Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

Cisco IOS Release 12.2(58)SE April 2011

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

Text Part Number: OL-9639-10

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R) Cisco ME 3400 Ethernet Access Switch Software Configuration Guide © 2006-2011 Cisco Systems, Inc. All rights reserved.

CONTENTS
Preface
xli xli xli xlii xlii xliii

Audience Purpose Conventions

Related Publications

Obtaining Documentation and Submitting a Service Request
1

CHAPTER

Overview

1-1

Features 1-1 Performance Features 1-2 Management Options 1-3 Manageability Features 1-4 Availability Features 1-5 VLAN Features 1-6 Security Features 1-7 Subscriber Security 1-7 Switch Security 1-7 Network Security 1-8 Quality of Service and Class of Service Features Layer 2 Virtual Private Network Services 1-9 Layer 3 Features 1-10 Layer 3 VPN Services 1-11 Monitoring Features 1-11 Default Settings After Initial Switch Configuration

1-9

1-12

Network Configuration Examples 1-15 Multidwelling or Ethernet-to-the-Subscriber Network Layer 2 VPN Application 1-16 Multi-VRF CE Application 1-18 Where to Go Next
2
1-19

1-15

CHAPTER

Using the Command-Line Interface Understanding Command Modes Understanding the Help System

2-1 2-1 2-3 2-3

Understanding Abbreviated Commands

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

iii

Contents

Understanding no and default Forms of Commands Understanding CLI Error Messages
2-4

2-4

Using Command History 2-4 Changing the Command History Buffer Size 2-5 Recalling Commands 2-5 Disabling the Command History Feature 2-5 Using Editing Features 2-6 Enabling and Disabling Editing Features 2-6 Editing Commands through Keystrokes 2-6 Editing Command Lines that Wrap 2-8 Searching and Filtering Output of show and more Commands
2-8

Accessing the CLI 2-9 Accessing the CLI through a Console Connection or through Telnet
3

2-9

CHAPTER

Assigning the Switch IP Address and Default Gateway Understanding the Boot Process
3-1

3-1

Assigning Switch Information 3-2 Default Switch Information 3-3 Understanding DHCP-Based Autoconfiguration 3-3 DHCP Client Request Process 3-3 Understanding DHCP-based Autoconfiguration and Image Update 3-5 DHCP Autoconfiguration 3-5 DHCP Auto-Image Update 3-5 Limitations and Restrictions 3-5 Configuring DHCP-Based Autoconfiguration 3-6 DHCP Server Configuration Guidelines 3-6 Configuring the TFTP Server 3-7 Configuring the DNS 3-7 Configuring the Relay Device 3-8 Obtaining Configuration Files 3-8 Example Configuration 3-9 Configuring the DHCP Auto Configuration and Image Update Features 3-11 Configuring DHCP Autoconfiguration (Only Configuration File) 3-11 Configuring DHCP Auto-Image Update (Configuration File and Image) 3-12 Configuring the Client 3-13 Manually Assigning IP Information 3-14 Checking and Saving the Running Configuration Configuring the NVRAM Buffer Size 3-17 Modifying the Startup Configuration
3-18 3-15

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

iv

OL-9639-10

Contents

Default Boot Configuration 3-19 Automatically Downloading a Configuration File 3-19 Specifying the Filename to Read and Write the System Configuration Booting Manually 3-20 Booting a Specific Software Image 3-20 Controlling Environment Variables 3-21 Scheduling a Reload of the Software Image 3-23 Configuring a Scheduled Reload 3-23 Displaying Scheduled Reload Information 3-24
4

3-19

CHAPTER

Configuring Cisco IOS Configuration Engine

4-1

Understanding Cisco Configuration Engine Software 4-1 Configuration Service 4-2 Event Service 4-3 NameSpace Mapper 4-3 What You Should Know About the CNS IDs and Device Hostnames ConfigID 4-3 DeviceID 4-4 Hostname and DeviceID 4-4 Using Hostname, DeviceID, and ConfigID 4-4 Understanding Cisco IOS Agents 4-5 Initial Configuration 4-5 Incremental (Partial) Configuration Synchronized Configuration 4-6

4-3

4-6

Configuring Cisco IOS Agents 4-6 Enabling Automated CNS Configuration 4-6 Enabling the CNS Event Agent 4-7 Enabling the Cisco IOS CNS Agent 4-9 Enabling an Initial Configuration 4-9 Enabling a Partial Configuration 4-13 Upgrading Devices with Cisco IOS Image Agent 4-14 Prerequisites for the CNS Image Agent 4-14 Restrictions for the CNS Image Agent 4-14 Displaying CNS Configuration
5
4-15

CHAPTER

Administering the Switch

5-1

Managing the System Time and Date 5-1 Understanding the System Clock 5-2 Understanding Network Time Protocol 5-2
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

v

Contents

Configuring NTP 5-4 Default NTP Configuration 5-4 Configuring NTP Authentication 5-4 Configuring NTP Associations 5-5 Configuring NTP Broadcast Service 5-6 Configuring NTP Access Restrictions 5-8 Configuring the Source IP Address for NTP Packets 5-10 Displaying the NTP Configuration 5-11 Configuring Time and Date Manually 5-11 Setting the System Clock 5-11 Displaying the Time and Date Configuration 5-12 Configuring the Time Zone 5-12 Configuring Summer Time (Daylight Saving Time) 5-13 Configuring a System Name and Prompt 5-14 Default System Name and Prompt Configuration Configuring a System Name 5-15 Understanding DNS 5-15 Default DNS Configuration 5-16 Setting Up DNS 5-16 Displaying the DNS Configuration 5-17 Creating a Banner 5-17 Default Banner Configuration 5-17 Configuring a Message-of-the-Day Login Banner Configuring a Login Banner 5-19
5-15

5-18

Suppressing the Power-Supply Alarm on an ME 3400G-12CS Switch Managing the MAC Address Table 5-20 Building the Address Table 5-21 MAC Addresses and VLANs 5-21 Default MAC Address Table Configuration 5-22 Changing the Address Aging Time 5-22 Removing Dynamic Address Entries 5-23 Configuring MAC Address Change Notification Traps 5-23 Configuring MAC Address Move Notification Traps 5-25 Configuring MAC Threshold Notification Traps 5-26 Adding and Removing Static Address Entries 5-27 Configuring Unicast MAC Address Filtering 5-28 Disabling MAC Address Learning on a VLAN 5-29 Displaying Address Table Entries 5-31 Managing the ARP Table
5-31

5-19

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

vi

OL-9639-10

Contents

CHAPTER

6

Configuring SDM Templates

6-1

Understanding the SDM Templates 6-1 Dual IPv4 and IPv6 SDM Templates 6-2 Configuring the Switch SDM Template 6-3 Default SDM Template 6-3 SDM Template Configuration Guidelines Setting the SDM Template 6-4 Displaying the SDM Templates
7
6-5

6-4

CHAPTER

Configuring Switch-Based Authentication

7-1 7-1

Preventing Unauthorized Access to Your Switch

Protecting Access to Privileged EXEC Commands 7-2 Default Password and Privilege Level Configuration 7-2 Setting or Changing a Static Enable Password 7-3 Protecting Enable and Enable Secret Passwords with Encryption Disabling Password Recovery 7-5 Setting a Telnet Password for a Terminal Line 7-6 Configuring Username and Password Pairs 7-6 Configuring Multiple Privilege Levels 7-7 Setting the Privilege Level for a Command 7-8 Changing the Default Privilege Level for Lines 7-9 Logging into and Exiting a Privilege Level 7-9

7-3

Controlling Switch Access with TACACS+ 7-10 Understanding TACACS+ 7-10 TACACS+ Operation 7-12 Configuring TACACS+ 7-12 Default TACACS+ Configuration 7-13 Identifying the TACACS+ Server Host and Setting the Authentication Key 7-13 Configuring TACACS+ Login Authentication 7-14 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Starting TACACS+ Accounting 7-17 Establishing a Session with a Router if the AAA Server is Unreachable 7-17 Displaying the TACACS+ Configuration 7-17 Controlling Switch Access with RADIUS 7-18 Understanding RADIUS 7-18 RADIUS Operation 7-19 Configuring RADIUS 7-20 Default RADIUS Configuration 7-20 Identifying the RADIUS Server Host 7-20
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

7-16

vii

Contents

Configuring RADIUS Login Authentication 7-23 Defining AAA Server Groups 7-25 Configuring RADIUS Authorization for User Privileged Access and Network Services 7-27 Starting RADIUS Accounting 7-28 Establishing a Session with a Router if the AAA Server is Unreachable 7-28 Configuring Settings for All RADIUS Servers 7-29 Configuring the Switch to Use Vendor-Specific RADIUS Attributes 7-29 Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 7-30 Configuring RADIUS Server Load Balancing 7-31 Displaying the RADIUS Configuration 7-31 Controlling Switch Access with Kerberos 7-32 Understanding Kerberos 7-32 Kerberos Operation 7-34 Authenticating to a Boundary Switch 7-34 Obtaining a TGT from a KDC 7-35 Authenticating to Network Services 7-35 Configuring Kerberos 7-35 Configuring the Switch for Local Authentication and Authorization Configuring the Switch for Secure Shell 7-37 Understanding SSH 7-37 SSH Servers, Integrated Clients, and Supported Versions Limitations 7-38 Configuring SSH 7-38 Configuration Guidelines 7-38 Setting Up the Switch to Run SSH 7-39 Configuring the SSH Server 7-40 Displaying the SSH Configuration and Status 7-40 Configuring the Switch for Secure Copy Protocol Information About Secure Copy 7-41
8
7-41 7-36

7-37

CHAPTER

Configuring IEEE 802.1x Port-Based Authentication

8-1

Understanding IEEE 802.1x Port-Based Authentication 8-1 Device Roles 8-2 Authentication Initiation and Message Exchange 8-3 Ports in Authorized and Unauthorized States 8-4 802.1x Accounting 8-5 802.1x Accounting Attribute-Value Pairs 8-5 802.1x Host Mode 8-6 802.1x Readiness Check 8-7
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

viii

OL-9639-10

Contents

802.1x with Port Security 8-7 802.1x with VLAN Assignment 8-8 802.1x User Distribution 8-9 802.1x User Distribution Configuration Guidelines 8-9 802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT) Guidelines 8-11 Common Session ID 8-11 Configuring IEEE 802.1x Authentication 8-12 Default 802.1x Configuration 8-12 802.1x Configuration Guidelines 8-13 Maximum Number of Allowed Devices Per Port 8-14 Configuring 802.1x Authentication 8-14 Configuring the Switch-to-RADIUS-Server Communication 8-16 Configuring 802.1x Readiness Check 8-17 Configuring 802.1x Violation Modes 8-18 Configuring Periodic Re-Authentication 8-18 Manually Re-Authenticating a Client Connected to a Port 8-19 Changing the Quiet Period 8-19 Changing the Switch-to-Client Retransmission Time 8-20 Setting the Switch-to-Client Frame-Retransmission Number 8-21 Setting the Re-Authentication Number 8-22 Configuring the Host Mode 8-22 Resetting the 802.1x Configuration to the Default Values 8-23 Configuring 802.1x Accounting 8-23 Configuring 802.1x User Distribution 8-25 Configuring an Authenticator and a Supplicant Switch with NEAT 8-26 Configuring NEAT with ASP 8-27 Displaying 802.1x Statistics and Status
9
8-27

8-10

CHAPTER

Configuring Interfaces

9-1

Understanding Interface Types 9-1 UNI, NNI, and ENI Port Types 9-2 Port-Based VLANs 9-2 Switch Ports 9-3 Access Ports 9-4 Trunk Ports 9-4 Tunnel Ports 9-4 Routed Ports 9-5 Switch Virtual Interfaces 9-5

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

ix

Contents

EtherChannel Port Groups 9-6 Dual-Purpose Ports 9-6 Connecting Interfaces 9-7 Using Interface Configuration Mode 9-8 Procedures for Configuring Interfaces 9-8 Configuring a Range of Interfaces 9-9 Configuring and Using Interface Range Macros

9-10

Configuring Ethernet Interfaces 9-12 Default Ethernet Interface Configuration 9-12 Configuring the Port Type 9-14 Configuring Interface Speed and Duplex Mode 9-15 Speed and Duplex Configuration Guidelines 9-15 Setting the Interface Speed and Duplex Parameters Configuring a Dual-Purpose Port 9-18 Configuring IEEE 802.3x Flow Control 9-20 Configuring Auto-MDIX on an Interface 9-21 Adding a Description for an Interface 9-22 Configuring Layer 3 Interfaces Configuring the System MTU
9-22 9-24

9-16

Monitoring and Maintaining the Interfaces 9-27 Monitoring Interface Status 9-27 Clearing and Resetting Interfaces and Counters 9-28 Shutting Down and Restarting the Interface 9-29
10

CHAPTER

Configuring Command Macros

10-1 10-1

Understanding Command Macros

Configuring Command Macros 10-1 Default Command Macro Configuration 10-2 Command Macro Configuration Guidelines 10-2 Creating Command Macros 10-3 Applying Command Macros 10-4 Displaying Command Macros
11
10-5

CHAPTER

Configuring VLANs

11-1

Understanding VLANs 11-1 Supported VLANs 11-3 Normal-Range VLANs 11-3 Extended-Range VLANs 11-4

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

x

OL-9639-10

Contents

VLAN Port Membership Modes UNI-ENI VLANs 11-5

11-4

Creating and Modifying VLANs 11-7 Default Ethernet VLAN Configuration 11-7 VLAN Configuration Guidelines 11-8 Creating or Modifying an Ethernet VLAN 11-9 Assigning Static-Access Ports to a VLAN 11-11 Creating an Extended-Range VLAN with an Internal VLAN ID Configuring UNI-ENI VLANs 11-12 Configuration Guidelines 11-12 Configuring UNI-ENI VLANs 11-13 Displaying VLANs
11-14

11-12

Configuring VLAN Trunks 11-14 Trunking Overview 11-15 IEEE 802.1Q Configuration Considerations 11-15 Default Layer 2 Ethernet Interface VLAN Configuration 11-16 Configuring an Ethernet Interface as a Trunk Port 11-16 Interaction with Other Features 11-16 Configuring a Trunk Port 11-17 Defining the Allowed VLANs on a Trunk 11-18 Configuring the Native VLAN for Untagged Traffic 11-19 Configuring Trunk Ports for Load Sharing 11-19 Load Sharing Using STP Port Priorities 11-20 Load Sharing Using STP Path Cost 11-21 Configuring VMPS 11-23 Understanding VMPS 11-23 Dynamic-Access Port VLAN Membership 11-24 Default VMPS Client Configuration 11-25 VMPS Configuration Guidelines 11-25 Configuring the VMPS Client 11-25 Entering the IP Address of the VMPS 11-26 Configuring Dynamic-Access Ports on VMPS Clients 11-26 Reconfirming VLAN Memberships 11-27 Changing the Reconfirmation Interval 11-27 Changing the Retry Count 11-27 Monitoring the VMPS 11-28 Troubleshooting Dynamic-Access Port VLAN Membership 11-28 VMPS Configuration Example 11-28

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

xi

Contents

CHAPTER

12

Configuring Private VLANs

12-1

Understanding Private VLANs 12-1 Types of Private VLANs and Private-VLAN Ports 12-1 IP Addressing Scheme with Private VLANs 12-4 Private VLANs across Multiple Switches 12-4 Private VLANs and Unicast, Broadcast, and Multicast Traffic Private VLANs and SVIs 12-5

12-5

Configuring Private VLANs 12-6 Tasks for Configuring Private VLANs 12-6 Default Private-VLAN Configuration 12-6 Private-VLAN Configuration Guidelines 12-6 Secondary and Primary VLAN Configuration 12-7 Private-VLAN Port Configuration 12-8 Limitations with Other Features 12-9 Configuring and Associating VLANs in a Private VLAN 12-10 Configuring a Layer 2 Interface as a Private-VLAN Host Port 12-11 Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port 12-12 Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface 12-13 Monitoring Private VLANs
13
12-15

CHAPTER

Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling Understanding 802.1Q Tunneling
13-1

13-1

Configuring 802.1Q Tunneling 13-4 Default 802.1Q Tunneling Configuration 13-4 802.1Q Tunneling Configuration Guidelines 13-4 Native VLANs 13-4 System MTU 13-5 802.1Q Tunneling and Other Features 13-5 Configuring an 802.1Q Tunneling Port 13-6 \Understanding Layer 2 Protocol Tunneling
13-7

Configuring Layer 2 Protocol Tunneling 13-10 Default Layer 2 Protocol Tunneling Configuration 13-11 Layer 2 Protocol Tunneling Configuration Guidelines 13-11 Configuring Layer 2 Protocol Tunneling 13-13 Configuring Layer 2 Tunneling for EtherChannels 13-14 Configuring the SP Edge Switch 13-14 Configuring the Customer Switch 13-16 Monitoring and Maintaining Tunneling and Mapping Status
13-18

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

xii

OL-9639-10

Contents

CHAPTER

14

Configuring STP

14-1

Understanding Spanning-Tree Features 14-1 STP Overview 14-2 Spanning-Tree Topology and BPDUs 14-3 Bridge ID, Switch Priority, and Extended System ID 14-4 Spanning-Tree Interface States 14-4 Blocking State 14-6 Listening State 14-6 Learning State 14-7 Forwarding State 14-7 Disabled State 14-7 How a Switch or Port Becomes the Root Switch or Root Port 14-7 Spanning Tree and Redundant Connectivity 14-8 Spanning-Tree Address Management 14-9 Accelerated Aging to Retain Connectivity 14-9 Spanning-Tree Modes and Protocols 14-9 Supported Spanning-Tree Instances 14-10 Spanning-Tree Interoperability and Backward Compatibility 14-10 STP and IEEE 802.1Q Trunks 14-11 Configuring Spanning-Tree Features 14-11 Default Spanning-Tree Configuration 14-11 Spanning-Tree Configuration Guidelines 14-12 Enabling Spanning Tree on an ENI 14-13 Changing the Spanning-Tree Mode. 14-14 Disabling Spanning Tree 14-15 Configuring the Root Switch 14-15 Configuring a Secondary Root Switch 14-17 Configuring Port Priority 14-17 Configuring Path Cost 14-19 Configuring the Switch Priority of a VLAN 14-20 Configuring Spanning-Tree Timers 14-21 Configuring the Hello Time 14-21 Configuring the Forwarding-Delay Time for a VLAN 14-22 Configuring the Maximum-Aging Time for a VLAN 14-22 Displaying the Spanning-Tree Status
15
14-23

CHAPTER

Configuring MSTP

15-1

Understanding MSTP 15-2 Multiple Spanning-Tree Regions

15-2

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

xiii

Contents

IST, CIST, and CST 15-2 Operations Within an MST Region 15-3 Operations Between MST Regions 15-3 IEEE 802.1s Terminology 15-5 Hop Count 15-5 Boundary Ports 15-6 IEEE 802.1s Implementation 15-6 Port Role Naming Change 15-7 Interoperation Between Legacy and Standard Switches Detecting Unidirectional Link Failure 15-8 Interoperability with IEEE 802.1D STP 15-8 Understanding RSTP 15-8 Port Roles and the Active Topology 15-9 Rapid Convergence 15-10 Synchronization of Port Roles 15-11 Bridge Protocol Data Unit Format and Processing 15-12 Processing Superior BPDU Information 15-13 Processing Inferior BPDU Information 15-13 Topology Changes 15-13 Configuring MSTP Features 15-14 Default MSTP Configuration 15-14 MSTP Configuration Guidelines 15-15 Specifying the MST Region Configuration and Enabling MSTP Configuring the Root Switch 15-17 Configuring a Secondary Root Switch 15-19 Configuring Port Priority 15-19 Configuring Path Cost 15-21 Configuring the Switch Priority 15-22 Configuring the Hello Time 15-23 Configuring the Forwarding-Delay Time 15-23 Configuring the Maximum-Aging Time 15-24 Configuring the Maximum-Hop Count 15-24 Specifying the Link Type to Ensure Rapid Transitions 15-25 Designating the Neighbor Type 15-25 Restarting the Protocol Migration Process 15-26 Displaying the MST Configuration and Status
15-27

15-7

15-16

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

xiv

OL-9639-10

Contents

CHAPTER

16

Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding Port Fast 16-2 Understanding BPDU Guard 16-3 Understanding BPDU Filtering 16-3 Understanding EtherChannel Guard 16-3 Understanding Root Guard 16-4 Understanding Loop Guard 16-5

16-1 16-1

Configuring Optional Spanning-Tree Features 16-5 Default Optional Spanning-Tree Configuration 16-5 Optional Spanning-Tree Configuration Guidelines 16-6 Enabling Port Fast 16-6 Enabling BPDU Guard 16-7 Enabling BPDU Filtering 16-8 Enabling EtherChannel Guard 16-9 Enabling Root Guard 16-10 Enabling Loop Guard 16-10 Displaying the Spanning-Tree Status
17
16-11

CHAPTER

Configuring Resilient Ethernet Protocol Understanding REP 17-1 Link Integrity 17-3 Fast Convergence 17-4 VLAN Load Balancing 17-4 Spanning Tree Interaction 17-6 REP Ports 17-6

17-1

Configuring REP 17-6 Default REP Configuration 17-7 REP Configuration Guidelines 17-7 Configuring the REP Administrative VLAN 17-8 Configuring REP Interfaces 17-9 Setting Manual Preemption for VLAN Load Balancing Configuring SNMP Traps for REP 17-13 Monitoring REP
17-14

17-13

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

xv

Contents

CHAPTER

18

Configuring Flex Links and the MAC Address-Table Move Update Feature Understanding Flex Links and the MAC Address-Table Move Update Flex Links 18-1 VLAN Flex Link Load Balancing and Support 18-2 Flex Link Multicast Fast Convergence 18-3 Learning the Other Flex Link Port as the mrouter Port 18-3 Generating IGMP Reports 18-3 Leaking IGMP Reports 18-4 MAC Address-Table Move Update 18-6 Configuring Flex Links and MAC Address-Table Move Update 18-7 Default Configuration 18-7 Configuration Guidelines 18-8 Configuring Flex Links 18-8 Configuring VLAN Load Balancing on Flex Links 18-10 Configuring the MAC Address-Table Move Update Feature 18-12 Monitoring Flex Links and the MAC Address-Table Move Update
18-14 18-1

18-1

CHAPTER

19

Configuring DHCP Features and IP Source Guard Understanding DHCP Features 19-1 DHCP Server 19-2 DHCP Relay Agent 19-2 DHCP Snooping 19-2 Option-82 Data Insertion 19-3 Cisco IOS DHCP Server Database 19-6 DHCP Snooping Binding Database 19-6

19-1

Configuring DHCP Features 19-7 Default DHCP Configuration 19-8 DHCP Snooping Configuration Guidelines 19-8 Configuring the DHCP Server 19-9 Configuring the DHCP Relay Agent 19-10 Specifying the Packet Forwarding Address 19-10 Enabling DHCP Snooping and Option 82 19-11 Enabling DHCP Snooping on Private VLANs 19-13 Enabling the Cisco IOS DHCP Server Database 19-13 Enabling the DHCP Snooping Binding Database Agent 19-13 Displaying DHCP Snooping Information
19-15 19-15

Understanding DHCP Server Port-Based Address Allocation Configuring DHCP Server Port-Based Address Allocation

19-15

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

xvi

OL-9639-10

Contents

Default Port-Based Address Allocation Configuration 19-16 Port-Based Address Allocation Configuration Guidelines 19-16 Enabling DHCP Server Port-Based Address Allocation 19-16 Displaying DHCP Server Port-Based Address Allocation Understanding IP Source Guard 19-19 Source IP Address Filtering 19-19 Source IP and MAC Address Filtering 19-20 IP Source Guard for Static Hosts 19-20 Configuring IP Source Guard 19-21 Default IP Source Guard Configuration 19-21 IP Source Guard Configuration Guidelines 19-21 Enabling IP Source Guard 19-21 Configuring IP Source Guard for Static Hosts 19-23 Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port 19-23 Configuring IP Source Guard for Static Hosts on a Private VLAN Host Port 19-26 Displaying IP Source Guard Information
20
19-28 19-18

CHAPTER

Configuring Dynamic ARP Inspection

20-1

Understanding Dynamic ARP Inspection 20-1 Interface Trust States and Network Security 20-3 Rate Limiting of ARP Packets 20-4 Relative Priority of ARP ACLs and DHCP Snooping Entries Logging of Dropped Packets 20-4 Configuring Dynamic ARP Inspection 20-5 Default Dynamic ARP Inspection Configuration 20-5 Dynamic ARP Inspection Configuration Guidelines 20-6 Configuring Dynamic ARP Inspection in DHCP Environments Configuring ARP ACLs for Non-DHCP Environments 20-8 Limiting the Rate of Incoming ARP Packets 20-10 Performing Validation Checks 20-12 Configuring the Log Buffer 20-13 Displaying Dynamic ARP Inspection Information
21
20-14

20-4

20-7

CHAPTER

Configuring IGMP Snooping and MVR Understanding IGMP Snooping IGMP Versions 21-2 Joining a Multicast Group Leaving a Multicast Group Immediate Leave 21-5
21-1

21-1

21-3 21-5

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

xvii

Contents

IGMP Configurable-Leave Timer 21-5 IGMP Report Suppression 21-5 Configuring IGMP Snooping 21-6 Default IGMP Snooping Configuration 21-6 Enabling or Disabling IGMP Snooping 21-7 Configuring a Multicast Router Port 21-7 Configuring a Host Statically to Join a Group 21-8 Enabling IGMP Immediate Leave 21-9 Configuring the IGMP Leave Timer 21-9 Configuring TCN-Related Commands 21-10 Controlling the Multicast Flooding Time After a TCN Event Recovering from Flood Mode 21-11 Disabling Multicast Flooding During a TCN Event 21-11 Configuring the IGMP Snooping Querier 21-12 Disabling IGMP Report Suppression 21-14 Displaying IGMP Snooping Information
21-14

21-10

Understanding Multicast VLAN Registration 21-15 Using MVR in a Multicast Television Application Configuring MVR 21-18 Default MVR Configuration 21-18 MVR Configuration Guidelines and Limitations Configuring MVR Global Parameters 21-19 Configuring MVR on Access Ports 21-21 Configuring MVR on Trunk Ports 21-22 Displaying MVR Information
21-23

21-16

21-18

Configuring IGMP Filtering and Throttling 21-24 Default IGMP Filtering and Throttling Configuration 21-24 Configuring IGMP Profiles 21-25 Applying IGMP Profiles 21-26 Setting the Maximum Number of IGMP Groups 21-27 Configuring the IGMP Throttling Action 21-27 Displaying IGMP Filtering and Throttling Configuration
22
21-29

CHAPTER

Configuring Port-Based Traffic Control

22-1

Configuring Storm Control 22-1 Understanding Storm Control 22-1 Default Storm Control Configuration 22-3 Configuring Storm Control and Threshold Levels Configuring Small-Frame Arrival Rate 22-5
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

22-3

xviii

OL-9639-10

Contents

Configuring Protected Ports 22-6 Default Protected Port Configuration 22-6 Protected Port Configuration Guidelines 22-6 Configuring a Protected Port 22-7 Configuring Port Blocking 22-7 Default Port Blocking Configuration 22-8 Blocking Flooded Traffic on an Interface 22-8 Configuring Port Security 22-9 Understanding Port Security 22-9 Secure MAC Addresses 22-9 Security Violations 22-10 Default Port Security Configuration 22-11 Port Security Configuration Guidelines 22-11 Enabling and Configuring Port Security 22-12 Enabling and Configuring Port Security Aging 22-16 Port Security and Private VLANs 22-17 Displaying Port-Based Traffic Control Settings
23
22-18

CHAPTER

Configuring CDP

23-1 23-1

Understanding CDP

Configuring CDP 23-2 Default CDP Configuration 23-2 Configuring the CDP Characteristics 23-2 Disabling and Enabling CDP 23-3 Disabling and Enabling CDP on an Interface Monitoring and Maintaining CDP
24
23-5

23-4

CHAPTER

Configuring LLDP and LLDP-MED

24-1

Understanding LLDP and LLDP-MED 24-1 Understanding LLDP 24-1 Understanding LLDP-MED 24-2 Configuring LLDP and LLDP-MED 24-3 Default LLDP Configuration 24-3 Configuring LLDP Characteristics 24-4 Disabling and Enabling LLDP Globally 24-5 Disabling and Enabling LLDP on an Interface Configuring LLDP-MED TLVs 24-6 Monitoring and Maintaining LLDP and LLDP-MED

24-5

24-8

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

xix

Contents

CHAPTER

25

Configuring UDLD

25-1

Understanding UDLD 25-1 Modes of Operation 25-1 Methods to Detect Unidirectional Links Configuring UDLD 25-3 Default UDLD Configuration 25-4 Configuration Guidelines 25-4 Enabling UDLD Globally 25-5 Enabling UDLD on an Interface 25-5 Resetting an Interface Disabled by UDLD Displaying UDLD Status
26
25-6

25-2

25-6

CHAPTER

Configuring SPAN and RSPAN

26-1

Understanding SPAN and RSPAN 26-1 Local SPAN 26-2 Remote SPAN 26-2 SPAN and RSPAN Concepts and Terminology 26-3 SPAN Sessions 26-3 Monitored Traffic 26-4 Source Ports 26-5 Source VLANs 26-6 VLAN Filtering 26-6 Destination Port 26-6 RSPAN VLAN 26-7 SPAN and RSPAN Interaction with Other Features 26-8 Configuring SPAN and RSPAN 26-9 Default SPAN and RSPAN Configuration 26-9 Configuring Local SPAN 26-10 SPAN Configuration Guidelines 26-10 Creating a Local SPAN Session 26-11 Creating a Local SPAN Session and Configuring Ingress Traffic 26-13 Specifying VLANs to Filter 26-15 Configuring RSPAN 26-16 RSPAN Configuration Guidelines 26-16 Configuring a VLAN as an RSPAN VLAN 26-17 Creating an RSPAN Source Session 26-17 Creating an RSPAN Destination Session 26-19 Creating an RSPAN Destination Session and Configuring Ingress Traffic Specifying VLANs to Filter 26-21
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

26-20

xx

OL-9639-10

Contents

Displaying SPAN and RSPAN Status
27

26-22

CHAPTER

Configuring RMON

27-1 27-1

Understanding RMON

Configuring RMON 27-2 Default RMON Configuration 27-3 Configuring RMON Alarms and Events 27-3 Collecting Group History Statistics on an Interface 27-5 Collecting Group Ethernet Statistics on an Interface 27-5 Displaying RMON Status
28
27-6

CHAPTER

Configuring System Message Logging

28-1 28-1

Understanding System Message Logging

Configuring System Message Logging 28-2 System Log Message Format 28-2 Default System Message Logging Configuration 28-3 Disabling Message Logging 28-4 Setting the Message Display Destination Device 28-5 Synchronizing Log Messages 28-6 Enabling and Disabling Time Stamps on Log Messages 28-7 Enabling and Disabling Sequence Numbers in Log Messages 28-8 Defining the Message Severity Level 28-8 Limiting Syslog Messages Sent to the History Table and to SNMP 28-10 Enabling the Configuration-Change Logger 28-10 Configuring UNIX Syslog Servers 28-12 Logging Messages to a UNIX Syslog Daemon 28-12 Configuring the UNIX System Logging Facility 28-12 Displaying the Logging Configuration
29
28-13

CHAPTER

Configuring SNMP

29-1

Understanding SNMP 29-1 SNMP Versions 29-2 SNMP Manager Functions 29-3 SNMP Agent Functions 29-4 SNMP Community Strings 29-4 Using SNMP to Access MIB Variables 29-4 SNMP Notifications 29-5 SNMP ifIndex MIB Object Values 29-5 MIB Data Collection and Transfer 29-6
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

xxi

Contents

Configuring SNMP 29-6 Default SNMP Configuration 29-7 SNMP Configuration Guidelines 29-7 Disabling the SNMP Agent 29-8 Configuring Community Strings 29-8 Configuring SNMP Groups and Users 29-10 Configuring SNMP Notifications 29-12 Setting the CPU Threshold Notification Types and Values 29-16 Setting the Agent Contact and Location Information 29-17 Limiting TFTP Servers Used Through SNMP 29-17 Configuring MIB Data Collection and Transfer 29-18 Configuring the Cisco Process MIB CPU Threshold Table 29-20 SNMP Examples 29-21 Displaying SNMP Status
30
29-23

CHAPTER

Configuring Embedded Event Manager

30-1

Understanding Embedded Event Manager 30-1 Event Detectors 30-2 Embedded Event Manager Actions 30-4 Embedded Event Manager Policies 30-4 Embedded Event Manager Environment Variables EEM 3.2 30-5

30-4

Configuring Embedded Event Manager 30-5 Registering and Defining an Embedded Event Manager Applet 30-6 Registering and Defining an Embedded Event Manager TCL Script 30-7 Displaying Embedded Event Manager Information
31
30-7

CHAPTER

Configuring Network Security with ACLs

31-1

Understanding ACLs 31-1 Supported ACLs 31-2 Port ACLs 31-3 Router ACLs 31-4 VLAN Maps 31-5 Handling Fragmented and Unfragmented Traffic Configuring IPv4 ACLs 31-6 Creating Standard and Extended IPv4 ACLs 31-7 IPv4 Access List Numbers 31-8 ACL Logging 31-8 Creating a Numbered Standard ACL 31-9
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

31-5

xxii

OL-9639-10

Contents

Creating a Numbered Extended ACL 31-10 Resequencing ACEs in an ACL 31-14 Creating Named Standard and Extended ACLs 31-14 Using Time Ranges with ACLs 31-16 Including Comments in ACLs 31-18 Applying an IPv4 ACL to a Terminal Line 31-18 Applying an IPv4 ACL to an Interface 31-19 Hardware and Software Treatment of IP ACLs 31-20 Troubleshooting ACLs 31-21 IPv4 ACL Configuration Examples 31-22 Numbered ACLs 31-23 Extended ACLs 31-23 Named ACLs 31-24 Time Range Applied to an IP ACL 31-24 Commented IP ACL Entries 31-25 ACL Logging 31-25 Creating Named MAC Extended ACLs 31-26 Applying a MAC ACL to a Layer 2 Interface
31-28

Configuring VLAN Maps 31-29 VLAN Map Configuration Guidelines 31-29 Creating a VLAN Map 31-30 Examples of ACLs and VLAN Maps 31-31 Applying a VLAN Map to a VLAN 31-33 Using VLAN Maps in Your Network 31-33 Wiring Closet Configuration 31-33 Denying Access to a Server on Another VLAN

31-34

Using VLAN Maps with Router ACLs 31-35 VLAN Maps and Router ACL Configuration Guidelines 31-36 Examples of Router ACLs and VLAN Maps Applied to VLANs 31-37 ACLs and Switched Packets 31-37 ACLs and Routed Packets 31-37 ACLs and Multicast Packets 31-38 Displaying IPv4 ACL Configuration
32
31-39

CHAPTER

Configuring Control-Plane Security Understanding Control-Plane Security Configuring Control-Plane Security Monitoring Control-Plane Security

32-1 32-1 32-6 32-7

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

xxiii

Contents

CHAPTER

33

Configuring QoS

33-1

Understanding QoS 33-1 Modular QoS CLI 33-3 Input and Output Policies 33-4 Input Policy Maps 33-4 Output Policy Maps 33-5 Classification 33-6 Class Maps 33-7 The match Command 33-7 Classification Based on Layer 2 CoS 33-8 Classification Based on IP Precedence 33-8 Classification Based on IP DSCP 33-8 Classification Comparisons 33-9 Classification Based on QoS ACLs 33-10 Classification Based on QoS Groups 33-11 Classification Based on VLAN IDs 33-12 Table Maps 33-14 Policing 33-15 Individual Policing 33-15 Aggregate Policing 33-16 Unconditional Priority Policing 33-18 Marking 33-18 QoS Treatment for Performance-Monitoring Protocols 33-19 Cisco IP-SLAs 33-20 Two-Way Active Measurement Protocol 33-20 QoS Treatment for IP-SLA and TWAMP Probes 33-20 Marking 33-20 Queuing 33-20 QoS Marking for CPU-Generated Traffic 33-20 QoS Queuing for CPU-Generated Traffic 33-21 Configuration Guidelines 33-22 Congestion Management and Scheduling 33-23 Traffic Shaping 33-24 Class-Based Weighted Fair Queuing 33-26 Priority Queuing 33-28 Congestion Avoidance and Queuing 33-30 Configuring QoS 33-33 Default QoS Configuration 33-33 QoS Configuration Guidelines 33-33

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

xxiv

OL-9639-10

Contents Using ACLs to Classify Traffic 33-35 Creating IP Standard ACLs 33-35 Creating IP Extended ACLs 33-37 Creating Layer 2 MAC ACLs 33-38 Using Class Maps to Define a Traffic Class 33-39 Configuring Table Maps 33-41 Attaching a Traffic Policy to an Interface 33-42 Configuring Input Policy Maps 33-43 Configuring Input Policy Maps with Individual Policing 33-44 Configuring Input Policy Maps with Aggregate Policing 33-48 Configuring Input Policy Maps with Marking 33-50 Configuring Per-Port Per-VLAN QoS with Hierarchical Input Policy Maps 33-52 Configuring Output Policy Maps 33-57 Configuring Output Policy Maps with Class-Based-Weighted-Queuing 33-59 Configuring Output Policy Maps with Class-Based Shaping 33-61 Configuring Output Policy Maps with Port Shaping 33-62 Configuring Output Policy Maps with Class-Based Priority Queuing 33-63 Configuring Output Policy Maps with Weighted Tail Drop 33-67 Configuring QoS Marking and Queuing for CPU-Generated Traffic 33-70 Configuration Examples QoS Marking and Queuing for CPU-Generated Traffic 33-71 Displaying QoS Information 33-75 QoS Statistics 33-76 Configuration Examples for Policy Maps 33-76 QoS Configuration for Customer A 33-76 QoS Configuration for Customer B 33-78 Modifying Output Policies and Adding or Deleting Classification Criteria 33-79 Modifying Output Policies and Changing Queuing or Scheduling Parameters 33-80 Modifying Output Policies and Adding or Deleting Configured Actions 33-81 Modifying Output Policies and Adding or Deleting a Class 33-82 34 CHAPTER Configuring EtherChannels and Link-State Tracking Understanding EtherChannels 34-1 EtherChannel Overview 34-2 Port-Channel Interfaces 34-3 Port Aggregation Protocol 34-4 PAgP Modes 34-5 PAgP Interaction with Other Features Link Aggregation Control Protocol 34-6 LACP Modes 34-6 34-1 34-5 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 xxv .

Contents LACP Interaction with Other Features 34-7 EtherChannel On Mode 34-7 Load Balancing and Forwarding Methods 34-7 Configuring EtherChannels 34-9 Default EtherChannel Configuration 34-10 EtherChannel Configuration Guidelines 34-10 Configuring Layer 2 EtherChannels 34-11 Configuring Layer 3 EtherChannels 34-14 Creating Port-Channel Logical Interfaces 34-14 Configuring the Physical Interfaces 34-15 Configuring EtherChannel Load Balancing 34-17 Configuring the PAgP Learn Method and Priority 34-18 Configuring LACP Hot-Standby Ports 34-19 Configuring the LACP System Priority 34-20 Configuring the LACP Port Priority 34-21 Displaying EtherChannel. and LACP Status Understanding Link-State Tracking 34-22 34-22 Configuring Link-State Tracking 34-24 Default Link-State Tracking Configuration 34-24 Link-State Tracking Configuration Guidelines 34-24 Configuring Link-State Tracking 34-24 Displaying Link-State Tracking Status 35 34-25 CHAPTER Configuring IP Unicast Routing Understanding IP Routing 35-2 Types of Routing 35-2 Steps for Configuring Routing 35-1 35-3 Configuring IP Addressing 35-4 Default Addressing Configuration 35-4 Assigning IP Addresses to Network Interfaces 35-5 Use of Subnet Zero 35-5 Classless Routing 35-6 Configuring Address Resolution Methods 35-7 Define a Static ARP Cache 35-8 Set ARP Encapsulation 35-9 Enable Proxy ARP 35-9 Routing Assistance When IP Routing is Disabled 35-10 Proxy ARP 35-10 Default Gateway 35-10 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide xxvi OL-9639-10 . PAgP.

Contents ICMP Router Discovery Protocol (IRDP) 35-11 Configuring Broadcast Packet Handling 35-12 Enabling Directed Broadcast-to-Physical Broadcast Translation Forwarding UDP Broadcast Packets and Protocols 35-14 Establishing an IP Broadcast Address 35-14 Flooding IP Broadcasts 35-15 Monitoring and Maintaining IP Addressing 35-16 Enabling IPv4 Unicast Routing 35-17 35-13 Configuring RIP 35-18 Default RIP Configuration 35-18 Configuring Basic RIP Parameters 35-19 Configuring RIP Authentication 35-21 Configuring Split Horizon 35-21 Configuring Summary Addresses 35-22 Configuring OSPF 35-23 Default OSPF Configuration 35-24 Nonstop Forwarding Awareness 35-25 Configuring Basic OSPF Parameters 35-25 Configuring OSPF Interfaces 35-26 Configuring OSPF Network Types 35-28 Configuring OSPF for Nonbroadcast Networks 35-28 Configuring Network Types for OSPF Interfaces 35-28 Configuring OSPF Area Parameters 35-30 Configuring Other OSPF Parameters 35-32 Changing LSA Group Pacing 35-33 Configuring a Loopback Interface 35-34 Monitoring OSPF 35-35 Configuring EIGRP 35-35 Default EIGRP Configuration 35-37 Nonstop Forwarding Awareness 35-38 Configuring Basic EIGRP Parameters 35-38 Configuring EIGRP Interfaces 35-39 Configuring EIGRP Route Authentication 35-40 Configuring EIGRP Stub Routing 35-41 Monitoring and Maintaining EIGRP 35-42 Configuring BGP 35-43 Default BGP Configuration 35-45 Nonstop Forwarding Awareness Enabling BGP Routing 35-47 35-47 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 xxvii .

Contents Managing Routing Policy Changes 35-49 Configuring BGP Decision Attributes 35-51 Configuring BGP Filtering with Route Maps 35-53 Configuring BGP Filtering by Neighbor 35-53 Configuring Prefix Lists for BGP Filtering 35-55 Configuring BGP Community Filtering 35-56 Configuring BGP Neighbors and Peer Groups 35-57 Configuring Aggregate Addresses 35-59 Configuring Routing Domain Confederations 35-60 Configuring BGP Route Reflectors 35-60 Configuring Route Dampening 35-61 Monitoring and Maintaining BGP 35-62 Configuring ISO CLNS Routing 35-63 Configuring IS-IS Dynamic Routing 35-64 Default IS-IS Configuration 35-64 Nonstop Forwarding Awareness 35-65 Enabling IS-IS Routing 35-65 Configuring IS-IS Global Parameters 35-67 Configuring IS-IS Interface Parameters 35-70 Monitoring and Maintaining IS-IS 35-72 Configuring BFD 35-73 Default BFD Configuration 35-75 BFD Configuration Guidelines 35-75 Configuring BFD Session Parameters on an Interface Enabling BFD Routing Protocol Clients 35-77 Configuring BFD for OSPF 35-77 Configuring BFD for IS-IS 35-79 Configuring BFD for BGP 35-80 Configuring BFD for EIGRP 35-81 Configuring BFD for HSRP 35-81 Disabling BFD Echo Mode 35-82 Configuring Multi-VRF CE 35-83 Understanding Multi-VRF CE 35-83 Default Multi-VRF CE Configuration 35-85 Multi-VRF CE Configuration Guidelines 35-86 Configuring VRFs 35-86 Configuring VRF-Aware Services 35-87 User Interface for ARP 35-88 User Interface for PING 35-88 35-76 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide xxviii OL-9639-10 .

Contents User Interface for SNMP 35-88 User Interface for HSRP 35-89 User Interface for Syslog 35-89 User Interface for Traceroute 35-90 User Interface for FTP and TFTP 35-90 User Interface for VRF-Aware RADIUS 35-90 Configuring a VPN Routing Session 35-91 Configuring BGP PE to CE Routing Sessions 35-91 Multi-VRF CE Configuration Example 35-92 Displaying Multi-VRF CE Status 35-96 Configuring Protocol-Independent Features 35-96 Configuring Cisco Express Forwarding 35-97 Configuring the Number of Equal-Cost Routing Paths 35-98 Configuring Static Unicast Routes 35-98 Specifying Default Routes and Networks 35-100 Using Route Maps to Redistribute Routing Information 35-100 Configuring Policy-Based Routing 35-104 PBR Configuration Guidelines 35-105 Enabling PBR 35-106 Filtering Routing Information 35-107 Setting Passive Interfaces 35-107 Controlling Advertising and Processing in Routing Updates 35-108 Filtering Sources of Routing Information 35-109 Managing Authentication Keys 35-109 Monitoring and Maintaining the IP Network 36 35-111 CHAPTER Configuring IPv6 Unicast Routing 36-1 Understanding IPv6 36-1 IPv6 Addresses 36-2 Supported IPv6 Unicast Routing Features 36-2 128-Bit Unicast Addresses 36-3 DNS for IPv6 36-3 Path MTU Discovery for IPv6 Unicast 36-4 ICMPv6 36-4 Neighbor Discovery 36-4 Default Router Preference 36-4 IPv6 Stateless Autoconfiguration and Duplicate Address Detection IPv6 Applications 36-5 Dual IPv4 and IPv6 Protocol Stacks 36-5 36-4 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 xxix .

Contents DHCP for IPv6 Address Assignment 36-6 Static Routes for IPv6 36-6 RIP for IPv6 36-6 OSPF for IPv6 36-6 EIGRP IPv6 36-6 Multiprotocol BGP for IPv6 36-7 SNMP and Syslog Over IPv6 36-7 HTTP(S) Over IPv6 36-7 Unsupported IPv6 Unicast Routing Features 36-8 Limitations 36-8 Configuring IPv6 36-9 Default IPv6 Configuration 36-9 Configuring IPv6 Addressing and Enabling IPv6 Routing 36-10 Configuring Default Router Preference 36-12 Configuring IPv4 and IPv6 Protocol Stacks 36-12 Configuring DHCP for IPv6 Address Assignment 36-14 Default DHCPv6 Address Assignment Configuration 36-14 DHCPv6 Address Assignment Configuration Guidelines 36-14 Enabling the DHCPv6 Server Function 36-15 Enabling the DHCPv6 Client Function 36-17 Configuring IPv6 ICMP Rate Limiting 36-17 Configuring CEF for IPv6 36-18 Configuring Static Routing for IPv6 36-18 Configuring RIP for IPv6 36-20 Configuring OSPF for IPv6 36-21 Configuring EIGRP for IPv6 36-23 Configuring BGP for IPv6 36-23 Displaying IPv6 37 36-24 CHAPTER Configuring IPv6 MLD Snooping 37-1 Understanding MLD Snooping 37-1 MLD Messages 37-2 MLD Queries 37-3 Multicast Client Aging Robustness 37-3 Multicast Router Discovery 37-3 MLD Reports 37-4 MLD Done Messages and Immediate-Leave 37-4 Topology Change Notification Processing 37-5 Configuring IPv6 MLD Snooping 37-5 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide xxx OL-9639-10 .

Contents Default MLD Snooping Configuration 37-5 MLD Snooping Configuration Guidelines 37-6 Enabling or Disabling MLD Snooping 37-6 Configuring a Static Multicast Group 37-8 Configuring a Multicast Router Port 37-9 Enabling MLD Immediate Leave 37-9 Configuring MLD Snooping Queries 37-10 Disabling MLD Listener Message Suppression 37-11 Displaying MLD Snooping Information 38 37-12 CHAPTER Configuring IPv6 ACLs 38-1 Understanding IPv6 ACLs 38-2 Supported ACL Features 38-2 IPv6 ACL Limitations 38-3 Configuring IPv6 ACLs 38-3 Default IPv6 ACL Configuration 38-3 Interaction with Other Features and Switches Creating IPv6 ACLs 38-4 Applying an IPv6 ACL to an Interface 38-7 Displaying IPv6 ACLs 39 38-8 38-4 CHAPTER Configuring HSRP 39-1 Understanding HSRP 39-1 HSRP Versions 39-3 Multiple HSRP 39-4 Configuring HSRP 39-5 Default HSRP Configuration 39-5 HSRP Configuration Guidelines 39-5 Enabling HSRP 39-6 Configuring HSRP Priority 39-7 Configuring MHSRP 39-10 Configuring HSRP Authentication and Timers 39-10 Enabling HSRP Support for ICMP Redirect Messages Displaying HSRP Configurations 40 39-12 39-12 CHAPTER Configuring Cisco IOS IP SLAs Operations 40-1 Understanding Cisco IOS IP SLAs 40-2 Using Cisco IOS IP SLAs to Measure Network Performance IP SLAs Responder and IP SLAs Control Protocol 40-4 40-3 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 xxxi .

and E-LMI 42-1 Understanding Ethernet CFM 42-2 CFM Domain 42-2 Maintenance Associations and Maintenance Points CFM Messages 42-5 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 42-3 xxxii OL-9639-10 .Contents Response Time Computation for IP SLAs IP SLAs Operation Scheduling 40-5 IP SLAs Operation Threshold Monitoring 40-4 40-5 Configuring IP SLAs Operations 40-6 Default Configuration 40-6 Configuration Guidelines 40-6 Configuring the IP SLAs Responder 40-8 Analyzing IP Service Levels by Using the UDP Jitter Operation 40-8 Analyzing IP Service Levels by Using the ICMP Echo Operation 40-11 Monitoring IP SLAs Operations Understanding TWAMP 40-14 40-13 Configuring TWAMP 40-15 Configuring the TWAMP Server 40-15 Configuring the TWAMP Reflector 40-16 Troubleshooting TWAMP 40-17 41 CHAPTER Configuring Enhanced Object Tracking Understanding Enhanced Object Tracking 41-1 41-1 Configuring Enhanced Object Tracking Features 41-2 Default Configuration 41-2 Tracking Interface Line-Protocol or IP Routing State 41-2 Configuring a Tracked List 41-3 Configuring a Tracked List with a Boolean Expression 41-4 Configuring a Tracked List with a Weight Threshold 41-5 Configuring a Tracked List with a Percentage Threshold 41-6 Configuring HSRP Object Tracking 41-7 Configuring Other Tracking Characteristics 41-8 Configuring IP SLAs Object Tracking 41-8 Configuring Static Routing Support 41-10 Configuring a Primary Interface 41-10 Configuring a Cisco IP SLAs Monitoring Agent and Track Object Configuring a Routing Policy and Default Route 41-12 Monitoring Enhanced Object Tracking 42 41-12 41-11 CHAPTER Configuring Ethernet OAM. CFM.

Contents Crosscheck Function and Static Remote MEPs SNMP Traps and Fault Alarms 42-5 Configuration Error List 42-6 CFM Version Interoperability 42-6 IP SLAs Support for CFM 42-6 42-5 Configuring Ethernet CFM 42-7 Default Ethernet CFM Configuration 42-7 Ethernet CFM Configuration Guidelines 42-8 Configuring the CFM Domain 42-8 Configuring Ethernet CFM Crosscheck 42-11 Configuring Static Remote MEP 42-12 Configuring a Port MEP 42-14 Configuring SNMP Traps 42-15 Configuring Fault Alarms 42-16 Configuring IP SLAs CFM Operation 42-17 Manually Configuring an IP SLAs CFM Probe or Jitter Operation 42-18 Configuring an IP SLAs Operation with Endpoint Discovery 42-19 Configuring CFM on C-VLAN (Inner VLAN) 42-21 Feature Support and Behavior 42-22 Platform Restrictions and Limitations 42-22 Understanding CFM ITU-T Y.1731 Fault Management Y.1731 Terminology 42-23 Alarm Indication Signals 42-24 Ethernet Remote Defect Indication 42-24 Ethernet Locked Signal 42-25 Multicast Ethernet Loopback 42-25 Configuring Y.1731 Configuration 42-26 Configuring ETH-AIS 42-26 Configuring ETH-LCK 42-28 Using Multicast Ethernet Loopback 42-30 Managing and Displaying Ethernet CFM Information Understanding the Ethernet OAM Protocol OAM Features 42-33 OAM Messages 42-34 42-33 42-31 42-23 Setting Up and Configuring Ethernet OAM 42-35 Default Ethernet OAM Configuration 42-35 Ethernet OAM Configuration Guidelines 42-35 Enabling Ethernet OAM on an Interface 42-35 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 xxxiii .1731 Fault Management 42-25 Default Y.

Contents Enabling Ethernet OAM Remote Loopback 42-36 Configuring Ethernet OAM Link Monitoring 42-37 Configuring Ethernet OAM Remote Failure Indications Configuring Ethernet OAM Templates 42-40 Displaying Ethernet OAM Protocol Information 42-43 42-40 Understanding E-LMI 42-43 E-LMI Interaction with OAM Manager 42-44 CFM Interaction with OAM Manager 42-44 Configuring E-LMI 42-45 Default E-LMI Configuration 42-45 E-LMI and OAM Manager Configuration Guidelines 42-45 Configuring the OAM Manager 42-46 Enabling E-LMI 42-48 Ethernet OAM Manager Configuration Example 42-49 Provider-Edge Device Configuration 42-49 Customer-Edge Device Configuration 42-50 Displaying E-LMI and OAM Manager Information 42-50 Ethernet CFM and Ethernet OAM Interaction 42-51 Configuring Ethernet OAM Interaction with CFM 42-52 Configuring the OAM Manager 42-52 Enabling Ethernet OAM 42-53 Ethernet OAM and CFM Configuration Example 42-53 43 CHAPTER Configuring IP Multicast Routing 43-1 43-1 Understanding Cisco’s Implementation of IP Multicast Routing Understanding IGMP 43-2 IGMP Version 1 43-3 IGMP Version 2 43-3 Understanding PIM 43-3 PIM Versions 43-3 PIM Modes 43-4 PIM Stub Routing 43-5 IGMP Helper 43-5 Auto-RP 43-6 Bootstrap Router 43-6 Multicast Forwarding and Reverse Path Check 43-7 Configuring IP Multicast Routing 43-8 Default Multicast Routing Configuration 43-8 Multicast Routing Configuration Guidelines 43-9 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide xxxiv OL-9639-10 .

Contents PIMv1 and PIMv2 Interoperability 43-9 Auto-RP and BSR Configuration Guidelines 43-10 Configuring Basic Multicast Routing 43-10 Configuring PIM Stub Routing 43-12 PIM Stub Routing Configuration Guidelines 43-12 Enabling PIM Stub Routing 43-13 Configuring Source-Specific Multicast 43-14 SSM Components Overview 43-15 How SSM Differs from Internet Standard Multicast 43-15 SSM IP Address Range 43-15 SSM Operations 43-15 IGMPv3 Host Signalling 43-16 Configuration Guidelines 43-16 Configuring SSM 43-17 Monitoring SSM 43-18 Configuring Source Specific Multicast Mapping 43-18 Configuration Guidelines and Restrictions 43-18 SSM Mapping Overview 43-19 Configuring SSM Mapping 43-20 Monitoring SSM Mapping 43-23 Configuring a Rendezvous Point 43-23 Manually Assigning an RP to Multicast Groups 43-23 Configuring Auto-RP 43-25 Configuring PIMv2 BSR 43-29 Using Auto-RP and a BSR 43-33 Monitoring the RP Mapping Information 43-34 Troubleshooting PIMv1 and PIMv2 Interoperability Problems 43-34 Configuring Advanced PIM Features 43-34 Understanding PIM Shared Tree and Source Tree 43-34 Delaying the Use of PIM Shortest-Path Tree 43-36 Modifying the PIM Router-Query Message Interval 43-37 Configuring Optional IGMP Features 43-37 Default IGMP Configuration 43-38 Configuring the Switch as a Member of a Group 43-38 Controlling Access to IP Multicast Groups 43-39 Changing the IGMP Version 43-40 Modifying the IGMP Host-Query Message Interval 43-41 Changing the IGMP Query Timeout for IGMPv2 43-42 Changing the Maximum Query Response Time for IGMPv2 Configuring the Switch as a Statically Connected Member 43-42 43-43 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 xxxv .

Contents Configuring Optional Multicast Routing Features 43-44 Configuring sdr Listener Support 43-44 Enabling sdr Listener Support 43-44 Limiting How Long an sdr Cache Entry Exists 43-45 Configuring an IP Multicast Boundary 43-45 Monitoring and Maintaining IP Multicast Routing 43-47 Clearing Caches. Tables. and Databases 43-47 Displaying System and Network Statistics 43-47 Monitoring IP Multicast Routing 43-48 44 CHAPTER Configuring MSDP 44-1 Understanding MSDP 44-1 MSDP Operation 44-2 MSDP Benefits 44-3 Configuring MSDP 44-3 Default MSDP Configuration 44-3 Configuring a Default MSDP Peer 44-4 Caching Source-Active State 44-6 Requesting Source Information from an MSDP Peer 44-7 Controlling Source Information that Your Switch Originates 44-8 Redistributing Sources 44-8 Filtering Source-Active Request Messages 44-10 Controlling Source Information that Your Switch Forwards 44-11 Using a Filter 44-11 Using TTL to Limit the Multicast Data Sent in SA Messages 44-12 Controlling Source Information that Your Switch Receives 44-13 Configuring an MSDP Mesh Group 44-14 Shutting Down an MSDP Peer 44-15 Including a Bordering PIM Dense-Mode Region in MSDP 44-15 Configuring an Originating Address other than the RP Address 44-16 Monitoring and Maintaining MSDP 45 44-17 CHAPTER Troubleshooting 45-1 45-2 Recovering from Corrupted Software By Using the Xmodem Protocol Recovering from a Lost or Forgotten Password 45-3 Procedure with Password Recovery Enabled 45-5 Procedure with Password Recovery Disabled 45-6 Preventing Autonegotiation Mismatches SFP Module Security and Identification 45-8 45-8 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide xxxvi OL-9639-10 .

Displaying.Contents Monitoring SFP Module Status Monitoring Temperature 45-9 45-9 Using Ping 45-9 Understanding Ping 45-10 Using Ping 45-10 All Software Versions 45-10 Metro IP Access Image 45-11 Ping Responses 45-12 Summary 45-12 Using Layer 2 Traceroute 45-13 Understanding Layer 2 Traceroute 45-13 Layer 2 Traceroute Usage Guidelines 45-13 Displaying the Physical Path 45-14 Using IP Traceroute 45-14 Understanding IP Traceroute 45-14 Executing IP Traceroute 45-15 Using TDR 45-16 Understanding TDR 45-16 Running TDR and Displaying the Results 45-17 Using Debug Commands 45-17 Enabling Debugging on a Specific Feature 45-17 Enabling All-System Diagnostics 45-18 Redirecting Debug and Error Message Output 45-18 Using the show platform forward Command Using the crashinfo File A 45-21 45-19 APPENDIX Working with the Cisco IOS File System. and Software Images Working with the Flash File System A-1 Displaying Available File Systems A-2 Setting the Default File System A-3 Displaying Information about Files on a File System A-3 Changing Directories and Displaying the Working Directory Creating and Removing Directories A-4 Copying Files A-4 Deleting Files A-5 Creating. Configuration Files. and Extracting tar Files A-6 Creating a tar File A-6 Displaying the Contents of a tar File A-6 Extracting a tar File A-7 A-1 A-3 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 xxxvii .

com A-24 Copying Image Files By Using TFTP A-24 Preparing to Download or Upload an Image File By Using TFTP A-25 Downloading an Image File By Using TFTP A-26 Uploading an Image File By Using TFTP A-27 Copying Image Files By Using FTP A-28 Preparing to Download or Upload an Image File By Using FTP A-28 Downloading an Image File By Using FTP A-29 Uploading an Image File By Using FTP A-31 Copying Image Files By Using RCP A-32 Preparing to Download or Upload an Image File By Using RCP A-32 Downloading an Image File By Using RCP A-33 Uploading an Image File By Using RCP A-35 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide xxxviii OL-9639-10 .Contents Displaying the Contents of a File A-8 Working with Configuration Files A-8 Guidelines for Creating and Using Configuration Files A-9 Configuration File Types and Location A-9 Creating a Configuration File By Using a Text Editor A-10 Copying Configuration Files By Using TFTP A-10 Preparing to Download or Upload a Configuration File By Using TFTP A-10 Downloading the Configuration File By Using TFTP A-11 Uploading the Configuration File By Using TFTP A-11 Copying Configuration Files By Using FTP A-12 Preparing to Download or Upload a Configuration File By Using FTP A-13 Downloading a Configuration File By Using FTP A-13 Uploading a Configuration File By Using FTP A-14 Copying Configuration Files By Using RCP A-15 Preparing to Download or Upload a Configuration File By Using RCP A-16 Downloading a Configuration File By Using RCP A-17 Uploading a Configuration File By Using RCP A-18 Clearing Configuration Information A-18 Clearing the Startup Configuration File A-19 Deleting a Stored Configuration File A-19 Replacing and Rolling Back Configurations A-19 Understanding Configuration Replacement and Rollback A-19 Configuration Replacement and Rollback Guidelines A-20 Configuring the Configuration Archive A-21 Performing a Configuration Replacement or Rollback Operation A-22 Working with Software Images A-23 Image Location on the Switch A-23 tar File Format of Images on a Server or Cisco.

2(58)SE Access Control Lists B-1 Unsupported Privileged EXEC Commands B-1 Unsupported Global Configuration Commands B-1 ARP Commands B-1 Unsupported Global Configuration Commands B-1 Unsupported Interface Configuration Commands B-2 Boot Loader Commands B-2 Unsupported Privileged EXEC Command B-2 Unsupported Interface Configuration Command CGMP Commands B-2 Unsupported User EXEC Command B-2 Unsupported Global Configuration Command Debug Commands B-2 B-1 B-2 B-2 Embedded Event Manager B-3 Unsupported Privileged EXEC Commands B-3 Unsupported Global Configuration Commands B-3 Unsupported Commands in Applet Configuration Mode HSRP B-3 Unsupported Global Configuration Commands B-3 Unsupported Interface Configuration Commands B-4 IEEE 802.Contents APPENDIX B Unsupported Commands in Cisco IOS Release 12.1x B-4 Unsupported Global Configuration Command B-4 Unsupported Interface Configuration Commands B-4 Unsupported Privileged EXEC Commands B-4 Unsupported Global Configuration Command B-4 Unsupported Interface Configuration Commands B-4 IGMP Snooping Commands B-5 Unsupported Global Configuration Commands B-5 B-3 Interface Commands B-5 Unsupported Privileged EXEC Commands B-5 Unsupported Global Configuration Commands B-5 Unsupported Interface Configuration Commands B-5 IP Multicast Routing B-5 Unsupported Privileged EXEC Commands B-5 Unsupported Global Configuration Commands B-6 Unsupported Interface Configuration Commands B-6 IP Unicast Routing B-7 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 xxxix .

Contents Unsupported Privileged EXEC or User EXEC Commands B-7 Unsupported Global Configuration Commands B-7 Unsupported Interface Configuration Commands B-8 Unsupported BGP Router Configuration Commands B-8 Unsupported VPN Configuration Commands B-8 Unsupported Route Map Commands B-8 MAC Address B-9 Unsupported Privileged EXEC Commands B-9 Unsupported Global Configuration Commands B-9 Miscellaneous B-9 Unsupported User EXEC Commands B-9 Unsupported Privileged EXEC Commands B-10 Unsupported Global Configuration Commands B-10 Unsupported show platform Commands B-10 MSDP B-10 Unsupported Privileged EXEC Commands B-10 Unsupported Global Configuration Commands B-11 NetFlow B-11 Unsupported Global Configuration Commands QoS B-11 B-11 Unsupported Global Configuration Command B-11 Unsupported Interface Configuration Command B-11 Unsupported policy-map Class Police Configuration Mode Command RADIUS B-11 Unsupported Global Configuration Commands SNMP B-12 Unsupported Global Configuration Commands B-11 B-11 B-12 Spanning Tree B-12 Unsupported Global Configuration Command B-12 Unsupported Interface Configuration Command B-12 VLAN B-12 Unsupported Global Configuration Command B-12 Unsupported User EXEC Commands B-12 Unsupported VLAN Database Commands B-13 INDEX Cisco ME 3400 Ethernet Access Switch Software Configuration Guide xl OL-9639-10 .

see the Cisco ME 3400E. For information about the standard Cisco IOS commands. and IP multicast routing.html?mode=prod This guide does not describe system messages you might encounter or how to install your switch. see the Cisco ME 3400 Ethernet Access Switch Command Reference for this release. seminars. multiple VPN routing/forwarding on customer edge (multi-VRF-CE) devices. and ME 2400 Switch System Message Guide for this release and the Cisco ME 3400 Ethernet Access Switch Hardware Installation Guide.Preface Audience This guide is for the networking professional managing the Cisco Metro Ethernet (ME) 3400 Series Ethernet Access switch. We assume that you are familiar with the concepts and terminology of Ethernet and local area networking. learning opportunities including training courses. see the release notes for this release.1Q tunneling. hereafter referred to as the switch. It does not provide detailed information about these commands. For detailed information about these commands. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 xli .cisco. For more information. If you are interested in more training and education in these areas. Border Gateway Protocol (BGP). dynamic ARP inspection. The metro IP access image adds Layer 3 functionality such as IP routing support for Routing Information Protocol (RIP).cisco.html Purpose The switch ships with one of these software images installed: • • • The metro base image provides basic Metro Ethernet features.com/web/learning/index. Open Shortest Path First (OSPF) Protocol.com/cisco/web/psa/default. Layer 2 protocol tunneling. self-study options. and Enhanced Interior Gateway Routing Protocol (EIGRP). The metro access image includes additional features such as IEEE 802. and career certifications programs are available on the Cisco Training & Events web page: http://www. This guide provides procedures for using the commands that have been created or changed for use with the Cisco ME 3400 switch. see the Cisco IOS documentation available from this URL: http://www. and IP source guard. ME 3400. For the latest documentation updates.

Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element. cautions. are in angle brackets (< >). or upgrading the switch.cisco. ME 3400. see the “Configuring the Switch with the CLI-Based Setup Program” appendix in the hardware installation guide. and vertical bars ( | ) separate the alternative elements. In this situation. For upgrading information. see these documents: • • For initial configuration information. Arguments for which you supply values are in italic.Preface Conventions This publication uses these conventions to convey instructions and information: Command descriptions use these conventions: • • • • • Commands and keywords are in boldface text. Square brackets ([ ]) mean optional elements. Braces ({ }) group required choices. Nonprinting characters. and ME 2400 Switch System Message Guide Cisco ME 3400 Ethernet Access Switch Hardware Installation Guide Cisco ME 3400 Ethernet Access Switch Software Configuration Guide xlii OL-9639-10 . configuring.com/en/US/products/ps6580/tsd_products_support_series_home.com site: http://www. • • • • • Release Notes for the Cisco ME 3400 Ethernet Access Switch Cisco ME 3400 Ethernet Access Switch Software Configuration Guide Cisco ME 3400 Ethernet Access Switch Command Reference Cisco ME 3400E. Terminal sessions and system displays are in screen font. see the “Downloading Software” section in the release notes. Information you enter is in boldface screen font. such as passwords or tabs. Related Publications These documents provide complete information about the switch and are available from this Cisco. and timesavers use these conventions and symbols: Note Means reader take note. you might do something that could result in equipment damage or loss of data. Interactive examples use these conventions: • • • Notes. Notes contain helpful suggestions or references to materials not contained in this manual. Caution Means reader be careful.html Note Before installing.

cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 xliii . The RSS feeds are a free service and Cisco currently supports RSS version 2. see the monthly What’s New in Cisco Product Documentation.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. submitting a service request. at: http://www.Preface • • • • • Cisco ME 3400 and ME 2400 Ethernet Access Switches Getting Started Guide Regulatory Compliance and Safety Information for the Cisco ME 3400 and ME 2400 Ethernet Access Switches Cisco Small Form-Factor Pluggable Modules Installation Notes Cisco CWDM GBIC and CWDM SFP Installation Note These compatibility matrix documents are available from this Cisco. which also lists all new and revised Cisco technical documentation.html Obtaining Documentation and Submitting a Service Request For information on obtaining documentation.cisco.com site: – Cisco Gigabit Ethernet Transceiver Modules Compatibility Matrix – Cisco 100-Megabit Ethernet SFP Modules Compatibility Matrix – Cisco Small Form-Factor Pluggable Modules Compatibility Matrix – Compatibility Matrix for 1000BASE-T Small Form-Factor Pluggable Modules http://www.0. and gathering additional information.

Preface Cisco ME 3400 Ethernet Access Switch Software Configuration Guide xliv OL-9639-10 .

Open Shortest Path First (OSPF) Protocol.1Q tunneling. dynamic ARP inspection. IP refers to IP Version 4 (IPv4) unless otherwise specified as IPv6. multiple VPN routing/forwarding on customer edge (multi-VRF-CE) devices. Layer 2 protocol tunneling. page 1-15 Where to Go Next. Note Unless otherwise noted. see the release notes for this release. The metro access image includes additional features such as IEEE 802. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 1-1 . The metro IP access image adds Layer 3 functionality such as IP routing support for Routing Information Protocol (RIP). and Enhanced Interior Gateway Routing Protocol (EIGRP). You must obtain authorization to use this feature and to download the cryptographic version of the software from Cisco. page 1-1 Default Settings After Initial Switch Configuration. Border Gateway Protocol (BGP). and IP source guard. page 1-12 Network Configuration Examples.CH A P T E R 1 Overview This chapter provides these topics about the Cisco Metro Ethernet (ME) 3400 Series Ethernet Access switch software: • • • • Features. supports encryption) versions of the switch software image. and IP multicast routing. Features The switch ships with one of these software images installed: • • • The metro base image provides basic Metro Ethernet features. For more information. all features described in this chapter and in this guide are supported on all images. page 1-19 In this document. Some features noted in this chapter are available only on the cryptographic (that is.com.

page 1-2 Management Options. You can also configure enhanced network interfaces (ENIs). IEEE 802. page 1-9 Layer 3 Features. routers. Some features are supported only on one of these port types. page 1-6 Security Features. and EtherChannel Link Aggregation Control Protocol (LACP) or Port Aggregation Protocol (PAgP). An ENI is typically a user-network facing interface and has the same default configuration and functionality as UNIs. • • • • • • • • • • • Performance Features. and unicast storms Port blocking on forwarding unknown Layer 2 unknown unicast. page 1-10 (requires metro IP access image) Layer 3 VPN Services. page 1-4 (includes a feature requiring the cryptographic versions of the software) Availability Features. page 1-7 (includes a feature requiring the cryptographic versions of the switch software) Quality of Service and Class of Service Features. and for frames up to 2000 bytes that are bridged by software. for frames up to 9000 bytes that are bridged in hardware. multicast.Chapter 1 Features Overview The Cisco ME switch has two different types of interfaces by default: network node interfaces (NNIs) to connect to the service provider network and user network interfaces (UNIs) to connect to customer networks. multicast. page 1-5 VLAN Features. but can be configured to support protocol control packets for Cisco Discovery Protocol (CDP). page 1-3 Manageability Features. Link Layer Discovery Protocol (LLDP). page 1-9 Layer 2 Virtual Private Network Services. and servers Port Aggregation Protocol (PAgP) and Link Aggregation Control Protocol (LACP) for automatic creation of EtherChannel links (supported only on NNIs or ENIs) Forwarding of Layer 2 and Layer 3 packets at Gigabit line rate Per-port storm control for preventing broadcast.3x flow control on all ports (the switch does not send pause frames) EtherChannel for enhanced fault tolerance and for providing up to 8 Gbps (Gigabit EtherChannel) or 800 Mbps (Fast EtherChannel) full duplex of bandwidth between switches. Spanning-Tree Protocol (STP). and bridged broadcast traffic • • • • • • • Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 1-2 OL-9639-10 . page 1-11 (requires metro IP access image) Monitoring Features. page 1-11 Performance Features • • • Configurable small-frame arrival threshold to prevent storm control when small frames (64 bytes or less) arrive on an interface at a specified rate (the threshold) Autosensing of port speed and autonegotiation of duplex mode on all switch ports for optimizing bandwidth Automatic-medium-dependent interface crossover (auto-MDIX) capability on 10/100 and 10/100/1000 Mbps interfaces and on 10/100/1000 BASE-T/TX small form-factor pluggable (SFP) module interfaces that enables the interface to automatically detect the required cable connection type (straight-through or crossover) and to configure the connection appropriately Support for routed frames up to 1998 bytes.

see Chapter 29. Support for configuration of an alternate MTU value to allow specific interfaces a different MTU than the global system MTU or jumbo MTU.” SNMP—SNMP management applications such as CiscoWorks2000 LAN Management Suite (LMS) and HP OpenView. and 3 for efficiently forwarding multimedia and multicast traffic IGMP report suppression for sending only one IGMP report per multicast router query to the multicast devices (supported only for IGMPv1 or IGMPv2 queries) IGMP snooping querier support to configure switch to generate periodic IGMP General Query messages IGMP Helper to allow the switch to forward a host request to join a multicast stream to a specific IP destination address (requires the metro IP access image) Multicast VLAN registration (MVR) to continuously send multicast streams in a multicast VLAN while isolating the streams from subscriber VLANs for bandwidth and security reasons with support for 512 multicast entries on a switch MVR over trunk port (MVRoT) support to allow you to configure a trunk port as an MVR receiver port IGMP filtering for controlling the set of multicast groups to which hosts on a switch port can belong IGMP throttling for configuring the action when the maximum number of entries is in the IGMP forwarding table IGMP configurable leave timer to configure the leave latency for the network. For more information about using SNMP.” Cisco Configuration Engine—The Cisco Configuration Engine is a network management device that works with embedded Cisco IOS CNS Agents in the switch software. and logging the results. • • • • • • • • Management Options • CLI—The Cisco IOS software supports desktop. “Configuring SNMP. including the dual-ipv4-and-ipv6 template for supporting IPv6 addresses RADIUS server load balancing to allow access and authentication requests to be distributed evenly across a server group. see Chapter 2. For more information about using Cisco IOS agents. You can automate initial configurations and configuration updates by generating switch-specific configuration changes. Multicast VLAN registration (MVR) enhancements include the ability to configure 2000 MVR groups when the switch is in dynamic MVR mode and a new command (mvr ringmode flood) to ensure that forwarding in a ring topology is limited to member ports.” • • Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 1-3 .Chapter 1 Overview Features • • • • • Internet Group Management Protocol (IGMP) snooping for IGMP versions 1. sending them to the switch. see Chapter 4. You can access the CLI either by connecting your management station directly to the switch console port or by using Telnet from a remote management station. You can manage from an SNMP-compatible management station that is running platforms such as HP OpenView or SunNet Manager. The switch supports a comprehensive set of MIB extensions and four remote monitoring (RMON) groups. “Configuring Cisco IOS Configuration Engine. Switch Database Management (SDM) templates for allocating system resources to maximize support for user-selected features.and multilayer-switching features. For more information about the CLI. 2. “Using the Command-Line Interface. executing the configuration change.

not supported on UNIs) Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (LLDP-MED) for interoperability with third-party IP phones (supported only on NNIs or ENIs. including IP address requests. CDP and LLDP enhancements for exchanging location information with video end points for dynamic location-based content distribution from servers Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses In-band management access for up to 16 simultaneous Telnet connections for multiple CLI-based sessions over the network In-band management access for up to five simultaneous. In-band management access through SNMP Versions 1. from DHCP clients DHCP server for automatic assignment of IP addresses and other DHCP options to IP hosts DHCP-based autoconfiguration and image update to download a specified configuration a new image to a large number of switches DHCP server port-based address allocation for the preassignment of an IP address to a switch port Directed unicast requests to a DNS server for identifying a switch through its IP address and its corresponding hostname and to a TFTP server for administering software upgrades from a TFTP server Address Resolution Protocol (ARP) for identifying a switch through its IP address and its corresponding MAC address Unicast MAC address filtering to drop packets with specific source or destination MAC addresses Configurable MAC address scaling that allows disabling MAC address learning on a VLAN to limit the size of the MAC address table Cisco Discovery Protocol (CDP) Versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network (supported on NNIs by default.Chapter 1 Features Overview Manageability Features Note The encrypted Secure Shell (SSH) feature listed in this section is available only on the cryptographic versions of the switch software image. encrypted Secure Shell (SSH) connections for multiple CLI-based sessions over the network (requires the cryptographic versions of the switch software). and Domain Name System [DNS] and TFTP server names) DHCP relay for forwarding User Datagram Protocol (UDP) broadcasts. default gateway. hostname. can be enabled on ENIs. and 3 get and set requests Out-of-band management access through the switch console port to a directly attached terminal or to a remote terminal through a serial connection or a modem • • • • • • • • • • • • • Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 1-4 OL-9639-10 . 2c. requires the metro IP access image or metro access image) Support for the LLDP-MED location TLV that provides location information from the switch to the endpoint device (requires the metro IP access or metro access image). • • • • • • Support for DHCP for configuration of switch information (such as IP address.

allowing listeners to connect to multicast sources dynamically and reducing dependencies on the application The HTTP client in Cisco IOS supports can send requests to both IPv4 and IPv6 HTTP servers. and IEEE 802. and site addressing changes. • • • • • • • • • • Availability Features • • UniDirectional Link Detection (UDLD) and aggressive UDLD for detecting and disabling unidirectional links on fiber-optic interfaces caused by incorrect fiber-optic wiring or port faults IEEE 802. Ethernet Line Management Interface (E-LMI) on customer-edge and provider-edge switches.1ap) MIB. Support for the IEEE CFM (IEEE 802. subnet. and to detect faults in a network. such as management of host and mobile IP addresses (requires the metro IP access image) IPv6 supports stateless autoconfiguration to manage link.1ag Connectivity Fault Management (CFM). administration. which can be used as a tool to trace paths. such as management of host and mobile IP addresses (requires the metro IP access image) CPU utilization threshold trap monitors CPU utilization.3ah Ethernet OAM discovery. CFM support on a customer VLAN (C-VLAN). remote fault detection.1D Spanning Tree Protocol (STP) for redundant backbone connections and loop-free networks (supported by default on NNIs. remote fault detection. can be enabled on ENIs. and maintenance (OAM) IEEE 802. subnet. link monitoring. This provides identical configuration files to be sent by using the DHCP protocol.Chapter 1 Overview Features • • User-defined command macros for creating custom switch configurations for simplified deployment across multiple switches Support for metro Ethernet operation.3ah Ethernet OAM discovery. and site addressing changes. and remote loopback. and remote loopback (requires the metro IP access or metro access image). link monitoring. to verify and to manage connectivity. Support for including a hostname in the option 12 field of DHCPDISCOVER packets. STP has these features: – Up to 128 supported spanning-tree instances – Per-VLAN spanning-tree plus (PVST+) for balancing load across VLANs – Rapid PVST+ for balancing load across VLANs and providing rapid convergence of spanning-tree instances Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 1-5 . Configuration replacement and rollback to replace the running configuration on a switch with any saved Cisco IOS configuration file Source Specific Multicast (SSM) mapping for multicast applications to provide a mapping of source to allowing IGMPv2 clients to utilize SSM. and the HTTP server in Cisco IOS can service HTTP requests from both IPv4 and IPv6 HTTP clients (requires the metro IP access image) IPv6 supports stateless autoconfiguration to manage link. DHCP Snooping enhancement to support the selection of a fixed string-based format for the circuit-id sub-option of the Option 82 DHCP field. which allows a customer to provision maintenance intermediate points (MIPs) and Up maintenance endpoints (MEPs) on a C-VLAN component to provide a customer with visibility to network traffic on the C-VLAN. and IEEE 802. not supported on UNIs).

adds.1w Rapid Spanning Tree Protocol (RSTP) for rapid convergence of the spanning tree by immediately transitioning root and designated port NNIs or spanning-tree enabled ENIs to the forwarding state Optional spanning-tree features available in PVST+. and network security by establishing VLAN groups for high-security users and network resources Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 1-6 OL-9639-10 . and to allow the failover of the server traffic to an operational link on another Cisco Ethernet switch (requires the metro IP access or metro access image).1s Multiple Spanning Tree Protocol (MSTP) on NNIs or ENIs for grouping VLANs into a spanning-tree instance and for providing multiple forwarding paths for data traffic and load balancing and rapid per-VLAN Spanning-Tree plus (rapid-PVST+) based on the IEEE 802. Support for Resilient Ethernet Protocol (REP) for improved convergence times and network loop prevention without the use of spanning tree (requires the metro IP access or metro access image).1Q standard VLAN Query Protocol (VQP) for dynamic VLAN membership IEEE 802. Support for REP edge ports when the neighbor port is not REP-capable HSRP for Layer 3 router redundancy (requires metro IP access image) Equal-cost routing for link-level and switch-level redundancy (requires metro IP access image) Shorter Resilient Ethernet Protocol (REP) hello: Changes the range of the REP link status layer (LSL) age timer from 3000 to 10000 ms in 500-ms intervals to 120 to 10000 ms in 40-ms intervals. rapid-PVST+. Flex Link Multicast Fast Convergence to reduce the multicast traffic convergence time after a Flex Link failure Link-state tracking to mirror the state of the ports that carry upstream traffic from connected hosts and servers. traffic patterns. and bandwidth Support for VLAN IDs in the full 1 to 4094 range allowed by the IEEE 802.Chapter 1 Features Overview • IEEE 802. and changes. also referred to as the MAC address-table move update feature (requires the metro IP access or metro access image). • • • • • • • • VLAN Features • • • • Support for up to 1005 VLANs for assigning users to VLANs associated with appropriate network resources. management and control of broadcast and multicast traffic. Counter and timer enhancements to REP support (requires the metro IP access or metro access image).1Q trunking encapsulation on all ports for network moves. and MSTP modes on NNIs and ENIs where spanning tree has been enabled: – Port Fast for eliminating the forwarding delay by enabling a spanning-tree port to immediately • transition from the blocking state to the forwarding state – Bridge protocol data unit (BPDU) guard for shutting down Port Fast-enabled ports that receive BPDUs – BPDU filtering for preventing a Port Fast-enabled ports from sending or receiving BPDUs – Root guard for preventing switches outside the network core from becoming the spanning-tree root – Loop guard for preventing alternate or root port NNIs or ENIs from becoming designated ports because of a failure that leads to a unidirectional link • Flex Link Layer 2 interfaces to back up one another as an alternative to STP for basic link redundancy in a nonloop network with preemptive switchover and bidirectional fast convergence.

notification. local switching is disabled among subscriber ports to ensure that subscribers are isolated. to provide a more controlled IP address allocation. or define which MAC addresses may be learned on a port VLAN Flex Link Load Balancing to provide Layer 2 redundancy without requiring Spanning Tree Protocol (STP). • • • • Security Features The switch provides security for the subscriber. • • Password-protected access (read-only and read-write access) to management interfaces for protection against unauthorized configuration changes Configuration file security so that only authenticated and authorized users have access to the configuration file. With this feature enabled. UNI-ENI isolated VLANs to isolate customer VLANs from VLANs of other customers on the same switch. the switch. A pair of interfaces configured as primary and backup links can load balance traffic based on VLAN. The switch CPU continues to send and receive control protocol frames. and to allow Layer 2 ports to be isolated from ports on other switches Port security on a PVLAN host to limit the number of MAC addresses learned on a port. Subscriber Security • • • • • By default. Private VLANs to address VLAN scalability problems.Chapter 1 Overview Features • VLAN 1 minimization for reducing the risk of spanning-tree loops or storms by allowing VLAN 1 to be disabled on any individual VLAN trunk link. no user traffic is sent or received on the trunk. DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers DHCP Snooping Statistics show and clear commands to display and remove DHCP snooping statistics in summary or detail form IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP snooping database and IP source bindings Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN Switch Security Note The Kerberos feature listed in this section is only available on the cryptographic versions of the switch software. and resulting actions Port security option for limiting and identifying MAC addresses of the stations allowed to access the port Port security aging to set the aging time for secure addresses on a port • • • Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 1-7 . and the network. Local switching does not occur among UNIs or ENIs on the switch that belong to the same UNI-ENI isolated VLAN. preventing users from accessing the configuration file by using the password recovery process Multilevel security for a choice of security level.

