note Untagged traffic from the device attached to the Cisco IP Phone passes through the IP phone unchanged, regardless of the trust state of the access port on the IP phone.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 297
    not supported on trunk ports. You can only configure a voice VLAN on Layer 2 ports. Note Voice VLAN is only supported on access ports and not on trunk ports, even though the configuration is allowed. • The Power over Ethernet (PoE) switches are capable of automatically providing power to Cisco pre
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 298
    phone requires additional MAC addresses. Configuring a Port Connected to a Cisco 7960 IP Phone Because a Cisco 7960 IP Phone also supports a connection to a PC or other device, a port connecting the switch to a Cisco IP Phone can carry mixed traffic. You can configure a port to determine how the IP
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 299
    Cisco IP Phone. The PC can generate packets with an assigned CoS value. You can configure the Cisco IP Phone to not change (trust) or to override (not trust) the priority of frames arriving on the IP phone port from connected devices.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 300
    if)# end To return the port to its default setting, use the no switchport priority extend interface configuration command. Displaying Voice VLAN To display voice VLAN configuration for an interface, use the show interfaces interface-id switchport privileged EXEC command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 301
    STP (Chapter 15). This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the Catalyst 3560 switch. The switch uses the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or it can use the
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 302
    and which is put in the blocking state. The spanning-tree port priority value represents the location of a port in the network topology and how well it is located to pass traffic. The path cost value represents the media speed.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 303
    port through which the designated switch is attached to the LAN is called the designated port. All paths that are not needed to reach the root switch from anywhere in the switched network are placed in the spanning-tree blocking mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 304
    in frame forwarding. • Forwarding: The interface forwards frames. • Disabled: The interface is not participating in spanning tree because of a shutdown port, no link on the port, or no spanning-tree instance running on the port.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 305
    switch learns end-station location information for the forwarding database. 4. When the forward-delay timer expires, spanning tree moves the interface to the forwarding state, where both learning and frame forwarding are enabled.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 306
    with other switches. This exchange establishes which switch in the network is the root or root switch. If there is only one switch in the network, no Forwards frames switched from another interface • Learns addresses • Receives BPDUs
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 307
    over the Gigabit Ethernet link. By changing the spanning-tree port priority on the Gigabit Ethernet port to a higher priority (lower numerical value) than the root port, the Gigabit Ethernet port becomes the new root port.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 308
    speed link is always disabled. If the speeds are the same, the port priority and port ID are added together, and spanning tree disables the link with the lowest global configuration command) when the spanning tree reconfigures.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 309
    ports to the forwarding state. You cannot run MSTP without RSTP. The most common initial deployment of MSTP is in the backbone and distribution layers of a Layer 2 switched network. For more information, see Chapter 16, "Configuring MSTP." For information about the number of supported spanning
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 310
    and no user configuration is required. The external spanning-tree behavior on access ports and Inter-Switch Link (ISL) trunk ports is not affected by PVST+. For more information on 802.1Q trunks, see Chapter 12, "Configuring VLANs."
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 311
    port priority (configurable on a per-interface basis) Default Setting Enabled on VLAN 1. For more information, see the "Supported Spanning-Tree Instances" section on page 15-9. PVST+. (Rapid PVST+ and MSTP are disabled.) 32768. 128.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 312
    lists on the trunk ports of switches that have used up their allocation of spanning-tree instances. Setting up allowed lists is not necessary in many cases and can make it more labor-intensive to add another VLAN to the network.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 313
    If any port on the switch is connected to a port on a legacy 802.1D switch, restart the protocol migration process on the entire switch. This step is optional if the designated switch detects that this switch is running rapid PVST+.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 314
    of the root switches for each VLAN. Because of the extended system ID support, the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 315
    as shown in Table 15-1 on page 15-4.) Note The spanning-tree vlan vlan-id root global configuration command fails if the value necessary to be the root switch is less than 1. Note If your network consists of switches that both do and do not support the extended system ID, it is unlikely that the
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 316
    When you configure a Catalyst 3560 switch as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails. This is assuming that the other network switches use
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 317
    interface interface-id privileged EXEC command displays information only if the port is in a link-up operative state. Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 318
    default value is derived from the media speed of the interface. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 319
    spanning-tree path costs, see the "Configuring Trunk Ports for Load Sharing" section on page 12-24. Configuring the Switch Priority of a VLAN You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. Note Exercise care when using this command
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 320
    is 2. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id hello-time global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 321
    is 20. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. To return to the default setting, use the no spanning-tree vlan vlan-id max-age global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 322
    Displaying the Spanning-Tree Status To display the spanning-tree status, use one -tree privileged EXEC command, refer to the command reference for this release.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 323
    chapter describes how to configure the Cisco implementation of the IEEE 802.1S Multiple STP (MSTP) on the Catalyst 3560 switch. The MSTP enables multiple VLANs to be mapped to the same spanning-tree instance, thereby reducing the number of spanning-tree instances needed to support a large number of
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 324
    bridge protocol data units (BPDUs). There is no limit to the number of MST regions in a network, but each region can support up to 16 spanning-tree instances. You can assign a VLAN to only one spanning-tree instance at a time.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 325
    by a switch to support multiple switches in the MST region must agree on the same IST master. Therefore, any two switches in the region synchronize their port roles for an MST instance only if they converge to a common IST master.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 326
    ) can be configured on both the CST instance and the MST instance. MSTP switches use version 3 RSTP BPDUs or 802.1D STP BPDUs to communicate with legacy 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 327
    only 802.1D BPDUs on that port. An MSTP switch also can detect that a port is at the boundary of a region when it receives a legacy BPDU, an MSTP BPDU (version 3) associated with a different region, or an RSTP BPDU (version 2).
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 328
    . • Disabled port: Has no role within the operation of the spanning tree. A port with the root or a designated port role is included in the active topology. A port with the alternate or backup port role is excluded from the active topology.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 329
    Switch A also immediately transitions its designated port to the forwarding state. No loops in the network are formed because Switch B blocked all of its nonedge ports and because there is a point-to-point link between Switches A and B.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 330
    to its root port. When the switches connected by a point-to-point link are in agreement about their port roles, the RSTP immediately transitions the port states to forwarding. The sequence of events is shown in Figure 16-3.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 331
    port role in the proposal message is always set to the designated port. The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal. The port role in the agreement message is always set to the root port.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 332
    a root port connected to an 802.1D switch and a configuration BPDU with the TCA bit set is received, the TC-while timer is reset. This behavior is only required to support 802.1D switches. The RSTP BPDUs never have the TCA bit set.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 333
    MSTP Configuration, page 16-12 • MSTP Configuration Guidelines, page 16-12 • Specifying the MST Region Configuration and Enabling MSTP, page 16-13 (required) • Configuring the Root Switch, page 16-14 (optional) • Configuring a Secondary Root Switch, page 16-16 (optional) • Configuring Port Priority
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 334
    the command-line interface (CLI) or through the SNMP support. • For load balancing across redundant paths in the network to work, all VLAN-to-instance mapping assignments must match; otherwise, all traffic flows on a single link.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 335
    contained within the MST cloud than a path through the PVST+ or rapid-PVST+ cloud. You might have to manually configure the switches in the clouds. • Partitioning the network into a large number of regions is not recommended. However, if this situation is unavoidable, we recommend that you partition
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 336
    of the root switches. Because of the extended system ID support, the switch sets its own priority for the specified instance to 24576 if this value will cause this switch to become the root for the specified spanning-tree instance.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 337
    to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst instance-id root global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 338
    Configuring a Secondary Root Switch When you configure a Catalyst 3560 switch with the extended system ID support as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 339
    use the show running-config interface privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance-id port-priority interface configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 340
    . Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration. To return the interface to its default setting, use the no spanning-tree mst instance-id cost interface configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 341
    4 Step 5 end show spanning-tree mst instance-id copy running-config startup-config Purpose Enter global configuration mode. Configure the switch priority. • For secondary global configuration commands to modify the hello time.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 342
    . Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst forward-time global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 343
    is 20. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. To return the switch to its default setting, use the no spanning-tree mst max-hops global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 344
    the clear spanning-tree detected-protocols privileged EXEC command. To restart the protocol migration process on a specific interface, use the clear spanning-tree detected-protocols interface interface-id privileged EXEC command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 345
    for Displaying MST Status Command Purpose show spanning-tree mst configuration Displays the MST region configuration. show spanning-tree mst instance-id Displays MST information for the command reference for this release.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 346
    Displaying the MST Configuration and Status Chapter 16 Configuring MSTP
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 347
    BPDU Filtering, page 17-3 • Understanding UplinkFast, page 17-4 • Understanding BackboneFast, page 17-5 • Understanding Root Guard, page 17-7 • Understanding Loop Guard, page 17-8
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 348
    portfast interface configuration or the spanning-tree portfast default global configuration command. Figure 17-1 Port Fast-Enabled Interfaces (figure labels: Port Fast-enabled ports, workstations, server).
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 349
    guard feature provides a secure response to invalid configurations because you must manually put the interface back in service. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree. If your switch is running PVST+, rapid PVST+, or
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 350
    time. Specifically, an uplink group consists of the root port (which is forwarding) and a set of blocked ports, except for self-looping ports. The uplink group provides an alternate path in case the currently forwarding link fails.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 351
    global configuration command, starts when a root port or blocked interface on a switch receives inferior BPDUs from its designated switch. An inferior BPDU identifies a switch that declares itself as both the root bridge and
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 352
    switch sends the RLQ request on all alternate paths and waits for an RLQ reply from other switches in the network. If the switch root switch, the switch makes all interfaces on which it received an inferior BPDU its designated ports and
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 353
    the customer network to be selected as the root port, root guard then places the interface in the root-inconsistent (blocked) state to prevent the customer's switch from becoming the root switch or being in the path to the root.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 354
    default global configuration command. When the switch is operating in PVST+ or rapid-PVST+ mode, loop guard prevents alternate and root ports from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 355
    disabled. Globally disabled. Disabled on all interfaces. Disabled on all interfaces. Optional Spanning-Tree Configuration Guidelines The UplinkFast and BackboneFast features are not supported with the rapid PVST+ or the MSTP.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 356
    -tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking ports. To disable the Port Fast feature, use the spanning-tree portfast disable interface configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 357
    feature in a service-provider network to prevent an access port from participating in the spanning tree. Caution Configure Port Fast only on interfaces that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation. You
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 358
    Fast-operational status, and BPDU filtering is disabled. Caution Configure Port Fast only on interfaces that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation. You can also use the spanning-tree bpdufilter enable
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 359
    -tree reconfiguration sooner. Note If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs. This feature is supported for use with third-party switches.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 360
    mode. show running-config Verify your entries. copy running-config startup-config (Optional) Save your entries in the configuration file. To disable root guard, use the no spanning-tree guard interface configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 361
    or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is configured on the entire switched network. Loop of the spanning-tree state section.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 362
    Displaying the Spanning-Tree Status Chapter 17 Configuring Optional Spanning-Tree Features You can clear spanning-tree counters by using the clear tree privileged EXEC command, refer to the command reference for this release.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 363
    this release, and refer to the "IP Addressing and Services" section in the Cisco IOS IP and IP Routing Command Reference for Release 12.1. This chapter consists of these sections: • Understanding DHCP Features, page 18-1 • Configuring DHCP Features, page 18-3 • Displaying DHCP Information, page 18
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 364
    the same IP network or subnet, a DHCP relay agent (the Catalyst switch) is configured with a helper switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP client that sent the DHCP request.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 365
    , refer to the "IP Addressing and Services" section in the "Configuring DHCP" chapter of the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1. Otherwise, refer to the documentation that shipped with the server.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 366
    on a port: Switch(config)# ip dhcp snooping Switch(config)# ip dhcp snooping vlan 10 Switch(config)# ip dhcp snooping information option Switch(config)# interface gigabitethernet0/1 Switch(config-if)# ip dhcp snooping limit rate 100
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 367
    assigned from the DHCP server IP address lease time Binding type; dynamic binding learned by DHCP snooping or statically configured binding VLAN number of the client interface Interface that connects to the DHCP client host
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 368
    42 Insertion of option 82 is enabled Interface Trusted Rate limit (pps) ------- gigabitethernet0/1 yes unlimited gigabitethernet0/2 no 5000 gigabitethernet0/3 yes unlimited gigabitethernet0/4 yes unlimited
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 369
    in this chapter, refer to the switch command reference for this release and the Cisco IOS Release Network Protocols Command Reference, Part 1, for Release 12.1. This chapter consists of these sections: • Understanding IGMP Snooping, page 19-2 • Configuring IGMP Snooping, page 19-6 • Displaying IGMP
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 370
    it receives an IGMP join request. The Catalyst 3560 switch supports IP multicast group-based bridging, rather than MAC-addressed based groups. With multicast MAC address-based groups, if an IP address being configured translates (aliases) to a previously configured MAC address or to any reserved
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 371
    forward messages to a device running the Source Specific Multicast (SSM) feature. For more information, refer to the "Configuring IP Multicast Layer 3 Switching" chapter in the Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, Cisco IOS Release 12.1(12c)EW at this URL: http://www
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 372
    shown in Table 19-2. Note that because the forwarding table directs IGMP messages to only the CPU, the message is not flooded to other ports on the switch. Any known multicast traffic is forwarded to the group and not to the CPU.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 373
    Ports 1, 2, 5 Leaving a Multicast Group The router sends periodic multicast general queries, and the switch forwards these queries through all ports interested in traffic for the specific multicast group. The switch then updates the forwarding
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 374
    on a switched network, even when Configuring a Multicast Router Port, page 19-9 • Configuring a Host Statically to Join a Group, page 19-10 • Enabling IGMP Immediate-Leave Processing, page 19-10 • Disabling IGMP Report Suppression, page 19-11
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 375
    1 Step 2 Command configure terminal ip igmp snooping vlan vlan-id Step 3 end Step 4 copy running-config startup-config Purpose Enter global configuration mode. Enable IGMP snooping ) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 376
    for reducing control traffic. • pim-dvmrp-Snoop on IGMP queries and PIM-DVMRP packets. This is the default. Return to privileged EXEC mode. Verify the configuration. (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 377
