Home » Cisco Manuals » Hubs & Switches » Cisco NME-16ES-1G » Manual Viewer

Cisco NME-16ES-1G User Guide - Page 8

x Port-Based Authentication, EtherChannel Configuration Guidelines and Restrictions - p compatibility

UPC - 882658036101

Add to My Manuals
Save this manual to your list of manuals

Page 8 highlights

Feature Overview 16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series Use the option that provides the greatest variety in your configuration. For example, if the traffic on a channel is going only to a single MAC address, using the destination MAC address always chooses the same link in the channel; using source addresses or IP addresses may result in better load balancing. EtherChannel Configuration Guidelines and Restrictions If improperly configured, some EtherChannel interfaces are disabled automatically to avoid network loops and other problems. Follow these guidelines and restrictions to avoid configuration problems: • All Ethernet interfaces on all modules support EtherChannel (maximum of eight interfaces) with no requirement that interfaces be physically contiguous or on the same module. • Configure all interfaces in an EtherChannel to operate at the same speed and duplex mode. • Enable all interfaces in an EtherChannel. If you shut down an interface in an EtherChannel, it is treated as a link failure and its traffic is transferred to one of the remaining interfaces in the EtherChannel. • An EtherChannel will not form if one of the interfaces is a Switched Port Analyzer (SPAN) destination port. For Layer 2 EtherChannels: • Assign all interfaces in the EtherChannel to the same VLAN, or configure them as trunks. An EtherChannel supports the same allowed range of VLANs on all interfaces in a trunking Layer 2 EtherChannel. If the allowed range of VLANs is not the same, the interfaces do not form an EtherChannel. Interfaces with different Spanning Tree Protocol (STP) port path costs can form an EtherChannel as long they are otherwise compatibly configured. Setting different STP port path costs does not, by itself, make interfaces incompatible for the formation of an EtherChannel. After you configure an EtherChannel, configuration that you apply to the port-channel interface affects the EtherChannel. 802.1x Port-Based Authentication This section describes how to configure IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. As LANs extend to hotels, airports, and corporate lobbies, insecure environments could be created. Understanding 802.1x Port-Based Authentication The IEEE 802.1x standard defines a client/server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN. Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port. Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ 8