1x port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. authorization. and accounting (AAA) services Kerberos security system to authenticate requests for network resources by using a trusted third party (requires the cryptographic versions of the switch software) • • • • • • Network Security • • • • • • • Static MAC addressing for ensuring security Standard and extended IP access control lists (ACLs) for defining security policies in both directions on routed interfaces (router ACLs) and VLANs and inbound on Layer 2 interfaces (port ACLs) IPv6 ACLs to be applied to interfaces to filter IPv6 traffic Extended MAC access control lists for defining security policies in the inbound direction on Layer 2 interfaces VLAN ACLs (VLAN maps) for providing intra-VLAN security by filtering traffic based on information in the MAC.1x switch supplicant. Authorized users are assigned to the least populated VLAN in the group. duplex. (LACP.Chapter 1 Features Overview • LLDP (Link Layer Discovery Protocol) and LLLDP-MED (Media Extensions)—Adds support for IEEE 802. and power settings with end devices such as IP Phones.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to improve scalability of the network by load balancing users across different VLANs. Allows configuring of ENI protocol control packets for CDP. assigned by RADIUS server.1AB link layer discovery protocol for interoperability in multi-vendor networks. or PAgP. per-protocol basis. IEEE 802. STP.1x readiness check to determine the readiness of connected end hosts before configuring 802. and auto enablement to authenticate a switch outside a wiring closet as a supplicant to another switch • • Support for IP source guard on static hosts. UNI and ENI default port state is disabled Automatic control-plane protection to protect the CPU from accidental or malicious overload due to Layer 2 control traffic on UNIs or ENIs Configurable control plane security that provides service providers with the flexibility to drop customers control-plane traffic on a per-port. host authorization with Client Information Signalling Protocol (CISP). granting access to. These features are supported: – VLAN assignment for restricting 802. TACACS+. IP. a proprietary feature for managing network security through a TACACS server RADIUS for verifying the identity of. LLDP. Switches exchange speed.1x-authenticated users to a specified VLAN – Port security for controlling access to 802. and TCP/UDP headers Source and destination MAC-based ACLs for filtering non-IP traffic IEEE 802. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 1-8 OL-9639-10 .1x ports – 802.1x on the switch – Network Edge Access Topology (NEAT) with 802. and tracking the actions of remote users through authentication.1x accounting to track network usage – 802.

Differentiated Services Code Point (DSCP). Syslog. • IEEE 802. ACL lookup. CoS. per-VLAN QoS to control traffic carried on a user-specified VLAN for a given interface.2(25)SEG. • Quality of Service and Class of Service Features • • • Configurable control-plane queue assignment to assign control plane traffic for CPU-generated traffic to a specific egress queue. per-VLAN hierarchical policy maps to trunk ports.1p class of service (CoS) packet fields. and 256-bit Advanced Encryption Standard (AES) encryption algorithms to SNMPv3. Cisco modular quality of service (QoS) command-line (MQC) implementation Classification based on IP precedence. Beginning with IOS software release 12. 192-bit. This release adds support for the 168-bit Triple Data Encryption Standard (3DES) and the 128-bit. and HTTP as well as IPv6 MLD snooping.Chapter 1 Overview Features • Support for 3DES and AES with version 3 of the Simple Network Management Protocol (SNMPv3). or assigning a QoS label for output classification Policing – One-rate policing based on average rate and burst rate for a policer – Two-color policing that allows different actions for packets that conform to or exceed the rate – Aggregate policing for policers shared by multiple traffic classes • • • • Weighted tail drop (WTD) as the congestion-avoidance mechanism for managing the queue lengths and providing drop precedences for different traffic classifications Table maps for mapping DSCP. Additional IPv6 support to include IPv6 eBGP. you can use hierarchical policy maps for per-VLAN classification and apply the per-port. and IEEE 802. The option to disable CPU protection to increase the available QoS policers from 45 to 64 per port (63 on every fourth port) • Layer 2 Virtual Private Network Services Layer 2 virtual private network (VPN) features are only available when the switch is running the metro IP access or metro access image. IPv6 SNMP. and IP precedence values Queuing and Scheduling – Shaped round robin (SRR) traffic shaping to mix packets from all queues to minimize traffic burst – Class-based traffic shaping to specify a maximum permitted average rate for a traffic class – Port shaping to specify the maximum permitted average rate for a port – Class-based weighted queuing (CBWFQ) to control bandwidth to a traffic class – WTD to adjust queue size for a specified traffic class – Low-latency priority queuing to allow preferential treatment to certain traffic • Per-port.1Q tunneling enables service providers to offer multiple point Layer 2 VPN services to customers Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 1-9 .

from DHCP clients DHCP for IPv6 relay. including IP address requests.Chapter 1 Features Overview • Layer 2 protocol tunneling to enable customers to control protocols such as BPDU. which dynamically assigns responsibility for one or more virtual routers to the VRRP routers on a LAN. PIM dense mode (PIM-DM). such as video Multicast Source Discovery Protocol (MSDP) for connecting multiple PIM-SM domains DHCP relay for forwarding UDP broadcasts. RIP. allowing each VLAN to maintain its own autonomous data-link domain Policy-based routing (PBR) for configuring defined policies for traffic flows Static IP routing for manually building a routing table of network path information Equal-cost routing for load balancing and redundancy Internet Control Message Protocol (ICMP) and ICMP Router Discovery Protocol (IRDP) for using router advertisement and router solicitation messages to discover the addresses of routers on directly attached subnets Protocol-Independent Multicast (PIM) for multicast routing within the network. or HSRP routing protocols – Support for the BFD Protocol on SVIs • • • • • IP routing between VLANs (inter-VLAN routing) for full Layer 3 routing between two or more VLANs. or OSPF IPv6 default router preference (DRP) for improving the ability of a host to select an appropriate router • • • • • • • Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 1-10 OL-9639-10 . client. VTP. and UDLD protocols to be tunneled across service-provider networks. IS-IS. Layer 3 Features Note Layer 3 features are only available when the switch is running the metro IP access image. Includes support for PIM sparse mode (PIM-SM). routed backbones: – RIP Versions 1 and 2 – OSPF – EIGRP – BGP Version 4 – IS-IS dynamic routing – BFD protocol Bidirectional Forwarding Detection (BFD) Protocol to detect forwarding-path • failures for OSPF. server address assignment and prefix delegation IPv6 unicast routing capability for forwarding IPv6 traffic through configured interfaces using static routing. • • HSRP Version 1 (HSRPv1) and HSRP Version 2 (HSRPv2) for Layer 3 router redundancy Support for the Virtual Router Redundancy Protocol (VRRP) for IPv4. IP routing protocols for load balancing and for constructing scalable. BGP. CDP. PAgP. allowing for devices in the network to receive the multicast feed requested and for switches not participating in the multicast to be pruned. allowing multiple routers on a multiaccess link to utilize the same virtual IP address. EIGRP. and PIM sparse-dense mode Support for the SSM PIM protocol to optimize multicast applications. LACP.

IP SLAs for Metro Ethernet using IEEE 802. Administration.1ag Ethernet Operation.Chapter 1 Overview Features • Support for EIGRP IPv6. EOT and IP SLAs EOT static route support to identify when a preconfigured static route or a DHCP route goes down (requires metro IP access or metro access image). alarms. and time-out events Layer 2 traceroute to identify the physical path that a packet takes from a source device to a destination device Time Domain Reflector (TDR) to diagnose and resolve cabling problems on copper Ethernet 10/100 ports SFP module diagnostic management interface to monitor physical or operational status of an SFP module Enhanced object tracking for HSRP clients (requires metro IP access image) IP Service Level Agreements (IP SLAs) support to measure network performance by using active traffic monitoring (requires metro IP access or metro access image). • • Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 1-11 . repel. IP SLAs EOT to use the output from IP SLAs tracking operations triggered by an action such as latency. and report network security violations Four groups (history. statistics. and Maintenance (OAM) capability to validate connectivity. or packet loss for a standby router failover takeover (requires metro IP access or metro access image). and events) of embedded RMON agents for network monitoring and traffic analysis Syslog facility for logging system messages about authentication or authorization errors. and latency in a metro Ethernet network (requires metro IP access or metro access image). and advertises IPv6 routes Layer 3 VPN Services These features are available only when the switch is running the metro IP access image. resource issues. jitter. • Multiple VPN routing/forwarding (multi-VRF) instances in customer edge devices (multi-VRF CE) to allow service providers to support multiple virtual private networks (VPNs) and overlap IP addresses between VPNs Multicast virtual routing and forwarding (VRF) Lite for configuring multiple private routing domains for network virtualization and virtual private multicast networks VRF and EIGRP compatibility • • Monitoring Features • • • • • • • • • • • • Switch LEDs that provide port. which utilizes IPv6 transport. jitter. communicates with IPv6 peers.and switch-level status MAC address notification traps and RADIUS accounting for tracking users on a network by storing the MAC addresses that the switch has learned or removed Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) for traffic monitoring on any port or VLAN SPAN and RSPAN support of Intrusion Detection Systems (IDS) to monitor.

“Configuring IEEE 802.0. Support for the TWAMP standard for measuring round-trip network performance between any two devices that support the protocol. and MAC-Address-Table. you can change the interface-specific and system-wide settings. Table 1-1 Default Settings After Initial Switch Configuration Feature Switch IP address. and default gateway Domain name Passwords TACACS+ RADIUS System name and prompt NTP DNS IEEE 802. Chapter 3. see the hardware installation guide..Chapter 1 Default Settings After Initial Switch Configuration Overview • • • Embedded event manager (EEM) for device and system management to monitor key system events and then act on them though a policy (requires metro IP access or metro access image) Support for EEM 3.1x DHCP • • • Default Setting 0.0 None None defined Disabled Disabled Switch Enabled Enabled Disabled More information in. Default Settings After Initial Switch Configuration The switch is designed for plug-and-play operation. which introduces event detectors for Neighbor Discovery.2. “Assigning the Switch IP Address and Default Gateway” Chapter 19. the Cisco ME 3400 switch operates with the default settings shown in Table 1-1. “Administering the Switch” Chapter 8. subnet mask. Identity. “Assigning the Switch IP Address and Default Gateway” Chapter 5. you only need to assign basic IP information to the switch and connect it to the other devices in your network. If you do not configure the switch at all. If you have specific network needs.1x Port-Based Authentication” Chapter 3. Note For information about assigning an IP address by using the CLI-based setup program.0. “Configuring DHCP Features and IP Source Guard” DHCP client DHCP server DHCP relay agent Enabled Enabled if the device acting as a DHCP server is configured and is enabled Enabled (if the device is acting as a DHCP relay agent and is configured and enabled) Port parameters Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 1-12 OL-9639-10 ..

1Q Tunneling and Layer 2 Protocol Tunneling” Dynamic ARP inspection Tunneling • • 802. “Configuring Private VLANs” Chapter 20. “Configuring Interfaces” Port type Operating mode Port enable state Interface speed and duplex mode Auto-MDIX Flow control Command Macros VLANs • • • • Chapter 10. “Configuring Dynamic ARP Inspection” Chapter 13. “Configuring IEEE 802. can be Chapter 16. “Configuring Resilient Ethernet Protocol” Chapter 18. “Configuring Optional configured on ENIs) Spanning-Tree Features” Not configured Chapter 17. “Configuring STP” Disabled (not supported on UNIs.Chapter 1 Overview Default Settings After Initial Switch Configuration Table 1-1 Default Settings After Initial Switch Configuration (continued) Feature • • • • • • Default Setting Gigabit Ethernet: NNI. Fast Ethernet ports: UNI Layer 2 (switchport) Enabled for NNIs. “Configuring Flex Links and the MAC Address-Table Move Update Feature” Chapter 19. Chapter 9. “Configuring VLANs” Default VLAN VLAN interface mode VLAN type Private VLANs VLAN 1 Access UNI isolated None configured Disabled on all VLANs Chapter 12. “Configuring DHCP Features and IP Source Guard” Chapter 19. can be Chapter 15.1Q tunneling (requires metro Disabled IP access or metro access image) Layer 2 protocol tunneling Disabled (requires metro IP access or metro access image) STP MSTP Optional spanning-tree features Rapid PVST+ enabled on NNIs in VLAN 1 Spanning Tree Protocol • • • Chapter 14. disabled for UNIs and ENIs Autonegotiate Enabled Off None configured More information in. “Configuring MSTP” configured on ENIs) Disabled (not supported on UNIs.. “Configuring Command Macros” Chapter 11. “Configuring DHCP Features and IP Source Guard” Resilient Ethernet Protocol (requires metro IP access or metro access image) Flex Links (requires metro IP access or metro access image) DHCP snooping Not configured Disabled Disabled IP source guard Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 1-13 ..

multicast. “Configuring HSRP” Chapter 40. Version 1 None configured Not configured None configured Chapter 24. “Configuring LLDP and LLDP-MED” Chapter 25. not Chapter 23. “Configuring SPAN and RSPAN” Chapter 27. “Configuring UDLD” Chapter 26. “Configuring SNMP” Chapter 31. “Configuring RMON” Chapter 28. “Configuring Port-Based Traffic Control” Broadcast. disabled on ENIs. “Configuring EtherChannels and Link-State Tracking” Chapter 35. “Configuring QoS” Chapter 34. “Configuring IGMP Snooping and MVR” Chapter 22.. “Configuring IGMP Snooping and MVR” IGMP snooping IGMP filters IGMP querier MVR IGMP throttling Port-based Traffic Control • • • • Chapter 21. and unicast Disabled storm control Protected ports Unicast and multicast traffic flooding Secure ports None defined Not blocked None configured CDP LLDP UDLD SPAN and RSPAN RMON Syslog messages SNMP ACLs QoS EtherChannels IP unicast routing • Enabled on NNIs. “Configuring System Message Logging” Chapter 29. displayed on the console Enabled. “Configuring CDP” supported on UNIs Disabled (not supported on UNIs) Disabled Disabled Disabled Enabled. “Configuring Cisco IOS IP SLAs Operations” Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 1-14 OL-9639-10 ..Chapter 1 Default Settings After Initial Switch Configuration Overview Table 1-1 Default Settings After Initial Switch Configuration (continued) Feature IGMP snooping • • • • Default Setting Enabled None applied Disabled Disabled Deny More information in. “Configuring IP Unicast Routing” IP routing and routing protocols Disabled (requires metro IP access or metro access image) Multi-VRF-CE (requires metro IP Disabled access or metro access image) None configured Not configured • HSRP groups (requires metro IP access image) Cisco IOS IP SLAs Chapter 39. “Configuring Network Security with ACLs” Chapter 33. Chapter 21.

CFM. video. enabled per interface Chapter 42.1Q trunks. so denial-of-service attacks are avoided. serving multitenant units by using Cisco ME 3400 Ethernet Access switches connected through 1000BASE-X SFP module ports. and E-LMI” Disabled globally Disabled on all interfaces Network Configuration Examples This section provides network configuration concepts and includes examples of using the switch to create dedicated network segments and interconnecting the segments through Fast Ethernet and Gigabit Ethernet connections.Chapter 1 Overview Network Configuration Examples Table 1-1 Default Settings After Initial Switch Configuration (continued) Feature Enhanced object tracking Default Setting No tracked objects or list configured More information in. Home access gateways are connected to the ME switches through UNIs or ENIs configured as 802. Chapter 41. “Configuring Enhanced Object Tracking” Chapter 43. “Configuring Ethernet OAM. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 1-15 . and Internet access services to metropolitan areas.3ah) Disabled globally. “Configuring IP Multicast Routing” Chapter 44. The Metro Ethernet user-facing provider edge (UPE) switches provide economical bandwidth and the security and the QoS needed for these services. the service providers have granular control of the types of traffic to enter the network. Cisco ME switches used as residential switches provide customers with high-speed connections to the service provider point-of presence (POP). UNIs also do not process control protocols from customers.. “Configuring MSDP” IP multicast routing (requires metro IP Disabled on all interfaces access image) MSDP (requires metro IP access image) Ethernet OAM • • • Disabled CFM E-LMI Ethernet OAM protocol (IEEE 802.. the subscribers are protected from each other. Figure 1-1 shows a Gigabit Ethernet ring for a residential location. The Cisco ME switch also provides mechanisms such as port security and IP Source Guard to protect against MAC or IP spoofing. Because the default behavior on these ports allows no local switching between the ports. • • • “Multidwelling or Ethernet-to-the-Subscriber Network” section on page 1-15 “Layer 2 VPN Application” section on page 1-16 “Multi-VRF CE Application” section on page 1-18 Multidwelling or Ethernet-to-the-Subscriber Network Metro Ethernet provides the access technology for service providers deploying voice. By using advanced access control lists.

With Ethernet in the WAN network. You can configure a policer on ingress UNIs to ensure that a customer can send only the amount of bandwidth paid for. or MQC. When an end station in one VLAN needs to communicate with an end station in another VLAN. voice-over-IP (VoIP) gateway services. and WAN and Internet access. Network Address Translation (NAT) services. mark. providing inter-VLAN routing. you can use four different queues to provide different levels of priority for different types of traffic. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 1-16 OL-9639-10 . the Cisco ME switch can identify. The Cisco modular QoS command-line interface (CLI). You can also configure a rate-limiter on the low-latency queues to prevent other queues from being deprived due to misconfiguration. but also the ability to extend their private network across the service provider’s shared infrastructure. On egress NNIs. service providers can meet the bandwidth requirements of enterprise customers and use VPN features to extend customers’ networks. police. a router or switch routes the traffic to the appropriate destination VLAN. One queue can be assigned as a low-latency queue to provide expedited service for latency sensitive traffic such as voice. and schedule traffic types based on Layer 2 to Layer 4 information. The routers also provide firewall services. VLAN access control lists (VLAN maps) provide intra-VLAN security and prevent unauthorized users from accessing critical pieces of the network. on Cisco ME switches provides an efficient method of QoS configuration.Chapter 1 Network Configuration Examples Overview To provide differential QoS treatment for different types of traffic. Figure 1-1 Cisco ME Switches in a Multidwelling Configuration Cisco routers Catalyst 6500 switches Service Provider POP Residential basement Si Cisco ME switches Home access gateways Residential location Set-top box Set-top box PC PC 92998 TV TV Layer 2 VPN Application Enterprise customers need not only high bandwidth.

” for more information on configuring these features. Layer 2 VPN lowers operational expenses by minimizing enterprise user-facing provider edge (UPE) switch configuration and management. “Configuring IEEE 802. In addition to data-plane separation. site 2 CPE VLAN 35-60 Corp B. the switch can encapsulate each customer’s control-plane traffic and send it transparently across the service-provider network. Cisco ME 3400 switches are used as UPEs in customer sites connected to customer-premises equipment (CPE) switches. and create virtual pipes across the service provider infrastructure. With Layer 2 protocol tunneling.1Q Tunneling and Layer 2 Protocol Tunneling. Figure 1-2 Layer 2 VPN Configuration Customer building Customer building CPE VLAN 50-120 CPE Customer VLAN 35-60 Corp A. By supporting double tags.Chapter 1 Overview Network Configuration Examples Enterprise customers can use Layer 2 VPN to transparently move any type of traffic across a service-provider network. The switches can tag customer traffic with the service-provider VLAN ID on top of the customer’s IEEE 802. site 3 Customer building 92997 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 1-17 . site 1 Customer building UPE = Cisco ME 3400 switch SP VLAN 8 UPE SP VLAN 8 CPE VLAN 50-120 Corp B. In contrast to Layer 3 VPN service. In Figure 1-2. See Chapter 13.1Q tag. the Cisco ME 3400 switch provides a virtual tunnel for each customer and prevents VLAN ID overlaps between customers. site 1 UPE SP VLAN 8 SP VLAN 5 UPE SP Metro core SP VLAN 5 Corp A. the Cisco ME 3400 switch can also tunnel the customer’s control protocols. site 2 UPE CPE Customer VLAN 50-120 Corp B. You can use Cisco ME 3400 switches to form Layer 2 VPNs so that customers at different locations can exchange information through a service-provider network without requiring dedicated connections.

for example. Provider routers or core routers are any routers in the service provider network that do not attach to CE devices. The PE is only required to maintain VPN routes for directly attached VPNs.Chapter 1 Network Configuration Examples Overview Multi-VRF CE Application A VPN is a collection of sites sharing a common routing table. The shared CE maintains separate VRF tables for each customer and switches or routes packets for each customer based on its own routing table. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 1-18 OL-9639-10 . Provider edge (PE) routers exchange routing information with CE devices by using static routing or a routing protocol such as BGP. small companies. Multi-VRF CE extends limited PE functionality to a CE device. RIPv2. Figure 1-3 shows a configuration using Cisco ME 3400 switches as multiple virtual CEs. This scenario is suited for customers who have low bandwidth requirements for their VPN service. called a VPN routing/forwarding (VRF) table. Figure 1-3 Multiple Virtual CEs VPN 1 CE1 PE1 Service provider PE2 CE2 VPN 1 VPN 2 CE = Customer-edge device PE = Provider-edge device VPN 2 101385 See the “Configuring Multi-VRF CE” section on page 35-82 for more information about Multi-VRF-CE. or EIGRP. • • With multi-VRF CE. OSPF. multiple customers can share one CE. multi-VRF CE support is required in the Cisco ME switches. each interface in a VRF must be a Layer 3 interface. and the service provider associates each interface with a VPN routing table. Multi-VRF CE includes these devices: • Customer edge (CE) devices provide customers access to the service-provider network over a data link to one or more provider edge routers. A customer site is connected to the service-provider network by one or more interfaces. It does not need to maintain all of the service-provider VPN routes. Because multi-VRF CE is a Layer 3 feature. and only one physical link is used between the CE and the PE. The CE device advertises the site’s local routes to the router and learns the remote VPN routes from the router. The Cisco ME 3400 switch can be a CE device. Multiple VPN routing/forwarding (multi-VRF) instances in customer edge (CE) devices (multi-VRF CE) allows a service provider to support two or more VPNs with overlapping IP addresses. In this case. giving it the ability to maintain separate VRF tables to extend the privacy and security of a VPN to the branch office. Each PE router maintains a VRF for each of its directly connected sites.

review these sections for startup information: • • • Chapter 2. “Using the Command-Line Interface” Chapter 3.Chapter 1 Overview Where to Go Next Where to Go Next Before configuring the switch. “Configuring Cisco IOS Configuration Engine” Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 1-19 . “Assigning the Switch IP Address and Default Gateway” Chapter 4.

Chapter 1 Where to Go Next Overview Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 1-20 OL-9639-10 .

you begin in user mode. The commands available to you depend on which mode you are currently in. To have access to all commands. and how to exit the mode. such as show commands. page 2-9 Understanding Command Modes The Cisco IOS user interface is divided into many different modes. The user EXEC commands are not saved when the switch reboots. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode. which show the current configuration status. the prompt you see in that mode. these commands are stored and used when the switch reboots. Table 2-1 describes the main command modes. page 2-4 Using Command History. For example. page 2-1 Understanding the Help System. Normally. you can enter interface configuration mode and line configuration mode. page 2-3 Understanding no and default Forms of Commands. often called user EXEC mode.CH A P T E R 2 Using the Command-Line Interface This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your Cisco ME 3400 Ethernet Access switch. you can enter any privileged EXEC command or enter global configuration mode. The examples in the table use the hostname Switch. From global configuration mode. you can make changes to the running configuration. which clear counters or interfaces. page 2-3 Understanding Abbreviated Commands. page 2-8 Accessing the CLI. Only a limited subset of the commands are available in user EXEC mode. how to access each one. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 2-1 . you must enter privileged EXEC mode. page 2-6 Searching and Filtering Output of show and more Commands. When you start a session on the switch. you must start at global configuration mode. page 2-4 Using Editing Features. From this mode. and clear commands. you must enter a password to enter privileged EXEC mode. most of the user EXEC commands are one-time commands. and line). interface. It contains these sections: • • • • • • • • • Understanding Command Modes. Using the configuration modes (global. If you save the configuration. page 2-4 Understanding CLI Error Messages. To access the various configuration modes.

To return to privileged EXEC mode. parameters for the Ethernet enter exit. ports. Change terminal settings. About This Mode Use this mode to • • • Begin a session with Switch> your switch. Ctrl-Z. For more detailed information on the command modes. press Ctrl-Z or enter end. Perform basic tests. Switch(config-if)# To exit to global Use this mode to configure configuration mode. While in global configuration mode. enter parameters that apply to the exit or end. While in privileged EXEC mode. see the “Configuring a Range of Interfaces” section on page 9-9. enter the enable command. VLAN configuration Switch(config-vlan)# Interface configuration While in global configuration mode. Display system information. enter the vlan vlan-id command. line. To return to privileged EXEC mode. or press entire switch. enter the exit command. Switch(config-line)# To exit to global Use this mode to configure configuration mode. To exit to global Use this mode to configure configuration mode. specify a line with the line vty or line console command. Use a password to protect access to this mode. Line configuration While in global configuration mode. press Ctrl-Z or enter end. enter the interface command (with a specific interface).Chapter 2 Understanding Command Modes Using the Command-Line Interface Table 2-1 Command Mode Summary Mode User EXEC Access Method Prompt Exit Method Enter logout or quit. Privileged EXEC While in user EXEC Switch# mode. VLAN parameters. Use this mode to verify commands that you have entered. parameters for the terminal enter exit. To return to privileged EXEC mode. enter the configure command. For information about defining interfaces. Switch(config)# Enter disable to exit. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 2-2 OL-9639-10 . see the “Using Interface Configuration Mode” section on page 9-8. To configure multiple interfaces with the same parameters. press Ctrl-Z or enter end. Global configuration To exit to privileged Use this mode to configure EXEC mode. see the command reference guide for this release.

Obtain a list of commands that begin with a particular character string.Chapter 2 Using the Command-Line Interface Understanding the Help System Understanding the Help System You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. For example: Switch> ? command ? List the associated keywords for a command. This example shows how to enter the show configuration privileged EXEC command in an abbreviated form: Switch# show conf Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 2-3 . For example: Switch# di? dir disable disconnect abbreviated-command-entry<Tab> Complete a partial command name. You can also obtain a list of associated keywords and arguments for any command. For example: Switch> show ? command keyword ? List the associated arguments for a keyword. as shown in Table 2-2. For example: Switch(config)# cdp holdtime ? <10-255> Length of time (in sec) that receiver must keep this packet Understanding Abbreviated Commands You need to enter only enough characters for the switch to recognize the command as unique. For example: Switch# sh conf<tab> Switch# show configuration ? List all commands available for a particular command mode. Table 2-2 Help Summary Command help abbreviated-command-entry? Purpose Obtain a brief description of the help system in any command mode.

You did not enter all the keywords or Re-enter the command followed by a question mark (?) values required by this command. Enter a question mark (?) to display all the commands that are available in this command mode. page 2-5 (optional) Disabling the Command History Feature. Configuration commands can also have a default form. The possible keywords that you can enter with the command appear. The command history feature is particularly useful for recalling long or complex commands or entries.Chapter 2 Understanding no and default Forms of Commands Using the Command-Line Interface Understanding no and default Forms of Commands Almost every configuration command also has a no form. For example. Table 2-3 Common CLI Error Messages Error Message % Ambiguous command: "show con" Meaning You did not enter enough characters for your switch to recognize the command. The caret (^) marks the point of the error. In these cases. use the no form to disable a feature or function or reverse the action of a command. % Incomplete command. Understanding CLI Error Messages Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch. the no shutdown interface configuration command reverses the shutdown of an interface. The possible keywords that you can enter with the command appear. You entered the command incorrectly. page 2-5 (optional) Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 2-4 OL-9639-10 . so the default form is the same as the no form. The possible keywords that you can enter with the command appear. % Invalid input detected at ‘^’ marker. However. some commands are enabled by default and have variables set to certain default values. You can customize this feature to suit your needs as described in these sections: • • • Changing the Command History Buffer Size. Use the command without the keyword no to re-enable a disabled feature or to enable a feature that is disabled by default. How to Get Help Re-enter the command followed by a question mark (?) with a space between the command and the question mark. The default form of a command returns the command setting to its default. the default command enables the command and sets variables to their default values. page 2-5 (optional) Recalling Commands. with a space between the command and the question mark. In general. Most commands are disabled by default. including access lists. Using Command History The software provides a history or record of commands that you have entered.

enter this command to change the number of command lines that the switch records during the current terminal session: Switch# terminal history [size number-of-lines] The range is from 0 to 256. list the last several commands that you just entered. perform one of the actions listed in Table 2-4. show history 1. To disable the feature during the current terminal session. Recalling Commands To recall commands from the history buffer. To disable command history for the line. enter the no history line configuration command. Result Recall commands in the history buffer. the switch records ten command lines in its history buffer. While in privileged EXEC mode. Table 2-4 Recalling Commands Action1 Press Ctrl-P or the up arrow key. You can alter this number for a current terminal session or for all sessions on a particular line. Beginning in line configuration mode. These procedures are optional. Repeat the key sequence to recall successively more recent commands. Repeat the key sequence to recall successively older commands. The arrow keys function only on ANSI-compatible terminals such as VT100s. enter this command to configure the number of command lines the switch records for all sessions on a particular line: Switch(config-line)# history [size number-of-lines] The range is from 0 to 256. Return to more recent commands in the history buffer after recalling commands with Ctrl-P or the up arrow key. These procedures are optional. You can disable it for the current terminal session or for the command line. Disabling the Command History Feature The command history feature is automatically enabled. beginning with the most recent command. These actions are optional.Chapter 2 Using the Command-Line Interface Using Command History Changing the Command History Buffer Size By default. The number of commands that appear is controlled by the setting of the terminal history global configuration command and the history line configuration command. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 2-5 . Press Ctrl-N or the down arrow key. Beginning in privileged EXEC mode. enter the terminal no history privileged EXEC command.

These keystrokes are optional. • • • Enabling and Disabling Editing Features. or press the Move the cursor back one character. paste them in the command line. page 2-8 (optional) Enabling and Disabling Editing Features Although enhanced editing mode is automatically enabled. re-enable it. Move the cursor to the beginning of the command line. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 2-6 OL-9639-10 . Move the cursor back one word. Press Ctrl-F. Recall the most recent entry in the buffer. To globally disable enhanced editing mode. enter this command in line configuration mode: Switch(config-line)# editing Editing Commands through Keystrokes Table 2-5 shows the keystrokes that you need to edit command lines. Keystroke1 Purpose Press Ctrl-B. left arrow key. Press Ctrl-E. you can disable it. Move the cursor to the end of the command line. Press Ctrl-A. or press the right arrow key. Press Esc B. Table 2-5 Editing Commands through Keystrokes Capability Move around the command line to make changes or corrections.Chapter 2 Using Editing Features Using the Command-Line Interface Using Editing Features This section describes the editing features that can help you manipulate the command line. These procedures are optional. Transpose the character to the left of the cursor with the character located at the cursor. or configure a specific line to have enhanced editing. Move the cursor forward one character. Press Esc F. Press Ctrl-T. page 2-6 (optional) Editing Commands through Keystrokes. The switch provides a buffer with the last ten items that you deleted. enter this command in line configuration mode: Switch (config-line)# no editing To re-enable the enhanced editing mode for the current terminal session. Recall commands from the buffer and Press Ctrl-Y. enter this command in privileged EXEC mode: Switch# terminal editing To reconfigure a specific line to have enhanced editing mode. page 2-6 (optional) Editing Command Lines that Wrap. Move the cursor forward one word.

Delete the character at the cursor. The buffer contains only the last 10 items that you have deleted or cut. If you press Esc Y more than ten times. Press Esc D. you cycle to the first buffer entry. Capitalize or lowercase words or capitalize a set of letters. Delete all characters from the cursor to the end of the command line. Scroll down one line. Capitalize at the cursor. Press Ctrl-K. Press Esc L. perhaps as a shortcut. Delete all characters from the cursor to the beginning of the command line. Redisplay the current command line. Backspace key. Press Ctrl-W. Delete from the cursor to the end of the word. Purpose Recall the next buffer entry. including show command output. Press Esc C. Press the Space bar. Press Esc U. Capitalize letters from the cursor to the end of the word. Designate a particular keystroke as Press Ctrl-V or Esc Q. Note Erase the character to the left of the cursor. an executable command. Press the Return key. The More prompt is used for any output that has more lines than can be displayed on the terminal screen. 1. Scroll down one screen.Chapter 2 Using the Command-Line Interface Using Editing Features Table 2-5 Editing Commands through Keystrokes (continued) Capability Keystroke1 Press Esc Y. Redisplay the current command line if the switch suddenly sends a message to your screen. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 2-7 . Press Ctrl-L or Ctrl-R. Press Ctrl-D. Change the word at the cursor to lowercase. Delete the word to the left of the cursor. You can use the Return and Space bar keystrokes whenever you see the More prompt. Scroll down a line or screen on displays that are longer than the terminal screen can display. The arrow keys function only on ANSI-compatible terminals such as VT100s. Delete entries if you make a mistake Press the Delete or or change your mind. Press Ctrl-U or Ctrl-X.

2. enter a show or more command followed by the pipe character (|). Using these commands is optional.255. Each time the cursor reaches the end of the line. if you enter | exclude output.255. Searching and Filtering Output of show and more Commands You can search and filter the output for show and more commands.108. When the cursor first reaches the end of the line. use the terminal width privileged EXEC command to set the width of your terminal.5 255.1.2. For example. but you can scroll back and check the syntax at the beginning of the command.25 $t tcp 131.108. This example shows how to include in the output display only lines where the expression protocol appears: Switch# show interfaces | include protocol Vlan1 is up. line protocol is up Vlan10 is up.2.5 255.1 $ 101 permit tcp 131.0 131.108.255. You cannot see the first ten characters of the line.255. Note The arrow keys function only on ANSI-compatible terminals such as VT100s.2.20 255. see the “Editing Commands through Keystrokes” section on page 2-6. the access-list global configuration command entry extends beyond one line. The keystroke actions are optional. but the lines that contain Output appear. Switch(config)# Switch(config)# Switch(config)# Switch(config)# access-list 101 permit tcp 131. When the cursor reaches the right margin.5 255. the line is shifted ten spaces to the left and redisplayed.255.108.108. press Ctrl-A to check the complete syntax before pressing the Return key to execute the command.0 131. In this example. one of the keywords begin.255. The dollar sign ($) shows that the line has been scrolled to the left.0 eq 45 After you complete the entry.255. To use this functionality. For information about recalling previous command entries. and an expression that you want to search for or filter out: command | {begin | include | exclude} regular-expression Expressions are case sensitive. line protocol is down GigabitEthernet0/1 is up. line protocol is up Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 2-8 OL-9639-10 .0 131. Use line wrapping with the command history feature to recall and modify previous complex command entries.108.255. or exclude.1$ The software assumes you have a terminal screen that is 80 columns wide.108. the line is again shifted ten spaces to the left. You can also press Ctrl-A to immediately move to the beginning of the line.255.0 131.255.Chapter 2 Searching and Filtering Output of show and more Commands Using the Command-Line Interface Editing Command Lines that Wrap You can use a wraparound feature for commands that extend beyond a single line on the screen.5 255. the command line shifts ten spaces to the left.2. the lines that contain output are not displayed.255. line protocol is down GigabitEthernet0/2 is up.20 255. To scroll back to the beginning of the command entry.255. If you have a width other than that. press Ctrl-B or the left arrow key repeatedly. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see.20 255.255.0 131.0 eq $108.108. include.5 255.108.255.1. The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right: Switch(config)# access-list 101 permit tcp 131.1.

but your switch must first be configured for this type of access.” If your switch is already configured. You can use one of these methods to establish a connection with the switch: • • Connect the switch console port to a management station or dial-up modem. The switch supports up to five simultaneous secure SSH sessions. For information about configuring the switch for Telnet access. For more information. see Chapter 3. The switch must have network connectivity with the Telnet or SSH client. see the “Setting a Telnet Password for a Terminal Line” section on page 7-6. you can access the CLI through a local console connection or through a remote Telnet session. Then. After you connect through the console port. or by using the browser. see the switch hardware installation guide. through a Telnet session or through an SSH session.Chapter 2 Using the Command-Line Interface Accessing the CLI Accessing the CLI You can access the CLI through a console connection. see the “Setting a Telnet Password for a Terminal Line” section on page 7-6. For information about connecting to the console port. see the “Configuring the Switch for Secure Shell” section on page 7-37. Accessing the CLI through a Console Connection or through Telnet Before you can access the CLI. the user EXEC prompt appears on the management station. The switch supports up to 16 simultaneous Telnet sessions. For information about configuring the switch for SSH. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 2-9 . “Assigning the Switch IP Address and Default Gateway. to understand the boot process and the options available for assigning IP information. Use any Telnet TCP/IP or encrypted Secure Shell (SSH) package from a remote management station. Changes made by one Telnet user are reflected in all other Telnet sessions. you must connect a terminal or PC to the switch console port and power on the switch as described in the hardware installation guide that shipped with your switch. through Telnet. and the switch must have an enable secret password configured.

Chapter 2 Accessing the CLI Using the Command-Line Interface Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 2-10 OL-9639-10 .

page 3-23 Note Information in this chapter about configuring IP addresses and DHCP is specific to IP Version 4 (IPv4). The normal boot process involves the operation of the boot loader software. Command References.CH A P T E R 3 Assigning the Switch IP Address and Default Gateway This chapter describes how to create the initial switch configuration (for example. 12. its speed. subnet mask. It initializes the CPU registers. It also describes how to modify the switch startup configuration. its quantity. Understanding the Boot Process To start your switch. see the command reference for this release and to the Cisco IOS Software Documentation. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 3-1 . This chapter consists of these sections: • • • • • Understanding the Boot Process. which performs these functions: • • Performs low-level CPU initialization. page 3-15 Modifying the Startup Configuration.2 Mainline Release. page 3-18 Scheduling a Reload of the Software Image. page 3-2 Checking and Saving the Running Configuration. assigning the switch IP address and default gateway information) for the Cisco Metro Ethernet (ME) 3400 Ethernet Access switch by using a variety of automatic and manual methods. Note For complete syntax and usage information for the commands used in this chapter. page 3-1 Assigning Switch Information. secret and Telnet passwords. and so forth) of the switch. It tests the CPU DRAM and the portion of the flash device that makes up the flash file system. and so forth. default gateway. which control where physical memory is mapped. you need to follow the procedures in the hardware installation guide about installing and powering on the switch and setting up the initial configuration (IP address. Performs power-on self-test (POST) for the CPU subsystem. Volume 1 of 3: Addressing and Services.

the boot loader is not active until the next system reset or power-on. see the “Configuring the Switch with the CLI-Based Setup Program” appendix in the hardware installation guide. or manually. Data bits default is 8.Chapter 3 Assigning Switch Information Assigning the Switch IP Address and Default Gateway • • Initializes the flash file system on the system board. The trap-door mechanism provides enough access to the system so that if it is necessary. set the parity option to none. see the “Recovering from Corrupted Software By Using the Xmodem Protocol” section on page 45-2 and the “Recovering from a Lost or Forgotten Password” section on page 45-3. For more information about the setup program. you can format the flash file system. Note • • If the data bits option is set to 8. and finally restart the operating system. Stop bits default is 1. see the “Disabling Password Recovery” section on page 7-5. Loads a default operating system software image into memory and boots the switch. through a DHCP server. With this program. Normally. uncompress. Note You can disable password recovery. Parity settings default is none. and configured the PC or terminal-emulation software baud rate and character format to match these of the switch console port: • • Baud rate default is 9600. reinstall the operating system software image by using the XMODEM Protocol. Otherwise. do not respond to any of the questions in the setup program until the switch receives the dynamically assigned IP address and reads the configuration file. Use the switch setup program if you want to be prompted for specific IP information. use the setup program described previously. Use a DHCP server for centralized control and automatic assignment of IP information after the server is configured. For more information. manually configure the switch. The boot loader also provides trap-door access into the system if the operating system has problems serious enough that it cannot be used. For more information. recover from a lost or forgotten password. make sure you have connected a PC or terminal to the console port. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 3-2 OL-9639-10 . It gives you the option of assigning a Telnet password (to provide security during remote management). you can also configure a hostname and an enable secret password. and launch the operating system. Note If you are using DHCP. Before you can assign switch information. the boot loader is used only to load. After the boot loader gives the operating system control of the CPU. Assigning Switch Information You can assign IP information through the switch setup program. The boot loader provides access to the flash file system before the operating system is loaded. If you are an experienced user familiar with the switch configuration steps.

page 3-14 Default Switch Information Table 3-1 shows the default switch information. The switch can act as both a DHCP client and a DHCP server. DHCP is built on a client-server model. If you are using DHCP to relay the configuration file location on the network. the DHCP client is invoked and requests configuration information from a DHCP server when the configuration file is not present on the switch. in which designated DHCP servers allocate network addresses and deliver configuration parameters to dynamically configured devices. DHCP-based autoconfiguration replaces the BOOTP client functionality on your switch. The DHCP server for your switch can be on the same LAN or on a different LAN than the switch. No default gateway is defined. your switch (DHCP client) is automatically configured at startup with IP address information and a configuration file. no DHCP client-side configuration is needed on your switch. page 3-3 Manually Assigning IP Information.Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information These sections contain this configuration information: • • • Default Switch Information. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 3-3 . If the DHCP server is running on a different LAN. you might also need to configure a Trivial File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server. If the configuration file is present and the configuration includes the ip address dhcp interface configuration command on specific routed interfaces. No password is defined. the DHCP client is invoked and requests the IP address information for those interfaces. With DHCP-based autoconfiguration. However. This protocol consists of two components: one for delivering configuration parameters from a DHCP server to a device and a mechanism for allocating network addresses to devices. DHCP Client Request Process When you boot your switch. A router does not forward broadcast packets. you should configure a DHCP relay device between your switch and the DHCP server. Table 3-1 Default Switch Information Feature IP address and subnet mask Default gateway Enable secret password Hostname Telnet password Default Setting No IP address or subnet mask are defined. During DHCP-based autoconfiguration. No password is defined. The factory-assigned default hostname is Switch. A relay device forwards broadcast traffic between two directly connected LANs. but it forwards packets based on the destination IP address in the received packet. you need to configure the DHCP server for various lease options associated with IP addresses. page 3-3 Understanding DHCP-Based Autoconfiguration. Understanding DHCP-Based Autoconfiguration DHCP provides configuration information to Internet hosts and internetworking devices.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 3-4 OL-9639-10 . gateway IP address. the client accepts the DHCP hostname option and sets the flag to show that the system now has a hostname configured. the client and server are bound. subnet mask. For more information. The configuration files on all clients are identical except for their DHCP-obtained hostnames. the client returns a formal request for the offered configuration information to the DHCP server. A client (switch) includes in its DCHPDISCOVER message an option 12 field used to request a hostname and other configuration parameters from the DHCP server. see the “Configuring the TFTP Server” section on page 3-7. The DHCP server offers configuration parameters (such as an IP address. Switch A. if the client receives the DCHP hostname option from the DHCP interaction while acquiring an IP address for an interface. the switch broadcasts. and the client uses configuration information received from the server. the DHCP hostname option is not included in the packet when you enter the ip address dhcp interface configuration command. instead of unicasts. A DHCP client might receive offers from multiple DHCP or BOOTP servers and can accept any of the offers. With this message. broadcasts a DHCPDISCOVER message to locate a DHCP server. the client returns a DHCPDECLINE broadcast message to the DHCP server. In a DHCPREQUEST broadcast message. however. TFTP requests to obtain the switch configuration file. If the switch accepts replies from a BOOTP server and configures itself. which means that the offered configuration parameters have not been assigned. the server usually reserves the address until the client has had a chance to formally request the address. In this case.Chapter 3 Assigning Switch Information Assigning the Switch IP Address and Default Gateway Figure 3-1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server. The DHCP hostname option allows a group of switches to obtain hostnames and a standard configuration from the central management DHCP server. The amount of information the switch receives depends on how you configure the DHCP server. If the configuration parameters sent to the client in the DHCPOFFER unicast message are invalid (a configuration error exists). The DHCP server confirms that the IP address has been allocated to the client by returning a DHCPACK unicast message to the client. or that the client has been slow in responding to the DHCPOFFER message (the DHCP server assigned the parameters to another client). If a client has a default hostname (the hostname name global configuration command is not configured or the no hostname global configuration command is entered to remove the hostname). a lease for the IP address. the client usually accepts the first offer it receives. Figure 3-1 DHCP Client and Server Message Exchange DHCPDISCOVER (broadcast) Switch A DHCPOFFER (unicast) DHCPREQUEST (broadcast) 51807 DHCP server DHCPACK (unicast) The client. and so forth) to the client in a DHCPOFFER unicast message. The DHCP server sends the client a DHCPNAK denial broadcast message. that an error has occurred during the negotiation of the parameters. The offer from the DHCP server is not a guarantee that the IP address is allocated to the client. DNS IP address. however. The formal request is broadcast so that all other DHCP servers that received the DHCPDISCOVER broadcast message from the client can reclaim the IP addresses that they offered to the client.

Release 12. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 3-5 . and the new image is downloaded and installed on the switch. and option 125 (description of the file) settings. Limitations and Restrictions These are the limitations: • • • The DHCP-based autoconfiguration with a saved configuration process stops if there is not at least one Layer 3 interface in an up state without an assigned IP address in the network. It does not over write the bootup configuration saved in the flash. option 66 (the DHCP server hostname) option 150 (the TFTP server address). When you reboot the switch. see the “Configuring DHCP-Based Autoconfiguration” section on page 3-6 and the “Configuring DHCP” section of the “IP addressing and Services” section of the Cisco IOS IP Configuration Guide. If the new configuration is downloaded to a switch that already has a configuration. The auto-install process stops if a configuration file cannot be downloaded or it the configuration file is corrupted. The downloaded configuration file becomes the running configuration of the switch. until you reload the switch. For procedures to configure the switch as a DHCP server. DHCP Auto-Image Update You can use DHCP auto-image upgrade with DHCP autoconfiguration to download both a configuration and a new image to one or more switches in your network. This helps ensure that each new switch added to a network receives the same image and configuration. The switch (or switches) downloading the new configuration and the new image can be blank (or only have a default factory configuration loaded).Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Understanding DHCP-based Autoconfiguration and Image Update You can use the DHCP image upgrade features to configure a DHCP server to download both a new image and a new configuration file to one or more switches in a network. The downloaded configuration file is saved in the running configuration of the switch. After you install the switch in your network. There are two types of DHCP image upgrades: DHCP autoconfiguration and DHCP auto-image update. the configuration is stored in the saved configuration on the switch. the auto-image update feature starts. the TFTP server where the image and configuration files are located must be configured with the correct option 67 (the configuration filename). the DHCP-based autoconfiguration with a saved configuration feature tries indefinitely to download an IP address. (Any existing configuration is not overwritten by the downloaded one. the downloaded configuration is appended to the configuration file stored on the switch.2. DHCP Autoconfiguration DHCP autoconfiguration downloads a configuration file to one or more switches in your network from a DHCP server.) Note To enable a DHCP auto-image update on the switch. Unless you configure a timeout.

page 3-7 Configuring the Relay Device. page 3-8 Example Configuration. page 3-8 Obtaining Configuration Files. the configuration file. page 3-9 If your DHCP server is a Cisco device. or both. see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide. the feature is not triggered during subsequent system restarts. If you want the switch to receive IP address information. page 3-7 Configuring the DNS. page 3-6 Configuring the TFTP Server. you must configure the DHCP server with these lease options: • • • TFTP server name (required) Boot filename (the name of the configuration file that the client needs) (recommended) Hostname (optional) Depending on the settings of the DHCP server. DHCP Server Configuration Guidelines Follow these guidelines if you are configuring a device as a DHCP server: You should configure the DHCP server with reserved leases that are bound to each switch by the switch hardware address. Release 12. you must configure the DHCP server with these lease options: • • • • IP address of the client (required) Subnet mask of the client (required) DNS server IP address (optional) Router IP address (default gateway address to be used by the switch) (required) If you want the switch to receive the configuration file from a TFTP server. Configuring DHCP-Based Autoconfiguration These sections contain this configuration information: • • • • • • DHCP Server Configuration Guidelines. Note that if the downloaded configuration is saved to the startup configuration.2 for additional information about configuring DHCP. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 3-6 OL-9639-10 .Chapter 3 Assigning Switch Information Assigning the Switch IP Address and Default Gateway Note The configuration file that is downloaded from TFTP is merged with the existing configuration in the running configuration but is not saved in the NVRAM unless you enter the write memory or copy running-configuration startup-configuration privileged EXEC command. the switch can receive IP address information.

com page under Documentation > Cisco IOS Software > 12. the switch might send broadcast. Normally.2 Mainline > Configuration Guides. You must configure the TFTP server name-to-IP address map on the DNS server. and configuration filename. Configuring the TFTP Server Based on the DHCP server configuration.255. If you configured the DHCP server to respond to the switch with all the options required for IP connectivity to the TFTP server. or if the configuration file could not be downloaded.255. The TFTP server contains the configuration files for the switch. these files are not accessed. The router-confg or the ciscortr. the TFTP server.Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information If you do not configure the DHCP server with the lease options described previously. You can enter up to two DNS server IP addresses in the lease database. the switch attempts to download the specified configuration file from the specified TFTP server.) If you specify the TFTP server name in the DHCP server-lease database. If your DHCP server is a Cisco device. the TFTP server must contain one or more configuration files in its base directory. the switch attempts to download one or more configuration files from the TFTP server. If the IP address and the subnet mask are not in the reply. These features are not operational. the switch is not configured.cfg. Configuring the DNS The DHCP server uses the DNS server to resolve the TFTP server name to an IP address. Unavailability of other lease options does not affect autoconfiguration.config. if the DHCP and TFTP servers are properly configured.cfg file (These files contain commands common to all switches. If the router IP address or the TFTP server name are not found. If you did not specify the configuration filename. the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. The switch can act as a DHCP server. The preferred solution is to configure the DHCP server with all the required information. the switch attempts to download a configuration file by using various combinations of filenames and TFTP server addresses. The TFTP server addresses used include the specified TFTP server address (if any) and the broadcast address (255. For the switch to successfully download a configuration file. cisconet. The files include the specified configuration filename (if any) and these files: network-config. or if it is to be accessed by the switch through the broadcast address (which occurs if the DHCP server response does not contain all the required information described previously). a relay must be configured to forward the TFTP packets to the TFTP server. address. and if you configured the DHCP server with a TFTP server name. it replies to client requests with only those parameters that are configured. or hostname. You can configure the IP addresses of the DNS servers in the lease database of the DHCP server from where the DHCP replies will retrieve them. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 3-7 . By default. The files can include these files: • • • The configuration file named in the DHCP reply (the actual switch configuration file). TFTP requests.cfg. For more information. instead of unicast. see the “Configuring the Relay Device” section on page 3-8. you must also configure the TFTP server name-to-IP-address mapping in the DNS-server database. The network-confg or the cisconet. where hostname is the switch’s current hostname. If the TFTP server to be used is on a different LAN from the switch.cfg file (known as the default configuration files). hostname. see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide from the Cisco.255). for additional information about configuring DHCP.

If it is on a different LAN. TFTP packets.3 20.2 20.2 10. For more information.0.0. see the “Routed Ports” section on page 9-5 and the “Configuring Layer 3 Interfaces” section on page 9-22. Configuring the Relay Device You must configure a relay device.0. when a switch sends broadcast packets that require a response from a host on a different LAN.4 On interface 20. For example.0.0.0. the switch must be able to access it through a router.0. If the relay device is a Cisco router.0.0. configure the interface as a routed port.1 20.0.1 router(config-if)# ip helper-address 10. You must configure this relay device to forward received broadcast packets on an interface to the destination host.0. and configure helper addresses by using the ip helper-address interface configuration command. enable IP routing ( ip routing global configuration command).0. also referred to as a relay agent.0.2: router(config-if)# ip helper-address 20. configure the router interfaces as follows: On interface 10.0.1 Note If the switch is acting as the relay device. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 3-8 OL-9639-10 .0. in Figure 3-2.0.0.Chapter 3 Assigning Switch Information Assigning the Switch IP Address and Default Gateway The DNS server can be on the same or on a different LAN as the switch.4 49068 DHCP server TFTP server DNS server Obtaining Configuration Files Depending on the availability of the IP address and the configuration filename in the DHCP reserved lease.1 20. the switch obtains its configuration information in these ways: • The IP address and the configuration filename is reserved for the switch and provided in the DHCP reply (one-file read method).0.0.0.0. Examples of broadcast packets that the switch might send are DHCP.0.2 router(config-if)# ip helper-address 20.0.0. and in some cases.3 router(config-if)# ip helper-address 20. DNS. Figure 3-2 Relay Device Used in Autoconfiguration Switch (DHCP client) Cisco router (Relay) 10.

The switch fills its host table with the information in the file and obtains its hostname. the switch reads the configuration file that has the same name as its hostname (hostname-confg or hostname. it completes its boot-up process. or the hostname file. and the configuration filename from the DHCP server. subnet mask. it completes its boot-up process. Note The switch broadcasts TFTP server requests if the TFTP server is not obtained from the DHCP replies.cfg file.) The default configuration file contains the hostnames-to-IP-address mapping for the switch. If the cisconet. • Only the IP address is reserved for the switch and provided in the DHCP reply. and the configuration filename from the DHCP server. if all attempts to read the configuration file through unicast transmissions fail. If the switch cannot read the network-confg. The switch sends a unicast message to the TFTP server to retrieve the named configuration file from the base directory of the server and upon receipt. the switch uses the hostname in the DHCP reply. cisconet.cfg default configuration file. depending on whether network-confg or cisconet. it reads the router-confg file.cfg. The switch sends a broadcast message to a TFTP server to retrieve the named configuration file from the base directory of the server. subnet mask. The switch sends a unicast message to the TFTP server to retrieve the network-confg or cisconet.Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information The switch receives its IP address. • The IP address and the configuration filename is reserved for the switch. the switch reads the cisconet.cfg file. the filename of the host is truncated to eight characters. but the TFTP server address is not provided in the DHCP reply (one-file read method). and upon receipt.cfg was read earlier) from the TFTP server. the switch uses the default Switch as its hostname. After obtaining its hostname from the default configuration file or the DHCP reply. and the TFTP server address from the DHCP server. If the switch cannot read the router-confg file. or if the TFTP server name cannot be resolved to an IP address. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 3-9 . The switch receives its IP address. The switch receives its IP address.cfg file is read. (If the network-confg file cannot be read. The configuration filename is not provided (two-file read method).cfg. TFTP server address. If the hostname is not specified in the DHCP reply. Example Configuration Figure 3-3 shows a sample network for retrieving IP information by using DHCP-based autoconfiguration. subnet mask. If the hostname is not found in the file. it reads the ciscortr.

TFTP Server Configuration (on UNIX) The TFTP server base directory is set to /tftpserver/work/.3.10 10.2 tftpserver or 10.10 10.0.10 10.3 switchb-confg switchb Switch C 00e0.0.0.0.0.0.0 10.0.2002 10.0.0.10 10.0.0.0 10.0.0.255.22 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 3-10 OL-9639-10 .2 tftpserver or 10.255.0.0.0. This file contains the hostname to be assigned to the switch based on its IP address.0.0.0.0.0.2003 10.255.0.1 10. Table 3-2 DHCP Server Configuration Switch A Binding key (hardware address) IP address Subnet mask Router address DNS server address TFTP server name Boot filename (configuration file) (optional) Hostname (optional) 00e0.0.0.0.255.255.0.2004 10.9f1e.9f1e.0.9f1e.21 ip host switchb 10.0.0.Chapter 3 Assigning Switch Information Assigning the Switch IP Address and Default Gateway Figure 3-3 DHCP-Based Autoconfiguration Network Example Switch 1 Switch 2 Switch 3 Switch 4 00e0.2001 00e0.0.2 10.0.0 10.3 switcha-confg switcha DNS Server Configuration Switch B 00e0.2002 00e0.10 10.3 switchd-confg switchd The DNS server maps the TFTP server name tftpserver to IP address 10.0 10. and so forth) as shown in this display: prompt> cd /tftpserver/work/ prompt> ls network-confg switcha-confg switchb-confg switchc-confg switchd-confg prompt> cat network-confg ip host switcha 10.0.0. The base directory also contains a configuration file for each switch ( switcha-confg.0.3 switchc-confg switchc 111394 Switch D 00e0.2001 10.0.0. This directory contains the network-confg file used in the two-file read method.0.9f1e.0.255.0.0.2003 00e0.2 tftpserver or 10.9f1e.255.255.2004 Cisco router 10.22 255.0.21 255.0.0.2 tftpserver or 10.0. switchb-confg.0.0.24 255.9f1e.23 255.9f1e.3 DHCP server DNS server TFTP server (tftpserver) Table 3-2 shows the configuration of the reserved leases on the DHCP server.9f1e.

0. It reads its host table by indexing its IP address 10.Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information ip host switchc 10. Switches B through D retrieve their configuration files and IP addresses in the same way. Specify the configuration file on the TFTP server. Step 5 Step 6 Step 7 Step 8 default-router address option 150 address exit tftp-server flash:filename.0. Switch A reads the network-confg file from the base directory of the TFTP server. The client switch is configured to download either a new configuration file or a new configuration file and a new image file. for example.0.23 ip host switchd 10. and enter DHCP pool configuration mode. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 3-11 . Configuration Explanation In Figure 3-3. Create a name for the DHCP Server address pool. Configuring DHCP Autoconfiguration (Only Configuration File) Beginning in privileged EXEC mode. If no configuration filename is given in the DHCP server reply.0.0. Command Step 1 Step 2 Step 3 Step 4 Purpose Enter global configuration mode. Specify the subnet network number and mask of the DHCP address pool. The prefix is an alternative way of specifying the network mask of the client. The prefix length must be preceded by a forward slash (/).21 from the DHCP server.0. Configuring the DHCP Auto Configuration and Image Update Features Using DHCP to download a new image and a new configuration to a switch requires that you configure at least two switches: One switch acts as a DHCP and TFTP server. Specify the name of the configuration file that is used as a boot image. it reads switch1-confg from the TFTP server. Specify the IP address of the TFTP server. It adds the contents of the network-confg file to its host table. Switch A reads its configuration file as follows: • • • • • It obtains its IP address 10. It reads the configuration file that corresponds to its hostname. Return to global configuration mode.24 DHCP Client Configuration No configuration file is present on Switch A through Switch D.0.0.text Specify the IP address of the default router for a DHCP client. Note configure terminal ip dhcp poolname bootfile filename network network-number mask prefix-length The prefix length specifies the number of bits that comprise the address prefix.21 to its hostname (switcha). follow these steps to configure DHCP autoconfiguration of the TFTP and DHCP settings on a new switch to download a new configuration file.

Put the interface into Layer 3 mode.0 255.10. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 3-12 OL-9639-10 .10. Create a name for the DHCP server address pool and enter DHCP pool configuration mode. Specify the name of the file that is used as a boot image. put the name of the image that you want to download.1 255. interface interface-id no switchport ip address address mask end copy running-config startup-config This example shows how to configure a switch as a DHCP server so that it will download a configuration file: Switch# configure terminal Switch(config)# ip dhcp pool pool1 Switch(dhcp-config)# network 10.text Switch(dhcp-config)# default-router 10. (Optional) Save your entries in the configuration file.10.Chapter 3 Assigning Switch Information Assigning the Switch IP Address and Default Gateway Command Step 9 Step 10 Step 11 Step 12 Step 13 Purpose Specify the address of the client that will receive the configuration file.255. Step 5 Step 6 Step 7 default-router address option 150 address option 125 hex Specify the IP address of the default router for a DHCP client.10.0 Switch(config-if)# end Configuring DHCP Auto-Image Update (Configuration File and Image) Beginning in privileged EXEC mode. This image must be a tar and not a bin file. Specify the path to the text file that describes the path to the image file. Note configure terminal ip dhcp pool name bootfile filename network network-number mask prefix-length The prefix length specifies the number of bits that comprise the address prefix. Command Step 1 Step 2 Step 3 Step 4 Purpose Enter global configuration mode. Note Before following the steps in this table. Specify the subnet network number and mask of the DHCP address pool. The prefix length must be preceded by a forward slash (/). autoinstall_dhcp) that will be uploaded to the switch. you must create a text file (for example.10.255. The prefix is an alternative way of specifying the network mask of the client. Specify the IP address and mask for the interface. In the text file. Return to privileged EXEC mode.10.1 Switch(dhcp-config)# exit Switch(config)# tftp-server flash:config-boot.10. Specify the IP address of the TFTP server.text Switch(config)# interface gigabitethernet1/0/4 Switch(config-if)# no switchport Switch(config-if)# ip address 10.1 Switch(dhcp-config)# option 150 10.0 Switch(dhcp-config)# bootfile config-boot.255. follow these steps to configure DHCP autoconfiguration to configure TFTP and DHCP settings on a new switch to download a new image and a new configuration file.10.255.

Step 4 banner config-save ^C warning-message ^C (Optional) Create warning messages to be displayed when you try to save the configuration file to NVRAM.255.0a05.SE. copy tftp flash filename.txt interface interface-id no switchport ip address address mask end copy running-config startup-config This example shows how to configure a switch as a DHCP server so it downloads a configuration file: Switch# config terminal Switch(config)# ip dhcp pool pool1 Switch(dhcp-config)# network 10.10.7461.255.tar tftp-server flash:filename. Specify the IP address and mask for the interface.0 255.255.6e73. follow these steps to configure a switch to download a configuration file and new image from a DHCP server: Command Step 1 Step 2 Step 3 Purpose Enter global configuration mode.122-44.1 Switch(dhcp-config)# option 125 hex 0000.10. Return to privileged EXEC mode. Specify the text file that contains the name of the image file to download Specify the address of the client that will receive the configuration file.686370 Switch(dhcp-config)# exit Switch(config)# tftp-server flash:config-boot.text Switch(dhcp-config)# default-router 10.10. Specify the image name on the TFTP server.3. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 3-13 .1 Switch(dhcp-config)# option 150 10. (Optional) Set the amount of time the system tries to download a configuration file.1 255.10.txt copy tftp flash imagename.7574.0009.tar Switch(config)# tftp-server flash:boot-config.tar exit tftp-server flash:config.10.255.5f64. (Optional) Save your entries in the configuration file.text tftp-server flash:imagename. Note configure terminal boot host dhcp boot host retry timeout timeout-value If you do not set a timeout the system will indefinitely try to obtain an IP address from the DHCP server.10. Upload the tarfile for the new image to the switch.text Switch(config)# tftp-server flash:-image-name-mz. Specify the Cisco IOS configuration file on the TFTP server.10. Put the interface into Layer 3 mode.6f69.08661. Return to global configuration mode.Chapter 3 Assigning the Switch IP Address and Default Gateway Assigning Switch Information Command Step 8 Step 9 Step 10 Step 11 Step 12 Step 13 Step 14 Step 15 Step 16 Step 17 Step 18 Purpose Upload the text file to the switch.text Switch(config)# tftp-server flash: autoinstall_dhcp Switch(config)# interface gigabitEthernet1/0/4 Switch(config-if)# no switchport Switch(config-if)# ip address 10.0 Switch(config-if)# end Configuring the Client Beginning in privileged EXEC mode.0 Switch(dhcp-config)# bootfile config-boot.10.6c6c. Enable autoconfiguration with a saved configuration.

Saving Configuration File to NVRAM May Cause You to Nolonger Automatically Download Configuration Files at Reboot^C Switch(config)# vlan 99 Switch(config-vlan)# interface vlan 99 Switch(config-if)# no shutdown Switch(config-if)# end Switch# show boot BOOT path-list: Config file: flash:/config. Do not assign an IP address or DHCP-based autoconfiguration with a saved configuration.text Enable Break: no Manual Boot: no HELPER path-list: NVRAM/Config file buffer size: 32768 Timeout for Config Download: 300 seconds Config Download via DHCP: enabled (next boot: enabled) Switch# end show boot Note You should only configure and enable the Layer 3 interface. Enter the IP address and subnet mask. you can also manually assign IP information to a port if you first put the port into Layer 3 mode by using the no switchport command.text Private Config file: flash:/private-config. do not enter leading zeros. Enter interface configuration mode. configure terminal interface vlan vlan-id Step 3 Step 4 ip address ip-address subnet-mask exit Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 3-14 OL-9639-10 . follow these steps to manually assign IP information to a switch virtual interface (SVI). and enter the VLAN to which the IP information is assigned. Return to global configuration mode. If the switch is running the metro IP access image.Chapter 3 Assigning Switch Information Assigning the Switch IP Address and Default Gateway Command Step 5 Step 6 Purpose Return to privileged EXEC mode. Verify the configuration. This example uses a Layer 3 SVI interface on VLAN 99 to enable DHCP-based autoconfiguration with a saved configuration: Switch# configure terminal Switch(conf)# boot host dhcp Switch(conf)# boot host retry timeout 300 Switch(conf)# banner config-save ^C Caution . The range is 1 to 4094. Manually Assigning IP Information Beginning in privileged EXEC mode. Command Step 1 Step 2 Purpose Enter global configuration mode.

(Optional) Save your entries in the configuration file.2 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname 3400-3 ! enable password cisco ! no aaa new-model ip subnet-zero no ip domain-lookup ! table-map test default copy ! no file verify auto ! spanning-tree mode rapid-pvst spanning-tree extend system-id ! vlan internal allocation policy ascending Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 3-15 . it does not need to have a default gateway set. “Administering the Switch. Note ip default-gateway ip-address When your switch is configured to route with IP. protecting access to privileged EXEC commands. see Chapter 5. If you are removing the address through a Telnet session.Chapter 3 Assigning the Switch IP Address and Default Gateway Checking and Saving the Running Configuration Command Step 5 Purpose Enter the IP address of the next-hop router interface that is directly connected to the switch where a default gateway is being configured. Once the default gateway is configured. For information on setting the switch system name. To remove the default gateway address.” Checking and Saving the Running Configuration You can check the configuration settings you entered or changes you made by entering this privileged EXEC command: Switch# show running-config Building configuration.. The default gateway receives IP packets with unresolved destination IP addresses from the switch. Step 6 Step 7 Step 8 Step 9 end show interfaces vlan vlan-id show ip redirects copy running-config startup-config Return to privileged EXEC mode. use the no ip address interface configuration command.. use the no ip default-gateway global configuration command. Current configuration : 2010 bytes ! version 12. and setting time and calendar services. your connection to the switch will be lost. Verify the configured default gateway. To remove the switch IP address. Verify the configured IP address. the switch has connectivity to the remote networks with which a host needs to communicate.

76 255.255.0 ! ip default-gateway 192.10 ! class-map match-all test1 class-map match-all class2 class-map match-all class1 ! ! policy-map test class class1 police cir percent 30 policy-map test2 class class2 police cir 8500 bc 1500 policy-map test3 ! ! interface FastEthernet0/1 ! interface FastEthernet0/2 shutdown ! interface FastEthernet0/3 shutdown ! interface FastEthernet0/4 shutdown ! interface FastEthernet0/5 shutdown ! interface FastEthernet0/6 shutdown ! interface FastEthernet0/7 shutdown <output truncated> interface GigabitEthernet0/1 port-type nni ! interface GigabitEthernet0/2 port-type nni ! interface Vlan1 no ip address no ip route-cache no ip mroute-cache shutdown ! interface Vlan10 ip address 192.168.168.1.1.255.3 no ip http server ip classless ! ! ! control-plane ! ! Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 3-16 OL-9639-10 .Chapter 3 Checking and Saving the Running Configuration Assigning the Switch IP Address and Default Gateway ! vlan 2.

Return to privileged EXEC mode. You can configure the size of the NVRAM buffer to support larger configuration files. Configuration Files. your configuration will be lost the next time you reload the system. In some cases. If you fail to do this. Note After you configure the NVRAM buffer size.. “Working with the Cisco IOS File System. reload the switch.Chapter 3 Assigning the Switch IP Address and Default Gateway Checking and Saving the Running Configuration line con 0 session-timeout 120 exec-timeout 120 0 speed 115200 line vty 0 4 password cisco no login line vty 5 15 no login ! ! end To store the configuration or changes you have made to your startup configuration in flash memory. the configuration file might be too large to save to NVRAM. Verify the configuration. The valid range for size is from 4096 to 1048576. Beginning in privileged EXEC mode. enter this privileged EXEC command: Switch# copy running-config startup-config Destination filename [startup-config]? Building configuration. follow these steps to configure the NVRAM buffersize: Command Step 1 Step 2 Step 3 Step 4 Purpose Enter global configuration mode.. and Software Images. For more information about alternative locations from which to copy the configuration file. use the show startup-config or more startup-config privileged EXEC command. see Appendix A. To display information stored in the NVRAM section of flash memory. configure terminal boot buffersize size end show boot Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 3-17 .” Configuring the NVRAM Buffer Size The default NVRAM buffer size is 512 KB. Configure the NVRAM buffersize in KB. This command saves the configuration settings that you made.

Configuration Files.text Enable Break : no Manual Boot : no HELPER path-list : Auto upgrade : yes Auto upgrade path : NVRAM/Config file buffer size: 524288 Timeout for Config Download: 300 seconds Config Download via DHCP: enabled (next boot: enabled) Switch# Modifying the Startup Configuration • • • • • Default Boot Configuration. page 3-19 Automatically Downloading a Configuration File. and Software Images. one per line. page 3-20 Controlling Environment Variables. page 3-19 Booting Manually. page 3-20 Booting a Specific Software Image. Switch(config)# boot buffersize 524288 Switch(config)# end Switch# show boot BOOT path-list : Config file : flash:/config. page 3-21 See also Appendix A.text Private Config file : flash:/private-config. End with CNTL/Z.Chapter 3 Modifying the Startup Configuration Assigning the Switch IP Address and Default Gateway This example shows how to configure the NVRAM buffer size: Switch# configure terminal Enter configuration commands. “Working with the Cisco IOS File System.” for information about switch configuration files. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 3-18 OL-9639-10 .

each encountered subdirectory is completely searched before continuing the search in the original directory. The Cisco IOS image is stored in a directory that has the same name as the image file (excluding the . see the “Understanding DHCP-Based Autoconfiguration” section on page 3-3.text file stored on the system board in flash memory.Chapter 3 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Default Boot Configuration Table 3-3 shows the default boot configuration. Beginning in privileged EXEC mode. For file-url. which will be loaded during the next boot cycle. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 3-19 . For more information. Specifying the Filename to Read and Write the System Configuration By default. specify the path (directory) and the configuration filename. you can specify a different filename. However. The boot config-file global configuration command changes the setting of the CONFIG_FILE environment variable. Verify your entries. configure terminal boot config-file flash:/file-url Step 3 Step 4 end show boot Return to privileged EXEC mode. Filenames and directory names are case sensitive.text to read and write a nonvolatile copy of the system configuration. Configuration file Configured switches use the config. the switch attempts to load and execute the first executable image it can by performing a recursive. If the variable is not set. the Cisco IOS software uses the file config. Specify the configuration file to load during the next boot cycle.bin extension). Automatically Downloading a Configuration File You can automatically download a configuration file to your switch by using the DHCP-based autoconfiguration feature. A new switch has no configuration file. In a depth-first search of a directory. Table 3-3 Default Boot Configuration Feature Operating system software image Default Setting The switch attempts to automatically boot the system using information in the BOOT environment variable. follow these steps to specify a different configuration filename: Command Step 1 Step 2 Purpose Enter global configuration mode. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. depth-first search throughout the flash file system.

however. shown by the switch: prompt. Booting Manually By default. Return to privileged EXEC mode.Chapter 3 Modifying the Startup Configuration Assigning the Switch IP Address and Default Gateway To return to the default setting. depth-first search throughout the flash file system. To disable manual booting. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. each encountered subdirectory is completely searched before continuing the search in the original directory. • • configure terminal boot manual end show boot For filesystem:. To boot the system. The next time you reboot the system. However. the switch attempts to load and execute the first executable image it can by performing a recursive. the switch is in boot loader mode. use the no boot manual global configuration command. Enable the switch to manually boot during the next boot cycle. you can configure it to manually boot. the switch attempts to automatically boot the system using information in the BOOT environment variable. Booting a Specific Software Image By default. For file-url. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 3-20 OL-9639-10 . follow these steps to configure the switch to manually boot during the next boot cycle: Command Step 1 Step 2 Step 3 Step 4 Purpose Enter global configuration mode. the switch automatically boots. use flash: for the system board flash device. In a depth-first search of a directory. Filenames and directory names are case sensitive. specify the path (directory) and the name of the bootable image. If this variable is not set. Beginning in privileged EXEC mode. you can specify a specific image to boot. The boot manual global command changes the setting of the MANUAL_BOOT environment variable. Verify your entries. use the no boot config-file global configuration command. use the boot filesystem:/file-url boot loader command.

The switch boot loader software provides support for nonvolatile environment variables.cisco. Controlling Environment Variables With a normally operating switch. use the no boot system global configuration command. Verify your entries. the switch attempts to automatically boot the system using information in the BOOT environment variable. Boot loader environment variables are similar to environment variables that can be set on UNIX or DOS systems. Ctrl-C is the break key. To view this table. Cisco TAC has tabulated break keys for most common operating systems and provided an alternative break key sequence for terminal emulators that do not support the break keys. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. specify the path (directory) and the name of the bootable image. as shown in this example: ***** The system will autoboot in 5 seconds ***** Send a break key to prevent autobooting. On a PC running Windows 2000. Unplug and then reconnect the switch power cord. use flash: for the system board flash device. The boot loader prompts the user for a break key character during the boot-up sequence. you enter the boot loader mode only through a switch console connection configured for 9600 bps. Configure the switch to boot a specific image in flash memory during the next boot cycle. To return to the default setting. see: http://www. Filenames and directory names are case sensitive. follow these steps to configure the switch to boot a specific image during the next boot cycle: Command Step 1 Step 2 Purpose Enter global configuration mode. During the next boot cycle.html#how-to When you enter the break key.Chapter 3 Assigning the Switch IP Address and Default Gateway Modifying the Startup Configuration Beginning in privileged EXEC mode. the switch begins the autoboot process. Step 3 Step 4 end show boot Return to privileged EXEC mode. the boot loader switch: prompt appears.com/warp/public/701/61. The break key character is different for each operating system. which can be used to control how the boot loader. behaves. or any other software running on the system. • • On a SUN work station running UNIX. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 3-21 . • • configure terminal boot system filesystem:/file-url For filesystem:. For file-url. After the switch performs POST. Ctrl-Break is the break key. The boot system global command changes the setting of the BOOT environment variable. Environment variables that have values are stored in flash memory outside of the flash file system.

the name of a boot loader helper file. Table 3-4 describes the function of the most common environment variables. Valid values are 1. it is not necessary to alter the setting of the environment variables. the boot loader attempts to automatically boot the system... A semicolon-separated list of executable files to Specifies the Cisco IOS image to load during the try to load and execute when automatically next boot cycle. set. For example. If it is set to anything else. use the boot flash:filesystem:/file-url boot loader command. see the command reference for this release. For example.Chapter 3 Modifying the Startup Configuration Assigning the Switch IP Address and Default Gateway Each line in these files contains an environment variable name and an equal sign followed by the value of the variable. Under normal circumstances. 0. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 3-22 OL-9639-10 .. the system attempts to load and execute the first executable image it can find by using a recursive.. Many environment variables are predefined and have default values. which is responsible for reading the Cisco IOS configuration file. depth-first search through the flash file system. • You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. The next time you reboot the system. To boot the system. Note For complete syntax and usage information for the boot loader commands and environment variables. which does not read the Cisco IOS configuration file. it has a value if it is listed in the file even if the value is a null string. CONFIG_FILE set CONFIG_FILE flash:/file-url boot manual Enables manually booting the switch during the next boot cycle and changes the setting of the MANUAL_BOOT environment variable. boot config-file flash:/file-url Changes the filename that Cisco IOS uses to read Specifies the filename that Cisco IOS uses to read and write a nonvolatile copy of the system and write a nonvolatile copy of the system configuration. which extends or patches the functionality of the boot loader can be stored as an environment variable. A variable that is set to a null string (for example. Environment variables store two kinds of data: • Data that controls code. you must manually boot the switch from the boot loader mode. and specify the name of the bootable image. the switch is in boot loader mode. Table 3-4 Environment Variables Variable BOOT Boot Loader Command set BOOT filesystem:/file-url . If the BOOT environment variable is not setting of the BOOT environment variable. the system attempts to boot the first bootable file that it can find in the flash file system. yes. and no. the name of the Cisco IOS configuration file can be stored as an environment variable. A variable has no value if it is not listed in this file. Cisco IOS Global Configuration Command boot system filesystem:/file-url . If it is set to no or 0. If the BOOT variable is set but the specified images cannot be loaded. Data that controls code. configuration. “ ”) is a variable with a value. MANUAL_BOOT set MANUAL_BOOT yes Decides whether the switch automatically or manually boots. This command changes the booting. This command changes the CONFIG_FILE environment variable.

Note A scheduled reload must take place within approximately 24 days. to perform a software upgrade on all switches in the network). or you can synchronize a reload network-wide (for example. The reload must take place within approximately 24 days. During the save operation.m: Switch# reload at 19:30 Reload scheduled for 19:30:00 UTC Wed Jun 5 1996 (in 2 hours and 25 minutes) Proceed with reload? [confirm] Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 3-23 . If the system is not set to manually boot. the reload takes place at the specified time on the current day (if the specified time is later than the current time) or on the next day (if the specified time is earlier than the current time). Note Use the at keyword only if the switch system clock has been set (through Network Time Protocol (NTP). Specifying 00:00 schedules the reload for midnight. The time is relative to the configured time zone on the switch. use one of these commands in privileged EXEC mode: • reload in [hh:]mm [text] This command schedules a reload of the software to take affect in the specified minutes or hours and minutes. If you modify your configuration file. You can specify the reason for the reload in a string up to 255 characters in length. the hardware calendar. The reload command halts the system. To schedule reloads across several switches to occur simultaneously. the switch prompts you to save the configuration before reloading. do not reload it from a virtual terminal. late at night or during the weekend when the switch is used less). the system enters setup mode upon reload. If you do not specify the month and day. If your switch is configured for manual booting. If you proceed in this situation. the time on each switch must be synchronized with NTP. • reload at hh:mm [month day | day month] [text] This command schedules a reload of the software to take place at the specified time (using a 24-hour clock). the system requests whether you want to proceed with the save if the CONFIG_FILE environment variable points to a startup configuration file that no longer exists. Use the reload command after you save the switch configuration information to the startup configuration (copy running-config startup-config). or manually). This restriction prevents the switch from entering the boot loader mode and thereby taking it from the remote user’s control. Configuring a Scheduled Reload To configure your switch to reload the software image at a later time. If you specify the month and day. the reload is scheduled to take place at the specified time and date.Chapter 3 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image Scheduling a Reload of the Software Image You can schedule a reload of the software image to occur on the switch at a later time (for example. it reboots itself. This example shows how to reload the software on the switch on the current day at 7:30 p.