    a port channel. The port channel range is 1 to 12. end Return configuration file. To remove a multicast router port from the VLAN, use the no ip igmp snooping vlan vlan-id mrouter interface interface-id global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 378
    processing, the switch immediately removes a port when it detects an IGMP version 2 leave message on that port. You should use the Immediate-Leave feature only when there is a single receiver present on every port in the VLAN.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 379
    to enable IGMP Immediate-Leave processing on VLAN 130: Switch# configure terminal Switch(config)# ip igmp snooping vlan 130 immediate-leave Switch(config)# end Disabling IGMP Report Suppression Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 380
    version that an interface supports. (Optional) Enter vlan vlan-id to display information for a single VLAN. For more information about the keywords and options in these commands, refer to the command reference for this release.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 381
    bandwidth on MVR data port links, which occurs when the switch runs in compatible mode. Only Layer 2 ports take part in MVR. You must configure ports as MVR receiver ports. Only one MVR multicast VLAN per switch is supported.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 382
    [Figure: Switch A with receiver ports RP1 to RP7 serving the customer premises (hub, set-top boxes, TVs, PC), showing multicast data, IGMP join, and TV data. RP = Receiver Port, SP = Source Port.] Note: All source ports belong to the multicast VLAN.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 383
    on receiver ports to configuration information: • Default MVR Configuration, page 19-16 • MVR Configuration Guidelines and Limitations, page 19-16 • Configuring MVR Global Parameters, page 19-17 • Configuring MVR Interfaces, page 19-18
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 384
    MVR is cancelled, and you receive an error message. • MVR can coexist with IGMP snooping on a switch. • MVR data received on an MVR receiver port is not forwarded to MVR source ports. • MVR does not support IGMPv3 messages.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 385
    • compatible-Is compatible with Catalyst 3500 XL and Catalyst 2900 XL switches and does not support IGMP dynamic joins on source ports. The default is compatible mode. end Return to privileged EXEC mode. show mvr or show mvr members Verify the configuration. copy running-config startup-config
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 386
    In compatible mode, this command applies to only receiver ports. In dynamic mode, it applies to receiver ports and source ports. Receiver ports can also dynamically join multicast groups by using IGMP join and leave messages.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 387
    Switch(config-if)# mvr vlan 22 group 228.1.23.4 Switch(config-if)# mvr immediate Switch(config)# end Switch# show mvr interface Port Type Status Immediate Leave ---- ---- ------- Gi0/2 RECEIVER ACTIVE/DOWN ENABLED
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 388
    on some type of subscription or service plan. You might also want to limit the number of multicast groups to which a user on a switch port can belong. With the IGMP filtering feature, you can filter multicast joins on a per-port basis by configuring IP multicast profiles and associating them with
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 389
    When the maximum number of groups is in forwarding table, the default IGMP throttling action is to deny the IGMP report. For configuration guidelines, see the "Configuring the IGMP Throttling Action" section on page 19-24.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 390
    requests from a port. When you are in IGMP profile configuration mode, you configuration command. To delete an IP multicast address or range of IP multicast addresses, use the no range ip multicast address IGMP profile configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 391
    no ip igmp filter profile number interface configuration command. This example shows how to apply IGMP profile 4 to a port: Switch(config)# interface gigabitethernet0/2 Switch(config-if)# ip igmp filter 4 Switch(config-if)# end
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 392
    but cannot use it on ports that belong to an EtherChannel port group. • When the maximum group limitation is set to the default (no maximum), entering the ip igmp max-groups action {deny | replace} command has no effect.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 393
    max-groups action interface configuration command. This example shows how to configure a port to remove a randomly Switch(config)# interface gigabitethernet0/1 Switch(config-if)# ip igmp max-groups action replace Switch(config-if)# end
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 394
    the configuration of the specified interface or the configuration of all interfaces on the switch, including (if configured) the maximum number of IGMP groups to which an interface can belong and the IGMP profile applied to the interface.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 395
    -Based Traffic Control This chapter describes how to configure the port-based traffic control features on the Catalyst 3560 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release. This chapter consists
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 396
    network performance. Errors in the protocol-stack implementation or in the network configuration of the port. The switch supports separate Cisco Discovery Protocol (CDP) frames, are blocked. However, the switch port is blocked.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 397
    from the configured level by several percentage points. Note Storm control is supported only on physical interfaces; it is not supported on EtherChannel port channels 0.0 means that all broadcast traffic on that port is blocked.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 398
    50% 0.00% This example shows how to disable the multicast storm control on a port: Switch# configure terminal Switch(config)# interface gigabitethernet0/1 Switch(config-if)# no storm-control multicast level Switch(config-if)# end
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 399
    to be a protected port. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. To disable protected port, use the no switchport protected interface configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 400
    in the configuration file. To return the interface to the default condition where no traffic is blocked and normal forwarding occurs on the port, use the no switchport block {multicast | unicast} interface configuration commands.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 401
    Port Security, page 20-11 • Enabling and Configuring Port Security Aging, page 20-14 Understanding Port Security This section contains information about these topics: • Secure MAC Addresses, page 20-8 • Security Violations, page 20-9
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 402
    on an interface, the command is rejected. The switch supports these types of secure MAC addresses: • Static secure MAC addresses-These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 403
    addresses are dropped until you remove a sufficient number of secure MAC addresses. 2. The switch returns an error message if you manually configure an address that would cause a security violation. Shuts down port No No Yes
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 404
    is less than the previous value and the number of configured secure addresses on the interface exceeds the new value, the command is rejected. • The switch does not support port security aging of sticky secure MAC addresses.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 405
    or trunk; an interface in the default mode (dynamic auto) cannot be configured as a secure port. Enable port security on the interface. (Optional) Set the maximum number of secure MAC VLANs, the per-VLAN maximum value is used.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 406
    , and are added to the running configuration. Note If you do not enable sticky learning before this command is entered, an error message appears, and you cannot enter a sticky secure MAC address. Return to privileged EXEC mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 407
    on VLAN 3 on a port: Switch(config)# interface gigabitethernet0/2 Switch(config-if)# switchport mode trunk Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security mac-address 0000.0200.0004 vlan 3
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 408
    on a port, use the no switchport port-security aging time interface configuration command. To disable aging for only statically configured secure addresses, use the no switchport port-security aging static interface configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 409
    all switch interfaces or on a specified interface with aging information for each address. show port-security interface interface-id vlan Displays the number of secure MAC addresses configured per VLAN on the specified interface.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 410
    Displaying Port-Based Traffic Control Settings Chapter 20 Configuring Port-Based Traffic Control
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 411
    the network. The switch uses CDP to find cluster candidates and maintain information about cluster members and other devices up to three cluster-enabled devices away from the command switch by default. The switch supports CDP version 2.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 412
    configure terminal cdp timer seconds Step 3 cdp holdtime seconds Step 4 cdp advertise-v2 Step 5 end Purpose Enter global configuration Configure CDP to send version-2 advertisements. This is the default state. Return to privileged EXEC mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 413
    is enabled by default. Note Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange configure terminal no cdp run end Purpose Enter global configuration mode. Disable CDP. Return to privileged EXEC mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 414
    in the configuration file. This example shows how to enable CDP on a port when it has been disabled. Switch# configure terminal Switch(config)# interface gigabitethernet0/1 Switch(config-if)# cdp enable Switch(config-if)# end
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 415
    and port ID. You can limit the display to neighbors of a specific interface or Switch# show cdp Global CDP information: Sending CDP packets every 50 seconds Sending a holdtime value of 120 seconds Sending CDPv2 advertisements is enabled
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 416
    Monitoring and Maintaining CDP Chapter 21 Configuring CDP
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 417
    down misconnected ports. When you enable both autonegotiation and UDLD, the Layer 1 and Layer 2 detections work together to prevent physical and logical unidirectional connections and the malfunctioning of other protocols.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 418
    physical problem with ports affected by the configuration change. UDLD sends at least one message to inform the neighbors to flush the part of their caches affected by the status change. The message is intended to keep the caches synchronized.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 419
    Switch B on the same port. If UDLD is in aggressive mode, it detects the problem and disables the port. If UDLD is in normal mode, the logical link is considered undetermined, and UDLD does not disable the interface.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 420
    supported on ATM ports. • A UDLD-capable port also cannot detect a unidirectional link if it is connected to a UDLD-incapable port of another switch. • When configuring the mode (normal or aggressive), make sure that the same mode is configured on both sides of the link.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 421
    globally, use the no udld enable global configuration command to disable normal mode UDLD on all fiber-optic ports. Use the no udld aggressive global configuration command to disable aggressive mode UDLD on all fiber-optic ports.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 422
    command enables the timer to automatically recover from the UDLD error-disabled state, and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error-disabled state.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 423
    the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, refer to the command reference for this release.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 424
    Displaying UDLD Status Chapter 22 Configuring UDLD
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 425
    a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 426
    of Local SPAN Configuration on a Single Switch [Figure: Port 5 traffic mirrored on Port 10, which connects to a network analyzer.] Remote SPAN RSPAN supports source ports, source VLANs, and destination ports on different switches, enabling remote monitoring
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 427
    RSPAN VLAN. To configure an RSPAN destination session on another device, you associate the destination port with the RSPAN VLAN. The destination session collects all RSPAN VLAN traffic and sends it out the RSPAN destination port.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 428
    generate large amounts of network traffic. • You can configure SPAN sessions on disabled ports; however, a SPAN session does not become active unless you enable the destination port and at least one source port or VLAN for that session. • The switch does not support a combination of local SPAN
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 429
    cannot mix ports and VLANs in a single session. A source port has these characteristics: • It can be monitored in multiple SPAN sessions. • Each source port can be configured with a direction (ingress, egress, or both) to monitor.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 430
    from other port types is not affected by VLAN filtering; that is, all VLANs are allowed on other ports. • VLAN filtering affects only traffic forwarded to the destination SPAN port and does not affect the switching of normal traffic.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 431
    never learned or forwarded on a destination port. • If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2. • packets appear on the destination port as untagged.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 432
    multiple RSPAN destination sessions throughout the network, monitoring the same RSPAN VLAN and port list. If the port is the only port in the EtherChannel group, because there are no longer any ports in the group, there is no data to monitor.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 433
    port) VLAN filtering RSPAN VLANs Default Setting Disabled. Both received and sent traffic (both). Native form (untagged packets). Disabled On a trunk interface used as a source port, all VLANs are monitored. None configured.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 434
    a trunk port is being monitored, only traffic on the VLANs specified with this keyword is monitored. By default, all VLANs are monitored on a trunk port. • You cannot mix source VLANs and filter VLANs within a single SPAN session.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 435
    port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number). Valid port channel numbers are 1 to 12 multiple times to configure multiple source ports.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 436
    gigabitethernet0/1 Switch(config)# end This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional monitoring: Switch(config)# no monitor session 1 source interface gigabitethernet0/1 rx
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 437
    {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx] Purpose Enter global configuration mode. Remove any existing SPAN configuration for the session. Specify the SPAN session and the source port (monitored port).
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 438
    on the destination port and specify the Switch(config)# monitor session 2 source interface gigabitethernet0/1 rx Switch(config)# monitor session 2 destination interface gigabitethernet0/2 encapsulation replicate ingress dot1q vlan 6 Switch(config)# end
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 439
    -config copy running-config startup-config (Optional) Save the configuration in the configuration file. To monitor all VLANs on the trunk port, use the no monitor session session_number filter global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 440
    to selectively filter or monitor specific packets. Specify these ACLs on the RSPAN VLAN in the RSPAN source switches. • For RSPAN configuration, you can distribute the source ports and the destination ports across multiple switches in your network. • RSPAN does not support BPDU packet monitoring or
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 441
    across the network for VLAN IDs that are lower than 1005. Configuring a VLAN configuration command. This example shows how to create RSPAN VLAN 901. Switch(config)# vlan 901 Switch(config-vlan)# remote span Switch(config-vlan)# end
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 442
    to monitor. Return to privileged EXEC mode. Verify the configuration. (Optional) Save the configuration in the configuration file. To delete a SPAN session, use the no monitor session session_number global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 443
    port-channel 12 Switch(config)# monitor session 1 destination remote vlan 901 Switch(config)# end Creating an RSPAN Destination Session You configure the RSPAN destination session on a different switch; that is, not the switch .
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 444
    has already been configured.
    Step 1: configure terminal (Purpose: Enter global configuration mode.)
    Step 2: no monitor session {session_number | all | local | remote} (Purpose: Remove any existing SPAN configuration for the session.)
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 445
    on the interface with VLAN 6 as the default ingress VLAN.
    Switch(config)# monitor session 2 source remote vlan 901
    Switch(config)# monitor session 2 destination interface gigabitethernet0/2 ingress vlan 6
    Switch(config)# end
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 446
    monitor session 2
    Switch(config)# monitor session 2 source interface gigabitethernet0/2 rx
    Switch(config)# monitor session 2 filter vlan 1 - 5 , 9
    Switch(config)# monitor session 2 destination remote vlan 902
    Switch(config)# end
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 447
    SPAN and RSPAN Status To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 448
    Displaying SPAN and RSPAN Status Chapter 23 Configuring SPAN and RSPAN
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 449
    This chapter describes how to configure Remote Network Monitoring (RMON) on the Catalyst 3560 switch. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes. RMON provides you with
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 450
    24-1 Remote Monitoring Example (figure labels: Network management station with generic RMON console application; RMON alarms and events configured; SNMP configured; RMON history and statistic collection enabled; Workstations) The switch supports these RMON groups
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 451
    configured. Only RMON 1 is supported on the switch. Configuring RMON Alarms and Events You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network specify the owner of the alarm.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 452
    owns the row that is created in the event table by this command. This example also generates an SNMP trap when the event is triggered.
    Switch(config)# rmon event 1 log trap eventtrap description "High ifOutErrors" owner jjones
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 453
    your entries. Display the contents of the switch history table. (Optional) Save your entries in the configuration file. To disable history collection, use the no rmon collection history index interface configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 454
    the RMON event table. Displays the RMON history table. Displays the RMON statistics table. For information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 455
    This chapter describes how to configure system message logging on the Catalyst 3560 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This chapter consists of these
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 456
    and so forth). For a list of supported facilities, see Table 25-4 on page 25-12. severity Single-digit code from 0 to 7 that is the severity of the message. For a description of the severity levels, see Table 25-3 on page 25-9.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 457
    example shows a partial switch system message: 00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state configured. Local7 (see Table 25-4 on page 25-12). Informational (and numerically lower levels; see Table 25-3 on page 25-9).
