Software Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-Plus and 2960-C Switches)
First Published: 2015-09-21
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
CONTENTS

PREFACE: Preface lv
Document Conventions lv
Related Documentation lvi
Obtaining Documentation and Submitting a Service Request lvii
CHAPTER 1: Using the Command-Line Interface 1
Information About Using the Command-Line Interface 1
Command Modes 1
Understanding Abbreviated Commands 3
No and Default Forms of Commands 3
CLI Error Messages 3
Configuration Logging 4
Using the Help System 4
How to Use the CLI to Configure Features 5
Configuring the Command History 5
Changing the Command History Buffer Size 6
Recalling Commands 6
Disabling the Command History Feature 7
Enabling and Disabling Editing Features 7
Editing Commands Through Keystrokes 7
Editing Command Lines That Wrap 8
Searching and Filtering Output of show and more Commands 10
Accessing the CLI Through a Console Connection or Through Telnet 10
PART I: Assigning the Switch IP Address and Default Gateway 11

CHAPTER 2: Assigning the Switch IP Address and Default Gateway 13
Information About Performing Switch Setup Configuration 13
Understanding the Boot Process 13
Switches Information Assignment 14
Default Switch Information 15
DHCP-Based Autoconfiguration Overview 15
DHCP Client Request Process 15
DHCP-based Autoconfiguration and Image Update 16
Restrictions for DHCP-based Autoconfiguration 17
DHCP Autoconfiguration 17
DHCP Auto-Image Update 17
DHCP Server Configuration Guidelines 17
Purpose of the TFTP Server 18
Purpose of the DNS Server 19
Purpose of the Relay Device 19
How to Obtain Configuration Files 20
Example of DHCP-Based Autoconfiguration Network 21
Configuring the DHCP Auto Configuration and Image Update Features 22
Configuring DHCP Autoconfiguration (Only Configuration File) 23
Configuring DHCP Auto-Image Update (Configuration File and Image) 25
Configuring the Client to Download Files from DHCP Server 28
Manually Assigning IP Information to Multiple SVIs 29
Checking and Saving the Running Configuration 31
Configuring the NVRAM Buffer Size 31
Modifying the Switch Startup Configuration 33
Default Boot Configuration 33
Automatically Downloading a Configuration File 33
Specifying the Filename to Read and Write the System Configuration 33
Manually Booting the Switch 34
Booting a Specific Software Image On a Switch 35
Controlling Environment Variables 36
Scheduling a Reload of the Software Image 38
Boot Loader Upgrade and Image Verification for the FIPS Mode of Operation 39
PART II: Configuring Cisco IOS Configuration Engine 43

CHAPTER 3: Configuring Cisco IOS Configuration Engine 45
Finding Feature Information 45
Prerequisites for Configuring the Configuration Engine 45
Restrictions for Configuring the Configuration Engine 46
Information About Configuring the Configuration Engine 46
Cisco Configuration Engine Software 46
Configuration Service 47
Event Service 47
NameSpace Mapper 48
Cisco Networking Services IDs and Device Hostnames 48
ConfigID 48
DeviceID 48
Hostname and DeviceID 49
Hostname, DeviceID, and ConfigID 49
Cisco IOS CNS Agents 49
Initial Configuration 49
Incremental (Partial) Configuration 50
Synchronized Configuration 50
Automated CNS Configuration 50
How to Configure the Configuration Engine 51
Enabling Automated Cisco Networking Services (CNS) Configuration 51
Enabling the CNS Event Agent 53
Enabling the Cisco IOS CNS Agent 55
Enabling an Initial Configuration for Cisco IOS CNS Agent 56
Enabling a Partial Configuration for Cisco IOS CNS Agent 61
Monitoring CNS Configurations 62
Additional References 63
Feature History and Information for the Configuration Engine 64
PART III: Administering the Switch 65
CHAPTER 4: Administering the Switch 67
Finding Feature Information 67
Information About Administering the Switch 67
System Time and Date Management 67
System Clock 67
Network Time Protocol 68
NTP Version 4 69
Configuring Time and Date Manually 70
Setting the System Clock 70
Displaying the Time and Date Configuration 71
Configuring the Time Zone 71
Configuring Summer Time (Daylight Saving Time) 72
System Name and Prompt 76
Default System Name and Prompt Configuration 76
Configuring a System Name 76
DNS 77
Login Banners 80
Default Banner Configuration 80
Configuring a Message-of-the-Day Login Banner 80
Configuring a Login Banner 81
Managing the MAC Address Table 83
MAC Address Table 83
MAC Address Table Creation 83
MAC Addresses and VLANs 83
Default MAC Address Table Settings 84
Changing the Address Aging Time 84
Removing Dynamic Address Entries 85
Configuring MAC Address Change Notification Traps 85
Configuring MAC Address Move Notification Traps 88
Configuring MAC Threshold Notification Traps 90
Adding and Removing Static Address Entries 91
Configuring Unicast MAC Address Filtering Guidelines 93
Configuring Unicast MAC Address Filtering 94
Disabling MAC Address Learning on a VLAN Guidelines 95
Disabling MAC Address Learning on a VLAN 95
Displaying Address Table Entries 97
ARP Table Management 98
Configuration Examples for Switch Administration 98
Example: Setting the System Clock 98
Examples: Configuring Summer Time 98
Example: Configuring a MOTD Banner 98
Example: Configuring a Login Banner 99
Example: Configuring MAC Address Change Notification Traps 99
Example: Configuring MAC Threshold Notification Traps 100
Example: Adding the Static Address to the MAC Address Table 100
Example: Configuring Unicast MAC Address Filtering 100
Additional References for Switch Administration 100
Troubleshooting Administering the Switch 101
Overview 101
Support Articles 101
Feedback Request 102
Disclaimer and Caution 102
PART IV: Configuring Web-Based Authentication 103