Section	Page
16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series	1
Feature Overview	2
Layer 2 Ethernet Interfaces	2
Switch Virtual Interfaces	5
Routed Ports	5
VLAN Trunk Protocol	5
EtherChannel	7
802.1x Port-Based Authentication	8
Spanning Tree Protocol	12
Cisco Discovery Protocol	24
Switched Port Analyzer	24
Network Security with ACLs	25
Quality of Service	29
Maximum Number of VLAN and Multicast Groups	35
IP Multicast Support	35
IGMP Snooping	35
Global Storm-Control	38
Per-Port Storm-Control	40
Port Security	40
Ethernet Switching in Cisco AVVID Architecture	40
Stacking	41
Flow Control	41
Using Flow-Control Keywords	41
Fallback Bridging	42
Benefits	43
Restrictions	43
Related Features and Technologies	44
Related Documents	44
Supported Platforms	45
Supported Standards, MIBs, and RFCs	45
Prerequisites	46
Configuration Tasks	46
Configuring Layer 2 Interfaces	47
Configuring a Range of Interfaces	47
Defining a Range Macro	48
Verifying Configuration of a Range of Interfaces	48
Configuring Layer 2 Optional Interface Features	48
Interface Speed and Duplex Configuration Guidelines	48
Configuring the Interface Speed	49
Configuring the Interface Duplex Mode	49
Verifying Interface Speed and Duplex Mode Configuration	49
Configuring a Description for an Interface	50
Configuring an Ethernet Interface as a Layer 2 Trunk	50
Verifying an Ethernet Interface as a Layer 2 Trunk	51
Configuring an Ethernet Interface as a Layer 2 Access	52
Verifying an Ethernet Interface as a Layer 2 Access	52
Configuring VLANs	52
Configuring VLANs	53
Verifying the VLAN Configuration.	53
Deleting a VLAN from the Database	53
Verifying VLAN Deletion	54
Configuring VLAN Trunking Protocol	54
Configuring the VTP Server	54
Configuring a VTP Client	55
Disabling VTP (VTP Transparent Mode)	55
Configuring VTP version 2	55
Verifying VTP	56
Configuring Layer 2 EtherChannels (Port-Channel Logical Interfaces)	56
Configuring Layer 2 EtherChannels (Port-Channel Logical Interfaces)	56
Verifying Layer 2 EtherChannels	57
Configuring EtherChannel Load Balancing	58
Verifying EtherChannel Load Balancing	58
Removing an Interface from an EtherChannel	59
Configuring Removing an EtherChannel	59
Verify Removing an EtherChannel	59
Configuring 802.1x Authentication	59
Understanding the Default 802.1x Configuration	60
Enabling 802.1x Authentication	61
Configuring the Switch-to-RADIUS-Server Communication	62
Enabling Periodic Reauthentication	63
Changing the Quiet Period	64
Changing the Switch-to-Client Retransmission Time	64
Setting the Switch-to-Client Frame-Retransmission Number	65
Enabling Multiple Hosts	66
Resetting the 802.1x Configuration to the Default Values	66
Displaying 802.1x Statistics and Status	66
Configuring Spanning Tree	67
Enabling Spanning Tree	67
Verify Spanning Tree	67
Configuring Spanning Tree Port Priority	68
Verify Spanning Tree Port Priority	68
Configuring Spanning Tree Port Cost	68
Verifying Spanning Tree Port Cost	69
Configuring the Bridge Priority of a VLAN	69
Verifying the Bridge Priority of a VLAN	70
Configuring the Hello Time	70
Configuring the Forward-Delay Time for a VLAN	70
Configuring the Maximum Aging Time for a VLAN	70
Configuring the Root Bridge	71
Configuring BackboneFast	71
Disabling Spanning Tree	72
Verifying that Spanning Tree is Disabled	72
Configuring MAC Table Manipulation - Port Security	72
Enabling Known MAC Address Traffic	73
Verifying the MAC Address Secure Configuration	73
Creating a Static or Dynamic Entry in the MAC Address Table	73
Verifying the MAC Address Table	74
Configuring Aging Timer-timer	74
Verifying the Aging Timer	74
Configuring Cisco Discovery Protocol	74
Enabling Cisco Discovery Protocol	75
Verifying the CDP Global Configuration	75
Enabling CDP on an Interface	75
Verifying the CDP Interface Configuration	75
Verifying CDP Neighbors	76
Monitoring and Maintaining CDP	76
Configuring Switched Port Analyzer	76
Specifying the Switched Port Analyzer Session	77
Configuring SPAN Destinations	77
Removing Sources or Destinations from a SPAN Session	77
Configuring Network Security with ACLs	78
Unsupported Features	78
Creating Standard and Extended IP ACLs	78
ACL Numbers	79
Creating a Numbered Standard ACL	80
Creating a Numbered Extended ACL	80
Creating Named Standard and Extended ACLs	83
Including Comments About Entries in ACLs	85
Applying the ACL to an Interface	85
Displaying ACLs	86
Configuring Quality of Service (QoS)	86
Understanding the Default QoS Configuration	87
Configuring Classification Using Port Trust States	87
Configuring the Trust State on Ports and SVIs within the QoS Domain	87
Configuring the CoS Value for an Interface	89
Configuring a QoS Policy	90
Classifying Traffic by Using ACLs	91
Classifying Traffic by Using Class Maps	93
Classifying, Policing, and Marking Traffic by Using Policy Maps	94
Configuring CoS Maps	96
Configuring the CoS-to-DSCP Map	96
Configuring the DSCP-to-CoS Map	96
Displaying QoS Information	97
Configuring Power Management on the Interface	98
Verifying Power Management on the Interface	98
Configuring IP Multicast Layer 3 Switching	98
Enabling IP Multicast Routing Globally	99
Enabling IP PIM on Layer 3 Interfaces	99
Verifying IP Multicast Layer 3 Hardware Switching Summary	100
Verifying the IP Multicast Routing Table	101
Configuring IGMP Snooping	102
Enabling or Disabling IGMP Snooping	102
Enabling IGMP Immediate-Leave Processing	103
Statically Configuring an Interface to Join a Group	103
Configuring a Multicast Router Port	104
Configuring Global Storm-Control	104
Enabling Global Storm-Control	105
Verifying Global Storm-Control	105
Configuring Per-Port Storm-Control	106
Enabling Per-Port Storm-Control	106
Disabling Per-Port Storm-Control	107
Configuring Separate Voice and Data Subnets	107
Voice Traffic and VVID	108
Configuring a Single Subnet for Voice and Data	108