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 458
    configuration command. Setting the Message Display Destination Device If message logging is enabled, you can send messages to specific switch. However, this value is the maximum available, and the buffer size should not be set to this amount.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 459
    use the clear logging privileged EXEC command. Use the logging event power-inline-status interface configuration command to enable and to disable logging of Power over Ethernet (PoE) events on specific PoE-capable ports. Logging on these ports is enabled by default. To disable logging to the console
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 460
    ) Save your entries in the configuration file. To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 461
    end show running-config copy running-config startup-config Purpose Enter global configuration mode. Enable sequence numbers. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 462
    to syslog servers, use the no logging trap global configuration command. Table 25-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 463
    sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table. You also syslog traps are not enabled.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 464
    syslog packets from the network. If this is the case with your system, use the UNIX man syslogd command to decide what options must be added to or removed from the syslog command line to enable logging of remote syslog messages.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 465
    file. To remove a syslog server, use the no logging host global configuration command, and specify the syslog server IP address. To disable logging to syslog servers, enter the no logging trap global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 466
    and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 467
    Simple Network Management Protocol (SNMP) on the Catalyst 3560 switch. Note For complete syntax and usage information for the commands used in this chapter, refer to the switch command reference for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 468
    supports these SNMP versions: • SNMPv1-The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157. • SNMPv2C replaces an IP address access control list and password. SNMPv2C includes a bulk retrieval mechanism
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 469
    with multiple managers, you can configure the software to support communications using SNMPv1, and SNMPv2C set-request sent by an NMS. set-request Stores a value in a specific variable. trap An unsolicited message sent by an SNMP agent to an
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 470
    when a port or switch number (@esN, where N is the switch number) to the first configured RW and RO community strings on the command switch and propagates them to the member switches. For more information, see Chapter 5, "Clustering Switches."
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 471
    uses the switch MIB variables to set device variables and to poll devices on the network for specific information. The results of a poll can be displayed as a graph and analyzed to troubleshoot internetworking problems, increase network performance, verify the configuration of devices, monitor
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 472
    SNMP Groups and Users, page 26-9 • Configuring SNMP Notifications, page 26-11 • Setting the Agent Contact and Location Information, page 26-14 • Limiting TFTP Servers Used Through SNMP, page 26-15 • SNMP Examples, page 26-15
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 473
    all users associated with that group. Refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1 for information about when you should configure notify views. • To configure a remote user, specify the IP address or port number for the remote SNMP agent of the device where
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 474
    the device. No specific IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables all versions of SNMP. Configuring Community Strings You numbered from 1 to 99 and 1300 to 1999.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 475
    remove a specific community string, use the no snmp-server community string global configuration command. switch. You can configure an SNMP server group that maps SNMP users to SNMP views, and you can add new users to the SNMP group.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 476
    , specify the ip-address of the device that contains the remote copy of SNMP and the optional UDP port on the remote device. The default is 162. snmp-server group groupname {v1 | v2c | v3 that is the name of the access list.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 477
    switch traps (notification types). You can enable any or all of these traps and configure a trap manager to receive them. Note Although visible in the command-line interface (CLI) online help, the fru-ctrl keyword is not supported.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 478
    -line help string, the fru-ctrl and flash insertion and removal keywords are not supported. You can use the snmp-server host global configuration command to a specific host to receive the notification types listed in Table 26-5.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 479
    the switch to send traps or informs to a host: Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Command configure terminal snmp-server engineID remote ip-address engineid-string snmp-server user username groupname remote host [udp-port port] {v1 | v2c | v3 [auth {md5 | sha} auth-password
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 480
    host informs global configuration command. To disable a specific trap type, use the no snmp-server enable traps notification-types global configuration command. Setting the (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 481
    public
    Switch(config)# snmp-server enable traps vtp
    Switch(config)# snmp-server host 192.180.1.27 version 2c public
    Switch(config)# snmp-server host 192.180.1.111 version 1 public
    Switch(config)# snmp-server host 192.180.1.33 public
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 482
    command is not supported. To enable the sending of SNMP inform notifications, use the snmp-server enable traps global configuration command combined with the snmp-server host host-addr informs global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 483
    with ACLs This chapter describes how to configure network security on the Catalyst 3560 switch by using access control lists (ACLs the "Configuring IP Services" section of the Cisco IOS IP and IP Routing Configuration Guide and the Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 484
    ACL and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by the router ACL. Other packets are not filtered.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 485
    direction. Figure 27-1 Using ACLs to Control Traffic to a Network (figure labels: Host A; Host B; Human Resources network; Research & Development network; legend: ACL denying traffic from Host B and permitting traffic from Host A; Packet)
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 486
    or denied, based on the action specified in the map. Figure 27-2 illustrates how a VLAN map is applied to deny a specific type of traffic from Host A in VLAN 10 from being forwarded. You can apply only one VLAN map to a VLAN.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 487
    specific type of traffic from Host A Handling Fragmented and Unfragmented Traffic IP packets can be fragmented as they cross the network though they do not contain the SMTP port information, because the first ACE only checks
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 488
    to the "Configuring IP Services" chapter in the Cisco IP and IP Routing Configuration Guide for IOS Release 12.1. For detailed information about the commands, refer to Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1. The switch does not support these Cisco IOS router ACL-related
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 489
    list IPX standard access list IPX extended access list IPX SAP access list Extended 48-bit MAC address access list IPX summary address access list Supported Yes Yes No No No No No No No No No No No
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 490
    to be sent to the console. end Return to privileged EXEC mode. show access-lists [number | name] Show the access list configuration. copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 491
    a match for before reaching the end. With standard access lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be the VLANs (see the "Configuring VLAN Maps" section on page 27-29).
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 492
    more details on the specific keywords relative to each protocol, refer to Cisco IP and IP Routing Command Reference for IOS Release 12.1. Note The switch does not support dynamic or reflexive access lists. It also does not support filtering based on the type of service (ToS) minimize-monetary-cost
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 493
    specific parameters for TCP, UDP, ICMP, and IGMP, see steps 2b through 2e. The source is the number of the network internet (6), network (7). • fragments-Enter to check non-initial fragments. • tos-Enter to match by type of service level,
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 494
    a decimal number (from 0 to 65535) or the name of a TCP port. To see TCP port names, use the ? or refer to "Configuring IP Services" section of Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1. Use only TCP port numbers or names when filtering TCP. The additional optional keywords
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 495
    "Configuring IP Services" section of Cisco IOS IP and IP Routing Command Reference for IOS Release 12.1. end of the access list contains an implicit deny statement for all packets if it did not find a match before reaching the end. 78-16156-01 Catalyst 3560 Switch Software Configuration Guide
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 496
    in the supported range of configuration. copy running-config startup-config (Optional) Save your entries in the configuration file. To remove a named standard ACL, use the no ip access-list standard name global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 497
    find a match before reaching the end. For standard ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be VLANs (see the "Configuring VLAN Maps" section on page 27-29).
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 498
    address/mask pair and a port number). • You can configuration. copy running-config startup-config (Optional) Save your entries in the configuration file. Repeat the steps if you have multiple items that you want in effect at different times.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 499
    (inactive)
    absolute start 00:00 22 November 2003 end 23:59 23 November 2003
    time-range entry: workhours (inactive)
    periodic weekdays 8:00 to 12:00
    periodic weekdays 13:00 to 17:00
    To time-range workhours (inactive)
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 500
    IP ACLs Chapter 27 Configuring Network Security with ACLs Including Comments in ACLs You can use the remark Interface" section on page 27-19. For applying ACLs to VLANs, see the "Configuring VLAN Maps" section on page 27-29.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 501
    ) unreachable messages when a packet is denied by an access group. These access-group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable message.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 502
    command. When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits all packets. Remember this behavior if you use undefined ACLs for network security.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 503
    about compiling ACLs, refer to the Security Configuration Guide and the "IP Services" chapter of the Cisco IOS IP and IP Routing Configuration Guide for IOS Release 12.1. Figure 27-3 shows a small networked office environment with routed Port 2 connected to Server A, containing benefits and other
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 504
    ip any 172.20.128.64 0.0.0.31
    Switch(config)# end
    Switch# show access-lists
    Extended IP access list 106
        permit ip any 172.20.128.64 0.0.0.31
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# ip access-group 106 in
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 505
    in from the Internet have a destination port of 25. Outbound packets have the port numbers reversed. Because the secure system of the network always accepts mail connections on port 25, the incoming and outgoing services are separately controlled. The ACL must be configured as an input ACL on the
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 506
    deny tcp any any eq www time-range no-http
    Switch(config-ext-nacl)# permit udp any any time-range udp-yes
    !
    Switch(config-ext-nacl)# exit
    Switch(config)# interface gigabitethernet0/1
    Switch(config-if)# ip access-group strict in
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 507
    problems
    00:09:34:%SEC-6-IPACCESSLOGS:list stan1 permitted 0.0.0.0 1 packet
    00:09:59:%SEC-6-IPACCESSLOGS:list stan1 denied 10.1.1.15 1 packet
    00:10:11:%SEC-6-IPACCESSLOGS:list stan1 permitted 0.0.0.0 1 packet
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 508
    , refer to the command reference for this release. Note Though visible in the command-line help strings, appletalk is not supported as a matching condition for the deny and permit MAC access-list configuration mode commands.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 509
    extended mac1
    Switch(config-ext-macl)# deny any any decnet-iv
    Switch(config-ext-macl)# permit any any
    Switch(config-ext-macl)# end
    Switch# show access-lists
    Extended MAC access list mac1
        deny any any decnet-iv
        permit any any
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 510
    packet, the switch discards it. When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets. Remember this behavior if you use undefined ACLs for network security.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 511
    into the switch is tested against the first entry in the VLAN map. If it matches, the action specified for that part of the VLAN map is taken. If there is no match, the packet is tested against the next entry in the map.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 512
    . Use the no vlan access-map name number global configuration command to delete a single sequence entry from within the map. Use the no action access-map configuration command to enforce the default action, which is to forward.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 513
    10
    Switch(config-access-map)# match ip address 101
    Switch(config-access-map)# action forward
    Switch(config-access-map)# exit
    Switch(config)# vlan access-map drop-ip-default 20
    Switch(config-access-map)# match ip address igmp-match
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 514
    tcp-match
    Switch(config-access-map)# action forward
    Switch(config-access-map)# exit
    Switch(config)# vlan access-map drop-all-default 20
    Switch(config-access-map)# match mac address good-hosts
    Switch(config-access-map)# action forward
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 515
    closet switches A and C. Traffic from Host X to Host Y is eventually being routed by Switch B, a Layer 3 switch with routing enabled. Traffic from Host X to Host Y can be access-controlled at the traffic entry point, Switch A.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 516
    -nacl)# exit
    Switch(config)# vlan access-map map2 20
    Switch(config-access-map)# match ip address match_all
    Switch(config-access-map)# action forward
    Then, apply VLAN access map map2 to VLAN 1.
    Switch(config)# vlan filter map2 vlan 1
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 517
    -map)# action drop
    Switch(config)# vlan access-map SERVER1_MAP 20
    Switch(config-access-map)# action forward
    Switch(config-access-map)# exit
    Apply the VLAN map to VLAN 10.