CHAPTER 5: Configuring Web-Based Authentication 105
Finding Feature Information 105
Web-Based Authentication Overview 105
Device Roles 106
Host Detection 107
Session Creation 107
Authentication Process 108
Local Web Authentication Banner 108
Web Authentication Customizable Web Pages 111
Guidelines 111
Authentication Proxy Web Page Guidelines 112
Redirection URL for Successful Login Guidelines 113
Web-based Authentication Interactions with Other Features 113
Port Security 113
LAN Port IP 113
Gateway IP 113
ACLs 113
Context-Based Access Control 114
EtherChannel 114
Default Web-Based Authentication Configuration 114
Web-Based Authentication Configuration Guidelines and Restrictions 114
How to Configure Web-Based Authentication 116
Configuring the Authentication Rule and Interfaces 116
Configuring AAA Authentication 118
Configuring Switch-to-RADIUS-Server Communication 118
Configuring the HTTP Server 120
Customizing the Authentication Proxy Web Pages 121
Specifying a Redirection URL for Successful Login 123
Configuring Web-Based Authentication Parameters 123
Configuring a Web-Based Authentication Local Banner 124
Removing Web-Based Authentication Cache Entries 125
Monitoring Web-Based Authentication 126
Displaying Web-Based Authentication Status 126
Configuration Examples for Configuring Web-Based Authentication 127
Example: Configuring the Authentication Rule and Interfaces 127
Example: Customizing the Authentication Proxy Web Pages 127
Example: Specifying a Redirection URL for Successful Login 128
PART V: Auto Identity 129

CHAPTER 6: Auto Identity 131
Auto Identity 131
Information About Auto Identity 131
Auto Identity Overview 131
Auto Identity Global Template 132
Auto Identity Interface Templates 132
Auto Identity Built-in Policies 133
Auto Identity Class Maps Templates 133
Auto Identity Parameter Maps 134
Auto Identity Service Templates 134
How to Configure Auto Identity 134
Configuring Auto Identity Globally 134
Configuring Auto Identity at an Interface Level 136
Configuration Examples for Auto Identity 137
Example: Configuring Auto Identity Globally 137
Example: Configuring Auto Identity at an Interface Level 137
Verifying Auto Identity 137
Feature Information for Auto Identity 141
PART VI: Configuring Cisco TrustSec 143

CHAPTER 7: Configuring Cisco TrustSec 145
Finding Feature Information 145
Restrictions for Cisco TrustSec 145
Information about Cisco TrustSec 146
Cisco TrustSec Features 147
Additional References 148
PART VII: Managing Switch Stacks 151

CHAPTER 8: Managing Switch Stacks 153
Finding Feature Information 153
Prerequisites for Switch Stacks 153
Restrictions for Switch Stacks 153
Information About Switch Stacks 153
Switch Stack Overview 153
Switch Stack Membership 154
Master Election 155
Stack MAC Address 156
Member Numbers 156
Member Priority Values 157
Stack Offline Configuration 157
Stack Software Compatibility Recommendations 159
Stack Protocol Version 159
Major Stack Protocol Version Number Incompatibility Among Stack-Capable Switches 160
Minor Version Number Incompatibility Among Switches 160
Incompatible Software and Stack Member Image Upgrades 163
Switch Stack Configuration Files 163
Switch Stack Management Connectivity 164
Switch Stack Configuration Scenarios 165
How to Configure a Switch Stack 166
Default Switch Stack Configuration 166
Enabling the Persistent MAC Address Feature 167
Assigning Stack Member Information 169
Changing the Stack Membership 173
Accessing the CLI of a Specific Stack Member 173
Displaying Stack Information 173
Troubleshooting Stacks 174
Examples of Auto-Advise Messages 176
Examples of Auto-Advise Messages 178
Configuration Examples for Switch Stacks 179
Enabling the Persistent MAC Address Feature: Example 179
Provisioning a New Member for a Switch Stack: Example 180
show switch stack-ports summary Command Output: Example 180
Additional References for Switch Stacks 181
Troubleshooting Managing Switch Stacks 182
Overview 182
Support Articles 183
Feedback Request 183
Disclaimer and Caution 183
PART VIII: Clustering Switches 185

CHAPTER 9: Clustering Switches 187
Understanding Switch Clusters 187
Cluster Command Switch Characteristics 188
Standby Cluster Command Switch Characteristics 188
Candidate Switch and Cluster Member Switch Characteristics 189
Planning a Switch Cluster 189
Automatic Discovery of Cluster Candidates and Members 190
Discovery Through CDP Hops 190
Discovery Through Non-CDP-Capable and Noncluster-Capable Devices 190
Discovery Through Different VLANs 191
Discovery Through Different Management VLANs 192
Discovery of Newly Installed Switches 193
HSRP and Standby Cluster Command Switches 194
Virtual IP Addresses 194
Other Considerations for Cluster Standby Groups 195
Automatic Recovery of Cluster Configuration 196
IP Addresses 196
Hostnames 197
Passwords 197
SNMP Community Strings 197
TACACS+ and RADIUS 198
LRE Profiles 198
Using the CLI to Manage Switch Clusters 198
Catalyst 1900 and Catalyst 2820 CLI Considerations 198
Using SNMP to Manage Switch Clusters 199
PART IX: Configuring SDM Templates 201

CHAPTER 10: Configuring SDM Templates 203
Finding Feature Information 203
Information About Configuring SDM Templates 203
Understanding the SDM Templates 203
Configuring the Switch SDM Template 203
Default SDM Template 203
SDM Template Configuration Guidelines 204
Setting the SDM Template 204
Displaying the SDM Templates 205
Configuration Examples for SDM Templates 205
Examples: Configuring SDM Templates 205
Examples: Displaying SDM Templates 205
Additional References for SDM Templates 206
PART X: Configuring Switch-Based Authentication 209