Displaying Scheduled Reload Information To display information about a previously scheduled reload or to find out if a reload has been scheduled on the switch.Chapter 3 Scheduling a Reload of the Software Image Assigning the Switch IP Address and Default Gateway This example shows how to reload the software on the switch at a future time: Switch# reload at 02:00 jun 20 Reload scheduled for 02:00:00 UTC Thu Jun 20 1996 (in 344 hours and 53 minutes) Proceed with reload? [confirm] To cancel a previously scheduled reload. It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled). use the reload cancel privileged EXEC command. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 3-24 OL-9639-10 . use the show reload privileged EXEC command.

executing the configuration change. page 4-15 Understanding Cisco Configuration Engine Software The Cisco Configuration Engine is network management software that acts as a configuration service for automating the deployment and management of network devices and services (see Figure 4-1). Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 4-1 .cisco. no external directory or other data store is required. page 4-1 Understanding Cisco IOS Agents. the Configuration Engine supports the use of a user-defined external directory. go to the Cisco IOS Network Management Command Reference. file manager. page 4-5 Configuring Cisco IOS Agents. and namespace mapping server) Event service (event gateway) Data service directory (data models and schema) In standalone mode. and logging the results. page 4-6 Displaying CNS Configuration. sending them to the device.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.4 at http://www. The Configuration Engine supports standalone and server modes and has these CNS components: • • • Configuration service (web server. Release 12.html For complete syntax and usage information for the commands used in this chapter. the Configuration Engine supports an embedded Directory Service. go to http://www.html This chapter consists of these sections: • • • • Understanding Cisco Configuration Engine Software. storing their configurations and delivering them as needed. The Configuration Engine automates initial configurations and configuration updates by generating device-specific configuration changes.CH A P T E R 4 Configuring Cisco IOS Configuration Engine This chapter describes how to configure the feature on the Cisco ME 3400 switch. In this mode. Each Configuration Engine manages a group of Cisco devices (switches and routers) and the services that they deliver. In server mode.com/en/US/docs/ios/netmgmt/command/reference/nm_book. Note For complete configuration information for the Cisco Configuration Engine.

The configuration server is a web server that uses configuration templates and the device-specific configuration information stored in the embedded (standalone mode) or remote (server mode) directory. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 4-2 141327 OL-9639-10 . In the templates. The Configuration Service uses the CNS Event Service to send and receive configuration change events and to send success and failure notifications. Switches receive their initial configuration from the Configuration Service when they start up on the network for the first time. page 4-2 Event Service. page 4-3 Configuration Service The Configuration Service is the core component of the Cisco Configuration Engine.Chapter 4 Understanding Cisco Configuration Engine Software Configuring Cisco IOS Configuration Engine Figure 4-1 Configuration Engine Architectural Overview Service provider network Configuration engine Data service directory Configuration server Event service Web-based user interface Order entry configuration management These sections contain this conceptual information: • • • Configuration Service. It consists of a configuration server that works with Cisco IOS CNS agents on the switch. variables are specified using Lightweight Directory Access Protocol (LDAP) URLs that reference the device-specific configuration information stored in a directory. The configuration agent can either apply configurations immediately or delay the application until receipt of a synchronization event from the configuration server. The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check. The Configuration Service delivers device and service configurations to the switch for initial configuration and mass reconfiguration by logical groups. page 4-3 What You Should Know About the CNS IDs and Device Hostnames. Configuration templates are text files containing static configuration information in the form of CLI commands.

which serves as the key into the Configuration Engine directory for the corresponding set of switch CLI attributes. NameSpace Mapper The Configuration Engine includes the NameSpace Mapper (NSM) that provides a lookup service for managing logical groups of devices based on application. The ConfigID defined on the switch must match the ConfigID for the corresponding switch definition on the Configuration Engine. even if the switch hostname is reconfigured. When you have populated your data store with your subject names. NSM changes your event subject-name strings to those known by Cisco IOS. The Event Service is a highly capable publish-and-subscribe communication method. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 4-3 . when given a unique group ID. uniform namespace for messages and their destinations. Within the scope of the event bus namespace. Cisco IOS devices recognize only event subject-names that match those configured in Cisco IOS software. no two configured switches can share the same value for ConfigID. The Configuration Engine intersects two namespaces. for a publisher. the term DeviceID is the CNS unique identifier for a device. the namespace mapping service returns a set of events to which to subscribe. Similarly. The ConfigID is fixed at startup time and cannot be changed until the device restarts. one for the event bus and the other for the configuration server. device ID. For a subscriber. Subject-based addressing conventions define a simple. Because the Configuration Engine uses both the event bus and the configuration server to provide configurations to devices. the term ConfigID is the unique identifier for a device.cns. the mapping service returns a set of events on which to publish. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine.config. and event.load. The event service uses namespace content for subject-based addressing of messages. no two configured switches can share the same value for DeviceID. Within the scope of the configuration server namespace. Within the scope of a single instance of the configuration server. device or group ID.Chapter 4 Configuring Cisco IOS Configuration Engine Understanding Cisco Configuration Engine Software Event Service The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events. ConfigID Each configured switch has a unique ConfigID. when given a unique device ID and event. The Event Service uses subject-based addressing to send messages to their destinations. for example. you must define both ConfigID and Device ID for each configured switch. What You Should Know About the CNS IDs and Device Hostnames The Configuration Engine assumes that a unique identifier is associated with each configured switch. Within the scope of a single instance of the event bus. cisco. You can use the namespace mapping service to designate events by using any desired naming convention. This unique identifier can take on multiple synonyms. and event. where each synonym is unique within a particular namespace.

com/en/US/products/sw/netmgtsw/ps4617/prod_installation_guides_list. In server mode. When the connection is re-established. and ConfigID In standalone mode. as originated on the switch. The switch declares its hostname to the event gateway immediately after the successful connection to the event gateway. If this attribute is not set. The event gateway represents the switch and its corresponding DeviceID to the event bus. The event gateway redefines the DeviceID to the new value. Using Hostname. the event is sent on the cn=<value> of the device. the unique DeviceID attribute is always used for sending an event on the bus. However. The event gateway couples the DeviceID value to the Cisco IOS hostname each time this connection is established. must match the DeviceID of the corresponding switch definition in the Configuration Engine. All switches configured with the cns config partial global configuration command must access the event bus.Chapter 4 Understanding Cisco Configuration Engine Software Configuring Cisco IOS Configuration Engine DeviceID Each configured switch participating on the event bus has a unique DeviceID. Otherwise. The event gateway caches this DeviceID value for the duration of its connection to the switch. subsequent cns config partial global configuration command operations malfunction. Enter the no cns event global configuration command followed by the cns event global configuration command. Therefore. Caution When using the Configuration Engine user interface. If the hostname has not been set. Note For more information about running the setup program on the Configuration Engine. the only way to refresh the DeviceID is to break the connection between the switch and the event gateway. the DeviceID. see the Configuration Engine setup and configuration guide at http://www.cisco. you must first set the DeviceID field to the hostname value that the switch acquires after–not before–you use the cns config initial global configuration command at the switch. when a hostname value is set for a switch.html Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 4-4 OL-9639-10 . The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. These and other associated attributes (tag value pairs) are set when you run Setup on the Configuration Engine. the DeviceID variable and its usage reside within the event gateway adjacent to the switch. which in turn functions as a proxy on behalf of the switch. the switch sends its modified hostname to the event gateway. you cannot update the switch. the hostname is not used. DeviceID. The logical Cisco IOS termination point on the event bus is embedded in the event gateway. which is analogous to the switch source address so that the switch can be targeted as a specific destination on the bus. the configuration server uses the hostname as the DeviceID when an event is sent on hostname. Hostname and DeviceID The DeviceID is fixed at the time of the connection to the event gateway and does not change even when the switch hostname is reconfigured. In this mode. When changing the switch hostname on the switch.

The switch automatically configures the assigned IP address on interface VLAN 1 (the default) and downloads the bootstrap configuration file from the TFTP server. page 4-6 Initial Configuration When the switch first comes up. The Configuration Engine maps the Config ID to a template and downloads the full configuration file to the switch. it attempts to get an IP address by broadcasting a DHCP request on the network. Figure 4-2 Initial Configuration Overview TFTP server Configuration Engine V WAN DHCP server DHCP relay agent default gateway Distribution layer Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 141328 Access layer switches 4-5 . the distribution switch acts as a DHCP relay agent and forwards the request to the DHCP server. The DHCP relay agent forwards the reply to the switch. the DHCP server assigns an IP address to the new switch and includes the TFTP server IP address. page 4-6 Synchronized Configuration. The Cisco IOS agent feature supports the switch by providing these features: • • • Initial Configuration.Chapter 4 Configuring Cisco IOS Configuration Engine Understanding Cisco IOS Agents Understanding Cisco IOS Agents The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent. Assuming there is no DHCP server on the subnet. The Cisco IOS agents initiate communication with the Configuration Engine by using the appropriate ConfigID and EventID. page 4-5 Incremental (Partial) Configuration. and the default gateway IP address in a unicast reply to the DHCP relay agent. Upon successful download of the bootstrap configuration file. Upon receiving the request. Figure 4-2 shows a sample network configuration for retrieving the initial bootstrap configuration file by using DHCP-based autoconfiguration. the path to the bootstrap configuration file. the switch loads the file in its running configuration.

see these sections for instructions: • • • Enabling the CNS Event Agent. The write-signal event tells the switch not to save the updated configuration into its NVRAM. When the full configuration file is loaded on your switch. At the setup prompt. page 4-9 Upgrading Devices with Cisco IOS Image Agent. it publishes an event showing an error status. If the syntax is correct. The actual configuration can be sent as an event payload by way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation. the switch applies the incremental configuration and publishes an event that signals success to the configuration server. page 4-14 Enabling Automated CNS Configuration To enable automated CNS configuration of the switch. do nothing: The switch begins the initial configuration as described in the “Initial Configuration” section on page 4-5. The switch uses the updated configuration as its running configuration. power on the switch. When you complete them. If the switch does not apply the incremental configuration. Incremental (partial) configurations can be sent to the switch. The switch can check the syntax of the configuration before applying it. you need to do nothing else. Configuring Cisco IOS Agents The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configured as described in the “Enabling Automated CNS Configuration” section on page 4-6. If you want to change the configuration or install a custom configuration. new services can be added by using the Cisco IOS agent.Chapter 4 Configuring Cisco IOS Agents Configuring Cisco IOS Configuration Engine Incremental (Partial) Configuration After the network is running. When the switch has applied the incremental configuration. Synchronized Configuration When the switch receives a configuration. you must first complete the prerequisites in Table 4-1. This ensures that the switch configuration is synchronized with other network activities before saving the configuration in NVRAM for use at the next reboot. page 4-7 Enabling the Cisco IOS CNS Agent. it can defer application of the configuration upon receipt of a write-signal event. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 4-6 OL-9639-10 . it can write it to NVRAM or wait until signaled to do so.

Chapter 4 Configuring Cisco IOS Configuration Engine Configuring Cisco IOS Agents Table 4-1 Prerequisites for Enabling Automatic Configuration Device Access switch Distribution switch Required Configuration Factory default (no configuration file) • • • IP helper address Enable DHCP relay agent IP routing (if used as default gateway) IP address assignment TFTP server IP address Path to bootstrap configuration file on the TFTP server Default gateway IP address A bootstrap configuration file that includes the CNS configuration commands that enable the switch to communicate with the Configuration Engine The switch configured to use either the switch MAC address or the serial number (instead of the default hostname) to generate the ConfigID and EventID The CNS event agent configured to push the configuration file to the switch DHCP server • • • • TFTP server • • • CNS Configuration Engine One or more templates for each type of device.cisco. Note For more information about running the setup program and creating templates on the Configuration Engine.5/installation_linux/guide/setup_ 1. 1.5 for Linux at http://www. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 4-7 . with the ConfigID of the device mapped to the template. see the Cisco Configuration Engine Installation and Setup Guide.com/en/US/docs/net_mgmt/configuration_engine/1.html Enabling the CNS Event Agent Note You must enable the CNS event agent on the switch before you enable the CNS configuration agent.

(Optional) For port number. Verify information about the event agent. The default for each is 0.Chapter 4 Configuring Cisco IOS Agents Configuring Cisco IOS Configuration Engine Beginning in privileged EXEC mode. enter how often the switch sends keepalive messages.) (Optional) For failover-time seconds. enter the port number for the event gateway. Switch(config)# cns event 10. enter the number of unanswered keepalive messages that the switch sends before the connection is terminated. (Optional) Enter backup to show that this is the backup gateway.1.27. enter how long the switch waits for the primary gateway route after the route to the backup gateway is established. the encrypt and the clock-timeout time keywords are not supported. use the no cns event {ip-address | hostname} global configuration command. (Optional) For reconnect time.1. The default port number is 11011. (Optional) Save your entries in the configuration file. • • • configure terminal cns event {hostname | ip-address} [port-number] [backup] [failover-time seconds] [keepalive seconds retry-count] [reconnect time] [source ip-address] For {hostname | ip-address}. and set 10 as the retry count. (If omitted. enter the source IP address of this device. This example shows how to enable the CNS event agent. (Optional) For source ip-address.180. follow these steps to enable the CNS event agent on the switch: Command Step 1 Step 2 Purpose Enter global configuration mode. (Optional) For keepalive seconds.180. Enable the event agent. To disable the CNS event agent. Verify your entries. and enter the gateway parameters. set the IP address gateway to 10. Though visible in the command-line help string. this is the primary gateway. For retry-count. enter the maximum time interval that the switch waits before trying to reconnect to the event gateway. • • • • Note Step 3 Step 4 Step 5 Step 6 end show cns event connections show running-config copy running-config startup-config Return to privileged EXEC mode. set 120 seconds as the keepalive interval.27 keepalive 120 10 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 4-8 OL-9639-10 . enter either the hostname or the IP address of the event gateway.

Repeat Steps 2 to 3 to configure another CNS connect template. The cns config partial global configuration command enables the Cisco IOS agent and initiates a partial configuration on the switch. You can then use the Configuration Engine to remotely send incremental configurations to the switch. (Optional) For retry-interval seconds. and define the profile parameters.Chapter 4 Configuring Cisco IOS Configuration Engine Configuring Cisco IOS Agents Enabling the Cisco IOS CNS Agent After enabling the CNS event agent. The range is 1 to 30. The range is 10 to 2000 seconds. enter the amount of time before which the first connection attempt occurs. (Optional) For retries number. enter the amount of time after which the connection attempts end. (Optional) For timeout seconds. • • • Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 4-9 . • • Enter the name of the CNS connect profile. and specify the name of the CNS connect template. The default is 0. The default is 10 seconds. The default is 3. You can enable the Cisco IOS agent with these commands: • • The cns config initial global configuration command enables the Cisco IOS agent and initiates an initial configuration on the switch. enter the interval between successive connection attempts to the Configuration Engine. The range is 0 to 250 seconds. start the Cisco IOS CNS agent on the switch. enter the number of connection retries. configure terminal cns template connect name cli config-text exit cns connect name [retries number] [retry-interval seconds] [sleep seconds] [timeout seconds] Return to global configuration mode. Repeat this step for each command line in the template. Enter CNS template connect configuration mode. The range is 1 to 40 seconds. specify the name of the CNS connect profile. The switch uses the CNS connect profile to connect to the Configuration Engine. (Optional) For sleep seconds. Enabling an Initial Configuration Beginning in privileged EXEC mode. The default is 120. follow these steps to enable the CNS configuration agent and initiate an initial configuration on the switch: Command Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Purpose Enter global configuration mode. Enter CNS connect configuration mode. Enter a command line for the CNS connect template.

. enter the controller type. • • Step 8 For interface [interface-type]. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 4-10 OL-9639-10 . (Optional) Establish a static route to the Configuration Engine whose IP address is network-number. name] Specify the list of CNS connect templates in the CNS connect profile to be applied to the switch configuration. • • discover {controller controller-type | dlci [subinterface subinterface-number] | interface [interface-type] | line line-type} For controller controller-type. enter the line type. Step 9 Step 10 Step 11 Step 12 exit hostname name ip route network-number Return to global configuration mode. template name [ . Enter the hostname for the switch. You can specify more than one template. specify the point-to-point subinterface number that is used to search for active DLCIs. For dlci. (Optional) For subinterface subinterface-number.Chapter 4 Configuring Cisco IOS Agents Configuring Cisco IOS Configuration Engine Command Step 7 Purpose Specify the interface parameters in the CNS connect profile.. For line line-type. enter the type of interface. enter the active data-link connection identifiers (DLCIs). Repeat Steps 7 to 8 to specify more interface parameters and CNS connect templates in the CNS connect profile.

enter an arbitrary text string for string string as the unique ID. or enter mac-address to use the MAC address as the unique ID. loopback. • • • Note • Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 4-11 . group-async. enter dns-reverse to retrieve the hostname and assign it as the unique ID. If both the event and image keywords are omitted. the image-id value is used to identify the switch. enter hostname (the default) to select the switch hostname as the unique ID. For {hardware-serial | hostname| string string | udi}. or enter udi to set the unique device identifier (UDI) as the unique ID. • cns id interface num {dns-reverse | ipaddress | mac-address} [event] [image] or cns id {hardware-serial | hostname | string string | udi} [event] [image] For interface num. For {dns-reverse | ipaddress | mac-address}. enter the type of interface–for example. or virtual-template. ethernet. enter hardware-serial to set the switch serial number as the unique ID. (Optional) Enter event to set the ID to be the event-id value used to identify the switch. This setting specifies from which interface the IP or MAC address should be retrieved to define the unique ID. enter ipaddress to use the IP address. (Optional) Enter image to set the ID to be the image-id value used to identify the switch.Chapter 4 Configuring Cisco IOS Configuration Engine Configuring Cisco IOS Agents Command Step 13 Purpose (Optional) Set the unique EventID or ConfigID used by the Configuration Engine.

The default port number is 80.0. status url. Switch(config)# cns template connect template-dhcp Switch(config-tmpl-conn)# cli ip address dhcp Switch(config-tmpl-conn)# exit Switch(config)# cns template connect ip-route Switch(config-tmpl-conn)# cli ip route 0. If the no-persist keyword is not entered. • • • • Note Step 15 Step 16 Step 17 end show cns config connections show running-config Return to privileged EXEC mode.Chapter 4 Configuring Cisco IOS Agents Configuring Cisco IOS Configuration Engine Command Step 14 Purpose Enable the Cisco IOS agent.1. The default is /Config/config/asp. failure. the encrypt. and initiate an initial configuration. To disable the CNS Cisco IOS agent. and inventory keywords are not supported. enter the hostname or the IP address of the configuration server. using the cns config initial command causes the resultant configuration to be automatically written to NVRAM. Though visible in the command-line help string.1 no-persist Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 4-12 OL-9639-10 . (Optional) Enable no-persist to suppress the automatic writing to NVRAM of the configuration pulled as a result of entering the cns config initial global configuration command. use the no cns config initial {ip-address | hostname} global configuration command. • • • cns config initial {hostname | ip-address} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check] For {hostname | ip-address}. Verify information about the configuration agent.0.0 ${next-hop} Switch(config-tmpl-conn)# exit Switch(config)# cns connect dhcp Switch(config-cns-conn)# discover interface gigabitethernet Switch(config-cns-conn)# template template-dhcp Switch(config-cns-conn)# template ip-route Switch(config-cns-conn)# exit Switch(config)# hostname RemoteSwitch RemoteSwitch(config)# cns config initial 10. (Optional) Enable syntax-check to check the syntax when this parameter is entered. Verify your entries. This example shows how to configure an initial configuration on a remote switch when the switch configuration is unknown (the CNS Zero Touch feature).1.0. enter the port number of the configuration server. enter the web page of the initial configuration.0 0. (Optional) For port-number. (Optional) Enter source ip-address to use for source IP address. (Optional) For page page.0. (Optional) Enable event for configuration success. or warning messages when the configuration is finished.

Step 5 Step 6 Verify your entries.Chapter 4 Configuring Cisco IOS Configuration Engine Configuring Cisco IOS Agents This example shows how to configure an initial configuration on a remote switch when the switch IP address is known.22.11. (Optional) Enter source ip-address to use for the source IP address. • • • Note configure terminal cns config partial {ip-address | hostname} [port-number] [source ip-address] For {ip-address | hostname}. To cancel a partial configuration.22 no-persist Enabling a Partial Configuration Beginning in privileged EXEC mode. follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch: Command Step 1 Step 2 Purpose Enter global configuration mode.0.255 11.28.129.22 255. (Optional) Save your entries in the configuration file. Step 3 Step 4 end show cns config stats or show cns config outstanding show running-config copy running-config startup-config Return to privileged EXEC mode. The Configuration Engine IP address is 172. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 4-13 .0. Verify information about the configuration agent.0 0.255. Switch(config)# cns template connect template-dhcp Switch(config-tmpl-conn)# cli ip address dhcp Switch(config-tmpl-conn)# exit Switch(config)# cns template connect ip-route Switch(config-tmpl-conn)# cli ip route 0. To disable the Cisco IOS agent. the encrypt keyword is not supported.0 ${next-hop} Switch(config-tmpl-conn)# exit Switch(config)# cns connect dhcp Switch(config-cns-conn)# discover interface gigabitethernet Switch(config-cns-conn)# template template-dhcp Switch(config-cns-conn)# template ip-route Switch(config-cns-conn)# exit Switch(config)# hostname RemoteSwitch RemoteSwitch(config)# ip route 172. (Optional) For port-number.0. The default port number is 80. use the cns config cancel privileged EXEC command.0. Though visible in the command-line help string. use the no cns config partial {ip-address | hostname} global configuration command. Enable the configuration agent.129.28. enter the IP address or the hostname of the configuration server. and initiate a partial configuration.129.255.1 RemoteSwitch(config)# cns id ethernet 0 ipaddress RemoteSwitch(config)# cns config initial 172.28.11. enter the port number of the configuration server.

Chapter 4 Configuring Cisco IOS Agents Configuring Cisco IOS Configuration Engine Upgrading Devices with Cisco IOS Image Agent Administrators maintaining large networks of Cisco IOS devices need an automated mechanism to load image files onto large numbers of remote devices. Set up a file server to enable the networking devices to download the new images using the HTTPS protocol. Beginning in privileged EXEC mode. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 4-14 OL-9639-10 .2. Error messages can be sent to the CNS Event Bus or an HTTP or HTTPS URL. Boot options must also be configured to allow the Cisco IOS device to boot another image if the first image reload fails. follow these steps to initiate the image agent to check for a new image and upgrade a device: Command Step 1 Step 2 Step 3 Step 4 Purpose Enter global configuration mode Enter the IP address and the hostname of the event gateway. Specify a trusted server for CNS agent. These other restrictions apply to the image agent running on a the switch: • • • You can only download the tar image file. Determine how to handle error messages generated by image agent operations. • • Restrictions for the CNS Image Agent During automated image loading operations you must try to prevent the Cisco IOS device from losing connectivity with the file server that is providing the image. Image reloading is subject to memory issues and connection issues. For more details. The Destination field in the Associate Image with Device window is not supported. You can use image agent to download one or more devices. The CNS image agent enables the managed device to initiate a network connection and request an image download allowing devices behind firewalls to access the image server. You cannot schedule a download to occur at a specified date and time. configure terminal ip host {ip-address} {hostname} cns trusted-server all-agents {hostname} no cns aaa enable cns event {ip-address} {port number} Disable AAA authentication on the event gateway. Existing network management applications are useful to determine which images to run and how to manage images received from the Cisco online software center. The switches must have the image agent running on them. If the CNS Event Bus is to be used to store and distribute the images. see your CNS IE2100 documentation and see the “File Management” section of the Cisco IOS Configuration Fundamentals Configuration Guide. Prerequisites for the CNS Image Agent Confirm these prerequisites before upgrading one or more devices with image agent: • Determine where to store the Cisco IOS images on a file server to make the image available to the other networking devices. Other image distribution solutions do not scale to cover thousands of devices and cannot distribute images to devices behind a firewall. Downloading the bin image file is not supported. Release 12. Only the immediate download option is supported. the CNS event agent must be configured.

Table 4-2 Displaying CNS Configuration Command show cns config connections show cns config outstanding show cns config stats show cns event connections show cns event stats show cns event subject Purpose Displays the status of the CNS Cisco IOS agent connections.com Switch(config)# no cns aaa enable cns event 172.20.249.249.com 172.20. Displays a list of event agent subjects that are subscribed to by applications. cns image retry {number} cns image server {ip-address} status {ip-address} end Note This example shows how to upgrade a switch from a server with the address of 172. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 4-15 .249.249.cisco. Download the image from the server to the switch.20 Switch(config)# cns trusted-server all-agents cns-dsbu. Displays statistics about the Cisco IOS agent.Chapter 4 Configuring Cisco IOS Configuration Engine Displaying CNS Configuration Command Step 5 Step 6 Step 7 Purpose Specify the number of times to retry and download the image. Displays statistics about the CNS event agent.20:80/cns/HttpMsgDispatcher Switch(config)# end You can check the status of the image download by using the show cns image status user EXEC command. Displays information about incremental (partial) CNS configurations that have started but are not yet completed.20.20. Return to privileged EXEC mode.20 22022 Switch(config)# cns image retry 1 Switch(config)# cns image server http://172.20:80/cns/HttpMsgDispatcher status http://172. Displaying CNS Configuration You can use the privileged EXEC commands in Table 4-2 to display CNS configuration information.cisco.20: Switch(config)> configure terminal Switch(config)# ip host cns-dsbu.249. Displays the status of the CNS event agent connections.20.

Chapter 4 Displaying CNS Configuration Configuring Cisco IOS Configuration Engine Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 4-16 OL-9639-10 .

page 5-2 Understanding Network Time Protocol. Note For complete syntax and usage information for the commands used in this section. page 5-4 Configuring Time and Date Manually. or manual configuration methods. These sections contain this configuration information: • • • • Understanding the System Clock. page 5-14 Creating a Banner. page 5-31 Managing the System Time and Date You can manage the system time and date on your switch using automatic configuration.CH A P T E R 5 Administering the Switch This chapter describes how to perform one-time operations to administer the Cisco ME 3400 Ethernet Access switch. page 5-17 Suppressing the Power-Supply Alarm on an ME 3400G-12CS Switch. page 5-19 Managing the MAC Address Table. page 5-2 Configuring NTP. page 5-1 Configuring a System Name and Prompt.2. see the Cisco IOS Configuration Fundamentals Command Reference. Release 12. page 5-11 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 5-1 . This chapter consists of these sections: • • • • • • Managing the System Time and Date. such as the Network Time Protocol (NTP). page 5-20 Managing the ARP Table.

If it is not authoritative. The communications between devices running NTP (known as associations) are usually statically configured. The system clock keeps track of whether the time is authoritative or not (that is. and so on. in that case.Chapter 5 Managing the System Time and Date Administering the Switch Understanding the System Clock The heart of the time service is the system clock. This strategy effectively builds a self-organizing tree of NTP speakers. which runs over IP. NTP is extremely efficient. whether it has been set by a time source considered to be authoritative). You can configure information about the local time zone and summer time (daylight saving time) so that the time appears correctly for the local time zone. Understanding Network Time Protocol The NTP is designed to time-synchronize a network of devices. This clock runs from the moment the system starts up and keeps track of the date and time. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 5-2 OL-9639-10 . NTP then distributes this time across the network. NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative time source. An NTP network usually gets its time from an authoritative time source. NTP runs over User Datagram Protocol (UDP). NTP also compares the time reported by several devices and does not synchronize to a device whose time is significantly different than the others. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. a stratum 2 time server receives its time through NTP from a stratum 1 time server. in a LAN environment. information flow is one-way only. see the “Configuring Time and Date Manually” section on page 5-11. NTP can be configured to use IP broadcast messages instead. The system clock can then be set from these sources: • • NTP Manual configuration User show commands Logging and debugging messages The system clock can provide time to these services: • • The system clock keeps track of time internally based on Universal Time Coordinated (UTC). However. the time is available only for display purposes and is not redistributed. The time kept on a device is a critical resource. no more than one packet per minute is necessary to synchronize two devices to within a millisecond of one another. NTP is documented in RFC 1305. even if its stratum is lower. NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device that is not synchronized. Two mechanisms are available: an access list-based restriction scheme and an encrypted authentication mechanism. A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP. such as a radio clock or an atomic clock attached to a time server. also known as Greenwich Mean Time (GMT). A stratum 1 time server has a radio or atomic clock directly attached. you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time. However. For configuration information. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. each device is given the IP address of all devices with which it should form associations.

when in fact it has learned the time by using other means. Other devices then synchronize to that device through NTP. Cisco’s implementation of NTP allows a device to act as if it is synchronized through NTP. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 101349 5-3 . and D configured in NTP server mode. C. Switch E is configured as an NTP peer to the upstream and downstream switches. When multiple sources of time are available. Figure 5-1 Typical NTP Network Configuration Switch A Local workgroup servers Switch B Switch C Switch D Switch E Workstations Switch F Workstations If the network is isolated from the Internet. NTP is always considered to be more authoritative.Chapter 5 Administering the Switch Managing the System Time and Date Cisco’s implementation of NTP does not support stratum 1 service. Figure 5-1 shows a typical network example using NTP. NTP time overrides the time set by any other method. in server association with Switch A. with Switches B. Switch A is the NTP master. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet. Switch B and Switch F. it is not possible to connect to a radio or atomic clock. This software allows host systems to be time-synchronized as well. and a publicly available version for systems running UNIX and its various derivatives is also available. Several manufacturers include NTP software for their host systems.

Enable the NTP authentication feature. configure terminal ntp authenticate Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 5-4 OL-9639-10 .Chapter 5 Managing the System Time and Date Administering the Switch Configuring NTP The switch does not have a hardware-supported clock and cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. NTP is enabled on all interfaces by default. follow these steps to authenticate the associations (communications between devices running NTP that provide for accurate timekeeping) with other devices for security purposes: Command Step 1 Step 2 Purpose Enter global configuration mode. As a result. page 5-4 Configuring NTP Associations. All interfaces receive NTP packets. page 5-10 Displaying the NTP Configuration. Table 5-1 Default NTP Configuration Feature NTP authentication NTP peer or server associations NTP broadcast service NTP access restrictions NTP packet source IP address Default Setting Disabled. No access control is specified. Beginning in privileged EXEC mode. the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server. These sections contain this configuration information: • • • • • • • Default NTP Configuration. page 5-5 Configuring NTP Broadcast Service. page 5-11 Default NTP Configuration Table 5-1 shows the default NTP configuration. The source address is set by the outgoing interface. None configured. page 5-6 Configuring NTP Access Restrictions. no interface sends or receives NTP broadcast packets. which is disabled by default. the ntp update-calendar and the ntp master global configuration commands are not available. page 5-4 Configuring NTP Authentication. Disabled. No authentication key is specified. Configuring NTP Authentication This procedure must be coordinated with the administrator of the NTP server. page 5-8 Configuring the Source IP Address for NTP Packets. The switch also has no hardware support for a calendar.

For value. specify the key defined in Step 3. or it can be a server association (meaning that only this switch synchronizes to the other device. use the no ntp authentication-key number global configuration command. To remove an authentication key. To disable authentication of the identity of a device. By default. use the no ntp authenticate global configuration command. For key-number. Verify your entries. This example shows how to configure the switch to synchronize only to devices providing authentication key 42 in the device’s NTP packets: Switch(config)# ntp authenticate Switch(config)# ntp authentication-key 42 md5 aNiceKey Switch(config)# ntp trusted-key 42 Configuring NTP Associations An NTP association can be a peer association (this switch can either synchronize to the other device or allow the other device to synchronize to it). none are defined. • • • ntp authentication-key number md5 value For number. md5 specifies that message authentication support is provided by using the message digest algorithm 5 (MD5). and the key number is specified by the ntp trusted-key key-number command. Step 5 Step 6 Step 7 end show running-config copy running-config startup-config Return to privileged EXEC mode. specify a key number. The range is 1 to 4294967295. enter an arbitrary string of up to eight characters for the key. (Optional) Save your entries in the configuration file. The switch does not synchronize to a device unless both have one of these authentication keys. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 5-5 . use the no ntp trusted-key key-number global configuration command. Step 4 ntp trusted-key key-number Specify one or more key numbers (defined in Step 3) that a peer NTP device must provide in its NTP packets for this switch to synchronize to it.Chapter 5 Administering the Switch Managing the System Time and Date Command Step 3 Purpose Define the authentication keys. This command provides protection against accidentally synchronizing the switch to a device that is not trusted. By default. and not the other way around). no trusted keys are defined. To disable NTP authentication.

NTP can be configured to use IP broadcast messages instead. specify either the IP address of the peer providing. If you are using the default NTP version (Version 3) and NTP synchronization does not occur. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. specify the interface from which to pick the IP source address. (Optional) For number.44 version 2 Configuring NTP Broadcast Service The communications between devices running NTP (known as associations) are usually statically configured. try using NTP Version 2.22. the other device can automatically establish the association. or configure terminal ntp peer ip-address [version number] [key keyid] [source interface] [prefer] or ntp server ip-address [version number] Configure the switch system clock to be synchronized by a time server [key keyid] [source interface] [prefer] (server association). This example shows how to configure the switch to synchronize its system clock with the clock of the peer at IP address 172. By default. the source IP address is taken from the outgoing interface. (Optional) Save your entries in the configuration file. specify the IP address of the time server providing the clock synchronization. (Optional) For interface. By default. each device is given the IP addresses of all devices with which it should form associations. the information flow is one-way only. the clock synchronization. • • • • Step 3 Step 4 Step 5 end show running-config copy running-config startup-config Return to privileged EXEC mode. Verify your entries.16. or being provided. (Optional) For keyid. You need to configure only one end of an association. specify the NTP version number. • For ip-address in a peer association. follow these steps to form an NTP association with another device: Command Step 1 Step 2 Purpose Enter global configuration mode.16. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. use the no ntp peer ip-address or the no ntp server ip-address global configuration command. enter the authentication key defined with the ntp authentication-key global configuration command. To remove a peer or server association. However. (Optional) Enter the prefer keyword to make this peer or server the preferred one that provides synchronization. This keyword reduces switching back and forth between peers and servers.44 using NTP Version 2: Switch(config)# ntp server 172. For a server association. However.22. The range is 1 to 3.Chapter 5 Managing the System Time and Date Administering the Switch Beginning in privileged EXEC mode. No peer or server associations are defined by default. in a LAN environment. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 5-6 OL-9639-10 . Many NTP servers on the Internet run Version 2. Version 3 is selected. Configure the switch system clock to synchronize a peer or to be synchronized by a peer (peer association).

if necessary. The switch can send NTP broadcast packets to a peer so that the peer can synchronize to it. and network node interfaces (NNIs) are enabled. (Optional) Save your entries in the configuration file. and NNIs are enabled. Enable the port. This example shows how to configure a port to send NTP Version 2 packets: Switch(config)# interface gigabitethernet0/1 Switch(config-if)# ntp broadcast version 2 Beginning in privileged EXEC mode. and enter interface configuration mode. Specify the interface to receive NTP broadcast packets. configure terminal interface interface-id no shutdown Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 5-7 . The switch can also receive NTP broadcast packets to synchronize its own clock. and enter interface configuration mode. • • • (Optional) For number. By default. such as a router. If you do not specify a version. Enable the port. broadcasting time information on the network. Specify the interface to send NTP broadcast packets. follow these steps to configure the switch to send NTP broadcast packets to peers so that they can synchronize their clock to the switch: Command Step 1 Step 2 Step 3 Purpose Enter global configuration mode. To disable the interface from sending NTP broadcast packets. specify the IP address of the peer that is synchronizing its clock to this switch. this feature is disabled on all interfaces. follow these steps to configure the switch to receive NTP broadcast packets from connected peers: Command Step 1 Step 2 Step 3 Purpose Enter global configuration mode. Verify your entries. The range is 1 to 3. specify the authentication key to use when sending packets to the peer. UNIs and enhanced network interfaces (ENIs) are disabled. if necessary. Configure the connected peers to receive NTP broadcast packets as described in the next procedure. use the no ntp broadcast interface configuration command. This section provides procedures for both sending and receiving NTP broadcast packets. (Optional) For destination-address. Version 3 is used. specify the NTP version number. user network interfaces (UNIs) and enhanced network interfaces (ENIs) are disabled. (Optional) For keyid. [destination-address] By default.Chapter 5 Administering the Switch Managing the System Time and Date The switch can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP broadcast server. Step 5 Step 6 Step 7 Step 8 end show running-config copy running-config startup-config Return to privileged EXEC mode. Beginning in privileged EXEC mode. configure terminal interface interface-id no shutdown Step 4 ntp broadcast [version number] [key keyid] Enable the interface to send NTP broadcast packets to a peer. By default.

Return to privileged EXEC mode. The default is 3000 microseconds. This example shows how to configure a port to receive NTP broadcast packets: Switch(config)# interface gigabitethernet0/1 Switch(config-if)# ntp broadcast client Configuring NTP Access Restrictions You can control NTP access on two levels as described in these sections: • • Creating an Access Group and Assigning a Basic IP Access List. no interfaces receive NTP broadcast packets. serve-only—Allows only time requests. and apply a basic IP access list. (Optional) Save your entries in the configuration file. the range is 1 to 999999. page 5-10 Creating an Access Group and Assigning a Basic IP Access List Beginning in privileged EXEC mode. By default. serve—Allows time requests and NTP control queries. use the no ntp broadcastdelay global configuration command. Return to global configuration mode. To change the estimated round-trip delay to the default. page 5-8 Disabling NTP Services on a Specific Interface. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 5-8 OL-9639-10 . peer—Allows time requests and NTP control queries and allows the switch to synchronize to the remote device. (Optional) Change the estimated round-trip delay between the switch and the NTP broadcast server. For access-list-number. The keywords have these meanings: • • • • configure terminal ntp access-group {query-only | serve-only | serve | peer} access-list-number query-only—Allows only NTP control queries. ntp broadcast client exit ntp broadcastdelay microseconds Step 5 Step 6 Step 7 Step 8 Step 9 end show running-config copy running-config startup-config To disable an interface from receiving NTP broadcast packets.Chapter 5 Managing the System Time and Date Administering the Switch Command Step 4 Purpose Enable the interface to receive NTP broadcast packets. use the no ntp broadcast client interface configuration command. Verify your entries. Create an access group. follow these steps to control access to NTP services by using access lists: Command Step 1 Step 2 Purpose Enter global configuration mode. enter a standard IP access list number from 1 to 99. but does not allow the switch to synchronize to the remote device.

enter the number specified in Step 2. query-only—Allows only NTP control queries from a device whose address passes the access list criteria. serve—Allows time requests and NTP control queries.130. all access types are granted to all devices. serve-only—Allows only time requests from a device whose address passes the access list criteria. This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99. from least restrictive to most restrictive: 1. 4.Chapter 5 Administering the Switch Managing the System Time and Date Command Step 3 Purpose Create the access list. (Optional) For source-wildcard.20. the first type is granted. If any access groups are specified. • • • • Note access-list access-list-number permit source [source-wildcard] For access-list-number. If no access groups are specified. remember that. Enter the permit keyword to permit access if the conditions are matched. (Optional) Save your entries in the configuration file.6 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 5-9 . enter the wildcard bits to be applied to the source. 2. the switch restricts access to allow only time requests from access list 42: Switch# configure terminal Switch(config)# ntp access-group peer 99 Switch(config)# ntp access-group serve-only 42 Switch(config)# access-list 99 permit 172. enter the IP address of the device that is permitted access to the switch.5 Switch(config)# access list 42 permit 172. by default. the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end. When creating an access list. However. If the source IP address matches the access lists for more than one access type. Verify your entries. only the specified access types are granted. The access group keywords are scanned in this order. For source. peer—Allows time requests and NTP control queries and allows the switch to synchronize itself to a device whose address passes the access list criteria. Step 4 Step 5 Step 6 end show running-config copy running-config startup-config Return to privileged EXEC mode. but does not allow the switch to synchronize itself to a device whose address passes the access list criteria. 3. use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command.130. To remove access control to the switch NTP services.20.

Return to privileged EXEC mode. By default. The address is taken from the specified interface. configure terminal interface interface-id no shutdown ntp disable end show running-config copy running-config startup-config Step 5 Step 6 Step 7 To re-enable receipt of NTP packets on an interface. the source IP address is normally set to the address of the interface through which the NTP packet is sent. Enter interface configuration mode. Beginning in privileged EXEC mode. follow these steps to configure a specific interface from which the IP source address is to be taken: Command Step 1 Step 2 Purpose Enter global configuration mode. all interfaces receive NTP packets. Configuring the Source IP Address for NTP Packets When the switch sends an NTP packet. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 5-10 OL-9639-10 . Return to privileged EXEC mode. Disable NTP packets from being received on the interface. Verify your entries. By default. Beginning in privileged EXEC mode. and NNIs are enabled. and specify the interface to disable. Use the ntp source global configuration command when you want to use a particular source IP address for all NTP packets. use the no ntp disable interface configuration command. use the source keyword in the ntp peer or ntp server global configuration command as described in the “Configuring NTP Associations” section on page 5-5.Chapter 5 Managing the System Time and Date Administering the Switch Disabling NTP Services on a Specific Interface NTP services are enabled on all interfaces by default. if necessary. By default. (Optional) Save your entries in the configuration file. Specify the interface type and number from which the IP source address is taken. UNIs and enhanced network interfaces (ENIs) are disabled. This command is useful if the address on an interface cannot be used as the destination for reply packets. configure terminal ntp source type number Step 3 Step 4 Step 5 end show running-config copy running-config startup-config The specified interface is used for the source address for all packets sent to all destinations. Enable the port. the source address is set by the outgoing interface. Verify your entries. (Optional) Save your entries in the configuration file. follow these steps to disable NTP packets from being received on an interface: Command Step 1 Step 2 Step 3 Step 4 Purpose Enter global configuration mode. If a source address is to be used for a specific association.

These sections contain this configuration information: • • • • Setting the System Clock. specify the time in hours (24-hour format). and seconds. minutes. specify the year (no abbreviation).m. page 5-12 Configuring the Time Zone. 2001: Switch# clock set 13:32:00 23 July 2001 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 5-11 .2. page 5-13 Setting the System Clock If you have an outside source on the network that provides time services. Beginning in privileged EXEC mode. We recommend that you use manual configuration only as a last resort. If you have an outside source to which the switch can synchronize. For year. The time specified is relative to the configured time zone.Chapter 5 Administering the Switch Managing the System Time and Date Displaying the NTP Configuration You can use two privileged EXEC commands to display NTP information: • • show ntp associations [detail] show ntp status For detailed information about the fields in these displays. see the Cisco IOS Configuration Fundamentals Command Reference. The time remains accurate until the next system restart. on July 23. For month. specify the month by name. For day. such as an NTP server. specify the day by date in the month. follow these steps to set the system clock: Command Step 1 Purpose Manually set the system clock using one of these formats. you can manually configure the time and date after the system is restarted. page 5-11 Displaying the Time and Date Configuration. Configuring Time and Date Manually If no other source of time is available. • clock set hh:mm:ss day month year or clock set hh:mm:ss month day year For hh:mm:ss. Release 12. you do not need to manually set the system clock. page 5-12 Configuring Summer Time (Daylight Saving Time). you do not need to manually set the system clock. • • • This example shows how to manually set the system clock to 1:32 p.

5 means 50 percent. If the system clock has been set by a timing source such as NTP. The switch keeps internal time in universal time coordinated (UTC). If the time is not authoritative. Until the clock is authoritative and the authoritative flag is set. Step 3 Step 4 Step 5 end show running-config copy running-config startup-config Return to privileged EXEC mode. Verify your entries. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 5-12 OL-9639-10 . follow these steps to manually configure the time zone: Command Step 1 Step 2 Purpose Enter global configuration mode. For example. The minutes-offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC. it is used only for display purposes. the flag is set. The default is UTC.Chapter 5 Managing the System Time and Date Administering the Switch Displaying the Time and Date Configuration To display the time and date configuration. use the show clock [detail] privileged EXEC command. For hours-offset. the time zone for some sections of Atlantic Canada (AST) is UTC-3. but NTP is not synchronized. . In this case. The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). enter the name of the time zone to be displayed when standard time is in effect. Configuring the Time Zone Beginning in privileged EXEC mode.5. the flag prevents peers from synchronizing to the clock when the peers’ time is invalid.—Time is authoritative. (Optional) For minutes-offset. (Optional) Save your entries in the configuration file. (blank)—Time is authoritative. so this command is used only for display purposes and when the time is manually set. enter the hours offset from UTC. To set the time to UTC. the necessary command is clock timezone AST -3 30. Set the time zone. where the 3 means 3 hours and . • • • configure terminal clock timezone zone hours-offset [minutes-offset] For zone. enter the minutes offset from UTC. use the no clock timezone global configuration command. The symbol that precedes the show clock display has this meaning: • • • *—Time is not authoritative.

Monday.. specify the name of the time zone (for example.. (Optional) For month. • • • • • • For zone. The end time is relative to summer time. specify the day of the week (Sunday. the system assumes that you are in the southern hemisphere. configure terminal clock summer-time zone recurring Configure summer time to start and end on the specified days every year. (Optional) For hh:mm. (Optional) For day. PDT) to be displayed when summer time is in effect. and the second part specifies when it ends.. Step 3 Step 4 Step 5 end show running-config copy running-config startup-config Return to privileged EXEC mode. If the starting month is after the ending month. follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year: Command Step 1 Step 2 Purpose Enter global configuration mode. (Optional) For offset. specify the month (January.). If you specify clock summer-time hh:mm [offset]] zone recurring without parameters. specify the number of minutes to add during summer time. (Optional) Save your entries in the configuration file. All times are relative to the local time zone. February. the summer time rules default to the United States rules. The start time is relative to standard time. The default is 60. The first part of the clock summer-time global configuration command specifies when summer time begins. Verify your entries. [week day month hh:mm week day month Summer time is disabled by default.Chapter 5 Administering the Switch Managing the System Time and Date Configuring Summer Time (Daylight Saving Time) Beginning in privileged EXEC mode. specify the week of the month (1 to 5 or last). specify the time (24-hour format) in hours and minutes.). (Optional) For week. This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00: Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 5-13 ..

. February. A greater-than symbol [>] is appended. (Optional) For offset. The end time is relative to summer time.. (Optional) Save your entries in the configuration file. This example shows how to set summer time to start on October 12. specify the day of the week (Sunday.2 and the Cisco IOS IP Command Reference. The start time is relative to standard time. 2001. Verify your entries.Chapter 5 Configuring a System Name and Prompt Administering the Switch Beginning in privileged EXEC mode. If the starting month is after the ending month. specify the week of the month (1 to 5 or last). The first part of the clock summer-time global configuration command specifies when summer time begins. Volume 2 of 3: Routing Protocols. hh:mm [offset]] • (Optional) For day. PDT) to be displayed when summer time is in effect. specify the number of minutes to add during summer time. specify the month (January. at 02:00: Switch(config)# clock summer-time pdt date 12 October 2000 2:00 26 April 2001 2:00 Configuring a System Name and Prompt You configure the system name on the switch to identify it. see the Cisco IOS Configuration Fundamentals Command Reference. For complete syntax and usage information for the commands used in this section. or • For zone. follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events): Command Step 1 Step 2 Purpose Enter global configuration mode. If you have not configured a system prompt. Release 12. specify the name of the time zone (for example. (Optional) For hh:mm. specify the time (24-hour format) in hours and minutes. Release 12.).). All times are relative to the local time zone. configure terminal clock summer-time zone date [month Configure summer time to start on the first date and end on the second date year hh:mm month date year hh:mm date. use the no clock summer-time global configuration command. 2000. the system name and prompt are Switch. • • • (Optional) For month. The prompt is updated whenever the system name changes. the first 20 characters of the system name are used as the system prompt.. at 02:00. and end on April 26.. Monday. Step 3 Step 4 Step 5 end show running-config copy running-config startup-config Return to privileged EXEC mode. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 5-14 OL-9639-10 . clock summer-time zone date [date month year hh:mm date month year • (Optional) For week. and the second part specifies when it ends.2. The default is 60. the system assumes that you are in the southern hemisphere. To disable summer time. [offset]] Summer time is disabled by default. By default.

Understanding DNS The DNS protocol controls the Domain Name System (DNS).com. which holds a cache (or database) of names mapped to IP addresses. page 5-15 Configuring a System Name. Manually configure a system name. you must first identify the hostnames. Verify your entries. and have as interior characters only letters. the File Transfer Protocol (FTP) system is identified as ftp. The default setting is switch. use the no hostname global configuration command. The name must follow the rules for ARPANET hostnames. When you set the system name. For example. follow these steps to manually configure a system name: Command Step 1 Step 2 Purpose Enter global configuration mode. and hyphens. To map domain names to IP addresses. digits. specify the name server that is present on your network. end with a letter or digit.) as the delimiting characters. A specific device in this domain. so its domain name is cisco. such as ping. Domain names are pieced together with periods (. connect. and related Telnet support operations. Names can be up to 63 characters. page 5-15 Default System Name and Prompt Configuration The default switch system name and prompt is Switch. and enable the DNS. When you configure DNS on your switch. They must start with a letter. you can substitute the hostname for the IP address with all IP commands. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 5-15 . IP has defined the concept of a domain name server.Chapter 5 Administering the Switch Configuring a System Name and Prompt These sections contain this configuration information: • • • Default System Name and Prompt Configuration. page 5-15 Understanding DNS. To keep track of domain names. for example. To return to the default hostname. Configuring a System Name Beginning in privileged EXEC mode. configure terminal hostname name Step 3 Step 4 Step 5 end show running-config copy running-config startup-config Return to privileged EXEC mode. telnet. IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. (Optional) Save your entries in the configuration file. a distributed database with which you can map hostnames to IP addresses. it is also used as the system prompt.com.cisco. Cisco Systems is a commercial organization that IP identifies by a com domain name.

You can specify up to six name servers... (Optional) Enable DNS-based hostname-to-address translation on your switch. No name server addresses are configured. page 5-16 Setting Up DNS. however. The switch sends DNS queries to the primary server first. the backup servers are queried. Table 5-2 Default DNS Configuration Feature DNS enable state DNS default domain name DNS servers Default Setting Enabled. Separate each server address with a space. If that query fails. If your network devices require connectivity with devices in networks for which you do not control name assignment. This feature is enabled by default. configure terminal ip domain-name name Step 3 ip name-server server-address1 [server-address2 . None configured.Chapter 5 Configuring a System Name and Prompt Administering the Switch These sections contain this configuration information: • • • Default DNS Configuration. then the default domain name might be set by the BOOTP or DHCP server (if the servers were configured with this information). follow these steps to set up your switch to use the DNS: Command Step 1 Step 2 Purpose Enter global configuration mode. Step 4 ip domain-lookup Step 5 end Return to privileged EXEC mode. Setting Up DNS Beginning in privileged EXEC mode. Define a default domain name that the software uses to complete unqualified hostnames (names without a dotted-decimal domain name). page 5-17 Default DNS Configuration Table 5-2 shows the default DNS configuration. if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol (DHCP) server. page 5-16 Displaying the DNS Configuration. At boot time. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 5-16 OL-9639-10 . Do not include the initial period that separates an unqualified name from the domain name. you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS). server-address6] Specify the address of one or more name servers to use for name and address resolution. no domain name is configured. The first server specified is the primary server.

Displaying the DNS Configuration To display the DNS configuration information. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 5-17 .). The login banner also displays on all connected terminals.Chapter 5 Administering the Switch Creating a Banner Command Step 6 Step 7 Purpose Verify your entries. use the show running-config privileged EXEC command. use the no ip name-server server-address global configuration command. a period followed by the default domain name is appended to the hostname before the DNS query is made to map the name to an IP address. The default domain name is the value set by the ip domain-name global configuration command. page 5-19 Default Banner Configuration The MOTD and login banners are not configured. the Cisco IOS software looks up the IP address without appending any default domain name to the hostname. show running-config copy running-config startup-config If you use the switch IP address as its hostname. Creating a Banner You can configure a message-of-the-day (MOTD) and a login banner. To remove a name server address. Note For complete syntax and usage information for the commands used in this section. use the no ip domain-name name global configuration command.) in the hostname. To remove a domain name. The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns). the IP address is used and no DNS query occurs.2. To disable DNS on the switch. page 5-17 Configuring a Message-of-the-Day Login Banner. page 5-18 Configuring a Login Banner. see the Cisco IOS Configuration Fundamentals Command Reference. It appears after the MOTD banner and before the login prompts. If there is a period (. Release 12. These sections contain this configuration information: • • • Default Banner Configuration. If you configure a hostname that contains no periods (. use the no ip domain-lookup global configuration command. (Optional) Save your entries in the configuration file.

This is a secure site. follow these steps to configure a MOTD login banner: Command Step 1 Step 2 Purpose Enter global configuration mode. # Switch(config)# This example shows the banner that appears from the previous configuration: Unix> telnet 172.4. Only authorized users are allowed. use the no banner motd global configuration command. For access. a pound sign (#). Specify the message of the day. Verify your entries.4 Trying 172.2.. (Optional) Save your entries in the configuration file. This example shows how to configure a MOTD banner for the switch by using the pound sign (#) symbol as the beginning and ending delimiter: Switch(config)# banner motd # This is a secure site. enter the delimiting character of your choice. for example. enter a banner message up to 255 characters.5. configure terminal banner motd c message c Step 3 Step 4 Step 5 end show running-config copy running-config startup-config Return to privileged EXEC mode.5. To delete the MOTD banner. Only authorized users are allowed.2. The delimiting character signifies the beginning and end of the banner text.5. and press the Return key. Beginning in privileged EXEC mode. For access. For message.. contact technical support. For c. contact technical support. Characters after the ending delimiter are discarded. User Access Verification Password: Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 5-18 OL-9639-10 .4.2.Chapter 5 Creating a Banner Administering the Switch Configuring a Message-of-the-Day Login Banner You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. You cannot use the delimiting character in the message. Escape character is '^]'. Connected to 172.

For message. Beginning in privileged EXEC mode. (Optional) Save your entries in the configuration file. Please enter your username and password. follow these steps to configure a login banner: Command Step 1 Step 2 Purpose Enter global configuration mode. You cannot use the delimiting character in the message. and MIB traps) when it detects that a power supply is not operating. and press the Return key. a pound sign (#). Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 5-19 . Note The no power-supply dual command is supported only on the Cisco ME 3400G-12CS switches. use the no banner login global configuration command. The delimiting character signifies the beginning and end of the banner text. enter the delimiting character of your choice. Verify your entries. This banner appears after the MOTD banner and before the login prompt. For c. When two power supplies are operating and you enter the no power-supply dual command. Characters after the ending delimiter are discarded. This example shows how to configure a login banner for the switch by using the dollar sign ($) symbol as the beginning and ending delimiter: Switch(config)# banner login $ Access for authorized users only. enter a login message up to 255 characters. When one power supply is operating. You can enter the no power-supply dual global configuration command to suppress the alarm when the switch is using a single power supply. for example. However. To delete the login banner. the switch can also operate with a single power supply. Specify the login message. alarms are suppressed on power supply 2. configure terminal banner login c message c Step 3 Step 4 Step 5 end show running-config copy running-config startup-config Return to privileged EXEC mode. MIB state. $ Switch(config)# Suppressing the Power-Supply Alarm on an ME 3400G-12CS Switch The Cisco ME 3400G-12CS switch has two power supplies and normally activates alarm indications (LED state. alarms are suppressed for the power supply that is not providing power.Chapter 5 Administering the Switch Suppressing the Power-Supply Alarm on an ME 3400G-12CS Switch Configuring a Login Banner You can configure a login banner to be displayed on all connected terminals.

page 5-23 Configuring MAC Address Change Notification Traps. Verify your setting. page 5-22 Removing Dynamic Address Entries. see the command reference for this release. Command Step 1 Step 2 Step 3 Step 4 Step 5 Purpose Enter global configuration mode.Chapter 5 Managing the MAC Address Table Administering the Switch Beginning in privileged EXEC mode. page 5-22 Changing the Address Aging Time. and port number associated with the address and the type (static or dynamic). configure terminal no power-supply dual end show env {all | power} copy running-config startup-config Enter the power-supply dual global configuration command to return to the default setting where alarms are sent if two power supplies are not supplying power. page 5-21 MAC Addresses and VLANs. page 5-27 Configuring Unicast MAC Address Filtering. Static address: a manually entered unicast address that does not age and that is not lost when the switch resets. the associated VLAN ID. This procedure is optional. Suppress alarms if a second power supply is not providing power. Managing the MAC Address Table The MAC address table contains address information that the switch uses to forward traffic between ports. page 5-26 Adding and Removing Static Address Entries. See the command reference for this release for more information on the commands. The address table lists the destination MAC address. follow these steps to suppress alarms on the second power supply. page 5-25 Configuring MAC Threshold Notification Traps. (Optional) Save your entries in the configuration file. All MAC addresses in the address table are associated with one or more ports. You can enter the show env power privileged EXEC command to see if the alarm is disabled for the second power supply. These sections contain this configuration information: • • • • • • • • • • Building the Address Table. page 5-21 Default MAC Address Table Configuration. page 5-28 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 5-20 OL-9639-10 . page 5-23 Configuring MAC Address Move Notification Traps. Return to privileged EXEC mode. Note For complete syntax and usage information for the commands used in this section. The address table includes these types of addresses: • • Dynamic address: a source MAC address that the switch learns and then ages when it is not in use.

and therefore which ports. An address can exist in more than one VLAN and have different destinations in each. and STP can accelerate the aging interval on a per-VLAN basis. As stations are added or removed from the network. based on the destination address of the received packet. for example. a MAC address learned in a private-VLAN secondary VLAN is replicated in the primary VLAN. the switch updates the address table. could be forwarded to port 1 in VLAN 1 and ports 1. you can disable MAC address learning on a per-VLAN basis. Using the MAC address table. switches. See the “Disabling MAC Address Learning on a VLAN” section on page 5-29 for more information. When you configure a static MAC address in a private VLAN primary or secondary VLAN. A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN. Each VLAN maintains its own logical address table. Unicast addresses. Static MAC addresses configured in a primary or secondary VLAN are not replicated in the associated VLANs. be sure that you are familiar with the network topology and the switch system configuration. Before you disable MAC address learning. can learn MAC addresses. Customers in a service provider network can tunnel a large number of MAC addresses through the network and fill up the available MAC address table space. and 10 in VLAN 5.Chapter 5 Administering the Switch Managing the MAC Address Table • • Disabling MAC Address Learning on a VLAN. repeaters. When private VLANs are configured. The switch always uses the store-and-forward method: complete packets are stored and checked for errors before transmission. the switch forwards the packet only to the port associated with the destination address. the switch maintains an address table for each VLAN. or other network devices. adding new dynamic addresses and aging out those that are not in use. For example. The aging interval is globally configured. page 5-29 Displaying Address Table Entries. 9. see Chapter 12. the packet is filtered and not forwarded. “Configuring Private VLANs. address learning depends on the type of MAC address: • Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the associated VLANs. If the destination address is on the port that sent the packet. You can control MAC address learning on a VLAN and manage the MAC address table space that is available on the switch by controlling which VLANs. • For more information about private VLANs.” If the switch is running the metro IP access or metro access image. The switch sends packets between any combination of ports. The switch provides dynamic addressing by learning the source address of packets it receives on each port and adding the address and its associated port number to the address table. Disabling MAC address learning on a VLAN could cause flooding in the network. page 5-31 Building the Address Table With multiple MAC addresses supported on all ports. However. routers. MAC Addresses and VLANs All addresses are associated with a VLAN. you should also configure the same static MAC address in all associated VLANs. you can connect any port on the switch to individual workstations. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 5-21 .

configure terminal mac address-table aging-time [0 | 10-1000000] [vlan vlan-id] Step 3 Step 4 Step 5 end show mac address-table aging-time copy running-config startup-config Return to privileged EXEC mode. which disables aging. Setting too long an aging time can cause the address table to be filled with unused addresses. which can impact switch performance. To return to the default value. it floods the packet to all ports in the same VLAN as the receiving port. Beginning in privileged EXEC mode. Then when the switch receives a packet for an unknown destination. Static address entries are never aged or removed from the table. valid IDs are 1 to 4094.Chapter 5 Managing the MAC Address Table Administering the Switch Default MAC Address Table Configuration Table 5-3 shows the default MAC address table configuration. Verify your entries. use the no mac address-table aging-time global configuration command. For vlan-id. The range is 10 to 1000000 seconds. (Optional) Save your entries in the configuration file. The default is 300. Setting too short an aging time can cause addresses to be prematurely removed from the table. Table 5-3 Default MAC Address Table Configuration Feature Aging time Dynamic addresses Static addresses MAC address learning on VLANs Default Setting 300 seconds Automatically learned None configured Enabled Changing the Address Aging Time Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use. which prevents new addresses from being learned. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 5-22 OL-9639-10 . Do not enter leading zeros. You can also enter 0. You can change the aging time setting for all VLANs or for a specified VLAN. Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated. Flooding results. This unnecessary flooding can impact performance. follow these steps to configure the dynamic address table aging time: Command Step 1 Step 2 Purpose Enter global configuration mode.

Specify the SNMP version to support. You can also remove a specific MAC address (clear mac address-table dynamic address mac-address). or other static addresses. or remove all addresses on a specified VLAN (clear mac address-table dynamic vlan vlan-id). multicast addresses. use the clear mac address-table dynamic command in privileged EXEC mode. Notifications are not generated for self addresses. specify the name or address of the NMS. • • • Step 3 Step 4 snmp-server enable traps mac-notification change mac address-table notification change Enable the switch to send MAC address change notification traps to the NMS. an SNMP notification trap can be sent to the NMS. To verify that dynamic entries have been removed. MAC address change notifications are generated for dynamic and secure MAC addresses. specify the string to send with the notification operation. The MAC notification history table stores MAC address activity for each port for which the trap is set. you can set a trap-interval time to bundle the notification traps to reduce network traffic. the default. Configuring MAC Address Change Notification Traps MAC address change notification tracks users on a network by storing the MAC address change activity. Beginning in privileged EXEC mode. | 2c | 3}} community-string notification-type • For host-addr. Specify informs to send SNMP informs to the host.Chapter 5 Administering the Switch Managing the MAC Address Table Removing Dynamic Address Entries To remove all dynamic entries. is not available with informs. follow these steps to configure the switch to send MAC address change notification traps to an NMS host: Command Step 1 Step 2 Purpose Enter global configuration mode. For notification-type. • Specify traps (the default) to send SNMP traps to the host. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 5-23 . we recommend that you define this string by using the snmp-server community command before using the snmp-server host command. remove all addresses on the specified physical port or port channel (clear mac address-table dynamic interface interface-id). When the switch learns or removes a MAC address. use the show mac address-table dynamic privileged EXEC command. use the mac-notification keyword. Though you can set this string by using the snmp-server host command. Version 1. Enable the MAC address change notification feature. configure terminal snmp-server host host-addr {traps | informs} {version {1 Specify the recipient of the trap message. For community-string. If you have many users coming and going from the network.

specify the notification trap interval in seconds between each set of traps that are generated to the NMS. the default is 1. The range is 0 to 500. • • Step 7 snmp trap mac-notification change {added | removed} Enable the trap when a MAC address is added on this interface. the default is 1 second. To disable the MAC address-change notification traps on a specific interface. The range is 0 to 2147483647 seconds. use the no mac address-table notification change global configuration command. Switch(config)# snmp-server host 172. set the history-size to 100 entries. use the no snmp trap mac-notification change {added | removed} interface configuration command. (Optional) For history-size value. and specify the Layer 2 interface on which to enable the SNMP MAC address notification trap. Verify your entries.10. Enable the trap when a MAC address is removed from this interface. Enable the MAC address change notification trap on the interface.10 as the NMS. To disable the MAC address-change notification feature. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 5-24 OL-9639-10 . Step 10 To disable MAC address-change notification traps. use the no snmp-server enable traps mac-notification change global configuration command.20. set the interval time to 123 seconds. enable the MAC address-change notification feature. specify the maximum number of entries in the MAC notification history table.Chapter 5 Managing the MAC Address Table Administering the Switch Command Step 5 Purpose Enter the trap interval time and the history table size. • mac address-table notification change [interval value] [history-size value] (Optional) For interval value. Step 8 Step 9 end show mac address-table notification change interface show running-config copy running-config startup-config Return to privileged EXEC mode. and enable traps whenever a MAC address is added on the specified port. • Step 6 interface interface-id Enter interface configuration mode. (Optional) Save your entries in the configuration file. This example shows how to specify 172.20.10 traps private mac-notification Switch(config)# snmp-server enable traps mac-notification change Switch(config)# mac address-table notification change Switch(config)# mac address-table notification change interval 123 Switch(config)# mac address-table notification change history-size 100 Switch(config)# interface gigabitethernet0/2 Switch(config-if)# snmp trap mac-notification change added You can verify your settings by entering the show mac address-table notification change interface and the show mac address-table notification change privileged EXEC commands. enable the switch to send MAC address notification traps to the NMS.10.

an SNMP notification is generated and sent to the network management system whenever a MAC address moves from one port to another within the same VLAN.20. | 2c | 3}} community-string notification-type • For host-addr. (Optional) Save your entries in the configuration file. This example shows how to specify 172. Specify informs to send SNMP informs to the host. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 5-25 . Though you can set this string by using the snmp-server host command. Step 7 To disable MAC address-move notification traps.Chapter 5 Administering the Switch Managing the MAC Address Table Configuring MAC Address Move Notification Traps When you configure MAC-move notification.10 as the NMS. Switch(config)# snmp-server host 172. enable the MAC address move notification feature. use the no mac address-table notification mac-move global configuration command.10. use the mac-notification keyword. • • • Step 3 Step 4 Step 5 Step 6 snmp-server enable traps mac-notification move mac address-table notification mac-move end show mac address-table notification mac-move show running-config copy running-config startup-config Enable the switch to send MAC address move notification traps to the NMS. • Specify traps (the default) to send SNMP traps to the host. use the no snmp-server enable traps mac-notification move global configuration command. Return to privileged EXEC mode. configure terminal snmp-server host host-addr {traps | informs} {version {1 Specify the recipient of the trap message. For notification-type. Verify your entries.10 traps private mac-notification Switch(config)# snmp-server enable traps mac-notification move Switch(config)# mac address-table notification mac-move You can verify your settings by entering the show mac address-table notification mac-move privileged EXEC commands.10. For community-string. To disable the MAC address-move notification feature. follow these steps to configure the switch to send MAC address-move notification traps to an NMS host: Command Step 1 Step 2 Purpose Enter global configuration mode. we recommend that you define this string by using the snmp-server community command before using the snmp-server host command. specify the string to send with the notification operation. enable the switch to send MAC address move notification traps to the NMS. Specify the SNMP version to support. specify the name or address of the NMS. and enable traps when a MAC address moves from one port to another. Beginning in privileged EXEC mode. is not available with informs. Enable the MAC address move notification feature.20. the default. Version 1.

Though you can set this string by using the snmp-server host command. use the mac-notification keyword. the default. valid values are greater than or equal to 120 seconds. Version 1.Chapter 5 Managing the MAC Address Table Administering the Switch Configuring MAC Threshold Notification Traps When you configure MAC threshold notification. we recommend that you define this string by using the snmp-server community command before using the snmp-server host command. Specify the SNMP version to support. The default is 120 seconds. (Optional) For interval time. | 2c | 3}} community-string notification-type • For host-addr. (Optional) Save your entries in the configuration file. Verify your entries. specify the name or address of the NMS. specify the percentage of the MAC address table use. For community-string. an SNMP notification is generated and sent to the network management system when a MAC address table threshold limit is reached or exceeded. is not available with informs. • (Optional) For limit percentage. • Specify traps (the default) to send SNMP traps to the host. configure terminal snmp-server host host-addr {traps | informs} {version {1 Specify the recipient of the trap message. Specify informs to send SNMP informs to the host. Enter the threshold value for the MAC address threshold usage monitoring. valid values are from 1 to 100 percent. • Step 6 Step 7 Step 8 end show mac address-table notification threshold show running-config copy running-config startup-config Return to privileged EXEC mode. • • • Step 3 Step 4 Step 5 snmp-server enable traps mac-notification threshold mac address-table notification threshold mac address-table notification threshold [limit percentage] | [interval time] Enable the switch to send MAC threshold notification traps to the NMS. specify the time between notifications. For notification-type. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 5-26 OL-9639-10 . Enable the MAC address threshold notification feature. follow these steps to configure the switch to send MAC address table threshold notification traps to an NMS host: Command Step 1 Step 2 Purpose Enter global configuration mode. specify the string to send with the notification operation. Beginning in privileged EXEC mode. The default is 50 percent.

Adding and Removing Static Address Entries A static address has these characteristics: • • • It is manually entered in the address table and must be manually removed. the switch acquires the VLAN ID for the address from the ports that you specify. enable the MAC address threshold notification feature. The forwarding behavior defines how a port that receives a packet forwards it to another port for transmission. You can add and remove static addresses and define the forwarding behavior for them.” Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 5-27 . Packets received with this destination address are forwarded to the interface specified with the interface-id option. To disable the MAC address-threshold notification feature. A packet with a static address that arrives on a VLAN where it has not been statically entered is flooded to all ports and not learned. and set the limit to 78 per cent. This example shows how to specify 172. It does not age and is retained when the switch restarts.10 as the NMS. use the no mac address-table notification threshold global configuration command. For more information about private VLANs. Static MAC addresses configured in a private-VLAN primary or secondary VLAN are not replicated in the associated VLAN. see Chapter 12. use the no snmp-server enable traps mac-notification threshold global configuration command. you should also configure the same static MAC address in all associated VLANs.20. set the interval time to 123 seconds. Because all ports are associated with at least one VLAN.10.Chapter 5 Administering the Switch Managing the MAC Address Table To disable MAC address-threshold notification traps. You add a static address to the address table by specifying the destination MAC unicast address and the VLAN from which it is received. It can be a unicast or multicast address. When you configure a static MAC address in a private-VLAN primary or secondary VLAN.20.10 traps private mac-notification snmp-server enable traps mac-notification threshold mac address-table notification threshold mac address-table notification threshold interval 123 mac address-table notification threshold limit 78 You can verify your settings by entering the show mac address-table notification threshold privileged EXEC commands. “Configuring Private VLANs.10. You can specify a different list of destination ports for each source port. Switch(config)# Switch(config)# Switch(config)# Switch(config)# Switch(config)# snmp-server host 172.

This feature is disabled by default and only supports unicast static addresses. specify the destination MAC unicast address to add to the address table. follow these steps to add a static address: Command Step 1 Step 2 Purpose Enter global configuration mode. and router MAC addresses are not supported. For vlan-id.220a. do not enter leading zeros. (Optional) Save your entries in the configuration file. • configure terminal mac address-table static mac-addr vlan vlan-id interface interface-id For mac-addr. you can enter only one interface at a time. For interface-id. For static unicast addresses. Add a static address to the MAC address table. use the no mac address-table static mac-addr vlan vlan-id [interface interface-id] global configuration command. • • Step 3 Step 4 Step 5 end show mac address-table static copy running-config startup-config Return to privileged EXEC mode.12f4 vlan 4 interface gigabitethernet0/1 Configuring Unicast MAC Address Filtering When unicast MAC address filtering is enabled. For static multicast addresses. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 5-28 OL-9639-10 . you can enter multiple interface IDs. specify the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094. Follow these guidelines when using this feature: • Multicast MAC addresses.Chapter 5 Managing the MAC Address Table Administering the Switch Beginning in privileged EXEC mode. the packet is forwarded to the specified port: Switch(config)# mac address-table static c2f3. one of these messages appears: % Only unicast addresses can be configured to be dropped % CPU destined address cannot be configured as drop address • Packets that are forwarded to the CPU are also not supported. When a packet is received in VLAN 4 with this MAC address as its destination address. Verify your entries. Valid interfaces include physical ports or port channels. the switch drops packets with specific source or destination MAC addresses. broadcast MAC addresses. To remove static entries from the address table. but you can enter the command multiple times with the same MAC address and VLAN ID. Packets with this destination address received in the specified VLAN are forwarded to the specified interface. If you specify one of these addresses when entering the mac address-table static mac-addr vlan vlan-id drop global configuration command. specify the interface to which the received packet is forwarded. This example shows how to add the static address c2f3.220a.12f4 to the MAC address table.

the switch drops packets with the specified MAC address as a source or destination. Disabling MAC address learning on a VLAN could cause flooding in the network. Step 3 Step 4 Step 5 end show mac address-table static copy running-config startup-config Return to privileged EXEC mode. You enable unicast MAC address filtering and configure the switch to drop packets with a specific address by specifying the source or destination unicast MAC address and the VLAN from which it is received. • • configure terminal mac address-table static mac-addr vlan vlan-id drop For mac-addr. To disable unicast MAC address filtering. (Optional) Save your entries in the configuration file. use the no mac address-table static mac-addr vlan vlan-id global configuration command. You can control MAC address learning on a VLAN to manage the available MAC address table space by controlling which VLANs.220a. Beginning in privileged EXEC mode. the switch either adds the MAC address as a static address or drops packets with that MAC address.12f4 vlan 4 drop Disabling MAC Address Learning on a VLAN By default. can learn MAC addresses. the switch adds the MAC address as a static address. When a packet is received in VLAN 4 with this MAC address as its source or destination. For vlan-id. Valid VLAN IDs are 1 to 4094. specify the VLAN for which the packet with the specified MAC address is received. Packets with this MAC address are dropped. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 5-29 . the packet is dropped: Switch(config)# mac a ddress-table static c2f3. if you enter the mac address-table static mac-addr vlan vlan-id interface interface-id global configuration command followed by the mac address-table static mac-addr vlan vlan-id drop command. Before you disable MAC address learning be sure that you are familiar with the network topology and the switch system configuration. depending on which command was entered last. This example shows how to enable unicast MAC address filtering and to configure the switch to drop packets that have a source or destination address of c2f3. Verify your entries.12f4.220a. follow these steps to configure the switch to drop a source or destination unicast static address: Command Step 1 Step 2 Purpose Enter global configuration mode. MAC address learning is enabled on all VLANs on the switch. and therefore which ports. The second command that you entered overrides the first command. Enable unicast MAC address filtering and configure the switch to drop a packet with the specified source or destination unicast static address. specify a source or destination unicast MAC address. If you enter the mac address-table static mac-addr vlan vlan-id drop global configuration command followed by the mac address-table static mac-addr vlan vlan-id interface interface-id command.Chapter 5 Administering the Switch Managing the MAC Address Table • If you add a unicast MAC address as a static address and configure unicast MAC address filtering. For example.

MAC addresses are still learned on the secondary VLAN that belongs to the private VLAN and are then replicated on the primary VLAN. You can disable MAC address learning on a single VLAN ID from 1 to 4094 (for example. follow these steps to disable MAC address learning on a VLAN: Command Step 1 Step 2 Purpose Enter global configuration mode. MAC address learning occurs on the primary VLAN and is replicated on the secondary VLAN. the switch generates an error message and rejects the command. If you disable MAC address learning on a VLAN with more than two ports. the configured MAC address learning state is enabled. You can specify a single VLAN ID or a range of VLAN IDs separated by a hyphen or comma. It cannot be an internal VLAN. To reenable MAC address learning on a VLAN. use the default mac address-table learning vlan vlan-id global configuration command. 15). You cannot disable MAC address learning on an RSPAN VLAN. The switch then floods all IP packets in the Layer 2 domain. If you disable MAC address learning on a VLAN configured as a private-VLAN primary VLAN. The configuration is not allowed. Disable MAC address learning on the specified VLAN or VLANs. every packet entering the switch is flooded in that VLAN domain.Chapter 5 Managing the MAC Address Table Administering the Switch Follow these guidelines when disabling MAC address learning on a VLAN: • • • Disabling MAC address learning on a VLAN is supported only if the switch is running the metro IP access or metro access image. The first (default) command returns to a default condition and therefore does not appear in the output from the show running-config command. Use caution before disabling MAC address learning on a VLAN with a configured switch virtual interface (SVI). vlan-id] copy running-config startup-config (Optional) Save your entries in the configuration file. If you disable port security. separated by a hyphen or comma (for example. If the VLAN ID that you enter is an internal VLAN. If you disable MAC address learning on the secondary VLAN. no mac address-table learning vlan 223) or a range of VLAN IDs. Valid VLAN IDs 1 to 4094. If you disable MAC address learning on a VLAN that includes a secure port. • • • • • Beginning in privileged EXEC mode. MAC address learning is not disabled on that port. This example shows how to disable MAC address learning on VLAN 200: Switch(config)# no mac a ddress-table learning vlan 200 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 5-30 OL-9639-10 . Return to privileged EXEC mode. but not the primary VLAN of a private VLAN. You can also reenable MAC address learning on a VLAN by entering the mac address-table learning vlan vlan-id global configuration command. The second command causes the configuration to appear in the show running-config privileged EXEC command display. configure terminal no mac address-table learning vlan vlan-id Step 3 Step 4 Step 5 end show mac address-table learning [vlan Verify the configuration. You cannot disable MAC address learning on a VLAN that is used internally by the switch. enter the show vlan internal usage privileged EXEC command. We recommend that you disable MAC address learning only in VLANs with two ports. To view internal VLANs in use. no mac address-table learning vlan 1-10.

see the Cisco IOS Release 12. the IP-MAC address association is stored in an ARP cache for rapid retrieval. for example). For CLI procedures. Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol (SNAP). standard Ethernet-style ARP encapsulation (represented by the arpa keyword) is enabled on the IP interface. Displays the aging time in all VLANs or the specified VLAN. Then the IP datagram is encapsulated in a link-layer frame and sent over the network. The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or MAC addresses and the VLAN ID. Displays the MAC address table information for the specified VLAN. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 5-31 . Displaying Address Table Entries You can display the MAC address table by using one or more of the privileged EXEC commands described in Table 5-4: Table 5-4 Commands for Displaying the MAC Address Table Command show ip igmp snooping groups show mac address-table address show mac address-table aging-time show mac address-table count show mac address-table dynamic show mac address-table interface show mac address-table learning show mac address-table notification show mac address-table static show mac address-table vlan Description Displays the Layer 2 multicast entries for all VLANs or the specified VLAN. Managing the ARP Table To communicate with a device (over Ethernet. Using an IP address.Chapter 5 Administering the Switch Managing the ARP Table You can display the MAC address learning status of all VLANs or a specified VLAN by entering the show mac-address-table learning [vlan vlan-id] privileged EXEC command. Displays MAC address table information for the specified MAC address. By default. ARP finds the associated MAC address. Displays the MAC address table information for the specified interface. ARP entries added manually to the table do not age and must be manually removed.2 documentation on Cisco. Displays the number of addresses present in all VLANs or the specified VLAN. Displays MAC address learning status of all VLANs or the specified VLAN. When a MAC address is found. The process of learning the local data link address from an IP address is called address resolution. Displays only dynamic MAC address table entries. Displays the MAC notification parameters and history table.com. Displays only static MAC address table entries. the software first must learn the 48-bit MAC address or the local data link address of that device.

Chapter 5 Managing the ARP Table Administering the Switch Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 5-32 OL-9639-10 .

Note For complete syntax and usage information for the commands used in this chapter. You should use this template when the switch is being used for Layer-2 forwarding. page 6-1 Configuring the Switch SDM Template. You can use the SDM templates for IP Version 4 (IPv4) and select the default template to balance system resources or select the layer-2 template to support only Layer 2 features in hardware. • The dual IPv4 and IPv6 templates also enable a dual stack environment. When you select the layer-2 template on a switch running the metro IP access image. This template is available only on switches running the metro IP access image. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 6-1 . Note Switches running the metro base or metro access image support only the layer-2 template • Layer-2—The layer-2 template maximizes system resources for Layer 2 functionality and does not support routing. Default—The default template gives balance to all functions: Layer 2 and Layer 3 (routing). which overloads the CPU and severely degrades routing performance. page 6-5 Understanding the SDM Templates If the switch is running the metro IP access image. SDM template configuration is supported only when the switch is running the metro IP access image.CH A P T E R 6 Configuring SDM Templates This chapter describes how to configure the Switch Database Management (SDM) templates on the Cisco ME 3400 Ethernet Access switch. • • • Understanding the SDM Templates. you can use SDM templates to optimize system resources in the switch to support specific features. If you do not use the default template when routing is enabled on the switch. The SDM templates allocate TCAM resources to support different features. any routing is done through software. any routing is done through software. depending on how the switch is used in the network. See the “Dual IPv4 and IPv6 SDM Templates” section on page 6-2. page 6-3 Displaying the SDM Templates. which overloads the CPU and severely degrades routing performance. see the command reference for this release.