    Switch(config)# vlan filter SERVER1_MAP vlan-list 10
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 518
    Using VLAN Maps with Router ACLs To access control both bridged and ... permit... deny ip any any or deny... deny... deny... permit ip any any
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 519
    Configuring Network protocol ports). It end of Switched Packets (figure labels: VLAN 10 map; Input router ACL; Output router ACL; VLAN 20 map; Frame; Host A (VLAN 10); Host C (VLAN 10); VLAN 10; Routing function or fallback bridge; Packet; VLAN 20)
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 520
    ACLs and Bridged Packets Figure 27-7 shows how an ACL is applied input VLAN 2. Input router ACL 3. Output router ACL 4. VLAN map for output VLAN
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 521
    27 Configuring Network Security with routed has two different kinds of filters applied: one for destinations that are other ports in the input VLAN and another for each of the destinations that are in Packet VLAN 20
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 522
    ). Display the contents of all current IP access lists or a specific IP access list (numbered or named). Display detailed configuration and status of an interface. If IP is enabled on the a specified VLAN or VLAN access map.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 523
    is based on the Differentiated Services (Diff-Serv) architecture, an emerging standard from the Internet Engineering Task Force (IETF). This architecture specifies that each packet is classified upon entry into the network.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 524
    Switch Link (ISL) frame headers have a 1-byte User field that carries an IEEE 802.1P class of service (CoS) value in the three least-significant bits. On ports configured Services Code Point (DSCP) value. QoS supports switch.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 525
    robin (SRR) weights. One of the ingress queues is the priority queue, and SRR services it for its configured share before servicing the other queue. For more information, see the "SRR Shaping and Sharing" section on page 28-12.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 526
    the packet. Then service the queues according to the configured weights. Queueing and scheduling port basis. No support exists for classifying packets at the VLAN or the switch virtual interface level. During classification, the switch
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 527
    information on port trust states, see the "Configuring Classification Using Port Trust States" section on page 28-30. After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 528
    default port CoS and generate a DSCP from the CoS-to-DSCP map. Assign the DSCP or CoS as specified by ACL action to generate the QoS label. Assign the default DSCP (0). Generate the DSCP by using the CoS-to-DSCP map. Done Done
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 529
    is shared among many ports. When you enter the class-map command, the switch enters the class-map configuration mode. In this mode, you define the match criterion for the traffic by using the match class-map configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 530
    , you attach it to a port by using the service-policy interface configuration command. For more information, see the "Policing configuration command. In this way, the aggregate policer is shared by multiple classes of traffic within a policy map.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 531
    an ingress port by using the service-policy interface configuration command. For configuration information, configured for this policer. Mark Drop Drop packet. Modify DSCP according to the policed-DSCP map. Generate a new QoS label. Done
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 532
    network. The default DSCP-to-DSCP-mutation map and the default policed-DSCP map are null maps; they map an incoming DSCP value to the same DSCP value. The DSCP-to-DSCP-mutation map is the only map you apply to a specific port. All other maps apply to the entire switch. For configuration information
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 533
    switch fabric. Because multiple ingress ports can simultaneously send packets to an egress port and cause congestion, egress queues are located after the internal ring. Weighted threshold will be exceeded, so the switch drops it.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 534
    Allocating Bandwidth Between the Ingress Queues" section on page 28-55, the "Configuring SRR Shaped Weights on Egress Queues" section on page 28-60, and the "Configuring SRR Shared Weights on Egress Queues" section on page 28-62.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 535
    the queue according to the SRR weights. Drop packet. Send packet to the internal ring. Note SRR services the priority queue for its configured share before servicing the other queue. The switch supports two configurable ingress queues, which are serviced by SRR in shared mode only. Table
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 536
    "Weighted Tail servicing the queue more frequently, and by adjusting queue thresholds so that packets with lower priorities are dropped. For configuration information, see the "Configuring Ingress Queue Characteristics" section on page 28-52. 28-14 Catalyst 3560 Switch Software Configuration Guide
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 537
    on the label. Are thresholds Yes being exceeded? No Queue the packet. Service the queue according to the SRR weights. Drop packet. Rewrite DSCP and/or CoS value as appropriate. Send the packet out the port. Each port supports four egress queues, one of which (queue 1) can be the
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 538
    port from consuming all the buffers and depriving other queues, and to control whether to grant buffer space to a requesting queue. The switch that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 539
    services each queue-set in shared or shaped mode. You map a port to a queue-set by using the queue-set qset-id interface configuration command. You assign shared or shaped weights to the port queueing and scheduling decisions.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 540
    switch uses the resulting classification to choose the appropriate egress queue. You use auto-QoS commands to identify ports connected to Cisco IP Phones and to identify ports - STP BPDU Traffic - 7 - All Other Traffic - - -
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 541
    . When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet. The switch configures ingress and egress queues on the port according to the settings in Table 28-3 and Table 28-4.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 542
    QoS • When you enter the auto qos voip trust interface configuration command on a port connected to the interior of the network, the switch trusts the CoS value for nonrouted ports or the DSCP value for routed ports in ingress packets (the assumption is that traffic has already been classified
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 543
    or shared) on the egress queues mapped to the port. Switch(config)# mls qos queue-set output 1 buffers 20 20 20 40 Switch(config-if)# srr-queue bandwidth shape 10 0 0 0 Switch(config-if)# srr-queue bandwidth share 10 10 60 20
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 544
    is enabled on all ports. For auto-QoS to function properly, do not disable the CDP. • Policing is not enabled with auto-QoS. You can manually enable policing, as described in the "Configuring a QoS Policy" section on page 28-36.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 545
    qos voip {cisco-phone | trust} Step 4 end Step 5 show auto qos interface interface-id Purpose Enter global configuration mode. Specify the port that is connected to a Cisco IP Phone or the uplink port that is connected to another switch or router in the interior of the network, and enter interface
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 546
    Figure 28-10 shows a network in which the VoIP traffic is prioritized over all other traffic. Auto-QoS is enabled on the switches in the wiring closets at the edge of the QoS domain.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 547
    that might be affected by auto-QoS, see the "Displaying Auto-QoS Information" section on page 26-12. Save the auto qos voip interface configuration commands and the generated auto-QoS configuration in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 548
    points in the network. These sections describe how to configure QoS on your switch: • Default Standard QoS Configuration, page 28-27 • Standard QoS Configuration Guidelines, page 28-29 • Enabling QoS Globally, page 28-30 (required) • Configuring Classification Using Port Trust States, page
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 549
    policing. No policy maps are configured. The default port trust state on all ports is untrusted. The default ingress and is the priority queue. SRR services the priority queue for its configured share before servicing the other queue. Table 28
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 550
    SRR Shaped Weights 25 0 0 (absolute) 1 SRR Shared Weights 2 25 25 25 1. A shaped weight of zero 3-1 4-1 1-1 4-1 Default Mapping Table Configuration The default CoS-to-DSCP map is shown in Table 28-12 on page 28-47. The default IP
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 551
    Standard QoS Configuration Guidelines Before beginning the QoS configuration, you should be aware of this information: • You configure QoS only on physical ports; there is no support for it on the VLAN or switch virtual interface level. • It is
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 552
    , page 28-31 • Configuring the CoS Value for an Interface, page 28-33 • Configuring a Trusted Boundary to Ensure Port Security, page 28-34 • Configuring the DSCP Trust State on a Port Bordering Another QoS Domain, page 28-35
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 553
    switch within the QoS domain. Figure 28-11 shows a sample network topology. Figure 28-11: Port Trusted States within the QoS Domain.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 554
    change the default CoS value, see the "Configuring the CoS Value for an Interface" section on page 28-33. For information on how to configure the CoS-to-DSCP map, see the "Configuring the CoS-to-DSCP Map" section on page 28-47.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 555
    port. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. To return to the default setting, use the no mls qos cos {default-cos | override} interface configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 556
    Configuring a Trusted Boundary to Ensure Port Security In a typical network, you connect a Cisco IP Phone to a switch port, as shown in Figure 28-11 on page 28-31, and cascade devices that generate data packets from the back of the telephone. The Cisco IP Phone
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 557
    . The DSCP range is 0 to 63. Specify the port to be trusted, and enter interface configuration mode. Valid interfaces include physical ports. Configure the ingress port as a DSCP-trusted port. By default, the port is not trusted.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 558
    12 13 to 30 Switch(config)# interface gigabitethernet0/2 Switch(config-if)# mls qos trust dscp Switch(config-if)# mls qos dscp-mutation gi0/2-mutation Switch(config-if)# end Configuring a QoS Policy Configuring , page 28-45
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 559
    the network or Switch(config)# access-list 1 permit 192.5.255.0 0.0.0.255 Switch(config)# access-list 1 permit 128.88.0.0 0.0.255.255 Switch(config)# access-list 1 permit 36.0.0.0 0.0.0.255 ! (Note: all other access implicitly denied)
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 560
    • For source, enter the network or host from which the end. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration Switch(config)# access-list 102 permit pim any 224.0.0.2 dscp 32
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 561
    the end of the access list contains Switch(config-ext-macl)# permit 0001.0000.0001 0.0.0 0002.0000.0001 0.0.0 Switch(config-ext-macl)# permit 0001.0000.0002 0.0.0 0002.0000.0002 0.0.0 xns-idp ! (Note: all other access implicitly denied)
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 562
    neither the match-all nor match-any keyword is specified, the default is match-all. Note Because only one match command per class map is supported, the match-all and match-any keywords function the same.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 563
    one match criterion per class map is supported, and only one ACL per class map is supported. • For access-group acl-index- Switch(config)# class-map class3 Switch(config-cmap)# match ip precedence 5 6 7 Switch(config-cmap)# end Switch#
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 564
    -map class configuration mode. By default, no policy map class-maps are defined. If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 565
    value by using the received or default port CoS value and the CoS-to-DSCP on the number of policers supported, see the "Standard QoS Configuration Guidelines" section on page Configuring the Policed-DSCP Map" section on page 28-49.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 566
    policy map, and enter interface configuration mode. Valid interfaces include physical ports. Step 11 service-policy input policy-map-name Specify the policy-map name, and apply it to an ingress port. Only one policy map per ingress port is supported. Step 12 end Return to privileged EXEC mode
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 567
    the number of policers supported, see the "Standard QoS Configuration Guidelines" section on page configuration mode. For more information, see the "Classifying, Policing, and Marking Traffic by Using Policy Maps" section on page 28-42.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 568
    police aggregate transmit1 Switch(config-pmap-c)# exit Switch(config-pmap)# class ipclass2 Switch(config-pmap-c)# set ip dscp 56 Switch(config-pmap-c)# police aggregate transmit1 Switch(config-pmap-c)# exit Switch(config-pmap)# exit
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 569
    . The DSCP range is 0 to 63. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. To return to the default map, use the no mls qos cos-dscp global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 570
    IP-precedence-to-DSCP map: Switch(config)# mls qos map ip-prec-dscp 10 15 20 25 30 35 40 45 Switch(config)# end Switch# show mls qos maps ip-prec-dscp IpPrecedence-dscp map: ipprec: 0 1 2 3 4 5 6 7 dscp: 10 15 20 25 30 35 40 45
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 571
    54 55 56 57 to 0 Switch(config)# end Switch# show mls qos maps policed-dscp Policed-dscp map: d1 : d2 0 1 2 3 4 5 6 7 8 9 0 : 00 01 02 03 04 05 06 07 08 09 1 : 10 11 12 13 14 15 16 17 18 to a marked-down DSCP value of 0.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 572
    3 4 5 6 7 If these values are not appropriate for your network, you need to modify them. Beginning in privileged EXEC mode, follow 4 Step 5 Command configure terminal mls qos map dscp-cos dscp-list to cos end show mls qos maps dscp
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 573
    Step 2. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. To return to the default map, use the no mls qos dscp-mutation dscp-mutation-name global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 574
    DSCP value of 12 corresponds to a mutated value of 10. Configuring Ingress Queue Characteristics Depending on the complexity of your network and your QoS (optional) • Configuring the Ingress Priority Queue, page 28-56 (optional)
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 575
    -queue input cos-map or the no mls qos srr-queue input dscp-map global configuration command. To return to the default WTD threshold percentages, use the no mls qos srr-queue input threshold queue-id global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 576
    buffers global configuration command. This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the buffer space to ingress queue 2: Switch(config)# mls qos srr-queue input buffers 60 40
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 577
    value with a space. SRR services the priority queue for its configured weight as specified by the bandwidth Switch(config)# mls qos srr-queue input priority-queue 2 bandwidth 0 Switch(config)# mls qos srr-queue input bandwidth 25 75
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 578
    to reduce the delay and jitter under heavy network traffic on an oversubscribed ring (when there is more traffic than the backplane can carry, and the queues are full and dropping frames). SRR services the priority queue for its configured weight as specified by the bandwidth keyword in the
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 579
    Configuring Egress Queue Characteristics Depending on the complexity of your network queues per port), and how weights are not configured, SRR services configuration command. The queues use WTD to support
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 580
    specific port of the outbound traffic, and enter interface configuration mode. Map the port to a queue-set. For qset-id, enter the ID of the queue-set specified in Step 2. The range is 1 to 2. The default is 1. Return to privileged EXEC mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 581
    the no mls qos queue-set output qset-id threshold [queue-id] global configuration command. This example shows how to map a port to queue-set 2. It allocates 40 percent of the buffer space to egress ID. This procedure is optional.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 582
    id cos1...cos8 end show mls qos maps copy running-config startup-config Purpose Enter global configuration mode. Map 12. For information about shared weights, see the "Configuring SRR Shared Weights on Egress Queues" section on page 28-62.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 583
    2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent: Switch(config)# interface gigabitethernet0/1 Switch(config-if)# srr-queue bandwidth shape 8 0 0 0
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 584
    4 has four times the bandwidth of queue 1, twice the bandwidth of queue 2, and one-and-a-third times the bandwidth of queue 3. Switch(config)# interface gigabitethernet0/1 Switch(config-if)# srr-queue bandwidth share 1 2 3 4
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 585
    configuration mode. Enable QoS on a switch. Specify the egress port, and enter interface configuration mode. Enable the egress expedite queue, which is disabled by default. When you configure this command, the SRR weight solution.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 586
    port. This procedure is optional. Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Command configure terminal interface interface-id srr-queue bandwidth limit weight1 end ip-prec-dscp | policed-dscp] Display QoS mapping information.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 587
    Note Do not use the show policy-map interface privileged EXEC command to display classification information for incoming traffic. The interface keyword is not supported, and the statistics shown in the display should be ignored.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 588
    Displaying Standard QoS Information Chapter 28 Configuring QoS
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 589
    EtherChannels work: • EtherChannel Overview, page 29-2 • Port-Channel Interfaces, page 29-3 • Port Aggregation Protocol, page 29-4 • Link Aggregation Control Protocol, page 29-5 • Load Balancing and Forwarding Methods, page 29-6
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 590
    between your switch and another switch or host. Each EtherChannel can consist of up to eight compatibly configured Ethernet ports. All ports in each EtherChannel must be configured as either Layer 2 or Layer 3 ports. For Catalyst 3560 switches, the number of EtherChannels is limited to 12. For more
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 591
    the configuration. To change the parameters of all ports in an EtherChannel, apply configuration commands to the port-channel interface, for example, spanning-tree commands or commands to configure a Layer 2 EtherChannel as a trunk.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 592
    Port Aggregation Protocol The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 593
    , LACP groups the ports with the same speed, duplex mode, native VLAN, VLAN range, and trunking status and type. After grouping the links into an EtherChannel, LACP adds the group to the spanning tree as a single switch port.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 594
    source and destination addresses. The selected mode applies to all EtherChannels configured on the switch. You configure the load balancing and forwarding method by using the port-channel load-balance global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 595
    different ports in the channel. Different load-balancing methods have different advantages, and the choice of a particular load-balancing method should be based on the position of the switch in the network and load balancing.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 596
    changes applied to the port-channel interface apply to all the physical ports assigned to the port-channel interface, and configuration changes applied to the physical port affect only the port where you apply the configuration.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 597
    , some EtherChannel ports are automatically disabled to avoid network loops and other problems. Follow these guidelines to avoid configuration problems: • More than 12 EtherChannels cannot be configured on a Catalyst 3560 switch. • Configure a PAgP EtherChannel with up to eight Ethernet ports of the
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 598
    up to eight ports can be in standby mode. Assign all ports as static-access ports in the same VLAN, or configure them as trunks. If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 599
    -config Verify your entries. copy running-config startup-config (Optional) Save your entries in the configuration file. To remove a port from the EtherChannel group, use the no channel-group interface configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 600
    enter interface configuration mode. For port-channel-number, the range is 1 to 12. Put the interface into Layer 3 mode. Assign an IP address and subnet mask to the EtherChannel. Return to privileged EXEC mode. Verify your entries.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 601
    can configure up to 16 Ethernet ports of the same type. Up to eight ports can be active, and up to eight ports can be in standby mode. Ensure that there is no IP address assigned to the physical port. Put the port into Layer 3 mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 602
    on page 29-4 and the "LACP Modes" section on page 29-6. end Return to privileged EXEC mode. show running-config Verify your entries. copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 603
    EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 604