CHAPTER 11: Configuring Switch-Based Authentication 211
Finding Feature Information 212
Preventing Unauthorized Access 212
Finding Feature Information 213
Restrictions for Controlling Switch Access with Passwords and Privileges 213
Information About Passwords and Privilege Levels 213
Default Password and Privilege Level Configuration 213
Additional Password Security 214
Password Recovery 214
Terminal Line Telnet Configuration 214
Username and Password Pairs 215
Privilege Levels 215
How to Control Switch Access with Passwords and Privilege Levels 216
Setting or Changing a Static Enable Password 216
Protecting Enable and Enable Secret Passwords with Encryption 217
Disabling Password Recovery 219
Setting a Telnet Password for a Terminal Line 220
Configuring Username and Password Pairs 222
Setting the Privilege Level for a Command 224
Changing the Default Privilege Level for Lines 225
Logging into and Exiting a Privilege Level 227
Monitoring Switch Access 227
Configuration Examples for Setting Passwords and Privilege Levels 227
Example: Setting or Changing a Static Enable Password 227
Example: Protecting Enable and Enable Secret Passwords with Encryption 228
Example: Setting a Telnet Password for a Terminal Line 228
Example: Setting the Privilege Level for a Command 228
Additional References 228
Finding Feature Information 229
Prerequisites for TACACS+ 229
Information About TACACS+ 230
TACACS+ and Switch Access 230
TACACS+ Overview 231
TACACS+ Operation 232
TACACS+ Configuration Options 233
TACACS+ Login Authentication 233
TACACS+ Authorization for Privileged EXEC Access and Network Services 233
TACACS+ Accounting 233
Default TACACS+ Configuration 234
How to Configure TACACS+ 234
Identifying the TACACS+ Server Host and Setting the Authentication Key 234
Configuring TACACS+ Login Authentication 235
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 238
Starting TACACS+ Accounting 239
Establishing a Session with a Router if the AAA Server is Unreachable 241
Monitoring TACACS+ 241
Additional References for TACACS+ 242
Feature Information for TACACS+ 242
Finding Feature Information 243
Prerequisites for Configuring RADIUS 243
Restrictions for Configuring RADIUS 244
Information about RADIUS 244
RADIUS and Switch Access 244
RADIUS Overview 245
RADIUS Operation 246
RADIUS Change of Authorization 246
Change-of-Authorization Requests 248
CoA Request Response Code 249
CoA Request Commands 251
RADIUS Server Host 253
RADIUS Login Authentication 254
AAA Server Groups 254
AAA Authorization 254
RADIUS Accounting 255
Vendor-Specific RADIUS Attributes 255
Vendor-Proprietary RADIUS Server Communication 266
Default RADIUS Configuration 266
How to Configure RADIUS 267
Identifying the RADIUS Server Host 267
Configuring RADIUS Login Authentication 269
Defining AAA Server Groups 272
Configuring RADIUS Authorization for User Privileged Access and Network Services 273
Starting RADIUS Accounting 275
Configuring Settings for All RADIUS Servers 276
Configuring the Switch to Use Vendor-Specific RADIUS Attributes 278
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 279
Configuring CoA on the Switch 281
Monitoring CoA Functionality 283
Configuration Examples for Controlling Switch Access with RADIUS 284
Examples: Identifying the RADIUS Server Host 284
Example: Using Two Different RADIUS Group Servers 284
Examples: Configuring the Switch to Use Vendor-Specific RADIUS Attributes 284
Example: Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 285
Additional References for RADIUS 285
Feature Information for RADIUS 286
Finding Feature Information 287
How to Configure Local Authentication and Authorization 287
Configuring the Switch for Local Authentication and Authorization 287
Monitoring Local Authentication and Authorization 290
Additional References 290
Finding Feature Information 291
Prerequisites for Configuring Secure Shell 291
Restrictions for Configuring Secure Shell 291
Information About SSH 292
SSH and Device Access 292
SSH Servers, Integrated Clients, and Supported Versions 292
SSH Configuration Guidelines 293
Secure Copy Protocol Overview 293
Secure Copy Protocol 294
Information About Configuring Secure Shell 294
How to Configure SSH 294
Setting Up the Switch to Run SSH 294
Configuring the SSH Server 296
Monitoring the SSH Configuration and Status 298
Additional References for Secure Shell 298
Finding Feature Information 298
Information about Secure Sockets Layer (SSL) HTTP 299
Secure HTTP Servers and Clients Overview 299
Certificate Authority Trustpoints 299
CipherSuites 300
Default SSL Configuration 301
SSL Configuration Guidelines 302
How to Configure Secure HTTP Servers and Clients 302
Configuring a CA Trustpoint 302
Configuring the Secure HTTP Server 304
Configuring the Secure HTTP Client 308
Monitoring Secure HTTP Server and Client Status 309
Additional References for Configuring Secure Shell 309
PART XI: X.509v3 Certificates for SSH Authentication 311

CHAPTER 12: X.509v3 Certificates for SSH Authentication 313
X.509v3 Certificates for SSH Authentication 313
Prerequisites for X.509v3 Certificates for SSH Authentication 313
Restrictions for X.509v3 Certificates for SSH Authentication 313
Information About X.509v3 Certificates for SSH Authentication 314
X.509v3 Certificates for SSH Authentication Overview 314
Server and User Authentication Using X.509v3 314
OCSP Response Stapling 314
How to Configure X.509v3 Certificates for SSH Authentication 315
Configuring Digital Certificates for Server Authentication 315
Configuring Digital Certificates for User Authentication 316
Verifying the Server and User Authentication Using Digital Certificates 318
Configuration Examples for X.509v3 Certificates for SSH Authentication 322
Example: Configuring Digital Certificates for Server Authentication 322
Example: Configuring Digital Certificate for User Authentication 322
Additional References for X.509v3 Certificates for SSH Authentication 323
Feature Information for X.509v3 Certificates for SSH Authentication 323
PART XII: Configuring IEEE 802.1x Port-Based Authentication 325