If a section of a hardware resource is full. all processing overflow is sent to the CPU. and Layer 2.” For information about configuring IPv6 ACLs. and ACLs for IPv4. see Chapter 36. For more information about IPv6 and how to configure IPv6 routing. Dual IPv4 and IPv6 VLAN template—supports basic Layer 2. QoS.5 K 1K Directly connected IPv4 hosts Indirect IPv4 routes 2 IPv4 policy-based routing ACEs IPv4 or MAC QoS ACEs IPv4 or MAC security ACEs 1. The software supports IPv4 PBR only when the dual-ipv4-and-ipv6 routing template is configured. Using the dual stack templates results in less TCAM capacity allowed for each resource. The dual IPv4 and IPv6 templates allow the switch to be used in dual stack environments (supporting both IPv4 and IPv6). “Configuring IPv6 ACLs. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 6-2 OL-9639-10 .5 K 1K Dual IPv4 and IPv6 SDM Templates You can select SDM templates to support IP Version 6 (IPv6). or IPv6 Multicast Listener Discovery (MLD) snooping. routing (including policy-based routing). These SDM templates support IPv4 and IPv6 environments: • • • Dual IPv4 and IPv6 default template—supports Layer 2. multicast. Do not use them if you plan to forward only IPv4 traffic.” This software release does not support Policy-Based Routing (PBR) when forwarding IPv6 traffic. 2. and ACLs for IPv4. 0 0. Dual IPv4 and IPv6 routing template—supports Layer 2. multicast.5 K 0. Table 6-1 Approximate Number of Feature Resources Allowed by Each Template Resource Unicast MAC addresses IPv4 IGMP groups + multicast routes (default only) IP v4 IGMP groups (layer-2 only) IPv4 multicast routes (layer-2 only) IPv4 IGMP groups and multicast routes IPv4 unicast routes • • Layer-2 8K – 1K 0 1K 0 – – 1 Default 5K 1K – – – 9K 5K 4K 0. and Layer 2. seriously impacting switch performance.Chapter 6 Understanding the SDM Templates Configuring SDM Templates Table 6-1 shows the approximate number of each resource supported in each of the two IPv4 templates for a switch running the metro IP access image. QoS = Quality of service. The values in the template are based on eight routed interfaces and approximately 1024 VLANs and represent the approximate hardware boundaries set when a template is selected. IPv6 QoS. QoS. routing. and ACLs for IPv4. “Configuring IPv6 Unicast Routing. ACEs = Access control entries. and ACLs for IPv6 on the switch. and basic Layer 2 and ACLs for IPv6 on the switch This software release does not support IPv6 multicast routing. see Chapter 38. routing. routing. QoS. multicast. and ACLs for IPv6 on the switch.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 6-3 . reducing the number of entries forwarded in hardware.5 K 0.75 K 0.5 K 0.5 K 0.75 K 1. Because of the hardware compression scheme used for IPv6. an IPv6 route can take more than one TCAM entry. Table 6-2 defines the approximate feature resources allocated by each dual template. page 6-4 Setting the SDM Template. The default (and only) template supported on switches running the metro base or metro access image is the layer-2 template.25 K 0.5 K 1. Template estimations are based on a switch with 8 routed interfaces and approximately 1000 VLANs.5 K 0. page 6-3 SDM Template Configuration Guidelines.5 K 1.5 K IPv4-and-IPv6 VLAN 8K 1K 0 0 0 1K 0 0 0 0 0. Configuring the Switch SDM Template • • • Default SDM Template.75 K 1K 0 0. Table 6-2 Approximate Feature Resources Allowed by Dual IPv4-IPv6 Templates Resource Unicast MAC addresses IPv4 IGMP groups and multicast routes Total IPv4 unicast routes: • • IPv4-and-IPv6 Default 2K 1K 3K 2K 1K 1K 3K 2K 1K 0 0.75 K 1.75 K 1K 0 0.25 K 0.5 K 1K 2.5 K Directly connected IPv4 hosts Indirect IPv4 routes IPv6 multicast groups Total IPv6 unicast routes: • • Directly connected IPv6 addresses Indirect IPv6 unicast routes IPv4 policy-based routing ACEs IPv4 or MAC QoS ACEs (total) IPv4 or MAC security ACEs (total) IPv6 policy-based routing ACEs IPv6 QoS ACEs IPv6 security ACEs 1. page 6-4 Default SDM Template The default template for a switch running the metro IP access image is the default template.Chapter 6 Configuring SDM Templates Configuring the Switch SDM Template Note An IPv4 route requires only one TCAM entry.5 K 1 IPv4-and-IPv6 Routing 1.25 K 0. IPv6 policy-based routing is not supported.25 K 1K 2.

The sdm prefer default global configuration command prevents other features from using the memory allocated to unicast routing in the routing template. a warning message is generated. – default—Balance IPv4 and IPv6 Layer 2 and Layer 3 functionality. If you enter the show sdm prefer command before you enter the reload privileged EXEC command. If you try to configure IPv6 features without first selecting a dual IPv4 and IPv6 template. Specify the SDM template to be used on the switch: The keywords have these meanings: • • configure terminal sdm prefer {default | dual-ipv4-and-ipv6 {default | routing | vlan} | layer-2} default—Balance all functions. which overloads the CPU and severely degrades routing performance. dual-ipv4-and-ipv6—Select a template that supports both IPv4 and IPv6 routing. – routing—Provide maximum usage for IPv4 and IPv6 routing. – vlan—Provide maximum usage for IPv4 and IPv6 VLANs. end reload Return to privileged EXEC mode. • Step 3 Step 4 layer-2—Support Layer 2 functionality and do not support routing on the switch. so do not use if you plan to forward only IPv4 traffic. including IPv4 policy-based routing. After the system reboots. select the layer-2 template. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 6-4 OL-9639-10 . Do not use the default template if you do not have routing enabled on your switch. follow these steps to use the SDM template to select a template on a switch running the metro IP access image: Command Step 1 Step 2 Purpose Enter global configuration mode. • • • Setting the SDM Template Beginning in privileged EXEC mode.Chapter 6 Configuring the Switch SDM Template Configuring SDM Templates SDM Template Configuration Guidelines Follow these guidelines when selecting and configuring SDM templates: • • • You must reload the switch for the configuration to take effect. If you are using the switch for Layer 2 features only. you can use the show sdm prefer privileged EXEC command to verify the new template configuration. the show sdm prefer command shows the template currently in use and the template that will become active after a reload. Reload the operating system. You should use the default template when you plan to enable routing on the switch. If you do not use the default template when routing is enabled. routing is done through software. Using the dual-stack templates results in less TCAM capacity allowed for each resource.

5K 1K Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 6-5 . template will be "layer-2" template. number of unicast mac addresses: number of IPv4 IGMP groups + multicast routes: number of IPv4 unicast routes: number of directly-connected IPv4 hosts: number of indirect IPv4 routes: number of IPv4 policy based routing aces: number of IPv4/MAC qos aces: number of IPv4/MAC security aces: 5K 1K 9K 5K 4K 0. The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs. The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs. displaying the template in use: Switch# show sdm prefer The current template is "default" template. To return to the default template. Switch(config)# sdm prefer layer-2 Switch(config)# end Switch# reload Proceed with reload? [confirm] Displaying the SDM Templates Use the show sdm prefer privileged EXEC command with no parameters to display the active template. number of unicast mac addresses: 5K number of IPv4 IGMP groups + multicast routes: 1K number of IPv4 unicast routes: 9K number of directly-connected IPv4 hosts: 5K number of indirect IPv4 routes: 4K number of IPv4 policy based routing aces: 0.5K number of IPv4/MAC qos aces: 0.5K 0. This example shows how to configure a switch with the layer-2 template. This is an example of output from the show sdm prefer command. use the no sdm prefer global configuration command.Chapter 6 Configuring SDM Templates Displaying the SDM Templates This is an example of an output display when you have changed the template to the layer-2 template and have not reloaded the switch: Switch# show sdm prefer The current template is "default" template.5K number of IPv4/MAC security aces: 1K On next reload. Use the show sdm prefer [default | dual-ipv4-and-ipv6 {default | routing | vlan} | layer-2] privileged EXEC command to display the resource numbers supported by the specified template.

Chapter 6 Displaying the SDM Templates Configuring SDM Templates This is an example of output from the show sdm prefer layer-2 command: Switch# show sdm prefer layer-2 "layer-2" template: The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.75K 1.5K 0.5K 1.25K 0.5K 1K This is an example of output from the show sdm prefer dual-ipv4-and-ipv6 routing command: Switch# show sdm prefer dual-ipv4-and-ipv6 routing "desktop IPv4 and IPv6 routing" template: The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.5K 1K 2. number of unicast mac addresses: number of IPv4 IGMP groups + multicast routes: number of IPv4 unicast routes: number of directly-connected IPv4 hosts: number of indirect IPv4 routes: number of IPv6 multicast groups: number of directly-connected IPv6 addresses: number of indirect IPv6 unicast routes: number of IPv4 policy based routing aces: number of IPv4/MAC qos aces: number of IPv4/MAC security aces: number of IPv6 policy based routing aces: number of IPv6 qos aces: number of IPv6 security aces: 1. number number number number number number number of of of of of of of unicast mac addresses: IPv4 IGMP groups: IPv4 multicast routes: IPv4 unicast routes: IPv4 policy based routing aces: IPv4/MAC qos aces: IPv4/MAC security aces: 8K 1K 0 0 0 0.75K 0.125k 1.5K 0.5K 1.25K 0.25K 1.5K Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 6-6 OL-9639-10 .25K 0.

but you want to store them centrally on a server instead of locally. For more information. Multiple networking devices can then use the same database to obtain user authentication (and. • • • • • • • • Preventing Unauthorized Access to Your Switch. For an additional layer of security. you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair. These passwords are locally stored on the switch. For more information. authorization) information. To prevent unauthorized access into your switch. if necessary. see the “Configuring Username and Password Pairs” section on page 7-6. page 7-2 Controlling Switch Access with TACACS+. When users attempt to access the switch through a port or line. If you want to use username and password pairs. page 7-18 Controlling Switch Access with Kerberos. • • Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 7-1 . page 7-41 Preventing Unauthorized Access to Your Switch You can prevent unauthorized users from reconfiguring your switch and viewing configuration information. which are locally stored on the switch. see the “Controlling Switch Access with TACACS+” section on page 7-10. page 7-32 Configuring the Switch for Local Authentication and Authorization. page 7-37 Configuring the Switch for Secure Copy Protocol. Typically. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. page 7-36 Configuring the Switch for Secure Shell. you can store them in a database on a security server. you should configure one or more of these security features: • At a minimum. you can also configure username and password pairs. you should configure passwords and privileges at each switch port. If you have defined privilege levels. page 7-1 Protecting Access to Privileged EXEC Commands. page 7-10 Controlling Switch Access with RADIUS. you want network administrators to have access to your switch while you restrict access to users who dial from outside the network through an asynchronous port. For more information. see the “Protecting Access to Privileged EXEC Commands” section on page 7-2.CH A P T E R 7 Configuring Switch-Based Authentication This chapter describes how to configure switch-based authentication on the Cisco ME 3400 switch. or connect through a terminal or workstation from within the local network. they must enter the password specified for the port or line before they can access the switch. connect from outside the network through a serial port.

page 7-6 Configuring Username and Password Pairs. see the Cisco IOS Security Command Reference. Note For complete syntax and usage information for the commands used in this section. Table 7-1 Default Password and Privilege Levels Feature Enable password and privilege level Enable secret password and privilege level Line password Default Setting No password is defined. The password is not encrypted in the configuration file. page 7-5 Setting a Telnet Password for a Terminal Line. The default is level 15 (privileged EXEC level). Release 12. page 7-7 Default Password and Privilege Level Configuration Table 7-1 shows the default password and privilege level configuration. page 7-2 Setting or Changing a Static Enable Password. The default is level 15 (privileged EXEC level). Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 7-2 OL-9639-10 .Chapter 7 Protecting Access to Privileged EXEC Commands Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. • • • • • • • Default Password and Privilege Level Configuration. page 7-6 Configuring Multiple Privilege Levels. The password is encrypted before it is written to the configuration file. page 7-3 Disabling Password Recovery.2. No password is defined. Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device. No password is defined. page 7-3 Protecting Enable and Enable Secret Passwords with Encryption.

is case sensitive. you can simply enter abc?123 at the password prompt. Enter ?123. use the no enable password global configuration command. Beginning in privileged EXEC mode. to create the password abc?123. do this: Enter abc. When the system prompts you to enter the enable password. To remove the password. the two commands cannot be in effect simultaneously. This example shows how to change the enable password to l1u2c3k4y5. If you configure the enable secret command. Verify your entries. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 7-3 . Enter Crtl-v. and allows spaces but ignores leading spaces. It can contain the question mark (?) character if you precede the question mark with the key combination Crtl-v when you create the password. particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server. The enable password is not encrypted and can be read in the switch configuration file. Define a new password or change an existing password for access to privileged EXEC mode. For password. By default. you can use either the enable password or enable secret global configuration commands. for example. (Optional) Save your entries in the configuration file. you can establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify. follow these steps to set or change a static enable password: Command Step 1 Step 2 Purpose Enter global configuration mode. configure terminal enable password password Step 3 Step 4 Step 5 end show running-config copy running-config startup-config Return to privileged EXEC mode. that is. you need not precede the question mark with the Ctrl-v. no password is defined. it takes precedence over the enable password command.Chapter 7 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Setting or Changing a Static Enable Password The enable password controls access to the privileged EXEC mode. Both commands accomplish the same thing. The string cannot start with a number. specify a string from 1 to 25 alphanumeric characters. The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access): Switch(config)# enable password l1u2c3k4y5 Protecting Enable and Enable Secret Passwords with Encryption To provide an additional layer of security. We recommend that you use the enable secret command because it uses an improved encryption algorithm.

see the “Configuring Multiple Privilege Levels” section on page 7-7. specify a string from 1 to 25 alphanumeric characters. Encryption prevents the password from being readable in the configuration file. you must provide an encrypted password—an encrypted password that you copy from another switch configuration. Level 1 is normal user EXEC mode privileges. only type 5. By default. follow these steps to configure encryption for enable and enable secret passwords: Command Step 1 Step 2 Purpose Enter global configuration mode. • configure terminal enable password [level level] {password | encryption-type encrypted-password} or enable secret [level level] {password | encryption-type encrypted-password} (Optional) For level.Chapter 7 Protecting Access to Privileged EXEC Commands Configuring Switch-Based Authentication Beginning in privileged EXEC mode. Use the privilege level global configuration command to specify commands accessible at various levels. If you enable password encryption. or Define a secret password. is case sensitive. You cannot recover a lost encrypted password by any method. it applies to all passwords including username passwords. no password is defined. you can not re-enter privileged EXEC mode. Step 4 Step 5 end copy running-config startup-config Return to privileged EXEC mode. use the no enable password [level level] or no enable secret [level level] global configuration command. (Optional) Save your entries in the configuration file. is available. If you specify an encryption type and then enter a clear text password. • • Note Step 3 service password-encryption (Optional) Encrypt the password when the password is defined or when the configuration is written. a Cisco proprietary encryption algorithm. The string cannot start with a number. After you specify the level and set a password. To remove a password and level. users must enter the enable secret password. To disable password encryption. and allows spaces but ignores leading spaces. and console and virtual terminal line passwords. (Optional) For encryption-type. If you specify an encryption type. give the password only to users who need to have access at this level. Use the level keyword to define a password for a specific privilege level. which is saved using a nonreversible encryption method. the privileged command password. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 7-4 OL-9639-10 . authentication key passwords. For more information. If both the enable and enable secret passwords are defined. the range is from 0 to 15. Define a new password or change an existing password for access to privileged EXEC mode. use the no service password-encryption global configuration command. The default level is 15 (privileged EXEC mode privileges). For password.

When this feature is enabled. use the service password-recovery global configuration command. we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 7-5 . see the “Recovering from a Lost or Forgotten Password” section on page 45-3. When the switch is returned to the default system configuration. This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image.text) and the VLAN database file (vlan. Note Disabling password recovery will not work if you have set the switch to boot manually by using the boot manual global configuration command.Chapter 7 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2: Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8 Disabling Password Recovery By default. We recommend that you also keep a backup copy of the VLAN database file on a secure server. follow these steps to disable password recovery: Command Step 1 Step 2 Purpose Enter global configuration mode. Disable password recovery. you can download the saved files to the switch by using the XMODEM protocol. Verify the configuration by checking the last few lines of the command output. configure terminal no service password-recovery Step 3 Step 4 end show version Return to privileged EXEC mode. For more information. the end user can interrupt the boot process only by agreeing to set the system back to the default configuration. Beginning in privileged EXEC mode. To re-enable password recovery. but it is not part of the file system and is not accessible by any user. The password-recovery disable feature protects access to the switch password by disabling part of this functionality. any end user with physical access to the switch can recover from a lost password by interrupting the boot process while the switch is powering on and then by entering a new password. Do not keep a backup copy of the configuration file on the switch.dat) are deleted. This command produces the boot loader prompt (switch:) after the switch is power cycled. you can still interrupt the boot process and change the password. With password recovery disabled. Note If you disable password recovery. but the configuration file (config.

If you did not configure this password during the setup program. Configure the number of Telnet sessions (lines). no password is defined. (Optional) Save your entries in the configuration file. The default data characteristics of the console port are 9600. Step 5 password password Enter a Telnet password for the line or lines. you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair. 1. Verify your entries. no parity. use the no password global configuration command. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. specify a string from 1 to 25 alphanumeric characters. Step 8 To remove the password. 8. For password. The 0 and 15 mean that you are configuring all 16 possible Telnet sessions. Step 6 Step 7 end show running-config copy running-config startup-config Return to privileged EXEC mode. you can configure it now through the command-line interface (CLI). The setup program also prompts you to configure your switch for Telnet access through a password. You might need to press the Return key several times to see the command-line prompt. There are 16 possible sessions on a command-capable switch. an automatic setup program runs to assign IP information and to create a default configuration for continued use. If you have defined privilege levels. and enter line configuration mode. and allows spaces but ignores leading spaces. follow these steps to configure your switch for Telnet access: Command Step 1 Purpose Attach a PC or workstation with emulation software to the switch console port. Beginning in privileged EXEC mode. This example shows how to set the Telnet password to let45me67in89: Switch(config)# line vty 10 Switch(config-line)# password let45me67in89 Configuring Username and Password Pairs You can configure username and password pairs. Enter global configuration mode. By default. The string cannot start with a number. The password is listed under the command line vty 0 15. is case sensitive. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 7-6 OL-9639-10 . Step 2 Step 3 Step 4 enable password password configure terminal line vty 0 15 Enter privileged EXEC mode. which are locally stored on the switch.Chapter 7 Protecting Access to Privileged EXEC Commands Configuring Switch-Based Authentication Setting a Telnet Password for a Terminal Line When you power-up your switch for the first time.

you can assign it level 2 security and distribute the level 2 password fairly widely. Return to privileged EXEC mode. Enter the username. You can configure up to 16 hierarchical levels of commands for each mode. page 7-9 Logging into and Exiting a Privilege Level. specify the user ID as one word. The range is 0 to 15. you can allow different sets of users to have access to specified commands. For example. (Optional) Save your entries in the configuration file. can contain embedded spaces. • • configure terminal username name [privilege level] {password encryption-type password} For name. page 7-8 Changing the Default Privilege Level for Lines. By configuring multiple passwords. For password. But if you want more restricted access to the configure command. Authentication is based on the username specified in Step 2. Level 15 gives privileged EXEC mode access. specify the privilege level the user has after gaining access. For encryption-type . Step 4 Step 5 Step 6 Step 7 login local end show running-config copy running-config startup-config Enable local password checking at login time. and configure the console port (line 0) or the VTY lines (line 0 to 15). page 7-9 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 7-7 . Spaces and quotation marks are not allowed. (Optional) For level. privilege level. you can assign it level 3 security and distribute that password to a more restricted group of users. Level 1 gives user EXEC mode access. Configuring Multiple Privilege Levels By default. Verify your entries. follow these steps to establish a username-based authentication system that requests a login username and a password: Command Step 1 Step 2 Purpose Enter global configuration mode. To disable password checking and allow connections without a password. The password must be from 1 to 25 characters. the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. To disable username authentication for a specific user. and must be the last option specified in the username command. • • Step 3 line console 0 or line vty 0 15 Enter line configuration mode.Chapter 7 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Beginning in privileged EXEC mode. use the no username name global configuration command. and password for each user. use the no login line configuration command. enter 0 to specify that an unencrypted password will follow. specify the password the user must enter to gain access to the switch. if you want many users to have access to the clear line command. Enter 7 to specify that a hidden password will follow. These sections contain this configuration information: • • • Setting the Privilege Level for a Command.

exec for EXEC mode. use the no privilege mode level level command global configuration command. Verify your entries. Level 1 is for normal user EXEC mode privileges. Level 1 is for normal user EXEC mode privileges. For level. For password. is case sensitive. specify the command to which you want to restrict access. (Optional) Save your entries in the configuration file. and allows spaces but ignores leading spaces. By default. follow these steps to set the privilege level for a command mode: Command Step 1 Step 2 Purpose Enter global configuration mode. if you set the show ip traffic command to level 15. Level 15 is the level of access permitted by the enable password.Chapter 7 Protecting Access to Privileged EXEC Commands Configuring Switch-Based Authentication Setting the Privilege Level for a Command Beginning in privileged EXEC mode. • configure terminal privilege mode level level command For mode. For command. Set the privilege level for a command. or line for line configuration mode. To return to the default privilege for a given command. all commands whose syntax is a subset of that command are also set to that level. specify a string from 1 to 25 alphanumeric characters. the range is from 0 to 15. the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels. no password is defined. the range is from 0 to 15. • • Step 3 enable password level level password Specify the enable password for the privilege level. The second command shows the privilege level configuration. • • Step 4 Step 5 end show running-config or show privilege Return to privileged EXEC mode. The first command shows the password and access level configuration. enter configure for global configuration mode. Step 6 copy running-config startup-config When you set a command to a privilege level. For example. interface for interface configuration mode. For level. The string cannot start with a number. This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands: Switch(config)# privilege exec level 14 configure Switch(config)# enable password level 14 SecretPswd14 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 7-8 OL-9639-10 .

Logging into and Exiting a Privilege Level Beginning in privileged EXEC mode. Level 15 is the level of access permitted by the enable password. To return to the default line privilege level. they can use that password to enable the higher privilege level. Step 6 copy running-config startup-config Users can override the privilege level you set using the privilege level line configuration command by logging in to the line and enabling a different privilege level. use the no privilege level line configuration command. For level. the range is 0 to 15. The second command shows the privilege level configuration. follow these steps to log in to a specified privilege level and to exit to a specified privilege level: Command Step 1 Purpose Log in to a specified privilege level. enable level disable level Step 2 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 7-9 . Change the default privilege level for the line. If users know the password to a higher privilege level. You might specify a high level or privilege level for your console line to restrict line usage. follow these steps to change the default privilege level for a line: Command Step 1 Step 2 Step 3 Purpose Enter global configuration mode. Level 1 is for normal user EXEC mode privileges. Exit to a specified privilege level. Select the virtual terminal line on which to restrict access. For level. the range is 0 to 15. For level. The first command shows the password and access level configuration.Chapter 7 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands Changing the Default Privilege Level for Lines Beginning in privileged EXEC mode. Verify your entries. the range is from 0 to 15. They can lower the privilege level by using the disable command. configure terminal line vty line privilege level level Step 4 Step 5 end show running-config or show privilege Return to privileged EXEC mode. (Optional) Save your entries in the configuration file.

authorization. authorization. Your switch can be a network access server along with other Cisco routers and access servers. page 7-10 TACACS+ Operation. see the Cisco IOS Security Command Reference. A network access server provides connections to a single user.Chapter 7 Controlling Switch Access with TACACS+ Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ This section describes how to enable and configure Terminal Access Controller Access Control System Plus (TACACS+). which provides detailed accounting information and flexible administrative control over authentication and authorization processes. authorization. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service—authentication. and accounting facilities. page 7-12 Displaying the TACACS+ Configuration. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 7-10 OL-9639-10 . and to interconnected networks as shown in Figure 7-1. You should have access to and should configure a TACACS+ server before the configuring TACACS+ features on your switch. page 7-17 Understanding TACACS+ TACACS+ is a security application that provides centralized validation of users attempting to gain access to your switch. Release 12. Each service can be tied into its own database to take advantage of other services available on that server or on the network. and accounting—independently.2. accounting (AAA) and can be enabled only through AAA commands. The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. depending on the capabilities of the daemon. Note For complete syntax and usage information for the commands used in this section. to a network or subnetwork. TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX or Windows NT workstation. TACACS+ provides for separate and modular authentication. TACACS+ is facilitated through authentication. These sections contain this configuration information: • • • • Understanding TACACS+. page 7-12 Configuring TACACS+.

to challenge a user with several questions. session duration. Enable AAA. number of packets. a message could notify users that their passwords must be changed because of the company’s password aging policy. You can also enforce restrictions on what commands a user can execute with the TACACS+ authorization feature. Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing. You need a system running the TACACS+ daemon software to use TACACS+ on your switch. and it ensures confidentiality because all protocol exchanges between the switch and the TACACS+ daemon are encrypted. Create a login authentication method list. The TACACS+ authentication service can also send messages to user screens.7 UNIX workstation (TACACS+ server 2) 171.20. mother’s maiden name. and social security number). TACACS+. and reporting to the TACACS+ daemon. administered through the AAA security services. • The TACACS+ protocol provides authentication between the switch and the TACACS+ daemon.Chapter 7 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Figure 7-1 Typical TACACS+ Network Configuration UNIX workstation (TACACS+ server 1) Catalyst 6500 series switch 171. Apply the list to the terminal lines. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 101230 7-11 . access control. after a username and password are provided. or protocol support. auditing. such as home address. and number of bytes. For example. Accounting—Collects and sends information used for billing. and messaging support. • Authorization—Provides fine-grained control over user capabilities for the duration of the user’s session. Set an authentication key (also configure the same key on the TACACS+ servers).10. including but not limited to setting autocommands.10. executed commands (such as PPP). can provide these services: • Authentication—Provides complete control of authentication through login and password dialog.8 Workstations Configure the switches with the TACACS+ server addresses. service type. Accounting records include user identities. The authentication facility can conduct a dialog with the user (for example.20. start and stop times. Create an authorization and accounting Workstations method list as required. challenge and response.

Chapter 7 Controlling Switch Access with TACACS+

Configuring Switch-Based Authentication

TACACS+ Operation
When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:
1.

When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user. The user enters a username, and the switch then contacts the TACACS+ daemon to obtain a password prompt. The switch displays the password prompt to the user, the user enters a password, and the password is then sent to the TACACS+ daemon. TACACS+ allows a dialog between the daemon and the user until the daemon receives enough information to authenticate the user. The daemon prompts for a username and password combination, but can include other items, such as the user’s mother’s maiden name.

2.

The switch eventually receives one of these responses from the TACACS+ daemon:
• • •

ACCEPT—The user is authenticated and service can begin. If the switch is configured to require authorization, authorization begins at this time. REJECT—The user is not authenticated. The user can be denied access or is prompted to retry the login sequence, depending on the TACACS+ daemon. ERROR—An error occurred at some time during authentication with the daemon or in the network connection between the daemon and the switch. If an ERROR response is received, the switch typically tries to use an alternative method for authenticating the user. CONTINUE—The user is prompted for additional authentication information.

After authentication, the user undergoes an additional authorization phase if authorization has been enabled on the switch. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization.
3.

If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response contains data in the form of attributes that direct the EXEC or NETWORK session for that user and the services that the user can access:
• •

Telnet, Secure Shell (SSH), rlogin, or privileged EXEC services Connection parameters, including the host or client IP address, access list, and user timeouts

Configuring TACACS+
This section describes how to configure your switch to support TACACS+. At a minimum, you must identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+ authentication. You can optionally define method lists for TACACS+ authorization and accounting. A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring a backup system if the initial method fails. The software uses the first method listed to authenticate, to authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted. The aaa authorization console global configuration command that allows you to enable AAA and TACACS+ to work on the console port. For information about the command, see this URL: http://www.cisco.com/en/US/docs/ios/12_1/security/command/reference/srdauth.html

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

7-12

OL-9639-10

Chapter 7

Configuring Switch-Based Authentication Controlling Switch Access with TACACS+

These sections contain this configuration information:
• • • • •

Default TACACS+ Configuration, page 7-13 Identifying the TACACS+ Server Host and Setting the Authentication Key, page 7-13 Configuring TACACS+ Login Authentication, page 7-14 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 7-16 Starting TACACS+ Accounting, page 7-17

Default TACACS+ Configuration
TACACS+ and AAA are disabled by default. To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When enabled, TACACS+ can authenticate users accessing the switch through the CLI.

Note

Although TACACS+ configuration is performed through the CLI, the TACACS+ server authenticates HTTP connections that have been configured with a privilege level of 15.

Identifying the TACACS+ Server Host and Setting the Authentication Key
You can configure the switch to use a single server or AAA server groups to group existing server hosts for authentication. You can group servers to select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list and contains the list of IP addresses of the selected server hosts. Beginning in privileged EXEC mode, follow these steps to identify the IP host or host maintaining TACACS+ server and optionally set the encryption key: Command
Step 1 Step 2

Purpose Enter global configuration mode. Identify the IP host or hosts maintaining a TACACS+ server. Enter this command multiple times to create a list of preferred hosts. The software searches for hosts in the order in which you specify them.
• • •

configure terminal tacacs-server host hostname [port integer] [timeout integer] [key string]

For hostname, specify the name or IP address of the host. (Optional) For port integer, specify a server port number. The default is port 49. The range is 1 to 65535. (Optional) For timeout integer, specify a time in seconds the switch waits for a response from the daemon before it times out and declares an error. The default is 5 seconds. The range is 1 to 1000 seconds. (Optional) For key string, specify the encryption key for encrypting and decrypting all traffic between the switch and the TACACS+ daemon. You must configure the same key on the TACACS+ daemon for encryption to be successful.

Step 3

aaa new-model

Enable AAA.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

7-13

Chapter 7 Controlling Switch Access with TACACS+

Configuring Switch-Based Authentication

Command
Step 4

Purpose (Optional) Define the AAA server-group with a group name. This command puts the switch in a server group subconfiguration mode. (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group. Each server in the group must be previously defined in Step 2. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.

aaa group server tacacs+ group-name server ip-address

Step 5

Step 6 Step 7 Step 8

end show tacacs copy running-config startup-config

To remove the specified TACACS+ server name or address, use the no tacacs-server host hostname global configuration command. To remove a server group from the configuration list, use the no aaa group server tacacs+ group-name global configuration command. To remove the IP address of a TACACS+ server, use the no server ip-address server group subconfiguration command.

Configuring TACACS+ Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply that list to various ports. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific port before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all ports except those that have a named method list explicitly defined. A defined method list overrides the default method list.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

7-14

OL-9639-10

Chapter 7

Configuring Switch-Based Authentication Controlling Switch Access with TACACS+

A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted. Beginning in privileged EXEC mode, follow these steps to configure login authentication: Command
Step 1 Step 2 Step 3

Purpose Enter global configuration mode. Enable AAA. Create a login authentication method list.

configure terminal aaa new-model aaa authentication login {default | list-name} method1 [method2...]

To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports. For list-name, specify a character string to name the list you are creating. For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails. enable—Use the enable password for authentication. Before you can use this authentication method, you must define an enable password by using the enable password global configuration command. group tacacs+—Uses TACACS+ authentication. Before you can use this authentication method, you must configure the TACACS+ server. For more information, see the “Identifying the TACACS+ Server Host and Setting the Authentication Key” section on page 7-13. line—Use the line password for authentication. Before you can use this authentication method, you must define a line password. Use the password password line configuration command. local—Use the local username database for authentication. You must enter username information in the database. Use the username password global configuration command. local-case—Use a case-sensitive local username database for authentication. You must enter username information in the database by using the username name password global configuration command. none—Do not use any authentication for login.

• •

Select one of these methods:

• Step 4

line [console | tty | vty] line-number [ending-line-number]

Enter line configuration mode, and configure the lines to which you want to apply the authentication list.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

7-15

Chapter 7 Controlling Switch Access with TACACS+

Configuring Switch-Based Authentication

Command
Step 5

Purpose Apply the authentication list to a line or set of lines.
• •

login authentication {default | list-name}

If you specify default, use the default list created with the aaa authentication login command. For list-name, specify the list created with the aaa authentication login command.

Step 6 Step 7 Step 8

end show running-config copy running-config startup-config

Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.

To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.

Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch uses information retrieved from the user’s profile, which is located either in the local user database or on the security server, to configure the user’s session. The user is granted access to a requested service only if the information in the user profile allows it. You can use the aaa authorization global configuration command with the tacacs+ keyword to set parameters that restrict a user’s network access to privileged EXEC mode. The aaa authorization exec tacacs+ local command sets these authorization parameters:
• •

Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+. Use the local database if authentication was not performed by using TACACS+.

Note

Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured. Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for privileged EXEC access and network services:

Command
Step 1 Step 2 Step 3

Purpose Enter global configuration mode. Configure the switch for user TACACS+ authorization for all network-related service requests. Configure the switch for user TACACS+ authorization if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information).

configure terminal aaa authorization network tacacs+ aaa authorization exec tacacs+

Step 4

end

Return to privileged EXEC mode.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

7-16

OL-9639-10

Chapter 7

Configuring Switch-Based Authentication Controlling Switch Access with TACACS+

Command
Step 5 Step 6

Purpose Verify your entries. (Optional) Save your entries in the configuration file.

show running-config copy running-config startup-config

To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.

Starting TACACS+ Accounting
The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services: Command
Step 1 Step 2 Step 3 Step 4 Step 5 Step 6

Purpose Enter global configuration mode. Enable TACACS+ accounting for all network-related service requests. Enable TACACS+ accounting to send a start-record accounting notice at the beginning of a privileged EXEC process and a stop-record at the end. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.

configure terminal aaa accounting network start-stop tacacs+ aaa accounting exec start-stop tacacs+ end show running-config copy running-config startup-config

To disable accounting, use the no aaa accounting {network | exec} {start-stop} method1... global configuration command.

Establishing a Session with a Router if the AAA Server is Unreachable
The aaa accounting system guarantee-first command guarantees system accounting as the first record, which is the default condition. In some situations, users might be prevented from starting a session on the console or terminal connection until after the system reloads, which can take more than 3 minutes. To establish a console or Telnet session with the router if the AAA server is unreachable when the router reloads, use the no aaa accounting system guarantee-first command.

Displaying the TACACS+ Configuration
To display TACACS+ server statistics, use the show tacacs privileged EXEC command.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

7-17

Chapter 7 Controlling Switch Access with RADIUS

Configuring Switch-Based Authentication

Controlling Switch Access with RADIUS
This section describes how to enable and configure the RADIUS, which provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands.

Note

For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2. These sections contain this configuration information:
• • • •

Understanding RADIUS, page 7-18 RADIUS Operation, page 7-19 Configuring RADIUS, page 7-20 Displaying the RADIUS Configuration, page 7-31

Understanding RADIUS
RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco routers and switches. Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information. The RADIUS host is normally a multiuser system running RADIUS server software from Cisco (Cisco Secure Access Control Server Version 3.0), Livingston, Merit, Microsoft, or another software provider. For more information, see the RADIUS server documentation. Use RADIUS in these network environments that require access security:

Networks with multiple-vendor access servers, each supporting RADIUS. For example, access servers from several vendors use a single RADIUS server-based security database. In an IP-based network with multiple vendors’ access servers, dial-in users are authenticated through a RADIUS server that has been customized to work with the Kerberos security system. Turnkey network security environments in which applications support the RADIUS protocol, such as in an access environment that uses a smart card access control system. In one case, RADIUS has been used with Enigma’s security cards to validates users and to grant access to network resources. Networks already using RADIUS. You can add a Cisco switch containing a RADIUS client to the network. This might be the first step when you make a transition to a TACACS+ server. See Figure 7-2 on page 7-19. Network in which the user must only access a single service. Using RADIUS, you can control user access to a single host, to a single utility such as Telnet, or to the network through a protocol such as IEEE 802.1x. For more information about this protocol, see Chapter 8, “Configuring IEEE 802.1x Port-Based Authentication.” Networks that require resource accounting. You can use RADIUS accounting independently of RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent at the start and end of services, showing the amount of resources (such as time, packets, bytes, and so forth) used during the session. An Internet service provider might use a freeware-based version of RADIUS access control and accounting software to meet special security and billing needs.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

7-18

OL-9639-10

Chapter 7

Configuring Switch-Based Authentication Controlling Switch Access with RADIUS

RADIUS is not suitable in these network security situations:

Multiprotocol access environments. RADIUS does not support AppleTalk Remote Access (ARA), NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services Interface (NASI), or X.25 PAD connections. Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication. Networks using a variety of services. RADIUS generally binds a user to one service model.
Transitioning from RADIUS to TACACS+ Services

Figure 7-2

R1

RADIUS server RADIUS server TACACS+ server TACACS+ server

R2

T1

Remote PC

T2

Workstation

RADIUS Operation
When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:
1. 2. 3.

The user is prompted to enter a username and password. The username and encrypted password are sent over the network to the RADIUS server. The user receives one of these responses from the RADIUS server:
a. ACCEPT—The user is authenticated. b. REJECT—The user is either not authenticated and is prompted to re-enter the username and

password, or access is denied.
c. CHALLENGE—A challenge requires additional data from the user. d. CHALLENGE PASSWORD—A response requests the user to select a new password.

The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or network authorization. Users must first successfully complete RADIUS authentication before proceeding to RADIUS authorization, if it is enabled. The additional data included with the ACCEPT or REJECT packets includes these items:
• •

Telnet, SSH, rlogin, or privileged EXEC services Connection parameters, including the host or client IP address, access list, and user timeouts

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

86891

7-19

Chapter 7 Controlling Switch Access with RADIUS

Configuring Switch-Based Authentication

Configuring RADIUS
This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting. A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user. You can use method lists to designate one or more security protocols to be used (such as TACACS+ or local username lookup), thus ensuring a backup system if the initial method fails. The software uses the first method listed to authenticate, to authorize, or to keep accounts on users; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted. You should have access to and should configure a RADIUS server before configuring RADIUS features on your switch. These sections contain this configuration information:
• • • • • • • • • •

Default RADIUS Configuration, page 7-20 Identifying the RADIUS Server Host, page 7-20 (required) Configuring RADIUS Login Authentication, page 7-23 (required) Defining AAA Server Groups, page 7-25 (optional) Configuring RADIUS Authorization for User Privileged Access and Network Services, page 7-27 (optional) Starting RADIUS Accounting, page 7-28 (optional) Configuring Settings for All RADIUS Servers, page 7-29 (optional) Configuring the Switch to Use Vendor-Specific RADIUS Attributes, page 7-29 (optional) Configuring the Switch for Vendor-Proprietary RADIUS Server Communication, page 7-30 (optional) Configuring RADIUS Server Load Balancing, page 7-31 (optional)

Default RADIUS Configuration
RADIUS and AAA are disabled by default. To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users accessing the switch through the CLI.

Identifying the RADIUS Server Host
Switch-to-RADIUS-server communication involves several components:
• • • • • •

Hostname or IP address Authentication destination port Accounting destination port Key string Timeout period Retransmission value

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

7-20

OL-9639-10

Chapter 7

Configuring Switch-Based Authentication Controlling Switch Access with RADIUS

You identify RADIUS security servers by their hostname or IP address, hostname and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as a fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the switch tries the second host entry configured on the same device for accounting services. (The RADIUS host entries are tried in the order that they are configured.) A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange responses. To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text (key) string that it shares with the switch. The timeout, retransmission, and encryption key values can be configured globally for all RADIUS servers, on a per-server basis, or in some combination of global and per-server settings. To apply these settings globally to all RADIUS servers communicating with the switch, use the three unique global configuration commands: radius-server timeout, radius-server retransmit, and radius-server key. To apply these values on a specific RADIUS server, use the radius-server host global configuration command. You can configure the switch to use AAA server groups to group existing server hosts for authentication. For more information, see the “Defining AAA Server Groups” section on page 7-25. Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required. Command
Step 1 Step 2

Purpose Enter global configuration mode. Enable AAA authentication.

configure terminal aaa new-model

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

7-21

Chapter 7 Controlling Switch Access with RADIUS

Configuring Switch-Based Authentication

Command
Step 3

Purpose Specify the IP address or hostname of the remote RADIUS server host.
• • •

radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]

(Optional) For auth-port port-number, specify the UDP destination port for authentication requests. (Optional) For acct-port port-number, specify the UDP destination port for accounting requests. (Optional) For timeout seconds, specify the time interval that the switch waits for the RADIUS server to reply before resending. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used. (Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used. (Optional) For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.

Note

To configure the switch to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different. The switch software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host.
Step 4 Step 5 Step 6

end show running-config copy running-config startup-config

Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.

To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:
Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1 Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2

This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting:
Switch(config)# radius-server host host1

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

7-22

OL-9639-10

Chapter 7

Configuring Switch-Based Authentication Controlling Switch Access with RADIUS

Note

You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.

Configuring RADIUS Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply that list to various ports. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific port before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all ports except those that have a named method list explicitly defined. A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted. Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required. Command
Step 1 Step 2

Purpose Enter global configuration mode. Enable AAA.

configure terminal aaa new-model

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

7-23

Chapter 7 Controlling Switch Access with RADIUS

Configuring Switch-Based Authentication

Command
Step 3

Purpose Create a login authentication method list.

aaa authentication login {default | list-name} method1 [method2...]

To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports. For list-name, specify a character string to name the list you are creating. For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails. Select one of these methods:
– enable—Use the enable password for authentication. Before you

• •

can use this authentication method, you must define an enable password by using the enable password global configuration command.
– group radius—Use RADIUS authentication. Before you can use

this authentication method, you must configure the RADIUS server. For more information, see the “Identifying the RADIUS Server Host” section on page 7-20.
– line—Use the line password for authentication. Before you can

use this authentication method, you must define a line password. Use the password password line configuration command.
– local—Use the local username database for authentication. You

must enter username information in the database. Use the username name password global configuration command.
– local-case—Use a case-sensitive local username database for

authentication. You must enter username information in the database by using the username password global configuration command.
– none—Do not use any authentication for login. Step 4

line [console | tty | vty] line-number [ending-line-number]

Enter line configuration mode, and configure the lines to which you want to apply the authentication list.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

7-24

OL-9639-10

Chapter 7

Configuring Switch-Based Authentication Controlling Switch Access with RADIUS

Command
Step 5

Purpose Apply the authentication list to a line or set of lines.
• •

login authentication {default | list-name}

If you specify default, use the default list created with the aaa authentication login command. For list-name, specify the list created with the aaa authentication login command.

Step 6 Step 7 Step 8

end show running-config copy running-config startup-config

Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.

To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.

Defining AAA Server Groups
You can configure the switch to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts. Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. If you configure two different host entries on the same RADIUS server for the same service, (for example, accounting), the second configured host entry acts as a fail-over backup to the first one. You use the server group server configuration command to associate a particular server with a defined group server. You can either identify the server by its IP address or identify multiple host instances or entries by using the optional auth-port and acct-port keywords.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

7-25

Chapter 7 Controlling Switch Access with RADIUS

Configuring Switch-Based Authentication

Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it: Command
Step 1 Step 2

Purpose Enter global configuration mode. Specify the IP address or hostname of the remote RADIUS server host.
• • •

configure terminal radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]

(Optional) For auth-port port-number, specify the UDP destination port for authentication requests. (Optional) For acct-port port-number, specify the UDP destination port for accounting requests. (Optional) For timeout seconds, specify the time interval that the switch waits for the RADIUS server to reply before resending. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used. (Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used. (Optional) For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.

Note

To configure the switch to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different. The switch software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host.
Step 3 Step 4

aaa new-model aaa group server radius group-name server ip-address

Enable AAA. Define the AAA server-group with a group name. This command puts the switch in a server group configuration mode. Associate a particular RADIUS server with the defined server group. Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2. Return to privileged EXEC mode. Verify your entries.

Step 5

Step 6 Step 7

end show running-config

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

7-26

OL-9639-10

Chapter 7

Configuring Switch-Based Authentication Controlling Switch Access with RADIUS

Command
Step 8 Step 9

Purpose (Optional) Save your entries in the configuration file. Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 7-23. To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. To remove the IP address of a RADIUS server, use the no server ip-address server group configuration command. In this example, the switch is configured to recognize two different RADIUS group servers (group1 and group2). Group1 has two different host entries on the same RADIUS server configured for the same services. The second host entry acts as a fail-over backup to the first entry.
Switch(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 Switch(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 Switch(config)# aaa new-model Switch(config)# aaa group server radius group1 Switch(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001 Switch(config-sg-radius)# exit Switch(config)# aaa group server radius group2 Switch(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001 Switch(config-sg-radius)# exit

copy running-config startup-config

Configuring RADIUS Authorization for User Privileged Access and Network Services
AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch uses information retrieved from the user’s profile, which is in the local user database or on the security server, to configure the user’s session. The user is granted access to a requested service only if the information in the user profile allows it. You can use the aaa authorization global configuration command with the radius keyword to set parameters that restrict a user’s network access to privileged EXEC mode. The aaa authorization exec radius local command sets these authorization parameters:
• •

Use RADIUS for privileged EXEC access authorization if authentication was performed by using RADIUS. Use the local database if authentication was not performed by using RADIUS.

Note

Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured. Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:

Command
Step 1 Step 2

Purpose Enter global configuration mode. Configure the switch for user RADIUS authorization for all network-related service requests.

configure terminal aaa authorization network radius

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

7-27

Chapter 7 Controlling Switch Access with RADIUS

Configuring Switch-Based Authentication

Command
Step 3

Purpose Configure the switch for user RADIUS authorization if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information).

aaa authorization exec radius

Step 4 Step 5 Step 6

end show running-config copy running-config startup-config

Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.

To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.

Starting RADIUS Accounting
The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing. Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services: Command
Step 1 Step 2 Step 3 Step 4 Step 5 Step 6

Purpose Enter global configuration mode. Enable RADIUS accounting for all network-related service requests. Enable RADIUS accounting to send a start-record accounting notice at the beginning of a privileged EXEC process and a stop-record at the end. Return to privileged EXEC mode. Verify your entries. (Optional) Save your entries in the configuration file.

configure terminal aaa accounting network start-stop radius aaa accounting exec start-stop radius end show running-config copy running-config startup-config

To disable accounting, use the no aaa accounting {network | exec} {start-stop} method1... global configuration command.

Establishing a Session with a Router if the AAA Server is Unreachable
The aaa accounting system guarantee-first command guarantees system accounting as the first record, which is the default condition. In some situations, users might be prevented from starting a session on the console or terminal connection until after the system reloads, which can take more than 3 minutes. To establish a console or Telnet session with the router if the AAA server is unreachable when the router reloads, use the no aaa accounting system guarantee-first command.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

7-28

OL-9639-10

Chapter 7

Configuring Switch-Based Authentication Controlling Switch Access with RADIUS

Configuring Settings for All RADIUS Servers
Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers: Command
Step 1 Step 2

Purpose Enter global configuration mode. Specify the shared secret text string used between the switch and all RADIUS servers.
Note

configure terminal radius-server key string

The key is a text string that must match the encryption key used on the RADIUS server. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.

Step 3 Step 4

radius-server retransmit retries radius-server timeout seconds

Specify the number of times the switch sends each RADIUS request to the server before giving up. The default is 3; the range 1 to 1000. Specify the number of seconds a switch waits for a reply to a RADIUS request before resending the request. The default is 5 seconds; the range is 1 to 1000. Specify the number of minutes a RADIUS server, which is not responding to authentication requests, to be skipped, thus avoiding the wait for the request to timeout before trying the next configured server. The default is 0; the range is 1 to 1440 minutes. Return to privileged EXEC mode. Verify your settings. (Optional) Save your entries in the configuration file.

Step 5

radius-server deadtime minutes

Step 6 Step 7 Step 8

end show running-config copy running-config startup-config

To return to the default setting for the retransmit, timeout, and deadtime, use the no forms of these commands.

Configuring the Switch to Use Vendor-Specific RADIUS Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the switch and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the specification. Cisco’s vendor-ID is 9, and the supported option has vendor-type 1, which is named cisco-avpair. The value is a string with this format:
protocol : attribute sep value *

Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes. The full set of features available for TACACS+ authorization can then be used for RADIUS. For example, this AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP IPCP address assignment):
cisco-avpair= ”ip:addr-pool=first“

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

7-29

Chapter 7 Controlling Switch Access with RADIUS

Configuring Switch-Based Authentication

This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:
cisco-avpair= ”shell:priv-lvl=15“

This example shows how to specify an authorized VLAN in the RADIUS server database:
cisco-avpair= ”tunnel-type(#64)=VLAN(13)” cisco-avpair= ”tunnel-medium-type(#65)=802 media(6)” cisco-avpair= ”tunnel-private-group-ID(#81)=vlanid”

This example shows how to apply an input ACL in ASCII format to an interface for the duration of this connection:
cisco-avpair= “ip:inacl#1=deny ip 10.10.10.10 0.0.255.255 20.20.20.20 255.255.0.0” cisco-avpair= “ip:inacl#2=deny ip 10.10.10.10 0.0.255.255 any” cisco-avpair= “mac:inacl#3=deny any any decnet-iv”

This example shows how to apply an output ACL in ASCII format to an interface for the duration of this connection:
cisco-avpair= “ip:outacl#2=deny ip 10.10.10.10 0.0.255.255 any”

Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information about vendor-IDs and VSAs, see RFC 2138, “Remote Authentication Dial-In User Service (RADIUS).” Beginning in privileged EXEC mode, follow these steps to configure the switch to recognize and use VSAs: Command
Step 1 Step 2

Purpose Enter global configuration mode. Enable the switch to recognize and use VSAs as defined by RADIUS IETF attribute 26.
• •

configure terminal radius-server vsa send [accounting | authentication]

(Optional) Use the accounting keyword to limit the set of recognized vendor-specific attributes to only accounting attributes. (Optional) Use the authentication keyword to limit the set of recognized vendor-specific attributes to only authentication attributes.

If you enter this command without keywords, both accounting and authentication vendor-specific attributes are used.
Step 3 Step 4 Step 5

end show running-config copy running-config startup-config

Return to privileged EXEC mode. Verify your settings. (Optional) Save your entries in the configuration file.

For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, see the “RADIUS Attributes” appendix in the Cisco IOS Security Configuration Guide, Release 12.2.

Configuring the Switch for Vendor-Proprietary RADIUS Server Communication
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

7-30

OL-9639-10

Chapter 7

Configuring Switch-Based Authentication Controlling Switch Access with RADIUS

As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with the switch. You specify the RADIUS host and secret text string by using the radius-server global configuration commands. Beginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server host and a shared secret text string: Command
Step 1 Step 2

Purpose Enter global configuration mode. Specify the IP address or hostname of the remote RADIUS server host and identify that it is using a vendor-proprietary implementation of RADIUS. Specify the shared secret text string used between the switch and the vendor-proprietary RADIUS server. The switch and the RADIUS server use this text string to encrypt passwords and exchange responses.
Note

configure terminal radius-server host {hostname | ip-address} non-standard

Step 3

radius-server key string

The key is a text string that must match the encryption key used on the RADIUS server. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.

Step 4 Step 5 Step 6

end show running-config copy running-config startup-config

Return to privileged EXEC mode. Verify your settings. (Optional) Save your entries in the configuration file.

To delete the vendor-proprietary RADIUS host, use the no radius-server host {hostname | ip-address} non-standard global configuration command. To disable the key, use the no radius-server key global configuration command. This example shows how to specify a vendor-proprietary RADIUS host and to use a secret key of rad124 between the switch and the server:
Switch(config)# radius-server host 172.20.30.15 nonstandard Switch(config)# radius-server key rad124

Configuring RADIUS Server Load Balancing
This feature allows access and authentication requests to be evenly across all RADIUS servers in a server group. For more information, see the “RADIUS Server Load Balancing” chapter of the “Cisco IOS Security Configuration Guide”, Release 12.2: http://www.ciscosystems.com/en/US/docs/ios/12_2sb/feature/guide/sbrdldbl.html

Displaying the RADIUS Configuration
To display the RADIUS configuration, use the show running-config privileged EXEC command.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

7-31

Chapter 7 Controlling Switch Access with Kerberos

Configuring Switch-Based Authentication

Controlling Switch Access with Kerberos
This section describes how to enable and configure the Kerberos security system, which authenticates requests for network resources by using a trusted third party. To use this feature, the cryptographic (that is, supports encryption) version of the switch software must be installed on your switch. You must obtain authorization to use this feature and to download the cryptographic software files from Cisco.com. For more information, see the release notes for this release. These sections contain this information:
• • •

Understanding Kerberos, page 7-32 Kerberos Operation, page 7-34 Configuring Kerberos, page 7-35

For Kerberos configuration examples, see the “Kerberos Configuration Examples” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html For complete syntax and usage information for the commands used in this section, see the “Kerberos Commands” section in the “Security Server Protocols” chapter of the Cisco IOS Security Command Reference, Release 12.2, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html

Note

In the Kerberos configuration examples and in the Cisco IOS Security Command Reference, Release 12.2, the trusted third party can be a Cisco ME switch that supports Kerberos, that is configured as a network security server, and that can authenticate users by using the Kerberos protocol.

Understanding Kerberos
Kerberos is a secret-key network authentication protocol, which was developed at the Massachusetts Institute of Technology (MIT). It uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication and authenticates requests for network resources. Kerberos uses the concept of a trusted third party to perform secure verification of users and services. This trusted third party is called the key distribution center (KDC). Kerberos verifies that users are who they claim to be and the network services that they use are what the services claim to be. To do this, a KDC or trusted Kerberos server issues tickets to users. These tickets, which have a limited lifespan, are stored in user credential caches. The Kerberos server uses the tickets instead of usernames and passwords to authenticate users and network services.

Note

A Kerberos server can be a Cisco ME switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol. The Kerberos credential scheme uses a process called single logon. This process authenticates a user once and then allows secure authentication (without encrypting another password) wherever that user credential is accepted. This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs).

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

7-32

OL-9639-10

Chapter 7

Configuring Switch-Based Authentication Controlling Switch Access with Kerberos

In this software release, Kerberos supports these network services:
• • •

Telnet rlogin rsh (Remote Shell Protocol)

Table 7-2 lists the common Kerberos-related terms and definitions:
Table 7-2 Kerberos Terms

Term Authentication

Definition A process by which a user or service identifies itself to another service. For example, a client can authenticate to a switch or a switch can authenticate to another switch. A means by which the switch identifies what privileges the user has in a network or on the switch and what actions the user can perform. A general term that refers to authentication tickets, such as TGTs1 and service credentials. Kerberos credentials verify the identity of a user or service. If a network service decides to trust the Kerberos server that issued a ticket, it can be used in place of re-entering a username and password. Credentials have a default lifespan of eight hours. An authorization level label for Kerberos principals. Most Kerberos principals are of the form user@REALM (for example, smith@EXAMPLE.COM). A Kerberos principal with a Kerberos instance has the form user/instance@REALM (for example, smith/admin@EXAMPLE.COM). The Kerberos instance can be used to specify the authorization level for the user if authentication is successful. The server of each network service might implement and enforce the authorization mappings of Kerberos instances but is not required to do so.
Note

Authorization Credential

Instance

The Kerberos principal and instance names must be in all lowercase characters. The Kerberos realm name must be in all uppercase characters.

Note

KDC2 Kerberized Kerberos realm

Key distribution center that consists of a Kerberos server and database program that is running on a network host. A term that describes applications and services that have been modified to support the Kerberos credential infrastructure. A domain consisting of users, hosts, and network services that are registered to a Kerberos server. The Kerberos server is trusted to verify the identity of a user or network service to another user or network service.
Note

The Kerberos realm name must be in all uppercase characters.

Kerberos server

A daemon that is running on a network host. Users and network services register their identity with the Kerberos server. Network services query the Kerberos server to authenticate to other network services.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

7-33

Chapter 7 Controlling Switch Access with Kerberos

Configuring Switch-Based Authentication

Table 7-2

Kerberos Terms (continued)

Term KEYTAB
3

Definition A password that a network service shares with the KDC. In Kerberos 5 and later Kerberos versions, the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it. In Kerberos versions earlier than Kerberos 5, KEYTAB is referred to as SRVTAB4. Also known as a Kerberos identity, this is who you are or what a service is according to the Kerberos server.
Note

Principal

The Kerberos principal name must be in all lowercase characters.

Service credential

A credential for a network service. When issued from the KDC, this credential is encrypted with the password shared by the network service and the KDC. The password is also shared with the user TGT. A password that a network service shares with the KDC. In Kerberos 5 or later Kerberos versions, SRVTAB is referred to as KEYTAB. Ticket granting ticket that is a credential that the KDC issues to authenticated users. When users receive a TGT, they can authenticate to network services within the Kerberos realm represented by the KDC.

SRVTAB TGT

1. TGT = ticket granting ticket 2. KDC = key distribution center 3. KEYTAB = key table 4. SRVTAB = server table

Kerberos Operation
A Kerberos server can be a Cisco ME switch that is configured as a network security server and that can authenticate remote users by using the Kerberos protocol. Although you can customize Kerberos in a number of ways, remote users attempting to access network services must pass through three layers of security before they can access network services. To authenticate to network services by using a Cisco ME switch as a Kerberos server, remote users must follow these steps:
1. 2. 3.

Authenticating to a Boundary Switch, page 7-34 Obtaining a TGT from a KDC, page 7-35 Authenticating to Network Services, page 7-35

Authenticating to a Boundary Switch
This section describes the first layer of security through which a remote user must pass. The user must first authenticate to the boundary switch. This process then occurs:
1. 2. 3. 4.

The user opens an un-Kerberized Telnet connection to the boundary switch. The switch prompts the user for a username and password. The switch requests a TGT from the KDC for this user. The KDC sends an encrypted TGT that includes the user identity to the switch.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

7-34

OL-9639-10

Chapter 7

Configuring Switch-Based Authentication Controlling Switch Access with Kerberos

5.

The switch attempts to decrypt the TGT by using the password that the user entered.
• •

If the decryption is successful, the user is authenticated to the switch. If the decryption is not successful, the user repeats Step 2 either by re-entering the username and password (noting if Caps Lock or Num Lock is on or off) or by entering a different username and password.

A remote user who initiates a un-Kerberized Telnet session and authenticates to a boundary switch is inside the firewall, but the user must still authenticate directly to the KDC before getting access to the network services. The user must authenticate to the KDC because the TGT that the KDC issues is stored on the switch and cannot be used for additional authentication until the user logs on to the switch.

Obtaining a TGT from a KDC
This section describes the second layer of security through which a remote user must pass. The user must now authenticate to a KDC and obtain a TGT from the KDC to access network services. For instructions about how to authenticate to a KDC, see the “Obtaining a TGT from a KDC” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfkerb.html

Authenticating to Network Services
This section describes the third layer of security through which a remote user must pass. The user with a TGT must now authenticate to the network services in a Kerberos realm. For instructions about how to authenticate to a network service, see the “Authenticating to Network Services” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfkerb.html

Configuring Kerberos
So that remote users can authenticate to network services, you must configure the hosts and the KDC in the Kerberos realm to communicate and mutually authenticate users and network services. To do this, you must identify them to each other. You add entries for the hosts to the Kerberos database on the KDC and add KEYTAB files generated by the KDC to all hosts in the Kerberos realm. You also create entries for the users in the KDC database. When you add or create entries for the hosts and users, follow these guidelines:
• • •

The Kerberos principal name must be in all lowercase characters. The Kerberos instance name must be in all lowercase characters. The Kerberos realm name must be in all uppercase characters.

Note

A Kerberos server can be a Cisco ME switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol. To set up a Kerberos-authenticated server-client system, follow these steps:

Configure the KDC by using Kerberos commands.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10

7-35

specify the password the user must enter to gain access to the switch. The range is 0 to 15. specify the privilege level the user has after gaining access. check the local database. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 7-36 OL-9639-10 . The password must be from 1 to 25 characters. and establish a username-based authentication system. Enter the local database. Level 0 gives user EXEC mode access. Enter 7 to specify that a hidden password follows. Spaces and quotation marks are not allowed.2. (Optional) For level. Level 15 gives privileged EXEC mode access. • • Step 7 Step 8 Step 9 end show running-config copy running-config startup-config Return to privileged EXEC mode. Enable AAA. Beginning in privileged EXEC mode. Verify your entries. use the no aaa new-model global configuration command. • • configure terminal aaa new-model aaa authentication login default local Step 4 Step 5 Step 6 aaa authorization exec local aaa authorization network local username name [privilege level] {password encryption-type password} For name.html Configuring the Switch for Local Authentication and Authorization You can configure AAA to operate without a server by setting the switch to implement AAA in local mode.com/en/US/docs/ios/12_2/security/configuration/guide/scfkerb. Configure user AAA authorization for all network-related service requests. The switch then handles authentication and authorization. follow these steps to configure the switch for local AAA: Command Step 1 Step 2 Step 3 Purpose Enter global configuration mode. Configure user AAA authorization. To disable AAA. use the no aaa authorization {network | exec} method1 global configuration command. (Optional) Save your entries in the configuration file. For encryption-type. Release 12. For password.cisco. and must be the last option specified in the username command. For instructions. To disable authorization. and allow the user to run an EXEC shell. No accounting is available in this configuration. enter 0 to specify that an unencrypted password follows. Repeat this command for each user. The default keyword applies the local user database authentication to all ports. Set the login authentication to use the local username database. at this URL: http://www. can contain embedded spaces. specify the user ID as one word.Chapter 7 Configuring the Switch for Local Authentication and Authorization Configuring Switch-Based Authentication • Configure the switch to use the Kerberos protocol. see the “Kerberos Configuration Task List” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide.

html Note For complete syntax and usage information for the commands used in this section. page 7-38 SSH Servers. see the “Controlling Switch Access with TACACS+” section on page 7-10) RADIUS (for more information. Cisco IOS Release 12. You must obtain authorization to use this feature and to download the cryptographic software files from Cisco. see the command reference for this release and the command reference for Cisco IOS Release 12. page 7-37 Limitations.2 at this URL: http://www. the Triple DES (3DES) encryption algorithm.Chapter 7 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell Configuring the Switch for Secure Shell This section describes how to configure the Secure Shell (SSH) feature. This section consists of these topics: • • SSH Servers. The switch supports an SSHv1 or an SSHv2 server.com/en/US/docs/ios/12_2/security/configuration/guide/scfssh. For more information. Integrated Clients.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r. SSH provides more security for remote connections than Telnet does by providing strong encryption when a device is authenticated. you must install the cryptographic (encrypted) software image on your switch. These sections contain this information: • • • Understanding SSH. page 7-40 For SSH configuration examples.html Understanding SSH SSH is a protocol that provides a secure. page 7-38 Displaying the SSH Configuration and Status. SSH also supports these user authentication methods: • • TACACS+ (for more information. Integrated Clients. You can use an SSH client to connect to a switch running the SSH server. see the “SSH Configuration Examples” section in the “Configuring Secure Shell” chapter of the Cisco IOS Security Configuration Guide. page 7-37 Configuring SSH. This software release supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2). and Supported Versions The SSH feature has an SSH server and an SSH integrated client. and Supported Versions.com.cisco. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers. The switch supports an SSHv1 client. see the release notes for this release. SSH supports the Data Encryption Standard (DES) encryption algorithm. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients.cisco. and password-based user authentication. which are applications that run on the switch. see the “Controlling Switch Access with RADIUS” section on page 7-18) Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 7-37 . remote connection to a device. at this URL: http://www. To use this feature.2.

you must configure an IP domain name by using the ip domain-name global configuration command. The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data encryption software. make sure that AAA is disabled on the console. If you get CLI error messages after entering the crypto key generate rsa global configuration command. Limitations These limitations apply to SSH: • • • • The switch supports Rivest.Chapter 7 Configuring the Switch for Secure Shell Configuring Switch-Based Authentication • Local authentication and authorization (for more information. an RSA key pair has not been generated. • • • Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 7-38 OL-9639-10 . Shamir. page 7-38 Setting Up the Switch to Run SSH. 192-bit key. or 256-bit key. When configuring the local authentication and authorization authentication method. For more information. symmetric cipher AES to encrypt the keys is not supported. If it does. see the “Setting Up the Switch to Run SSH” section on page 7-39. the message No domain specified might appear. the message No host name specified might appear. The switch supports the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit key. Configuring SSH This section has this configuration information: • • • Configuration Guidelines. page 7-40 (required only if you are configuring the switch as an SSH server) Configuration Guidelines Follow these guidelines when configuring the switch as an SSH server or SSH client: • • An RSA key pair generated by a SSHv1 server can be used by an SSHv2 server. However. When generating the RSA key pair. see the “Configuring the Switch for Local Authentication and Authorization” section on page 7-36) Note This software release does not support IP Security (IPSec). page 7-39 (required) Configuring the SSH Server. SSH supports only the execution-shell application. and Adelman (RSA) authentication. and then enter the crypto key generate rsa command. you must configure a hostname by using the hostname global configuration command. If it does. When generating the RSA key pair. and the reverse. Reconfigure the hostname and domain.

Show the version and configuration information for your SSH server. This step is required. After the RSA key pair is deleted. Command Step 1 Step 2 Step 3 Step 4 Purpose Enter global configuration mode. When you generate RSA keys. Download the cryptographic software image from Cisco. use the crypto key zeroize rsa global configuration command. see the release notes for this release. but it takes longer to generate and to use. Configure a hostname and IP domain name for the switch. Follow this procedure only if you are configuring the switch as an SSH server.Chapter 7 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell Setting Up the Switch to Run SSH Follow these steps to set up your switch to run SSH: 1. configure terminal hostname hostname ip domain-name domain_name crypto key generate rsa Step 5 Step 6 end show ip ssh or show ssh Return to privileged EXEC mode. Generate an RSA key pair for the switch.com. Configure a host domain for your switch. you are prompted to enter a modulus length. Step 7 copy running-config startup-config To delete the RSA key pair. Show the status of the SSH server on the switch. For more information. Beginning in privileged EXEC mode. see the “Configuring the Switch for Local Authentication and Authorization” section on page 7-36. Follow this procedure only if you are configuring the switch as an SSH server. 2. This step is required. (Optional) Save your entries in the configuration file. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 7-39 . We recommend that a minimum modulus size of 1024 bits. which automatically enables SSH. For more information. Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair. the SSH server is automatically disabled. 4. Configure user authentication for local or remote access. A longer modulus length might be more secure. This procedure is required if you are configuring the switch as an SSH server. Configure a hostname for your switch. follow these steps to configure a hostname and an IP domain name and to generate an RSA key pair. 3.

the SSH server selects SSHv2. Shows the status of the SSH server. Step 4 Step 5 end show ip ssh or show ssh Return to privileged EXEC mode. Step 3 ip ssh {timeout seconds | authentication-retries number} Configure the SSH control parameters: • Specify the time-out value in seconds. For example. • Specify the number of times that a client can re-authenticate to the server. Show the status of the SSH server connections on the switch. 2—Configure the switch to run SSH Version 2. By default. use one or more of the privileged EXEC commands in Table 7-3: Table 7-3 Commands for Displaying the SSH Server Configuration and Status Command show ip ssh show ssh Purpose Shows the version and configuration information for the SSH server. Show the version and configuration information for your SSH server. the CLI-based session time-out value returns to the default of 10 minutes. The default is 3. After the connection is established. if the SSH client supports SSHv1 and SSHv2. the SSH server selects the latest SSH version supported by the SSH client.Chapter 7 Configuring the Switch for Secure Shell Configuring Switch-Based Authentication Configuring the SSH Server Beginning in privileged EXEC mode. After the execution shell starts. use the no ip ssh {timeout | authentication-retries} global configuration command. Step 6 copy running-config startup-config To return to the default SSH control parameters. Displaying the SSH Configuration and Status To display the SSH server configuration and status. (Optional) Configure the switch to run SSH Version 1 or SSH Version 2. follow these steps to configure the SSH server: Command Step 1 Step 2 Purpose Enter global configuration mode. the switch uses the default time-out values of the CLI-based sessions. Repeat this step when configuring both parameters. This parameter applies to the SSH negotiation phase. If you do not enter this command or do not specify a keyword. The range is 0 to 120 seconds. (Optional) Save your entries in the configuration file. the range is 0 to 5. up to five simultaneous. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 7-40 OL-9639-10 . • • configure terminal ip ssh version [1 | 2] 1—Configure the switch to run SSH Version 1. encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). the default is 120 seconds.

SCP also requires that authentication. correct configuration is necessary.cisco. you cannot enter the password into the copy command.cisco. A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. and authorization on the switch. except that SCP relies on SSH for security. Cisco IOS Release 12.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_secure_copy_ps6350 _TSD_Products_Configuration_Guide_Chapter.Chapter 7 Configuring Switch-Based Authentication Configuring the Switch for Secure Copy Protocol For more information about these commands. Information About Secure Copy To configure the Secure Copy feature. the router must have an Rivest. • For information about how to configure and verify SCP. you should understand these concepts. an application and a protocol that provides a secure replacement for the Berkeley r-tools. You must enter the password when prompted. the switch needs an RSA public/private key pair. SCP relies on Secure Shell (SSH). and Adelman (RSA) key pair. and accounting (AAA) authorization be configured so the router can determine whether the user has the correct privilege level. Because SCP relies on SSH for its secure transport. authentication.html Configuring the Switch for Secure Copy Protocol The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying switch configurations or switch image files.com/en/US/docs/ios/12_2/security/command/reference/srfpass. This is the same with SCP. • The behavior of SCP is similar to that of remote copy (rcp). For SSH to work. at this URL: http://www. see the "Secure Copy Protocol" section in the Cisco IOS Security Configuration Guide: Securing User Services. and SCP relies further on AAA authorization.html Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 7-41 . which relies on SSH for its secure transport. • • Before enabling SCP. Note When using SCP. which comes from the Berkeley r-tools suite. An authorized administrator can also do this from a workstation. Because SSH also relies on AAA authentication. see the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference.2. authorization.4: http://www. you must correctly configure SSH. Shamir. Release 12.

Chapter 7 Configuring the Switch for Secure Copy Protocol Configuring Switch-Based Authentication Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 7-42 OL-9639-10 .

and corporate lobbies and create insecure environments.1x Statistics and Status. Until the client is authenticated.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL). You can enable CDP and STP on enhanced network interfaces (ENIs). page 8-12 Displaying 802.1x Authentication.1x standard defines a client-server-based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated.1x (dot1x) commands are visible on the switch but are not supported.” This chapter consists of these sections: • • • Understanding IEEE 802.2(58)SE.CH A P T E R 8 Configuring IEEE 802. Note Some IEEE 802. normal traffic can pass through the port. 802.1x prevents unauthorized devices (clients) from gaining access to the network. For a list of unsupported commands see Appendix B.1x port-based authentication on the Cisco ME 3400 Ethernet Access switch. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 8-1 . Cisco Discovery Protocol (CDP). Note CDP and STP are supported by default on network node interfaces (NNIs). For complete syntax and usage information for the commands used in this chapter. User network nodes (UNIs) do not support CDP or STP. 802. see the command reference for this release. As LANs extend to hotels. and Spanning Tree Protocol (STP) traffic through the port to which the client is connected.1x Port-Based Authentication The IEEE 802. After authentication is successful.1x Port-Based Authentication This chapter describes how to configure IEEE 802. airports. page 8-27 Understanding IEEE 802. page 8-1 Configuring IEEE 802.1x Port-Based Authentication. “Unsupported Commands in Cisco IOS Release 12.

page 8-3 Ports in Authorized and Unauthorized States.1x Port-Based Authentication These sections describe 802.ASP Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 8-2 101229 OL-9639-10 . page 8-6 802. page 8-4 802.1x Host Mode.1x port-based authentication. read the Microsoft Knowledge Base article at this URL: http://support.1x Device Roles Authentication server (RADIUS) Workstations (clients) • Client—the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch. page 8-8 802. the devices in the network have specific roles as shown in Figure 8-1. page 8-7 802.1x Port-Based Authentication Configuring IEEE 802. page 8-5 802. page 8-11 Device Roles With 802. page 8-7 802.1x User Distribution.1x specification.1x Readiness Check. page 8-5 802.1x port-based authentication: • • • • • • • • • • • • Device Roles.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT).1x Accounting Attribute-Value Pairs.1x with VLAN Assignment.Chapter 8 Understanding IEEE 802.) Note To resolve Windows XP network connectivity and 802.1x-compliant client software such as that offered in the Microsoft Windows XP operating system. page 8-10 Common Session ID.1x Accounting. (The client is the supplicant in the 802.1x authentication issues.microsoft. page 8-2 Authentication Initiation and Message Exchange. The workstation must be running 802. Figure 8-1 802.1x with Port Security.com/support/kb/articles/Q303/5/97. page 8-9 802.

Upon receipt of the frame. the client can initiate authentication by sending an EAPOL-start frame.1x Port-Based Authentication Understanding IEEE 802. Switch (edge switch or wireless access point)—controls the physical access to the network based on the authentication status of the client. the authentication service is transparent to the client. which is responsible for encapsulating and decapsulating the EAP frames and interacting with the authentication server. For more information. When the client supplies its identity. the Ethernet header is stripped. In this release. When the switch receives frames from the authentication server. the switch begins its role as the intermediary.1x is not enabled or supported on the network access device. The specific exchange of EAP frames depends on the authentication method being used. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 8-3 . the switch initiates authentication when the link state changes from down to up or periodically as long as the port remains up and unauthenticated. passing EAP frames between the client and the authentication server until authentication succeeds or fails. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients. Because the switch acts as the proxy. leaving the EAP frame. The switch sends an EAP-request/identity frame to the client to request its identity. the client does not receive an EAP-request/identity frame from the switch. the client responds with an EAP-response/identity frame.1x Port-Based Authentication • Authentication server—performs the actual authentication of the client. If you enable authentication on a port by using the dot1x port-control auto interface configuration command. The switch includes the RADIUS client. verifying that information with the authentication server. • Authentication Initiation and Message Exchange The switch or the client can initiate authentication. A port in the authorized state effectively means that the client has been successfully authenticated. if during bootup. the switch port becomes authorized. For more information. If the client does not receive an EAP-request/identity frame after three attempts to start authentication. requesting identity information from the client. and relaying a response to the client. see the “Ports in Authorized and Unauthorized States” section on page 8-4. the server’s frame header is removed. Note If 802. The EAP frames are not modified during encapsulation. Figure 8-2 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server. When the switch receives EAPOL frames and relays them to the authentication server. and the remaining EAP frame is re-encapsulated in the RADIUS format. the client sends frames as if the port is in the authorized state. If the authentication succeeds. which is then encapsulated for Ethernet and sent to the client. see the “Ports in Authorized and Unauthorized States” section on page 8-4. any EAPOL frames from the client are dropped. The switch acts as an intermediary (proxy) between the client and the authentication server.Chapter 8 Configuring IEEE 802. It is available in Cisco Secure Access Control Server Version 3. However. the RADIUS security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. which prompts the switch to request the client’s identity. and the authentication server must support EAP within the native frame format.0 or later.

This is the default setting. The switch cannot provide authentication services to the client through the port. • • Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 8-4 OL-9639-10 . the switch requests the client’s identity. the client initiates the authentication process by sending the EAPOL-start frame. and the client is not granted access to the network.Chapter 8 Understanding IEEE 802. the client begins sending frames as if the port is in the authorized state.1x-enabled client connects to a port that is not running the 802. The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server.1x authentication and causes the port to begin in the unauthorized state. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-start frame is received. In this situation.1x port.1x authentication and causes the port to change to the authorized state without any authentication exchange required. Because no response is received. when an 802. The port sends and receives normal traffic without 802. the client sends the request for a fixed number of times.1x. allowing only EAPOL frames to be sent and received through the port.1x Port-Based Authentication Figure 8-2 Message Exchange Client Authentication server (RADIUS) EAPOL-Start EAP-Request/Identity EAP-Response/Identity EAP-Request/OTP EAP-Response/OTP EAP-Success RADIUS Access-Request RADIUS Access-Challenge RADIUS Access-Request RADIUS Access-Accept Port Authorized EAPOL-Logoff 101228 Port Unauthorized Ports in Authorized and Unauthorized States Depending on the switch port state. the port remains in the unauthorized state. allowing all traffic for the client to flow normally. the client does not respond to the request. Each client attempting to access the network is uniquely identified by the switch by using the client MAC address.1x Port-Based Authentication Configuring IEEE 802.1x connects to an unauthorized 802. While in this state. In contrast. When a client is successfully authenticated. The port starts in the unauthorized state. You control the port authorization state by using the dot1x port-control interface configuration command and these keywords: • force-authorized—disables 802. If a client that does not support 802. the switch can grant a client access to the network.1x-based authentication of the client. and STP packets. When no response is received.1x standard. the port disallows all incoming and outgoing traffic except for 802. CDP. the port changes to the authorized state. ignoring all attempts by the client to authenticate. auto—enables 802. force-unauthorized—causes the port to remain in the unauthorized state.

Table 8-1 lists the AV pairs that might be sent by the switch: Table 8-1 Accounting AV Pairs Attribute number Attribute[1] Attribute[4] Attribute[5] Attribute[6] Attribute[8] Attribute[25] Attribute[30] Attribute[31] AV pair name User-Name NAS-IP-Address NAS-Port NAS-Port-Type Framed-IP-Address Class Called-Station-ID Calling-Station-ID Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 8-5 .1x accounting. a billing application might require information that is contained within the Acct-Input-Octets or the Acct-Output-Octets of a packet.1x Port-Based Authentication Understanding IEEE 802.1x Accounting Attribute-Value Pairs The information sent to the RADIUS server is represented in the form of Attribute-Value (AV) pairs. Instead. the port state changes to authorized. Re-authentication successfully occurs. and all frames from the authenticated client are allowed through the port. causing the switch port to change to the unauthorized state. User logs off. or if an EAPOL-logoff frame is received.1x accounting information. Link-down occurs. You can enable 802. 802. (For example.1x standard defines how users are authorized and authenticated for network access but does not keep track of network usage. the port returns to the unauthorized state. the switch can resend the request. When a client logs off. which must be configured to log accounting messages. and network access is not granted. 802. but authentication can be retried. These are automatically sent by a switch that is configured for 802.1x accounting is disabled by default. 802.Chapter 8 Configuring IEEE 802.1x accounting to monitor this activity on 802. the port remains in the unauthorized state. it sends an EAPOL-logoff message. These AV pairs provide data for different applications. If the authentication server cannot be reached. it sends this information to the RADIUS server. authentication fails.) You do not need to configure AV pairs. If no response is received from the server after the specified number of attempts.1x-enabled ports: • • • • • User successfully authenticates. If the link state of a port changes from up to down. The switch does not log 802. Re-authentication fails. If the authentication fails.1x Accounting The 802.1x Port-Based Authentication If the client is successfully authenticated (receives an Accept frame from the authentication server).

1x Host Mode You can configure an 802. Figure 8-3 on page 8-7 shows 802.1x port for single-host or for multiple-hosts mode. only one client can be connected to the 802. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 8-6 OL-9639-10 .” for more information about AV pairs. In this mode. The switch detects the client by sending an EAPOL frame when the port link state changes to the up state.html See RFC 3580. and the port returns to the unauthorized state.1x to authenticate the port and port security to manage network access for all MAC addresses. With the multiple-hosts mode enabled. see the Cisco IOS Debug Command Reference.com/en/US/docs/ios/12_2/debug/command/reference/122debug. you can use 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines. the switch denies network access to all of the attached clients.1x-enabled port.1x-enabled switch port. the wireless access point is responsible for authenticating the clients attached to it.cisco. the switch changes the port link state to down. 802.Chapter 8 Understanding IEEE 802. If a client leaves or is replaced with another client. In single-host mode (see Figure 8-1 on page 8-2). Release 12. including that of the client. and it also acts as a client to the switch.2 at this URL: http://www.1x Port-Based Authentication Configuring IEEE 802. only one of the attached clients must be authorized for all clients to be granted network access. If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received). you can attach multiple hosts to a single 802. For more information about these commands. In this topology. In multiple-hosts mode. “IEEE 802.1x port-based authentication in a wireless LAN.1x Port-Based Authentication Table 8-1 Accounting AV Pairs (continued) Attribute number Attribute[40] Attribute[41] Attribute[42] Attribute[43] Attribute[44] Attribute[45] Attribute[46] Attribute[49] AV pair name Acct-Status-Type Acct-Delay-Time Acct-Input-Octets Acct-Output-Octets Acct-Session-ID Acct-Authentic Acct-Session-Time Acct-Terminate-Cause You can view the AV pairs that are being sent by the switch by enabling the debug radius accounting or debug aaa accounting privileged EXEC commands.

the client MAC address is added to the port security list of secure hosts. This feature only works if the supplicant on the client supports a query with the NOTIFY EAP notification packet. 802. its place in the secure host table can be taken by another host. it is guaranteed an entry in the secure host table (unless port security static aging has been enabled).1x port. The client must respond within the 802. You use an alternate authentication for the devices that do not support 802. (You also must configure port security on the port by using the switchport port-security interface configuration command. You can use this feature to determine if the devices connected to the switch ports are 802. For information on configuring the switch for the 802.) When you enable port security and 802. If the security violation is caused by the first authenticated host. This can happen if the maximum number of secure hosts has been statically configured or if the client ages out of the secure host table.1x timeout value. For more information.1x port with port security in either single-host or multiple-hosts mode.1x Port-Based Authentication Understanding IEEE 802.1x readiness check. If the client address is aged. When a client is authenticated and manually configured for port security.1x Readiness Check The 802.Chapter 8 Configuring IEEE 802.1x activity on all the switch ports and displays information about the devices connected to the ports that support 802.1x authenticates the port. including that of the client.1x. and port security manages network access for all MAC addresses.1x with Port Security You can configure an 802. The port security violation modes determine the action for security violations. You can then limit the number or group of clients that can access the network through an 802. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 101227 8-7 .1x readiness check monitors 802.1x-capable. and the port security table is not full. The port then proceeds to come up normally.1x Port-Based Authentication Figure 8-3 Multiple Host Mode Example Access point Wireless clients Authentication server (RADIUS) 802. the port becomes error-disabled and immediately shuts down.1x Readiness Check” section on page 8-17. These are some examples of the interaction between 802.1x functionality. but the port security table is full. see the “Configuring 802.1x on a port. A security violation occurs if the client is authenticated. 802.1x and port security on the switch: • When a client is authenticated. see the “Security Violations” section on page 22-10.