    that only support address learning by physical ports, such as the Catalyst 1900 switch. When the link partner to the Catalyst 3560 switch is a physical learner (such as a Catalyst 1900 series switch), we recommend that you configure the Catalyst 3560 switch as a physical-port learner by using
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 605
    . The learning method must be configured the same at both ends of the link. Assign a priority so that the selected port is chosen for packet transmission. priority and the switch MAC address) • LACP port priority • Port number
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 606
    Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. To return the LACP system priority to the default value, use the no lacp system-priority global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 607
    . Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. To return the LACP port priority to the default value, use the no lacp port-priority interface configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 608
    Command show etherchannel [channel-group-number {detail | port | port-channel | protocol | summary}] {detail | load-balance | port | port-channel | protocol | summary} show pagp [channel to the command reference for this release.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 609
    routing protocols, you must have the enhanced multilayer image installed on the switch. Note For more detailed IP unicast configuration information, refer to the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1. For complete syntax and usage information for the commands used in this
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 610
    from predetermined ports through a single path into and out of a network. Static network, such as link failures, and therefore, might result in unreachable destinations. As networks grow, static routing becomes a labor-intensive liability.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 611
    to the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1. In the following procedures, the specified interface must be one of these Layer 3 interfaces: • A routed port: a physical port configured as a Layer 3 port by using the no switchport interface configuration command. • A switch
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 612
    of several main procedures: • To support VLAN interfaces, create and configure VLANs on the switch, and assign VLAN membership to Layer 2 interfaces. For more information, see Chapter 12, "Configuring VLANs." • Configure Layer 3 interfaces. • Enable IP routing on the switch. • Assign IP addresses to
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 613
    specify the Layer 3 interface to configure. Remove the interface from Layer 2 configuration mode (if it is a physical interface). Configure the IP address and IP subnet mask. Enable the interface. Return to privileged EXEC mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 614
    the packet, the router forwards it to the best supernet route. If you disable classless routing and a router receives packets destined for a subnet of a network with no network default route, the router discards the packet.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 615
    to 120.20.4.1, because there is no network default route, the router discards the packet configure terminal no ip classless end Purpose Enter global configuration mode. Disable classless routing behavior. Return to privileged EXEC mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 616
    Cisco IOS Configuration Fundamentals Configuration Guide for Release 12.1. You can perform these tasks to configure address resolution: • Define a Static ARP Cache, page 30-9 • Set ARP Encapsulation, page 30-10 • Enable Proxy ARP, page 30-10
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 617
    a specific interface. View the contents of the ARP cache. (Optional) Save your entries in the configuration file. configuration command. To remove all nonstatic entries from the ARP cache, use the clear arp-cache privileged EXEC command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 618
    EXEC mode. Verify the configuration on the interface or all interfaces. (Optional) Save your entries in the configuration file. To disable proxy ARP on the interface, use the no ip proxy-arp interface configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 619
    EXEC mode. Display the address of the default gateway router to verify the setting. (Optional) Save your entries in the configuration file. Use the no ip default-gateway global configuration command to disable this function.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 620
    be sent out as multicasts. Many implementations cannot receive these multicasts; ensure end-host ability before using this command. (Optional) Set the IRDP period for values. (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 621
    , or you can configure the way the switch responds to network broadcasts. A broadcast is a data packet destined for all hosts on a physical network. The switch supports two kinds of broadcasting: • A directed broadcast packet is sent to a specific network or series of networks. A directed broadcast
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 622
    The description for the ip forward-protocol interface configuration command in the Cisco IOS IP and IP Routing Command Reference for Release 12.1 lists the ports that are forwarded by default if you do not specify any UDP ports.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 623
    packets to specific addresses. Use the no ip forward-protocol global configuration command to remove a protocol or port. Establishing an IP Broadcast Address The most popular IP broadcast address (and the default) is an address consisting of all ones (255.255.255.255). However, the switch can be
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 624
    the network. configure terminal ip forward-protocol spanning-tree end show running-config copy running-config startup-config Purpose Enter global configuration supported over Ethernet interfaces configured for ARP encapsulation.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 625
    masks used for network addresses and the number of subnets using each mask. Display the address of a default gateway. Display the current state of the routing table. Display the current state of the routing table in summary form.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 626
    , such as specifying the networks to route with the network (RIP) router configuration command. For information on specific protocols, refer to sections later in this chapter and to the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1. Note The SMI supports only RIP as a routing
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 627
    version router configuration command. IP RIP send version According to the version router configuration command. IP RIP triggered According to the version router configuration command. IP split horizon Varies with media.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 628
    step allows routing updates from RIP (normally a broadcast protocol) to reach nonbroadcast networks. (Optional) Apply an offset list to routing metrics to increase incoming and outgoing are postponed. The default is 240 seconds.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 629
    to configure RIP authentication on an interface: Step 1 Step 2 Command configure terminal interface interface-id Purpose Enter global configuration mode. Enter interface configuration mode, and specify the interface to configure.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 630
    Disable split horizon on the interface. end Return to privileged EXEC mode. show ip interface interface-id Verify your entries. copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 631
    a better route for a packet and the destination is not a connected network. If the AS has more than one connection to an external network, different routers can choose different exterior routers as the gateway of last resort.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 632
    Feature IP split horizon Metric holddown Metric maximum-hops Neighbor Network Offset-list Set metric Default Setting Varies with media. Disabled. 100 hops. None defined. None specified. Disabled. None set in route map.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 633
    balancing occurrences, but ensure that the dynamics of the network remain stable. These general rules apply to IGRP unequal-cost configuration command to control distribution of traffic among multiple routes of unequal cost.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 634
    Cisco IOS IP and IP Routing Configuration Guide for Release 12.1. Configuring Basic IGRP Parameters Beginning in privileged EXEC mode, follow these steps to configure IGRP. Configuring reach nonbroadcast network. metric weights tos k1
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 635
    12 traffic-share {balanced | min} Step 13 Step 14 Step 15 end show ip protocols copy running-config startup-config Purpose (Optional) Disable the IGRP hold-down period. The route to a network , especially when links are broken.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 636
    Cisco IOS IP and IP Routing Command Reference for Release 12.1. Note OSPF classifies different media into broadcast, nonbroadcast, and point-to-point networks. The Catalyst 3560 switch supports broadcast (Ethernet, Token Ring, and FDDI) and point-to-point networks (Ethernet interfaces configured
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 637
    interval: 10 seconds. Dead interval: 4 times the hello interval. No authentication. No password specified. MD5 authentication disabled. Authentication type: 0 (no authentication). Default cost: 1. route type default is Type 2.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 638
    mode. Enable OSPF routing, and enter router configuration mode. The process ID is an internally used identification parameter that is locally assigned and can be any positive integer. Each OSPF routing process has a unique value.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 639
    is 1. (Optional) Set the number of seconds between hello packets sent on an OSPF interface. The value must be the same for all nodes on a network. The range is 1 to 65535 seconds. The default is 10 seconds.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 640
    EXEC mode, follow these steps to configure area parameters: Step 1 Step 2 Command configure terminal router ospf process-id Purpose Enter global configuration mode. Enable OSPF routing, and enter router configuration mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 641
    . Configuration information includes the identity of the other virtual endpoint (the other ABR) and the nonbackbone link that the two routers have in common (the transit area). Virtual links cannot be configured through a stub area.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 642
    • Default route: When you specifically configure redistribution of routes into an represent only one network segment, to prevent OSPF from sending hello packets for the sending interface, you must configure the sending device .
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 643
    changes. Step 12 end Return to privileged EXEC mode. Step 13 show ip ospf [process-id [area-id]] database Display lists of information related to the OSPF database for a specific router. address among all loopback interfaces.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 644
    configuration file. Use the no interface loopback 0 global configuration command to disable the loopback interface. Monitoring OSPF You can display specific Cisco IOS IP and IP Routing Command Reference for Release 12 database [network]
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 645
    forwarding that has a least-cost path to a destination that is guaranteed not to be part of a routing loop. When there are no
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 646
    avoid unnecessary recomputation. • The protocol-dependent modules are responsible for network layer protocol-specific tasks. An example is the IP EIGRP module, which is responsible the route in bytes. 0 or any positive integer.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 647
    autonomous-system Purpose Enter global configuration mode. Enable an EIGRP routing process, and enter router configuration mode. The AS number identifies the routes to other EIGRP routers and is used to tag routing information.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 648
    the percentage of bandwidth that can be used by EIGRP on an interface. The default is 50 percent. (Optional) Configure a summary aggregate address for a specified interface (not usually necessary if auto-summary is enabled).
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 649
    mode. Identify a key chain and enter key-chain configuration mode. Match the name configured in Step 4. In key-chain configuration mode, identify the key number. In key-chain key configuration mode, identify the key string.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 650
    1, 1993. The default end-time and duration is infinite. Step 10 send-lifetime start-time {infinite | end-time | duration (Optional) display, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. Table 30-9 IP
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 651
    Routing Configuration Guide. Note For details about BGP commands and keywords, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. For a list of BGP commands that are visible but not supported by the switch, see Appendix C, "Unsupported Commands in Cisco IOS Release 12.1(19
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 652
    of BGP configuration, refer to the "Configuring BGP" chapter in the Cisco IOS IP and IP Routing Configuration Guide. For details about specific commands, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 653
    are visible but not supported by the switch, see Appendix C, "Unsupported Commands in Cisco IOS Release 12.1(19)EA1." Default BGP Configuration Table 30-10 shows the basic default BGP configuration. For the defaults for all characteristics, refer to the specific commands in the Cisco IOS IP and IP
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 654
    hop for BGP neighbor): Disabled. • Password: Disabled. • Peer group: None Weight: Routes learned through BGP peer: 0; routes sourced by the local router: 32768. None configured. Enabled. Disabled. Keepalive: 60 seconds; holdtime: 180 seconds.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 655
    switch supports the use of private AS numbers, usually assigned by service providers and given to systems whose routes are not advertised to external neighbors. The private AS numbers are from 64512 to 65535. You can configure the network had
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 656
    between advertisement runs is 30 seconds Received 2828 messages, 0 notifications, 0 in queue Sent 2826 messages, 0 notifications, 0 in queue Connections established 11; dropped 10
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 657
    Configuration Guide. For details about specific commands, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. See Appendix C, "Unsupported Commands in Cisco IOS Release 12.1(19)EA1," for a list of BGP commands that are visible but not supported by the switch. Managing
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 658
    that path in the IP routing table. If BGP multipath support is enabled and the EBGP paths are learned from the same weight are preferred. You can use access lists, route maps, or the neighbor weight router configuration command to set weights.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 659
    neighbor by entering a specific IP address to be used instead of the next-hop address. neighbor {ip-address | peer-group-name} weight weight (Optional) Assign a weight to a neighbor connection lowest value is the most desirable.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 660
    disable next-hop processing: Step 1 Step 2 Command configure terminal route-map map-tag [[permit | deny] | sequence-number]] Purpose Enter global configuration mode. Create a route map, and enter route-map configuration mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 661
    prefix-list router configuration command to filter updates, but you cannot use both commands to configure the same BGP peer. (Optional) Apply a route map to filter an incoming or outgoing route. Return to privileged EXEC mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 662
    the Cisco IOS Dial Services weight weight} end show ip bgp neighbors [paths regular-expression] copy running-config startup-config Purpose Enter global configuration mode. Define a BGP-related access list. Enter BGP router configuration
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 663
    number to the entry. end Return to privileged EXEC mode. show ip prefix list [detail | summary] name Verify the configuration by displaying information about a prefix list [network/len] [seq seq-num local autonomous system.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 664
    bytes long. The Cisco default community format end Return to privileged EXEC mode. Step 9 show ip bgp community Verify the configuration. Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 665
    12 neighbor {ip-address | peer-group-name} local-as number neighbor {ip-address | peer-group-name} advertisement-interval seconds Purpose Enter global configuration mode. Enter BGP router configuration BGP routing updates.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 666
    list-number {in | out | weight weight} (Optional) Establish a BGP filter configuration command. To enable a previously existing neighbor or neighbor peer group that had been disabled, use the no neighbor shutdown router configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 667
    have EBGP sessions, they exchange routing information as if they were IBGP peers. Specifically, the next hop, MED, and local preference information is preserved. You can then use a single IGP for all of the autonomous systems.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 668
    end Return to privileged EXEC mode. show ip bgp neighbor Verify the configuration. show ip bgp network copy running-config startup-config (Optional) Save your entries in the configuration file. Configuring nonclient peers.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 669
    configuration mode. bgp dampening Enable BGP route dampening. bgp dampening half-life reuse suppress max-suppress [route-map map] (Optional) Change the default values of route dampening factors. end they are suppressed.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 670
    network. Table 30-9 lists the privileged EXEC commands for clearing and displaying BGP. For explanations of the display fields, refer to the Cisco IOS IP and IP Routing Command Reference for Release 12.1. Table 30-12 table.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 671
    -71 • Filtering Routing Information, page 30-74 • Managing Authentication Keys, page 30-76 Configuring Cisco Express Forwarding Cisco Express Forwarding (CEF) is a Layer 3 IP switching technology used to optimize network performance. CEF implements an advanced IP look-up and forwarding algorithm to
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 672
    has two or more equal-cost paths to a network, it can use them concurrently. Parallel paths provide configures equal-cost routes, you can control the maximum number of parallel paths supported by an IP routing protocol in its routing table.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 673
    paths maximum Step 4 Step 5 Step 6 end show ip protocols copy running-config startup-config Purpose Enter global configuration mode. Enter router configuration mode. Set the maximum number of parallel of the dynamic protocol.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 674
    route. A router that is generating the default for a network also might need a default of its own. One way a router can generate its own default is to specify a static route to the network 0.0.0.0 through the appropriate device.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 675
    network as the static default route: Step 1 Step 2 Step 3 Step 4 Command configure terminal ip default-network network number end can instruct the switch to and set route-map configuration commands are specific to a particular protocol
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 676
    that indicates the position a new route map is to have in the list of route maps already configured with the same name. Step 3 match as-path path-list-number Match a BGP AS path (Type 1 or Type 2) or EIGRP external routes.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 677
    internal Step 21 set weight Step 22 end Step 23 show route- configuration command or the no match or no set route-map configuration commands. You can distribute routes from one routing domain into another and control route distribution.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 678
    create routing loops and seriously degrade network operation. If you have not defined a default redistribution metric that replaces metric conversion, some automatic metric other routing protocols if a default mode is in effect.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 679
    stock or an end station. Cisco IOS IP and IP Routing Command Reference for Release 12.1. For a list of PBR commands that are visible but not supported by the switch, see Appendix C, "Unsupported Commands in Cisco IOS Release 12.1(19)EA1."
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 680
    policy-routed. When you globally enable local PBR on the switch, all packets that originate on the switch are subject to local PBR. Local PBR is disabled by default. Note To enable PBR, the switch must be running the EMI.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 681
    by the switch and not to incoming packets. Return to privileged EXEC mode. (Optional) Display all route maps configured or only the one specified to verify configuration. (Optional) Display policy route maps attached to interfaces.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 682
    that need to have adjacencies sent. (Optional) Specify the list of networks for the routing process. The network-address is an IP address. Return to privileged EXEC mode. (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 683
    router configuration command. The default keyword is useful in Internet service provider and large enterprise networks where many network has its own requirements, there are no general guidelines for assigning administrative distances.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 684
    2 Command configure terminal key chain name-of-chain Step 3 key number Purpose Enter global configuration mode. Identify a key chain, and enter key chain configuration mode. Identify the key number. The range is 0 to 2147483647.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 685
    state of the routing table. Display the current state of the routing table in summary form. Display supernets. Display the routing table used to switch IP traffic. Display all route maps configured or only the one specified.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 686
    Monitoring and Maintaining the IP Network Chapter 30 Configuring IP Unicast Routing
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 687
    group MAC address and IP address should the designated active router fail. Note Routers in an HSRP group can be any router interface that supports HSRP, including Catalyst 3560 routed ports and switch virtual interfaces (SVIs).