CHAPTER 13: Configuring IEEE 802.1x Port-Based Authentication 327
Information About 802.1x Port-Based Authentication 327
Port-Based Authentication Process 328
Port-Based Authentication Initiation and Message Exchange 330
Authentication Manager for Port-Based Authentication 331
Port-Based Authentication Methods 331
Per-User ACLs and Filter-Ids 332
Port-Based Authentication Manager CLI Commands 333
Ports in Authorized and Unauthorized States 334
Port-Based Authentication and Switch Stacks 335
802.1x Host Mode 336
802.1x Multiple Authentication Mode 336
Multi-auth Per User VLAN assignment 337
MAC Move 338
MAC Replace 339
802.1x Accounting 339
802.1x Accounting Attribute-Value Pairs 340
802.1x Readiness Check 341
Switch-to-RADIUS-Server Communication 341
802.1x Authentication with VLAN Assignment 341
802.1x Authentication with Per-User ACLs 343
802.1x Authentication with Downloadable ACLs and Redirect URLs 344
Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL 345
Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs 346
VLAN ID-Based MAC Authentication 346
802.1x Authentication with Guest VLAN 346
802.1x Authentication with Restricted VLAN 347
802.1x Authentication with Inaccessible Authentication Bypass 348
Inaccessible Authentication Bypass Support on Multiple-Authentication Ports 349
Inaccessible Authentication Bypass Authentication Results 349
Inaccessible Authentication Bypass Feature Interactions 349
802.1x Critical Voice VLAN 350
802.1x User Distribution 351
802.1x User Distribution Configuration Guidelines 351
IEEE 802.1x Authentication with Voice VLAN Ports 352
IEEE 802.1x Authentication with Port Security 352
IEEE 802.1x Authentication with Wake-on-LAN 352
IEEE 802.1x Authentication with MAC Authentication Bypass 353
Network Admission Control Layer 2 IEEE 802.1x Validation 354
Flexible Authentication Ordering 355
Open1x Authentication 355
Multidomain Authentication 356
Limiting Login for Users 357
802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT) 357
Voice Aware 802.1x Security 359
Common Session ID 359
How to Configure 802.1x Port-Based Authentication 360
Default 802.1x Authentication Configuration 360
802.1x Authentication Configuration Guidelines 361
802.1x Authentication 361
VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass 362
MAC Authentication Bypass 363
Maximum Number of Allowed Devices Per Port 363
Configuring 802.1x Readiness Check 364
Configuring Voice Aware 802.1x Security 365
Configuring 802.1x Violation Modes 367
Configuring 802.1x Authentication 369
Configuring the Host Mode 370
Configuring Periodic Re-Authentication 371
Changing the Quiet Period 372
Changing the Switch-to-Client Retransmission Time 373
Setting the Switch-to-Client Frame-Retransmission Number 375
Setting the Re-Authentication Number 376
Enabling MAC Move 377
Disabling MAC Move 378
Enabling MAC Replace 379
Configuring 802.1x Accounting 380
Configuring a Guest VLAN 382
Configuring a Restricted VLAN 383
Configuring Number of Authentication Attempts on a Restricted VLAN 385
Configuring 802.1x Authentication with WoL 386
Configuring MAC Authentication Bypass 387
Formatting a MAC Authentication Bypass Username and Password 388
Configuring 802.1x User Distribution 390
Example of Configuring VLAN Groups 390
Configuring NAC Layer 2 802.1x Validation 391
Configuring Limiting Login for Users 393
Configuring an Authenticator Switch with NEAT 394
Configuring a Supplicant Switch with NEAT 396
Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs 399
Configuring Downloadable ACLs 399
Configuring a Downloadable Policy 401
Configuring VLAN ID-based MAC Authentication 403
Configuring Flexible Authentication Ordering 404
Configuring Open1x 405
Disabling 802.1x Authentication on the Port 407
Resetting the 802.1x Authentication Configuration to the Default Values 408
Monitoring 802.1x Statistics and Status 409
Additional References for IEEE 802.1x Port-Based Authentication 410
PART XIII: Configuring Interface Characteristics 413

CHAPTER 14: Configuring Interface Characteristics 415
Finding Feature Information 415
Information About Configuring Interface Characteristics 415
Interface Types 415
Port-Based VLANs 415
Switch Ports 416
Switch Virtual Interfaces 417
EtherChannel Port Groups 417
Power over Ethernet Ports 417
Interface Connections 418
Interface Configuration Mode 418
Default Ethernet Interface Configuration 419
Interface Speed and Duplex Mode 420
Speed and Duplex Configuration Guidelines 420
IEEE 802.3x Flow Control 421
How to Configure Interface Characteristics 422
Configuring Interfaces 422
Adding a Description for an Interface 423
Configuring a Range of Interfaces 424
Configuring and Using Interface Range Macros 425
Configuring Ethernet Interfaces 427
Setting the Interface Speed and Duplex Parameters 427
Configuring IEEE 802.3x Flow Control 428
Monitoring Interface Characteristics 430
Monitoring Interface Status 430
Shutting Down and Restarting the Interface 431
Clearing and Resetting Interfaces and Counters 432
Configuration Examples for Interface Characteristics 432
Adding a Description to an Interface: Example 432
Identifying Interfaces on a Stack-Capable Switch: Examples 432
Configuring a Range of Interfaces: Examples 433
Configuring and Using Interface Range Macros: Examples 433
Setting Interface Speed and Duplex Mode: Example 434
Additional References 434