If the port is administratively shut down. The RADIUS server database maintains the username-to-VLAN mappings. If 802. Normal authentication then takes place.1x port. For more information see the “Maximum Number of Allowed Devices Per Port” section on page 8-14 and the command reference for this release. any change to the port access VLAN configuration does not take effect. it is put into the configured access VLAN. generates a syslog error. see the “Configuring Port Security” section on page 22-9.1x authorization is enabled and all information from the RADIUS server is valid. the port becomes unauthenticated. • • • • If 802. the port changes to an unauthenticated state.1x with VLAN assignment feature is not supported on trunk ports or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).1x Port-Based Authentication Configuring IEEE 802. the unauthorized. 802. and all dynamic entries in the secure host table are cleared. If an 802. This prevents ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error.1x authorization is disabled. If 802. it is returned to the configured access VLAN. all hosts are placed in the same VLAN (specified by the RADIUS server) as the first authenticated host. assigning the VLAN based on the username of the client connected to the switch port. the port is placed in the RADIUS server-assigned VLAN. When the port is in the force authorized. • • • For more information about enabling port security on your switch.Chapter 8 Understanding IEEE 802. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 8-8 OL-9639-10 . 802.1x and port security are enabled on a port. the port returns to the unauthorized state and remains in the configured access VLAN. the port is placed in the specified VLAN after authentication.1x with VLAN assignment has these characteristics: • • If no VLAN is supplied by the RADIUS server or if 802.1x with VLAN Assignment The RADIUS server sends the VLAN assignment to configure the switch port. You can configure the dot1x violation-mode interface configuration command so that a port shuts down.1x Port-Based Authentication • When you manually remove an 802. The 802. a malformed VLAN ID.1x port is authenticated and put in the RADIUS server-assigned VLAN.1x client by using the dot1x re-authenticate interface interface-id privileged EXEC command. or a nonexistent or internal (routed port) VLAN ID. If the multiple-hosts mode is enabled on an 802. you should re-authenticate the 802. If 802.1x client logs off. including the entry for the client.1x authorization is enabled but the VLAN information from the RADIUS server is not valid.1x-enabled port or when the maximum number of allowed devices have been authenticated. or the shutdown state. and all dynamic entries are removed from the secure host table. the force unauthorized.1x is disabled on the port. You can use this feature to limit network access for certain users. When configured on the switch and the RADIUS server. Configuration errors could include specifying a VLAN for a routed port. When an 802. or discards packets from a new device when it connects to an IEEE 802.1x client address from the port security table by using the no switchport port-security mac-address mac-address interface configuration command. the port is configured in its access VLAN after successful authentication.

You can modify the VLAN group by adding or deleting a VLAN. You can map more than one VLAN to a VLAN group. • Configure the RADIUS server to send more than one VLAN name for a user.1x. If the VLAN group name is found. • Note The RADIUS server can send the VLAN information in any combination of VLAN-IDs. none of the authenticated ports in the VLAN are cleared.1x user distribution tracks all the users in a particular VLAN and achieves load balancing by moving the authorized user to the least populated VLAN. the VLAN group is cleared. (The VLAN assignment feature is automatically enabled when you configure 802. 802.1x-authenticated user. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 8-9 . The 802. Attribute[65] must contain the value 802 (type 6). When you clear an existing VLAN from the VLAN group name. Enable 802.1x User Distribution You can configure 802. For examples of tunnel attributes. Configure the RADIUS server to send a VLAN group name for a user.1x User Distribution Configuration Guidelines • • • • • Confirm that at least one VLAN is mapped to the VLAN group. The VLAN group name can be sent as part of the response to the user. the corresponding VLANs under this VLAN group name are searched to find the least populated VLAN. 802. Assign vendor-specific tunnel attributes in the RADIUS server.Chapter 8 Configuring IEEE 802.1x Port-Based Authentication To configure VLAN assignment you need to perform these tasks: • • • Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server.1x user distribution to load-balance users with the same group name across multiple different VLANs. but the mappings are removed from the existing VLAN group. The RADIUS server must return these attributes to the switch: – [64] Tunnel-Type = VLAN – [65] Tunnel-Medium-Type = 802 – [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID Attribute[64] must contain the value VLAN (type 13). You can search for the selected VLAN group name among the VLAN group names that you configured by using the switch CLI. VLAN names.1x on an access port). The VLANs are either supplied by the RADIUS server or configured through the switch CLI under a VLAN group name. If you clear the last VLAN from the VLAN group name. The multiple VLAN names can be sent as part of the response to the user. Attribute[81] specifies the VLAN name or VLAN ID assigned to the 802. Load balancing is achieved by moving the corresponding authorized user to that VLAN. see the “Configuring the Switch to Use Vendor-Specific RADIUS Attributes” section on page 7-29.1x Port-Based Authentication Understanding IEEE 802. or VLAN groups.

802. it becomes the native VLAN for the trunk port after successful authentication.1x switch supplicant feature authenticates with the upstream switch for secure connectivity. If the access VLAN is configured on the authenticator switch. Multihost mode is not supported on the authenticator switch interface. (You can configure this under the group or the user settings. • You can enable MDA or multiauth mode on the authenticator switch interface that connects to one more supplicant switches.1x User Distribution” section on page 8-25.1x switch supplicant: You can configure a switch to act as a supplicant to another switch by using the 802. The switches use Client Information Signalling Protocol (CISP) to send the MAC addresses connecting to the supplicant switch to the authenticator switch. as shown in Figure 8-4.) Authenticator and Supplicant Switch using CISP • Figure 8-4 2 3 4 1 5 205718 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 8-10 OL-9639-10 . allowing user traffic from multiple VLANs coming from supplicant switches. Configure the cisco-av-pair as device-traffic-class=switch at the ACS. • 802. none of the ports or users that are in the authenticated state in any VLAN within the group are cleared. A switch configured with the 802. This allows any type of device to authenticate on the port.1x Port-Based Authentication • You can clear a VLAN group even when the active VLANs are mapped to the group.1x supplicant feature.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT) The Network Edge Access Topology (NEAT) feature extends identity to areas outside the wiring closet (such as conference rooms). Use the dot1x supplicant force-multicast global configuration command on the supplicant switch for Network Edge Access Topology (NEAT) to work in all host modes. When you clear a VLAN group. This configuration is helpful in a scenario. Once the supplicant switch authenticates successfully the port mode changes from access to trunk. a switch is outside a wiring closet and is connected to an upstream switch through a trunk port. Auto enablement: Automatically enables trunk configuration on the authenticator switch. For more information. for example. but the VLAN mappings to the VLAN group are cleared. • Host Authorization: Ensures that only traffic from authorized hosts (connecting to the switch with supplicant) is allowed on the network. where.Chapter 8 Understanding IEEE 802.1x Port-Based Authentication Configuring IEEE 802. see the “Configuring 802.

The ID appears automatically. The session ID in this example is 160000050000000B288508E5: Switch# show authentication sessions Interface MAC Address Method Domain Fa4/0/4 0000. This ID is used for all reporting purposes. see Chapter 10.0203) on Interface Fa4/0/4 AuditSessionID 160000050000000B288508E5 1w0d: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0000.0203) on Interface Fa4/0/4 AuditSessionID 160000050000000B288508E5 1w0d: %MAB-5-SUCCESS: Authentication successful for client (0000.0203) on Interface Fa4/0/4 AuditSessionID 160000050000000B288508E5 The session ID is used by the NAD. The session ID appears with all per-session syslog messages. The VSA changes the authenticator switch port mode from access to trunk and enables 802.0203 mab DATA Status Authz Success Session ID 160000050000000B288508E5 This is an example of how the session ID appears in the syslog output. This allows you to remove unsupported configurations on the authenticator switch port and to change the port mode from access to trunk. • • For more information. When the supplicant switch authenticates. see the “Configuring an Authenticator and a Supplicant Switch with NEAT” section on page 8-26.Chapter 8 Configuring IEEE 802.0000. The session ID includes: • • • The IP address of the Network Access Device (NAD) A monotonically increasing unique 32 bit integer The session start time stamp (a 32 bit integer) This example shows how the session ID appears in the output of the show authentication command. the AAA server. “Configuring Command Macros”. The session ID in this example is also160000050000000B288508E5: 1w0d: %AUTHMGR-5-START: Starting 'mab' for client (0000.1x Port-Based Authentication 1 3 5 Workstations (clients) Authenticator switch Trunk port 2 4 Supplicant switch (outside wiring closet) Access control server (ACS) Guidelines • You can configure NEAT ports with the same configurations as the other authentication ports.1x Port-Based Authentication Understanding IEEE 802.0000. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 8-11 . No configuration is required. VSA does not change any of the port configurations on the supplicant To change the host mode and the apply a standard port configuration on the authenticator switch port. the port mode is changed from access to trunk based on the switch vendor-specific attributes (VSAs). and other report-analyzing applications to identify the client.0000. Common Session ID Authentication manager uses a single session ID (referred to as a common session ID) for a client no matter which authentication method is used.0000.1x trunk encapsulation and the access VLAN if any would be converted to a native trunk VLAN. instead of the switch VSA. (device-traffic-class=switch). you can also use AutoSmart ports user-defined macros. For more information. such as the show commands and MIBs.

1812.1x Configuration.1x Authentication Configuring IEEE 802. Switch 802.1x Readiness Check.1x Accounting. page 8-25 (optional) Configuring an Authenticator and a Supplicant Switch with NEAT.1x enable state Disabled. page 8-23 (optional) Configuring 802. page 8-19 (optional) Changing the Quiet Period.1x Port-Based Authentication Configuring IEEE 802. page 8-12 802. The port sends and receives normal traffic without 802.1x Authentication These sections contain this configuration information: • • • • • • • • • • • • • • • • • Default 802. page 8-18 (optional) Manually Re-Authenticating a Client Connected to a Port. Disabled (force-authorized).1x enable state Per-port 802.1x User Distribution. • • • IP address UDP authentication port Key None specified. page 8-13 Configuring Periodic Re-Authentication. page 8-22 (optional) Configuring the Host Mode. Table 8-2 Default 802. page 8-18 (required) Configuring the Switch-to-RADIUS-Server Communication.1x Configuration to the Default Values. 3600 seconds. page 8-23 (optional) Configuring 802. page 8-18 (optional) Configuring Periodic Re-Authentication.1x Configuration Guidelines. page 8-20 (optional) Setting the Switch-to-Client Frame-Retransmission Number. page 8-26 (optional) Default 802. None specified. page 8-19 (optional) Changing the Switch-to-Client Retransmission Time. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 8-12 OL-9639-10 .1x Configuration Table 8-2 shows the default 802.1x Configuration Feature AAA RADIUS server • • • Default Setting Disabled.1x configuration. Periodic re-authentication Number of seconds between re-authentication attempts Disabled.Chapter 8 Configuring IEEE 802. page 8-22 (optional) Resetting the 802. page 8-17(optional) Configuring 802.1x-based authentication of the client.1x Violation Modes. page 8-16 (required) Configuring 802. page 8-21 (optional) Setting the Re-Authentication Number.

1x Authentication Table 8-2 Default 802. an error message appears.1x Port-Based Authentication Configuring IEEE 802. an error message appears.1x on an EtherChannel port.1x Configuration Guidelines These are the 802. and 802. but it is not supported on these port types: – Trunk port—If you try to enable 802. Single-host mode. 60 seconds (number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client).1x is not enabled.1x authentication configuration guidelines: • • When 802. an error message appears. an error message appears. If you try to enable 802.Chapter 8 Configuring IEEE 802. The 802.) 30 seconds (when relaying a response from the client to the authentication server. the amount of time the switch waits for a reply before resending the response to the server. and the port mode is not changed. ports are authenticated before any other Layer 2 or Layer 3 features are enabled.1x protocol is supported on Layer 2 static-access ports and Layer 3 routed ports.1x is not enabled. – Dynamic-access ports—If you try to enable 802.1x is enabled. and the VLAN configuration is not changed. 2 times (number of times that the switch will send an EAP-request/identity frame before restarting the authentication process).1x-enabled port to dynamic VLAN assignment. an error message appears.1x port.1x-enabled port to trunk.1x on a dynamic-access (VLAN Query Protocol [VQP]) port. 30 seconds (number of seconds that the switch should wait for a response to an EAP request/identity frame from the client before resending the request). Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 8-13 .1x on a trunk port. Quiet period Retransmission time Maximum retransmission number Host mode Client timeout period Authentication server timeout period 802.1x802.1x Configuration (continued) Feature Re-authentication number Default Setting 2 times (number of times that the switch restarts the authentication process before the port changes to the unauthorized state). the amount of time the switch waits for a response before resending the request to the client. If you try to change the mode of an 802.1x is not enabled. and 802. – EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an 802. 30 seconds (when relaying a request from the authentication server to the client. and 802.) You can change this timeout period by using the dot1x timeout server-timeout interface configuration command. If you try to change an 802.

1x-enabled port: • In single-host mode. remove the EtherChannel configuration from the interfaces on which 802.1x authentication and MAB authentication. but do not configure 802. You can also filter verbose messages for 802.1x hosts are allowed on the access VLAN. you must enable authentication. Maximum Number of Allowed Devices Per Port This is the maximum number of devices allowed on an 802. The filtered content typically relates to authentication success. If the port is also configured with a voice VLAN. The no mab logging verbose global configuration command filters MAC authentication bypass (MAB) verbose messages For more information. authorization.Chapter 8 Configuring IEEE 802. you can filter out verbose system messages generated by the authentication manager. Authentication is performed. The no dot1x logging verbose global configuration command filters 802. • • • • You can configure any VLAN except an RSPAN VLAN or a private VLAN.1x with VLAN assignment feature is not supported on private-VLAN ports. • Configuring 802. only one device is allowed on the access VLAN. see the command reference for this release.1x Authentication To configure 802. trunk ports.1x supplicant is allowed on the port. but an unlimited number of non-802. There is a separate command for each authentication method: • • • The no authentication logging verbose global configuration command filters verbose messages from the authentication manager. and accounting (AAA) and specify the authentication method list. This is the 802.2(55)SE.1x authentication verbose messages.1x AAA process: Step 1 Step 2 A user connects to a port on the switch. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 8-14 OL-9639-10 .1x on a port that is a SPAN or RSPAN destination port.1x and EtherChannel are configured.1x port-based authentication. Before globally enabling 802. or ports with dynamic-access port assignment through a VMPS.1x on a switch by entering the dot1x system-auth-control global configuration command. The 802. You can enable 802. However. A method list describes the sequence and authentication method to be queried to authenticate a user.1x on a SPAN or RSPAN source port.1x with port security on private-VLAN ports. only one 802. In multihost mode. To allow VLAN assignment. you must enable AAA authorization to configure the switch for all network-related service requests.1x Port-Based Authentication – Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable 802. An unlimited number of devices are allowed on the voice VLAN. Beginning with Cisco IOS Release 12. an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN. 802.1x Authentication Configuring IEEE 802.1x is disabled until the port is removed as a SPAN or RSPAN destination port.1x on a private-VLAN port. You can configure 802.

enter the group radius keywords to use the list of all RADIUS servers for authentication. Return to privileged EXEC mode. follow these steps to configure 802. The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication. based on the RADIUS server configuration. Step 8 Step 9 end show authentication or show dot1x Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file. Enable AAA. Step 4 Step 5 Step 6 Step 7 dot1x system-auth-control aaa authorization network {default} group radius interface interface-id authentication port-control auto or dot1x port-control auto Enable 802.Chapter 8 Configuring IEEE 802. Verify your entries. Specify the port connected to the client that is to be enabled for 802.1x authentication on the port. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 8-15 .1x authentication.1x Authentication Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 VLAN assignment is enabled. Create an 802. The default method list is automatically applied to all ports.1x port-based authentication: Command Step 1 Step 2 Step 3 Purpose Enter global configuration mode. as necessary. Note configure terminal aaa new-model aaa authentication dot1x {default} method1 Though other keywords are visible in the command-line help string. Re-authentication is performed.1x authentication method list. see the “802. The switch sends a stop message to the accounting server. The user disconnects from the port. Beginning in privileged EXEC mode. such as VLAN assignment. and enter interface configuration mode. The switch sends a start message to an accounting server. use the default keyword followed by the method that is to be used in default situations. For method1.1x authentication globally on the switch. (Optional) Configure the switch for user RADIUS authorization for all network-related service requests. To create a default list that is used when a named list is not specified in the authentication command. only the group radius keywords are supported. as appropriate.1x Configuration Guidelines” section on page 8-13.1x Port-Based Authentication Configuring IEEE 802. Enable 802. For feature interaction information.

specify the hostname or IP address of the string remote RADIUS server. To delete the specified RADIUS server. and the radius-server key global configuration commands. If you want to configure these options on a per-server basis. and to set the encryption key to rad123.39. specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. This key must match the encryption used on the RADIUS daemon. which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. (Optional) Save your entries in the configuration file. If you want to use multiple RADIUS servers.1x Port-Based Authentication Configuring the Switch-to-RADIUS-Server Communication RADIUS security servers are identified by their hostname or IP address. or IP address and specific UDP port numbers. For more information. The default is 1812. to use port 1612 as the authorization port. specify the UDP destination port for authentication requests.Chapter 8 Configuring IEEE 802. For auth-port port-number. For key string. and encryption key values for all RADIUS servers by using the radius-server host global configuration command. The key is a text string that must match the encryption key used on the RADIUS server. This procedure is required. follow these steps to configure the RADIUS server parameters on the switch. authentication—the second host entry configured acts as the fail-over backup to the first one. Step 3 Step 4 Step 5 end show running-config copy running-config startup-config Return to privileged EXEC mode. see the “Configuring Settings for All RADIUS Servers” section on page 7-29. The range is 0 to 65536. hostname and specific UDP port numbers. If two different host entries on the same RADIUS server are configured for the same service—for example. ip-address} auth-port port-number key For hostname | ip-address. do not enclose the key in quotation marks unless the quotation marks are part of the key.39. but spaces within and at the end of the key are used. If you use spaces in the key.l20. Verify your entries. configure terminal radius-server host {hostname | Configure the RADIUS server parameters. This example shows how to specify the server with IP address 172.20. matching the key on the RADIUS server: Switch(config)# radius-server host 172. use the no radius-server host {hostname | ip-address} global configuration command.46 auth-port 1612 key rad123 You can globally configure the timeout. use the radius-server timeout. retransmission. Beginning in privileged EXEC mode. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 8-16 OL-9639-10 .46 as the RADIUS server.1x Authentication Configuring IEEE 802. re-enter this command. radius-server retransmit. Note Always configure the key as the last item in the radius-server host command syntax because leading spaces are ignored. Command Step 1 Step 2 Purpose Enter global configuration mode. The combination of the IP address and UDP port number creates a unique identifier. The RADIUS host entries are tried in the order that they were configured.

The 802.1x activity on all the switch ports and displays information about the devices connected to the ports that support 802. A syslog message is generated if the client responds within the timeout period. and the link comes up. all interfaces on the switch are tested.1x Authentication You also need to configure some settings on the RADIUS server.1x-capable. The range is from 1 to 65535 seconds.1x Readiness Check The 802. the client is not 802. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. You can use this feature to determine if the devices connected to the switch ports are 802. Note dot1x test eapol-capable [interface interface-id] If you omit the optional interface keyword. (Optional) For interface-id specify the port on which to check for IEEE 802. a PC that is connected to an IP phone). If the client does not respond to the query. It also shows the response received from the queried port verifying that the device connected to it is 802.1x readiness. A syslog message is generated for each of the clients that respond to the readiness check within the timer period. No syslog message is generated.1x-capable. it is 802. the port queries the connected client about its 802. follow these steps to enable the 802.1x readiness check monitors 802.1x-capable: switch# dot1x test eapol-capable interface gigabitethernet1/0/13 DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC 00-01-02-4b-f1-a3 on gigabitethernet1/0/13 is EAPOL capable Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 8-17 . The readiness check is not available on a port that is configured as dot1x force-unauthorized.1x. all the ports on the switch stack are tested. (Optional) Return to privileged EXEC mode. This example shows how to enable a readiness check on a switch to query a port. • Beginning in privileged EXEC mode. see the RADIUS server documentation.1x readiness check on the switch: Command Step 1 Purpose Enable the 802. The default is 10 seconds.1x is enabled on the switch. The readiness check can be sent on a port that handles multiple hosts (for example.1x.1x-enabled port. For more information. (Optional) Verify your modified timeout values.1x readiness check on the switch.1x Port-Based Authentication Configuring IEEE 802.Chapter 8 Configuring IEEE 802. If you use the dot1x test eapol-capable privileged EXEC command without specifying an interface.1x-capable. Follow these guidelines to enable the readiness check on the switch: • • • The readiness check is typically used before 802.1x readiness check is allowed on all ports that can be configured for 802. Configuring 802. When you configure the dot1x test eapol-capable command on an 802. (Optional) Configure the timeout used to wait for EAPOL response.1x capability. When the client responds with a notification packet. Step 1 Step 2 Step 3 Step 4 configure terminal dot1x test timeout timeout end show running-config (Optional) Enter global configuration mode.

only the group radius keywords are supported. generates a syslog error. Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file. To create a default list that is used when a named list is not specified in the authentication command. For method1. If you do not specify a time period before enabling re-authentication. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 8-18 OL-9639-10 .1x authentication method list. Set the port to access mode. Step 7 Step 8 end show authentication or show dot1x Return to privileged EXEC mode. Verify your entries. Configure the violation mode. restrict–Generate a syslog error.1x client re-authentication and specify how often it occurs. the number of seconds between re-authentication attempts is 3600. enter the group radius keywords to use the list of all RADIUS servers for authentication. Beginning in privileged EXEC mode. or discards packets from a new device when: • • a device connects to an 802.Chapter 8 Configuring IEEE 802. Note configure terminal aaa new-model aaa authentication dot1x {default} method1 Though other keywords are visible in the command-line help string.1x authentication. The keywords have these meanings: • • • shutdown–Error disable the port. Create an 802. This procedure is optional. Enable AAA. and enter interface configuration mode.1x Violation Modes You can configure an 802. follow these steps to enable periodic re-authentication of the client and to configure the number of seconds between re-authentication attempts. Configuring Periodic Re-Authentication You can enable periodic 802.1x-enable port the maximum number of allowed about devices have been authenticated on the port Beginning in privileged EXEC mode. Step 4 Step 5 Step 6 interface interface-id switchport mode access authentication violation shutdown | restrict | protect} or dot1x violation-mode {shutdown | restrict | protect} Specify the port connected to the client that is to be enabled for IEEE 802. The default method list is automatically applied to all ports. protect–Drop packets from any new device that sends traffic to the port.1x Port-Based Authentication Configuring 802. follow these steps to configure the security violation actions on the switch: Command Step 1 Step 2 Step 3 Purpose Enter global configuration mode.1x port so that it shuts down.1x Authentication Configuring IEEE 802. use the default keyword followed by the method that is to be used in default situations.

If you want to enable or disable periodic re-authentication. A failed authentication of the client might occur because the client provided an invalid password. Specify the port to be configured. This example shows how to manually re-authenticate the client connected to a port: Switch# dot1x re-authenticate interface gigabitethernet0/1 Changing the Quiet Period When the switch cannot authenticate the client.1x Port-Based Authentication Configuring IEEE 802. use the no dot1x timeout reauth-period interface configuration command. Step 5 Step 6 Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. reauthenticate] [server | am]} {restart The range is 1 to 65535. the default is 3600 seconds. the switch remains idle for a set period of time and then tries again. Enable periodic re-authentication of the client. This example shows how to enable periodic re-authentication and set the number of seconds between re-authentication attempts to 4000: Switch(config-if)# dot1x reauthentication Switch(config-if)# dot1x timeout reauth-period 4000 Manually Re-Authenticating a Client Connected to a Port You can manually re-authenticate the client connected to a specific port at any time by entering the dot1x re-authenticate interface interface-id privileged EXEC command. To return to the default number of seconds between re-authentication attempts. Verify your entries. configure terminal interface interface-id authentication periodic or dot1x reauthentication Step 4 authentication timer {{[inactivity | Set the number of seconds between re-authentication attempts. and enter interface configuration mode. which is disabled by default. dot1x timeout reauth-period seconds end show authentication interface-id or how dot1x interface interface-id Return to privileged EXEC mode. value}} This command affects the behavior of the switch only if periodic or re-authentication is enabled. The dot1x timeout quiet-period interface configuration command controls the idle period. To disable periodic re-authentication.Chapter 8 Configuring IEEE 802. You can provide a faster response time to the user by entering a smaller number than the default. This step is optional. use the no dot1x reauthentication interface configuration command. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 8-19 .1x Authentication Command Step 1 Step 2 Step 3 Purpose Enter global configuration mode. see the “Configuring Periodic Re-Authentication” section on page 8-18.

and enter interface configuration mode. Beginning in privileged EXEC mode. Set the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client. Command Step 1 Step 2 Step 3 Purpose Enter global configuration mode. The range is 1 to 65535 seconds. Command Step 1 Step 2 Step 3 Purpose Enter global configuration mode. To return to the default quiet time. Verify your entries. This procedure is optional.Chapter 8 Configuring IEEE 802. Return to privileged EXEC mode. This example shows how to set the quiet time on the switch to 30 seconds: Switch(config-if)# dot1x timeout quiet-period 30 Changing the Switch-to-Client Retransmission Time The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. The range is 1 to 65535 seconds. Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers. This procedure is optional. Specify the port to be configured. and enter interface configuration mode. Set the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request. it waits a set period of time (known as the retransmission time) and then resends the frame. Return to privileged EXEC mode. configure terminal interface interface-id dot1x timeout tx-period seconds Step 4 end Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 8-20 OL-9639-10 . configure terminal interface interface-id dot1x timeout quiet-period seconds Step 4 Step 5 end show authentication interface-id or show dot1x interface interface-id Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. use the no dot1x timeout quiet-period interface configuration command.1x Port-Based Authentication Beginning in privileged EXEC mode. the default is 60. the default is 30.1x Authentication Configuring IEEE 802. If the switch does not receive this response. follow these steps to change the amount of time that the switch waits for client notification. Specify the port to be configured. follow these steps to change the quiet period.

This procedure is optional. use the no dot1x max-req interface configuration command. This example shows how to set 5 as the number of times that the switch sends an EAP request before restarting the authentication process: Switch(config-if)# dot1x max-req 5 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 8-21 . follow these steps to set the switch-to-client frame-retransmission number. Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers. Command Step 1 Step 2 Step 3 Purpose Enter global configuration mode. Specify the port to be configured. and enter interface configuration mode. This example shows how to set 60 as the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before resending the request: Switch(config-if)# dot1x timeout tx-period 60 Setting the Switch-to-Client Frame-Retransmission Number In addition to changing the switch-to-client retransmission time.1x Port-Based Authentication Configuring IEEE 802. (Optional) Save your entries in the configuration file. The range is 1 to 10. Return to privileged EXEC mode.Chapter 8 Configuring IEEE 802. use the no dot1x timeout tx-period interface configuration command. To return to the default retransmission time. the default is 2. Beginning in privileged EXEC mode. you can change the number of times that the switch sends an EAP frame (assuming no response is received) to the client before restarting the authentication process. Set the number of times that the switch sends an EAP frame to the client before restarting the authentication process.1x Authentication Command Step 5 Purpose Verify your entries. configure terminal interface interface-id dot1x max-reauth-req count Step 4 Step 5 Step 6 end show dot1x interface interface-id copy running-config startup-config To return to the default retransmission number. Verify your entries. show authentication interface-id or show dot1xinterface interface-id Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.

This procedure is optional. and enter interface configuration mode. configure terminal interface interface-id dot1x max-reauth-req count Step 4 Step 5 end show authentication interface-id or show dot1x interface interface-id Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.1x Authentication Configuring IEEE 802. use the no dot1x max-reauth-req interface configuration command. Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers.1x-authorized port that has the dot1x port-control interface configuration command set to auto. follow these steps to set the re-authentication number.1x-authorized port. This procedure is optional. Make sure that the dot1x port-control interface configuration command set is set to auto for the specified interface. To return to the default re-authentication number. Command Step 1 Step 2 Step 3 Purpose Enter global configuration mode. Set the number of times that the switch restarts the authentication process before the port changes to the unauthorized state.1x Port-Based Authentication Setting the Re-Authentication Number You can also change the number of times that the switch restarts the authentication process before the port changes to the unauthorized state. The range is 1 to 10. Beginning in privileged EXEC mode. Verify your entries. Allow multiple hosts (clients) on an 802. configure terminal interface interface-id dot1x host-mode multi-host Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 8-22 OL-9639-10 . Command Step 1 Step 2 Step 3 Purpose Enter global configuration mode. Return to privileged EXEC mode. and enter interface configuration mode.Chapter 8 Configuring IEEE 802. the default is 2. Specify the port to which multiple hosts are indirectly attached. follow these steps to allow multiple hosts (clients) on an 802. Specify the port to be configured. This example shows how to set 4 as the number of times that the switch restarts the authentication process before the port changes to the unauthorized state: Switch(config-if)# dot1x max-reauth-req 4 Configuring the Host Mode Beginning in privileged EXEC mode.

use the no dot1x host-mode multi-host interface configuration command.1x and to allow multiple hosts: Switch(config)# interface gigabitethernet0/1 Switch(config-if)# dot1x port-control auto Switch(config-if)# dot1x host-mode multi-host Resetting the 802.1x configuration to the default values. Return to privileged EXEC mode. and specify the port to be configured. end show authentication interface-id or show dot1x interface interface-id Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.1x Configuration to the Default Values Beginning in privileged EXEC mode. This example shows how to enable 802. Enter the dot1x host-mode single-host interface configuration command to set the interface to allow a single host on the port.1x Port-Based Authentication Configuring IEEE 802. Command Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Purpose Enter global configuration mode. Verify your entries. configure terminal interface interface-id dot1x default end show dot1x interface interface-id copy running-config startup-config Configuring 802. Verify your entries.Chapter 8 Configuring IEEE 802. Reset the configurable 802. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 8-23 . Enter interface configuration mode. follow these steps to reset the 802. Configuring this command on an interface causes the interface to go into the error-disabled state.1x parameters to the default values.1x sessions are closed. To disable multiple hosts on the port. the dot1x host-mode multi-domain interface configuration command is not supported.1x Authentication Command Step 4 Step 5 Purpose Return to privileged EXEC mode. Note Although visible in the command-line interface help. (Optional) Save your entries in the configuration file.1x accounting allows system reload events to be sent to the accounting RADIUS server for logging.1x Accounting Enabling AAA system accounting with 802. This procedure is optional. The server can then infer that all active 802.

46 auth-port 1812 acct-port 1813 key rad123 Switch(config)# aaa accounting dot1x default start-stop group radius Switch(config)# aaa accounting system default start-stop group radius Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 8-24 OL-9639-10 . such as logging start. If the switch does not receive the accounting response message from the RADIUS server after a configurable number of retransmissions of an accounting request.201:1645. Return to privileged EXEc mode. accounting messages might be lost due to poor network conditions. Verify your entries.39.1x Authentication Configuring IEEE 802.246. and enter interface configuration mode. Next. (Optional) Saves your entries in the configuration file. Beginning in privileged EXEC mode. this message appears: 00:09:55: %RADIUS-4-RADIUS_DEAD: RADIUS server 172. When the stop message is not sent successfully.1x Port-Based Authentication Because RADIUS uses the unreliable UDP transport protocol.1646 is not responding.20. enable “CVS RADIUS Accounting” in your RADIUS server System Configuration tab.1x accounting. Command Step 1 Step 2 Step 3 Step 4 Purpose Enter global configuration mode.Chapter 8 Configuring IEEE 802. Specify the port to be configured. (Optional) Enables system accounting (using the list of all RADIUS servers) and generates system accounting reload event messages when the switch reloads. This procedure is optional.1x accounting after AAA is enabled on your switch.1x accounting using the list of all RADIUS servers. Note You must configure the RADIUS server to perform accounting tasks. this system message appears: Accounting message %s for session %s failed to receive Accounting Response. enable logging of “Update/Watchdog packets from this AAA client” in your RADIUS server Network Configuration tab. The first command configures the RADIUS server. and interim-update messages and time stamps. follow these steps to configure 802. specifying 1813 as the UDP port for accounting: Switch(config)# radius-server host 172. stop. This example shows how to configure 802. Enable 802.120. To turn on these functions. configure terminal interface interface-id aaa accounting dot1x default start-stop group radius aaa accounting system default start-stop group radius end show running-config copy running-config startup-config Step 5 Step 6 Step 7 Use the show radius statistics privileged EXEC command to display the number of RADIUS messages that do not receive the accounting response message.

to and verify the VLAN group configurations and mapping to the specified VLANs: switch(config)# vlan group eng-dept vlan-list 10 switch(config)# show vlan group group-name eng-dept Group Name Vlans Mapped -------------------------eng-dept 10 switch# show dot1x vlan-group all Group Name Vlans Mapped -------------------------eng-dept 10 hr-dept 20 This example shows how to add a VLAN to an existing VLAN group and to verify that the VLAN was added: switch(config)# vlan group eng-dept vlan-list 30 switch(config)# show vlan group eng-dept Group Name Vlans Mapped -------------------------eng-dept 10.30 This example shows how to remove a VLAN from a VLAN group: switch# no vlan group eng-dept vlan-list 10 This example shows that when all the VLANs are cleared from a VLAN group. vlan group vlan-group-name vlan-list vlan-list show vlan group all vlan-group-name no vlan group vlan-group-name vlan-list vlan-list This example shows how to configure the VLAN groups. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 8-25 .1x Authentication Configuring 802. Verify the configuration. the VLAN group is cleared: switch(config)# no vlan group eng-dept vlan-list 30 Vlan 30 is successfully cleared from vlan group eng-dept. to map the VLANs to the groups.Chapter 8 Configuring IEEE 802. and map a single VLAN or a range of VLANs to it.1x User Distribution Beginning in global configuration.1x Port-Based Authentication Configuring IEEE 802. switch(config)# show vlan group group-name eng-dept This example shows how to clear all the VLAN groups: switch(config)# no vlan group end-dept vlan-list all switch(config)# show vlan-group all For more information about these commands. see the Cisco IOS Security Command Reference. follow these steps to configure a VLAN group and to map a VLAN to it: Command Step 1 Step 2 Step 3 Purpose Configure a VLAN group. Clear the VLAN group configuration or elements of the VLAN group configuration.

This must be attached to the port that is configured as supplicant. follow these steps to configure a switch as a supplicant: Command Step 1 Step 2 Step 3 Step 4 Purpose Enter global configuration mode. Enable CISP. Note The cisco-av-pairs must be configured as device-traffic-class=switch on the ACS. follow these steps to configure a switch as an authenticator: Command Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Step 10 Purpose Enter global configuration mode. (Optional) Save your entries in the configuration file. and enter interface configuration mode.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT)” section on page 8-10. configure terminal cisp enable dot1x credentials profile username suppswitch Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 8-26 OL-9639-10 . Enable Port Fast on an access port connected to a single workstation or server. Create 802.Chapter 8 Configuring IEEE 802. Enable CISP. Verify your configuration. Set the port mode to access.1x authenticator: Switch# configure terminal Switch(config)# cisp enable Switch(config)# interface gigabitethernet2/0/1 Switch(config-if)# switchport mode access Switch(config-if)# authentication port-control auto Switch(config-if)# dot1x pae authenticator Switch(config-if)# spanning-tree portfast trunk Beginning in privileged EXEC mode. Specify the port to be configured. see the “802.1x credentials profile.1x Authentication Configuring IEEE 802. Set the port-authentication mode to auto. configure terminal cisp enable interface interface-id switchport mode access authentication port-control auto dot1x pae authenticator spanning-tree portfast end show running-config interface interface-id copy running-config startup-config This example shows how to configure a switch as an 802. Create a username. Beginning in privileged EXEC mode. Configure the interface as a port access entity (PAE) authenticator. which sets the interface as a trunk after the supplicant is successfully authenticated. Return to privileged EXEC mode.1x Port-Based Authentication Configuring an Authenticator and a Supplicant Switch with NEAT Configuring this feature requires that one switch outside a wiring closet is configured as a supplicant and is connected to an authenticator switch. For overview information.

To display 802. Set the port to trunk mode. Configure the interface as a port access entity (PAE) supplicant. Attach the 802. password password dot1x supplicant force-multicast Step 7 Step 8 Step 9 Step 10 Step 11 Step 12 Step 13 Step 14 interface interface-id switchport trunk encapsulation dot1q switchport mode trunk dot1x pae supplicant dot1x credentials profile-name end show running-config interface interface-id copy running-config startup-config Specify the port to be configured. and enter interface configuration mode. For more information. use the show dot1x statistics interface interface-id privileged EXEC command.” Displaying 802. Force the switch to send only multicast EAPOL packets when it receives either unicast or multicast packets. use the show dot1x all statistics privileged EXEC command. “Configuring Command Macros.1x statistics for a specific port.1x credentials profile to the interface. This also allows NEAT to work on the supplicant switch in all host modes.1x Statistics and Status To display 802. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 8-27 . To display the 802. Configure the interface as a VLAN trunk port.1x administrative and operational status for a specific port.1x Statistics and Status Command Step 5 Step 6 Purpose Create a password for the new username.1x statistics for all ports. (Optional) Save your entries in the configuration file. see the Chapter 10.1x Port-Based Authentication Displaying 802. To display the 802. Verify your configuration. use the show dot1x all privileged EXEC command. use the show dot1x interface interface-id privileged EXEC command.1x administrative and operational status for the switch. Return to privileged EXEC mode.Chapter 8 Configuring IEEE 802. This example shows how to configure a switch as a supplicant: Switch# configure terminal Switch(config)# cisp enable Switch(config)# dot1x credentials test Switch(config)# username suppswitch Switch(config)# password myswitch Switch(config)# dot1x supplicant force-multicast Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# switchport trunk encapsulation dot1q Switch(config-if)# switchport mode trunk Switch(config-if)# dot1x pae supplicant Switch(config-if)# dot1x credentials test Switch(config-if)# end Configuring NEAT with ASP You can also use an AutoSmart Ports user-defined macro instead of the switch VSA to configure the authenticator switch.

you can use the no dot1x logging verbose global configuration command to filter verbose 802.1x Statistics and Status Configuring IEEE 802. see the command reference for this release. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 8-28 OL-9639-10 .1x authentication messages.2(55)SE.1x Port-Based Authentication Beginning with Cisco IOS Release 12. See the “802.Chapter 8 Displaying 802.1x Configuration Guidelines” section on page 8-13. For detailed information about the fields in these displays.

Release 12. see the switch command reference for this release and the online Cisco IOS Interface Command Reference. page 9-27 Note For complete syntax and usage information for the commands used in this chapter. page 9-1 Using Interface Configuration Mode. page 9-7 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 9-1 . page 9-6 Dual-Purpose Ports.CH A P T E R 9 Configuring Interfaces This chapter defines the types of interfaces on the Cisco ME 3400 Ethernet Access switch and describes how to configure them. page 9-24 Monitoring and Maintaining the Interfaces. page 9-12 Configuring Layer 3 Interfaces. page 9-2 Port-Based VLANs. NNI. and ENI Port Types. The rest of the chapter describes configuration procedures for physical interface characteristics. page 9-5 Switch Ports. page 9-3 Switch Virtual Interfaces. page 9-3 Routed Ports. page 9-2 Switch Ports. page 9-5 EtherChannel Port Groups. page 9-8 Configuring Ethernet Interfaces. • • • • • • • • • UNI. Understanding Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interface types. • • • • • • Understanding Interface Types. page 9-6 Connecting Interfaces. page 9-22 Configuring the System MTU.2.

and each VLAN has its own MAC address table.” Packets received on a port are forwarded only to ports that belong to the same VLAN as the receiving port. Traffic is not switched between these ports. If the UNI status is shut down. Network devices in different VLANs cannot communicate with one another without a Layer 3 device to route traffic between the VLANs. or ENI. only four ports on the switch can be configured as NNIs at one time. “Configuring VLANs.” for instructions on how to configure community VLANs. At any time. network node interfaces (NNIs). All ports on the switch can be configured as UNIs or ENIs. entering the default interface interface-id command changes the port to the enabled state. and all arriving traffic at UNIs or ENIs must leave on NNIs to prevent a user from gaining access to another user’s private network. NNIs are typically connected to a router or to another switch. without regard to the physical location of the users. Changing the port type from UNI to ENI does not affect the administrative state of the port. and enhanced network interfaces (ENIs). When you reconfigure a UNI or ENI to be an NNI. If it is appropriate for two or more UNIs or ENIs to exchange traffic within the switch. Note Even though the default state for a UNI or ENI is shutdown. all ports on the Cisco ME switch are either UNI. it inherits all the characteristics of that interface type. “Configuring VLANs. see Chapter 11. there is no limit to the number of NNIs that can be configured on the switch. No ports are ENIs by default. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 9-2 OL-9639-10 . By default. For more information about VLANs. See Chapter 11. Link Layer Discovery Protocol (LLDP). The default status for an NNI is administratively up to allow a service provider remote access to the switch during initial configuration. If the switch is running the metro base or metro access image. VLAN partitions provide hard firewalls for traffic in the VLAN. but can be configured to support protocol control packets for Cisco Discovery Protocol (CDP). UNIs are typically connected to a host. or application. team. Spanning-Tree Protocol (STP). it remains shut down when reconfigured as an ENI. and ENI Port Types The Cisco ME switch supports user-network interfaces (UNIs). NNI. A VLAN comes into existence when a local port is associated with the VLAN ID or when a user creates te VLAN ID. you must enable the port before it becomes active. The default state for a UNI or ENI is administratively down to prevent unauthorized users from gaining access to other ports as you configure the switch. and EtherChannel Link Aggregation Control Protocol (LACP) or Port Aggregation Protocol (PAgP). Port-Based VLANs A VLAN is a switched network that is logically segmented by function. the 10/100 ports and the dual-purpose ports on Cisco ME 3400-12CS and ME 3400-2CS switches are configured as UNIs. it remains in the no shutdown state. if the port is in a no shutdown state. such as a PC or a Cisco IP phone. When a port is reconfigured as another interface type.Chapter 9 Understanding Interface Types Configuring Interfaces UNI. the UNIs and ENIs can be assigned to a community VLAN. and the SFP-only module uplink ports are configured as NNIs. ENIs have the same functionality as UNIs. A port can be reconfigured from UNI to NNI or ENI and the reverse. If the switch is running the metro IP access image. NNI.

” Switch Ports Switch ports are Layer 2 only interfaces associated with a physical port. Note When you put an interface that is in Layer 3 mode into Layer 2 mode. See Chapter 13. (Only NNIs can be configured as promiscuous ports. There are two types of UNI-ENI VLANs: • UNI-ENI isolated VLAN—This is the default VLAN state for all VLANs created on the switch. A switch port can be an access port. For a trunk port. For an access port. the previous configuration information related to the affected interface might be lost. Because you can enable spanning tree on ENIs. Switch ports are used for managing the physical interface and associated Layer 2 protocols and do not handle routing or bridging. the Cisco ME switch uses UNI-ENI VLANs. UNI-ENI VLANs isolate user network interfaces (UNIs) or enhanced network interfaces (ENIs) on the switch from UNIs or ENIs that belong to other customer VLANs. you should use caution when configuring ENIs and UNIs in the same community VLAN.1Q trunk port. a private-VLAN port. and if desired. For a tunnel port. set and define the VLAN to which it belongs. and you want to switch packets between the ports. a trunk port. Add ports to a VLAN by using the switchport interface configuration commands: • • • • Identify the interface. “Configuring IEEE 802. set trunk characteristics. If UNIs or ENIs belong to the same customer. Extended-range VLANs (VLAN IDs 1006 to 4094) are not added to the VLAN database. you can configure the common VLAN as a UNI-ENI community VLAN.) You must manually configure tunnel ports as part of an asymmetric link connected to an IEEE 802. Use the switchport command with no keywords to put an interface that is in Layer 3 mode into Layer 2 mode. The VLAN configurations for VLAN IDs 1 to 1005 are saved in the VLAN database. or a tunnel port. and the interface is returned to its default configuration. • Note Local switching takes place between ENIs and UNIs in the same community VLAN. For more information about UNI VLANs. UNIs are always in the forwarding state. and you can save it in the switch startup configuration file by entering the copy running-config startup-config privileged EXEC command. UNI-ENI community VLAN—Local switching is allowed among UNIs and ENIs on the switch that belong to the same UNI community VLAN.Chapter 9 Configuring Interfaces Understanding Interface Types To isolate VLANs of different customers in a service-provider network. define the VLANs to which it can belong. You can configure a port as an access port or trunk port. VLAN configuration is saved in the switch running configuration.1Q Tunneling and Layer 2 Protocol Tunneling. Configure switch ports by using the switchport interface configuration commands. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 9-3 . set and define the VLAN ID for the customer-specific VLAN tag. use the vlan vlan-id global configuration command to enter VLAN configuration mode. You configure a private VLAN port as a host or promiscuous port that belongs to a private-VLAN primary or secondary VLAN. Local switching does not occur among UNIs or ENIs on the switch that belong to the same UNI-ENI isolated VLAN. but not on UNIs. Switch ports belong to one or more VLANs. To configure VLANs. see the “UNI-ENI VLANs” section on page 11-5.

Dynamic access ports for VMPS are only supported on UNIs and ENIs.1Q-tagged with the customer VLANs.1x can also be used for VLAN assignment.1Q tagged packet. All other traffic is sent with a VLAN tag. the Cisco ME switch cannot be a VMPS server. An IEEE 802.Chapter 9 Understanding Interface Types Configuring Interfaces For detailed information about configuring access port and trunk port characteristics. By default. By default.1Q trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN database. all possible VLANs (VLAN ID 1 to 4094) are in the allowed list.” Tunnel Ports Tunnel ports are used in IEEE 802. a dynamic access port is a member of no VLAN. The list of allowed VLANs does not affect any other port but the associated trunk port.1Q trunk port on the customer switch. For more information about trunk ports.1Q Tunneling and Layer 2 Protocol Tunneling. “Configuring VLANs. If an access port receives an IEEE 802. the packet is dropped. Traffic is received and sent in native formats with no VLAN tagging. A packet with a VLAN ID equal to the outgoing port default PVID is sent untagged. and forwarding to and from the port is enabled only when the VLAN membership of the port is discovered. A trunk port can become a member of a VLAN only if the VLAN is in the enabled state. VLAN membership of dynamic access ports is learned through incoming packets. see Chapter 11. Traffic arriving on an access port is assumed to belong to the VLAN assigned to the port.1Q trunk port is assigned a default Port VLAN ID (PVID). you can limit VLAN membership by configuring an allowed list of VLANs for each trunk port.1Q tunneling to segregate the traffic of customers in a service-provider network from other customers who are using the same VLAN number. At the outbound interface. IEEE 802. “Configuring IEEE 802. All untagged traffic and tagged traffic with a NULL VLAN ID are assumed to belong to the port default PVID. Two types of access ports are supported: • • Static access ports are manually assigned to a VLAN. and all untagged traffic travels on the port default PVID. are encapsulated with another layer of an IEEE 802. UNIs begin forwarding packets as soon as they are enabled. “Configuring VLANs. and the original VLAN numbers from the customer network are retrieved.” Access Ports An access port belongs to and carries the traffic of only one VLAN. see Chapter 11. already IEEE 802. Packets entering the tunnel port on the edge switch.” For more information about tunnel ports. The VMPS can be a Catalyst 6500 series switch. A trunk port supports simultaneous tagged and untagged traffic. containing a VLAN ID unique in the service-provider network. the metro tag is removed.1Q tag (called the metro tag). for each customer. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 9-4 OL-9639-10 . You configure an asymmetric link from a tunnel port on a service-provider edge switch to an IEEE 802. Although by default a trunk port is a member of multiple VLANs. Dynamic access ports on the switch are assigned to a VLAN by a VLAN Membership Policy Server (VMPS). Trunk Ports An IEEE 802. The double-tagged packets go through the service-provider network keeping the original customer VLANs separate from those of other customers. also a tunnel port. see Chapter 13. and the source address is not learned.

“Configuring IP Multicast Routing. Routed ports can be configured with a Layer 3 routing protocol. and assign routing protocol characteristics by using the ip routing and router protocol global configuration commands. such as STP.” Note For full Layer 3 routing. which might generate messages on the device to which the interface is connected.Chapter 9 Configuring Interfaces Understanding Interface Types Note IEEE 802. Then assign an IP address to the port. it does not have to be connected to a router. except that it does not support VLAN subinterfaces.1Q Tunneling and Layer 2 Protocol Tunneling. “Configuring IEEE 802. A routed port is a Layer 3 interface only and does not support Layer 2 protocols. see Chapter 35. see Chapter 13. A routed port is not associated with a particular VLAN. Only one SVI can be associated with a VLAN. enable routing. Additional SVIs must be explicitly configured. A routed port behaves like a regular router interface. but you need to configure an SVI for a VLAN only when you wish to route between VLANs or to provide IP host connectivity to the switch. Note Entering a no switchport interface configuration command shuts down the interface and then re-enables it. For more information about IP unicast and multicast routing and routing protocols. By default. However.1Q tunneling is only supported when the switch is running the metro IP access or metro access image. For more information about tunnel ports. SVIs provide IP host connectivity only to the system. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 9-5 . “Configuring IP Unicast Routing” and Chapter 43. you can configure routing across SVIs. Configure routed ports by putting the interface into Layer 3 mode with the no switchport interface configuration command. the interrelationship between this number and the number of other features being configured might impact CPU performance because of hardware limitations. See the “Configuring Layer 3 Interfaces” section on page 9-22 for information about what happens when hardware resource limitations are reached. in Layer 3 mode. you must have the metro IP access image installed on the switch Switch Virtual Interfaces A switch virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing or bridging function in the system. The number of routed ports that you can configure is not limited by software. When you put an interface that is in Layer 2 mode into Layer 3 mode. an SVI is created for the default VLAN (VLAN 1) to permit remote switch administration. the previous configuration information related to the affected interface might be lost. Tunnel ports cannot be trunk ports or access ports and must belong to a VLAN unique to each customer. as is an access port.” Routed Ports A routed port is a physical port that acts like a port on a router. Note You cannot delete interface VLAN 1.

see Chapter 35.1Q encapsulated trunk or the VLAN ID configured for an access port. If a link within the EtherChannel fails. see Chapter 34.” and Chapter 43. See the “Configuring Layer 3 Interfaces” section on page 9-22 for information about what happens when hardware resource limitations are reached. The VLAN corresponds to the VLAN tag associated with data frames on an IEEE 802. For more information. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 9-6 OL-9639-10 . use the channel-group interface configuration command to dynamically create the port-channel logical interface. For Layer 3 interfaces. Link Aggregation Control Protocol (LACP). These port groups act as a single logical port for high-bandwidth connections between switches or between switches and servers. “Configuring EtherChannels and Link-State Tracking. When you configure an EtherChannel. Configure a VLAN interface for each VLAN for which you want to route traffic. The dual front ends are not redundant interfaces. Then you manually assign an interface to the EtherChannel by using the channel-group interface configuration command. This command binds the physical and logical ports together. which operate only on physical NNI or ENI ports. group multiple tunnel ports into one logical tunnel port. the switch activates only one connector of the pair. see the “Manually Assigning IP Information” section on page 3-14. You can group multiple trunk ports into one logical trunk port. you manually create the logical interface by using the interface port-channel global configuration command. “Configuring IP Multicast Routing. Note When you create an SVI. EtherChannel Port Groups EtherChannel port groups treat multiple switch ports as one switch port. SVIs support routing protocols. it does not become active until it is associated with a physical port. For more information about configuring IP routing.” Note Routed ports (or SVIs) are supported only when the metro IP access image is installed on the switch. the interrelationship between the number of SVIs and routed ports and the number of other features being configured might impact CPU performance because of hardware limitations. Each dual-purpose port is considered as a single interface with dual front ends (an RJ-45 connector and an SFP module connector). traffic previously carried over the failed link changes to the remaining links. SVIs are created the first time that you enter the vlan interface configuration command for a VLAN interface. Exceptions are the Cisco Discovery Protocol (CDP). “Configuring IP Unicast Routing. and assign it an IP address. For more information. group multiple access ports into one logical access port. you create a port-channel logical interface and assign an interface to the EtherChannel. and the Port Aggregation Protocol (PAgP). For Layer 2 interfaces.” Dual-Purpose Ports Twelve ports on the ME 3400-12CS and two ports on the ME 3400-2CS switches are dual-purpose ports that can be configured as 10/100/100 ports or as small form-factor pluggable (SFP) module ports. or group multiple routed ports into one logical routed port.Chapter 9 Understanding Interface Types Configuring Interfaces Although the switch supports a total of 1005 VLANs (and SVIs). An EtherChannel balances the traffic load across the links in the channel. Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group.

129. see the hardware installation guide. when you configure both VLAN 20 and VLAN 30 with an SVI to which an IP address is assigned. The switch routes only IP traffic. However. dual-purpose ports are user-network interfaces (UNIs) and SFP-only module ports are network node interfaces (NNIs).1 Host A Host B VLAN 20 VLAN 30 When the metro IP access image is running on the switch. Ports in different VLANs cannot exchange data without going through a routing device.Chapter 9 Configuring Interfaces Understanding Interface Types By default. forwarding is done by the switch hardware. only IP Version 4 packets with Ethernet II encapsulation can be routed in hardware.” Chapter 43. the Cisco ME switch provides VLAN isolation between UNIs or ENIs. and one shows the status of the RJ-45 port. “Configuring MSDP. “Configuring IP Multicast Routing. By default. For more information about the LEDs. see the “Configuring a Dual-Purpose Port” section on page 9-18.128.” and Chapter 44.1 SVI 1 SVI 2 172. When IP routing protocol parameters and address configuration are added to an SVI or routed port. For information about configuring a dual-purpose port. The routing function can be enabled on all SVIs and routed ports. the switch dynamically selects the dual-purpose port media type that first links up. ports in different VLANs have to exchange information through a router. However. Connecting Interfaces Devices within a single VLAN can communicate directly through any switch.20.” Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 101350 9-7 . Each dual-purpose port has two LEDs: one shows the status of the SFP module port. For more information. any IP traffic received from these ports is routed. UNIs and ENIs cannot exchange traffic unless they are changed to NNIs or assigned to a UNI-ENI community VLAN. Figure 9-1 Connecting VLANs with the Switch Layer 3 switch with routing enabled 172.20. see Chapter 35. “Configuring IP Unicast Routing. With a standard Layer 2 switch. routing can be enabled on the switch. packets can be sent from Host A to Host B directly through the switch with no need for an external router (Figure 9-1). By using the switch with routing enabled. Whenever possible. By default. you can use the media-type interface configuration command to manually select the RJ-45 connector or the SFP module connector. to maintain high performance. The port LED is on for whichever connector is active.

or fa0/1. You can also use the show privileged EXEC commands to display information about a specific interface or all the interfaces on the switch. fa 0/1. for example. The port numbers always begin at 1. To configure a physical interface (port). fastethernet 0/1 or gigabitethernet 0/1. Port number—The interface number on the switch. Gigabit Ethernet (gigabitethernet or gi) for 10/100/1000 Mb/s Ethernet ports. and enter interface configuration mode. and ENIs VLANs—switch virtual interfaces Port-channels—EtherChannel interfaces You can also configure a range of interfaces (see the “Configuring a Range of Interfaces” section on page 9-9). the port numbers restart with the second interface type: gigabitethernet 0/1. • Type—Fast Ethernet (fastethernet or fa) for 10/100 Mb/s Ethernet. in the preceding line. For example. specify the interface type. If there is more than one interface type (for example. The remainder of this chapter primarily provides physical interface configuration procedures. Step 3 If you are configuring a UNI or ENI. and the switch port number. End with CNTL/Z. Module number—The module or slot number on the switch (always 0 on the Cisco ME switch). NNIs. you can specify either fastethernet 0/1. Fast Ethernet port 1 is selected: Switch(config)# interface fastethernet0/1 Switch(config-if)# Note You do not need to add a space between the interface type and interface number. the module number. 10/100 ports and SFP module ports). or small form-factor pluggable (SFP) module Gigabit Ethernet interfaces. • • You can identify physical interfaces by physically checking the interface location on the switch. UNIs. fastethernet0/1. Step 1 Enter the configure terminal command at the privileged EXEC prompt: Switch# configure terminal Enter configuration commands. routed ports. Identify the interface type and the number of the connector.Chapter 9 Using Interface Configuration Mode Configuring Interfaces Using Interface Configuration Mode The switch supports these interface types: • • • Physical ports—switch ports. Procedures for Configuring Interfaces These general instructions apply to all interface configuration processes. one per line. In this example. Switch(config)# Step 2 Enter the interface global configuration command. enter the no shutdown interface configuration command to enable the interface: Switch(config-if)# no shutdown Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 9-8 OL-9639-10 . starting with the leftmost port when facing the front of the switch.

Step 3 Step 4 Step 5 Step 6 Step 7 no shutdown Enable the port. (Optional) Save your entries in the configuration file. Specify the range of interfaces (VLANs or physical ports) to be configured.{last port}. By default. Step 5 After you configure an interface. if necessary. Configuring a Range of Interfaces You can use the interface range global configuration command to configure multiple interfaces with the same configuration parameters. verify its status by using the show privileged EXEC commands listed in the “Monitoring and Maintaining the Interfaces” section on page 9-27. all command parameters that you enter are attributed to all interfaces within that range until you exit this mode. In a comma-separated port-range. The commands are collected and applied to the interface when you enter another interface command or enter end to return to privileged EXEC mode. UNIs and ENIs are disabled. You can also configure a range of interfaces by using the interface range or interface range macro global configuration commands. where the VLAN ID is 1 to 4094 – fastethernet module/{first port} . and enter interface range configuration mode. you do not need to re-enter the interface type. note these guidelines: • Valid entries for port-range: – vlan vlan-ID . When using the interface range global configuration command. Interfaces configured in a range must be the same type and must be configured with the same feature options. • • • configure terminal interface range {port-range} You can use the interface range command to configure up to five port ranges or a previously defined macro. but you must enter a space before the hyphen. When you enter the interface range configuration mode.vlan-ID. The commands that you enter define the protocols and applications that will run on the interface. end show interfaces [interface-id] copy running-config startup-config Return to privileged EXEC mode. You can now use the normal configuration commands to apply the configuration parameters to all interfaces in the range. Enter the show interfaces privileged EXEC command to see a list of all interfaces on or configured for the switch. follow these steps to configure a range of interfaces with the same parameters: Command Step 1 Step 2 Purpose Enter global configuration mode. Beginning in privileged EXEC mode. where the module is always 0 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 9-9 . and NNIs are enabled. you must enter the interface type for each entry and enter spaces before and after the comma. Verify the configuration of the interfaces in the range.Chapter 9 Configuring Interfaces Using Interface Configuration Mode Step 4 Follow each interface command with the interface configuration commands that the interface requires. In a hyphen-separated port-range. A report is provided for each interface that the device supports or for the specified interface.

The show running-config privileged EXEC command displays the configured VLAN interfaces. • This example shows how to use the interface range global configuration command to set the speed on ports 1 and 2 to 100 Mb/s: Switch# configure terminal Switch(config)# interface range fastethernet0/1 .2 Switch(config-if-range)# no shutdown Switch(config-if-range)# speed 100 This example shows how to use a comma to add different interface type strings to the range to enable Fast Ethernet ports 1 to 3 and Gigabit Ethernet ports 1 and 2 to receive IEEE 802. but you can enter multiple ranges in a command. all Gigabit Ethernet ports. or all VLANs). All interfaces defined as in a range must be the same type (all Fast Ethernet ports. Beginning in privileged EXEC mode. where the port-channel-number is 1 to 48 Note When you use the interface range command with port channels. gigabitethernet0/1 . the first and last port channel number must be active port channels. The commands are not batched together and executed after you exit interface range mode.Chapter 9 Using Interface Configuration Mode Configuring Interfaces – gigabitethernet module/{first port} .3. all EtherChannel ports.{last port}.3x flow control pause frames: Switch# configure terminal Switch(config)# interface range fastethernet0/1 . follow these steps to define an interface range macro: Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 9-10 OL-9639-10 . Before you can use the macro keyword in the interface range macro global configuration command string. Wait until the command prompt reappears before exiting interface range configuration mode.port-channel-number.2 Switch(config-if-range)# flowcontrol receive on If you enter multiple configuration commands while you are in interface range mode. some commands might not be executed on all interfaces in the range. where the module is always 0 – port-channel port-channel-number . Configuring and Using Interface Range Macros You can create an interface range macro to automatically select a range of interfaces for configuration. VLAN interfaces not displayed by the show running-config command cannot be used with the interface range command. • The interface range command only works with VLAN interfaces that have been configured with the interface vlan command. If you exit interface range configuration mode while the commands are being executed. you must use the define interface-range global configuration command to define the macro. each command is executed as it is entered.

For example. Use the no define interface-range macro_name global configuration command to delete a macro. (Optional) Save your entries in the configuration file. gigabitethernet0/1 . Show the defined interface range macro configuration. A macro can contain up to five comma-separated interface ranges. if necessary. Define the interface-range macro. UNIs and ENIs are disabled. • • • configure terminal define interface-range macro_name interface-range The macro_name is a 32-character maximum character string. Step 3 Step 4 no shutdown interface range macro macro_name Enable the port.{last port}. note these guidelines: • Valid entries for interface-range: – vlan vlan-ID . The VLAN interfaces must have been configured with the interface vlan command. By default. where the module is always 0 – port-channel port-channel-number . where the VLAN ID is 1 to 4094 – fastethernet module/{first port} . Step 5 Step 6 Step 7 end show running-config | include define copy running-config startup-config Return to privileged EXEC mode. Select the interface range to be configured using the values saved in the interface-range macro called macro_name. but you can combine multiple interface types in a macro.2 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 9-11 . and NNIs are enabled. When using the define interface-range global configuration command. Note When you use the interface ranges with port channels. or all VLANs). gigabitethernet0/1-2 is not a valid range. • • This example shows how to define an interface-range named enet_list to include ports 1 and 2 and to verify the macro configuration: Switch# configure terminal Switch(config)# define interface-range enet_list gigabitethernet0/1 . the first and last port channel number must be active port channels. VLAN interfaces not displayed by the show running-config command cannot be used as interface-ranges.Chapter 9 Configuring Interfaces Using Interface Configuration Mode Command Step 1 Step 2 Purpose Enter global configuration mode. Each interface-range must consist of the same port type.{last port}. all EtherChannel ports. where the module is always 0 – gigabitethernet module/{first port} . The show running-config privileged EXEC command displays the configured VLAN interfaces.2 is a valid range. where the port-channel-number is 1 to 48. You can now use the normal configuration commands to apply the configuration to all interfaces in the defined macro.port-channel-number. all Gigabit Ethernet ports. and save it in NVRAM. All interfaces defined as in a range must be the same type (all Fast Ethernet ports. • You must add a space between the first interface number and the hyphen when entering an interface-range.vlan-ID.

2 This example shows how to create a multiple-interface macro named macro1 and assign all of the interfaces in the range to a VLAN: Switch# configure terminal Switch(config)# define interface-range macro1 fastethernet0/1 .3x Flow Control. page 9-21 Adding a Description for an Interface. “Configuring VLANs. page 9-12 Configuring the Port Type. “Configuring Port-Based Traffic Control. page 9-22 Default Ethernet Interface Configuration Table 9-1 shows the Ethernet interface default configuration for NNIs. For more details on the VLAN parameters listed in the table. Switch# configure terminal Switch(config)# no define interface-range enet_list Switch(config)# end Switch# show run | include define Switch# Configuring Ethernet Interfaces • • • • • • • Default Ethernet Interface Configuration. see Chapter 22. see Chapter 11.2 Switch(config)# interface range macro macro1 Switch(config-if-range)# switchport access vlan 20 Switch(config-if-range)# no shut Switch(config-if-range)# end This example shows how to enter interface range configuration mode for the interface-range macro enet_list: Switch# configure terminal Switch(config)# interface range macro enet_list Switch(config-if-range)# This example shows how to delete the interface-range macro enet_list and to verify that it was deleted.” Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 9-12 OL-9639-10 . and Table 9-2 shows the Ethernet interface default configuration for UNIs and ENIs. gigabitethernet0/1 . page 9-14 Configuring Interface Speed and Duplex Mode.Chapter 9 Configuring Ethernet Interfaces Configuring Interfaces Switch(config)# end Switch# show running-config | include define define interface-range enet_list GigabitEthernet0/1 . page 9-20 Configuring Auto-MDIX on an Interface.” For details on controlling traffic to the port. page 9-18 Configuring IEEE 802.2. page 9-15 Configuring a Dual-Purpose Port.

None defined. Table 9-1 Default Ethernet Configuration for NNIs Feature Operating mode Allowed VLAN range Default VLAN (for access ports) Native VLAN (for IEEE 802. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 9-13 . VLAN 1 (Layer 2 interfaces only).1Q trunks) Default Setting Layer 2 or switching mode (switchport command). VLAN 1 (Layer 2 interfaces only). Table 9-2 Default Ethernet Configuration for UNIs and ENIs Feature Operating mode Allowed VLAN range Default VLAN (for access ports) Native VLAN (for IEEE 802. See Chapter 34. VLANs 1– 4094. “Configuring EtherChannels and Link-State Tracking. This shuts down the interface and then re-enables it. See the “Configuring Port Blocking” section on page 22-7. Disabled (only Layer 2 interfaces).” Disabled (not blocked) (only Layer 2 interfaces). Not configured. Switchport mode access (Layer 2 interfaces only). Disabled. you must enter the switchport interface configuration command without any parameters to put the interface into Layer 2 mode. and the interface is returned to its default configuration. Flow control is set to receive: off. Disabled on all Ethernet ports. Autonegotiate. VLANs 1– 4094. which might generate messages on the device to which the interface is connected.1Q trunks) VLAN trunking Port enable state Port description Speed Duplex mode IEEE 802. See the “Default Storm Control Configuration” section on page 22-3. and unicast storm control Port security Port Fast Auto-MDIX Cisco Discovery Protocol (CDP) VMPS Default Setting Layer 2 or switching mode (switchport command). Enabled. Enabled. Enabled. It is always off for sent packets. See the “Default Optional Spanning-Tree Configuration” section on page 16-5. See the “Default Port Security Configuration” section on page 22-11. Disabled. the previous configuration information related to the affected interface might be lost.Chapter 9 Configuring Interfaces Configuring Ethernet Interfaces Note To configure Layer 2 parameters. VLAN 1 (Layer 2 interfaces only). VLAN 1 (Layer 2 interfaces only). if the interface is in Layer 3 mode. multicast. When you put an interface that is in Layer 3 mode into Layer 2 mode.3x flow control EtherChannel Port blocking (unknown multicast and unknown unicast traffic) Broadcast. Autonegotiate.

See the “Default Port Security Configuration” section on page 22-11. “Configuring EtherChannels and Link-State Tracking.” Disabled (not blocked) (only Layer 2 interfaces). Autonegotiate. None defined. Disabled when no configuration file exists. CDP. multicast. For Layer 2 protocols.” When you change a port from NNI to UNI or ENI or the reverse. Disabled (only Layer 2 interfaces). If the switch is running the metro base or metro access image. You use the port-type interface configuration command to change the port types. Enabled. You can also configure the port type as ENI. Disabled. Configuring the Port Type By default. and Etherchannel LACP and PAgP. either in isolated or community mode. and unicast storm control Port security Auto-MDIX Default Setting Switchport mode access (Layer 2 interfaces only). See the “Configuring Port Blocking” section on page 22-7. any features exclusive to the port type revert to the default configuration. If you enter the keepalive command with no arguments. and LLDP. STP. the switch sends keepalive messages on UNI s and ENIs and does not send keepalive messages on NNIs. Changing the port type from UNI or ENI to NNI or from NNI to UNI or ENI has no effect on the keepalive status. Autonegotiate. Enabled. the default for UNIs and ENIs is disabled (although they can be enabled on ENIs) and the default for NNIs is enabled. only four ports on the switch can be configured as NNIs at one time. “Configuring VLANs. For more information about configuring UNI-ENI isolated and UNI-ENI community VLANs. An ENI has the same characteristics as a UNI. but it can be configured to support CDP. You can change the keepalive state from the default setting by entering the [no] keepalive interface configuration command. See Chapter 34. Disabled on all Ethernet ports. see Chapter 11. All ports on the switch can be configured as UNIs or ENIs. it inherits the configuration of the assigned VLAN. LLDP. all the 10/100 ports on the Cisco ME switch are configured as UNIs. When a port is changed from an NNI to a UNI or ENI. Note By default. Flow control is set to receive: off. and the SFP module ports are configured as NNIs.3x flow control EtherChannel Port blocking (unknown multicast and unknown unicast traffic) Broadcast. there is no limit to the number of NNIs that can be configured on the switch. It is always off for sent packets.Chapter 9 Configuring Ethernet Interfaces Configuring Interfaces Table 9-2 Default Ethernet Configuration for UNIs and ENIs (continued) Feature VLAN trunking Dynamic VLAN Port enable state Port description Speed Duplex mode IEEE 802.If the switch is running the metro IP access image. keepalive packets are sent with the default time interval (10 seconds) and number of retries (5). such as STP. See the “Default Storm Control Configuration” section on page 22-3. Entering the no keepalive command disables keepalive packets on the interface. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 9-14 OL-9639-10 .

which means that stations can either receive or send traffic. (Optional) Save your entries in the configuration file. note these guidelines: • You can configure interface speed on Fast Ethernet (10/100-Mb/s) and Gigabit Ethernet (10/100/1000-Mb/s) ports. and NNIs are enabled. or UNI. Enable the port. or 1000 Mb/s and in either full. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 9-15 . You can configure Fast Ethernet ports to full-duplex. page 9-16 Speed and Duplex Configuration Guidelines When configuring an interface speed and duplex mode. if necessary. two stations can send and receive traffic at the same time. Switch models include combinations of Fast Ethernet (10/100-Mb/s) ports.Chapter 9 Configuring Interfaces Configuring Ethernet Interfaces Beginning in privileged EXEC mode.or half-duplex mode. and small form-factor pluggable (SFP) module slots supporting SFP modules. End with CNTL/Z. This example shows how to change a port from a UNI to an NNI and save it to the running configuration. Verify the interface IEEE 802. UNIs and ENIs are disabled. or to autonegotiate mode. In full-duplex mode. Switch(config)# interface fastethernet0/1 Switch(config-if)# port-type nni Switch(config-if)# no shutdown 5d20h: %SYS-5-CONFIG_I: Configured from console by console Switch(config-if)# end Switch# copy running-config startup-config Configuring Interface Speed and Duplex Mode Ethernet interfaces on the switch operate at 10. Return to privileged EXEC mode. Normally. half-duplex. Gigabit Ethernet (10/100/1000-Mb/s) ports. These sections describe how to configure the interface speed and duplex mode: • • Speed and Duplex Configuration Guidelines. and enter interface configuration mode. Half-duplex mode is not supported on Gigabit Ethernet ports operating at 1000 Mb/s.3x flow control settings. 10-Mb/s ports operate in half-duplex mode. NNI. follow these steps to configure the port type on an interface: Command Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Purpose Enter global configuration mode Specify the interface to configure. By default. one per line. configure terminal interface interface-id no shutdown port-type {eni | nni | uni} end show interfaces interface-id copy running-config startup-config Entering the no port-type or default port-type interface configuration command returns the port to the default state: UNI for Fast Ethernet ports and NNI for Gigabit Ethernet ports. You can configure Gigabit Ethernet ports to full-duplex mode or to autonegotiate. Change a port to an ENI. Switch# configure terminal Enter configuration commands. You also can configure Gigabit Ethernet ports to half-duplex mode if the speed is 10 or 100 Mb/s. page 9-15 Setting the Interface Speed and Duplex Parameters. 100.

100. Enable the port. you can configure duplex • mode to auto or full. and NNIs are enabled. On the Cisco ME switch. they operate in full-duplex mode except in these situations: – When a Cisco1000BASE-T SFP module is in the SFP module slot. If one interface supports autonegotiation and the other end does not. if necessary. UNIs and ENIs are disabled. do not use the auto setting on the supported side. Setting the Interface Speed and Duplex Parameters Beginning in privileged EXEC mode. or auto. However. the switch can take up to 30 seconds to check for loops.Chapter 9 Configuring Ethernet Interfaces Configuring Interfaces • With the exception of when 1000BASE-T SFP modules are installed in the SFP module slots. • • • If both ends of the line support autonegotiation. By default. you cannot configure speed on SFP module ports. but not as nonegotiate. UNIs do not support STP. Caution Changing the interface speed and duplex mode configuration might shut down and re-enable the interface during the reconfiguration. On a 100BASE-FX SFP module. follow these steps to set the speed and duplex mode for a physical interface. Note On dual-purpose ports. changing the interface type by entering the media-type interface configuration command removes the speed and duplex configurations. – When a Cisco100BASE-FX SFP module is in the SFP module slot. When STP is enabled and a port is reconfigured. and enter interface configuration mode. Although the auto keyword is available. See the “Configuring a Dual-Purpose Port” section on page 9-18 for information about speed and duplex setting on these ports. but you can configure speed to not negotiate (nonegotiate) if connected to a device that does not support autonegotiation. when a 1000BASE-T SFP module is in the SFP module slot. Command Step 1 Step 2 Step 3 Purpose Enter global configuration mode. we highly recommend the default setting of auto negotiation. or 1000 Mb/s. You cannot configure duplex mode on SFP module ports. Specify the physical interface to be configured. it puts the interface in half-duplex mode (the default for this SFP module) because the 100BASE-FX SFP module does not support autonegotiation. Half-duplex mode is supported with the auto setting. STP is supported on NNIs by default and can be enabled on ENIs. you can configure duplex mode to half or full. you can configure speed as 10. you cannot configure the speed as nonegotiate. configure duplex and speed on both interfaces. The port LED is amber while STP reconfigures. configure terminal interface interface-id no shutdown Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 9-16 OL-9639-10 .

The 1000 keyword is available only for 10/100/1000 Mb/s ports or SFP module ports with a 1000BASE-T SFP module. This command is not available on SFP module ports with these exceptions: • • If a Cisco 1000BASE-T SFP module is inserted. the port autonegotiates only at the specified speeds. You can configure the duplex setting when the speed is set to auto. you can configure duplex to auto or to full. SFP module ports operate only at 1000 Mb/s but can be configured to not negotiate if connected to a device that does not support autonegotiation. Step 6 Step 7 Step 8 end show interfaces interface-id copy running-config startup-config Return to privileged EXEC mode. it puts the interface in half-duplex mode (the default). 100. Although the auto keyword is available. When a Cisco1000BASE-T SFP module is in the SFP module slot. 1000. You cannot configure half-duplex mode for interfaces operating at 1000 Mb/s. use the default interface interface-id interface configuration command. or the 1000 keywords with the auto keyword. Enable half-duplex mode (for interfaces operating only at 10 or 100 Mb/s). 100. (Optional) Save your entries in the configuration file. you can configure duplex to full or to half. This example shows how to set the interface speed to 10 Mb/s and the duplex mode to half on a 10/100 Mb/s port: Switch# configure terminal Switch(config)# interface fasttethernet0/3 Switch(config-if)# no shutdown Switch(config-if)# speed 10 Switch(config-if)# duplex half This example shows how to set the interface speed to 100 Mb/s on a 10/100/1000 Mb/s port: Switch# configure terminal Switch(config)# interface gigabitethernet0/2 Switch(config-if)# speed 100 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 9-17 . Use the no speed and no duplex interface configuration commands to return the interface to the default speed and duplex settings (autonegotiate). • • Note Step 5 duplex {auto | full | half} Enter the duplex parameter for the interface. The nonegotiate keyword is available only for SFP module ports. or 1000 to set a specific speed for the interface. If you use the 10. If a Cisco 100BASE-FX SFP module is inserted. Display the interface speed and duplex mode configuration.Chapter 9 Configuring Interfaces Configuring Ethernet Interfaces Command Step 4 Purpose Enter the appropriate speed parameter for the interface: • speed {10 | 100 | 1000 | auto [10 | 100 | 1000] | nonegotiate} Enter 10. 100. To return all interface settings to the defaults. Enter auto to enable the interface to autonegotiate speed with the connected device. but not to nonegotiate. the speed can be configured to 10. or to auto.

the switch gives preference to SFP mode if both copper and fiber-optic signals are simultaneously detected. In auto-select mode. you can use the media-type interface configuration command to manually select the RJ-45 connector or the SFP-module connector. By default. the dual-purpose ports (and the SFP-only module ports) use the frame size that is set with the system mtu jumbo global configuration command. if you want to configure a dual-purpose port as an NNI. Specify the dual-purpose port to be configured. Even when operating at 10 or 100 Mb/s. Each switch also has standard SFP-only module ports (gigabitethernet 0/13 through 0/16 on the Cisco ME 3400-12CS and 0/3 through 0/4 on the ME 3400-2CS switch). you can configure only four ports as NNIs. the dual-purpose ports are user-network interfaces (UNIs) and the SFP-only module ports are network node interfaces (NNIs). By default. This procedure is optional. Command Step 1 Step 2 Purpose Enter global configuration mode. and enter interface configuration mode. Note The dual-purpose ports are Gigabit Ethernet ports (gigabitethernet 0/1 through gigabitethernet 0/12 on the ME 3400-12CS and 0/1 and 0/2 on the ME 3400-2CS switch. If the switch is running the metro IP access image. you can configure any number of ports as NNIs. follow these steps to select which dual-purpose media type to activate. the switch activates only one connector of the pair. the switch dynamically selects the dual-purpose port media type that first links up. When running these images on an ME 3400-12CS switch. Each dual-purpose port is considered as a single interface with dual front ends (an RJ-45 connector and an SFP module connector). Beginning in privileged EXEC mode. Each dual-purpose port is considered as a single interface with dual front ends (an RJ-45 connector and an SFP module connector). The dual front ends are not redundant interfaces. configure terminal interface interface-id Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 9-18 OL-9639-10 . you must first change the port type of an SFP-only module port to UNI by entering the port-type uni interface configuration command so as not to exceed the switch maximum of four NNIs.Chapter 9 Configuring Ethernet Interfaces Configuring Interfaces Configuring a Dual-Purpose Port Some ports on the ME 3400-12CS and the ME 3400-2CS switches are dual-purpose ports that can be configured as 10/100/100 ports or as small form-factor pluggable (SFP) module ports. However. If the switch is running the metro base or metro access image.