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 688
    B to provide uninterrupted service to users on Host C's segment that need to communicate with users on Host B's segment and also continues to perform its normal function of handling packets between the Host A segment and Host B.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 689
    configuration information: • Default HSRP Configuration, page 31-4 • HSRP Configuration Guidelines, page 31-4 • Enabling HSRP, page 31-5 • Configuring HSRP Group Attributes, page 31-6 • Configuring HSRP Groups and Clustering, page 31-9
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 690
    group. For more information, see the "Configuring Layer 3 EtherChannels" section on page 29-12. • All Layer 3 interfaces must have IP addresses assigned to them. See the "Configuring Layer 3 Interfaces" section on page 10-19.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 691
    minimum number of steps required to enable HSRP. Switch# configure terminal Switch(config)# interface gigabitethernet0/1 Switch(config-if)# no switchport Switch(config-if)# standby 1 ip Switch(config-if)# end Switch# show standby
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 692
    table. If it is configured to preempt, it becomes the active router, even though it is unable to provide adequate routing services. To solve this problem, configure a delay time to allow the router to update its routing table.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 693
    up. The default value is 10. end Return to privileged EXEC mode. show running-config Verify the configuration of the standby groups. copy running-config startup-config (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 694
    track type number [interface-priority] interface configuration command to remove the tracking. This example activates a port, sets an IP address and a string is cisco. (Optional) group-number-The group number to which the command applies.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 695
    standby group to be used for command switch and routing redundancy. If you create a cluster with the same HSRP standby group name without entering the routing-redundancy keyword, HSRP standby routing is disabled for the group.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 696
    -group my_hsrp routing-redundancy Switch(config)# end Displaying HSRP Configurations From privileged EXEC mode, use this command to display HSRP settings: show standby [interface-id [group]] [brief] [detail] You can display HSRP information for the whole switch, for a specific interface, for an HSRP
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 697
    IP Multicast Routing This chapter describes how to configure IP multicast routing on the Catalyst 3560 switch. IP multicasting is a more efficient way to use network resources, especially for bandwidth-intensive services such as audio and video. IP multicast routing enables a host (source
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 698
    32 Configuring IP Multicast Routing Understanding Cisco's Implementation of IP Multicast Routing The Cisco IOS software supports these protocols to implement IP multicast routing: • Internet Group Management Protocol (IGMP) is used among hosts on a LAN and the routers (and multilayer switches) on
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 699
    network Specification • Protocol Independent Multicast (PIM), Sparse Mode Protocol Specification • draft-ietf-idmr-igmp-v2-06.txt, Internet Group Management Protocol, Version 2 • draft-ietf-pim-v2-dm-03.txt, PIM Version 2 Dense Mode
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 700
    Cisco's Implementation of IP Multicast Routing Chapter 32 Configuring A more flexible hello packet format replaces the query packet to encode current network. In PIM SM, a router or multilayer switch assumes that other routers or switches
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 701
    are no longer needed. Auto-RP This proprietary feature eliminates the need to manually configure the RP information in every router and multilayer switch in the network. For Auto-RP to work, you configure a Cisco router or multilayer switch as the mapping agent. It uses IP multicast to learn which
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 702
    Table 32-1 Routing Table Example for an RPF Check: network 151.10.0.0/16, port Gigabit Ethernet 0/1; network 198.14.32.0/32, port Gigabit Ethernet 0/3; network 204.1.16.0/24, port Gigabit Ethernet 0/4.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 703
    serves as a CGMP server for devices that do not support IGMP snooping but have CGMP-client functionality. CGMP is a protocol used on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. CGMP permits Layer 2 group membership
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 704
    -RP and BSR Configuration Guidelines, page 32-9 PIMv1 and PIMv2 Interoperability The Cisco PIMv2 implementation provides interoperability and transition between Version 1 and Version 2, although there might be some minor problems.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 705
    and multilayer switches, both Auto-RP and a BSR are required. We recommend that a Cisco PIMv2 device be both the Auto-RP mapping agent and the BSR. For more information, see the "Using Auto-RP and a BSR" section on page 32-21.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 706
    flooded in a dense-mode fashion. If the multicast traffic from a specific source is sufficient, the receiver's first-hop router might send join upgraded. For more information, see the "PIMv1 and PIMv2 Interoperability" section on page 32-8.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 707
    your network. For more information, see the "PIMv1 and PIMv2 Interoperability" section on page 32-8 and the "Auto-RP and BSR Configuration Guidelines" section on page 32-9. Manually Assigning multicast sources and group members.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 708
    to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. To remove an RP address, use the no ip pim rp-address ip-address [access-list-number] [override] global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 709
    . • It avoids inconsistent, manual RP configurations on every router and multilayer switch in a PIM network, which can cause connectivity problems. Note If you configure PIM in sparse mode or cloud. This procedure is optional.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 710
    ports, port channels, and VLANs. • For scope ttl, specify the time-to-live value in hops. Enter a hop count that is high enough so that the RP-announce messages reach all mapping agents in the network statement for everything.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 711
    configured, another ip pim accept-rp command accepting the RP must be configured as follows: Switch(config)# ip pim accept-rp 172.10.20.1 1 Switch(config)# access-list 1 permit 224.0.1.39 Switch(config)# access-list 1 permit 224.0.1.40
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 712
    Save your entries in the configuration file. To remove a filter on incoming RP announcement messages, use the no ip pim rp-announce-filter rp-list access-list-number [group-list access-list-number] global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 713
    the network. instructs the switch to neither send nor receive PIMv2 BSR messages on this interface as shown in Figure 32-3. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 714
    be configured, and enter interface configuration mode. Configure the boundary, specifying the access list you created in Step 2. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 715
    a priority of 10. Switch(config)# interface gigabitethernet0/2 Switch(config-if)# ip address 172.21.24.18 255.255.255.0 Switch(config-if)# ip pim sparse-dense-mode Switch(config-if)# ip pim bsr-candidate gigabitethernet0/2 30 10
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 716
    devices should be RPs, consider these options: • In a network of Cisco routers and multilayer switches where only Auto-RP is used, any device can be configured as an RP. • In a network that includes only Cisco PIMv2 routers and multilayer switches and with routers from other vendors, any device can
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 717
    (no routers from other vendors), there is no need to configure a BSR. Configure Auto-RP in a network that is running both PIMv1 and PIMv2. If you have non-Cisco PIMv2 routers that need to interoperate with Cisco PIMv1 routers and multilayer switches, both Auto-RP and a BSR are required. We recommend
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 718
    ] displays how the switch learns of the RP (through the BSR or the Auto-RP mechanism). Troubleshooting PIMv1 and PIMv2 Interoperability Problems When debugging interoperability problems between PIMv1 and PIMv2 to the shared tree.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 719
    for the group. Multiple sources sending to groups use the shared tree. You can configure the PIM device to stay on the shared tree. For more information, see the "Delaying the Use of PIM Shortest-Path Tree" section on page 32-24.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 720
    shared tree, never switching to the source tree. • (Optional) For group-list access-list-number, specify the access list created in Step 2. If the value is 0 or if the group-list is not used, the threshold applies to all groups.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 721
    configure terminal interface interface-id Step 3 ip pim query-interval seconds Step 4 Step 5 Step 6 end configuration file. To return to the default setting, use the no ip pim query-interval [seconds] interface configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 722
    Configuring the Switch as a Member of a Group You can configure the switch as a member of a multicast group and discover multicast reachability in a network. If all the multicast-capable routers and multilayer switches address.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 723
    on the subnet serviced by an interface can join. By default, all groups are allowed on an interface. For access-list-number, specify an IP standard access list number. The range is 1 to 99. Return to global configuration mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 724
    the IGMP version that the switch uses. Note If you change to Version 1, you cannot configure the ip igmp query-interval or the ip igmp query-max-response-time interface configuration commands. Return to privileged EXEC mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 725
    1. The switch sends host-query messages to refresh its knowledge of memberships present on the network. If, after configuration file. To return to the default setting, use the no ip igmp query-interval interface configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 726
    Step 1 Step 2 Command configure terminal interface interface-id Step 3 ip igmp querier-timeout seconds Step 4 Step 5 Step 6 end show ip igmp interface [interface entries. (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 727
    set up: - Enabling CGMP Server Support, page 32-32 (optional) - Configuring sdr Listener Support, page 32-33 (optional) • Features that control bandwidth utilization: - Configuring an IP Multicast Boundary, page 32-34 (optional)
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 728
    devices are connected to a switched network and the ip cgmp proxy command is needed, we recommend that all devices be configured with the same CGMP option and have precedence for becoming the IGMP querier over non-Cisco routers.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 729
    address and port for Session support. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. To disable sdr support, use the no ip sdr listen interface configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 730
    however, TTL thresholds are not supported by the switch. You should use multicast networks. This boundary prevents multicast traffic in the range of 239.128.0.0 through 239.128.255.255 from entering or leaving their respective networks.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 731
    configured, and enter interface configuration mode. Configure the boundary, specifying the access list you created in Step 2. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 732
    are advertised and what metrics are used by configuring the ip dvmrp metric interface configuration command. You can also direct all sources learned through a particular unicast routing process to be advertised into DVMRP.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 733
    enter the number of the network or host from which the the configured metric or filtered. end configuration command) instead of an access list. You subject unicast routes to route-map conditions before they are injected into DVMRP.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 734
    DVMRP summarization The software does not advertise subnets through the tunnel if the tunnel has a different network number from the subnet. In this case, the software advertises only the network number through the tunnel.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 735
    distance] neighbor-list access-list-number Step 10 end Purpose Enter global configuration mode. Create a standard access list, repeating the matched. • For source, enter the number of the network or host from which the packet is being sent.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 736
    mrouted version 3.6 machines. The keywords have these meanings: • originate-Specifies that other routes more specific than 0.0.0.0 can also be advertised. • only-Specifies that no DVMRP routes other than 0.0.0.0 are advertised.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 737
    a DVMRP Nonpruning Neighbor, page 32-42 (optional) • Controlling Route Exchanges, page 32-45 (optional) For information on basic DVMRP features, see the "Configuring Basic DVMRP Interoperability Features" section on page 32-36.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 738
    as peers, regardless of their DVMRP capability. However, some non-Cisco devices run old versions of DVMRP that cannot prune, so they continuously receive forwarded packets, wasting bandwidth. Figure 32-6 shows this scenario.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 739
    connected to the nonpruning machine as shown in Figure 32-7. In this case, when the switch receives a DVMRP probe or report message without the prune-capable flag set, the switch logs a syslog message and discards the message.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 740
    DVMRP neighbors. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. To disable this function, use the no ip dvmrp reject-non-pruners interface configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 741
    Step 2 Command configure terminal ip dvmrp route-limit count Step 3 Step 4 Step 5 end show running-config copy running-config startup-config Purpose Enter global configuration mode. Change the number of routes into the MBONE.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 742
    you configure the ip dvmrp summary-address command on the Cisco router tunnel interface. As a result, the Cisco router sends only a single summarized Class B advertisement for network 176.32.0.0.16 from the unicast routing table.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 743
    privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file. To remove the summary address, use the no ip dvmrp summary-address address mask [metric value] interface configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 744
    to use the path through switch B because it is a faster path, you can apply a metric offset to the route learned by switch A to make it larger than the metric learned by switch B, and you can choose the path through switch B.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 745
    These sections describe how to monitor and maintain IP multicast routing: • Clearing Caches, Tables, and Databases, page 32-50 • Displaying System and Network Statistics, page 32-50 • Monitoring IP Multicast Routing, page 32-51
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 746
    table. Display the multicast groups that are directly connected to the switch and that were learned through IGMP. Display multicast-related information about an interface. Display the contents of the IP fast-switching cache.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 747
    switch about which neighboring multicast devices are peering with it. Display IP multicast packet rate and loss information. Trace the path from a source to a destination branch for a multicast distribution tree for a given group.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 748
    Monitoring and Maintaining IP Multicast Routing Chapter 32 Configuring IP Multicast Routing
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 749
    MSDP (Chapter 33) This chapter describes how to configure the Multicast Source Discovery Protocol (MSDP) on the Catalyst 3560 switch. The MSDP connects multiple Protocol-Independent Multicast sparse-mode (PIM-SM) domains. MSDP is not fully supported in this software release because of a lack
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 750
    MSDP peers other than the RPF peer. For information on how to configure an MSDP peer when BGP and MBGP are not supported, see the "Configuring a Default MSDP Peer" section on page 33-4. If the MSDP remote domain to the receiver.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 751
    Chapter 33 Configuring MSDP Figure 33-1 MSDP Running Between RP Peers Understanding MSDP RP + MSDP peer MSDP peer MSDP advertising group membership. • Global source multicast routing table state is not required, saving memory.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 752
    . If a single MSDP peer is configured, the switch always accepts all SA messages from that peer. Figure 33-2 shows a network in which default MSDP peers might be used. In Figure 33-2, a customer who owns Switch B is connected to the Internet through two Internet service providers (ISPs), one owning
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 753
    Network Configuring MSDP Router C Default MSDP peer SA SA SA Router A Default MSDP peer ISP C PIM domain 10.1.1.1 Switch a service provider configured default peer accepts all SA messages. This syntax is typically used at a stub site.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 754
    delay is known as join latency. If you want to sacrifice some memory in exchange for reducing the latency of the source information, you can configure the switch to cache SA messages.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 755
    name. • For source, enter the number of the network or host from which the packet is being sent. • Switch(config)# ip msdp cache-sa-state 100 Switch(config)# access-list 100 permit ip 171.69.0.0 0.0.255.255 224.2.0.0 0.0.255.255
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 756
    the no ip msdp sa-request {ip-address | name} global configuration command. This example shows how to configure the switch to send SA request messages to the MSDP peer at 171.69.1.1: Switch(config)# ip msdp sa-request 171.69.1.1
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 757
    access list number in the range 1 to 199. This access list number must also be configured in the ip as-path access-list command. The switch advertises (S,G) pairs according to the access list or autonomous system path access list.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 758
    as the protocol name. • For source, enter the number of the network or host from which the packet is being sent. • For source-wildcard configuration file. To remove the filter, use the no ip msdp redistribute global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 759
    messages from sources on network 192.4.22.0 pass access list 1 and are accepted; all others are ignored. Switch(config)# ip msdp filter sa-request 171.69.2.2 list 1 Switch(config)# access-list 1 permit 192.4.22.0 0.0.0.255
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 760
    the route map map-tag. If all match criteria are true, a permit from the route map passes routes through the filter. A deny filters routes.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 761
    network Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet0/1 Switch(config)# ip msdp sa-filter out switch.cisco.com list 100 Switch(config)# access-list 100 permit ip 171.69.0.0 0.0.255.255 224.2.0.0 0.0.255.255
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 762
    is 0 to 255. end Return to privileged EXEC mode. show running-config Verify your entries. copy running-config startup-config (Optional) Save your entries in the configuration file. To return to match criteria in a route map
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 763