CHAPTER 15: Configuring Auto-MDIX 435
Prerequisites for Auto-MDIX 435
Restrictions for Auto-MDIX 435
Information About Configuring Auto-MDIX 435
Auto-MDIX on an Interface 435
How to Configure Auto-MDIX 436
Configuring Auto-MDIX on an Interface 436
Example for Configuring Auto-MDIX 437
Additional References 438

CHAPTER 16: Configuring System MTU 439
Finding Feature Information 439
Restrictions for System MTU 439
Information About the MTU 439
System MTU Values 440
How to Configure MTU 440
Configuring the System MTU 440
Configuration Examples for System MTU 441
Additional References for System MTU 441

CHAPTER 17: Configuring Power over Ethernet 443
Finding Feature Information 443
Information About PoE 443
Power over Ethernet Ports 443
Supported Protocols and Standards 444
Powered-Device Detection and Initial Power Allocation 444
Power Management Modes 445
Budgeting Power for Devices Connected to a PoE Port 446
How to Configure PoE 447
Configuring a Power Management Mode on a PoE Port 447
Budgeting Power to All PoE ports 448
Budgeting Power to a Specific PoE Port 450
Configuration Examples for Configuring PoE 451
Budgeting Power: Example 451
Additional References 451
PART XIV: Configuring VLANs, VTP, and Voice VLANs 453

CHAPTER 18: Configuring VLANs 455
Finding Feature Information 455
Prerequisites for VLANs 455
Restrictions for VLANs 456
Information About VLANs 456
Logical Networks 456
Supported VLANs 457
VLAN Port Membership Modes 457
VLAN Configuration Files 458
Normal-Range VLAN Configuration Guidelines 458
Extended-Range VLAN Configuration Guidelines 459
Default Ethernet VLAN Configuration 460
How to Configure VLANs 461
How to Configure Normal-Range VLANs 461
Creating or Modifying an Ethernet VLAN 461
Deleting a VLAN 463
Assigning Static-Access Ports to a VLAN 464
How to Configure Extended-Range VLANs 466
Creating an Extended-Range VLAN 466
Where to Go Next 468
Additional References 468

CHAPTER 19: Configuring VMPS 471
Finding Feature Information 471
Prerequisites for VMPS 471
Restrictions for VMPS 471
Information About VMPS 472
Dynamic VLAN Assignments 472
Dynamic-Access Port VLAN Membership 473
Default VMPS Client Configuration 474
How to Configure VMPS 474
Entering the IP Address of the VMPS 474
Configuring Dynamic-Access Ports on VMPS Clients 475
Reconfirming VLAN Memberships 477
Changing the Reconfirmation Interval 478
Changing the Retry Count 479
Troubleshooting Dynamic-Access Port VLAN Membership 480
Monitoring the VMPS 480
Configuration Example for VMPS 481
Example: VMPS Configuration 481
Where to Go Next 482
Additional References 483

CHAPTER 20: Configuring VLAN Trunks 485
Finding Feature Information 485
Prerequisites for VLAN Trunks 485
Restrictions for VLAN Trunks 486
Information about VLAN Trunks 486
Trunking Overview 486
Trunking Modes 487
Layer 2 Interface Modes 487
Allowed VLANs on a Trunk 488
Load Sharing on Trunk Ports 488
Network Load Sharing Using STP Priorities 488
Network Load Sharing Using STP Path Cost 488
Default Layer 2 Ethernet Interface VLAN Configuration 488
How to Configure VLAN Trunks 489
Configuring an Ethernet Interface as a Trunk Port 489
Configuring a Trunk Port 489
Defining the Allowed VLANs on a Trunk 491
Changing the Pruning-Eligible List 493
Configuring the Native VLAN for Untagged Traffic 494
Configuring Trunk Ports for Load Sharing 496
Configuring Load Sharing Using STP Port Priorities 496
Configuring Load Sharing Using STP Path Cost 499
Configuration Examples for VLAN Trunking 502
Example: Configuring a Trunk Port 502
Example: Removing a VLAN from a Port 502
Where to Go Next 502
Additional References 503

CHAPTER 21: Configuring VTP 505
Finding Feature Information 505
Prerequisites for VTP 505
Restrictions for VTP 506
Information About VTP 506
VTP 506
VTP Domain 506
VTP Modes 507
VTP Advertisements 508
VTP Version 2 509
VTP Version 3 509
VTP Pruning 510
VTP Configuration Guidelines 511
VTP Configuration Requirements 511
VTP Settings 512
Domain Names for Configuring VTP 512
Passwords for the VTP Domain 512
VTP Version 513
How to Configure VTP 514
Configuring VTP Mode 514
Configuring a VTP Version 3 Password 516
Configuring a VTP Version 3 Primary Server 517
Enabling the VTP Version 518
Enabling VTP Pruning 520
Configuring VTP on a Per-Port Basis 521
Adding a VTP Client Switch to a VTP Domain 522
Monitoring VTP 524
Configuration Examples for VTP 525
Example: Configuring a Switch as the Primary Server 525
Where to Go Next 525
Additional References 526

CHAPTER 22: Configuring Voice VLANs 527
Finding Feature Information 527
Prerequisites for Voice VLANs 527
Restrictions for Voice VLANs 528
Information About Voice VLAN 528
Voice VLANs 528
Cisco IP Phone Voice Traffic 528
Cisco IP Phone Data Traffic 529
Voice VLAN Configuration Guidelines 529
How to Configure Voice VLAN 530
Default Voice VLAN Configuration 530
Configuring Cisco IP Phone Voice Traffic 530
Configuring the Priority of Incoming Data Frames 532
Monitoring Voice VLAN 534
Where to Go Next 534
Additional References 534
PART XV: Configuring STP and MSTP 537