When a linkup is achieved. even if there is a connector installed in that interface and no connector in the configured one. The switch configures both media types to autonegotiate speed and duplex (the default). Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 9-19 . the non-configured type is disabled. In auto-select mode. that interface is active and remains active until the media is removed or the switch is reloaded. use the no media-type interface configuration command. When the active link goes down. If you configure auto-select. Based on the type of installed SFP module. This is the default. it cannot attain a link even if the SFP side is down or if the SFP module is not present. you can configure the speed and duplex settings consistent with this interface type. If you connect a cable to the SFP port. You can configure the speed and duplex settings consistent with this interface type. the dual-purpose port behaves like a 10/100/1000BASE-TX interface. When the media type is auto-select. Verify your setting. Changing the interface type removes the speed and duplex configurations. If you install both types of media in an enabled dual-purpose port. If you connect a cable to the RJ-45 port. the switch uses these criteria to select the type: Note An SFP is not installed until it has a fiber-optic or copper cable plugged in. In this mode. To return to the default setting. the switch disables the other type until the active link goes down. rj45—The switch disables the SFP module interface. When you configure sfp or rj45 media type. the switch enables both types until one of them links up. The keywords have these meanings: • auto-select—The switch dynamically selects the media type. sfp—The switch disables the RJ-45 interface. it cannot attain a link even if the RJ-45 side is down or is not connected. • • Step 4 Step 5 Step 6 end show interfaces interface-id transceiver properties Return to privileged EXEC mode. the switch gives preference to the SFP module interface. See the media-type interface configuration command in the command reference for more information. • • • If only one connector is installed. and the switch is reloaded or the port is disabled and then reenabled through the shutdown and the no shutdown interface configuration commands. the switch selects the active link based on which type is installed first. the switch configures both types with autonegotiation of speed and duplex (the default).Chapter 9 Configuring Interfaces Configuring Ethernet Interfaces Command Step 3 Purpose media-type {auto-select | rj45 | sfp} Select the active interface and media type of a dual-purpose port. If both media are installed in the dual-purpose port. you cannot configure the speed and duplex interface configuration commands. copy running-config startup-config (Optional) Save your entries in the configuration file.

the port can receive pause frames. Note For details on the command settings and the resulting IEEE 802. By default. which prevents any loss of data packets during the congestion period. Note Ports can receive. use the flowcontrol receive off interface configuration command.3x flow control settings on the device: • • receive on (or desired): The port cannot send pause frames but can operate with an attached device that is required to or can send pause frames. Configure the IEEE 802. These rules apply to IEEE 802. You use the flowcontrol interface configuration command to set the interface’s ability to receive pause frames to on. or desired. pause frames.3x flow control. if necessary. it notifies the other port by sending a pause frame to stop sending until the condition clears. and NNIs are enabled. an interface can operate with an attached device that is required to send flow-control packets or with an attached device that is not required to but can send flow-control packets.3x flow control settings. configure terminal interface interface-id no shutdown flowcontrol {receive} {on | off | desired} end show interfaces interface-id copy running-config startup-config To disable IEEE 802.3x flow control on a port: Switch# configure terminal Switch(config)# interface gigabitethernet0/1 Switch(config-if)# flowcontrol receive on Switch(config-if)# end Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 9-20 OL-9639-10 . If one port experiences congestion and cannot receive any more traffic. Return to privileged EXEC mode. but not send.3x flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. Upon receipt of a pause frame.3x flow control on an interface: Command Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Purpose Enter global configuration mode Specify the physical interface to be configured. and no pause frames are sent or received by either device. In case of congestion. The default state is off. the sending device stops sending any data packets. Enable the port. and enter interface configuration mode. see the flowcontrol interface configuration command in the command reference for this release.3x flow control resolution on local and remote ports. When set to desired. UNIs and ENIs are disabled. Beginning in privileged EXEC mode. This example shows how to enable IEEE 802. (Optional) Save your entries in the configuration file.3x Flow Control IEEE 802.Chapter 9 Configuring Ethernet Interfaces Configuring Interfaces Configuring IEEE 802. off.3x flow control mode for the port.3x flow control does not operate in either direction. Verify the interface IEEE 802. follow these steps to configure IEEE 802. receive off: IEEE 802. no indication is given to the link partner.

Chapter 9 Configuring Interfaces Configuring Ethernet Interfaces Configuring Auto-MDIX on an Interface When automatic medium-dependent interface crossover (auto-MDIX) is enabled on an interface. This example shows how to enable auto-MDIX on a port: Switch# configure terminal Switch(config)# interface gigabitethernet0/1 Switch(config-if)# no shutdown Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 9-21 . configure terminal interface interface-id no shutdown speed auto duplex auto mdix auto end show controllers ethernet-controller Verify the operational state of the auto-MDIX feature on the interface. see the hardware installation guide. use the no mdix auto interface configuration command. UNIs and ENIs are disabled. It is not supported on 1000 BASE-SX or -LX SFP module interfaces. When connecting switches without the auto-MDIX feature. Table 9-3 shows the link states that result from auto-MDIX settings and correct and incorrect cabling. follow these steps to configure auto-MDIX on an interface: Command Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Purpose Enter global configuration mode Specify the physical interface to be configured. if necessary. you must use straight-through cables to connect to devices such as servers. Enable auto-MDIX on the interface. Auto-MDIX is enabled by default. With auto-MDIX enabled. When you enable auto-MDIX. and NNIs are enabled. To disable auto-MDIX. Enable the port. workstations. For more information about cabling requirements. Configure the interface to autonegotiate speed with the connected device. you must also set the speed and duplex on the interface to auto so that the feature operates correctly. Return to privileged EXEC mode. the interface automatically detects the required cable connection type (straight through or crossover) and configures the connection appropriately. you can use either type of cable to connect to other devices. By default. and the interface automatically corrects for any incorrect cabling. Configure the interface to autonegotiate duplex mode with the connected device. interface-id phy copy running-config startup-config (Optional) Save your entries in the configuration file. Table 9-3 Link Conditions and Auto-MDIX Settings Local Side Auto-MDIX On On Off Off Remote Side Auto-MDIX With Correct Cabling On Off On Off Link up Link up Link up Link up With Incorrect Cabling Link up Link up Link up Link down Beginning in privileged EXEC mode. and enter interface configuration mode. or routers and crossover cables to connect to other switches or repeaters. Auto-MDIX is supported on all 10/100 and 10/100/1000 Mb/s interfaces and on Cisco 10/100/1000 BASE-T/TX SFP module interfaces.

Chapter 9 Configuring Layer 3 Interfaces Configuring Interfaces Switch(config-if)# Switch(config-if)# Switch(config-if)# Switch(config-if)# speed auto duplex auto mdix auto end Adding a Description for an Interface You can add a description about an interface to help you remember its function. show running-config. You cannot delete interface VLAN 1. Add a description (up to 240 characters) for an interface. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. End with CNTL/Z. SVIs are created when you enter a VLAN ID following the interface vlan global configuration command. Beginning in privileged EXEC mode. Return to privileged EXEC mode. use the no interface vlan global configuration command. To delete an SVI. Switch(config)# interface gigabitethernet0/2 Switch(config-if)# description Connects to Marketing Switch(config-if)# end Switch# show interfaces gigabitethernet0/2 description Interface Status Protocol Description Gi 0/2 admin down down Connects to Marketing Configuring Layer 3 Interfaces The switch must be running the metro IP access image to support Layer 3 interfaces. Specify the interface for which you are adding a description. configure terminal interface interface-id description string end or show running-config show interfaces interface-id description Verify your entry. follow these steps to add a description for an interface: Command Step 1 Step 2 Step 3 Step 4 Step 5 Purpose Enter global configuration mode. and show interfaces. The Cisco ME switch supports these types of Layer 3 interfaces: • SVIs: You should configure SVIs for any VLANs for which you want to route traffic. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 9-22 OL-9639-10 . Use the no description interface configuration command to delete the description. The description appears in the output of these privileged EXEC commands: show configuration. and enter interface configuration mode. This example shows how to add a description on a port and how to verify the description: Switch# config terminal Enter configuration commands. one per line.

and the interface is returned to its default configuration Beginning in privileged EXEC mode. Return to privileged EXEC mode. an error message is generated. no shutdown no switchport ip address ip_address subnet_mask no shutdown end Enable the port. Furthermore. “Configuring EtherChannels and Link-State Tracking.” A Layer 3 switch can have an IP address assigned to each routed port and SVI. and enter interface configuration mode. and the switch sends a message that this was due to insufficient hardware resources. see Chapter 11. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 9-23 . Layer 3 EtherChannel ports: EtherChannel interfaces made up of routed ports. the interrelationship between the number of SVIs and routed ports and the number of other features being configured might have an impact on CPU usage because of hardware limitations. and the extended-range VLAN is rejected. However. “Configuring VLANs. the switch generates a message that there are not enough resources to convert the interface to a routed port. This procedure shows how to configure an interface as a Layer 3 interface and how to assign an IP address to an interface.” • • Routed ports: Routed ports are physical ports configured to be in Layer 3 mode by using the no switchport interface configuration command. Entering a no switchport command disables and then re-enables the interface. it does not become active until it is associated with a physical port. configure terminal interface {{fastethernet | gigabitethernet} interface-id} Specify the interface to be configured as a Layer 3 | {vlan vlan-id} | {port-channel port-channel-number} interface. you must enter the no switchport interface configuration command to put the interface into Layer 3 mode. Enable the interface. the VLANs are created. If the switch attempts to boot up with a configuration that has more VLANs and routed ports than hardware can support. If the switch is using maximum hardware resources. if necessary. and the interface remains as a switch port. which might generate messages on the device to which the interface is connected. EtherChannel port interfaces are described in Chapter 34. If you try to create an extended-range VLAN. Note If the physical port is in Layer 2 mode (the default). but the routed ports are shut down. There is no defined limit to the number of SVIs and routed ports that can be configured in a switch. UNIs and ENIs are disabled. attempts to create a routed port or SVI have these results: • • • If you try to create a new routed port. follow these steps to configure a Layer 3 interface: Command Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Purpose Enter global configuration mode. when you put an interface that is in Layer 2 mode into Layer 3 mode. For information about assigning Layer 2 ports to VLANs. and NNIs are enabled. enter Layer 3 mode. By default.Chapter 9 Configuring Interfaces Configuring Layer 3 Interfaces Note When you create an SVI. Configure the IP address and IP subnet. For physical ports only. All Layer 3 interfaces require an IP address to route traffic. the previous configuration information related to the affected interface might be lost.

the routing MTU size automatically defaults to the new system MTU size. Note You cannot configure a routing MTU size that exceeds the system MTU size. you must reload the switch before the new configuration takes effect.Chapter 9 Configuring the System MTU Configuring Interfaces Command Step 8 Purpose Verify the configuration. use the no ip address interface configuration command. the configuration change is accepted.21 255. one per line.0 Configuring the System MTU The default maximum transmission unit (MTU) size for frames received and sent on all interfaces on the switch is 1500 bytes.135. The system mtu routing command does not require a switch reset to take effect. frames received on the interface that are greater than the configured size are dropped.2(55)SE. You can change the MTU size for routed ports by using the system mtu routing global configuration command. When the configuration change takes effect. You do not set the MTU size for an individual interface. You can configure an alternate MTU size for Fast Ethernet or Gigabit Ethernet interfaces. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 9-24 OL-9639-10 .255. You can define only one alternate MTU size on the switch. When you change the system MTU size. enter the system mtu alternate bytes global configuration command. but you can apply it to multiple interfaces. To define an alternate MTU size. You then apply the alternate size to specified interfaces by using the system mtu alternate interface interface-id global configuration command. You can increase the MTU size for all interfaces operating at 10 or 100 Mb/s by using the system mtu global configuration command. If you change the system MTU size to a value smaller than the currently configured routing MTU size. To remove an IP address from an interface. the setting of the system mtu command applies to all Gigabit Ethernet interfaces.255. Gigabit Ethernet ports MTU size is configured by the system mtu jumbo command.20. you set it for all 10/100 or all Gigabit Ethernet interfaces on the switch. but you cannot apply an alternate MTU size greater than 1998 bytes on a Fast Ethernet interface. show interfaces [interface-id] show ip interface [interface-id] show running-config interface [interface-id] Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file. but not applied until the next switch reset. Fast Ethernet ports are not affected by this command because jumbo frames are not supported on 10/100 interfaces. including 100BASE-FX and 100BASE-BX SFP modules. End with CNTL/Z. If you do not configure the system mtu jumbo command. Switch(config)# interface gigabitethernet0/2 Switch(config-if)# no switchport Switch(config-if)# ip address 192. you can set an alternate MTU size to be applied so specific interfaces by using the system mtu alternate global configuration command. The range of the alternate MTU is between the configured system mtu and system jumbo mtu sizes (1500 to 9000 bytes). This example shows how to configure a port as a routed port and to assign it an IP address: Switch# configure terminal Enter configuration commands. Starting with Cisco IOS Release 12. The alternate MTU size has no effect on the routing MTU size. When you apply an alternate MTU size to an interface. You can increase the MTU size to support jumbo frames on all Gigabit Ethernet interfaces by using the system mtu jumbo global configuration command.

Chapter 9 Configuring Interfaces Configuring the System MTU When you configure an alternate MTU size. the packet is dropped. (Optional) Change the MTU size for all Gigabit Ethernet interfaces on the switch. the Open Shortest Path First (OSPF) protocol uses this MTU value before setting up an adjacency with a peer router. Because the switch does not fragment packets. To view the MTU value for routed packets for a specific VLAN. the routed MTU is never greater than the system MTU for any VLAN. if you use TFTP to configure a new switch by using a backup configuration file and want the system MTU to be other than the default. Frames sizes that can be received by the switch CPU are limited to 1998 bytes. Telnet. Beginning in privileged EXEC mode. The MTU settings you enter with the system mtu and system mtu jumbo commands are not saved in the switch configuration file. follow these steps to change the MTU size for all 10/100 or Gigabit Ethernet interfaces and to set an alternate MTU size for specified interfaces: Command Step 1 Step 2 Purpose Enter global configuration mode. For example. jumbo frames received on a Layer 2 Gigabit Ethernet interface and sent on a Layer 2 10/100 interface are dropped. The default is 1500 bytes. even if you enter the copy running-config startup-config privileged EXEC command. you must reload the switch before the configuration takes effect. Note The system MTU setting is saved in the switch environmental variable in NVRAM and becomes effective when the switch reloads. use the show platform port-asic mvid privileged EXEC command. if the system mtu value is 1998 bytes and the system mtu jumbo value is 5000 bytes. Note If Layer 2 Gigabit Ethernet interfaces are configured to accept frames greater than the 10/100 interfaces. That is. such as traffic sent to control traffic. no matter what value you entered with the system mtu or system mtu jumbo commands. or routing protocols. However. The routing protocols use the system MTU value when negotiating adjacencies and the MTU of the link. Therefore. Although frames that are forwarded or routed are typically not received by the CPU. although a packet larger than 1998 bytes can be received on an interface operating at 1000 Mb/s. SNMP. The default is 1500 bytes. packets up to 5000 bytes can be received on interfaces operating at 1000 Mb/s. if its destination interface is operating at 10 or 100 Mb/s. configure terminal system mtu bytes Step 3 system mtu jumbo bytes Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 9-25 . The MTU value used for routed ports is derived from the configured system mtu value (not the system mtu jumbo value). (Optional) Change the MTU size for all interfaces on the switch that are operating at 10 or 100 Mb/s. it drops: • • switched packets larger than the packet size supported on the egress interface routed packets larger than the routing MTU value For example. The range is 1500 to 9000 bytes. in some cases packets are sent to the CPU. The range is 1500 to 1998 bytes. Routed packets are subjected to MTU checks on the sending ports. you must explicitly configure the system mtu and system mtu jumbo settings on the new switch and then reload the switch.

Changes are not applied until you reload the switch: Switch(config)# system mtu alternate interface range gigabitethernet 0/1-10 Changes to the Alternate MTU on interface(s) will not take effect until the next reload is done Switch(config)# exit Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 9-26 OL-9639-10 . to define an alternate MTU size of 1700 bytes and apply it to Gigabit Ethernet port 0/8. the value is not accepted. The range is 1500 to the system MTU value. If you enter a value that is outside the allowed range for the specific type of interface. This example shows how to set the maximum packet size for Gigabit Ethernet ports to 1800 bytes. To verify the MTU setting on an interface.Chapter 9 Configuring the System MTU Configuring Interfaces Command Step 4 Purpose (Optional) Set an alternate MTU size. The range is between the configured system MTU size and the configured jumbo MTU size (1500 to 9000 bytes). system mtu alternate bytes Step 5 Step 6 system mtu alternate interface {interface-id | range interface-range} system mtu routing bytes Step 7 Step 8 end reload Return to privileged EXEC mode. enter the show interface interface-id mtu. you can verify your settings by entering the show system mtu privileged EXEC command. This example shows how to set the maximum packet size for a Gigabit Ethernet port to 1800 bytes: Switch(config)# system mtu jumbo 1800 Switch(config)# exit Switch# reload This example shows the response when you try to set Gigabit Ethernet interfaces to an out-of-range number: Switch(config)# system mtu jumbo 25000 ^ % Invalid input detected at '^' marker. they cannot be routed. The default is 1500 bytes. Although larger packets can be accepted. (Optional) Apply the alternate MTU size to the specified interface or range of interfaces. (Optional) Change the system MTU for routed ports. Reload the operating system. Changes are not applied until you reload the switch: Switch(config)# system mtu jumbo 1800 Switch(config)# system mtu alternate 1700 Changes to the Alternate MTU will not take effect until the next reload is done Switch(config)# system mtu alternate interface gigabitethernet 0/8 Changes to the Alternate MTU on interface will not take effect until the next reload is done Switch(config)# exit Switch# reload This example shows how to apply the alternate MTU to Gigabit Ethernet interfaces 1 to 10. After the switch reloads. the maximum MTU that can be routed for all ports.

Chapter 9 Configuring Interfaces Monitoring and Maintaining the Interfaces Monitoring and Maintaining the Interfaces • • • Monitoring Interface Status. show interfaces [interface-id] description show ip interface [interface-id] show interface [interface-id] stats Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 9-27 . Display administrative and operational status of switching mode. (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt. You can use this command to find out if a port is in routing or in switching mode. and statistics about the interfaces. including the versions of the software and the hardware. Display the MTU setting on an interface. Display the input and output packets by the switching path for the interface. page 9-27 Clearing and Resetting Interfaces and Counters. Table 9-4 lists some of these interface monitoring commands. page 9-29 Monitoring Interface Status Commands entered at the privileged EXEC prompt display information about the interface. Display the usability status of all interfaces configured for IP routing or the specified interface. page 9-28 Shutting Down and Restarting the Interface. the configuration. Release 12.) These commands are fully described in the Cisco IOS Interface Command Reference. Display interface status or a list of interfaces in an error-disabled state. Table 9-4 Show Commands for Interfaces Command show interfaces [interface-id] show interfaces interface-id status [err-disabled] show interfaces [interface-id] mtu show interfaces [interface-id] switchport Purpose Display the status and configuration of all interfaces or a specific interface. Display the description configured on an interface or all interfaces and the interface status.2.

To clear the interface counters shown by the show interfaces privileged EXEC command. • detail–(Optional) Display calibration properties. properties–(Optional) Display speed. The range is 1 to 9. Clearing and Resetting Interfaces and Counters Table 9-5 lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces. Display the operational state of the auto-MDIX feature on the interface. and inline power settings on an interface threshold-table–(Optional) Display alarm and warning threshold table • • • • show interfaces [interface-id] [{transceiver properties | detail}] module number] show port-type [eni | nni | uni] show running-config interface [interface-id] show version show controllers ethernet-controller interface-id phy Display physical and operational status about an SFP module. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 9-28 OL-9639-10 . the names and sources of configuration files. including high and low numbers and any alarm information for any Digital Optical Monitoring (DoM)-capable transceiver if one is installed in the switch. module number–(Optional) Limit display to interfaces on module on the switch. dom-supported-list–(Optional) List all supported DoM transceivers. use the clear counters privileged EXEC command. software version. Reset the hardware logic on an asynchronous serial line.Chapter 9 Monitoring and Maintaining the Interfaces Configuring Interfaces Table 9-4 Show Commands for Interfaces (continued) Command Purpose show interfaces [interface-id] transceiver [detail | Display these physical and operational status about an SFP module: dom-supported-list | module number | properties | • interface-id–(Optional) Display configuration and status for a threshold-table] specified physical interface. The clear counters command clears all current interface counters from the interface unless you specify optional arguments that clear only a specific interface type from a specific interface number. Display the running configuration in RAM for the interface. duplex. and the boot images. Table 9-5 Clear Commands for Interfaces Command clear counters [interface-id] clear interface interface-id clear line [number | console 0 | vty number] Purpose Clear interface counters. Reset the hardware logic on an interface. Display the hardware configuration. This option is not available if you entered a specific interface ID. Display interface type information for the Cisco ME switch.

This information is communicated to other network servers through all dynamic routing protocols. Beginning in privileged EXEC mode. enter the show interfaces privileged EXEC command. A disabled interface is shown as administratively down in the display.Chapter 9 Configuring Interfaces Monitoring and Maintaining the Interfaces Note The clear counters privileged EXEC command does not clear counters retrieved by using Simple Network Management Protocol (SNMP). configure terminal interface {vlan vlan-id} | {{fastethernet | gigabitethernet} Select the interface to be configured. interface-id} | {port-channel port-channel-number} shutdown end show running-config Shut down an interface. Verify your entry. Shutting Down and Restarting the Interface Shutting down an interface disables all functions on the specified interface and marks the interface as unavailable on all monitoring command displays. Use the no shutdown interface configuration command to enable an interface. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 9-29 . Return to privileged EXEC mode. but only those seen with the show interface privileged EXEC command. The interface is not mentioned in any routing updates. follow these steps to shut down an interface: Command Step 1 Step 2 Step 3 Step 4 Step 5 Purpose Enter global configuration mode. To verify that an interface is disabled.

Chapter 9 Monitoring and Maintaining the Interfaces Configuring Interfaces Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 9-30 OL-9639-10 .

page 10-5 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 10-1 . The new commands are added to the interface and are saved in the running configuration file. When the macro is applied to an interface. page 10-2 Command Macro Configuration Guidelines. page 10-2 Creating Command Macros. Note For complete syntax and usage information for the commands used in this chapter. or to a range of interfaces. • • • • • Default Command Macro Configuration. page 10-3 Applying Command Macros. see the command reference for this release. Command macros do not contain new CLI commands. • • • Understanding Command Macros. page 10-5 Understanding Command Macros Command macros provide a convenient way to save and share common configurations.CH A P T E R 10 Configuring Command Macros This chapter describes how to configure and apply command macros on the Cisco ME 3400 switch. page 10-1 Displaying Command Macros. When you apply a command macro on an interface. to a switch interface. After you create the macro. Each command macro is a set of command-line interface (CLI) commands that you define. page 10-4 Displaying Command Macros. you can apply it globally to a switch. Configuring Command Macros You can create a new command macro or use an existing macro as a template to create a new macro that is specific to your application. page 10-1 Configuring Command Macros. You can use command macros to enable features and settings based on the location of a switch in the network and for mass configuration deployments across the network. they are simply a group of existing CLI commands. the existing interface configurations are not lost. the CLI commands within the macro are configured on the interface.

All matching occurrences of the keyword are replaced with the corresponding value. UNIs and ENIs are disabled by default. If a command fails because of a syntax error or a configuration error.Chapter 10 Configuring Command Macros Configuring Command Macros Default Command Macro Configuration There are no command macros enabled. it is still applied to the remaining interfaces. do not use the exit or end commands or change the command mode by using interface interface-id. • • • • • • • • • • • Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 10-2 OL-9639-10 . Keyword matching is case sensitive. and the switch will return an error message. You can display the applied commands and macro names by using the show running-config user EXEC command. Command Macro Configuration Guidelines Follow these guidelines when configuring macros on your switch: • When creating a macro. end. You need to reapply the updated macro on the interface to apply the new or changed commands. If a macro is applied to an interface that does not accept the configuration. Some CLI commands are specific to certain interface types. When creating a macro that requires the assignment of unique values. If you modify a macro definition by adding or deleting commands. the macro name is automatically added to the switch or interface. you must first enable the port. For example. the macro is applied sequentially to each interface within the range. This is helpful when applying an incremental configuration. Any full match of a keyword. When you apply a macro to a user network interface (UNI) or enhanced network interface (ENI). the macro continues to apply the remaining commands. use the parameter value keywords to designate values specific to the interface. Some macros might contain keywords that require a parameter value. Applying a macro to an interface range is the same as applying a macro to a single interface. all existing configuration on the interface is retained. the macro will fail the syntax check or the configuration check. When you apply a macro to a switch or a switch interface. is considered a match and is replaced by the corresponding value. even if it is part of a larger string. or interface interface-id to execute in a different command mode. This could cause commands that follow exit. When a macro is applied globally to a switch or to a switch interface. the commands are invalid and are not applied. You can use the macro global trace macro-name global configuration command or the macro trace macro-name interface configuration command to apply and debug a macro to find any syntax or configuration errors. Macro names are case sensitive. When creating a macro. the commands macro name Sample-Macro and macro name sample-macro will result in two separate macros. You can use the macro global apply macro-name ? global configuration command or the macro apply macro-name ? interface configuration command to display a list of any required values in the macro. If you apply a macro without entering the keyword values. all CLI commands should be in the same configuration mode. the changes are not reflected on the interface where the original macro was applied. When you use an interface range. If a macro command fails on one interface.

For example. or interface interface-id to execute in a different command mode. the commands macro name Sample-Macro and macro name sample-macro will result in two separate macros. Macro names are case sensitive. Enter # macro keywords word to define the keywords that are available for use with the macro. end. For best results. The no form of the macro name global configuration command only deletes the macro definition. Create a macro definition. We recommend that you do not use the exit or end commands or change the command mode by using interface interface-id in a macro. Enter the macro commands with one command per line.Chapter 10 Configuring Command Macros Configuring Command Macros Creating Command Macros Beginning in privileged EXEC mode. and enter a macro name. all commands in a macro should be in the same configuration mode. configure terminal macro name macro-name Step 3 Step 4 end show parser macro name macro-name Return to privileged EXEC mode. Separated by a space. follow these steps to create a command macro: Command Step 1 Step 2 Purpose Enter global configuration mode. (Optional) You can define keywords within a macro by using a help string to specify the keywords. This example shows how to create a macro that defines the switchport access VLAN and the number of secure MAC addresses and also includes two help string keywords by using # macro keywords: Switch(config)# macro name test switchport access vlan $VLANID switchport port-security maximum $MAX #macro keywords $VLANID $MAX @ Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 10-3 . A macro definition can contain up to 3000 characters. Use the # character at the beginning of a line to enter comment text within the macro. It does not affect the configuration of those interfaces on which the macro is already applied. Use the @ character to end the macro. you can enter up to three help string keywords in a macro. Verify that the macro was created. This could cause any commands following exit.

the commands are invalid and are not applied. You can use the macro apply macro-name ? command to display a list of any required values in the macro. follow these steps to apply a command macro: Command Step 1 Step 2 Purpose Enter global configuration mode. Enable the port. Specify macro trace macro-name to apply and debug a macro to find any syntax or configuration errors. Apply each individual command defined in the macro to the switch by entering macro global apply macro-name. Return to privileged EXEC mode. if necessary. All matching occurrences of the keyword are replaced with the corresponding value. Some macros might contain keywords that require a parameter value. and specify the interface on which to apply the macro. Parameter keyword matching is case sensitive. Apply each individual command defined in the macro to the interface by entering macro apply macro-name. (Optional) Specify unique parameter values that are specific to the switch. (Optional) Specify unique parameter values that are specific to the interface. All matching occurrences of the keyword are replaced with the corresponding value. UNIs and enhanced network interfaces (ENIs) are disabled. (Optional) Save your entries in the configuration file. If you apply a macro without entering the keyword values. If you apply a macro without entering the keyword values. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 10-4 OL-9639-10 . configure terminal macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}] Step 3 Step 4 Step 5 macro global description text interface interface-id no shutdown (Optional) Enter a description about the macro that is applied to the switch. and network node interfaces (NNIs) are enabled. You can enter up to three keyword-value pairs.Chapter 10 Configuring Command Macros Configuring Command Macros Applying Command Macros Beginning in privileged EXEC mode. Verify that the macro is applied to the interface. Parameter keyword matching is case sensitive. the commands are invalid and are not applied. Specify macro global trace macro-name to apply and debug a macro to find any syntax or configuration errors. By default. You can enter up to three keyword-value pairs. Step 6 Step 7 default interface interface-id macro {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}] Step 8 Step 9 Step 10 Step 11 macro description text end show parser macro description [interface interface-id] copy running-config startup-config (Optional) Enter a description about the macro that is applied to the interface. (Optional) Enter interface configuration mode. (Optional) Clear all configuration from the specified interface. Some macros might contain keywords that require a parameter value. You can use the macro global apply macro-name ? command to display a list of any required values in the macro.

and to set the IP precedence value to 7: Switch(config)# macro global apply snmp ADDRESS test-server VALUE 7 This example shows how to debug the user-created macro called snmp by using the macro global trace global configuration command to find any syntax or configuration errors in the macro when it is applied to the switch.. Table 10-1 Commands for Displaying Command Macros Command show parser macro show parser macro name macro-name show parser macro brief show parser macro description [interface interface-id] Purpose Displays all configured macros.. use one or more of the privileged EXEC commands in Table 10-1.. Displays a specific macro....‘snmp-server enable traps linkup’ Applying command.. You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command.‘snmp-server enable traps port-security’ Applying command. Applying command. This example shows how to apply the user-created macro called snmp.Chapter 10 Configuring Command Macros Displaying Command Macros You can delete a global macro-applied configuration on a switch only by entering the no version of each command that is in the macro.‘snmp-server ip precedence 7’ This example shows how to apply the user-created macro called desktop-config and to verify the configuration... Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 10-5 .‘snmp-server host’ %Error Unknown error. Displays the configured macro names. Switch(config)# macro global trace snmp VALUE 7 Applying command.. Displays the macro description for all interfaces or for a specified interface. Switch(config)# interface gigabitethernet0/2 Switch(config-if)# macro apply desktop-config Switch(config-if)# end Switch# show parser macro description Interface Macro Description -------------------------------------------------------------Gi0/2 desktop-config -------------------------------------------------------------- This example shows how to apply the user-created macro called desktop-config and to replace all occurrences of VLAN 1 with VLAN 25: Switch(config-if)# macro apply desktop-config vlan 25 Displaying Command Macros To display the command macros.‘snmp-server enable traps linkdown’ Applying command. to set the hostname address to test-server.

Chapter 10 Displaying Command Macros Configuring Command Macros Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 10-6 OL-9639-10 .

It includes information about VLAN membership modes. as shown in Figure 11-1. and unicast. VLAN configuration modes. “Configuring STP. See Chapter 14. or application. Because a VLAN is considered a separate logical network.CH A P T E R 11 Configuring VLANs This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Cisco ME 3400 Ethernet Access switch. page 11-23 Understanding VLANs A VLAN is a switched network that is logically segmented by function. page 11-7 Displaying VLANs.” Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 11-1 . • • • • • Understanding VLANs. page 11-1 Creating and Modifying VLANs. project team. Each VLAN is considered a logical network. without regard to the physical locations of the users. it contains its own bridge MIB information and can support its own implementation of spanning tree. and multicast packets are forwarded and flooded only to end stations in the VLAN. VLAN trunks. Any switch port can belong to a VLAN. page 11-14 Configuring VMPS. but you can group end stations even if they are not physically located on the same LAN segment. Note For complete syntax and usage information for the commands used in this chapter. see the command reference for this release. and packets destined for stations that do not belong to the VLAN must be forwarded through a router. page 11-14 Configuring VLAN Trunks. broadcast. VLANs have the same attributes as physical LANs. and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS).

all the end stations in a particular IP subnet belong to the same VLAN. Note The switch does not support VLAN Trunking Protocol (VTP). or static. For example. page 11-5 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 11-2 OL-9639-10 . Switches that are running the metro IP access image can route traffic between VLANs by using switch virtual interfaces (SVIs). Figure 11-1 VLANs as Logically Defined Networks Engineering VLAN Cisco router Marketing VLAN Accounting VLAN Floor 3 Gigabit Ethernet Floor 2 Floor 1 90571 VLANs are often associated with IP subnetworks. page 11-3 Normal-Range VLANs. see the “Switch Virtual Interfaces” section on page 9-5 and the “Configuring Layer 3 Interfaces” section on page 9-22. page 11-4 UNI-ENI VLANs.Chapter 11 Understanding VLANs Configuring VLANs Figure 11-1 shows an example of VLANs segmented into logically defined networks. VLAN membership. Interface VLAN membership on the switch is assigned manually on an interface-by-interface basis. page 11-3 Extended-Range VLANs. page 11-4 VLAN Port Membership Modes. This section includes these topics: • • • • • Supported VLANs. Traffic between VLANs must be routed. When you assign switch interfaces to VLANs by using this method. For more information. it is known as interface-based. an SVI must be explicitly configured and assigned an IP address. To route traffic between VLANs.

FDDI network entity title [NET].dat file. If you want to modify the VLAN configuration. or TrCRF. VLAN IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs. and other configured features affects the use of the switch hardware. TrBRF. See the “VLAN Configuration Guidelines” section on page 11-8 for more information about the number of spanning-tree instances and the number of VLANs. SVIs. Fiber Distributed Data Interface [FDDI]. Caution You can cause inconsistency in the VLAN database if you try to manually delete the vlan. The vlan. Token Ring. use the commands described in these sections and in the command reference for this release. Normal-Range VLANs Normal-range VLANs are VLANs with VLAN IDs 1 to 1005.dat file is stored in flash memory. The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. and you can display them by entering the show vlan privileged EXEC command. You can set these parameters when you create a new normal-range VLAN or modify an existing VLAN in the VLAN database: • • • VLAN ID VLAN name VLAN type (Ethernet. Although the switch supports a total of 1005 (normal-range and extended-range) VLANs. modify or remove configurations for VLANs 2 to 1001 in the VLAN database. Note Network node interfaces (NNIs) support STP by default. You can add.Chapter 11 Configuring VLANs Understanding VLANs Supported VLANs VLANs are identified with a number from 1 to 4094. One spanning-tree instance is allowed per VLAN. VLAN IDs greater than 1005 are extended-range VLANs and are not stored in the VLAN database.dat file.) Configurations for VLAN IDs 1 to 1005 are written to the file vlan. Enhanced network interfaces (ENIs) can be configured to support STP. the number of routed ports. but these parameters are not used.1Q trunking for sending VLAN traffic over Ethernet ports. The switch supports IEEE 802. You can configure parameters for FDDI and Token Ring VLANs and view the results in the vlan. Token Ring-Net) Note The switch supports only Ethernet VLANs. VLAN state (active or suspended) Maximum transmission unit (MTU) for the VLAN Security Association Identifier (SAID) • • • Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 11-3 . User network interfaces (UNIs) do not support STP and by default are always in a forwarding state.dat (VLAN database). (VLAN IDs 1 and 1002 to 1005 are automatically created and cannot be removed.

the actual number of VLANs supported is 1005.” UNI-ENI VLAN configuration • For extended-range VLANs.” Remote SPAN VLAN. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 11-4 OL-9639-10 . “Configuring Private VLANs. Configure the VLAN as the Remote Switched Port Analyzer (RSPAN) VLAN for a remote SPAN session. Note This chapter does not provide configuration details for most of these parameters. but they are stored in the switch running configuration file. remote SPAN VLAN. For more information on remote SPAN. Extended-range VLAN configurations are not stored in the VLAN database. see Chapter 26. Extended-Range VLANs You can create extended-range VLANs (in the range 1006 to 4094) to enable service providers to extend their infrastructure to a greater number of customers. For information about private VLANs. Table 11-1 lists the membership modes and characteristics. Note Although the switch supports 4094 VLAN IDs. and UNI-ENI VLAN parameters. VLAN Port Membership Modes You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic that the port carries and the number of VLANs to which it can belong. “Configuring SPAN and RSPAN. you can configure only MTU. see the command reference for this release. For complete information on the commands and parameters that control VLAN configuration. Configure the VLAN as a primary or secondary private VLAN. private VLAN. and you can save the configuration in the startup configuration file by using the copy running-config startup-config privileged EXEC command.Chapter 11 Understanding VLANs Configuring VLANs • • • • • • • Bridge identification number for TrBRF VLANs Ring number for FDDI and TrCRF VLANs Parent VLAN number for TrCRF VLANs Spanning Tree Protocol (STP) type for TrCRF VLANs VLAN number to use when translating from one VLAN type to another Private VLAN. The extended-range VLAN IDs are allowed for any switchport commands that allow VLAN IDs. see Chapter 12.

see Chapter 12. Note Only UNIs or ENIs can be dynamic-access ports. When a port belongs to a VLAN. When customer traffic enters or leaves the service-provider network. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 11-5 . see Table 11-4 on page 11-15. but membership can be limited by configuring the allowed-VLAN list. the switch learns and manages the addresses associated with the port on a per-VLAN basis. Private VLAN A private VLAN port is a host or promiscuous port that belongs to a private VLAN primary or secondary VLAN. this isolation occurs by default by using UNI-ENI VLANs. but never a Cisco ME 3400 Ethernet Access switch. including extended-range VLANs. For more information about tunnel ports. creating an assymetric link. For information about private VLANs. the customer VLAN ID must be isolated from other customers’ VLAN IDs. A trunk port is a member of all VLANs by default. with user network interfaces (UNIs) and enhanced interface interfaces (ENIs) connected to the customer side of the network. For more information. “Configuring IEEE 802. Dynamic-access A dynamic-access port can belong to one VLAN (VLAN ID 1 to 4094) and is dynamically assigned by a VMPS. On the Cisco ME switch. but you must connect the dynamic-access port to an end station or hub and not to another switch. see the “Configuring Dynamic-Access Ports on VMPS Clients” section on page 11-26.1Q tunneling to maintain customer VLAN integrity across a service-provider network. Only NNIs can be configured as promiscuous ports. The Cisco ME 3400 switch is a VMPS client.” For more detailed definitions of access and trunk modes and their functions.Chapter 11 Configuring VLANs Understanding VLANs Table 11-1 Port Membership Modes Membership Mode Static-access Trunk (IEEE 802. A tunnel port belongs to a single VLAN that is dedicated to tunneling.1Q) VLAN Membership Characteristics A static-access port can belong to one VLAN and is manually assigned to that VLAN.1Q Tunneling and Layer 2 Protocol Tunneling. The VMPS can be a Catalyst 5000 or Catalyst 6500 series switch. You can have dynamic-access ports and trunk ports on the same switch. You can achieve this isolation by several methods. see Chapter 13. For more information. For information about configuring trunk ports. For configuration information. Tunneling is supported only when the switch is running the metro access or metro IP access image. see the “Configuring an Ethernet Interface as a Trunk Port” section on page 11-16. including using private VLANs. for example. UNI-ENI VLANs The Cisco ME switch is the boundary between customer networks and the service-provider network. You configure a tunnel port on an edge switch in the service-provider network and connect it to an IEEE 802.” Tunnel (dot1q-tunnel) Tunnel ports are used for IEEE 802.1Q trunk port on a customer interface. see the “Managing the MAC Address Table” section on page 5-20. see the “Assigning Static-Access Ports to a VLAN” section on page 11-11. “Configuring Private VLANs.

you should use caution when configuring ENIs and UNIs in the same community VLAN. It can also be a member of an EtherChannel. The NNIs in both VLAN 10 and VLAN 20 can exchange packets with the UNIs or ENIs in the same VLAN. but not on UNIs. and you want to switch packets between the ports.1Q tunnel port. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 11-6 OL-9639-10 . Because you can enable spanning tree on ENIs. if VLAN 10 is a UNI-ENI isolated VLAN and VLAN 20 is a UNI-ENI community VLAN. Local switching does not occur among UNIs or ENIs on the switch that belong to the same UNI-ENI isolated VLAN. Figure 11-2 UNI -ENI Isolated and Community VLANs in the Cisco ME Switch To service-provider network Gigabit Ethernet port 1 NNIs Gigabit Ethernet port 2 92914 VLAN 10: (UNI-ENI isolated VLAN) VLAN 20: (UNI-ENI community VLAN) Fast Ethernet ports 1 – 4 UNIs or ENIs Customer-facing ports Fast Ethernet ports 6 – 10 A UNI or ENI can be an access port. a private VLAN port. If UNIs or ENIs belong to the same customer. a trunk port. There is no restriction to the number of UNIs and ENIs that you can add to a community VLAN or private VLAN. UNIs are always in the forwarding state. or an IEEE 802. UNI-ENI community VLAN—Local switching is allowed among UNIs and ENIs on the switch that belong to the same community VLAN. There is no local switching between the ports in a UNI-ENI community VLAN and ports outside of the VLAN. Network node interfaces (NNIs) are not affected by the type of UNI-ENI VLAN to which they belong. but local switching can occur between Fast Ethernet ports 6-10. regardless of VLAN type.Chapter 11 Understanding VLANs Configuring VLANs There are two types of UNI-ENI VLANs: • UNI-ENI isolated VLAN—This is the default VLAN state for all VLANs created on the switch. you can configure the common VLAN as a UNI-ENI community VLAN. switching is allowed among UNIs or ENIs on different switches even though they belong to the same UNI-ENI isolated VLAN. Switching can occur between NNIs and other NNIs or UNIs or ENIs on the switch or other switches that are part of the same VLAN. • Note Local switching takes place between ENIs and UNIs in the same community VLAN. local switching does not take place among Fast Ethernet ports 1-4. However. This configuration is designed for cases when different customers are connected to UNIs or ENIs on the same switch. In the configuration in Figure 11-2.

All other characteristics must remain at the default conditions. The results of these commands are written to the running-configuration file. page 11-8 Creating or Modifying an Ethernet VLAN. accessed by entering the vlan global configuration command to create VLANs and to modify some parameters. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 11-7 . Other access ports and other VLANs on the trunk port are isolated because they belong to different VLANs.Chapter 11 Configuring VLANs Creating and Modifying VLANs When a UNI or ENI configured as an IEEE 802. and you can display the file by entering the show running-config privileged EXEC command. and the UNI-ENI VLAN configuration. In this case. you can control which VLANs learn MAC addresses by disabling MAC address learning on specific VLANs. the VLAN on the trunk is isolated from the same VLAN ID on a different trunk port or an access port. Note On extended-range VLANs.1Q trunk port belongs to a UNI-ENI isolated VLAN. the remote SPAN. and so on). for more efficient management of the MAC address table space available on the switch. See the “Disabling MAC Address Learning on a VLAN” section on page 5-29 for more information. page 11-12 Configuring UNI-ENI VLANs. Other VLANs on the trunk port can be of different types (private VLAN. ENIs. UNIs. the private VLAN. and NNIs are always isolated from ports on different VLANs. page 11-7 VLAN Configuration Guidelines. These sections contain VLAN configuration information: • • • • • • Default Ethernet VLAN Configuration. UNI-ENI community VLAN. page 11-11 Creating an Extended-Range VLAN with an Internal VLAN ID. Table 11-2 shows the default configuration for Ethernet VLANs. a UNI access port and one VLAN on a UNI trunk port can belong to the same UNI-ENI isolated VLAN. Creating and Modifying VLANs You use VLAN configuration mode. page 11-12 If the switch is running the metro IP access or metro access image. You use the interface configuration mode to define the port membership mode and to add and remove ports from VLANs. For example. page 11-9 Assigning Static-Access Ports to a VLAN. Default Ethernet VLAN Configuration The switch supports only Ethernet interfaces. isolation occurs between the UNI access port and the VLAN on the UNI trunk port. you can change only the MTU size.

IEEE 802. where xxxx No range represents four numeric digits (including leading zeros) equal to the VLAN ID number 100001 (100000 plus the VLAN ID) 1500 0 0 active disabled none configured UNI-ENI isolated VLAN 1 to 4294967294 1500 to 9198 0 to1005 0 to1005 active. The switch does not forward FDDI. Extended-range VLANs are not saved in the VLAN database. The switch does not support Token Ring or FDDI media. 1006 to 4094.10 SAID MTU size Translational bridge 1 Translational bridge 2 VLAN state Remote SPAN Private VLANs UNI-ENI VLAN VLAN Configuration Guidelines Follow these guidelines when creating and modifying VLANs in your network: • • • • • The switch supports 1005 VLANs. FDDI-Net. disabled 2 to 1001. VLAN name VLANxxxx. Configuration options for VLAN IDs 1006 through 4094 (extended-range VLANs) are limited to MTU. or TrBRF traffic. 2 to 1001. VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs. 1006 to 4094. RSPAN VLAN. and UNI-ENI VLAN. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 11-8 OL-9639-10 . Normal-range Ethernet VLANs are identified with a number between 1 and 1001.Chapter 11 Creating and Modifying VLANs Configuring VLANs Table 11-2 Ethernet VLAN Defaults and Ranges Parameter VLAN ID Default 1 Range 1 to 4094. VLAN 1 is always a UNI-ENI isolated VLAN. TrCRF. Note Extended-range VLANs (VLAN IDs 1006 to 4094) are not saved in the VLAN database. VLAN configurations for VLANs 1 to 1005 are always saved in the VLAN database and in the switch running configuration file. private VLAN. suspend enabled.

If you try to create an extended-range VLAN with a VLAN ID that is already allocated as an internal VLAN. and the extended-range VLAN is rejected. which then uses another VLAN as its internal VLAN. enter the show vlan internal usage privileged EXEC command to see which VLANs have been allocated as internal VLANs. You can configure STP on ENIs. – Before configuring extended-range VLANs. we recommend that you configure the IEEE 802. the number of routed ports. Note Extended-range VLANs use the default Ethernet VLAN characteristics and the MTU. an error message is generated.1s Multiple STP (MSTP) on your switch to map multiple VLANs to a single spanning-tree instance. we recommend that you create extended-range VLANs beginning from the highest number (4094) and moving to the lowest (1006) to reduce the possibility of using an internal VLAN ID. see Chapter 15. You can prevent this possibility by setting allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances. Enter a new VLAN ID to create a VLAN. You can use the default VLAN configuration (Table 11-2) or enter commands to configure the VLAN. If you try to create an extended-range VLAN and there are not enough hardware resources available. NNIs and ENIs in the same VLAN are in the same spanning-tree instance. and the internal VLAN ID cannot be used for an extended-range VLAN. an error message is generated. which frees up the internal VLAN. spanning tree can be enabled on 128 VLANs and is disabled on the remaining VLANs. If a switch has more active VLANs than supported spanning-tree instances. particularly if there are several adjacent switches that all have run out of spanning-tree instances. and the UNI-ENI VLAN configurations are the only parameters you can change. adding another VLAN creates a VLAN on that switch that is not running spanning tree. If you have the default allowed list on the trunk ports of that switch (which is to allow all VLANs). The switch supports 128 spanning-tree instances. and then create the extended-range VLAN and re-enable the port. – If necessary. Each routed port on the switch creates an internal VLAN for its use. and other configured features affects the use of the switch hardware. enter the vlan global configuration command with a VLAN ID. the RSPAN. Depending on the topology of the network. SVIs. – Because internal VLAN IDs are in the lower part of the extended range. Creating or Modifying an Ethernet VLAN To access VLAN configuration mode. “Configuring MSTP. If you have already used all available spanning-tree instances on a switch. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 11-9 . this could create a loop in the new VLAN that would not be broken. or enter an existing VLAN ID to modify that VLAN. the new VLAN is carried on all trunk ports. and the command is rejected.Chapter 11 Configuring VLANs Creating and Modifying VLANs • Spanning Tree Protocol (STP) is enabled by default for only NNIs on all VLANs. • Although the switch supports a total of 1005 (normal-range and extended-range) VLANs. you can shut down the routed port assigned to the internal VLAN. These internal VLANs use extended-range VLAN numbers. If the number of VLANs on the switch exceeds the number of supported spanning-tree instances. See the “Creating an Extended-Range VLAN with an Internal VLAN ID” section on page 11-12. For more information about MSTP. the private VLAN.” Note • MSTP is supported only on NNIs on ENIs on which STP has been enabled.

Step 4 Step 5 Step 6 Step 7 mtu mtu-size end show vlan {name vlan-name | id vlan-id} Verify your entries. use the no name or no mtu VLAN configuration command. Caution When you delete a VLAN. and enter VLAN configuration mode. by default the VLAN is a UNI-ENI isolated VLAN. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN. Extended-range VLANs are not saved in the VLAN database. To return the VLAN name to the default settings. any ports assigned to that VLAN become inactive. VLAN0004 is a default VLAN name for VLAN 4. The available VLAN ID range for this command is 1 to 4094. copy running-config startup config (Optional) Save the configuration in the switch startup configuration file. Enter a new VLAN ID to create a VLAN. Note configure terminal vlan vlan-id When you create a new VLAN. If no name is entered for the VLAN. they are saved in the switch running configuration file. enter the show vlan privileged EXEC command. You can save the VLAN configuration in the switch startup configuration file by using the copy running-config startup-config privileged EXEC command. To display the VLAN configuration. follow these steps to create or modify an Ethernet VLAN: Command Step 1 Step 2 Purpose Enter global configuration mode. or enter an existing VLAN ID to modify that VLAN. use the no vlan vlan-id global configuration command. you must exit VLAN configuration mode for the configuration to take effect. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 11-10 OL-9639-10 . The name option is only valid for VLAN IDs 1 to 1005. Return to privileged EXEC mode. Enter a VLAN ID. Note Before you create an extended-range VLAN. The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database (vlan.Chapter 11 Creating and Modifying VLANs Configuring VLANs For more information about commands available in this mode. You cannot delete VLAN 1 or VLANs 1002 to 1005. To delete a VLAN. see the vlan command description in the command reference for this release. go to the “Creating an Extended-Range VLAN with an Internal VLAN ID” section on page 11-12 before creating the extended-range VLAN. Beginning in privileged EXEC mode. If the VLAN ID is used internally and you want to release it. (Optional) Change the MTU size. When you have finished the configuration. the default in the VLAN database is to append the vlan-id with leading zeros to the word VLAN. you can verify that the VLAN ID is not used internally by entering the show vlan internal usage privileged EXEC command. Step 3 name vlan-name (Optional and supported on normal-range VLANs only) Enter a name for the VLAN.dat file) with a VLAN number and name and in the switch running configuration file. For example.

Return to privileged EXEC mode. Verify your entries in the Administrative Mode and the Access Mode VLAN fields of the display. and NNIs are enabled. if necessary. Switch(config)# interface fastethernet0/1 Switch(config-if)# switchport mode access Switch(config-if)# switchport access vlan 2 Switch(config-if)# end End with CNTL/Z. configure terminal interface interface-id no shutdown switchport mode access switchport access vlan vlan-id end show running-config interface interface-id show interfaces interface-id switchport copy running-config startup-config To return an interface to its default configuration. (Optional) Save your entries in the configuration file. (See the “Creating or Modifying an Ethernet VLAN” section on page 11-9. By default. Note If you assign an interface to a VLAN that does not exist. name it test20. and add it to the VLAN database: Switch# configure terminal Switch(config)# vlan 20 Switch(config-vlan)# name test20 Switch(config-vlan)# end This example shows how to create a new extended-range VLAN with all default characteristics. use the default interface interface-id interface configuration command. Define the VLAN membership mode for the port (Layer 2 access port). the new VLAN is created. Enable the port. follow these steps to assign a port to a VLAN in the VLAN database: Command Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Purpose Enter global configuration mode Enter the interface to be added to the VLAN. Verify the VLAN membership mode of the interface. Assign the port to a VLAN. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 11-11 .Chapter 11 Configuring VLANs Creating and Modifying VLANs This example shows how to create Ethernet VLAN 20. UNIs and ENIs are disabled.) Beginning in privileged EXEC mode. Valid VLAN IDs are 1 to 4094. and save the new VLAN in the switch startup configuration file: Switch(config)# vlan 2000 Switch(config-vlan)# end Switch# copy running-config startup config Assigning Static-Access Ports to a VLAN You can assign a static-access port to a VLAN. This example shows how to configure a port as an access port in VLAN 2: Switch# configure terminal Enter configuration commands. enter config-vlan mode. one per line.

the display shows the routed port that is using the VLAN ID. and return to global configuration mode. you must temporarily shut down the routed port that is using the internal VLAN ID. and enter interface configuration mode. an error message appears. and enter interface configuration mode. Specify the interface ID for the routed port that you shut down in Step 4. You can also change the configuration of one of these VLANs to the default of a UNI-ENI isolated VLAN. Enter global configuration mode. Specify the interface ID for the routed port that is using the VLAN ID. Re-enable the routed port. first enter the vlan vlan-id global configuration command to enter VLAN configuration mode: – To change a VLAN from UNI-ENI isolated VLAN to a private VLAN. Exit from config-vlan mode. If the VLAN ID that you want to use is an internal VLAN. and the extended-range VLAN is rejected. and enter config-vlan mode.Chapter 11 Creating and Modifying VLANs Configuring VLANs Creating an Extended-Range VLAN with an Internal VLAN ID If you enter an extended-range VLAN ID that is already assigned to an internal VLAN. Configuration Guidelines These are the guidelines for UNI-ENI VLAN configuration: • • • UNI-ENI isolated VLANs have no effect on NNI ports. A UNI-ENI community VLAN is like a traditional VLAN except that it can include no more than a combination of eight UNIs and ENIs. Return to privileged EXEC mode. a private VLAN. (Optional) Save your entries in the switch startup configuration file. To manually release an internal VLAN ID. Return to global configuration mode. enter the private-vlan VLAN configuration command. show vlan internal usage Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Step 10 Step 11 configure terminal interface interface-id shutdown exit vlan vlan-id exit interface interface-id no shutdown end copy running-config startup config Configuring UNI-ENI VLANs By default. or an RSPAN VLAN. Enter the new extended-range VLAN ID. every VLAN configured on the switch is a UNI-ENI isolated VLAN. Shut down the port to release the internal VLAN ID. Enter that port number in Step 3. To change a VLAN type. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 11-12 OL-9639-10 . follow these steps to release a VLAN ID that is assigned to an internal VLAN and to create an extended-range VLAN with that ID: Command Step 1 Purpose Display the VLAN IDs being used internally by the switch. You can change VLAN configuration to that of a UNI-ENI community VLAN. Beginning in privileged EXEC mode. It will be assigned a new internal VLAN ID.

If a UNI or ENI dynamic access port is added to a UNI-ENI community VLAN that has eight UNIs or ENIs. – To change an RSPAN VLAN to a UNI-ENI VLAN. VLAN 1 is always a UNI-ENI isolated VLAN. Enter community to change from the default to a UNI-ENI community VLAN. every VLAN created on the switch is a UNI-ENI isolated VLAN. and enter VLAN configuration mode. the configuration is refused. You cannot configure a VLAN as a UNI-ENI community VLAN if more than eight UNIs and ENIs belong to the VLAN. enter the rspan-vlan VLAN configuration command. The reserved VLANs 1002 to 1005 are not Ethernet VLANs. By default. “Configuring SPAN and RSPAN. Then enter the private-vlan VLAN configuration command. If you attempt to add a UNI or ENI static access port to a UNI-ENI community VLAN that has a combination of eight UNIs and ENIs. For procedures for configuring private VLANs or RSPAN VLANs. follow these steps to change the type of a UNI-ENI VLAN: Command Step 1 Step 2 Purpose Enter global configuration mode.” Beginning in privileged EXEC mode. Enter isolated to return to the default UNI-ENI isolated VLAN. the VLAN is a UNI-ENI isolated VLAN. Then enter the rspan-vlan VLAN configuration command. • • Note Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 11-13 . you cannot configure VLAN 1 as a UNI-ENI community VLAN. Note configure terminal vlan vlan-id The available VLAN ID range for this command is 1 to 4094. Enter a new VLAN ID to create a VLAN. you must first remove the private VLAN type by entering the no private-vlan VLAN configuration command. – To change a UNI-ENI community VLAN to an RSPAN VLAN. Use caution when configuring ENIs and UNIs in the same community VLAN. – To change a private VLAN to a UNI-ENI VLAN. you must first remove the community VLAN type by entering the no uni-vlan VLAN configuration command. Step 3 uni-vlan {community | isolated} Configure the UNI-ENI VLAN type. • Configuring UNI-ENI VLANs By default.Chapter 11 Configuring VLANs Creating and Modifying VLANs – To change a UNI-ENI community VLAN to a private VLAN. “Configuring Private VLANs” and Chapter 26. you must first remove the community VLAN type by entering the no uni-vlan VLAN configuration command. Enter a VLAN ID. you must first remove the RSPAN VLAN type by entering the no rspan-vlan VLAN configuration command. Then enter the uni-vlan VLAN configuration command • • The switch supports a total of eight UNIs and ENIs in a community VLAN. – To change a VLAN from a UNI-ENI isolated VLAN to an RSPAN VLAN. Then enter the uni-vlan VLAN configuration command. the port is error-disabled. You can change the configuration to UNI-ENI community VLAN or to a private VLAN or RSPAN VLAN. see Chapter 12. or enter an existing VLAN ID to modify that VLAN. Local switching takes place between the ENIs and UNIs in the community VLAN and ENIs can support spanning tree while UNIs do not.

(Optional) Save the configuration in the switch startup configuration file. To display both isolated and community VLANs.Chapter 11 Displaying VLANs Configuring VLANs Command Step 4 Step 5 Step 6 Purpose Return to privileged EXEC mode. Entering uni-vlan isolated command has the same effect as entering the no uni-vlan VLAN configuration command. but only UNI-ENI community VLANs appear. Display UNI-ENI isolated and UNI-ENI community VLANs on the switch by VLAN ID. Displaying VLANs Use the show vlan privileged EXEC command to display a list of all VLANs on the switch. Display parameters for all VLANs or the specified VLAN on the switch. The show vlan and show vlan vlan-id privileged EXEC commands also display UNI-ENI VLAN information. For more details about the show command options and explanations of output fields. Configuring VLAN Trunks • • • • Trunking Overview. Table 11-3 VLAN Monitoring Commands Command show interfaces [vlan vlan-id] show vlan [id vlan-id] show vlan [vlan-name] uni-vlan type show vlan uni-vlan show vlan uni-vlan type Purpose Display characteristics for all interfaces or for the specified VLAN configured on the switch. Display UNI-ENI community VLANs and associated ports on the switch. Display UNI-ENI isolated or UNI-ENI community VLANs by VLAN name. page 11-15 Default Layer 2 Ethernet Interface VLAN Configuration. Enter type (optional) to see only the VLAN ID and type of UNI-ENI VLAN. Table 11-3 lists other privileged EXEC commands for monitoring VLANs. see the command reference for this release. end show vlan uni-vlan [type] copy running-config startup config Use the no uni-vlan VLAN configuration command to return to the default (UNI-ENI isolated VLAN). and configuration information. page 11-16 Configuring Trunk Ports for Load Sharing. use the show vlan uni-vlan type command. page 11-19 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 11-14 OL-9639-10 . page 11-16 Configuring an Ethernet Interface as a Trunk Port. including extended-range VLANs. ports. Display UNI-ENI VLAN information. The display includes VLAN status.

You can configure a trunk on a single Ethernet interface or on an EtherChannel bundle. For information about private VLANs. “Configuring EtherChannels and Link-State Tracking.” for more information on tunnel ports. The interface becomes a trunk interface even if the neighboring interface is not a trunk interface. For more information about EtherChannels. When you connect a Cisco switch to a non-Cisco device through an IEEE 802. “Configuring IEEE 802. use the switchport mode access interface configuration command to disable trunking.1Q tunneling is used to maintain customer VLAN integrity across a service provider network. To enable trunking.1Q industry-standard trunking encapsulation. the Cisco switch combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802. “Configuring Private VLANs. Non-Cisco devices might support one spanning-tree instance for all VLANs. the switches maintain one spanning-tree instance for each VLAN allowed on the trunks. This is the default mode. use the switchport mode trunk interface configuration command to change the interface to a trunk.1Q trunks impose these limitations on the trunking strategy for a network: • In a network of Cisco switches connected through IEEE 802. Configure the interface as a private VLAN host or promiscuous port (only NNIs can be configured as promiscuous ports). Ethernet trunks carry the traffic of multiple VLANs over a single link.1Q Tunneling and Layer 2 Protocol Tunneling.1Q Configuration Considerations The IEEE 802. See Chapter 13. The switch supports the IEEE 802.1Q trunk.1Q switches.1Q cloud separating the Cisco switches is treated as a single trunk link between the switches. Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link. You can set an interface as trunking or nontrunking.” switchport mode trunk switchport mode dot1q-tunnel switchport mode private-vlan IEEE 802. However. • • If you do not intend to trunk across links. see Chapter 34.” Ethernet interfaces support different trunking modes (see Table 11-4).Chapter 11 Configuring VLANs Configuring VLAN Trunks Trunking Overview A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 11-15 . see Chapter 12.1Q trunk port. The IEEE 802. Configures the interface as a tunnel (nontrunking) port to be connected in an asymmetric link with an IEEE 802. spanning-tree information for each VLAN is maintained by Cisco switches separated by a cloud of non-Cisco IEEE 802. Table 11-4 Layer 2 Interface Modes Mode switchport mode access Function Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether or not the neighboring interface is a trunk interface.1Q switch. and you can extend the VLANs across an entire network. The non-Cisco IEEE 802.1Q trunks.

Make sure that your network is loop-free before disabling spanning tree.Chapter 11 Configuring VLAN Trunks Configuring VLANs • Make sure that the native VLAN for an IEEE 802. page 11-19 Interaction with Other Features Trunking interacts with other features in these ways: • • • A trunk port cannot be a secure port. – STP port priority for each VLAN. page 11-18 Configuring the Native VLAN for Untagged Traffic. A trunk port cannot be a tunnel port. If you change the configuration of one of these parameters. page 11-19 Configuring the Native VLAN for Untagged Traffic. page 11-16 Defining the Allowed VLANs on a Trunk. Trunk ports can be grouped into EtherChannel port groups. If the native VLAN on one end of the trunk is different from the native VLAN on the other end. – STP Port Fast setting. Table 11-5 Default Layer 2 Ethernet Interface VLAN Configuration Feature Interface mode Allowed VLAN range Default VLAN (for access ports) Default Setting switchport mode access VLANs 1 to 4094 VLAN 1 Native VLAN (for IEEE 802. spanning-tree loops might result. Disabling spanning tree on the native VLAN of an IEEE 802.1Q trunk or disable spanning tree on every VLAN in the network.1Q trunk without disabling spanning tree on every VLAN in the network can potentially cause spanning-tree loops. the switch propagates the setting that you entered to all ports in the group: – allowed-VLAN list. When a group is first created. We recommend that you leave spanning tree enabled on the native VLAN of an IEEE 802.1Q trunks) VLAN 1 Configuring an Ethernet Interface as a Trunk Port • • • • Interaction with Other Features. all ports follow the parameters set for the first port to be added to the group. but all trunks in the group must have the same configuration. • Default Layer 2 Ethernet Interface VLAN Configuration Table 11-5 shows the default Layer 2 Ethernet interface VLAN configuration.1Q trunk is the same on both ends of the trunk link. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 11-16 OL-9639-10 .

and IEEE 802. • If you try to enable IEEE 802. To reset all trunking characteristics of a trunking interface to the defaults.1Q trunk with VLAN 33 as the native VLAN: Switch# configure terminal Enter configuration commands. but must be enabled on ENIs. STP is not supported on UNIs. Return to privileged EXEC mode. To return an interface to its default configuration. Enable the port. show interfaces interface-id trunk copy running-config startup-config Display the trunk configuration of the interface. By default. configure terminal interface interface-id no shutdown switchport mode trunk switchport access vlan vlan-id switchport trunk native vlan vlan-id end show interfaces interface-id switchport Display the switchport configuration of the interface in the Administrative Mode field of the display. all ports cease to be trunks.1x-enabled port to trunk. Specify the port to be configured for trunking. Configuring a Trunk Port Beginning in privileged EXEC mode. if necessary. (Optional) Save your entries in the configuration file. use the switchport mode access interface configuration command to configure the port as a static-access port. use the no switchport trunk interface configuration command. the port mode is not changed.1Q trunks.1x on a trunk port.1Q trunk port: Command Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Step 10 Purpose Enter global configuration mode. UNIs and ENIs are disabled.1x is not enabled. which is used if the interface stops trunking. Switch(config)# interface fastethernet0/2 Switch(config-if)# switchport mode trunk Switch(config-if)# switchport trunk native vlan 33 Switch(config-if)# end Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 11-17 . This example shows how to configure a port as an IEEE 802. and NNIs are enabled. an error message appears. (Optional) Specify the default VLAN. If you try to change the mode of an IEEE 802. one per line. Configure the interface as a Layer 2 trunk. Specify the native VLAN for IEEE 802. – trunk status: if one port in a port group ceases to be a trunk. follow these steps to configure a port as an IEEE 802. and enter interface configuration mode.Chapter 11 Configuring VLANs Configuring VLAN Trunks Note STP is supported by default on NNIs. use the default interface interface-id interface configuration command. To disable trunking. End with CNTL/Z.

Enable the port. UNIs and ENIs are disabled. Specify the port to be configured. If a trunk port with VLAN 1 disabled is converted to a nontrunk port. regardless of the switchport trunk allowed setting. To reduce the risk of spanning-tree loops or storms. (Optional) Save your entries in the configuration file. Note VLAN 1 is the default VLAN on all trunk ports in all Cisco switches. However. the lower one first. and remove keywords. and Link Aggregation Control Protocol (LACP) in VLAN 1. 1 to 4094. you can disable VLAN 1 on any individual VLAN trunk port by removing VLAN 1 from the allowed list. If the access VLAN is set to 1. the port is added to VLAN 1. and enter interface configuration mode. The vlan-list parameter is either a single VLAN number from 1 to 4094 or a range of VLANs described by two VLAN numbers. separated by a hyphen. it is added to the access VLAN. except. use the switchport trunk allowed vlan remove vlan-list interface configuration command to remove specific VLANs from the allowed list. (Optional) Configure the list of VLANs allowed on the trunk. Cisco Discovery Protocol (CDP). and NNIs are enabled. a trunk port sends traffic to and receives traffic from all VLANs. By default. see the command reference for this release. follow these steps to modify the allowed list of an IEEE 802. preventing traffic from those VLANs from passing over the trunk. Do not enter any spaces between comma-separated VLAN parameters or in hyphen-specified ranges.Chapter 11 Configuring VLAN Trunks Configuring VLANs Defining the Allowed VLANs on a Trunk By default. Configure the interface as a VLAN trunk port. Beginning in privileged EXEC mode. if necessary. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 11-18 OL-9639-10 . A trunk port can become a member of a VLAN if the VLAN is enabled and if the VLAN is in the allowed list for the port. The VLAN 1 minimization feature allows you to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1. you can remove VLANs from the allowed list. are allowed on each trunk. All VLANs are allowed by default.1Q trunk: Command Step 1 Step 2 Step 3 Step 4 Step 5 Purpose Enter global configuration mode. When you remove VLAN 1 from a trunk port. all. All VLAN IDs. configure terminal interface interface-id no shutdown switchport mode trunk switchport trunk allowed vlan {add | all | except | remove} vlan-list Step 6 Step 7 Step 8 end copy running-config startup-config Return to privileged EXEC mode. and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. show interfaces interface-id switchport Verify your entries in the Trunking VLANs Enabled field of the display. Port Aggregation Protocol (PAgP). You do this by removing VLAN 1 from the allowed VLAN list. for example. the interface continues to send and receive management traffic. For explanations about using the add. The same is true for any VLAN that has been disabled on the port. To restrict the traffic a trunk carries.

The native VLAN is VLAN 1 by default.1Q trunk. VLAN 1. you divide the traffic between the links according to the VLAN to which the traffic belongs. follow these steps to configure the native VLAN on an IEEE 802. Verify your entries in the Trunking Native Mode VLAN field. the range is 1 to 4094. UNIs and ENIs are disabled and NNIs are enabled.1Q configuration issues. Configuring Trunk Ports for Load Sharing Load sharing divides the bandwidth supplied by parallel trunks that connect switches. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 11-19 . the switch forwards untagged traffic in the native VLAN configured for the port. For information about IEEE 802. Note The native VLAN can be assigned any VLAN ID.1Q tagging can receive both tagged and untagged traffic. if necessary. Return to privileged EXEC mode. use the no switchport trunk native vlan interface configuration command. By default. This example shows how to remove VLAN 2 from the allowed VLAN list on a port: Switch(config)# interface fastethernet0/1 Switch(config-if)# switchport trunk allowed vlan remove 2 Switch(config-if)# end Configuring the Native VLAN for Untagged Traffic A trunk port configured with IEEE 802. otherwise. If a packet has a VLAN ID that is the same as the sending port native VLAN ID. STP normally blocks all but one parallel link between switches.Chapter 11 Configuring VLANs Configuring VLAN Trunks To return to the default allowed VLAN list of all VLANs. Beginning in privileged EXEC mode. the packet is sent untagged. the switch sends the packet with a tag. Enable the port. Configure the VLAN that is sending and receiving untagged traffic on the trunk port. use the no switchport trunk allowed vlan interface configuration command. configure terminal interface interface-id no shutdown switchport trunk native vlan vlan-id Step 5 Step 6 Step 7 end show interfaces interface-id switchport copy running-config startup-config To return to the default native VLAN. see the “IEEE 802. Using load sharing. For vlan-id.1Q Configuration Considerations” section on page 11-15. (Optional) Save your entries in the configuration file. Define the interface that is configured as the IEEE 802. To avoid loops. By default. and enter interface configuration mode.1Q trunk: Command Step 1 Step 2 Step 3 Step 4 Purpose Enter global configuration mode.

Command Step 8 Step 9 Step 10 Step 11 Purpose Verify that the referenced VLANs exist on Switch A. VLANs 3 through 6 retain the default port priority of 128 on Trunk 1. In this example. those shown are examples only. and Trunk 2 carries traffic for VLANs 3 through 6. the switches are configured as follows: • • • • VLANs 8 through 10 are assigned a port priority of 16 on Trunk 1. VLANs 3 through 6 are assigned a port priority of 16 on Trunk 2. each load-sharing link can be connected to the same switch or to two different switches. follow these steps to configure the network shown in Figure 11-3. If the active trunk fails. For load sharing using STP path costs. No duplication of traffic occurs over any trunk port. “Configuring STP. the switch uses the STP port priority to decide which port is enabled and which port is in a blocking state. One trunk port sends or receives all traffic for the VLAN.” Load Sharing Using STP Port Priorities When two ports on the same switch form a loop. Note that you can use any interface numbers. The trunk port with the lower priority (higher values) for the same VLAN remains in a blocking state for that VLAN. the trunk with the lower priority takes over and carries the traffic for all of the VLANs.Chapter 11 Configuring VLAN Trunks Configuring VLANs You configure load sharing on trunk ports that have STP enabled by using STP port priorities or STP path costs. both load-sharing links must be connected to the same switch. you must also enable STP on the port by entering the spanning-tree interface configuration command. If you configure the port as an ENI. create the VLANs by entering the VLAN IDs. For load sharing using STP port priorities. show vlan configure terminal interface gigabitethernet 0/1 port-type {nni | eni} Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 11-20 OL-9639-10 . Configure the interface as an NNI or ENI. If not. In this way. The trunk port with the higher priority (lower values) for a VLAN is forwarding traffic for that VLAN. UNIs do not support STP. Enter global configuration mode. see Chapter 14. Figure 11-3 Load Sharing by Using STP Port Priorities Switch A Trunk 1 VLANs 8 – 10 (priority 16) VLANs 3 – 6 (priority 128) Trunk 2 VLANs 3 – 6 (priority 16) VLANs 8 – 10 (priority 128) 93370 Switch B Beginning in privileged EXEC mode on Switch A. You can set the priorities on a parallel STP trunk port so that the port carries all the traffic for a given VLAN. VLANs 8 through 10 retain the default port priority of 128 on Trunk 2. Trunk 1 carries traffic for VLANs 8 through 10. For more information about STP. and enter interface configuration mode. Define the interface to be configured as the Trunk 1 interface. Figure 11-3 shows two trunks connecting supported switches.

and the configure trunk port for Trunk 2 with a spanning-tree port priority of 16 for VLANs 3 through 6. (Optional) Save your entries in the configuration file. Assign the port priority of 16 for VLANs 3 through 6 on Trunk 2. blocking different ports for different VLANs. The VLANs keep the traffic separate and maintain redundancy in the event of a lost link. and enter interface configuration mode. Return to privileged EXEC mode. These VLAN path costs are assigned: • • • • VLANs 2 through 4 are assigned a path cost of 30 on Trunk port 1. Configure the interface as an NNI or ENI.Chapter 11 Configuring VLANs Configuring VLAN Trunks Command Step 12 Step 13 Step 14 Step 15 Step 16 Step 17 Step 18 Purpose Configure the port as a trunk port. Verify the port configuration. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 11-21 . you must also enable STP on the port by entering the spanning-tree interface configuration command. Assign the port priority of 16 for VLANs 8 through 10 on Trunk 1. Configure the port as a trunk port. Return to privileged EXEC mode. Load Sharing Using STP Path Cost You can configure parallel trunks to share VLAN traffic by setting different path costs on a trunk and associating the path costs with different sets of VLANs. VLANs 8 through 10 retain the default 100Base-T path cost on Trunk port 1 of 19. VLANs 2 through 4 retain the default 100Base-T path cost on Trunk port 2 of 19. If you configure the port as an ENI. Define the interface to be configured as the Trunk 2 interface. UNIs do not support STP. Trunk ports 1 and 2 are configured as 100Base-T ports. Verify the port configuration. In Figure 11-4. Verify your entries. Enter global configuration mode. VLANs 8 through 10 are assigned a path cost of 30 on Trunk port 2. switchport mode trunk spanning-tree vlan 8-10 port-priority 16 end show interfaces gigabitethernet 0/1 switchport configure terminal interface gigabitethernet 0/2 port-type {nni | eni} Step 19 Step 20 Step 21 Step 22 Step 23 Step 24 switchport mode trunk spanning-tree vlan 3-6 port-priority 16 end show interfaces gigabitethernet 0/2 switchport show running-config copy running-config startup-config Follow the same steps on Switch B to configure the trunk port for Trunk 1 with a spanning-tree port priority of 16 for VLANs 8 through 10.

Return to global configuration mode. Configure the port as a trunk port. Return to privileged EXEC mode. Configure the interface as an NNI or ENI. UNIs do not support STP. you must also enable STP on the port by entering the spanning-tree interface configuration command. UNIs do not support STP. create these VLANs. In the display. Enter interface configuration mode for Trunk port 2. Configure the port as a trunk port. configure terminal interface fastethernet0/1 port-type {nni | eni} Step 4 Step 5 Step 6 Step 7 switchport mode trunk exit interface fastethernet0/2 port-type {nni | eni} Step 8 Step 9 Step 10 Step 11 Step 12 Step 13 Step 14 Step 15 Step 16 Step 17 Step 18 switchport mode trunk end show running-config show vlan configure terminal interface fastethernet0/1 spanning-tree vlan 2-4 cost 30 exit interface fastethernet0/2 spanning-tree vlan 8-10 cost 30 exit Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 11-22 OL-9639-10 . If not. you must also enable STP on the port by entering the spanning-tree interface configuration command. Define the interface to be configured as Trunk port 2. If you configure the port as an ENI. Enter interface configuration mode for Trunk port 2. Configure the interface as an NNI or ENI. Return to global configuration mode. follow these steps to configure the network shown in Figure 11-4: Command Step 1 Step 2 Step 3 Purpose Enter global configuration mode on Switch A. If you configure the port as an ENI. Return to global configuration mode. make sure that the interfaces configured in Steps 2 and 7 are configured as trunk ports. Verify that VLANs 2 through 4 and 8 through 10 are configured on Switch A. and enter interface configuration mode. Verify your entries. Set the spanning-tree path cost to 30 for VLANs 2 through 4. Enter global configuration mode. and enter interface configuration mode. Set the spanning-tree path cost to 30 for VLANs 2 through 4.Chapter 11 Configuring VLAN Trunks Configuring VLANs Figure 11-4 Load-Sharing Trunks with Traffic Distributed by Path Cost Switch A Trunk port 1 VLANs 2 – 4 (path cost 30) VLANs 8 – 10 (path cost 19) Trunk port 2 VLANs 8 – 10 (path cost 30) VLANs 2 – 4 (path cost 19) 90573 Switch B Beginning in privileged EXEC mode. Define the interface to be configured as Trunk port 1.

Follow the same steps on Switch B to configure the trunk port for Trunk 1 with a path cost of 30 for VLANs 2 through 4. the server shuts down the port when an illegal host is detected. • • • • • • • “Understanding VMPS” section on page 11-23 “Default VMPS Client Configuration” section on page 11-25 “VMPS Configuration Guidelines” section on page 11-25 “Configuring the VMPS Client” section on page 11-25 “Monitoring the VMPS” section on page 11-28 “Troubleshooting Dynamic-Access Port VLAN Membership” section on page 11-28 “VMPS Configuration Example” section on page 11-28 Understanding VMPS Each time the client switch receives the MAC address of a new host. Configuring VMPS The VLAN Query Protocol (VQP) supports dynamic-access ports. and set the spanning-tree path cost to 30 for VLANs 8. and configure the trunk port for Trunk 2 with a path cost of 30 for VLANs 8 through 10. Each time an unknown MAC address is seen. In open mode. When the VMPS receives this query. Note Only UNIs and ENIs can be configured as dynamic-access ports. the server simply denies the host access to the port. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 11-23 . The switch cannot be a VMPS server but can act as a client to the VMPS and communicate with it through VQP. In the display. and 10. NNIs cannot take part in VQP. Step 20 Step 21 Step 22 exit show running-config copy running-config startup-config Return to privileged EXEC mode. the switch sends a VQP query to a remote VMPS. it sends a VQP query to the VMPS. In secure mode. The VMPS responds with a VLAN assignment for the port. which are not permanently assigned to a VLAN. verify that the path costs are set correctly for both trunk interfaces. Verify your entries. the query includes the newly seen MAC address and the port on which it was seen. it searches its database for a MAC-address-to-VLAN mapping. (Optional) Save your entries in the configuration file. The server response is based on this mapping and whether or not the server is in open or secure mode. 9.Chapter 11 Configuring VLANs Configuring VMPS Command Step 19 Purpose Repeat Steps 9 through 11 on the other configured trunk interface on Switch A. but give VLAN assignments based on the MAC source addresses seen on the port.

The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new host address. The VMPS verifies that the domain name in the packet matches its own domain name before accepting the request and responds to the client with the assigned VLAN number for the client. A dynamic-access port can belong to only one VLAN at a time. When the link comes up. but the VLAN can change over time. or they can connect to a network. If the client switch was not previously configured. If the switch receives a port-shutdown response from the VMPS. If the port already has a VLAN assignment. it uses the domain name from the first VTP packet it receives on its trunk port from the VMPS. the port returns to an isolated state and does not belong to a VLAN. Dynamic-Access Port VLAN Membership A dynamic-access port can belong to only one VLAN with an ID from 1 to 4094. however. If the client switch was previously configured. the VMPS sends an access-denied response. it includes its domain name in the query packet to the VMPS to obtain its VLAN number. Dynamic-access ports can be used for direct host connections. depending on the MAC addresses seen. The port must be manually re-enabled by using the CLI or SNMP. it disables the port. the VMPS sends the VLAN number for that port. the switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment. Multiple hosts (MAC addresses) can be active on a dynamic-access port if they are all in the same VLAN. the VMPS sends an success response. the VMPS provides one of these responses: • • • If the host is allowed on the port. the VMPS provides one of these responses: • • If the switch receives an access-denied response from the VMPS. If the link goes down on a dynamic-access port. If there is no match. If the VLAN is not allowed on the port and the VMPS is in secure mode. The VMPS receives the source MAC address from the first packet of a new host connected to the dynamic-access port and attempts to match the MAC address to a VLAN in the VMPS database. Note Only UNIs or ENIs can be dynamic-access ports. depending on the secure mode of the VMPS.Chapter 11 Configuring VMPS Configuring VLANs If the port is currently unassigned (that is. the VMPS shuts down a dynamic-access port if more than 20 hosts are active on the port. the VMPS sends a port-shutdown response. If there is a match. the VMPS either denies the request or shuts down the port (depending on the VMPS secure mode setting). Any hosts that come online through the port are checked again through the VQP with the VMPS before the port is assigned to a VLAN. it does not yet have a VLAN assignment). it continues to block traffic to and from the host MAC address. the VMPS sends the client a vlan-assignment response containing the assigned VLAN name and allowing access to the host. A maximum of 20 MAC addresses are allowed per port on the switch. If the VLAN in the database matches the current VLAN on the port. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 11-24 OL-9639-10 . allowing access to the host. If the host is not allowed on the port and the VMPS is in open mode. If the VLAN in the database does not match the current VLAN on the port and active hosts exist on the port. the VMPS sends an access-denied or a port-shutdown response.

an error message appears.1x-enabled port to dynamic VLAN assignment. Dynamic-access ports cannot be monitor ports. • • • • • • Configuring the VMPS Client You configure dynamic VLANs by using the VMPS (server). it cannot be a VMPS server. Dynamic-access ports cannot be members of an EtherChannel group. but you can enter the switchport access vlan dynamic interface configuration command for a trunk port. The switch can be a VMPS client. You must turn off trunking on the port before the dynamic-access setting takes effect. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 11-25 .1x on a dynamic-access (VQP) port. If you try to change an IEEE 802.1x ports cannot be configured as dynamic-access ports. You must disable port security on a port before it becomes dynamic. and the VLAN configuration is not changed. Table 11-6 Default VMPS Client and Dynamic-Access Port Configuration Feature VMPS domain server VMPS reconfirm interval VMPS server retry count Dynamic-access ports Default Setting None 60 minutes 3 None configured VMPS Configuration Guidelines These guidelines and restrictions apply to dynamic-access port VLAN membership: • • You should configure the VMPS before you configure ports as dynamic-access ports.Chapter 11 Configuring VLANs Configuring VMPS Default VMPS Client Configuration Table 11-6 shows the default VMPS and dynamic-access port configuration on client switches.1x is not enabled. and IEEE 802. In this case. an error message appears. Secure ports cannot be dynamic-access ports. Trunk ports cannot be dynamic-access ports. Private VLAN ports cannot be dynamic-access ports. IEEE 802. If you try to enable IEEE 802. Port channels cannot be configured as dynamic-access ports. the switch retains the setting and applies it if the port is later configured as an access port.