    • For source, enter the number of the network or host from which the packet is being switch.cisco.com: Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet0/1 Switch(config)# ip msdp sa-filter in switch.cisco.com
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 764
    down the peer, configure it, and later bring it up. When a peer is shut down, the TCP connection is terminated and is not restarted. You can also shut down an MSDP session without losing configuration information for the peer.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 765
    field in the SA message. Configure which (S,G) entries from the multicast routing table are advertised in SA messages. For more information, see the "Redistributing Sources" section on page 33-9. Return to privileged EXEC mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 766
    configure terminal ip msdp originator-id interface-id Step 3 Step 4 Step 5 end show running-config copy running-config startup-config Purpose Enter global configuration mode. Configures -id global configuration command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 767
    from each autonomous system. The ip msdp cache-sa-state command must be configured for this command to produce any output. show ip msdp peer [peer- sources for a specific group, or all entries for a specific source/group pair.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 768
    Monitoring and Maintaining MSDP Chapter 33 Configuring MSDP
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 769
    domains and routed ports. To use this feature, the switch must be running the enhanced multilayer image (EMI). Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Bridging and IBM Networking Command Reference for Release 12.1. This chapter
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 770
    different VLANs. Another port is configured as a routed port with its own IP address. If all three of these ports are assigned to the same bridge group, non-IP protocol frames can be forwarded among the end stations connected to the switch even though they are on different networks and in different
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 771
    distinct) network connected to the switch. Creating a Bridge Group To configure fallback bridging for a set of SVIs or routed ports, port on a switch to another protected port on the same switch if the ports are in different VLANs.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 772
    to assign the port to the bridge group: Switch(config)# bridge 10 protocol vlan-bridge Switch(config)# interface gigabitethernet0/1 Switch(config-if)# no switchport Switch(config-if)# no shutdown Switch(config-if)# bridge-group 10
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 773
    impact on performance. A good source on switching is the IEEE 802.1D specification. For more information, refer to the "References and Recommended Reading" appendix in the Cisco IOS Configuration Fundamentals Command Reference.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 774
    range is 1 to 255. • For number, enter a number from 0 to 255 in increments of 4. The lower the number, the more likely that the port on the switch will be chosen as the root. The default is 128. Return to privileged EXEC mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 775
    -group path-cost interface configuration command. This example shows how to change the path cost to 20 on a port in bridge group 10: Switch(config)# interface gigabitethernet0/1 Switch(config-if)# bridge-group 10 path-cost 20
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 776
    To return to the default setting, use the no bridge bridge-group hello-time global configuration command. This example shows how to change the hello interval to 5 seconds in bridge group 10: Switch(config)# bridge 10 hello-time 5
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 777
    return to the default setting, use the no bridge bridge-group max-age global configuration command. This example shows how to change the maximum-idle interval to 30 seconds in bridge group 10: Switch(config)# bridge 10 max-age 30
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 778
    interface-id | Displays MAC addresses learned in the bridge group. mac-address | verbose] For information about the fields in these displays, refer to the Cisco IOS Bridging and IBM Networking Command Reference for Release 12.1.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 779
    from Lost Cluster Member Connectivity, page 35-11 Note Recovery procedures require that you have physical access to the switch. • Preventing Autonegotiation Mismatches, page 35-12 • Troubleshooting Power over Ethernet Switch Ports, page 35-12 • SFP Module Security and Identification, page 35
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 780
    3970586 Nov 21 12:00 2003 c3560-i5-mz.121.19-EA1/c3560-i5-mz.121.19-EA1.bin -rw-r--r-- 9658/25 391 Nov 21 13:20 2003 c3560-i5-mz.121.19-EA1/info -rw-r--r-- 9658/25 98 Nov 18 16:46 2003 info
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 781
    to download the software image to the switch. Use the reload privileged EXEC command to restart the switch and to verify that the new software image is operating properly. Delete the flash:image_filename.bin file from the switch.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 782
    35 Troubleshooting Recovering from a Lost or Forgotten Password The default configuration for the switch allows an end user with physical access to the switch to recover from a lost password by interrupting the boot process during power-on and by entering a new password. These recovery procedures
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 783
    : Continue with the configuration dialog? [yes/no]: N At the switch prompt, enter privileged EXEC mode: Switch> enable Rename the configuration file to its original name: Switch# rename flash:config.text.old flash:config.text
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 784
    interface. With the switch in interface configuration mode, enter the no shutdown command. Step 14 Reload the switch: Switch# reload Procedure with Password Recovery Disabled If the password-recovery mechanism is disabled, this message appears: The password-recovery mechanism has been triggered
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 785
    secret password The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive, and allows spaces but ignores leading spaces. Return to privileged EXEC mode: Switch (config)# exit Switch#
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 786
    from a Command Switch Failure Chapter 35 Troubleshooting Step 9 Write the running configuration to the startup configuration file: Switch# copy running-config startup-config The new password is now in the startup configuration. Note This procedure is likely to leave your switch virtual interface
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 787
    port, refer to the switch hardware installation guide. At the switch prompt, enter privileged EXEC mode: Switch> enable Switch# Step 5 Step 6 Enter the password of the failed command switch. Enter global configuration mode. Switch# configure terminal Enter configuration commands, one per line. End
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 788
    For details about using the console port, refer to the switch hardware installation guide. At the switch prompt, enter privileged EXEC mode: Switch> enable Switch# Enter the password of the failed command switch. Use the setup program to configure the switch IP information. This program prompts you
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 789
    2970, Catalyst 2950, Catalyst 3500 XL, Catalyst 2900 XL, Catalyst 2820, and Catalyst 1900 switch) connected to the command switch through a secured port can lose connectivity if the port is disabled because of a security violation.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 790
    If a remote device does not autonegotiate, configure the duplex settings on the two ports to match. The speed parameter can adjust itself even if the connected port does not autonegotiate. Troubleshooting Power over Ethernet Switch Ports If a powered device (such as a Cisco IP Phone 7910) that is
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 791
    Chapter 35 Troubleshooting Using Ping If you are using a non-Cisco approved SFP module, remove the SFP module from the switch, and replace it with a Cisco-approved module. After inserting a Cisco-approved SFP module, use the errdisable recovery cause gbic-invalid global configuration command to
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 792
    . The switch can only identify the path from the source device to the destination device. It cannot identify the path that a packet takes from source host to the source device or from the destination device to the destination host.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 793
    a port), the Layer 2 traceroute feature is not supported. When more than one CDP neighbor is detected on a port, the Layer 2 path is not identified, and an error message appears. • This feature is not supported in Token Ring VLANs.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 794
    , it sends an ICMP port unreachable error to the source. Because all errors except port unreachable errors come from intermediate hops, the receipt of a port unreachable error means this message was sent by the destination.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 795
    . Port unreachable. To terminate a trace in progress, enter the escape sequence (Ctrl-^ X by default). You enter the default by simultaneously pressing and releasing the Ctrl, Shift, and 6 keys, and then by pressing the X key.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 796
    system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 797
    mainly for technical support personnel, who have access to detailed information about the switch application-specific integrated circuits (ASICs). However, packet forwarding information can also be helpful in troubleshooting.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 798
    -00_40000014_000A0000 01FFA 03000000 L2Local 80_00050009_43A80145-00_00000000_00000000 00086 02010197 Station Descriptor:F0050003, DestIndex:F005, RewriteIndex:0003 Egress:Asic 3, switch 1 Output Packets:
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 799
    Asic 3, switch 1 Output Packets: Packet 1 Lookup Key-Used OutptACL 50_10010A05_0A010505-00_40000014_000A0000 Index-Hit A-Data 01FFE 03000000 Port Gi0/2 Vlan SrcMac DstMac Cos Dscpv 0007 XXXX.XXXX.0246 0009.43A8.0147
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 800
    the end of its filename) by entering the show stacks or the show tech-support privileged EXEC command. You also can access the file by using any command that can copy or display files, such as the more or the copy privileged EXEC command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 801
    all switches is modeled as removable Flash memory.) • CISCO-FTP-CLIENT-MIB • CISCO-HSRP-MIB • CISCO-HSRP-EXT-MIB (partial support) • CISCO-IGMP-FILTER-MIB • CISCO-IMAGE-MIB • CISCO-IP-STAT-MIB • CISCO-L2L3-INTERFACE-MIB • CISCO-LACP-MIB
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 802
    -TCP-MIB • OLD-CISCO-TS-MIB • PIM-MIB • RFC1213-MIB (Functionality is as per the agent capabilities specified in the CISCO-RFC1213-CAPABILITY.my.) • RFC1253-MIB (OSPF-MIB) • RMON-MIB • RMON2-MIB • SNMP-FRAMEWORK-MIB • SNMP-MPD-MIB
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 803
    a list of supported MIBs for the Catalyst 3560 switch: ftp://ftp.cisco.com/pub/mibs/ password. At the ftp> prompt, change directories to /pub/mibs/v1 and /pub/mibs/v2. Use the get MIB_filename command to obtain a copy of the MIB file.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 804
    Using FTP to Access the MIB Files Appendix A Supported MIBs Catalyst 3560 Switch Software Configuration Guide A-4 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 805
    chapter, refer to the switch command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1. This appendix consists of Files, page B-5 • Displaying the Contents of a File, page B-8
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 806
    the running configuration. tftp:-Trivial File Transfer Protocol (TFTP) network server. xmodem:-Obtain the file from a network machine by using the XMODEM protocol. ymodem:-Obtain the file from a network machine by using the YMODEM protocol.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 807
    Working with the Cisco IOS File System, Configuration Files, and Software about each of the files on a file system. Display information about a specific file. Display a list of open file descriptors. File descriptors are the internal
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 808
    username [:password]@location]/directory]/filename • Remote Copy Protocol (RCP)-rcp:[[//username@location]/directory]/filename • Trivial File Transfer Protocol (TFTP)-tftp:[[//location]/directory]/filename Local writable file systems include flash:.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 809
    Cisco IOS File System, Configuration Files, and Software Images Working with the Flash File System Some invalid combinations of source and destination exist. Specifically, you cannot copy these combinations: • From a running configuration to a running configuration • From a startup configuration
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 810
    Cisco IOS File System, Configuration supported: • For the local Flash file system, the syntax is flash: • For the File Transfer Protocol (FTP), the syntax is ftp:[[//username[:password network file system. These options are supported:
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 811
    supported: • For the local Flash file system, the syntax is flash: • For the File Transfer Protocol (FTP), the syntax is ftp:[[//username[:password]@ . Switch# archive tar /xtract tftp://172.20.10.30/saved.tar flash:/new-configs
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 812
    Editor, page B-10 • Copying Configuration Files By Using TFTP, page B-10 • Copying Configuration Files By Using FTP, page B-12 • Copying Configuration Files By Using RCP, page B-16 • Clearing Configuration Information, page B-19
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 813
    you are accessing the switch through a network connection instead of through a direct connection to the console port, keep in mind that some configuration changes (such as changing the switch IP address or disabling ports) can cause a loss of connectivity to the switch. • If no password has been set
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 814
    that the switch has a route to the TFTP server. The switch and the TFTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the TFTP server by using the ping command.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 815
    2 Verify that the TFTP server is properly configured by referring to the "Preparing to Download or Upload a Configuration File By Using TFTP" section on page B-10. Log into the switch through the console port or a Telnet session.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 816
    an FTP server. The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list: • The username specified in the
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 817
    global configuration mode on the switch. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6). (Optional) Change the default remote username. (Optional) Change the default password.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 818
    Files Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images Step 6 Step 7 Command Purpose end Return to privileged EXEC mode. copy Using FTP, copy the configuration file from a network ftp:[[[//[username[:password]@]location]/directory] server to the
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 819
    ip ftp password mypass Switch(config)# end Switch# copy nvram:startup-config ftp: Remote host[]? 172.16.101.101 Name of configuration file to write [switch2-confg]? Write file switch2-confg on host 172.16.101.101?[confirm] ![OK]
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 820
    for you. The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list: • The username specified in the copy command if a username is specified
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 821
    system:running-config Configure using host1-confg from 172.16.101.101? [confirm] Connected to 172.16.101.101 Loading 1112 byte file host1-confg:![OK] Switch# %SYS-5-CONFIG: Configured from host1-config by rcp from 172.16.101.101
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 822
    address of 172.16.101.101: Switch# copy system:running-config rcp://[email protected]/switch2-confg Write file switch-confg on host 172.16.101.101?[confirm] Building configuration...[OK] Connected to 172.16.101.101 Switch#
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 823
    switch prompts for confirmation on destructive file operations. For more information about the file prompt command, refer to the Cisco IOS Command Reference for Release 12.1. Caution You cannot restore a file after it has been deleted.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 824
    a switch image file from a TFTP, FTP, or RCP server to upgrade the switch software. You can replace the the supported upgrade paths, refer to the release notes that shipped with your switch. Image Location on the Switch The Cisco IOS image
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 825
    approximate measure of how much Flash memory is required to hold just the Cisco IOS image Specifies the size of all the images (the Cisco IOS image and the HTML files) in the tar file, which is an the software can be installed
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 826
    with the Cisco IOS File System, Configuration Files, and Software Images Copying Image Files By Using TFTP You can download a switch image from a TFTP server or upload the image from the switch to a TFTP server. You download a switch image file from a server to upgrade the switch software. You
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 827
    Cisco IOS File System, Configuration TFTP You can download a new image file and replace the current image or keep the current image. switch through the console port or a Telnet session. Download the image file from the TFTP server to the switch
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 828
    : info, the Cisco IOS image, and the HTML files. After these files are uploaded, the upload algorithm creates the tar file format. Caution For the download and upload algorithms to operate properly, do not rename image names.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 829
    ip ftp password commands to specify a username and password for all copies. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username only for that operation.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 830
    . This step is required only if you override the default remote username or password (see Steps 4, 5, and 6). (Optional) Change the default remote username. (Optional) Change the default password. Return to privileged EXEC mode.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 831
    the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Step 7 Step 8 Command Purpose archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory] /image-name.tar Download the image file from the FTP server to the switch, and
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 832
    the Cisco IOS File System, Configuration Files, switch through the console port or a Telnet session. configure terminal Enter global configuration mode. This step is required only if you override the default remote username or password
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 833
    support rsh.) Because you are copying a file from one place to another, you must have read permission on the source file and write permission on the destination file. If the destination file does not exist, RCP creates it for you.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 834
    Images Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the switch to a server by using RCP, the Cisco IOS software sends the first valid username
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 835
    the Cisco IOS File System, Configuration Files, and Software Images Working with Software Images Downloading an Image File By Using RCP You can download a new image file and replace or and image names are case sensitive.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 836
    files in the directory and the directory are removed. Caution For the download and upload algorithms to operate properly, do not rename image names.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 837
    : info, the Cisco IOS image, and the HTML files. After these files are uploaded, the upload algorithm creates the tar file format. Caution For the download and upload algorithms to operate properly, do not rename image names.