CHAPTER 23: Configuring Spanning Tree Protocol 539
Finding Feature Information 539
Restrictions for STP 539
Information About Spanning Tree Protocol 540
Spanning Tree Protocol 540
Spanning-Tree Topology and BPDUs 540
Bridge ID, Device Priority, and Extended System ID 541
Spanning-Tree Interface States 542
How a Switch or Port Becomes the Root Switch or Root Port 545
Spanning Tree and Redundant Connectivity 545
Spanning-Tree Address Management 546
Accelerated Aging to Retain Connectivity 546
Spanning-Tree Modes and Protocols 546
Supported Spanning-Tree Instances 547
Spanning-Tree Interoperability and Backward Compatibility 547
STP and IEEE 802.1Q Trunks 548
How to Configure Spanning-Tree Features 548
Default Spanning-Tree Configuration 548
Spanning-Tree Configuration Guidelines 549
Changing the Spanning-Tree Mode 550
Disabling Spanning Tree 551
Configuring the Root Switch 552
Configuring a Secondary Root Device 554
Configuring Port Priority 555
Configuring Path Cost 556
Configuring the Device Priority of a VLAN 558
Configuring Spanning-Tree Timers 559
Configuring the Hello Time 559
Configuring the Forwarding-Delay Time for a VLAN 560
Configuring the Maximum-Aging Time for a VLAN 561
Configuring the Transmit Hold-Count 562
Monitoring Spanning-Tree Status 563
Additional References for Spanning-Tree Protocol 563

CHAPTER 24: Configuring Multiple Spanning-Tree Protocol 565
Finding Feature Information 565
Prerequisites for MSTP 565
Restrictions for MSTP 566
Information About MSTP 566
MSTP Configuration 566
MSTP Configuration Guidelines 567
Root Switch 567
Multiple Spanning-Tree Regions 568
IST, CIST, and CST 568
Operations Within an MST Region 569
Operations Between MST Regions 569
IEEE 802.1s Terminology 569
Illustration of MST Regions 570
Hop Count 570
Boundary Ports 571
IEEE 802.1s Implementation 571
Port Role Naming Change 572
Interoperation Between Legacy and Standard Switches 572
Detecting Unidirectional Link Failure 573
MSTP and Device Stacks 573
Interoperability with IEEE 802.1D STP 573
RSTP Overview 574
Port Roles and the Active Topology 574
Rapid Convergence 575
Synchronization of Port Roles 576
Bridge Protocol Data Unit Format and Processing 577
Topology Changes 578
Protocol Migration Process 579
Default MSTP Configuration 579
About MST-to-PVST+ Interoperability (PVST+ Simulation) 580
About Detecting Unidirectional Link Failure 581
How to Configure MSTP Features 582
Specifying the MST Region Configuration and Enabling MSTP 582
Configuring the Root Switch 584
Configuring a Secondary Root Switch 585
Configuring Port Priority 587
Configuring Path Cost 588
Configuring the Switch Priority 590
Configuring the Hello Time 591
Configuring the Forwarding-Delay Time 592
Configuring the Maximum-Aging Time 593
Configuring the Maximum-Hop Count 594
Specifying the Link Type to Ensure Rapid Transitions 595
Designating the Neighbor Type 596
Restarting the Protocol Migration Process 597
Configuring PVST+ Simulation 598
Enabling PVST+ Simulation on a Port 599
Examples 600
Examples: PVST+ Simulation 600
Examples: Detecting Unidirectional Link Failure 604
Monitoring MST Configuration and Status 604
Additional References for MSTP 605