Verifying Switchport Configuration	109
Configuring Ethernet Ports to Support Cisco IP Phones with Multiple Ports	109
IP Addressing	109
Managing the Ethernet Switch Network Module	109
Adding Trap Managers	110
Verifying Trap Managers	110
Configuring IP Information	110
Assigning IP Information to the Switch	110
Specifying a Domain Name and Configuring the DNS	111
Configuring Voice Ports	112
Configuring a Port to Connect to a Cisco 7960 IP phone	113
Disabling Inline Power on a Ethernet switch network module	113
Verifying Inline Power Configuration	114
Enabling Switch Port Analyzer	114
Managing the ARP Table	114
Managing the MAC Address Tables	115
Understanding MAC Addresses and VLANs	115
Changing the Address Aging Time	116
Configuring the Aging Time	116
Verifying Aging-Time Configuration	116
Removing Dynamic Addresses	116
Verifying Dynamic Addresses	117
Adding Secure Addresses	117
Verifying Secure Addresses	117
Configuring Static Addresses	118
Verifying Static Addresses	118
Clearing all MAC Address Tables	119
Configuring Intrachassis Stacking	119
Verifying Intra-chassis Stacking	119
Configuring Flow Control on Gigabit Ethernet Ports	119
Configuring Layer 3 Interfaces	120
Configuring Fallback Bridging	121
Understanding the Default Fallback Bridging Configuration	121
Creating a Bridge Group	121
Preventing the Forwarding of Dynamically Learned Stations	122
Configuring the Bridge Table Aging Time	123
Filtering Frames by a Specific MAC Address	124
Adjusting Spanning-Tree Parameters	124
Monitoring and Maintaining the Network	129
Configuration Examples for the 16- and 36-Port Ethernet Switch Module	130
Range of Interface Examples	130
Single Range Configuration Example	130
Multiple Range Configuration Example	131
Range Macro Definition Example	131
Optional Interface Feature Examples	131
Interface Speed Example	132
Setting the Interface Duplex Mode Example	132
Adding a Description for an Interface Example	132
Configuring an Ethernet Interface as a Layer 2 Trunk Example	132
VLAN Configuration Example	132
VTP Examples	133
VTP Server Example	133
VTP Client Example	133
Disabling VTP (VTP Transparent Mode) Example	133
VTP version 2 Example	133
EtherChannel Load Balancing Example	134
Layer 2 EtherChannels Example	134
EtherChannel Load Balancing Example	134
Removing an EtherChannel Example	134
802.1x Authentication Examples	134
Enabling 802.1x Authentication Example	135
Configuring the Switch-to-RADIUS-Server Communication Example	135
Enabling Periodic Re-Authentication Example	135
Changing the Quiet Period Example	135
Changing the Switch-to-Client Retransmission Time Example	135
Setting the Switch-to-Client Frame-Retransmission Number Example	135
Enabling Multiple Hosts Example	135
Spanning Tree Examples	136
Spanning-Tree Interface and Spanning-Tree Port Priority Example	136
Spanning-Tree Port Cost Example	136
Bridge Priority of a VLAN	137
Hello Time Example	137
Forward-Delay Time for a VLAN Example	137
Maximum Aging Time for a VLAN Example	137
BackboneFast Example	138
Spanning Tree Examples	138
Spanning Tree Root Example	138
Mac Table Manipulation Examples	138
Cisco Discovery Protocol (CDP) Example	138
Switched Port Analyzer (SPAN) Source Examples	139
SPAN Source Configuration Example	139
SPAN Destinations Example	139
Removing Sources or Destinations from a SPAN Session Example	139
Network Security and ACL Configuration Examples	139
Creating Numbered Standard and Extended ACLs Example	139
Creating Named Standard and Extended ACLs Example	140
Including Comments About Entries in ACLs Example	141
Applying the ACL to an Interface Example	141
Displaying Standard and Extended ACLs Example	141
Displaying Access Groups Example	142
Compiling ACLs Example	143
QoS Configuration Examples	144
Classifying Traffic by Using ACL Example	144
Classifying Traffic by Using Class Maps Example	144
Classifying, Policing, and Marking Traffic by Using Policy Maps Example	144
Configuring the CoS-to-DSCP Map Example	145
Configuring the DSCP-to-CoS Map Example	145
Displaying QoS Information Example	145
IGMP Snooping Example	145
Storm-Control Example	147
Ethernet Switching Examples	148
Subnets for Voice and Data Example	148
Inter-VLAN Routing Example	148
Single Subnet Configuration Example	149
Ethernet Ports on IP Phones with Multiple Ports Example	149
Intrachassis Stacking Example	150
Flow Control on Gigabit Ethernet Ports Example	151
Configuring Layer 3 Interfaces Example	153
Fallback Bridging Example	155
Creating a Bridge Group Example	155
Preventing the Forwarding of Dynamically Learned Stations Example	155
Configuring the Bridge Table Aging Time Example	155
Filtering Frames by a Specific MAC Address Example	155
Adjusting Spanning-Tree Parameters Examples	155
Command Reference	157
aaa authentication dot1x	159
class	161
class-map	163
debug dot1x	165
debug eswilp	166
debug ip igmp snooping	167
debug spanning-tree	168
deny (access-list configuration)	170
dot1x default	173
dot1x max-req	174
dot1x multiple-hosts	175
dot1x port-control	176
dot1x re-authenticate	178
dot1x re-authentication	179
dot1x timeout quiet-period	180
dot1x timeout re-authperiod	181
dot1x timeout tx-period	182
ip access-group	183
ip access-list	185
ip igmp snooping	187
ip igmp snooping vlan	189
ip igmp snooping vlan immediate-leave	190
ip igmp snooping vlan mrouter	192
ip igmp snooping vlan static	194
match (class-map configuration)	196
mls qos cos	198
mls qos map	200
mls qos trust	202
permit (access-list configuration)	204
police	207
policy-map	209
service-policy	211
show access-lists	212
show class-map	214
show dot1x	216
show ip access-lists	220
show ip igmp snooping	222
show ip igmp snooping mrouter	224
show mls masks	225
show mls qos interface	227
show mls qos maps	228
show policy-map	230
show spanning-tree	232
show storm-control	235
spanning-tree backbonefast	237
storm-control	238
switchport	240