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 838
    Working with Software Images Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images B-34 Catalyst 3560 Switch Software Configuration Guide 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 839
    APPENDIX Unsupported Commands in Cisco IOS Release 12.1(19)EA1 This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Catalyst 3560 switch prompt but are not supported in this release, either because they are not tested or
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 840
    bridge bridge-group address mac-address {forward | discard} [interface-id] bridge bridge-group aging-time seconds bridge bridge-group bitswap_l3_addresses bridge bridge-group bridge ip
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 841
    C Unsupported Commands in Cisco IOS Release 12.1(19)EA1 bridge bridge- service-filtering frame-relay map bridge dlci broadcast interface bvi bridge-group x25 map bridge x.121-address broadcast [options-keywords] FallBack Bridging
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 842
    Unsupported Commands in Cisco IOS Release 12.1(19)EA1 HSRP Unsupported Global Configuration Commands interface Async | precedence | irb | random-detect | rate-limit | shape] Unsupported Global Configuration Commands interface tunnel
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 843
    Appendix C Unsupported Commands in Cisco IOS Release 12.1(19)EA1 IP Multicast Routing Unsupported Interface Configuration Commands switchport broadcast level switchport multicast level switchport unicast level Note These commands have been replaced by the storm-control {broadcast | multicast |
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 844
    cef [drop | not-cef-switched] show ip accounting [checkpoint] [output-packets | access-violations] show ip bgp dampened-paths show ip bgp inconsistent-as show ip bgp regexp regular expression show ip prefix-list regular expression
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 845
    Cisco IOS Release 12.1(19)EA1 Unsupported Global Configuration Configuration Commands ip accounting ip load-sharing [per-packet] ip mtu bytes ip route-cache ip verify ip unnumbered type number All ip security commands IP Unicast Routing
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 846
    Cisco IOS Release 12.1(19)EA1 Unsupported BGP Router Configuration Commands address-family vpnv4 default-information originate neighbor advertise-map neighbor allowas-in neighbor default-originate neighbor description network -value
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 847
    show ip nat statistics show ip nat translations Unsupported Global Configuration Commands ip nat inside destination ip nat inside source ip nat outside source ip nat pool Unsupported Interface Configuration Commands ip nat
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 848
    Global Configuration Commands spanning-tree etherchannel guard misconfig spanning-tree pathcost method {long | short} Unsupported Interface Configuration Commands spanning-tree stack-port VLAN Unsupported vlan-config Commands private-vlan
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 849
    been replaced by the vtp global configuration command. Miscellaneous Unsupported Global Configuration Commands errdisable detect cause dhcp-rate-limit errdisable recovery cause dhcp-rate-limit errdisable recovery cause unicast flood service compress-config
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 850
    Miscellaneous Appendix C Unsupported Commands in Cisco IOS Release 12.1(19)EA1 C-12 Catalyst 3560 Switch Software Configuration Guide 78-16156-01
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 851
    in switch clusters 5-9 accounting with RADIUS 8-28 with TACACS+ 8-11, 8-17 ACEs and QoS 28-7 defined 27-2 Ethernet 27-2 IP 27-2 ACLs ACEs 27-2 any keyword 27-12 applying on bridged packets 27-38 on multicast packets 27-39 on routed packets 27-38
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 852
    28-29 numbers 27-7 ACLs (continued) port 27-2 precedence of 27-2 QoS 28-7, 28-37 router 27-2 standard IP configuring for QoS classification 28-37 creating 27-8 matching criteria 27-7 supported features 27-21 support for 1-6 time ranges 27-16
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 853
    device 5-8 brand new switches 5-9 connectivity 5-5 different VLANs 5-7 management VLANs 5-7 non-CDP-capable devices 5-6 non-cluster-capable devices 5-6 routed ports 5-8 creating a cluster standby group 5-19 in switch clusters 5-5 See also CDP
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 854
    4-2 boot process 4-1 manually 4-13 specific image 4-13 boot loader accessing 4-14 described 4-2 environment variables 4-14 prompt 4-14 trap-door mechanism 4-2 bootstrap router (BSR), described 32-5 Border Gateway Protocol See BGP
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 855
    support of 1-3 CIDR 30-59 Cisco 7960 IP Phone 14-1 Cisco Discovery Protocol See CDP Cisco Express Forwarding See CEF Cisco Group Management Protocol See CGMP Cisco IOS File System See IFS CiscoWorks 2000 1-4, 26-5 classless interdomain routing See CIDR
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 856
    recovery 5-10 CLI 5-21 host names 5-13 IP addresses 5-13 LRE profiles 5-15 passwords 5-14 RADIUS 5-14 SNMP 5-14, 5-22 switch-specific features 5-15 TACACS+ 5-14 redundancy 5-19 troubleshooting 5-21 verifying 5-20 See also candidate switch, command switch, cluster standby group, member switch
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 857
    configuration conflicts 35-11 defined 5-2 enabling 5-16 passive (PC) 5-10, 5-19 password privilege levels 5-22 priority 5-10 recovery from command-switch failure 5-10 from failure 35-8 from lost member connectivity 35-11 redundant 5-10, 5-19 command switch (continued) replacing
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 858
    2-2, 12-7 conflicts, configuration 35-11 connections, secure remote 8-38 connectivity problems 35-13, 35-14, 35-16 consistency checks in VTP version 2 13-4 console port, connecting to 2-9 conventions command xxxiv for examples xxxiv publication xxxiv text xxxiv corrupted software, recovery steps
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 859
    18-2 Differentiated Services architecture, QoS 28-1 Differentiated Services Code Point 28-2 Diffusing Update Algorithm (DUAL) 30-37 directed unicast requests 1-4 directories changing B-3 creating and removing B-4 displaying the working B-3
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 860
    downloading (continued configuring 10-12 DVMRP autosummarization configuring a summary address 32-46 disabling 32-48 connecting PIM domain to DVMRP router 32-38 enabling unicast routing 32-42 interoperability with Cisco devices 32-36 with IOS
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 861
    interfaces 29-13 Layer 3 port-channel logical interfaces 29-12 configuring Layer 2 interfaces 29-10 default configuration 29-9 described 29-2 displaying status 29-20 forwarding methods 29-6, 29-15 interaction with STP 29-9 with VLANs 29-10
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 862
    port groups 10-5 support for 1-3 Ethernet VLANs adding 12-8 defaults and ranges 12-8 modifying 12-8 events, RMON 24-3 examples conventions for xxxiv network configuration 1-11 expedite queue for QoS configuring 28-63 expert mode 3-6 Express
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 863
    STP 34-2 support for 1-8 SVIs and routed ports 34-1 VLAN-bridge local file system names B-1 network file system names B-4 setting A-3 configuration files downloading B-13 overview B-12 preparing configuration mode 2-2 guest VLAN and 802.1X 9-8
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 864
    recovery 5-12 binding to cluster group 31-9 cluster standby group considerations 5-11 command-switch redundancy 1-1, 1-5 configuring 31-3 default configuration 31-4 definition 31-1 guidelines 31-4 monitoring 31-10 overview 31-1 priority 31-6
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 865
    30-25 unequal-cost load balancing 30-25 Immediate-Leave, IGMP 19-6 initial configuration defaults 1-9 Express Setup 1-9 See also hardware installation guide setup (CLI) program 1-9 interface number 10-7 range macros 10-9 interface command 10-7
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 866
    Message Protocol See ICMP Internet Group Management Protocol See IGMP Inter-Switch Link See ISL inter-VLAN routing 1-8, 30-2 Intrusion Detection System See IDS inventory, cluster 5-20 IOS File System See IFS ip access group command 27-20 IP
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 867
    system and network 32-50 See also CGMP See also DVMRP See also IGMP See also PIM IP phones and QoS 14-1 automatic classification and queueing 28-18 configuring 14-4 ensuring port security with QoS 28-34 trusted boundary for QoS 28-34
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 868
    30-18 EtherChannel Layer 3 interface 30-3 IGP 30-28 inter-VLAN 30-2 IP unicast routing (continued) IP addressing classes 30-5 configuring 30-4 IRDP 30-12 Layer 3 interfaces 30-3 MAC address and IP address 30-8 passive interfaces 30-74
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 869
    switch 8-35 KDC 8-35 network services 8-35 configuration examples 8-32 configuring 8-36 credentials 8-32 cryptographic software image 8-32 described 8-32 KDC 8-32 operation 8-34 realm 8-33 server 8-33 support for 1-7 switch port 35-15 unicast traffic 35-14 usage guidelines 35-15 Layer 2 trunks 12-17
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 870
    28-5 macros See SmartPort macros manageability features 1-4 management access in-band browser session 1-4 CLI session 1-4 SNMP 1-5 out-of-band console port connection 1-5 management options benefits clustering 1-3 CMS 1-2 CLI 2-1 overview
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 871
    switch 33-9 received by switch 33-14 default configuration 33-4 dense-mode regions sending SA messages to 33-17 specifying the originating address 33-18 filtering incoming SA messages 33-14 SA messages to a peer 33-12 SA requests from a peer 33-11
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 872
    33-9 support for 1-8 MSTP boundary ports configuration guidelines 16-13 described 16-5 BPDU filtering described 17-3 enabling 17-12 BPDU guard described 17-3 enabling 17-11 CIST, described 16-3 configuration guidelines 16-12, 17-9 MSTP
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 873
    services 1-12 small to medium-sized network 1-13 network design performance 1-12 services 1-12 network management CDP 21-1 RMON 24-1 SNMP 26-1 Network Time Protocol See NTP no commands 2-4 non-IP traffic filtering 27-26 nontrunking mode 12-17
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 874
    devices 6-6 time services 6-2 synchronizing 6-2 O Open Shortest Path First See OSPF optimizing system resources 7-1 options, management 1-4 OSPF area parameters, configuring 30-32 configuring 30-30 default configuration OSPF (continued
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 875
    interoperability 32-8 troubleshooting interoperability problems 32-22 v2 improvements 32-4 PIM-DVMRP, as snooping method 19-8 ping character output description 35-14 executing 35-13 overview 35-13 PoE configuring 10-16 support for 1-8 troubleshooting 35-12 poison-reverse updates
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 876
    per-user ACLs AAA authorization 9-11 configuration tasks 9-9 described 9-8 RADIUS server attributes 9-8 port-based authentication (continued) ports authorization state and dot1x port-control command 9-4 authorized and unauthorized 9-4 voice
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 877
    15-10 described 15-9 instances supported 15-9 Q QoS auto-QoS categorizing traffic 28-18 configuration and defaults display 28-26 configuration guidelines 28-22 described 28-18 disabling 28-23 displaying generated commands 28-23
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 878
    ACLs 28-37 QoS (continued) MAC ACLs 28-39 policy maps 28-42 port trust states within the domain 57 buffer allocation scheme, described 28-16 configuring shaped weights for SRR 28-60 configuring shared weights for SRR 28-62 described 28-4
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 879
    8-31 identifying the server 8-21 in clusters 5-14 limiting the services to the user 8-27 method list, defined 8-20 operation of 8-19 overview 8-18 suggested network environments 8-18 support for 1-7 tracking services accessed by user 8-28
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 880
    15-8 path cost 12-26 port priority 12-24 redundant clusters See cluster standby group redundant links and UplinkFast 17-13 reliable transport protocol, EIGRP 30-37 reloading software 4-16 Remote Authentication Dial-In User Service See RADIUS
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 881
    23-8 configuration guidelines 23-16 default configuration 23-9 destination ports 23-7 displaying status 23-23 interaction with other features 23-8 monitored ports 23-5 monitoring ports 23-7 overview 1-9, 23-1 received traffic 23-4
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 882
    See SSH security, port 20-7 security features 1-6 sequence numbers in log messages 25-7 server mode, VTP 13-3 service-provider network MSTP and RSTP 16-1 set-request operation 26-5 setup (CLI) program 1-9 See also hardware installation guide setup program failed command switch replacement 35-8, 35
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 883
    location in Flash B-20 recovery procedures 35-2 scheduling reloads 4-16 tar file format, described B-21 See also downloading and uploading source addresses, in ACLs 27-11 source-and-destination-IP address based forwarding, EtherChannel 29-7
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 884
    on egress queues 28-60 shared weights on egress queues 28-62 shared weights on ingress queues 28-55 SRR (continued) described 28-12 shaped mode 28-12 shared mode 28-12 support for 1-7 SSH configuring 8-39 cryptographic software image 8-37
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 885
    15-5, 15-6 learning 15-6 listening 15-6 overview 15-4 interoperability and compatibility among modes 15-10 limitations with 802.1Q trunks 15-10 load sharing overview 12-24
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 886
    port 17-3 status, displaying 15-22 superior BPDU 15-3 timers, described 15-20 UplinkFast described 17-4 enabling 17-13 VLAN-bridge 15-11 stratum, NTP 6-2 stub areas, OSPF 30-32 subnet mask 30-5 subnet zero 30-6 success response, VMPS 12
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 887
    1-4 setting a password 8-6 templates, SDM 7-1 Terminal Access Controller Access Control System Plus See TACACS+ terminal lines, setting a password 8-6 TFTP configuration files downloading B-11 preparing the server B-10 uploading B-11
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 888
    fragmented 27-5 unfragmented 27-5 traffic policing 1-7 traffic suppression 20-2 transparent mode, VTP 13-3, 13-12 trap-door mechanism 4-2 traps configuring MAC address notification 6-23 configuring managers 26-11 defined 26-3 enabling 6-23
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 889
    support for 1-5 uploading configuration files preparing B-10, B-13, B-16 reasons for B-8 using FTP B-15 using RCP B-18 using TFTP B-11 image files preparing B-22, B-25, B-29 reasons for B-20 using FTP B-28 using RCP B-33 using TFTP B-24
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 890
    -7 VLAN filtering, and SPAN 23-6 vlan global configuration command 12-7 VLAN ID, discovering 6-28 VLAN management domain 13-2 VLAN Management Policy Server See VMPS VLAN map entries, order of 27-29 VLAN maps applying 27-33 common uses for 27
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 891
    -7 configuration mode options 13-7 configuration requirements 13-9 configuration revision number guideline 13-14 resetting 13-15 configuring client mode 13-11 server mode 13-9 transparent mode 13-12 consistency checks 13-4 default configuration 13-6
  • Cisco WS-C3560E-12D-E | Software Configuration Guide - Page 892
    13-9 disabling 13-13 enabling 13-13 overview 13-4 W weighted tail drop See WTD wizards 1-2, 3-6 WTD described 28-11 setting thresholds egress queue-sets 28-57 ingress queues 28-53 support for 1-7 X XMODEM protocol 35-2

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Catalyst 3560 Switch
Software Configuration Guide
Cisco IOS Release 12.1(19)EA1
January 2004
Customer Order Number: DOC-7816156=
Text Part Number: 78-16156-01