CHAPTER 25: Configuring Optional Spanning-Tree Features 607
Finding Feature Information 607
Restriction for Optional Spanning-Tree Features 607
Information About Optional Spanning-Tree Features 608
PortFast 608
BPDU Guard 608
BPDU Filtering 609
UplinkFast 609
Cross-Stack UplinkFast 611
How Cross-Stack UplinkFast Works 611
Events That Cause Fast Convergence 612
BackboneFast 613
EtherChannel Guard 615
Root Guard 616
Loop Guard 616
STP PortFast Port Types 617
Bridge Assurance 618
How to Configure Optional Spanning-Tree Features 620
Enabling PortFast 620
Enabling BPDU Guard 621
Enabling BPDU Filtering 623
Enabling UplinkFast for Use with Redundant Links 624
Disabling UplinkFast 625
Enabling BackboneFast 626
Enabling EtherChannel Guard 627
Enabling Root Guard 628
Enabling Loop Guard 630
Enabling PortFast Port Types 631
Configuring the Default Port State Globally 631
Configuring PortFast Edge on a Specified Interface 632
Configuring a PortFast Network Port on a Specified Interface 633
Enabling Bridge Assurance 634
Examples 635
Examples: Configuring PortFast Edge on a Specified Interface 635
Examples: Configuring a PortFast Network Port on a Specified Interface 636
Example: Configuring Bridge Assurance 637
Monitoring the Spanning-Tree Status 638
Additional References for Optional Spanning Tree Features 638
PART XVI Configuring Flex Links and the MAC Address-Table Move Update 641
CHAPTER 26 Configuring Flex Links and the MAC Address-Table Move Update Feature 643
Finding Feature Information 643
Restrictions for Configuring Flex Links and MAC Address-Table Move Update 643
Information About Flex Links and MAC Address-Table Move Update 644
Flex Links 644
Flex Links Configuration 644
VLAN Flex Links Load Balancing and Support 645
Multicast Fast Convergence with Flex Links Failover 645
Learning the Other Flex Links Port as the mrouter Port 645
Generating IGMP Reports 646
Leaking IGMP Reports 646
MAC Address-Table Move Update 646
Flex Links VLAN Load Balancing Configuration Guidelines 648
MAC Address-Table Move Update Configuration Guidelines 648
Default Flex Links and MAC Address-Table Move Update Configuration 648
How to Configure Flex Links and the MAC Address-Table Move Update Feature 648
Configuring Flex Links 648
Configuring a Preemption Scheme for a Pair of Flex Links 649
Configuring VLAN Load Balancing on Flex Links 651
Configuring MAC Address-Table Move Update 651
Configuring a Switch to Obtain and Process MAC Address-Table Move Update Messages 653
Monitoring Flex Links, Multicast Fast Convergence, and MAC Address-Table Move Update 654
Configuration Examples for Flex Links 654
Configuring Flex Links: Examples 654
Configuring VLAN Load Balancing on Flex Links: Examples 655
Configuring the MAC Address-Table Move Update: Examples 656
Configuring Multicast Fast Convergence with Flex Links Failover: Examples 656
PART XVII Configuring DHCP and IP Source Guard 659
CHAPTER 27 Configuring DHCP 661
Finding Feature Information 661
Prerequisites for Configuring DHCP Snooping and Option 82 661
Port-Based Address Allocation Configuration Guidelines 663
Information About DHCP 663
DHCP Server 663
DHCP Relay Agent 663
DHCP Snooping 663
Option-82 Data Insertion 665
Cisco IOS DHCP Server Database 667
DHCP Snooping Binding Database 668
DHCP Snooping and Switch Stacks 669
DHCP Server and Switch Stacks 669
DHCP Server Port-Based Address Allocation 669
Default DHCP Snooping Configuration 670
Default Port-Based Address Allocation Configuration 671
How to Configure DHCP 671
Configuring the DHCP Relay Agent 671
Enabling DHCP Snooping and Option 82 672
Enabling the DHCP Snooping Binding Database Agent 674
Enabling DHCP Server Port-Based Address Allocation 676
Preassigning IP Addresses 678
Monitoring DHCP 680
Monitoring DHCP Snooping Information 680
Monitoring DHCP Server Port-Based Address Allocation 681
Configuration Examples for DHCP 681
Enabling DHCP Server Port-Based Address Allocation: Examples 681
Feature Information for DHCP Snooping and Option 82 682
CHAPTER 28 Configuring IP Source Guard 683
Finding Feature Information 683
IP Source Guard Configuration Guidelines 683
Information About IP Source Guard 684
IP Source Guard 684
Source IP Address Filtering 684
Source IP and MAC Address Filtering 685
IP Source Guard for Static Hosts 685
Default IP Source Guard Configuration 686
How to Configure IP Source Guard 686
Enabling IP Source Guard 686
Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port 688
Configuration Examples for Configuring IP Source Guard for Static Hosts 689
Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port 689
Monitoring IP Source Guard 691
PART XVIII Configuring Dynamic ARP Inspection 693
CHAPTER 29 Configuring Dynamic ARP Inspection 695
Restrictions for Dynamic ARP Inspection 695
Understanding Dynamic ARP Inspection 696
Interface Trust States and Network Security 698
Rate Limiting of ARP Packets 699
Relative Priority of ARP ACLs and DHCP Snooping Entries 699
Logging of Dropped Packets 699
Dynamic ARP Inspection Log Buffer 699
Default Dynamic ARP Inspection Configuration 700
How to Configure Dynamic ARP Inspection 700
Configuring Dynamic ARP Inspection in DHCP Environments 700
Configuring ARP ACLs for Non-DHCP Environments 703
Limiting the Rate of Incoming ARP Packets 705
Performing Dynamic ARP Inspection Validation Checks 708
Configuring Dynamic ARP Inspection Log Buffer 709
Verifying the DAI Configuration 711
Monitoring DAI 712
Configuration Examples for Dynamic ARP Inspection 712
Example: Configuring ARP ACLs for Non-DHCP Environments 712
PART XIX Configuring Port-Based Traffic Control 713
CHAPTER 30 Configuring Port-Based Traffic Control 715
Overview of Port-Based Traffic Control 715
Configuring Storm Control 715
Information About Storm Control 715
Storm Control 715
How Traffic Activity is Measured 716
Traffic Patterns 716
How to Configure Storm Control 717
Configuring Storm Control and Threshold Levels 717
Configuring Small-Frame Arrival Rate 719
Configuration Examples for Configuring Storm Control 722
Example: Configuring Storm Control and Threshold Levels 722
Configuring Protected Ports 722
Information About Protected Ports 722
Protected Ports 722
Default Protected Port Configuration 722
Protected Ports Guidelines 722
How to Configure Protected Ports 723
Configuring a Protected Port 723
Configuring Port Blocking 724
Information About Port Blocking 724
Port Blocking 724
How to Configure Port Blocking 725
Blocking Flooded Traffic on an Interface 725