Configuring Dynamic-Access Ports on VMPS Clients Caution Dynamic-access port VLAN membership is for end stations or hubs connected to end stations. Verify your entries in the Operational Mode field of the display. Return to privileged EXEC mode. follow these steps to configure a dynamic-access port on a VMPS client switch: Command Step 1 Step 2 Step 3n Step 4 Step 5 Step 6 Purpose Enter global configuration mode. You can enter up to three secondary server addresses. The dynamic-access port must be connected to an end station. configure terminal interface interface-id no shutdown port-type {uni | eni} switchport mode access switchport access vlan dynamic end show interfaces interface-id switchport copy running-config startup-config Step 7 Step 8 Step 9 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 11-26 OL-9639-10 . Return to privileged EXEC mode. Enter the IP address of the switch acting as the primary VMPS server. and enter interface configuration mode. (Optional) Save your entries in the configuration file. Configure the port as eligible for dynamic VLAN membership.Chapter 11 Configuring VMPS Configuring VLANs Entering the IP Address of the VMPS You must first enter the IP address of the server to configure the switch as a client. (Optional) Save your entries in the configuration file. You can test for IP connectivity by pinging the IP address of the VMPS and verifying that you get a response. Set the port to access mode. Enable the port. Beginning in privileged EXEC mode. Verify your entries in the VMPS Domain Server field of the display. Beginning in privileged EXEC mode. configure terminal vmps server ipaddress primary vmps server ipaddress Step 4 Step 5 Step 6 end show vmps copy running-config startup-config Note You must have IP connectivity to the VMPS for dynamic-access ports to work. follow these steps to enter the IP address of the VMPS: Command Step 1 Step 2 Step 3 Purpose Enter global configuration mode. (Optional) Enter the IP address of the switch acting as a secondary VMPS server. Specify the switch port that is connected to the end station. Connecting dynamic-access ports to other switches can cause a loss of connectivity. Configure the port as a UNI or ENI. The port must be a UNI or an ENI.

To reset the access mode to the default VLAN for the switch. Enter the number of minutes between reconfirmations of the dynamic VLAN membership. use the no vmps retry global configuration command. follow these steps to confirm the dynamic-access port VLAN membership assignments that the switch has received from the VMPS: Command Step 1 Step 2 Purpose Reconfirm dynamic-access port VLAN membership. Verify the dynamic VLAN reconfirmation status. configure terminal vmps retry count end show vmps copy running-config startup-config To return the switch to its default setting. use the default interface interface-id interface configuration command. follow these steps to change the reconfirmation interval: Command Step 1 Step 2 Step 3 Step 4 Step 5 Purpose Enter global configuration mode. Change the retry count. The default is 60 minutes. the default is 3.Chapter 11 Configuring VLANs Configuring VMPS To return an interface to its default configuration. Verify your entry in the Server Retry Count field of the display. Return to privileged EXEC mode. Return to privileged EXEC mode. Verify the dynamic VLAN reconfirmation status in the Reconfirm Interval field of the display. use the no switchport access vlan interface configuration command. Beginning in privileged EXEC mode. The retry range is 1 to 10. Changing the Retry Count Beginning in privileged EXEC mode. follow these steps to change the number of times that the switch attempts to contact the VMPS before querying the next server: Command Step 1 Step 2 Step 3 Step 4 Step 5 Purpose Enter global configuration mode. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 11-27 . use the no vmps reconfirm global configuration command. configure terminal vmps reconfirm minutes end show vmps copy running-config startup-config To return the switch to its default setting.You can set the number of minutes after which reconfirmation occurs. (Optional) Save your entries in the configuration file. vmps reconfirm show vmps Changing the Reconfirmation Interval VMPS clients periodically reconfirm the VLAN membership information received from the VMPS. (Optional) Save your entries in the configuration file. Reconfirming VLAN Memberships Beginning in privileged EXEC mode. The range is 1 to 120.

enter the shutdown interface configuration command followed by the no shutdown interface configuration command. The one marked primary is the primary server. If no response is received after this many tries. these assumptions apply: • • • The VMPS server and the VMPS client are separate switches.128. The switch displays this information about the VMPS: • • • • • VMPS VQP Version—the version of VQP used to communicate with the VMPS. This is an example of output for the show vmps privileged EXEC command: Switch# show vmps VQP Client Status: -------------------VMPS VQP Version: 1 Reconfirm Interval: 60 min Server Retry Count: 3 VMPS domain server: 172. More than 20 active hosts reside on a dynamic-access port. Server Retry Count—the number of times VQP resends a query to the VMPS. The VMPS shuts down the port to prevent the host from connecting to the network. A reconfirmation attempt can occur automatically when the reconfirmation interval expired. The switch queries the VMPS that is using VQP Version 1. To disable and re-enable a disabled dynamic-access port.Chapter 11 Configuring VMPS Configuring VLANs Monitoring the VMPS You can display information about the VMPS by using the show vmps privileged EXEC command. VMPS Action—the result of the most recent reconfirmation attempt.20. or you can force it by entering the vmps reconfirm privileged EXEC command. VMPS Configuration Example Figure 11-5 shows a network with a VMPS server switch and VMPS client switches with dynamic-access ports. The switch sends queries to the one marked current.20.86 (primary. In this example. VMPS domain server—the IP address of the configured VLAN membership policy servers. The Catalyst 6500 series Switch A is the primary VMPS server. the switch starts to query the secondary VMPS. current) 172. The Catalyst 6500 series Switch C and Switch J are secondary VMPS servers. Reconfirm Interval—the number of minutes the switch waits before reconfirming the VLAN-to-MAC-address assignments.87 Reconfirmation status --------------------VMPS Action: other Troubleshooting Dynamic-Access Port VLAN Membership The VMPS shuts down a dynamic-access port under these conditions: • • The VMPS is in secure mode.128. and it does not allow the host to connect to the port. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 11-28 OL-9639-10 .

26.20.20.154 Switch F 172.153 Ethernet segment (Trunk link) Switch E 172.158 Trunk port 172.20.7 172.159 101363t End station 2 Catalyst 6500 series Secondary VMPS Server 3 Switch J Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 11-29 .20.155 Switch G 172.20.20.156 Switch H Dynamic-access port 172. The database configuration file is stored on the TFTP server with the IP address 172.26.26.Chapter 11 Configuring VLANs Configuring VMPS • • End stations are connected to the clients.20.26.26.7.20.20.26.26.26.152 Router TFTP server 172.157 Client switch I 172.20.20. Switch B and Switch I.22.22.20.26.151 Trunk port Switch C Catalyst 6500 series Secondary VMPS Server 2 Switch D 172.150 Client switch B End station 1 Dynamic-access port 172.26. Dynamic Port VLAN Membership Configuration Figure 11-5 Catalyst 6500 series switch A Primary VMPS Server 1 172.

Chapter 11 Configuring VMPS Configuring VLANs Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 11-30 OL-9639-10 .

Note For complete syntax and usage information for the commands used in this chapter. page 12-6 Monitoring Private VLANs. Using private VLANs addresses the scalability problem and provides IP address management benefits for service providers and Layer 2 security for customers. and Multicast Traffic. page 12-4 Private VLANs and Unicast. The secondary VLAN ID differentiates one subdomain from another. • • • Understanding Private VLANs. All VLAN pairs in a private VLAN share the same primary VLAN. See Figure 12-1. page 12-5 Private VLANs and SVIs. These sections describe how private VLANs work: • • • • • Types of Private VLANs and Private-VLAN Ports. A subdomain is represented by a pair of VLANs: a primary VLAN and a secondary VLAN. A private VLAN can have multiple VLAN pairs. page 12-15 Understanding Private VLANs The private-VLAN feature addresses two problems that service providers face when using VLANs: • • Scalability: The switch supports up to 1005 active VLANs. page 12-4 Private VLANs across Multiple Switches. page 12-1 IP Addressing Scheme with Private VLANs. this limits the numbers of customers that the service provider can support. To enable IP routing. which can waste the unused IP addresses and cause IP address management problems. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 12-1 . page 12-5 Types of Private VLANs and Private-VLAN Ports Private VLANs partition a regular VLAN domain into subdomains. Broadcast. each VLAN is assigned a subnet address space or a block of addresses. If a service provider assigns one VLAN per customer.CH A P T E R 12 Configuring Private VLANs This chapter describes how to configure private VLANs on the Cisco ME 3400 Ethernet Access switch. see the command reference for this release. page 12-1 Configuring Private VLANs. one pair for each subdomain.

Private-VLAN ports are access ports that are one of these types: • Promiscuous—A promiscuous port belongs to the primary VLAN and can communicate with all interfaces. UNIs or ENIs cannot be configured as promiscuous ports. including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN. Traffic received from an isolated port is forwarded only to promiscuous ports. Private VLANs provide Layer 2 isolation between ports within the same private VLAN. A community VLAN can include a combination of no more than eight user network interfaces (UNIs) and enhanced network interfaces (ENIs).Chapter 12 Understanding Private VLANs Configuring Private VLANs Figure 12-1 Private-VLAN Domain Private VLAN domain Subdomain Primary VLAN Subdomain Secondary community VLAN Secondary isolated VLAN There are two types of secondary VLANs: • • Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level. Note Promiscuous ports must be network node interfaces (NNIs). • Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. It has complete Layer 2 separation from other ports within the same private VLAN. Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 12-2 116083 OL-9639-10 . except for the promiscuous ports.

backup servers) as promiscuous ports to allow all end stations access to a default gateway. Traffic is not switched among UNIs and ENIs on a switch that belong to a UNI-ENI isolated VLAN. it is by default a UNI-ENI isolated VLAN. You can use private VLANs to control access to end stations in these ways: • Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2. Every port in a private VLAN is a member of the primary VLAN. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 12-3 . Note Trunk ports carry traffic from regular VLANs and also from primary. Each community VLAN can include a combination of no more than eight UNIs and ENIs. For more information on UNI-ENI VLANs. Primary and secondary VLANs have these characteristics: • Primary VLAN—A private VLAN has only one primary VLAN. You can configure multiple community VLANs in a private VLAN. With a promiscuous port.Chapter 12 Configuring Private VLANs Understanding Private VLANs • Community—A community port is a host port that belongs to a community secondary VLAN. No more than eight UNIs and ENIs can be community ports in the same community VLAN. if the end stations are servers. including devices that have no private-VLAN ports. and community VLANs. configure private VLANs on all intermediate devices. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports. For example. you can assign an individual private VLAN and associated IP subnet to each individual or common group of end stations. isolated. In a switched environment. For example. Configure NNIs connected to default gateways and selected end stations (for example. • • Note The switch also supports UNI-ENI isolated VLANs and UNI-ENI community VLANs. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN. • You can extend private VLANs across multiple devices by trunking the primary. isolated. you can use a promiscuous port to monitor or back up all the private-VLAN servers from an administration workstation. this configuration prevents Layer 2 communication between the servers. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. Layer 3 gateways are typically connected to the switch through a promiscuous port. When a VLAN is created. “Configuring VLANs.” A promiscuous port can serve only one primary VLAN. To maintain the security of your private-VLAN configuration and to avoid other use of the VLANs configured as private VLANs. Isolated VLAN —A private VLAN has only one isolated VLAN. and community VLANs to other devices that support private VLANs. The end stations need to communicate only with a default gateway to communicate outside the private VLAN. see Chapter 11. An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the gateway. one isolated VLAN. you can connect a wide range of devices as access points to a private VLAN. Community VLAN—A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port gateways and to other host ports in the same community. and multiple community VLANs.

201. private VLANs can span multiple switches. which is allocated to the primary VLAN. When new devices are added. Hosts are connected to secondary VLANs. but in the same primary VLAN. Private VLANs across Multiple Switches As with regular VLANs. the Layer 2 databases in these switches are not merged. and the DHCP server assigns them IP addresses from the block of addresses allocated to the primary VLAN. The trunk port treats the private VLAN as any other VLAN. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch. Figure 12-2 Private VLANs across Switches Trunk ports VLAN 100 Switch A Switch B VLAN 100 VLAN 201 VLAN 202 VLAN 201 Carries VLAN 100. Subsequent IP addresses can be assigned to customer devices in different secondary VLANs. and 202 traffic VLAN 202 116084 VLAN 100 = Primary VLAN VLAN 201 = Secondary isolated VLAN VLAN 202 = Secondary community VLAN You must manually configure private VLANs on all switches in the Layer 2 network. the DHCP server assigns them the next available address from a large pool of subnet addresses. This can result in unnecessary flooding of private-VLAN traffic on those switches.Chapter 12 Understanding Private VLANs Configuring Private VLANs IP Addressing Scheme with Private VLANs Assigning a separate VLAN to each customer creates an inefficient IP addressing scheme: • • Assigning a block of addresses to a customer VLAN can result in unused IP addresses. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 12-4 OL-9639-10 . where all members in the private VLAN share a common address space. A feature of private VLANs across multiple switches is that traffic from an isolated port in switch A does not reach an isolated port on Switch B. These problems are reduced by using private VLANs. If you do not configure the primary and secondary VLAN associations in some switches in the network. the number of assigned address might not be large enough to accommodate them. If the number of devices in the VLAN increases. See Figure 12-2.

If the SVI is not mapped at Layer 3. if you assign an IP subnet to the primary VLAN SVI. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 12-5 . Private VLANs and SVIs In a Layer 3 switch (a switch running the metro IP access image). a switch virtual interface (SVI) represents the Layer 3 interface of a VLAN. but devices connected to interfaces in different VLANs must communicate at the Layer 3 level. this subnet is the IP subnet address of the entire private VLAN. Because the secondary VLAN is associated to the primary VLAN. and Multicast Traffic In regular VLANs. broadcasts are forwarded to all ports in that VLAN. Configure Layer 3 VLAN interfaces only for primary VLANs. and community ports). A community port sends a broadcast to all promiscuous ports. For example. Broadcast. the SVI is created. and ports in the same community VLAN. the configuration is not allowed until you disable the SVI. trunk ports. members of the these VLANs can communicate with each other at the Layer 2 level. Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs. Multicast traffic is not forwarded between ports in the same isolated VLAN or between ports in different secondary VLANs. devices in the same VLAN can communicate with each other at the Layer 2 level. the promiscuous ports are members of the primary VLAN. When the primary VLAN is associated with and mapped to the secondary VLAN. any configuration on the primary VLAN is propagated to the secondary VLAN SVIs. and an error is returned. the SVI is not created. while the host ports belong to secondary VLANs. If you try to create an SVI on a VLAN that is configured as a secondary VLAN and the secondary VLAN is already mapped at Layer 3. In a regular VLAN.Chapter 12 Configuring Private VLANs Understanding Private VLANs Private VLANs and Unicast. You cannot configure Layer 3 VLAN interfaces for secondary VLANs. trunk ports. but it is automatically shut down. A promiscuous port (only NNI) sends a broadcast to all ports in the private VLAN (other promiscuous ports. Private-VLAN broadcast forwarding depends on the port sending the broadcast: • • • An isolated port sends a broadcast only to the promiscuous ports or trunk ports. SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN. • • If you try to configure a VLAN with an active SVI as a secondary VLAN. isolated ports. In private VLANs. Multicast traffic is routed or bridged across private-VLAN boundaries and within a single community VLAN.

If inter-VLAN routing will be used. Private-VLAN Configuration Guidelines Guidelines for configuring private VLANs fall into these categories: • • • Secondary and Primary VLAN Configuration. page 12-6 Private-VLAN Configuration Guidelines. Configure NNIs as promiscuous ports. and map the promiscuous ports to the primary-secondary VLAN pair. See the “Configuring a Layer 2 Interface as a Private-VLAN Host Port” section on page 12-11. page 12-9 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 12-6 OL-9639-10 . See the “Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port” section on page 12-12. page 12-12 Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface. page 12-6 Configuring and Associating VLANs in a Private VLAN. and assign VLAN membership to the host port. page 12-8 Limitations with Other Features. the private-VLAN configuration process creates it. Note Step 2 Step 3 If the VLAN is not created already. page 12-10 Configuring a Layer 2 Interface as a Private-VLAN Host Port. Newly created VLANs are UNI-ENI isolated VLANs. configure the primary SVI. See the “Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface” section on page 12-13.Chapter 12 Configuring Private VLANs Configuring Private VLANs Configuring Private VLANs • • • • • • • Tasks for Configuring Private VLANs. page 12-6 Default Private-VLAN Configuration. Configure interfaces to be isolated or community host ports. page 12-13 Tasks for Configuring Private VLANs To configure a private VLAN. follow these steps: Step 1 Create the primary and secondary VLANs and associate them. Verify private-VLAN configuration. page 12-7 Private-VLAN Port Configuration. and map secondary VLANs to the primary. page 12-11 Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port. See the “Configuring and Associating VLANs in a Private VLAN” section on page 12-10. Step 4 Step 5 Default Private-VLAN Configuration No private VLANs are configured.

Although a private VLAN contains more than one VLAN. Extended VLANs (VLAN IDs 1006 to 4094) can belong to private VLANs A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it. For more information about VLAN configuration. isolated. enter the private-vlan VLAN configuration command. When you enable DHCP snooping on the primary VLAN. – To change a UNI-ENI community VLAN to a private VLAN. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 12-7 . see the “Creating and Modifying VLANs” section on page 11-7. – To change a UNI-ENI isolated VLAN (the default) to a private VLAN. • You can configure VLAN maps on primary and secondary VLANs (see the “Configuring VLAN Maps” section on page 31-29). we recommend that you configure the same VLAN maps on private-VLAN primary and secondary VLANs. – The ip sticky-arp global configuration command is supported only on SVIs belonging to • • • • private VLANs. see the command reference for this release. When a secondary VLAN is associated with the primary VLAN. However. for sticky ARP – Sticky ARP entries are those learned on SVIs and Layer 3 interfaces. and community VLANs. • • • You cannot configure VLAN 1 or VLANs 1002 to 1005 as primary or secondary VLANs. You can apply different quality of service (QoS) configurations to primary. A private VLAN cannot be a UNI-ENI VLAN. You must configure private VLANs on each device where you want private-VLAN ports. only one Spanning Tree Protocol (STP) instance runs for the entire private VLAN. it is propagated to the secondary VLANs. – The ip sticky-arp interface configuration command is only supported on Layer 3 interfaces SVIs belonging to normal VLANs SVIs belonging to private VLANs For more information about using the ip sticky-arp global configuration and the ip sticky-arp interface configuration commands. If you configure DHCP on a secondary VLAN. you must first enter the no uni-vlan VLAN configuration command to return to the default UNI isolated VLAN configuration.Chapter 12 Configuring Private VLANs Configuring Private VLANs Secondary and Primary VLAN Configuration Follow these guidelines when configuring private VLANs: • • • You use VLAN configuration mode to configure private VLANs. The entries do not age out. the configuration does not take effect if the primary VLAN is already configured. the STP parameters of the primary VLAN are propagated to the secondary VLAN. this overwrites the default isolated VLAN configuration. An isolated or community VLAN can have only one primary VLAN associated with it. you must enable DHCP snooping on the primary VLAN. You can enable DHCP snooping on private VLANs. If the switch is running the metro access or metro IP access image and you enable IP source guard on private-VLAN ports. When the switch is running the metro IP access image.

Although private VLANs provide host isolation at Layer 2. – For frames going downstream from a promiscuous port to a host port. isolated. the private-VLAN map is applied at the receiving side. – You can use VLAN-based SPAN (VSPAN) on primary. the configuration is not allowed. A community private VLAN can include no more than eight UNIs and ENIs. The ACL is applied to both primary and secondary VLAN Layer 3 traffic. • • • • • Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 12-8 OL-9639-10 . Use only the private-VLAN configuration commands to assign ports to primary. Do not enable Port Fast and BPDU guard on promiscuous ports. or community VLANs. you should apply the VLAN map to both the primary and secondary VLANs. Layer 2 trunk interfaces remain in the STP forwarding state.Chapter 12 Configuring Private VLANs Configuring Private VLANs • When a frame is forwarded through Layer 2 within a private VLAN. Do not configure NNI ports that belong to a Port Aggregation Protocol (PAgP) or Link Aggregation Control Protocol (LACP) EtherChannel as private-VLAN ports. Private VLANs support these Switched Port Analyzer (SPAN) features: – You can configure a private-VLAN port as a SPAN source port. When a frame is routed from inside a private VLAN to an external port. the VLAN map configured on the secondary VLAN is applied. you can apply router ACLs only on the primary-VLAN SVIs. If you delete a VLAN used in the private-VLAN configuration. the configuration is not allowed. To filter out specific IP traffic for a private VLAN. If you try to configure a VLAN that includes a combination of more than eight UNIs and ENIs as a community private VLAN. the same VLAN map is applied at the receiving and sending sides. the private-VLAN ports associated with the VLAN become inactive. Layer 2 access ports assigned to the VLANs that you configure as primary. If you try to add more than eight. and community VLANs or use SPAN on only one VLAN to separately monitor sent or received traffic. Private-VLAN ports can be on different network devices if the devices are trunk-connected and the primary and secondary VLANs have not been removed from the trunk. the VLAN map configured on the primary VLAN is applied. – For frames going upstream from a host port to a promiscuous port. UNIs and ENIs cannot be configured as promiscuous ports. isolated. “Configuring Optional Spanning-Tree Features”). any EtherChannel configuration for it is inactive. or community VLANs are inactive while the VLAN is part of the private-VLAN configuration. Private-VLAN Port Configuration Follow these guidelines when configuring private-VLAN ports: • • Promiscuous ports must be NNIs. When enabled. STP applies the BPDU guard feature to all Port Fast-configured Layer 2 LAN ports. isolated. • • • If the switch is running the metro IP access image. hosts can communicate with each other at Layer 3. Enable Port Fast and BPDU guard on NNI isolated and community host ports to prevent STP loops due to misconfigurations and to speed up STP convergence (see Chapter 16. While a port is part of the private-VLAN configuration.

1x with port security on private-VLAN ports. “Configuring VLANs. For more information about SPAN.1x port-based authentication on a private-VLAN port. If you configure a static MAC address on a promiscuous port in the primary VLAN. A private-VLAN host or promiscuous port cannot be a SPAN destination port. see Chapter 11. • Configure Layer 3 VLAN interfaces only for primary VLANs. If you configure a SPAN destination port as a private-VLAN port. When the original dynamic MAC address is deleted or aged out. see Chapter 26. but do not configure IEEE 802. the configuration is accepted with no error messages. remember these limitations with other features: Note In some cases. a MAC address learned in a secondary VLAN is replicated in the primary VLAN. the replicated addresses are removed from the MAC address table. you must remove all instances of the configured MAC address from the private VLAN. When you delete a static MAC address from a private-VLAN port. For more information about UNI-ENI VLANs. If you configure a static MAC address on a host port in a secondary VLAN. • • • • When IGMP snooping is enabled on the switch (the default). the switch supports no more than 20 private-VLAN domains.” Do not configure private-VLAN ports on interfaces configured for these other features: – dynamic-access port VLAN membership – PAgP (only NNIs or ENIs) – LACP (only NNIs or ENIs) – Multicast VLAN Registration (MVR) • • • You can configure 802.” Do not configure a remote SPAN (RSPAN) VLAN as a private-VLAN primary or secondary VLAN. but the commands have no effect. Note Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the associated VLANs. the port becomes inactive. you must add the same static MAC address to the associated primary VLAN. For example. “Configuring SPAN and RSPAN.Chapter 12 Configuring Private VLANs Configuring Private VLANs Limitations with Other Features When configuring private VLANs. A private VLAN cannot be a UNI-ENI isolated or UNI-ENI community VLAN. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 12-9 . you must add the same static address to all associated secondary VLANs.

Enter VLAN configuration mode for the primary VLAN designated in Step 3. Each item can be a single private-VLAN ID or a hyphenated range of private-VLAN IDs. Verify the configuration. Step 3 Step 4 Step 5 private-vlan primary exit vlan vlan-id Designate the VLAN as the primary VLAN. The VLAN ID range is 2 to 1001 and 1006 to 4094. you must enter the no uni-vlan VLAN configuration command before configuring a private VLAN. The VLAN ID range is 2 to 1001 and 1006 to 4094. Enter VLAN configuration mode and designate or create a VLAN that will be the primary VLAN. Note configure terminal vlan vlan-id If the VLAN has been configured as a UNI-ENI community VLAN. note this syntax information: • The secondary_vlan_list parameter cannot contain spaces. Command Step 1 Step 2 Purpose Enter global configuration mode. Associate the secondary VLANs with the primary VLAN. Return to global configuration mode. Return to privileged EXEC mode. (Optional) Enter VLAN configuration mode and designate or create a VLAN that will be an isolated VLAN. you must enter the no uni-vlan VLAN configuration command before configuring a private VLAN. follow these steps to configure a private VLAN: Note The private-vlan commands do not take effect until you exit VLAN configuration mode. Step 9 private-vlan community Designate the VLAN as a community VLAN. Return to global configuration mode. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 12-10 OL-9639-10 . Step 10 exit Step 11 vlan vlan-id Step 12 private-vlan association [add | remove] secondary_vlan_list Step 13 end Step 14 show vlan private-vlan [type] or show interfaces status Step 15 copy running-config startup config (Optional) Save your entries in the switch startup configuration file. Note Step 6 Step 7 Step 8 private-vlan isolated exit vlan vlan-id If the VLAN has been configured as a UNI-ENI community VLAN. The VLAN ID range is 2 to 1001 and 1006 to 4094. Designate the VLAN as an isolated VLAN. When you associate secondary VLANs with a primary VLAN. Return to global configuration mode. (Optional) Enter VLAN configuration mode and designate or create a VLAN that will be a community VLAN. It can contain multiple comma-separated items.Chapter 12 Configuring Private VLANs Configuring Private VLANs Configuring and Associating VLANs in a Private VLAN Beginning in privileged EXEC mode.

This example shows how to configure VLAN 20 as a primary VLAN. VLAN 501 as an isolated VLAN.Chapter 12 Configuring Private VLANs Configuring Private VLANs • • • • The secondary_vlan_list parameter can contain multiple community VLAN IDs but only one isolated VLAN ID. It assumes that VLANs 502 and 503 have previously been configured as UNI-ENI community VLANs: Switch# configure terminal Switch(config)# vlan 20 Switch(config-vlan)# private-vlan primary Switch(config-vlan)# exit Switch(config)# vlan 501 Switch(config-vlan)# private-vlan isolated Switch(config-vlan)# exit Switch(config)# vlan 502 Switch(config-vlan)# no-uni vlan Switch(config-vlan)# private-vlan community Switch(config-vlan)# exit Switch(config)# vlan 503 Switch(config-vlan)# no-uni vlan Switch(config-vlan)# private-vlan community Switch(config-vlan)# exit Switch(config)# vlan 20 Switch(config-vlan)# private-vlan association 501-503 Switch(config-vlan)# end Switch(config)# show vlan private vlan Primary Secondary Type Ports ------. Command Step 1 Step 2 Purpose Enter global configuration mode. Enter a secondary_vlan_list.--------. Use the remove keyword with a secondary_vlan_list to clear the association between secondary VLANs and a primary VLAN. The private-vlan association VLAN configuration command does not take effect until you exit VLAN configuration mode. to associate them in a private VLAN.-----------------------------------------20 501 isolated 20 502 community 20 503 community 20 504 non-operational Configuring a Layer 2 Interface as a Private-VLAN Host Port Beginning in privileged EXEC mode. follow these steps to configure a Layer 2 interface as a private-VLAN host port and to associate it with primary and secondary VLANs: Note Isolated and community VLANs are both secondary VLANs. Enter interface configuration mode for the Layer 2 interface to be configured. configure terminal interface interface-id Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 12-11 . or use the add keyword with a secondary_vlan_list to associate secondary VLANs with a primary VLAN. and to verify the configuration.----------------. and VLANs 502 and 503 as community VLANs.

(Optional) Save your entries in the switch startup configuration file. if necessary. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 12-12 OL-9639-10 . Associate the Layer 2 port with a private VLAN.Chapter 12 Configuring Private VLANs Configuring Private VLANs Command Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Purpose Enable the port. no shutdown switchport mode private-vlan host switchport private-vlan host-association primary_vlan_id secondary_vlan_id end show interfaces [interface-id] switchport copy running-config startup config This example shows how to configure an interface as a private-VLAN host port. By default. UNIs and ENIs are disabled. associate it with a private-VLAN pair. Return to privileged EXEC mode. follow these steps to configure a Layer 2 interface as a private-VLAN promiscuous port and map it to primary and secondary VLANs: Note Isolated and community VLANs are both secondary VLANs. and verify the configuration: Switch# configure terminal Switch(config)# interface fastethernet0/22 Switch(config-if)# no shutdown Switch(config-if)# switchport mode private-vlan host Switch(config-if)# switchport private-vlan host-association 20 501 Switch(config-if)# end Switch# show interfaces fastethernet0/22 switchport Name: Fa0/22 Switchport: Enabled Administrative Mode: private-vlan host Operational Mode: private-vlan host Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: native Negotiation of Trunking: Off Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Administrative Native VLAN tagging: enabled Administrative private-vlan host-association: 20 501 Administrative private-vlan mapping: none Administrative private-vlan trunk native VLAN: none Administrative private-vlan trunk Native VLAN tagging: enabled Administrative private-vlan trunk encapsulation: dot1q Administrative private-vlan trunk normal VLANs: none Administrative private-vlan trunk private VLANs: none Operational private-vlan: 20 501 <output truncated> Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port You can configure only NNIs as promiscuous ports. Verify the configuration. Configure the Layer 2 port as a private-VLAN host port. and NNIs are enabled. Beginning in privileged EXEC mode.

(Optional) Save your entries in the switch startup configuration file. Note Isolated and community VLANs are both secondary VLANs. Step 3 Step 4 Step 5 Step 6 Step 7 switchport mode private-vlan promiscuous switchport private-vlan mapping primary_vlan_id {add | remove} secondary_vlan_list end show interfaces [interface-id] switchport copy running-config startup config Configure the Layer 2 NNI port as a private-VLAN promiscuous port. The interface is a member of primary VLAN 20 and secondary VLANs 501 to 503 are mapped to it. This example shows how to configure an NNI as a private-VLAN promiscuous port and map it to a private VLAN. Return to privileged EXEC mode. Verify the configuration. Map the private-VLAN promiscuous port to a primary VLAN and to selected secondary VLANs. When you configure a Layer 2 interface as a private-VLAN promiscuous port. Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and the private-VLAN promiscuous port. or use the add keyword with a secondary_vlan_list to map the secondary VLANs to the private-VLAN promiscuous port. It can contain multiple comma-separated items. note this syntax information: • • • The secondary_vlan_list parameter cannot contain spaces. Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface If the switch is running the metro IP access image and the private VLAN will be used for inter-VLAN routing. Switch# configure terminal Switch(config)# interface gigabitethernet0/1 Switch(config-if)# switchport mode private-vlan promiscuous Switch(config-if)# switchport private-vlan mapping 20 add 501-503 Switch(config-if)# end Use the show vlan private-vlan or the show interface status privileged EXEC command to display primary and secondary VLANs and private-VLAN ports on the switch. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 12-13 . The interface must be an NNI. you configure an SVI for the primary VLAN and map secondary VLANs to the SVI. Each item can be a single private-VLAN ID or a hyphenated range of private-VLAN IDs. Enter interface configuration mode for the Layer 2 interface to be configured. Enter a secondary_vlan_list. you must enter the port-type nni interface configuration command before configuring it as a promiscuous port.Chapter 12 Configuring Private VLANs Configuring Private VLANs Command Step 1 Step 2 Purpose Enter global configuration mode. Note configure terminal interface interface-id If the interface is a UNI or ENI.

configure terminal interface vlan primary_vlan_id Step 3 private-vlan mapping [add | remove] secondary_vlan_list end show interface private-vlan mapping copy running-config startup config Step 4 Step 5 Step 6 Note The private-vlan mapping interface configuration command only affects private-VLAN traffic that is switched through Layer 3. Enter a secondary_vlan_list. note this syntax information: • • • The secondary_vlan_list parameter cannot contain spaces.----------------vlan10 501 isolated vlan10 502 community Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 12-14 OL-9639-10 . follow these steps to map secondary VLANs to the SVI of a primary VLAN to allow Layer 3 switching of private-VLAN traffic: Command Step 1 Step 2 Purpose Enter global configuration mode. Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and the primary VLAN. (Optional) Save your entries in the switch startup configuration file. When you map secondary VLANs to the Layer 3 VLAN interface of a primary VLAN. or use the add keyword with a secondary_vlan_list to map the secondary VLANs to the primary VLAN. and configure the VLAN as an SVI. Map the secondary VLANs to the Layer 3 VLAN interface of a primary VLAN to allow Layer 3 switching of private-VLAN incoming traffic. It can contain multiple comma-separated items. The VLAN ID range is 2 to 1001 and 1006 to 4094. which permits routing of secondary VLAN incoming traffic from private VLANs 501 to 502: Switch# configure terminal Switch(config)# interface vlan 10 Switch(config-if)# private-vlan mapping 501-502 Switch(config-if)# end Switch# show interfaces private-vlan mapping Interface Secondary VLAN Type --------. This example shows how to map the interfaces of VLANs 501 and 502 to primary VLAN 10. Verify the configuration.-------------. Enter interface configuration mode for the primary VLAN. Return to privileged EXEC mode. Each item can be a single private-VLAN ID or a hyphenated range of private-VLAN IDs.Chapter 12 Configuring Private VLANs Configuring Private VLANs Beginning in privileged EXEC mode.

Gi0/1. Gi0/2 10 502 community Fa0/11.Chapter 12 Configuring Private VLANs Monitoring Private VLANs Monitoring Private VLANs Table 12-1 shows the privileged EXEC commands for monitoring private-VLAN activity. This is an example of the output from the show vlan private-vlan command: Switch(config)# show vlan private-vlan Primary Secondary Type Ports ------.-----------------------------------------10 501 isolated Fa0/1. Display the private-VLAN information for the switch.----------------. including the VLANs to which they belong. Display the private-VLAN configuration on interfaces.--------. Fa0/12. Table 12-1 Private VLAN Monitoring Commands Command show interfaces status show vlan private-vlan [type] show interface switchport show interface private-vlan mapping Purpose Displays the status of interfaces. Gi0/1 10 503 non-operational Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 12-15 . Display information about the private-VLAN mapping for VLAN interfaces.

Chapter 12 Monitoring Private VLANs Configuring Private VLANs Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 12-16 OL-9639-10 .

Using 802. page 13-18 Understanding 802.1Q Tunneling and Layer 2 Protocol Tunneling Virtual private networks (VPNs) provide enterprise-scale connectivity on a shared infrastructure.1Q tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy and retagging the tagged packets. with the same security. and traffic of customers through the infrastructure might be mixed.1Q Tunneling. often Ethernet-based.1Q specification. The Cisco ME 3400 Ethernet Access switch supports IEEE 802. Using the 802. service providers can use a single VLAN to support customers who have multiple VLANs. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 13-1 .CH A P T E R 13 Configuring IEEE 802.1Q tunneling and Layer 2 protocol tunneling when it is running the metro access or metro IP access image. A port configured to support 802. page 13-4 \Understanding Layer 2 Protocol Tunneling. even when they appear to be in the same VLAN. The VLAN ranges required by different customers in the same service-provider network might overlap. When you configure tunneling. you assign a tunnel port to a VLAN ID that is dedicated to tunneling. Tunneling is a feature designed for service providers who carry traffic of multiple customers across their networks and are required to maintain the VLAN and Layer 2 protocol configurations of each customer without impacting the traffic of other customers. page 13-7 Configuring Layer 2 Protocol Tunneling. Assigning a unique range of VLAN IDs to each customer would restrict customer configurations and could easily exceed the VLAN limit (4096) of the 802. and traffic from different customers is segregated within the service-provider network.1Q Tunneling. page 13-1 Configuring 802. The metro base image does not support tunneling.1Q Tunneling Business customers of service providers often have specific requirements for VLAN IDs and the number of VLANs to be supported. see the command reference for this release. prioritization.1Q tunneling is called a tunnel port. • • • • • Understanding 802. and manageability requirements of private networks.1Q tunneling (QinQ) feature. Note For complete syntax and usage information for the commands used in this chapter. page 13-10 Monitoring and Maintaining Tunneling and Mapping Status. reliability. Customer VLAN IDs (C-VLANs) are preserved.

Therefore. When the packet exits another trunk port on the same core switch.1Q 802. For more information about UNI-ENI VLANs. When the double-tagged packet enters another trunk port in a service-provider core switch.1Q Tunneling Configuring IEEE 802.1Q-tagged with the appropriate VLAN ID.1Q trunk port.1Q trunk port 74016 802.” Figure 13-1 802. the same metro tag is again added to the packet.1Q tunneling on a tunnel port is referred to as traditional QinQ.1Q trunk port Tunnel port VLAN 30 Customer B VLANs 1 to 200 Trunk Asymmetric link Customer B VLANs 1 to 200 Packets coming from the customer trunk port into the tunnel port on the service-provider edge switch are normally 802. and the inner VLAN ID being that of the incoming traffic.1Q trunk trunk port port Tunnel port VLAN 30 Tunnel port VLAN 30 Trunk ports Tunnel port VLAN 40 802. local switching occurs between these ports. You assign the tunnel port interface to an access VLAN ID that is unique to each customer. “Configuring VLANs. The link between the customer device and the edge switch is asymmetric because one end is configured as an 802. Note By default. If you use the uni-vlan community VLAN configuration command to change a VLAN to a UNI-ENI community VLAN. but that VLAN ID supports all of the customer’s VLANs.1Q tag is preserved in the encapsulated packet.1Q trunk port Trunk ports Tunnel port VLAN 40 802. see Chapter 11. In a UNI-ENI isolated VLAN.1Q trunk port 802. The the tagged packets remain intact inside the switch and when they exit the trunk port into the service-provider network. and the other end is configured as a tunnel port. packets entering the service-provider network are double-tagged. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 13-2 OL-9639-10 .1Q tag (called the metro tag) that contains the VLAN ID that is unique to the customer. Configuring 802. the outer tag is stripped as the switch processes the packet.1Q trunk port 802. 802.1Q trunk port on the customer device and into a tunnel port on the service-provider edge switch. Customer traffic tagged in the normal way with appropriate VLAN IDs comes from an 802. The original customer 802.1Q Tunneling and Layer 2 Protocol Tunneling Each customer requires a separate service-provider VLAN ID (S-VLAN). with the outer (metro) tag containing the customer’s access VLAN ID. VLANs configured on the switch are user network interface-enhanced network interface (UNI-ENI) isolated VLANs.1Q trunk port 802.Chapter 13 Understanding 802. See Figure 13-1.1Q Tunnel Ports in a Service-Provider Network Customer A VLANs 1 to 100 Customer A VLANs 1 to 100 802.1Q tunneled access ports on the switch are isolated from each other. Figure 13-2 shows the tag structures of the double-tagged packets. they are encapsulated with another layer of an 802.1Q trunk port Service provider 802.

1Q. The outgoing encapsulated VTP (CDP and STP) packets are dropped on that trunk. All packets entering the service-provider network through a tunnel port on an edge switch are treated as untagged packets.1Q Tunneling and Layer 2 Protocol Tunneling Understanding 802. with the outer tag containing VLAN ID 30 or 40. and the inner tag containing the original VLAN number. for example. the outer tag is again stripped as the switch internally processes the packet.1Q-tagged frame to preserve the original VLAN numbers in the customer network. If traffic coming from a customer network is not tagged (native VLAN frames). At the outbound tunnel port. The priority field on the metro tag is set to the interface class of service (CoS) priority configured on the tunnel port. but the switch supports only one level in this release. the original VLAN numbers on the customer’s network are recovered. the metro tag is not added when the packet is sent out the tunnel port on the edge switch into the customer network.1Q tags are double-tagged when they enter the service-provider network. these packets are bridged or routed as normal packets. which is independent of the VLAN numbering space used by other customers and the VLAN numbering space used by the service-provider network. The packets are encapsulated with the metro tag VLAN ID (set to the access VLAN of the tunnel port) when they are sent through the service-provider network on an 802. The packet is sent as a normal 802.1Q headers. and Customer B was assigned VLAN 40. whether they are untagged or already tagged with 802.1Q Tunneling Note Remove the Layer 2 protocol configuration from a trunk port because incoming encapsulated packets change that trunk port to error disabled. VLAN 100. Each customer controls its own VLAN numbering space. Customer A was assigned VLAN 30.) Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 13-3 74072 . In Figure 13-1. Packets entering the edge switch tunnel ports with 802. Even if both Customers A and B have VLAN 100 in their networks. appropriately.1Q frame from customer network DA SA Etype Tag Etype Tag Len/Etype Data FCS Double-tagged frame in service provider infrastructure When the packet enters the trunk port of the service-provider egress switch. It is possible to have multiple levels of tunneling and tagging.1Q trunk port. However. 802.Chapter 13 Configuring IEEE 802. the traffic remains segregated within the service-provider network because the outer tag is different. (The default is zero if none is configured. and Double-Tagged Ethernet Packet Formats Source address Destination Length/ address EtherType DA SA Len/Etype Data Frame Check Sequence FCS Original Ethernet frame DA SA Etype Tag Len/Etype Data FCS IEE 802. Figure 13-2 Original (Normal).

1Q trunk ports for sending packets into the service-provider network. page 13-6 Default 802.1Q trunks. you must use 802. 802.Chapter 13 Configuring 802. Assign tunnel ports only to VLANs that are used for tunneling. The packet carries only the VLAN 30 tag through the service-provider network to the trunk port of the egress-edge switch (Switch C) and is misdirected through the egress switch tunnel port to Customer Y.1Q tunneling is disabled because the default switchport mode is access. page 13-4 802. the native VLANs of the 802. 802. we recommend using ISL trunks for connecting switches in the core layer. These are some ways to solve this problem: • Use ISL trunks between core switches in the service-provider network.1Q Tunneling Configuring IEEE 802. Switch A of Customer X sends a tagged packet on VLAN 30 to the ingress tunnel port of Switch B in the service-provider network. are tagged.1Q Tunneling Configuration By default.1Q Tunneling Port.1Q tunneling on an edge switch. or nontrunking links. Configuration requirements for native VLANs and for and maximum transmission units (MTUs) are explained in these next sections. The Cisco ME switch does not support ISL trunks. packets going through the core of the service-provider network can be carried through 802. the metro tag is not added to tagged packets received from the tunnel port.1Q Tunneling Configuration. VLANs on the switch are UNI-ENI isolated VLANs.1Q Tunneling Configuration Guidelines.1Q trunk port and the edge switch port configured as a tunnel port.1Q Tunneling • • • • Default 802. When 802.1Q tunneling. ISL trunks. • Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 13-4 OL-9639-10 . which belongs to access VLAN 40.1Q trunks. Native VLANs When configuring 802. If the switch is configured to tag native VLAN packets on all 802.1Q Tunneling Configuration Guidelines When you configure 802. Because the access VLAN of the tunnel port (VLAN 40) is the same as the native VLAN of the edge-switch trunk port (VLAN 40).1Q native VLAN packets on all 802. However. page 13-4 802.1Q Tunneling and Other Features. By default.1Q sending trunk port. VLAN 40 is configured as the native VLAN for the 802.1Q trunk. but sends only tagged packets. Tagging of 802.1Q trunks must not match any native VLAN of the nontrunking (tunneling) port on the same switch because traffic on the native VLAN would not be tagged on the 802. See Figure 13-3. page 13-5 Configuring an 802.1Q trunk ports is also disabled. including the native VLAN.1Q trunks. you should always use an asymmetrical link between the customer device and the edge switch.1Q trunk port from Customer X at the ingress edge switch in the service-provider network (Switch B).1Q Tunneling and Layer 2 Protocol Tunneling Configuring 802. Use the vlan dot1q tag native global configuration command to configure the edge switch so that all packets going out an 802.1Q trunks are used in these core switches. the switch accepts untagged packets. Although customer interfaces connected to edge switches must be 802. with the customer device port configured as an 802.

802. if the trunk port carries traffic of VLANs 100 to 200.1Q trunk port VLANs 30-40 Native VLAN 40 Trunk Asymmetric link Correct path for traffic Incorrect path for traffic due to misconfiguration of native VLAN by sending port on Switch B Q = 802. You can configure Gigabit Ethernet ports to support frames larger than 1500 bytes by using the system mtu jumbo global configuration command.1Q Tunneling • Ensure that the native VLAN ID on the edge-switch trunk port is not within the customer VLAN range. For example.1Q Tunneling and Other Features Although 802. You can configure Fast Ethernet ports to support frames larger than 1500 bytes by using the system mtu global configuration command. you must configure all switches in the service-provider network to be able to process maximum frames by increasing the switch system MTU size to at least 1504 bytes.1Q Tunneling and Native VLANs Figure 13-3 Tag not added for VLAN 40 Service provider Tag removed Switch D Customer X VLANs 30-40 Native VLAN 40 Tunnel port Switch B Packet tagged for VLAN 30 Switch A Customer X Q Tunnel port Access VLAN 40 VLANs 5-50 Native VLAN 40 Q Tunnel port Access VLAN 30 Switch C VLAN 40 802. assign the native VLAN a number outside that range. Potential Problem with 802.1Q tunneling works well for Layer 2 packet switching. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 101820 13-5 . Note Layer 3 switching is supported only when the metro IP access image is running on the switch. the maximum system MTU for Fast Ethernet interfaces is 1998 bytes.1Q tunneling feature increases the frame size by 4 bytes when the metro tag is added. Because the 802.1Q trunk ports Switch E Customer Y System MTU The default system MTU for traffic on the switch is 1500 bytes.1Q Tunneling and Layer 2 Protocol Tunneling Configuring 802. there are incompatibilities between some Layer 2 features and Layer 3 switching.Chapter 13 Configuring IEEE 802. The maximum allowable system MTU for Gigabit Ethernet interfaces is 9000 bytes.

IP routing is not supported on a VLAN that includes 802. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 13-6 OL-9639-10 . UNIs do not support BPDU filtering. “Configuring VLANs. Enable the port. and the Cisco Discovery Protocol (CDP) and the Layer Link Discovery Protocol (LLDP) are automatically disabled on the interface. UniDirectional Link Detection (UDLD) is supported on 802. CDP. follow these steps to configure a port as an 802. This should be the edge port in the service-provider network that connects to the customer switch. 802. Return to global configuration mode. untagged IP packets received from the tunnel port are recognized and routed by the switch. This VLAN ID is specific to the particular customer. Valid interfaces include physical interfaces and port-channel logical interfaces (port channels 1 to 48).1Q configuration is consistent within an EtherChannel port group.1Q tunnel ports. local switching does not occur between UNIs and ENIs on the switch.1Q tunneled access ports are isolated from each other. but in a UNI-ENI community VLAN. Tunnel ports do not support IP access control lists (ACLs). if necessary. MAC-based QoS is supported on tunnel ports. and NNIs are enabled. If this access is not needed. Packets received from a tunnel port are forwarded based only on Layer 2 information.Chapter 13 Configuring 802. By default.1Q Tunneling Configuring IEEE 802. EtherChannel port groups are compatible with tunnel ports as long as the 802. spanning-tree bridge protocol data unit (BPDU) filtering is automatically enabled on the interface. Enter interface configuration mode for the interface to be configured as a tunnel port. If the VLAN is a UNI-ENI community VLAN. If routing is enabled on a switch virtual interface (SVI) that includes tunnel ports. which is used if the interface stops trunking. you should not configure SVIs on VLANs that include tunnel ports. see Chapter 11. UNIs and ENIs are disabled. For more information about UNI-ENI VLANs.1Q Tunneling Port Beginning in privileged EXEC mode.1Q tunnel port. Port Aggregation Protocol (PAgP) and Link Aggregation Control Protocol (LACP) are supported only on 802. Step 5 Step 6 switchport mode dot1q-tunnel exit Set the interface as an 802. or LLDP. local switching occurs between these ports. Loopback detection is supported on 802.1Q tunnel ports.1Q tunnel port: Command Step 1 Step 2 Purpose Enter global configuration mode.” • • • • • • • • Configuring an 802. local switching is allowed. Customers can access the internet through its native VLAN. UNIs do not support PAgP and LACP. In a UNI-ENI isolated VLAN.1Q Tunneling and Layer 2 Protocol Tunneling • • A tunnel port cannot be a routed port.1Q tunnel ports that are network node interfaces (NNIs) or enhanced network interfaces (ENIs).1Q tunnel port.1Q tunnel ports. When an NNI or ENI port is configured as an 802. Layer 3 quality of service (QoS) ACLs and other QoS features related to Layer 3 information are not supported on tunnel ports. Note configure terminal interface interface-id Step 3 Step 4 no shutdown switchport access vlan vlan-id If the VLAN is a UNI-ENI isolated VLAN. Specify the default VLAN.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 13-7 . and verify the configuration. and a customer VLAN ID is the same as the native VLAN. Note The Cisco ME switch does not support VTP. When not set. the trunk port does not apply a metro tag. STP must run properly.Chapter 13 Configuring IEEE 802. as well as the local sites. VLAN Trunking Protocol (VTP) must provide consistent VLAN configuration throughout all sites in the customer network that are participating in VTP. In this configuration. Display the ports that are in tunnel mode. the VLAN ID for the customer connected to Gigabit Ethernet interface 2 is VLAN 22. Creating vlan 22 Switch(config-if)# switchport mode dot1q-tunnel Switch(config-if)# exit Switch(config)# vlan dot1q tag native Switch(config)# end Switch# show dot1q-tunnel interface gigabitethernet0/2 dot1q-tunnel mode LAN Port(s) ----------------------------Gi0/1 Switch# show vlan dot1q tag native dot1q native vlan tagging is enabled \ Understanding Layer 2 Protocol Tunneling Customers at different sites connected across a service-provider network need to use various Layer 2 protocols to scale their topologies to include all remote sites. vlan dot1q tag native Step 8 Step 9 end show running-config show dot1q-tunnel show vlan dot1q tag native copy running-config startup-config Step 10 Step 11 Use the no switchport mode dot1q-tunnel interface configuration command to return the port to the default state of access. Switch(config)# interface gigabitethernet0/2 Switch(config-if)# switchport access vlan 22 % Access VLAN does not exist. However. enable tagging of native VLAN packets. This example shows how to configure an interface as a tunnel port. (Optional) Save your entries in the configuration file. and every VLAN should build a proper spanning tree that includes the local site and all remote sites across the service-provider network. CDP and STP are supported by default on NNIs and can be enabled on ENIs. Display 802.1Q tunneling. and packets could be sent to the wrong destination.1Q native VLAN tagging status. This VLAN is by default a UNI-ENI isolated VLAN. Layer 2 protocol tunneling is supported on all ports on the switch.1Q Tunneling and Layer 2 Protocol Tunneling \Understanding Layer 2 Protocol Tunneling Command Step 7 Purpose (Optional) Set the switch to enable tagging of native VLAN packets on all 802. Use the no vlan dot1q tag native global configuration command to disable tagging of native VLAN packets.1Q trunk ports. Display the ports configured for 802. Return to privileged EXEC mode. Cisco Discovery Protocol (CDP) must discover neighboring Cisco devices from local and remote sites.

STP for a VLAN on a switch in Customer X. will build a spanning tree on the switches at that site without considering convergence parameters based on Customer X’s switch in Site 2. Layer 2 protocols within each customer’s network are totally separate from those running within the service-provider network. For example. switches on the far ends of the network cannot properly run STP. Layer 2 protocol tunneling can be used independently or can enhance 802. Site 1. If the network does not tunnel PDUs.1Q tunneling. or VTP cross the service-provider network and are delivered to customer switches on the outbound side of the service-provider network. For example. and VTP. and every VLAN can build a correct spanning tree based on parameters from all sites and not just from the local site. and VTP. you can use the Layer 2 protocol-tunnel bypass feature. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 13-8 OL-9639-10 . CDP. When Layer 2 protocol tunneling is enabled on the trunk port. STP. If 802.1Q tunneling achieve complete knowledge of the customer’s VLAN. VTP provides consistent VLAN configuration throughout the customer network. If protocol tunneling is not enabled on 802. that are connected through the service-provider network. Identical packets are received by all customer ports on the same VLANs with these results: • • • Users on each of a customer’s sites can properly run STP. the encapsulated tunnel MAC address is removed and the protocol packets have their normal MAC address. You implement bypass mode by enabling Layer 2 protocol tunneling on the egress trunk port. This could result in the topology shown in Figure 13-5. edge switches on the inbound side of the service-provider network encapsulate Layer 2 protocol packets with a special MAC address and send them across the service-provider network. Customer switches on different sites that send traffic through the service-provider network with 802. When protocol tunneling is enabled. in Figure 13-4. you can still enable Layer 2 protocol tunneling by connecting to the customer switch through access or trunk ports and enabling tunneling on the service-provider access or trunk port. propagating to all switches through the service provider that support VTP.Chapter 13 \Understanding Layer 2 Protocol Tunneling Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling When protocol tunneling is enabled.1Q tunneling is not used. CDP. Bypass mode transparently forwards control PDUs to vendor switches that have different ways of controlling protocol tunneling. Layer 2 protocol data units (PDUs) for CDP. Customer X has four switches in the same VLAN. CDP discovers and shows information about the other Cisco devices connected through the service-provider network. Note To provide interoperability with third-party vendors. remote switches at the receiving end of the service-provider network do not receive the PDUs and cannot properly run STP.1Q tunneling ports. Core switches in the network do not process these packets but forward them as normal packets.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 101821 13-9 .1Q Tunneling and Layer 2 Protocol Tunneling \Understanding Layer 2 Protocol Tunneling Figure 13-4 Layer 2 Protocol Tunneling Customer X Site 1 VLANs 1 to 100 Customer X Site 2 VLANs 1 to 100 VLAN 30 VLAN 30 Trunk ports Switch A Switch B Trunk ports VLAN 40 Service provider VLAN 30 Trunk ports Switch C Switch D Trunk ports VLAN 40 101822 Customer Y Site 1 VLANs 1 to 200 Trunk Asymmetric link Customer Y Site 2 VLANs 1 to 200 Figure 13-5 Layer 2 Network Topology without Proper Convergence Customer X virtual network VLANs 1 to 100 In an SP network. When you enable protocol tunneling (PAgP or LACP) on the SP switch.Chapter 13 Configuring IEEE 802. you can use Layer 2 protocol tunneling to enhance the creation of EtherChannels by emulating a point-to-point network topology. remote customer switches receive the PDUs and can negotiate the automatic creation of EtherChannels.

LACP. it also supports PAgP. Caution PAgP. When the network tunnels PDUs. and trunk ports in the same metro VLAN. switches on the far ends of the network can negotiate the automatic creation of EtherChannels without needing dedicated lines. tunnel ports. the outer tag is the customer metro tag. and UDLD protocol tunneling is only intended to emulate a point-to-point topology. tunnel ports. You can enable Layer 2 protocol tunneling on ports that are configured as access ports. Edge-switch access ports are connected to customer access ports. Figure 13-6 Layer 2 Protocol Tunneling for EtherChannels EtherChannel 1 Customer A Site 1 VLAN 17 VLAN 18 VLAN 19 VLAN 20 Switch B Switch A Service Provider VLAN 17 Switch C VLAN 18 VLAN 19 Switch D VLAN 20 EtherChannel 1 Customer A Site 2 Trunk Asymmetric link Configuring Layer 2 Protocol Tunneling You can enable Layer 2 protocol tunneling (by protocol) on the ports that are connected to the customer in the edge switches of the service-provider network. For emulated point-to-point network topologies.1Q trunk ports.1Q tunneling is enabled. packets are also double-tagged. the switch overwrites the customer PDU-destination MAC address with a well-known Cisco proprietary multicast address (01-00-0c-cd-cd-d0). The switch supports Layer 2 protocol tunneling for CDP. and the inner tag is the customer’s VLAN tag. The core switches ignore the inner tags and forward the packet to all trunk ports in the same metro VLAN. The service-provider edge switches connected to the customer switch perform the tunneling process. The edge switches on the outbound side restore the proper Layer 2 protocol and MAC address information and forward the packets to all Layer 2 protocol-enabled access ports. If 802. LACP. See the “Configuring Layer 2 Tunneling for EtherChannels” section on page 13-14 for instructions. STP. and UDLD protocols. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 13-10 OL-9639-10 101844 . the Layer 2 PDUs remain intact and are delivered across the service-provider infrastructure to the other side of the customer network. in Figure 13-6. Therefore. and VTP.1Q Tunneling and Layer 2 Protocol Tunneling For example.Chapter 13 Configuring Layer 2 Protocol Tunneling Configuring IEEE 802. When the Layer 2 PDUs that entered the service-provider inbound edge switch through a Layer 2 protocol-enabled port exit through the trunk port into the service-provider network. The switch does not support Layer 2 protocol tunneling for LLDP. Customer A has two switches in the same VLAN that are connected through the SP network. The edge switches connected to the customer switch perform the tunneling process. Edge-switch tunnel ports are connected to customer 802. An erroneous configuration that sends tunneled packets to many ports could lead to a network failure. or trunk ports.

VLAN 100). If no CoS value is configured at the interface level. You can also enable Layer 2 protocol tunneling on access ports on the edge switch connected to access or trunk ports on the customer switch. page 13-13 Configuring Layer 2 Tunneling for EtherChannels. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 13-11 . page 13-11 Configuring Layer 2 Protocol Tunneling. as well as an inner VLAN tag (for example. Protocol tunneling is disabled by default but can be enabled for the individual protocols on 802. including multiple STP (MSTP). None set. These double-tagged packets have the metro VLAN tag of 40. and the packet is sent to Customer Y on Site 2 as a single-tagged frame in VLAN 100. In this case. or trunk ports. page 13-11 Layer 2 Protocol Tunneling Configuration Guidelines. access ports. The single tag is the customer-specific access VLAN tag.1Q Tunneling and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling See Figure 13-4. except that the packets are not double-tagged in the service-provider network. When the double-tagged packets enter Switch D.Chapter 13 Configuring IEEE 802. that value is used to set the BPDU CoS value for Layer 2 protocol tunneling. the outer VLAN tag 40 is removed. page 13-14 Default Layer 2 Protocol Tunneling Configuration Table 13-1 shows the default Layer 2 protocol tunneling configuration. with Customer X and Customer Y in access VLANs 30 and 40. STP. Table 13-1 Default Layer 2 Ethernet Interface VLAN Configuration Feature Layer 2 protocol tunneling Shutdown threshold Drop threshold CoS value Default Setting Disabled. The Layer 2 PDUs (for example. the encapsulation and decapsulation process is the same as described in the previous paragraph. Layer 2 Protocol Tunneling Configuration Guidelines These are some configuration guidelines and operating characteristics of Layer 2 protocol tunneling: • The switch supports tunneling of CDP. None set. This does not apply to data traffic. the well-known MAC address is replaced with the respective Layer 2 protocol MAC address. the default value for CoS marking of L2 protocol tunneling BPDUs is 5.1Q tunnel ports. Asymmetric links connect the customers in Site 1 to edge switches in the service-provider network. respectively. If a CoS value is configured on the interface. These sections contain this configuration information: • • • • Default Layer 2 Protocol Tunneling Configuration. BPDUs) coming into Switch B from Customer Y in Site 1 are forwarded to the infrastructure as double-tagged packets with the well-known MAC address as the destination MAC address. and VTP.

or trunk ports. drop threshold for the PDUs generated by the customer network. Bypass mode transparently forwards control PDUs to vendor switches that have different ways of controlling protocol tunneling. the operation is retried after a specified time interval. The spanning-tree instance running on the service-provider network does not forward BPDUs to tunnel ports. the port shuts down. and trunk ports in the same metro VLAN. You can also limit BPDU rate by using QoS ACLs and policy maps on a tunnel port. If the limit is exceeded. If you also enable Layer 2 protocol tunneling on the egress trunk port. If the limit is exceeded. the port drops PDUs until the rate at which it receives them is below the drop threshold. or UDLD packets. you can set a per-protocol. Loopback detection is not supported on Layer 2 protocol tunneling of PAgP. the switch supports a Layer 2 protocol-tunnel bypass feature. you can give PDUs higher priority within the service-provider network than data packets received from the same tunnel port. access ports. When protocol tunneling is enabled on an interface. CDP packets are not forwarded from tunnel ports. LACP. EtherChannel port groups are compatible with tunnel ports when the 802. and the switch forwards control PDUs without any processing or modification. The switch supports PAgP. LACP. By default. If errdisable recovery is enabled. When protocol tunneling is enabled on an interface. Protocol tunneling is disabled by default but can be enabled for the individual protocols on 802. shutdown threshold for the PDUs generated by the customer network. the tunnel port is shut down to prevent loops. you can set a per-protocol. the PDUs use the same CoS value as data packets. • • • • • • • • • • Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 13-12 OL-9639-10 . Because tunneled PDUs (especially STP BPDUs) must be delivered to all remote sites so that the customer virtual network operates properly. this behavior is bypassed.1Q tunnel ports. You can manually re-enable the port (by entering a shutdown and a no shutdown command sequence). For interoperability with third-party vendor switches.1Q configuration is consistent within an EtherChannel port group. we recommend that you also enable UDLD on the interface for faster link-failure detection. The port also shuts down when a configured shutdown threshold for the protocol is reached. per-port. egress trunk ports forward the tunneled packets with a special encapsulation. per-port. access. If an encapsulated PDU (with the proprietary destination MAC address) is received from a tunnel port or access or trunk port with Layer 2 tunneling enabled. and UDLD tunneling for emulated point-to-point network topologies. Only decapsulated PDUs are forwarded to the customer network.When Layer 2 protocol tunneling is enabled on ingress ports on a switch. If you enable PAgP or LACP tunneling.1Q Tunneling and Layer 2 Protocol Tunneling • The edge switches on the outbound side of the service-provider network restore the proper Layer 2 protocol and MAC address information and forward the packets to all Layer 2 protocol-enabled tunnel.Chapter 13 Configuring Layer 2 Protocol Tunneling Configuring IEEE 802.

The range is 1 to 4096. tunneling is enabled for all three Layer 2 protocols. if necessary. the drop-threshold value must be less than or equal to the shutdown-threshold value. the threshold applies to each of the tunneled Layer 2 protocol types. Valid interfaces can be physical interfaces and port-channel logical interfaces (port channels 1 to 48). If no protocol option is specified. l2protocol-tunnel cos value (Optional) Configure the CoS value for all tunneled Layer 2 PDUs. Enter interface configuration mode. configure terminal interface interface-id Step 3 Step 4 no shutdown switchport mode access or switchport mode dot1q-tunnel or switchport mode trunk Step 5 Step 6 l2protocol-tunnel [cdp | stp | vtp] l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] value Enable protocol tunneling for the desired protocol. By default. If you also set a shutdown threshold on this interface. The default is to have no threshold configured. This should be the edge port in the service-provider network that connects to the customer switch. and enter the interface to be configured as a tunnel port. errdisable recovery cause l2ptguard (Optional) Configure the recovery mechanism from a Layer 2 maximum-rate error so that the interface is re-enabled and can try again. Enable the port. the shutdown-threshold value must be greater than or equal to the drop-threshold value. Step 8 Step 9 exit Return to global configuration mode. If none is configured.1Q Tunneling and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling Beginning in privileged EXEC mode.Chapter 13 Configuring IEEE 802. The interface is disabled if the configured threshold is exceeded. Return to privileged EXEC mode. The range is 0 to 7. (Optional) Configure the threshold for packets-per-second accepted for encapsulation. the default is the default CoS value for the interface. Step 10 Step 11 end Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 13-13 . an 802. Step 7 l2protocol-tunnel drop-threshold [cdp | stp | vtp] value (Optional) Configure the threshold for packets-per-second accepted for encapsulation. The interface drops packets if the configured threshold is exceeded. Note If you also set a drop threshold on this interface.1Q tunnel port or a trunk port. and NNIs are enabled. the default is 5. the default time interval is 300 seconds. the threshold applies to each of the tunneled Layer 2 protocol types. If no protocol option is specified. UNIs and ENIs are disabled. If no keyword is entered. Errdisable recovery is disabled by default. follow these steps to configure a port for Layer 2 protocol tunneling: Command Step 1 Step 2 Purpose Enter global configuration mode. The default is to have no threshold configured. Configure the interface as an access port. when enabled. The default switchport mode is access. The range is 1 to 4096.

--------. configure terminal interface interface-id Step 3 Step 4 no shutdown switchport mode dot1q-tunnel Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 13-14 OL-9639-10 . Enable the port. follow these steps to configure a SP edge switch for Layer 2 protocol tunneling for EtherChannels: Command Step 1 Step 2 Purpose Enter global configuration mode. (Optional) Save your entries in the configuration file. UNIs and ENIs are disabled. if necessary. Use the no l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] and the no l2protocol-tunnel drop-threshold [cdp | stp | vtp] commands to return the shutdown and drop thresholds to the default settings.------------. Switch(config)# interface gigatethernet0/1 Switch(config-if)# l2protocol-tunnel cdp Switch(config-if)# l2protocol-tunnel stp Switch(config-if)# l2protocol-tunnel vtp Switch(config-if)# l2protocol-tunnel shutdown-threshold 1500 Switch(config-if)# l2protocol-tunnel drop-threshold 1000 Switch(config-if)# exit Switch(config)# l2protocol-tunnel cos 7 Switch(config)# end Switch# show l2protocol COS for Encapsulated Packets: 7 Port Protocol Shutdown Drop Encapsulation Decapsulation Drop Threshold Threshold Counter Counter Counter -------------. Valid interfaces are physical interfaces. you need to configure both the SP edge switch and the customer switch.1Q tunnel port. including the protocols configured.------------.--------. By default. This example shows how to configure Layer 2 protocol tunneling for CDP. Configuring the SP Edge Switch Beginning in privileged EXEC mode. Configure the interface as an 802. and enter the interface to be configured as a tunnel port.Chapter 13 Configuring Layer 2 Protocol Tunneling Configuring IEEE 802. show l2protocol copy running-config startup-config Use the no l2protocol-tunnel [cdp | stp | vtp] interface configuration command to disable protocol tunneling for one of the Layer 2 protocols or for all three. and VTP and to verify the configuration. the thresholds. This should be the edge port in the SP network that connects to the customer switch.1Q Tunneling and Layer 2 Protocol Tunneling Command Step 12 Step 13 Purpose Display the Layer 2 tunnel ports on the switch. and NNIs are enabled.0 0 0 Configuring Layer 2 Tunneling for EtherChannels To configure Layer 2 point-to-point tunneling to facilitate the creation of EtherChannels.0 0 0 udld ------. and the counters. Enter interface configuration mode. STP.0 0 0 lacp ------.------------Gi 0/1 cdp 1500 1000 2288 2282 0 stp 1500 1000 116 13 0 vtp 1500 1000 3 67 0 pagp ------.

Display the Layer 2 tunnel ports on the switch.1Q Tunneling and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling Command Step 5 Purpose (Optional) Enable point-to-point protocol tunneling for the desired protocol. The range is 0 to 7. including the protocols configured.Chapter 13 Configuring IEEE 802. or UDLD packets. The interface drops packets if the configured threshold is exceeded. Return to privileged EXEC mode. The default is to have no threshold configured. Note If you also set a drop threshold on this interface. (Optional) Save your entries in the configuration file. disable CDP on the interface. The range is 1 to 4096. the default is the default CoS value for the interface. If none is configured. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 13-15 . LACP. Step 6 l2protocol-tunnel shutdown-threshold [point-to-point [pagp | lacp | udld]] value (Optional) Configure the threshold for packets-per-second accepted for encapsulation. the thresholds. and the counters. If the interface is an NNI or ENI. errdisable recovery cause l2ptguard (Optional) Configure the recovery mechanism from a Layer 2 maximum-rate error so that the interface is re-enabled and can try again. If no protocol option is specified. the threshold applies to each of the tunneled Layer 2 protocol types. the shutdown-threshold value must be greater than or equal to the drop-threshold value. the default is 5. Step 8 Step 9 Step 10 Step 11 no cdp enable spanning-tree bpdufilter enable exit If the interface is an NNI. the threshold applies to each of the tunneled Layer 2 protocol types. The range is 1 to 4096. l2protocol-tunnel cos value (Optional) Configure the CoS value for all tunneled Layer 2 PDUs. If no protocol option is specified. Return to global configuration mode. the default time interval is 300 seconds. CDP is disabled by default on ENIs. Step 12 Step 13 Step 14 Step 15 end show l2protocol copy running-config startup-config Use the no l2protocol-tunnel [point-to-point [pagp | lacp | udld]] interface configuration command to disable point-to-point protocol tunneling for one of the Layer 2 protocols or for all three. If no keyword is entered. Note If you also set a shutdown threshold on this interface. UNIs do not support CDP. The interface is disabled if the configured threshold is exceeded. make sure that the network is a point-to-point topology before you enable tunneling for PAgP. Errdisable recovery is disabled by default. Use the no l2protocol-tunnel shutdown-threshold [point-to-point [pagp | lacp | udld]] and the no l2protocol-tunnel drop-threshold [[point-to-point [pagp | lacp | udld]] commands to return the shutdown and drop thresholds to the default settings. the drop-threshold value must be less than or equal to the shutdown-threshold value. UNIs do not support STP PBDU filtering. The default is to have no threshold configured. l2protocol-tunnel point-to-point [pagp | lacp | udld] Caution To avoid a network failure. tunneling is enabled for all three protocols. when enabled. Step 7 l2protocol-tunnel drop-threshold [point-to-point [pagp | lacp | udld]] value (Optional) Configure the threshold for packets-per-second accepted for encapsulation. enable BPDU filtering on the interface.

Chapter 13 Configuring Layer 2 Protocol Tunneling Configuring IEEE 802. and Fast Ethernet interface 3 is a trunk port. Enter the interface configuration mode. the drop threshold is 1000. Enable trunking on the interface. SP edge switch 1 configuration: Switch(config)# interface gigabitethernet0/1 Switch(config-if)# switchport access vlan 17 Switch(config-if)# switchport mode dot1q-tunnel Switch(config-if)# l2protocol-tunnel point-to-point Switch(config-if)# l2protocol-tunnel point-to-point Switch(config-if)# l2protocol-tunnel drop-threshold Switch(config-if)# exit Switch(config)# interface gigabitethernet0/2 Switch(config-if)# switchport access vlan 18 Switch(config-if)# switchport mode dot1q-tunnel Switch(config-if)# l2protocol-tunnel point-to-point pagp udld point-to-point pagp 1000 pagp Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 13-16 OL-9639-10 .1Q Tunneling and Layer 2 Protocol Tunneling Configuring the Customer Switch After configuring the SP edge switch. UNIs and ENIs are disabled and NNIs are enabled. For EtherChannels. Step 7 Step 8 Step 9 Step 10 Step 11 Step 12 Step 13 Use the no switchport mode trunk. and specify desirable for the PAgP mode desirable mode if the interface is an NNI or ENI. “Configuring EtherChannels and Link-State Tracking. and 20 are the access VLANs. Display the Layer 2 tunnel ports on the switch. For more information about configuring EtherChannels. see Chapter 34. including the protocols configured. the thresholds. (See Figure 13-6 on page 13-10. and the counters. By default. and the no channel group channel-group-number mode desirable interface configuration commands to return the interface to the default settings. 18. 19. begin in privileged EXEC mode and follow these steps to configure a customer switch for Layer 2 protocol tunneling for EtherChannels: Command Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Purpose Enter global configuration mode. Return to privileged EXEC mode. configure terminal interface interface-id no shutdown switchport mode trunk udld enable channel-group channel-group-number Assign the interface to a channel group. you need to configure both the SP edge switches and the customer switches for Layer 2 protocol tunneling. Enable UDLD in normal mode on the interface.” exit interface port-channel port-channel number shutdown no shutdown end show l2protocol copy running-config startup-config Return to global configuration mode. Shut down the interface.) This example shows how to configure the SP edge switch 1 and edge switch 2. Enable the interface. Gigabit Ethernet interfaces 1 and 2 are point-to-point tunnel ports with PAgP and UDLD enabled. the no udld enable. (Optional) Save your entries in the configuration file. VLANs 17. This should be the customer switch port. Enable the port. Enter port-channel interface mode. if necessary.

UDLD is enabled.Chapter 13 Configuring IEEE 802. and the port channel is shut down and then enabled to activate the EtherChannel configuration. 2. Switch(config)# interface fastethernet0/1 Switch(config-if)# no shutdown Switch(config-if)# switchport mode trunk Switch(config-if)# udld enable Switch(config-if)# channel-group 1 mode desirable Switch(config-if)# exit Switch(config)# interface fastethernet0/2 Switch(config-if)# no shutdown Switch(config-if)# switchport mode trunk Switch(config-if)# udld enable Switch(config-if)# channel-group 1 mode desirable Switch(config-if)# exit Switch(config)# interface fastethernet0/3 Switch(config-if)# no shutdown Switch(config-if)# switchport mode trunk Switch(config-if)# udld enable Switch(config-if)# channel-group 1 mode desirable Switch(config-if)# exit Switch(config)# interface fastethernet0/4 Switch(config-if)# no shutdown Switch(config-if)# switchport mode trunk Switch(config-if)# udld enable Switch(config-if)# channel-group 1 mode desirable Switch(config-if)# exit Switch(config)# interface port-channel 1 Switch(config-if)# shutdown Switch(config-if)# no shutdown Switch(config-if)# exit Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 13-17 .1Q Tunneling and Layer 2 Protocol Tunneling Configuring Layer 2 Protocol Tunneling Switch(config-if)# l2protocol-tunnel point-to-point udld Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000 Switch(config-if)# exit Switch(config)# interface fastethernet0/3 Switch(config-if)# no shutdown Switch(config-if)# switchport mode trunk SP edge switch 2 configuration: Switch(config)# interface gigabitethernet0/1 Switch(config-if)# switchport access vlan 19 Switch(config-if)# switchport mode dot1q-tunnel Switch(config-if)# l2protocol-tunnel point-to-point Switch(config-if)# l2protocol-tunnel point-to-point Switch(config-if)# l2protocol-tunnel drop-threshold Switch(config-if)# exit Switch(config)# interface gigabitethernet0/2 Switch(config-if)# switchport access vlan 20 Switch(config-if)# switchport mode dot1q-tunnel Switch(config-if)# l2protocol-tunnel point-to-point Switch(config-if)# l2protocol-tunnel point-to-point Switch(config-if)# l2protocol-tunnel drop-threshold Switch(config-if)# exit Switch(config)# interface fastethernet0/3 Switch(config-if)# no shutdown Switch(config-if)# switchport mode trunk pagp udld point-to-point pagp 1000 pagp udld point-to-point pagp 1000 This example shows how to configure the customer switch at Site 1. 3. Fast Ethernet interfaces 1. EtherChannel group 1 is enabled.1Q trunking. and 4 are set for 802.

Verify if a specific interface is a tunnel port. Display only Layer 2 protocol summary information.1Q tunnel ports on the switch. For detailed information about these displays. Display information about a specific Layer 2 protocol tunneling port. Display 802.1Q Tunneling and Layer 2 Protocol Tunneling Monitoring and Maintaining Tunneling and Mapping Status Table 13-2 shows the privileged EXEC commands for monitoring and maintaining 802. see the command reference for this release. Display information about Layer 2 protocol tunneling ports. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 13-18 OL-9639-10 .1Q and Layer 2 protocol tunneling and VLAN mapping. Table 13-2 Commands for Monitoring and Maintaining Tunneling Command clear l2protocol-tunnel counters show dot1q-tunnel show dot1q-tunnel interface interface-id show l2protocol-tunnel show errdisable recovery show l2protocol-tunnel interface interface-id show l2protocol-tunnel summary show vlan dot1q tag native Purpose Clear the protocol counters on Layer 2 protocol tunneling ports. Verify if the recovery timer from a Layer 2 protocol-tunnel error disable state is enabled.Chapter 13 Monitoring and Maintaining Tunneling and Mapping Status Configuring IEEE 802. Display the status of native VLAN tagging on the switch.

see the command reference for this release.” Note For complete syntax and usage information for the commands used in this chapter. on enhanced network interfaces (ENIs).CH A P T E R 14 Configuring STP This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the Cisco ME 3400 Ethernet Access switch.” For information about other spanning-tree features such as Port Fast. page 14-2 Spanning-Tree Topology and BPDUs. page 14-8 Spanning-Tree Address Management. It is disabled by default. and so forth. page 14-3 Bridge ID. page 14-1 Configuring Spanning-Tree Features. The switch can use the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802. “Configuring MSTP. see Chapter 16. page 14-23 Understanding Spanning-Tree Features • • • • • • • • STP Overview. page 14-11 Displaying the Spanning-Tree Status. On the Cisco ME switch. page 14-9 Accelerated Aging to Retain Connectivity. or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802. page 14-4 Spanning-Tree Interface States.1D standard and Cisco proprietary extensions. page 14-4 How a Switch or Port Becomes the Root Switch or Root Port. page 14-7 Spanning Tree and Redundant Connectivity. Switch Priority. UNIs and ENIs on which STP is not enabled immediately forward traffic when they are brought up. and Extended System ID. STP is enabled by default on network node interfaces (NNIs). For information about the Multiple Spanning Tree Protocol (MSTP) and how to map multiple VLANs to the same spanning-tree instance. page 14-9 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 14-1 . “Configuring Optional Spanning-Tree Features. see Chapter 15.1w standard. but can be enabled. root guard. User network interfaces (UNIs) on the switch do not participate in STP. This chapter consists of these sections: • • • Understanding Spanning-Tree Features.

page 14-9 Supported Spanning-Tree Instances. only one active path can exist between any two stations. In this overview.Chapter 14 Understanding Spanning-Tree Features Configuring STP • • • • Spanning-Tree Modes and Protocols. The spanning-tree port priority value represents the location of a port in the network topology and how well it is located to pass traffic. page 14-10 STP and IEEE 802. end stations might receive duplicate messages. called bridge protocol data units (BPDUs). port priority. page 14-11 For configuration information. “Configuring Optional Spanning-Tree Features. The switches do not forward these frames but use them to construct a loop-free path. Spanning tree forces redundant data paths into a standby (blocked) state. Spanning-tree operation is transparent to end stations. Active UNIs and ENIs on which STP is not enabled are always in the forwarding state. When two ports on a switch are part of a loop. the spanning-tree algorithm recalculates the spanning-tree topology and activates the standby path. The switch that has at least one of its ports in the designated role is called the designated switch. The algorithm calculates the best loop-free path through a switched Layer 2 network by assigning a role to each port based on the role of the port in the active topology: • • • • Root—A forwarding port elected for the spanning-tree topology Designated—A forwarding port elected for every switched LAN segment Alternate—A blocked port providing an alternate path to the root bridge in the spanning tree Backup—A blocked port in a loopback configuration Note On the Cisco ME 3400 switch. If a loop exists in the network. For information about optional spanning-tree features. see the “Configuring Spanning-Tree Features” section on page 14-11.1Q Trunks. Switches send and receive spanning-tree frames. Switches might also learn end-station MAC addresses on multiple Layer 2 interfaces. Spanning tree uses this information to elect the root switch and root port for the switched network and the root port and designated port for each switched segment. see Chapter 16. These conditions result in an unstable network. only NNIs and ENIs on which STP has been enabled participate in STP. The STP uses a spanning-tree algorithm to select one switch of a redundantly connected network as the root of the spanning tree. Multiple active paths among end stations cause loops in the network. switch priority. including switch and MAC addresses. STP ports can be any interfaces on other switches. For a Layer 2 Ethernet network to function properly. but only NNIs or STP-enabled ENIs on a Cisco ME switch. The switch that has all of its ports as the designated role or the backup role is the root switch. page 14-10 Spanning-Tree Interoperability and Backward Compatibility. The path cost value represents the media speed. which cannot detect whether they are connected to a single LAN segment or a switched LAN of multiple segments. and path cost. If a network segment in the spanning tree fails and a redundant path exists.” STP Overview STP is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 14-2 OL-9639-10 . at regular intervals. BPDUs contain information about the sending switch and its ports. the spanning-tree port priority and path cost settings control which port is put in the forwarding state and which is put in the blocking state.

If this BPDU is received on the root port of the switch. only through the STP-enabled ports. the switch also forwards it with an updated message to all attached LANs for which it is the designated switch. Each configuration BPDU contains this information: • • • • • • The unique bridge ID of the switch that the sending switch identifies as the root switch The spanning-tree path cost to the root The bridge ID of the sending switch Message age The identifier of the sending interface Values for the hello. A BPDU exchange results in these actions: • One switch in the network is elected as the root switch (the logical center of the spanning-tree topology in a switched network). If all switches are configured with the default priority (32768). and superior information is propagated on the network. The spanning-tree path cost to the root switch. or on the Cisco ME switch. it sends that LAN a BPDU containing the up-to-date information stored for that port. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 14-3 . and max-age protocol timers When a switch receives a configuration BPDU that contains superior information (lower bridge ID. This port provides the best path (lowest cost) when the switch forwards packets to the root switch. each functions as the root switch. Spanning-Tree Topology and BPDUs The stable. If the switch is a designated switch for the LAN from which the inferior BPDU was received.Chapter 14 Configuring STP Understanding Spanning-Tree Features Note The switch sends keepalive messages (to ensure the connection is up) only on interfaces that do not have small form-factor pluggable (SFP) modules. inferior information is discarded. For each VLAN. it discards the BPDU. forward delay. Each switch sends a configuration BPDU through all of its ports. it stores the information for that port. If a switch receives a configuration BPDU that contains inferior information to that currently stored for that port. When the switches in a network are powered up. and so forth). The port identifier (port priority and MAC address) associated with each Layer 2 STP-enabled interface. In this way. active spanning-tree topology of a switched network is controlled by these elements: • • • The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch. as shown in Table 14-1 on page 14-4. the switch with the lowest MAC address in the VLAN becomes the root switch. The BPDUs communicate and compute the spanning-tree topology. the switch with the highest switch priority (the lowest numerical priority value) is elected as the root switch. lower path cost. • A root port is selected for each switch (except the root switch). The switch priority value occupies the most significant bits of the bridge ID.