Match case Limit results 1 per page

16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series

Feature Overview

Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ

Use the option that provides the greatest variety in your configuration. For example, if the traffic on a

channel is going only to a single MAC address, using the destination MAC address always chooses the

same link in the channel; using source addresses or IP addresses may result in better load balancing.

EtherChannel Configuration Guidelines and Restrictions

If improperly configured, some EtherChannel interfaces are disabled automatically to avoid network

loops and other problems. Follow these guidelines and restrictions to avoid configuration problems:

•

All Ethernet interfaces on all modules support EtherChannel (maximum of eight interfaces) with no

requirement that interfaces be physically contiguous or on the same module.

•

Configure all interfaces in an EtherChannel to operate at the same speed and duplex mode.

•

Enable all interfaces in an EtherChannel. If you shut down an interface in an EtherChannel, it is

treated as a link failure and its traffic is transferred to one of the remaining interfaces in the

EtherChannel.

•

An EtherChannel will not form if one of the interfaces is a Switched Port Analyzer (SPAN)

destination port.

For Layer 2 EtherChannels:

•

Assign all interfaces in the EtherChannel to the same VLAN, or configure them as trunks.

An EtherChannel supports the same allowed range of VLANs on all interfaces in a trunking Layer 2

EtherChannel. If the allowed range of VLANs is not the same, the interfaces do not form an

EtherChannel.

Interfaces with different Spanning Tree Protocol (STP) port path costs can form an EtherChannel as long

they are otherwise compatibly configured. Setting different STP port path costs does not, by itself, make

interfaces incompatible for the formation of an EtherChannel.

After you configure an EtherChannel, configuration that you apply to the port-channel interface affects

the EtherChannel.

802.1x Port-Based Authentication

This section describes how to configure IEEE 802.1x port-based authentication to prevent unauthorized

devices (clients) from gaining access to the network. As LANs extend to hotels, airports, and corporate

lobbies, insecure environments could be created.

Understanding 802.1x Port-Based Authentication

The IEEE 802.1x standard defines a client/server-based access control and authentication protocol that

restricts unauthorized devices from connecting to a LAN through publicly accessible ports. The

authentication server authenticates each client connected to a switch port before making available any

services offered by the switch or the LAN.

Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol

over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is

successful, normal traffic can pass through the port.