Configuring Port Security 726
Prerequisites for Port Security 726
Restrictions for Port Security 727
Information About Port Security 727
Port Security 727
Types of Secure MAC Addresses 727
Sticky Secure MAC Addresses 727
Security Violations 728
Default Port Security Configuration 729
Port Security Configuration Guidelines 729
Port Security Aging 731
Port Security and Switch Stacks 731
How to Configure Port Security 731
Enabling and Configuring Port Security 731
Enabling and Configuring Port Security Aging 736
Configuration Examples for Configuring Port Security 738
Example: Enabling and Configuring Port Security 738
Example: Enabling and Configuring Port Security Aging 739
Configuring Protocol Storm Protection 739
Information About Protocol Storm Protection 739
Protocol Storm Protection 739
Default Protocol Storm Protection Configuration 739
How to Configure Protocol Storm Protection 740
Enabling Protocol Storm Protection 740
Enabling Protocol Storm Protection 741
Monitoring Protocol Storm Protection 742
PART XX Configuring UniDirectional Link Detection 743
CHAPTER 31 Configuring UniDirectional Link Detection 745
Finding Feature Information 745
Restrictions for Configuring UDLD 745
Information About UDLD 746
Modes of Operation 746
Normal Mode 746
Aggressive Mode 746
Methods to Detect Unidirectional Links 747
Neighbor Database Maintenance 747
Event-Driven Detection and Echoing 748
UDLD Reset Options 748
Default UDLD Configuration 748
How to Configure UDLD 749
Enabling UDLD Globally 749
Enabling UDLD on an Interface 750
Monitoring and Maintaining UDLD 751
Additional References for UDLD 751
PART XXI Configuring Cisco Discovery Protocol 753
CHAPTER 32 Configuring the Cisco Discovery Protocol 755
Finding Feature Information 755
Information About CDP 755
Cisco Discovery Protocol Overview 755
Default Cisco Discovery Protocol Configuration 756
How to Configure CDP 756
Configuring Cisco Discovery Protocol Characteristics 756
Disabling Cisco Discovery Protocol 758
Enabling Cisco Discovery Protocol 759
Disabling Cisco Discovery Protocol on an Interface 761
Enabling Cisco Discovery Protocol on an Interface 762
Monitoring and Maintaining Cisco Discovery Protocol 764
Additional References 764
Feature History and Information for Cisco Discovery Protocol 765
PART XXII Configuring LLDP, LLDP-MED, and Wired Location Service 767
CHAPTER 33 Configuring LLDP, LLDP-MED, and Wired Location Service 769
Finding Feature Information 769
Restrictions for LLDP 769
Information About LLDP, LLDP-MED, and Wired Location Service 770
LLDP 770
LLDP Supported TLVs 770
LLDP and Cisco Switch Stacks 770
LLDP and Cisco Medianet 770
LLDP-MED 771
LLDP-MED Supported TLVs 771
Wired Location Service 772
Default LLDP Configuration 773
How to Configure LLDP, LLDP-MED, and Wired Location Service 773
Enabling LLDP 773
Configuring LLDP Characteristics 775
Configuring LLDP-MED TLVs 777
Configuring Network-Policy TLV 778
Configuring Location TLV and Wired Location Service 781
Enabling Wired Location Service on the Switch 783
Configuration Examples for LLDP, LLDP-MED, and Wired Location Service 785
Configuring Network-Policy TLV: Examples 785
Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service 785
Additional References for LLDP, LLDP-MED, and Wired Location Service 786
PART XXIII Configuring SPAN and RSPAN 789
CHAPTER 34 Configuring SPAN and RSPAN 791
Finding Feature Information 791
Prerequisites for SPAN and RSPAN 791
Restrictions for SPAN and RSPAN 792
Information About SPAN and RSPAN 793
SPAN and RSPAN 793
Local SPAN 794
Remote SPAN 795
SPAN and RSPAN Concepts and Terminology 796
SPAN and RSPAN Interaction with Other Features 801
Default SPAN and RSPAN Configuration 802
Configuration Guidelines 803
SPAN Configuration Guidelines 803
RSPAN Configuration Guidelines 803
How to Configure SPAN and RSPAN 804
Creating a Local SPAN Session 804
Creating a Local SPAN Session and Configuring Incoming Traffic 806
Specifying VLANs to Filter 808
Configuring a VLAN as an RSPAN VLAN 810
Creating an RSPAN Source Session 812
Creating an RSPAN Destination Session 814
Creating an RSPAN Destination Session and Configuring Incoming Traffic 816
Specifying VLANs to Filter 818
Monitoring SPAN and RSPAN Operations 820
SPAN and RSPAN Configuration Examples 820
Example: Configuring Local SPAN 820
Examples: Creating an RSPAN VLAN 821
Feature History and Information for SPAN and RSPAN 823
PART XXIV Configuring RMON 825
CHAPTER 35 Configuring RMON 827
Finding Feature Information 827
Information About RMON 827
Understanding RMON 827
How to Configure RMON 828
Default RMON Configuration 828
Configuring RMON Alarms and Events 829
Collecting Group History Statistics on an Interface 831
Collecting Group Ethernet Statistics on an Interface 832
Monitoring RMON Status 834
Additional References 834
PART XXV Configuring System Message Logging and Smart Logging 837
CHAPTER 36 Configuring System Message Logging and Smart Logging 839
Finding Feature Information 839
Information About System Message Logging 839
System Message Logging Process 839
How to Configure System Message Logging 840
Configuring System Message Logging 840
System Log Message Format 840
Default System Message Logging Configuration 841
Disabling Message Logging 842
Setting the Message Display Destination Device 843
Synchronizing Log Messages 846
Enabling and Disabling Time Stamps on Log Messages 848
Enabling and Disabling Sequence Numbers in Log Messages 849
Defining the Message Severity Level 850
Limiting Syslog Messages Sent to the History Table and to SNMP 852
Enabling the Configuration-Change Logger 854
Configuring UNIX Syslog Servers 856
Logging Messages to a UNIX Syslog Daemon 856
Configuring the UNIX System Logging Facility 857
Examples of System Message Logging 859
How to Configure Smart Logging 860
Configuring Smart Logging 860
Enabling Smart Logging 860
Enabling Smart Logging for DHCP Snooping Violations 861
Enabling Smart Logging for Dynamic ARP Inspection Violations 863
Enabling Smart Logging for IP Source Guard Violations 864
Enabling Smart Logging for Port ACL Deny or Permit Actions 865
Monitoring Logging Information 866
Monitoring Logging Information 866
Additional References 866
PART XXVI Configuring SNMP 869
CHAPTER 37 Configuring SNMP 871
Finding Feature Information 871
Prerequisites for SNMP 871
Restrictions for SNMP 873
Information About SNMP 874
SNMP Overview 874
SNMP Manager Functions 874
SNMP Agent Functions 874
SNMP Community Strings 875