For more information. When an STP port transitions directly from nonparticipation in the spanning-tree topology to the forwarding state. a lower value increases the probability. all while maintaining the uniqueness of the bridge ID. you change the probability that the switch will be elected as the root switch. the same switch must have as many different bridge IDs as VLANs configured on it. As shown in Table 14-1. and some of the bits previously used for the switch priority are now used as the VLAN identifier. They must allow the frame lifetime to expire for forwarded frames that have used the old topology. The port through which the designated switch is attached to the LAN is called the designated port. topology changes can take place at different times and at different places in a switched network. and the “Configuring the Switch Priority of a VLAN” section on page 14-20. see the “Configuring the Root Switch” section on page 14-15. As a result. For example. the two bytes previously used for the switch priority are reallocated into a 4-bit priority value and a 12-bit extended system ID value equal to the VLAN ID. Spanning-Tree Interface States Propagation delays can occur when protocol information passes through a switched LAN. Interfaces must wait for new topology information to propagate through the switched LAN before starting to forward frames. Configuring a higher value decreases the probability. the “Configuring a Secondary Root Switch” section on page 14-17. A designated switch for each LAN segment is selected. Table 14-1 Switch Priority Value and Extended System ID Switch Priority Value Bit 16 32768 Bit 15 16384 Bit 14 8192 Bit 13 4096 Extended System ID (Set Equal to the VLAN ID) Bit 12 2048 Bit 11 1024 Bit 10 512 Bit 9 256 Bit 8 128 Bit 7 64 Bit 6 32 Bit 5 16 Bit 4 8 Bit 3 4 Bit 2 2 Bit 1 1 Spanning tree uses the extended system ID. Each VLAN on the switch has a unique 8-byte bridge ID. Because each VLAN is considered as a different logical bridge with PVST+ and rapid PVST+. the switch priority. The designated switch incurs the lowest path cost when forwarding packets from that LAN to the root switch. All paths that are not needed to reach the root switch from anywhere in the switched network are placed in the spanning-tree blocking mode. which controls the selection of the root switch. and Extended System ID The IEEE 802. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 14-4 OL-9639-10 . The switch supports the IEEE 802. and the switch priority of a VLAN. The two most-significant bytes are used for the switch priority. and the remaining six bytes are derived from the switch MAC address. it can create temporary data loops. the secondary root switch.1t spanning-tree extensions.1D standard requires that each switch has an unique bridge identifier (bridge ID). when you change the switch priority value. Bridge ID. For the Cisco ME switch. Switch Priority. and a larger range of VLAN IDs can be supported. The result is that fewer MAC addresses are reserved for the switch.Chapter 14 Understanding Spanning-Tree Features Configuring STP • • The shortest distance to the root switch is calculated for each switch based on the path cost. this only applies to NNIs or to ENIs on which STP has been specifically enabled. Support for the extended system ID affects how you manually configure the root switch. and the allocated spanning-tree MAC address to make the bridge ID unique for each VLAN.

Spanning tree stabilizes each interface at the forwarding or blocking state. ENIs in the default STP mode (disabled) are also in forwarding state. Disabled—The interface is not participating in spanning tree because of a shutdown port. and every NNI in the Cisco ME switch (and every ENI on which STP has been enabled). spanning tree is enabled by default. Figure 14-1 Spanning-Tree Interface States Power-on initialization Blocking state Listening state Learning state Forwarding state Disabled state When you power up the switch. Listening—The first transitional state after the blocking state when the spanning tree determines that the interface should participate in frame forwarding. Forwarding—The interface forwards frames. no link on the port. or no spanning-tree instance running on the port. Note On a Cisco ME switch. goes through the blocking state and the transitory states of listening and learning. as well as any other port in other switches in the VLAN or network that are participating in spanning tree. A port participating in spanning tree moves through these states: • • • • • From initialization to blocking From blocking to listening or to disabled From listening to learning or to disabled From learning to forwarding or to disabled From forwarding to disabled Figure 14-1 illustrates how an interface moves through the states.Chapter 14 Configuring STP Understanding Spanning-Tree Features Each Layer 2 interface on a switch using spanning tree exists in one of these states: • • • • • Blocking—The interface does not participate in frame forwarding. UNIs are always in the forwarding state. Learning—The interface prepares to participate in frame forwarding. but you can enable STP on an ENI. 43569 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 14-5 .

If there is only one switch in the network. When the forward-delay timer expires.Chapter 14 Understanding Spanning-Tree Features Configuring STP Note UNIs are shut down by default. where both learning and frame forwarding are enabled. This exchange establishes which switch in the network is the root or root switch. or to each switch STP port. 3. After initialization. and the interface moves to the listening state. this process occurs: 1. 4. spanning tree moves the interface to the forwarding state. An interface participating in spanning tree always enters the blocking state after switch initialization. A switch initially functions as the root until it exchanges BPDUs with other switches. a BPDU is sent to each switch interface. While spanning tree waits the forward-delay timer to expire. they immediately start forwarding traffic. ENIs act the same as UNIs unless you have specifically enabled STP on the port. Blocking State A Layer 2 interface in the blocking state does not participate in frame forwarding. An interface in the blocking state performs these functions: • • • • Discards frames received on the interface Discards frames switched from another interface for forwarding Does not learn addresses Receives BPDUs Listening State The listening state is the first state a Layer 2 interface enters after the blocking state. The interface enters this state when the spanning tree decides that the interface should participate in frame forwarding. In the learning state. An interface in the listening state performs these functions: • • • • Discards frames received on the interface Discards frames switched from another interface for forwarding Does not learn addresses Receives BPDUs Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 14-6 OL-9639-10 . 2. When the spanning-tree algorithm places a Layer 2 spanning-tree interface in the forwarding state. the forward-delay timer expires. and when they are brought up. it moves the interface to the learning state and resets the forward-delay timer. the interface continues to block frame forwarding as the switch learns end-station location information for the forwarding database. no exchange occurs. The interface is in the listening state while spanning tree waits for protocol information to transition the interface to the blocking state.

An interface in the forwarding state performs these functions: • • • • Receives and forwards frames received on the interface Forwards frames switched from another interface Learns addresses Receives BPDUs Disabled State A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree.Chapter 14 Configuring STP Understanding Spanning-Tree Features Learning State A Layer 2 interface in the learning state prepares to participate in frame forwarding. A disabled interface performs these functions: • • • • Discards frames received on the interface Discards frames switched from another interface for forwarding Does not learn addresses Does not receive BPDUs How a Switch or Port Becomes the Root Switch or Root Port If all switches in a network are enabled with default spanning-tree settings. you force a spanning-tree recalculation to form a new topology with the ideal switch as the root. By increasing the priority (lowering the numerical value) of the ideal switch so that it becomes the root switch. However. Switch A might not be the ideal root switch. Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768) and Switch A has the lowest MAC address. because of traffic patterns. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 14-7 . or link types. In Figure 14-2. the switch with the lowest MAC address becomes the root switch. The interface enters the forwarding state from the learning state. number of forwarding interfaces. An interface in the learning state performs these functions: • • • • Discards frames received on the interface Discards frames switched from another interface for forwarding Learns addresses Receives BPDUs Forwarding State A Layer 2 interface in the forwarding state forwards frames. The interface enters the learning state from the listening state. An interface in the disabled state is nonoperational.

For instance. assume that one port on Switch B is a Gigabit Ethernet link and that another port on Switch B (a 10/100 link) is the root port. If one link is high-speed and the other is low-speed. “Configuring EtherChannels and Link-State Tracking. By changing the spanning-tree port priority on the Gigabit Ethernet port to a higher priority (lower numerical value) than the root port. For example. see Chapter 34. Spanning Tree and Redundant Connectivity You can create a redundant backbone with spanning tree by connecting two switch interfaces that are participating in spanning tree to another device or to two different devices.” Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 14-8 101226 Active link Blocked link OL-9639-10 . For more information. and spanning tree disables the link with the lowest value. Spanning tree automatically disables one interface but enables it if the other one fails. Figure 14-3 Spanning Tree and Redundant Connectivity Workstations You can also create redundant links between switches by using EtherChannel groups. the low-speed link is always disabled.Chapter 14 Understanding Spanning-Tree Features Configuring STP Figure 14-2 Spanning-Tree Topology DP DP DP RP B RP = Root Port DP = Designated Port RP C A DP RP DP 86475 D When the spanning-tree topology is calculated based on default parameters. the path between source and destination end stations in a switched network might not be ideal. The goal is to make the fastest link the root port. the Gigabit Ethernet port becomes the new root port. Network traffic might be more efficient over the Gigabit Ethernet link. the port priority and port ID are added together. as shown in Figure 14-3. connecting higher-speed links to an interface that has a higher number than the root port can cause a root-port change. If the speeds are the same.

It is the default spanning-tree mode used on most Ethernet port-based VLANs. The accelerated aging is the same as the forward-delay parameter value (spanning-tree vlan vlan-id forward-time seconds global configuration command) when the spanning tree reconfigures. the switch accelerates aging on a per-VLAN basis. The PVST+ runs on each VLAN on the switch up to the maximum supported. • Rapid PVST+—This spanning-tree mode is the same as PVST+ except that is uses a rapid convergence based on the IEEE 802. this process ensures that the network topology is maintained. Rapid PVST+ is compatible with PVST+. ranging from 0x00180C2000000 to 0x0180C2000010.1w standard. the CPU on the switch receives packets destined for 0x0180C2000000 and 0x0180C2000010. the address-aging time is accelerated so that station addresses can be dropped from the address table and then relearned. If spanning tree is disabled. the rapid PVST+ immediately deletes dynamically learned MAC address entries on a per-port basis upon receiving a topology change. You can create different logical topologies by using the VLANs on your network to ensure that all of your links are used but that no one link is oversubscribed. to be used by different bridge protocols. each switch receives but does not forward packets destined for addresses between 0x0180C2000000 and 0x0180C200000F. If spanning tree is enabled.1D standard and Cisco proprietary extensions. However. This is the default spanning-tree mode for the Cisco ME switch NNIs. To provide rapid convergence. Because these stations could be unreachable for 5 minutes or more during a reconfiguration. The PVST+ provides Layer 2 load balancing for the VLAN on which it runs. the default setting of the mac address-table aging-time global configuration command. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 14-9 . ensuring that each has a loop-free path through the network. Because each switch has the same information about the network. Accelerated Aging to Retain Connectivity The default for aging dynamic addresses is 5 minutes. the switch forwards those packets as unknown multicast addresses. Regardless of the spanning-tree state. These addresses are static addresses that cannot be removed. This root switch propagates the spanning-tree information associated with that VLAN to all other switches in the network.Chapter 14 Configuring STP Understanding Spanning-Tree Features Spanning-Tree Address Management IEEE 802. Each instance of PVST+ on a VLAN has a single root switch.1D specifies 17 multicast addresses. Spanning-Tree Modes and Protocols The switch NNIs and ENIs with STP enabled support these spanning-tree modes and protocols: • PVST+—This spanning-tree mode is based on the IEEE 802. By contrast. PVST+ uses a short aging time for dynamically learned MAC address entries. Because each VLAN is a separate spanning-tree instance. a spanning-tree reconfiguration can cause many station locations to change. Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch. A spanning-tree reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging.

the root switch must be a PVST+ switch. In the PVST+ instances. which reduces the number of spanning-tree instances required to support a large number of VLANs. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 14-10 OL-9639-10 .Chapter 14 Understanding Spanning-Tree Features Configuring STP The rapid PVST+ uses the same configuration as PVST+ (except where noted). and the switch needs only minimal extra configuration. The number of VLANs that can be mapped to a particular MST instance is unlimited. The most common initial deployment of MSTP is in the backbone and distribution layers of a Layer 2 switched network. You can map multiple VLANs to the same spanning-tree instance. The benefit of rapid PVST+ is that you can migrate a large PVST+ install base to rapid PVST+ without having to learn the complexities of the MSTP configuration and without having to reprovision your network. the common spanning-tree (CST) root must be inside the MST backbone.1w). Table 14-2 PVST+. each VLAN runs its own spanning-tree instance up to the maximum supported. see the next section. the root switch must be a rapid-PVST+ switch. The PVST+ switches should be at the edge of the network.” For information about the number of supported spanning-tree instances. Supported Spanning-Tree Instances In PVST+ or rapid-PVST+ mode. Spanning-Tree Interoperability and Backward Compatibility Table 14-2 lists the interoperability and compatibility among the supported spanning-tree modes in a network. The MSTP runs on top of the RSTP (based on IEEE 802.1s standard. “Configuring MSTP. we recommend that the rapid-PVST+ switches and PVST+ switches be configured for different spanning-tree instances. When a network contains switches running rapid PVST+ and switches running PVST+. In rapid-PVST+ mode. and a PVST+ switch cannot connect to multiple MST regions. For more information. MSTP . In MSTP mode. and Rapid-PVST+ Interoperability PVST+ PVST+ MSTP Rapid PVST+ Yes Yes (with restrictions) Yes (reverts to PVST+) MSTP Yes (with restrictions) Yes Yes (reverts to PVST+) Rapid PVST+ Yes (reverts to PVST+) Yes (reverts to PVST+) Yes In a mixed MSTP and PVST+ network. which provides for rapid convergence of the spanning tree by eliminating the forward delay and by quickly transitioning root ports and designated ports to the forwarding state. the switch supports up to 65 MST instances. see Chapter 15. the switch supports up to 128 spanning-tree instances. In the rapid-PVST+ spanning-tree instances. You cannot run MSTP without RSTP. • MSTP—This spanning-tree mode is based on the IEEE 802.

all PVST+ or rapid-PVST+ information is maintained by Cisco switches separated by a cloud of non-Cisco 802.” Configuring Spanning-Tree Features • • • • • • • • • • Default Spanning-Tree Configuration.1Q trunks. However.Chapter 14 Configuring STP Configuring Spanning-Tree Features STP and IEEE 802. and no user configuration is required.1Q switches. the switches maintain one spanning-tree instance for each VLAN allowed on the trunks. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 14-11 . If rapid PVST+ is enabled. page 14-15 (optional) Configuring a Secondary Root Switch. page 14-17 (optional) Configuring Path Cost. in a network of Cisco switches connected through IEEE 802. page 14-19 (optional) Configuring the Switch Priority of a VLAN. The switch combines the spanning-tree instance of the IEEE 802. page 14-20 (optional) Configuring Spanning-Tree Timers.1Q Trunks The IEEE 802. However.1Q standard for VLAN trunks imposes some limitations on the spanning-tree strategy for a network. PVST+ is automatically enabled on IEEE 802.1Q cloud separating the Cisco switches is treated as a single trunk link between the switches. The external spanning-tree behavior on access ports is not affected by PVST+. The non-Cisco 802. For more information on IEEE 802.1Q trunk. page 14-15 (optional) Configuring the Root Switch.1Q VLAN of the trunk with the spanning-tree instance of the non-Cisco 802.1Q trunks. page 14-21 (optional) Default Spanning-Tree Configuration Table 14-3 shows the default spanning-tree configuration. The standard requires only one spanning-tree instance for all VLANs allowed on the trunks. see Chapter 11. “Configuring VLANs.1Q trunks. When you connect a Cisco switch to a non-Cisco device through an IEEE 802. page 14-12 Enabling Spanning Tree on an ENI. the Cisco switch uses PVST+ to provide spanning-tree interoperability. page 14-13 (required) Disabling Spanning Tree. the switch uses it instead of PVST+.1Q switch. page 14-17 (optional) Configuring Port Priority. page 14-11 Spanning-Tree Configuration Guidelines.

1000 Mbps: 4. “Configuring MSTP. Spanning-tree VLAN port priority (configurable on a per-VLAN 128. However. Spanning-Tree Configuration Guidelines If more VLANs are defined than there are spanning-tree instances. For more information. Therefore.” If 128 instances of spanning tree are already in use. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 14-12 OL-9639-10 . basis) Spanning-tree VLAN port cost (configurable on a per-VLAN basis) 1000 Mbps: 4. 100 Mbps: 19. see Chapter 15. and use the spanning-tree vlan vlan-id global configuration command to enable spanning tree on the desired VLAN. Switch priority Spanning-tree port cost (configurable on a per-interface basis) 32768. However. Caution Switches that are not running spanning tree still forward BPDUs that they receive so that the other switches on the VLAN that have a running spanning-tree instance can break loops. for example. see the “Supported Spanning-Tree Instances” section on page 14-10. Spanning-tree timers Hello time: 2 seconds. an incautious change to the network that introduces another loop into the VLAN can result in a broadcast storm. if you are running spanning tree only on a minimal set of switches. MSTP is disabled. 100 Mbps: 19. Spanning-tree port priority (configurable on a per-interface basis) 128. The remaining VLANs operate with spanning tree disabled. It is not absolutely necessary to run spanning tree on all switches in the VLAN. Maximum-aging time: 20 seconds. Spanning-tree mode Rapid PVST+ Rapid PVST+ interoperates with PVST and PVST+. spanning tree must be running on enough switches to break all the loops in the network. (Not supported on UNIs) For more information. you can disable spanning tree on STP ports in one of the VLANs and then enable it on the VLAN where you want it to run.Chapter 14 Configuring Spanning-Tree Features Configuring STP Table 14-3 Default Spanning-Tree Configuration Feature Enable state Default Setting Enabled on NNIs in VLAN 1. Forward-delay time: 15 seconds. Disabled on ENIs. 10 Mbps: 100. you can enable PVST+ or rapid PVST+ on STP ports s in only 128 VLANs on the switch. Use the no spanning-tree vlan vlan-id global configuration command to disable spanning tree on a specific VLAN. 10 Mbps: 100. you can map multiple VLANs to the same spanning-tree instances by using MSTP. at least one switch on each loop in the VLAN must be running spanning tree.

By default. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 14-13 .) For information about the different spanning-tree modes and how they interoperate. adding another VLAN creates a VLAN that is not running spanning tree on that switch. these parameters are applied when the spanning-tree instance is created. Verify your entries. You can configure switch and port parameters before a spanning-tree instance is created. The spanning-tree instance is removed when the last port is moved to another VLAN. Setting up allowed lists is not necessary in many cases and can make it more labor-intensive to add another VLAN to the network. Enabling Spanning Tree on an ENI By default. all VLANs run PVST+. We recommend that each end of the link has a directly connected device that is running STP. follow these steps to enable spanning tree an ENI: Command Step 1 Step 2 Step 3 Step 4 Step 5 Purpose Enter global configuration mode. To disable spanning tree on an ENI. if necessary. You can prevent this possibility by setting up allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances. particularly if there are several adjacent switches that have all run out of spanning-tree instances. Note configure terminal interface interface-id no shutdown port-type eni spanning-tree This command is visible only on ENIs. and enter interface configuration mode. Depending on the topology of the network. the new VLAN is carried on all trunk ports. The switch supports PVST+. spanning tree is enabled on all NNIs on the switch and disabled on ENIs. Spanning-tree commands control the configuration of VLAN spanning-tree instances. Step 6 Step 7 Step 8 end show spanning-tree interface interface-id copy running-config startup-config Return to privileged EXEC mode.Chapter 14 Configuring STP Configuring Spanning-Tree Features If you have already used all available spanning-tree instances on your switch. enter the no spanning-tree interface command. Caution Loop guard works only on point-to-point links. rapid PVST+. or all VLANs run MSTP. see the “Spanning-Tree Interoperability and Backward Compatibility” section on page 14-10. The interface will belong to the switch spanning tree instance along with NNIs in the VLAN. Beginning in privileged EXEC mode. this could create a loop in the new VLAN that will not be broken. all VLANs run rapid PVST+. Specify a UNI or ENI interface to configure. and MSTP. Enable spanning tree on the interface. (Optional) Save your entries in the configuration file. Configure the port as an ENI (if not already configured). (For example. Enable the port. but only one version can be active at any time. You create a spanning-tree instance when you assign an STP port (an NNI or ENI with STP enabled) to a VLAN. If you have the default allowed list on the trunk ports of that switch. UNIs and ENIs are disabled.

(Recommended only for rapid-PVST+ mode) If any port on the switch running spanning tree is connected to a port on a legacy IEEE 802. VLANs. For more configuration steps. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 14-14 OL-9639-10 . Step 3 interface interface-id (Recommended only for rapid-PVST+ mode) Specify an STP port to configure. Step 7 show spanning-tree summary and show spanning-tree interface interface-id Verify your entries. This step is optional if the designated switch detects that this switch is running rapid PVST+. all members of the port channel must be NNIs or ENIs with spanning tree enabled. this procedure is required. If the interface is a port channel.Chapter 14 Configuring Spanning-Tree Features Configuring STP Changing the Spanning-Tree Mode. The switch supports three spanning-tree modes: PVST+. Configure a spanning-tree mode on STP ports on the switch. • • • configure terminal spanning-tree mode {pvst | mst | rapid-pvst} Select pvst to enable PVST+. Command Step 1 Step 2 Purpose Enter global configuration mode. “Configuring MSTP. The port-channel range is 1 to 48. the switch negotiates with the remote port and rapidly changes the local port to the forwarding state. you must enter the port-type nni interface configuration command or configure the port as an ENI and enable spanning tree on the port. rapid PVST+. The VLAN ID range is 1 to 4094. If the interface is a VLAN. and enter interface configuration mode. and NNI or ENI port channels. Valid interfaces include physical NNIs or ENIs with spanning tree enabled. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. see Chapter 15. Note If a physical interface is a UNI. restart the protocol migration process on the entire switch.” Select rapid-pvst to enable rapid PVST+ (the default setting). or MSTP. follow these steps to change the spanning-tree mode. By default. Step 4 spanning-tree link-type point-to-point (Recommended only for rapid-PVST+ mode) Specify that the link type for this port is point-to-point. only ports with spanning tree enabled in the VLAN will run spanning tree.1D switch. If you want to enable a mode that is different from the default mode. If you connect this port to a remote port through a point-to-point link and the local port becomes a designated port. See “Enabling Spanning Tree on an ENI” section on page 14-13. Select mst to enable MSTP (and RSTP). Beginning in privileged EXEC mode. the switch runs the rapid PVST+ protocol on all NNIs and ENIs on which spanning tree is enabled. Step 5 Step 6 end clear spanning-tree detected-protocols Return to privileged EXEC mode. before attempting to configure it as a spanning-tree link.

(4096 is the value of the least-significant bit of a 4-bit switch priority value as shown in Table 14-1 on page 14-4. use the spanning-tree vlan vlan-id root global configuration command to modify the switch priority from the default value (32768) to a significantly lower value. (Optional) Save your entries in the configuration file. use the no spanning-tree mode global configuration command.) Note The spanning-tree vlan vlan-id root global configuration command fails if the value necessary to be the root switch is less than 1. A bridge ID. the switch sets its own priority for the specified VLAN to 4096 less than the lowest switch priority. configure terminal no spanning-tree vlan vlan-id end show spanning-tree vlan vlan-id copy running-config startup-config To re-enable spanning-tree. use the no spanning-tree link-type interface configuration command. When you enter this command. use the spanning-tree vlan vlan-id global configuration command. the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN. Configuring the Root Switch The switch maintains a separate spanning-tree instance for each active VLAN configured on it. the software checks the switch priority of the root switches for each VLAN. Because of the extended system ID support. Spanning tree is disabled on ENIs on the switch but can be enabled on a per-interface basis. This procedure is optional.Chapter 14 Configuring STP Configuring Spanning-Tree Features To return to the default setting. If any root switch for the specified VLAN has a switch priority lower than 24576. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 14-15 . Return to privileged EXEC mode. To return the port to its default spanning-tree mode setting. Caution When spanning tree is disabled and loops are present in the topology. is associated with each instance. the range is 1 to 4094. For vlan-id. Beginning in privileged EXEC mode. To configure a switch to become the root for the specified VLAN. Command Step 1 Step 2 Step 3 Step 4 Step 5 Purpose Enter global configuration mode. Disabling Spanning Tree Spanning tree is enabled by default on all NNIs in VLAN 1 and in all newly created VLANs up to the spanning-tree limit specified in the “Supported Spanning-Tree Instances” section on page 14-10. Verify your entries. follow these steps to disable spanning-tree on a per-VLAN basis. For each VLAN. the switch with the lowest bridge ID becomes the root switch for that VLAN. excessive traffic and indefinite packet duplication can drastically reduce network performance. consisting of the switch priority and the switch MAC address. Disable spanning tree only if you are sure there are no loops in the network topology.

a range of VLANs separated by a hyphen. which can significantly reduce the convergence time. follow these steps to configure a switch to become the root for the specified VLAN. • • Step 3 Step 4 Step 5 end show spanning-tree detail copy running-config startup-config Return to privileged EXEC mode. it is unlikely that the switch with the extended system ID support will become the root switch. specify the interval in seconds between the generation of configuration messages by the root switch. Note The root switch for each spanning-tree instance should be a backbone or distribution switch. Note After configuring the switch as the root switch. we recommend that you avoid manually configuring the hello time. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 14-16 OL-9639-10 . the switch automatically sets an optimal hello time. Beginning in privileged EXEC mode. Verify your entries. forward-delay time. and maximum-age time through the spanning-tree vlan vlan-id hello-time. Use the diameter keyword to specify the Layer 2 network diameter (that is. specify the maximum number of switches between any two end stations. • configure terminal spanning-tree vlan vlan-id root primary [diameter net-diameter [hello-time seconds]] For vlan-id. The range is 1 to 10. When you specify the network diameter. and the spanning-tree vlan vlan-id max-age global configuration commands. (Optional) For diameter net-diameter.Chapter 14 Configuring Spanning-Tree Features Configuring STP If your network consists of switches that both do and do not support the extended system ID. the default is 2. This procedure is optional. use the no spanning-tree vlan vlan-id root global configuration command. The range is 1 to 4094. The range is 2 to 7. The extended system ID increases the switch priority value every time the VLAN number is greater than the priority of the connected switches running older software. and maximum-age time for a network of that diameter. Command Step 1 Step 2 Purpose Enter global configuration mode. To return to the default setting. Configure a switch to become the root for the specified VLAN. (Optional) For hello-time seconds. You can use the hello keyword to override the automatically calculated hello time. forward-delay time. spanning-tree vlan vlan-id forward-time. you can specify a single VLAN identified by VLAN ID number. the maximum number of switch hops between any two end stations in the Layer 2 network). or a series of VLANs separated by a comma. Do not configure an access switch as the spanning-tree primary root. (Optional) Save your entries in the configuration file.

you can specify a single VLAN identified by VLAN ID number. Verify your entries. The range is 1 to 10. (Optional) Save your entries in the configuration file. a range of VLANs separated by a hyphen. the switch priority is modified from the default value (32768) to 28672. Configuring Port Priority If a loop occurs. • configure terminal spanning-tree vlan vlan-id root secondary [diameter net-diameter [hello-time seconds]] For vlan-id. To return to the default setting. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree vlan vlan-id root primary global configuration command. (Optional) For hello-time seconds. The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails.Chapter 14 Configuring STP Configuring Spanning-Tree Features Configuring a Secondary Root Switch When you configure a switch as the secondary root. follow these steps to configure a switch to become the secondary root for the specified VLAN. This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch. You can execute this command on more than one switch to configure multiple backup root switches. or a series of VLANs separated by a comma. Step 3 Step 4 Step 5 end show spanning-tree detail copy running-config startup-config Return to privileged EXEC mode. Beginning in privileged EXEC mode. Configure a switch to become the secondary root for the specified VLAN. This procedure is optional. The range is 2 to 7. the default is 2. specify the interval in seconds between the generation of configuration messages by the root switch. • • Use the same network diameter and hello-time values that you used when configuring the primary root switch. (Optional) For diameter net-diameter. You can assign higher priority values (lower numerical values) to ports that you want selected first and lower priority values (higher numerical values) to ones that you want selected last. If all spanning-tree ports have the same priority value. See the “Configuring the Root Switch” section on page 14-15. The range is 1 to 4094. spanning tree puts the port with the lowest interface number in the forwarding state and blocks the other interfaces. specify the maximum number of switches between any two end stations. use the no spanning-tree vlan vlan-id root global configuration command. Command Step 1 Step 2 Purpose Enter global configuration mode. spanning tree uses the port priority when selecting a spanning-tree port to put into the forwarding state. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 14-17 .

If the interface is a port channel. and 240. See “Enabling Spanning Tree on an ENI” section on page 14-13. The range is 1 to 4094. 80. 176. If the interface is a VLAN. 16. The lower the number. follow these steps to configure the port priority of a spanning-tree port. or a series of VLANs separated by a comma. 96. • Step 5 Step 6 end show spanning-tree interface interface-id or show spanning-tree vlan vlan-id Return to privileged EXEC mode. Otherwise. in increments of 16. 224. 224. the higher the priority. the higher the priority. a range of VLANs separated by a hyphen. 64. All other values are rejected. 112. Note The show spanning-tree interface interface-id privileged EXEC command displays information only if the port is in a link-up operative state. 32. in increments of 16. For priority. 64. The lower the number. Step 3 spanning-tree port-priority priority Configure the port priority for the spanning-tree port. 160. This procedure is optional. Note configure terminal interface interface-id If a physical interface is a UNI. and enter interface configuration mode. you can use the show running-config interface privileged EXEC command to confirm the configuration.Chapter 14 Configuring Spanning-Tree Features Configuring STP Beginning in privileged EXEC mode. the default is 128. Valid values are 0. Specify an interface to configure. 144. all members of the port channel must be NNIs or ENIs with spanning tree enabled. 208. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 14-18 OL-9639-10 . 160. 192. 208. 128. Verify your entries. 144. 16. Command Step 1 Step 2 Purpose Enter global configuration mode. 32. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. 48. the range is 0 to 240. only ports with spanning tree enabled in the VLAN will run spanning tree. and 240. before attempting to configure it as a spanning-tree link. Step 4 spanning-tree vlan vlan-id port-priority priority Configure the port priority for a VLAN. you must enter the port-type nni interface configuration command or configure the port as an ENI and enable spanning tree on the port. the range is 0 to 240. 96. 192. 48. 128. the default is 128. you can specify a single VLAN identified by VLAN ID number. 112. 176. Valid values are 0. 80. All other values are rejected. • For vlan-id. For priority.

A lower path cost represents higher-speed transmission. the default value is derived from the media speed of the interface. Configure the cost for an interface. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 14-19 . • For vlan-id. If a loop occurs. or a series of VLANs separated by a comma. Configuring Path Cost The spanning-tree path cost default value is derived from the media speed of an interface (port running spanning tree or port channel of multiple ports running spanning tree). The range is 1 to 4094. use the no spanning-tree [vlan vlan-id] port-priority interface configuration command. spanning tree uses the path cost when selecting an interface to place into the forwarding state. If a loop occurs. This procedure is optional. Verify your entries. follow these steps to configure the cost of an interface. If a loop occurs. • Step 5 Step 6 end show spanning-tree interface interface-id or show spanning-tree vlan vlan-id Return to privileged EXEC mode. Beginning in privileged EXEC mode. You can assign lower cost values to interfaces that you want selected first and higher cost values that you want selected last. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. configure terminal interface interface-id Step 3 spanning-tree cost cost Step 4 spanning-tree vlan vlan-id cost cost Configure the cost for a VLAN.Chapter 14 Configuring STP Configuring Spanning-Tree Features To return to the default spanning-tree setting. and enter interface configuration mode. the range is 1 to 200000000. spanning tree uses cost when selecting an interface to put in the forwarding state. the default value is derived from the media speed of the interface. Command Step 1 Step 2 Purpose Enter global configuration mode. the range is 1 to 200000000. see the “Configuring Trunk Ports for Load Sharing” section on page 11-19. you can specify a single VLAN identified by VLAN ID number. A lower path cost represents higher-speed transmission. spanning tree uses the path cost when selecting a spanning-tree port to place into the forwarding state. Valid interfaces include physical NNIs or ENIs with STP enabled and port-channel logical interfaces (port-channel port-channel-number) that contain only NNIs or STP-enabled ENIs. For cost. For information on how to configure load sharing on trunk ports by using spanning-tree port priorities. a range of VLANs separated by a hyphen. Specify an interface to configure. If all NNIs (or port channels) have the same cost value. For cost. spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.

(Optional) Save your entries in the configuration file. To return to the default setting. the default is 32768. Configuring the Switch Priority of a VLAN You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. All other values are rejected. 12288. Command Step 1 Step 2 Purpose Enter global configuration mode. 16384. • configure terminal spanning-tree vlan vlan-id priority priority For vlan-id. For priority. 40960. see the “Configuring Trunk Ports for Load Sharing” section on page 11-19. Beginning in privileged EXEC mode. use the no spanning-tree [vlan vlan-id] cost interface configuration command. The range is 1 to 4094. 28672. Valid priority values are 4096. To return to the default setting. a range of VLANs separated by a hyphen. use the no spanning-tree vlan vlan-id priority global configuration command. 32768. 49152.Chapter 14 Configuring Spanning-Tree Features Configuring STP Note The show spanning-tree interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. you can specify a single VLAN identified by VLAN ID number. the range is 0 to 61440 in increments of 4096. 57344. the more likely the switch will be chosen as the root switch. • Step 3 Step 4 Step 5 end show spanning-tree vlan vlan-id copy running-config startup-config Return to privileged EXEC mode. 20480. 53248. Configure the switch priority of a VLAN. Verify your entries. you can use the show running-config privileged EXEC command to confirm the configuration. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 14-20 OL-9639-10 . For information on how to configure load sharing on trunk ports by using spanning-tree path costs. 24576. Otherwise. follow these steps to configure the switch priority of a VLAN. or a series of VLANs separated by a comma. we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the switch priority. and 61440. 36864. Note Exercise care when using this command. This procedure is optional. 45056. 8192. For most situations. The lower the number.

use the no spanning-tree vlan vlan-id hello-time global configuration command. the range is 1 to 10. (Optional) Save your entries in the configuration file. Command Step 1 Step 2 Purpose Enter global configuration mode. These messages mean that the switch is alive. • Step 3 Step 4 Step 5 end show spanning-tree vlan vlan-id copy running-config startup-config Return to privileged EXEC mode. Configure the hello time of a VLAN. you can specify a single VLAN identified by VLAN ID number. Verify your entries. a range of VLANs separated by a hyphen. we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the hello time. Note Exercise care when using this command. the default is 2. Configuring the Hello Time You can configure the interval between the generation of configuration messages by the root switch by changing the hello time. follow these steps to configure the hello time of a VLAN. Beginning in privileged EXEC mode. For seconds. The hello time is the interval between the generation of configuration messages by the root switch. This procedure is optional. To return to the default setting. For most situations. The range is 1 to 4094. Controls how long each of the listening and learning states last before the STP port begins forwarding. or a series of VLANs separated by a comma. • configure terminal spanning-tree vlan vlan-id hello-time seconds For vlan-id.Chapter 14 Configuring STP Configuring Spanning-Tree Features Configuring Spanning-Tree Timers Table 14-4 describes the timers that affect the entire spanning-tree performance. Controls the amount of time the switch stores protocol information received on an STP port. Table 14-4 Spanning-Tree Timers Variable Hello timer Forward-delay timer Maximum-age timer Description Controls how often the switch broadcasts hello messages to other switches. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 14-21 . The sections that follow provide the configuration steps.

This procedure is optional. or a series of VLANs separated by a comma. Configuring the Maximum-Aging Time for a VLAN Beginning in privileged EXEC mode. you can specify a single VLAN identified by VLAN ID number. (Optional) Save your entries in the configuration file. The maximum-aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration. The forward delay is the number of seconds a spanning-tree port waits before changing from its spanning-tree learning and listening states to the forwarding state. • configure terminal spanning-tree vlan vlan-id forward-time seconds For vlan-id. use the no spanning-tree vlan vlan-id max-age global configuration command. For seconds. Verify your entries. the range is 6 to 40. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 14-22 OL-9639-10 . a range of VLANs separated by a hyphen. • Step 3 Step 4 Step 5 end show spanning-tree vlan vlan-id copy running-config startup-config Return to privileged EXEC mode. • Step 3 Step 4 Step 5 end show spanning-tree vlan vlan-id copy running-config startup-config Return to privileged EXEC mode. the default is 20. To return to the default setting. use the no spanning-tree vlan vlan-id forward-time global configuration command. a range of VLANs separated by a hyphen. you can specify a single VLAN identified by VLAN ID number. Configure the maximum-aging time of a VLAN. For seconds. Command Step 1 Step 2 Purpose Enter global configuration mode. The range is 1 to 4094. (Optional) Save your entries in the configuration file. The range is 1 to 4094. To return to the default setting. or a series of VLANs separated by a comma. Verify your entries. Command Step 1 Step 2 Purpose Enter global configuration mode. the default is 15. Configure the forward time of a VLAN. follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional.Chapter 14 Configuring Spanning-Tree Features Configuring STP Configuring the Forwarding-Delay Time for a VLAN Beginning in privileged EXEC mode. • configure terminal spanning-tree vlan vlan-id max-age seconds For vlan-id. the range is 4 to 30. follow these steps to configure the maximum-aging time for a VLAN.

Displays a detailed summary of interface information. use one or more of the privileged EXEC commands in Table 14-5: Table 14-5 Commands for Displaying Spanning-Tree Status Command show spanning-tree active show spanning-tree detail show spanning-tree interface interface-id show spanning-tree summary [totals] Purpose Displays spanning-tree information only on active spanning-tree interfaces. see the command reference for this release. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 14-23 . You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command.Chapter 14 Configuring STP Displaying the Spanning-Tree Status Displaying the Spanning-Tree Status To display the spanning-tree status. Displays spanning-tree information for the specified spanning-tree interface. Displays a summary of interface states or displays the total lines of the STP state section. For information about other keywords for the show spanning-tree privileged EXEC command.

Chapter 14 Displaying the Spanning-Tree Status Configuring STP Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 14-24 OL-9639-10 .

“Configuring Optional Spanning-Tree Features. The most common initial deployment of MSTP is in the backbone and distribution layers of a Layer 2 switched network. It is based on the draft version of the IEEE standard. see the command reference for this release. page 15-8 Configuring MSTP Features. see Chapter 16.1s Multiple STP (MSTP) on the Cisco ME 3400 Ethernet Access switch. page 15-14 Displaying the MST Configuration and Status. On the Cisco ME switch. • • • • Understanding MSTP. with existing Cisco-proprietary Multiple Instance STP (MISTP). the Rapid Spanning Tree Protocol (RSTP).CH A P T E R 15 Configuring MSTP This chapter describes how to configure the Cisco implementation of the IEEE 802. “Configuring STP.1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state. user network interfaces (UNIs) on the switch do not participate in STP and immediately forward traffic when they are brought up. the interface always forwards traffic. It improves the fault tolerance of the network because a failure in one instance (forwarding path) does not affect other instances (forwarding paths). If STP is not enabled on an ENI. see Chapter 14. The RSTP provides rapid convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802. page 15-27 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 15-1 . is automatically enabled.” For information about other spanning-tree features such as Port Fast. This deployment provides the highly available network required in a service-provider environment. and can be also be enabled on enhanced network interfaces (ENIs). which is based on IEEE 802. For information about PVST+ and rapid PVST+. root guard. Note The multiple spanning-tree (MST) implementation is a pre-standard implementation.” Note For complete syntax and usage information for the commands used in this chapter. Both MSTP and RSTP improve the spanning-tree operation and maintain backward compatibility with equipment that is based on the (original) 802.1w. UplinkFast.1D spanning tree. When the switch is in the MST mode. STP is enabled by default on network node interfaces (NNIs). The MSTP provides for multiple forwarding paths for data traffic and enables load balancing. thereby reducing the number of spanning-tree instances needed to support a large number of VLANs. and so forth. and with existing Cisco per-VLAN spanning-tree plus (PVST+) and rapid per-VLAN spanning-tree plus (rapid PVST+). page 15-2 Understanding RSTP. The MSTP enables multiple VLANs to be mapped to the same spanning-tree instance.

• • • • • • Multiple Spanning-Tree Regions. Multiple Spanning-Tree Regions For switches to participate in multiple spanning-tree (MST) instances. A collection of interconnected switches that have the same MST configuration comprises an MST region as shown in Figure 15-1 on page 15-4. You configure the switch for a region by using the spanning-tree mst configuration global configuration command. each member must be capable of processing RSTP bridge protocol data units (BPDUs). page 15-6 “Interoperability with IEEE 802. All other MST instances are numbered from 1 to 4094. the MSTP maintains multiple spanning-tree instances. The configuration includes the name of the region. enables load balancing.1s Implementation.1D STP” section on page 15-8 For configuration information. CIST. You can assign a VLAN to only one spanning-tree instance at a time. the MSTP establishes and maintains two types of spanning trees: • An internal spanning tree (IST). The MST configuration controls to which MST region each switch belongs. Because the MSTP BPDU carries information for all instances. with each instance having a spanning-tree topology independent of other spanning-tree instances. IST. you can map VLANs to an MST instance by using the instance MST configuration command. and CST Unlike PVST+ and rapid PVST+ in which all the spanning-tree instances are independent. page 15-6 IEEE 802. which uses RSTP for rapid convergence. A region can have one member or multiple members with the same MST configuration. page 15-2 IST. From this mode. enables VLANs to be grouped into a spanning-tree instance. see the “Configuring MSTP Features” section on page 15-14. you must consistently configure the switches with the same MST configuration information. which are encapsulated within MSTP BPDUs. the revision number.Chapter 15 Understanding MSTP Configuring MSTP Understanding MSTP MSTP. Within each MST region. and the MST VLAN-to-instance assignment map. after which the switch enters the MST configuration mode. and set the revision number by using the revision MST configuration command. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 15-2 OL-9639-10 . page 15-5 Boundary Ports. the number of BPDUs that need to be processed by a switch to support multiple spanning-tree instances is significantly reduced. The IST is the only spanning-tree instance that sends and receives BPDUs. page 15-2 Hop Count. There is no limit to the number of MST regions in a network. Instance 0 is a special instance for a region. but each region can support up to 65 spanning-tree instances. This architecture provides multiple forwarding paths for data traffic. known as the internal spanning tree (IST). specify the region name by using the name MST configuration command. and CST. CIST. and reduces the number of spanning-tree instances required to support a large number of VLANs. all of the other spanning-tree instance information is contained in M-records. which is the spanning tree that runs in an MST region.

and IEEE 802. Thus all subregions shrink.1s standard changes some of the terminology associated with MST implementations.1D switches within the network. Therefore. which is a collection of the ISTs in each MST region. each with its own IST master. which is the switch within the region with the lowest bridge ID and path cost to the CST root. any two switches in the region synchronize their port roles for an MST instance only if they converge to a common IST master. but each MST instance has its own topology parameters. The CIST inside an MST region is the same as the CST outside a region. By default. all switches in the MST region must agree on the same IST master. all VLANs are assigned to the IST. During initialization. An MST instance is local to the region. a region might have many subregions. even if regions A and B are interconnected. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 15-3 . The switch also initializes all of its MST instances and claims to be the root for all of them. Note The implementation of the IEEE 802.1w. If the CST root is outside the region. except for the one that contains the true IST master. For a summary of these changes. see Table 15-1 on page 15-5. one of the MSTP switches at the boundary of the region is selected as the IST master. which includes all MST regions and all legacy STP switches in the network. The IST connects all the MSTP switches in the region and appears as a subtree in the CST that encompasses the entire switched domain. When an MSTP switch initializes. The MST region appears as a virtual switch to adjacent STP switches and MST regions. such as root switch ID. for example. and the common spanning tree (CST) that interconnects the MST regions and single spanning trees. The spanning tree computed in a region appears as a subtree in the CST that encompasses the entire switched domain. and so forth) than currently stored for the port. it relinquishes its claim as the IST master. • A common and internal spanning tree (CIST). As switches receive superior IST information. If the switch receives superior MST root information (lower bridge ID. The IST master also is the CST root if there is only one region within the network. When the IST converges. Operations Within an MST Region The IST connects all the MSTP switches in a region. the root of the IST becomes the IST master (shown in Figure 15-1 on page 15-4). For more information. see the “Operations Within an MST Region” section on page 15-3 and the “Operations Between MST Regions” section on page 15-3.1s. with both of the path costs to the CST root and to the IST master set to zero. IEEE 802. they leave their old subregions and join the new subregion that might contain the true IST master. it sends BPDUs claiming itself as the root of the CST and the IST master. MST instance 1 in region A is independent of MST instance 1 in region B. For correct operation. lower path cost. Operations Between MST Regions If there are multiple regions or legacy IEEE 802. The MST instances combine with the IST at the boundary of the region to become the CST. root path cost. MSTP establishes and maintains the CST.1D protocols. The CIST is formed as a result of the spanning-tree algorithm running between switches that support the IEEE 802.Chapter 15 Configuring MSTP Understanding MSTP All MST instances within the same region share the same protocol timers. with the root of the subtree being the IST master. and so forth.

max-age. The RSTP runs in all regions. MSTP switches use MSTP BPDUs to communicate with MSTP switches.1D MST Region 1 B IST master C IST master Figure 15-1 does not show additional MST instances for each region. hello time. The IST master for region 2 (B) and the IST master for region 3 (C) are the roots for their respective subtrees within the CST. IST Masters. forward time. Because of this. Only the CST instance sends and receives BPDUs. Note that the topology of MST instances can be different from that of the IST for the same region. the spanning-tree parameters related to BPDU transmission (for example.1D STP BPDUs to communicate with legacy IEEE 802. The IST master for region 1 (A) is also the CST root. and MST instances add their spanning-tree information into the BPDUs to interact with neighboring switches and compute the final spanning-tree topology. Figure 15-1 MST Regions.1D switch (D). port VLAN priority) can be configured on both the CST instance and the MST instance. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 15-4 OL-9639-10 88762 MST Region 2 MST Region 3 . and the CST Root A IST master and CST root D Legacy 802. switch priority. port VLAN cost. Parameters related to the spanning-tree topology (for example.1D switches.Chapter 15 Understanding MSTP Configuring MSTP Figure 15-1 shows a network with three MST regions and a legacy IEEE 802. MSTP switches use Version 3 RSTP BPDUs or 802. and max-hops) are configured only on the CST instance but affect all MST instances.

When the count reaches zero. Otherwise. The root switch of the instance always sends a BPDU (or M-record) with a cost of 0 and the hop count set to the maximum value. When a switch receives this BPDU. only the CIST parameters require the external rather than the internal or regional qualifiers. you can configure the maximum hops inside the region and apply it to the IST and all MST instances in that region.1s Terminology Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. the switch discards the BPDU and ages the information held for the port. the CIST regional root is the closest switch to the CIST root in the region. • • Table 15-1 compares the IEEE standard and the Cisco prestandard terminology. This cost is left unchanged within an MST region. Instead. These parameters are significant only within an MST region. Table 15-1 Prestandard and Standard Terminology IEEE Standard CIST regional root CIST internal root path cost CIST external root path cost MSTI regional root MSTI internal root path cost Cisco Prestandard IST master IST master path cost Root path cost Instance root Root path cost Cisco Standard CIST regional root CIST internal path cost Root path cost Instance root Root path cost Hop Count The IST and MST instances do not use the message-age and maximum-age information in the configuration BPDU to compute the spanning-tree topology. This cost is only relevant to the IST. the CIST regional root is the CIST root. instance 0. The hop count achieves the same result as the message-age information (trigger a reconfiguration). The CIST external root path cost is the cost to the CIST root. If the CIST root is in the region. The message-age and maximum-age information in the RSTP portion of the BPDU remain the same throughout the region. and the same values are propagated by the region’s designated ports at the boundary. as opposed to external parameters that are relevant to the whole network. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 15-5 . The CIST regional root acts as a root switch for the IST. The CIST internal root path cost is the cost to the CIST regional root in a region. Because the CIST is the only spanning-tree instance that spans the whole network. • • The CIST root is the root switch for the unique instance that spans the whole network. Remember that an MST region looks like a single switch for the CIST. The CIST external root path cost is the root path cost calculated between these virtual switches and switches that do not belong to any region. By using the spanning-tree mst max-hops global configuration command. it decrements the received remaining hop count by one and propagates this value as the remaining hop count in the BPDUs it generates.Chapter 15 Configuring MSTP Understanding MSTP IEEE 802. the CIST. The CIST regional root was called the IST master in the prestandard implementation. they use the path cost to the root and a hop-count mechanism similar to the IP time-to-live (TTL) mechanism.

This definition allows two ports internal to a region to share a segment with a port belonging to a different region.1s standard. Note If there is a legacy STP switch on the segment. switch C would receive a BPDU with the same consistent sender switch ID of root. A segment belongs to the region of its designated port. If the CIST role is root or alternate. creating the possibility of receiving both internal and external messages on a port. the designated switch of which is either a single spanning-tree switch or a switch with a different MST configuration. the CIST part is received by the CIST. There is no definition of a boundary port in the IEEE 802.1Q switch has the sender switch ID. This means a port cannot receive a mix of internal and external messages. When a message is internal. or to another MST region with a different MST configuration. or if the external BPDU is a topology change. it is received only by the CIST. IEEE 802. The whole region performs like a single virtual switch by sending a consistent sender switch ID to neighboring switches. messages are always considered external. The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary. The other change from the prestandard implementation is that the CIST regional root switch ID field is now inserted where an RSTP or legacy IEEE 802. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 15-6 OL-9639-10 . Therefore. The IEEE 802. An MST region includes both switches and LANs. In the example in Figure 15-1. unless it is running in an STP-compatible mode.1Q-2002 standard identifies two kinds of messages that a port can receive: internal (coming from the same region) and external. it could have an impact on the MST instances. A boundary port also connects to a LAN.Chapter 15 Understanding MSTP Configuring MSTP Boundary Ports In the Cisco prestandard implementation. a boundary port connects an MST region to a single spanning-tree region running RSTP.1s Implementation The Cisco implementation of the IEEE MST standard includes features required to meet the standard. When a message is external. UNIs do not participate in STP. The Cisco prestandard implementation treats a port that receives an external message as a boundary port. whether or not A or B is designated for the segment. a port in a different region than the designated port for a segment is a boundary port. only NNIs or STP-enabled ENIs can be MST ports. and each MST instance receives its respective M-record. as well as some of the desirable prestandard functionality that is not yet incorporated into the published standard. to a single spanning-tree region running PVST+ or rapid PVST+. Note On the Cisco ME switch.

Figure 15-2 illustrates this scenario. The standard provides less information. The boundary port is not the root port of the CIST regional root—The MSTI ports follow the state and role of the CIST port. The MSTI ports now have a special master role. you can use an interface configuration command to identify prestandard ports. The CLI displays different flags depending on the port configuration when a port receives prestandard BPDUs. and the port on BY becomes the alternate before sending out a single prestandard BPDU. both configured to be in the same region. If segment Y flaps. • Interoperation Between Legacy and Standard Switches Because automatic detection of prestandard switches can fail. although the boundary role no longer exists. and it might be difficult to understand why an MSTI port can be alternately blocking when it receives no BPDUs (MRecords). The same problem exists on segment X. an MST instance port at a boundary of the region might not follow the state of the corresponding CIST port. A region cannot be formed between a standard and a prestandard switch. Assume that A is a standard switch and B a prestandard switch. A is the root switch for the CIST. but they can interoperate by using the CIST. Only the capability of load balancing over different instances is lost in that particular case. the show commands identify a port as boundary in the type column of the output. AY cannot detect that a prestandard switch is connected to Y and continues to send standard BPDUs. Two cases exist now: • The boundary port is the root port of the CIST regional root—When the CIST instance port is proposed and is in sync. However. it can send back an agreement and move to the forwarding state only after all the corresponding MSTI ports are in sync (and thus forwarding). Figure 15-2 Standard and Prestandard Switch Interoperation Segment X MST Region Switch A Switch B Segment Y Note We recommend that you minimize the interaction between standard and prestandard MST implementations. and thus B has a root port (BX) on segment X and an alternate port (BY) on segment Y.Chapter 15 Configuring MSTP Understanding MSTP Port Role Naming Change The boundary role is no longer in the final MST standard. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 92721 15-7 . In this case. and no load balancing is possible between A and B. The port BY is thus fixed in a boundary. A syslog message also appears the first time a switch receives a prestandard BPDU on a port that has not been configured for prestandard BPDU transmission. but this boundary concept is maintained in Cisco’s implementation. but B might transmit topology changes.

but it is included in this Cisco IOS release. However. When a designated port detects a conflict. Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with the default settings in the IEEE 802. Also. but reverts to discarding state because disrupting connectivity in case of inconsistency is preferable to opening a bridging loop. switch A can detect that switch B does not react to the superior BPDUs it sends and that switch B is the designated. The software checks the consistency of the port role and state in the received BPDUs to detect unidirectional link failures that could cause bridging loops. To restart the protocol migration process (force the renegotiation with neighboring switches).1D BPDUs on that port. use the clear spanning-tree detected-protocols privileged EXEC command. If this switch receives a legacy IEEE 802. As a result.Chapter 15 Understanding RSTP Configuring MSTP Detecting Unidirectional Link Failure This feature is not yet present in the IEEE MST standard. Switch A is the root switch. Therefore. and its BPDUs are lost on the link leading to switch B. Designated + Learning bit set Interoperability with IEEE 802. it keeps its role. MSTP switches send either a Version 0 configuration and TCN BPDUs or Version 3 MSTP BPDUs on a boundary port. Figure 15-3 illustrates a unidirectional link failure that typically creates a bridging loop. which is critical for networks carrying delay-sensitive traffic such as voice and video. With this information. RSTP and MST BPDUs include the role and state of the sending port. An MSTP switch also can detect that a port is at the boundary of a region when it receives a legacy BPDU. the designated switch of which is either a single spanning-tree switch or a switch with a different MST configuration. switch A blocks (or keeps blocking) its port. Figure 15-3 Detecting Unidirectional Link Failure Switch A Superior BPDU Switch B Inferior BPDU. an MSTP BPDU (Version 3) associated with a different region.1D STP A switch running MSTP supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802. A boundary port connects to a LAN. it sends only IEEE 802. If all the legacy switches on the link are RSTP switches. a switch might continue to assign a boundary role to a port when the switch to which this switch is connected has joined the region. the switch does not automatically revert to the MSTP mode if it no longer receives IEEE 802. or an RSTP BPDU (Version 2).1D configuration BPDU (a BPDU with the protocol version set to 0).1D BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. not root switch. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 15-8 92722 OL-9639-10 . thus preventing the bridging loop. they can process MSTP BPDUs as if they are RSTP BPDUs. Understanding RSTP The RSTP takes advantage of point-to-point wiring and provides rapid convergence of the spanning tree.1D spanning tree).1D switches.

page 15-10 Synchronization of Port Roles. page 15-11 Bridge Protocol Data Unit Format and Processing. The port through which the designated switch is attached to the LAN is called the designated port. A port with the alternate or backup port role is excluded from the active topology. • • Root port—Provides the best path (lowest cost) when the switch forwards packets to the root switch. Disabled port—Has no role within the operation of the spanning tree. Note On the Cisco ME switch. In a stable topology with consistent port roles throughout the network.1D STP to select the switch with the highest switch priority (lowest numerical priority value) as the root switch as described in the “Spanning-Tree Topology and BPDUs” section on page 14-3.Chapter 15 Configuring MSTP Understanding RSTP • • • • Port Roles and the Active Topology. the RSTP ensures that every root port and designated port immediately transition to the forwarding state while all alternate and backup ports are always in the discarding state (equivalent to blocking in 802. Backup port—Acts as a backup for the path provided by a designated port toward the leaves of the spanning tree. UNIs do not participate in STP. page 15-12 For configuration information. page 15-9 Rapid Convergence.1D) RSTP Port State Blocking Listening Learning Forwarding Disabled Discarding Discarding Learning Forwarding Discarding Is Port Included in the Active Topology? No No Yes Yes No Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 15-9 . A backup port can exist only when two ports are connected together in a loopback by a point-to-point link or when a switch has two or more connections to a shared LAN segment. which incurs the lowest path cost when forwarding packets from that LAN to the root switch. Table 15-2 Port State Comparison Operational Status Enabled Enabled Enabled Enabled Disabled STP Port State (IEEE 802.1D). • • • A port with the root or a designated port role is included in the active topology. Table 15-2 provides a comparison of IEEE 802. only NNIs or STP-enabled ENIs can be RSTP ports.1D and RSTP port states. Designated port—Connects to the designated switch. Then the RSTP assigns one of these port roles to individual ports. The port state controls the operation of the forwarding and learning processes. Alternate port—Offers an alternate path toward the root switch to that provided by the current root port. see the “Configuring MSTP Features” section on page 15-14. The RSTP builds upon the IEEE 802. Port Roles and the Active Topology The RSTP provides rapid convergence of the spanning tree by assigning port roles and by learning the active topology.

Chapter 15 Understanding RSTP Configuring MSTP To be consistent with Cisco STP implementations. • • Note On the Cisco ME switch. With each iteration of this handshaking process. Switch B selects as its new root port the port from which the proposal message was received. No loops in the network are formed because Switch B blocked all of its nonedge ports and because there is a point-to-point link between Switches A and B. After receiving Switch B’s agreement message. and both ends immediately transition to the forwarding state. Point-to-point links—If you connect a port to another port through a point-to-point link and the local port becomes a designated port. Assume that the priority of Switch A is a smaller numerical value than the priority of Switch B. one more switch joins the active topology. Switch A is connected to Switch B through a point-to-point link. Designated ports start in the listening state. the edge port immediately transitions to the forwarding state. and all of the ports are in the blocking state. As shown in Figure 15-4. these ports are always NNIs or STP-enabled ENIs. When Switch C is connected to Switch B. It provides rapid convergence for edge ports. forces all nonedge ports to the blocking state. it negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology. You can override the default setting that is controlled by the duplex setting by using the spanning-tree link-type interface configuration command. Switch A also immediately transitions its designated port to the forwarding state. or a LAN. a switch port. proposing itself as the designated switch. Rapid Convergence The RSTP provides for rapid recovery of connectivity following the failure of a switch. a similar set of handshaking messages are exchanged. Switch A sends a proposal message (a configuration BPDU with the proposal flag set) to Switch B. this proposal-agreement handshaking progresses from the root toward the leaves of the spanning tree. An edge port is the same as a Port Fast-enabled port. and sends an agreement message (a BPDU with the agreement flag set) through its new root port. After receiving the proposal message. new root ports. a half-duplex port is considered to have a shared connection. Root ports—If the RSTP selects a new root port. and ports connected through point-to-point links as follows: • Edge ports—If you configure a port as an edge port on an RSTP switch by using the spanning-tree portfast interface configuration command. Switch C selects the port connected to Switch B as its root port. it blocks the old root port and immediately transitions the new root port to the forwarding state. this guide documents the port state as blocking instead of discarding. The switch learns the link type from the port duplex mode: a full-duplex port is considered to have a point-to-point connection. and you should enable it only on ports that connect to a single end station. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 15-10 OL-9639-10 . As the network converges.

The sequence of events is shown in Figure 15-5. The switch is synchronized with superior root information received on the root port if all other ports are synchronized. it transitions to the blocking state when the RSTP forces it to synchronize with new root information. when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions. the RSTP immediately transitions the port states to forwarding. the RSTP forces all other ports to synchronize with the new root information. its port state is set to blocking. After ensuring all of the ports are synchronized. When the switches connected by a point-to-point link are in agreement about their port roles. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 88760 15-11 .Chapter 15 Configuring MSTP Understanding RSTP Figure 15-4 Proposal and Agreement Handshaking for Rapid Convergence Switch A Proposal Switch B Root F DP Root F DP Root F DP Agreement Designated switch F RP Designated switch F RP Designated switch F RP F DP Switch C Proposal Agreement F RP DP = designated port RP = root port F = forwarding Synchronization of Port Roles When the switch receives a proposal message on one of its ports and that port is selected as the new root port. the switch sends an agreement message to the designated switch corresponding to its root port. An individual port on the switch is synchronized if • • That port is in the blocking state. It is an edge port (a port configured to be at the edge of the network). In general. If a designated STP port is in the forwarding state and is not configured as an edge port.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 15-12 OL-9639-10 . Forward Edge port 2. Forward 8. which means that no version 1 protocol information is present. Forward 3. The port role in the proposal message is always set to the designated port. Agreement 88761 Bridge Protocol Data Unit Format and Processing The RSTP BPDU format is the same as the IEEE 802. Block 9. Proposal 7.1D BPDU format except that the protocol version is set to 2. A new one-byte Version 1 Length field is set to zero. Proposal 5. Proposal Root port Designated port 10. Agreement 6. The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal. Table 15-3 RSTP BPDU Flags Bit 0 1 2–3: 00 01 10 11 4 5 6 7 Function Topology change (TC) Proposal Port role: Unknown Alternate port Root port Designated port Learning Forwarding Agreement Topology change acknowledgement (TCA) The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN. Table 15-3 shows the RSTP flag fields. Block 11. Agreement 1. The port role in the agreement message is always set to the root port.Chapter 15 Understanding RSTP Configuring MSTP Figure 15-5 Sequence of Events During Rapid Convergence 4.

for interoperability with 802. This behavior is only required to support IEEE 802. which uses TCN BPDUs. the TC-while timer is reset. RSTP sets the port to the blocking state but does not send the agreement message. The new root port requires twice the forward-delay time to transition to the forwarding state.1D switch. it replies with an 802. The learning and forwarding flags are set according to the state of the sending port. If the BPDU received is an RSTP BPDU with the proposal flag set. the switch does not set the proposal flag and starts the forward-delay timer for the port.Chapter 15 Configuring MSTP Understanding RSTP The RSTP does not have a separate topology change notification (TCN) BPDU. it propagates the change to all of its nonedge. lower path cost. the switch sends an agreement message after all of the other ports are synchronized. Processing Inferior BPDU Information If a designated port receives an inferior BPDU (higher bridge ID. However.1D in which any transition between the blocking and the forwarding state causes a topology change. • Detection—Unlike IEEE 802. only transitions from the blocking to the forwarding state cause a topology change with RSTP (only an increase in connectivity is considered a topology change). an RSTP switch processes and generates TCN BPDUs.1D configuration BPDU with the TCA bit set.1D) is active on a root port connected to an 802. it immediately replies with its own information. RSTP forces all the other ports to synchronize. If the BPDU is an 802. the RSTP switch processes and generates TCN BPDUs. If the port is proposed and is selected as the new root port. Processing Superior BPDU Information If a port receives superior root information (lower bridge ID. the RSTP triggers a reconfiguration. and so forth) than currently stored for the port. Acknowledgement—When an RSTP switch receives a TCN message on a designated port from an IEEE 802.1D interoperability. The designated port continues sending BPDUs with the proposal flag set until the forward-delay timer expires. However.1D switches. at which time the port transitions to the forwarding state. The switch starts the TC-while timer for all such ports and flushes the information learned on them. It uses the topology change (TC) flag to show the topology changes. the RSTP does not use them.1D switch and a configuration BPDU with the TCA bit set is received.1D BPDU. The RSTP BPDUs never have the TCA bit set.1D. • • • Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port. Topology Changes This section describes the differences between the RSTP and the IEEE 802. designated ports and to the root port (excluding the port on which it is received). Notification—Unlike IEEE 802. State changes on an edge port do not cause a topology change. If the superior information received on the port causes the port to become a backup or alternate port. When an RSTP switch detects a topology change. higher path cost. for 802. if the TC-while timer (the same as the topology-change timer in 802.1D switches. However. and so forth than currently stored for the port) with a designated port role. it flushes the learned information on all of its nonedge ports except on those from which it received the TC notification.1D in handling spanning-tree topology changes. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 15-13 .

page 15-25 (optional) Designating the Neighbor Type. page 15-19 (optional) Configuring Port Priority.1D switches. 1000 Mbps: 4. it assumes that it is connected to an IEEE 802. 10 Mbps: 100. page 15-22 (optional) Configuring the Hello Time. page 15-14 MSTP Configuration Guidelines. While this timer is active.1D switch and starts using only IEEE 802.1D BPDUs on a port and receives an RSTP BPDU after the timer has expired. page 15-25 (optional) Restarting the Protocol Migration Process. page 15-23 (optional) Configuring the Maximum-Aging Time. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 15-14 OL-9639-10 . page 15-26 (optional) Default MSTP Configuration Table 15-4 shows the default MSTP configuration.Chapter 15 Configuring MSTP Features Configuring MSTP • Protocol migration—For backward compatibility with IEEE 802. RSTP selectively sends IEEE 802. 100 Mbps: 19. page 15-23 (optional) Configuring the Forwarding-Delay Time. Configuring MSTP Features • • • • • • • • • • • • • • • Default MSTP Configuration. page 15-16 (required) Configuring the Root Switch. if the RSTP switch is using IEEE 802. However. If the switch receives an IEEE 802.1D BPDUs. page 15-24 (optional) Configuring the Maximum-Hop Count. it restarts the timer and starts using RSTP BPDUs on that port.1D configuration BPDUs and TCN BPDUs on a per-port basis. 128. page 15-17 (optional) Configuring a Secondary Root Switch. Table 15-4 Default MSTP Configuration Feature Spanning-tree mode Switch priority (configurable on a per-CIST port basis) Spanning-tree port priority (configurable on a per-CIST port basis) Spanning-tree port cost (configurable on a per-CIST port basis) Default Setting Rapid PVST+ (PVST+ and MSTP are disabled).1D BPDU after the port’s migration-delay timer has expired. page 15-24 (optional) Specifying the Link Type to Ensure Rapid Transitions. page 15-15 Specifying the MST Region Configuration and Enabling MSTP. the switch processes all BPDUs received on that port and ignores the protocol type. page 15-21 (optional) Configuring the Switch Priority. the migrate-delay timer is started (specifies the minimum time during which RSTP BPDUs are sent). and RSTP BPDUs are sent. When a port is initialized. 32768. page 15-19 (optional) Configuring Path Cost.

20 hops. and VLAN-to-instance mapping) on each switch within the MST region by using the command-line interface (CLI) or through the SNMP support. all traffic flows on a single link. see the “Supported Spanning-Tree Instances” section on page 14-10. RSTP is automatically enabled. and the same name. For two or more switches to be in the same MST region. When you enable MST by using the spanning-tree mode mst global configuration command. UNIs do not participate in MSTP. if this situation is unavoidable. one of the MST regions must contain the CST root. and MSTP are supported. For this to occur. they must have the same VLAN-to-instance map. You can manually configure the MST configuration (region name. revision number. The switch supports up to 65 MST instances. 15 seconds. You might have to manually configure the switches in the clouds. 20 seconds. or all VLANs run MSTP. You enable STP on an ENI by entering the spanning-tree interface configuration command. MSTP Configuration Guidelines • On the Cisco ME switch.) For more information. rapid PVST+. the same configuration revision number. we recommend that you partition the switched LAN into smaller LANs interconnected by routers or non-Layer 2 devices. and all of the other MST regions must have a better path to the root contained within the MST cloud than a path through the PVST+ or rapid-PVST+ cloud. For information about the supported number of spanning-tree instances. the IST master of the MST cloud should also be the root of the CST. However. • • • • • • • • Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 15-15 . but only one version can be active at any time. If the MST cloud consists of multiple MST regions.Chapter 15 Configuring MSTP Configuring MSTP Features Table 15-4 Default MSTP Configuration (continued) Feature Hello time Forward-delay time Maximum-aging time Maximum hop count Default Setting 2 seconds. see the “Interaction with Other Features” section on page 11-16. All MST boundary ports must be forwarding for load balancing between a PVST+ and an MST cloud or between a rapid-PVST+ and an MST cloud. all VLANs run PVST+. For information on the recommended trunk port configuration. all VLAN-to-instance mapping assignments must match. see the “Spanning-Tree Interoperability and Backward Compatibility” section on page 14-10. PVST+. (For example. otherwise. all VLANs run rapid PVST+. MSTP is supported only on NNIs or ENIs on which STP has been enabled. The number of VLANs that can be mapped to a particular MST instance is unlimited. Partitioning the network into a large number of regions is not recommended. For load balancing across redundant paths in the network to work.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 15-16 OL-9639-10 . Apply all changes. follow these steps to specify the MST region configuration and enable MSTP. To specify a VLAN range. Command Step 1 Step 2 Step 3 Purpose Enter global configuration mode. the same configuration revision number. To specify a VLAN series. With the long path-cost calculation method. the mapping is incremental. Verify your configuration by displaying the pending configuration. each member must be capable of processing RSTP BPDUs. 20. This procedure is required. The name string has a maximum length of 32 characters and is case sensitive. Step 4 Step 5 Step 6 Step 7 name name revision version show pending exit Specify the configuration name. instance 1 vlan 1-63 maps VLANs 1 through 63 to MST instance 1. You can assign a VLAN to only one spanning-tree instance at a time. The range is 0 to 65535. Specify the configuration revision number.Chapter 15 Configuring MSTP Features Configuring MSTP • When the switch is in MST mode. these path cost values are supported: Speed 10 Mb/s 100 Mb/s 1 Gb/s 10 Gb/s 100 Gb/s Path Cost Value 2. use a hyphen. and the same name. When you map VLANs to an MST instance. and 30 to MST instance 1. and the VLANs specified in the command are added to or removed from the VLANs that were previously mapped. There is no limit to the number of MST regions in a network. 30 maps VLANs 10. they must have the same VLAN-to-instance mapping. Enter MST configuration mode. A region can have one member or multiple members with the same MST configuration. and return to global configuration mode. Map VLANs to an MST instance. instance 1 vlan 10. for example. the range is 0 to 4094.000. 20. but each region can support up to 65 spanning-tree instances. it uses the long path-cost calculation method (32 bits) to compute the path cost values. Beginning in privileged EXEC mode.000 20. For vlan vlan-range.000 2.000 200. for example. • • configure terminal spanning-tree mst configuration instance instance-id vlan vlan-range For instance-id. the range is 1 to 4094. use a comma.000 200 Specifying the MST Region Configuration and Enabling MSTP For two or more switches to be in the same MST region.

use the no name MST configuration command. When you enter this command. the switch checks the switch priorities of the root switches. use the spanning-tree mst instance-id root global configuration command to modify the switch priority from the default value (32768) to a significantly lower value so that the switch becomes the root switch for the specified spanning-tree instance. A bridge ID. use the no spanning-tree mode or the spanning-tree mode pvst global configuration command. Because of the extended system ID support. (Optional) Save your entries in the configuration file. To return to the default revision number. Verify your entries. To return to the default name. consisting of the switch priority and the switch MAC address. To re-enable rapid PVST+. You cannot run both MSTP and rapid PVST+ or both MSTP and PVST+ at the same time. the switch with the lowest bridge ID becomes the root switch. Step 9 Step 10 Step 11 end show running-config copy running-config startup-config Return to privileged EXEC mode. To return to the default VLAN-to-instance map. This example shows how to enter MST configuration mode. map VLANs 10 to 20 to MST instance 1. name the region region1. apply the changes. and return to global configuration mode: Switch(config)# spanning-tree mst configuration Switch(config-mst)# instance 1 vlan 10-20 Switch(config-mst)# name region1 Switch(config-mst)# revision 1 Switch(config-mst)# show pending Pending MST configuration Name [region1] Revision 1 Instance Vlans Mapped -------. set the configuration revision to 1. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 15-17 . To return to the default MST region configuration.Chapter 15 Configuring MSTP Configuring MSTP Features Command Step 8 Purpose Enable MSTP.21-4094 1 10-20 ------------------------------Switch(config-mst)# exit Switch(config)# Configuring the Root Switch The switch maintains a spanning-tree instance for the group of VLANs mapped to it. RSTP is also enabled. use the no instance instance-id [vlan vlan-range] MST configuration command. the switch sets its own priority for the specified instance to 24576 if this value will cause this switch to become the root for the specified spanning-tree instance. spanning-tree mode mst Caution Changing spanning-tree modes can disrupt traffic because all spanning-tree instances are stopped for the previous mode and restarted in the new mode. is associated with each instance. To configure a switch to become the root.--------------------0 1-9. For a group of VLANs. use the no spanning-tree mst configuration global configuration command. display the pending configuration. use the no revision MST configuration command.

The range is 1 to 10 seconds. forward-delay time. The range is 2 to 7. it is unlikely that the switch with the extended system ID support will become the root switch. which can significantly reduce the convergence time. The range is 0 to 4094. follow these steps to configure a switch as the root switch. (Optional) For hello-time seconds.) If your network consists of switches that both do and do not support the extended system ID. specify the interval in seconds between the generation of configuration messages by the root switch. and maximum-age time through the spanning-tree mst hello-time. You can use the hello keyword to override the automatically calculated hello time. (Optional) For diameter net-diameter. specify the maximum number of switches between any two end stations. you can specify a single instance. • • Step 3 Step 4 Step 5 end show spanning-tree mst instance-id copy running-config startup-config Return to privileged EXEC mode. use the no spanning-tree mst instance-id root global configuration command. This keyword is available only for MST instance 0. When you specify the network diameter. spanning-tree mst forward-time. the switch sets its own priority to 4096 less than the lowest switch priority. a range of instances separated by a hyphen. Use the diameter keyword. Verify your entries. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 15-18 OL-9639-10 . The root switch for each spanning-tree instance should be a backbone or distribution switch.Chapter 15 Configuring MSTP Features Configuring MSTP If any root switch for the specified instance has a switch priority lower than 24576. Beginning in privileged EXEC mode. To return the switch to its default setting. the switch automatically sets an optimal hello time. to specify the Layer 2 network diameter (that is. we recommend that you avoid manually configuring the hello time. Configure a switch as the root switch. The extended system ID increases the switch priority value every time the VLAN number is greater than the priority of the connected switches running older software. (Optional) Save your entries in the configuration file. forward-delay time. Do not configure an access switch as the spanning-tree primary root. Note After configuring the switch as the root switch. (4096 is the value of the least-significant bit of a 4-bit switch priority value as shown in Table 14-1 on page 14-4. This procedure is optional. or a series of instances separated by a comma. the default is 2 seconds. and maximum-age time for a network of that diameter. Command Step 1 Step 2 Purpose Enter global configuration mode. • configure terminal spanning-tree mst instance-id root primary [diameter net-diameter [hello-time seconds]] For instance-id. which is available only for MST instance 0. the maximum number of switch hops between any two end stations in the Layer 2 network). and the spanning-tree mst max-age global configuration commands.

(Optional) For hello-time seconds. The switch is then likely to become the root switch for the specified instance if the primary root switch fails. the switch priority is modified from the default value (32768) to 28672. you can specify a single instance. This keyword is available only for MST instance 0. The range is 1 to 10 seconds. specify the maximum number of switches between any two end stations. The range is 0 to 4094. or a series of instances separated by a comma. follow these steps to configure a switch as the secondary root switch. Verify your entries. use the no spanning-tree mst instance-id root global configuration command. the MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. (Optional) For diameter net-diameter. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command. Configure a switch as the secondary root switch. Command Step 1 Step 2 Purpose Enter global configuration mode.Chapter 15 Configuring MSTP Configuring MSTP Features Configuring a Secondary Root Switch When you configure a switch with the extended system ID support as the secondary root. • configure terminal spanning-tree mst instance-id root secondary [diameter net-diameter [hello-time seconds]] For instance-id. You can execute this command on more than one switch to configure multiple backup root switches. Configuring Port Priority If a loop occurs. You can assign higher priority values (lower numerical values) to STP ports that you want selected first and lower priority values (higher numerical values) that you want selected last. The range is 2 to 7. the MSTP uses the port priority when selecting an STP port to put into the forwarding state. Beginning in privileged EXEC mode. the default is 2 seconds. (Optional) Save your entries in the configuration file. If all interfaces have the same priority value. a range of instances separated by a hyphen. Step 3 Step 4 Step 5 end show spanning-tree mst instance-id copy running-config startup-config Return to privileged EXEC mode. To return the switch to its default setting. This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 15-19 . This procedure is optional. • • Use the same network diameter and hello-time values that you used when configuring the primary root switch. See the “Configuring the Root Switch” section on page 15-17. specify the interval in seconds between the generation of configuration messages by the root switch.

64. For priority. or a series of instances separated by a comma. 128. 160. follow these steps to configure the MSTP port priority of an interface. before attempting to configure MST port priority. 112. Step 3 spanning-tree mst instance-id port-priority priority Configure the port priority. you must enter the port-type nni interface configuration command or configure the port as an ENI and enable spanning tree on the port. For instance-id. 176. 192. The range is 0 to 4094. you can use the show running-config interface privileged EXEC command to confirm the configuration. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 15-20 OL-9639-10 . all members of the port channel must be NNIs or ENIs with spanning tree enabled. 96. and enter interface configuration mode. The default is 128. To return the interface to its default setting. the higher the priority. the range is 0 to 240 in increments of 16. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. If the interface is a VLAN. The VLAN ID range is 1 to 4094. • • Step 4 Step 5 end show spanning-tree mst interface interface-id or show spanning-tree mst instance-id Return to privileged EXEC mode. 32. 224. The lower the number.Chapter 15 Configuring MSTP Features Configuring MSTP Beginning in privileged EXEC mode. Valid interfaces include physical NNIs or ENIs with spanning tree enabled. Otherwise. Specify an interface to configure. All other values are rejected. 48. Note configure terminal interface interface-id If a physical interface is a UNI. use the no spanning-tree mst instance-id port-priority interface configuration command. and 240. 16. This procedure is optional. 80. Note The show spanning-tree mst interface interface-id privileged EXEC command displays information only if the port is in a link-up operative state. VLANs. only ports with spanning tree enabled in the VLAN will run spanning tree. and NNI or ENI port channels. The port-channel range is 1 to 48. Command Step 1 Step 2 Purpose Enter global configuration mode. See “Enabling Spanning Tree on an ENI” section on page 14-13. Verify your entries. 208. 144. If the interface is a port channel. a range of instances separated by a hyphen. you can specify a single instance. The priority values are 0.

If the interface is a port channel. only ports with spanning tree enabled in the VLAN will run spanning tree. A lower path cost represents higher-speed transmission. If a loop occurs. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. If a loop occurs. and enter interface configuration mode. you must enter the port-type nni interface configuration command or configure the port as an ENI and enable spanning tree on the port. or a series of instances separated by a comma. • For instance-id. Valid interfaces include physical NNIs or ENIs with spanning tree enabled. follow these steps to configure the MSTP cost of an interface. If the interface is a VLAN. a range of instances separated by a hyphen. You can assign lower cost values to STP ports that you want selected first and higher cost values that you want selected last. and NNI or ENI port channels. all members of the port channel must be NNIs or ENIs with spanning tree enabled. Command Step 1 Step 2 Purpose Enter global configuration mode. Verify your entries. Beginning in privileged EXEC mode. Specify an interface to configure. For cost. the range is 1 to 200000000. The VLAN ID range is 1 to 4094. the MSTP uses the path cost when selecting an interface to place into the forwarding state. Note configure terminal interface interface-id If a physical interface is a UNI. before attempting to configure MST port priority. See “Enabling Spanning Tree on an ENI” section on page 14-13. If all interfaces have the same cost value. The range is 0 to 4094. This procedure is optional.Chapter 15 Configuring MSTP Configuring MSTP Features Configuring Path Cost The MSTP path cost default value is derived from the media speed of an STP port. Step 3 spanning-tree mst instance-id cost cost Configure the cost. the MSTP uses cost when selecting an interface to put in the forwarding state. you can specify a single instance. VLANs. the default value is derived from the media speed of the interface. The port-channel range is 1 to 48. the MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. • Step 4 Step 5 end show spanning-tree mst interface interface-id or show spanning-tree mst instance-id Return to privileged EXEC mode. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 15-21 .

Configuring the Switch Priority You can configure the switch priority and make it more likely that the switch will be chosen as the root switch. 53248. • configure terminal spanning-tree mst instance-id priority priority For instance-id. you can specify a single instance. Otherwise. a range of instances separated by a hyphen. and 61440. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 15-22 OL-9639-10 . 57344. 32768. 40960. Command Step 1 Step 2 Purpose Enter global configuration mode. Priority values are 0. Beginning in privileged EXEC mode. Verify your entries. 49152. the default is 32768. 16384. 20480. 4096. All other values are rejected. 45056. Note Exercise care when using this command. To return the switch to its default setting. 36864. For priority. 12288.Chapter 15 Configuring MSTP Features Configuring MSTP Note The show spanning-tree mst interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. For most situations. 24576. • Step 3 Step 4 Step 5 end show spanning-tree mst instance-id copy running-config startup-config Return to privileged EXEC mode. the range is 0 to 61440 in increments of 4096. we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority. (Optional) Save your entries in the configuration file. To return the interface to its default setting. you can use the show running-config privileged EXEC command to confirm the configuration. 28672. This procedure is optional. use the no spanning-tree mst instance-id cost interface configuration command. or a series of instances separated by a comma. 8192. The range is 0 to 4094. Configure the switch priority. the more likely the switch will be chosen as the root switch. follow these steps to configure the switch priority. The lower the number. use the no spanning-tree mst instance-id priority global configuration command.

Return to privileged EXEC mode. Note Exercise care when using this command. Configure the forward time for all MST instances. These messages mean that the switch is alive. the range is 4 to 30. Beginning in privileged EXEC mode. The forward delay is the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state.Chapter 15 Configuring MSTP Configuring MSTP Features Configuring the Hello Time You can configure the interval between the generation of configuration messages by the root switch by changing the hello time. For seconds. Configure the hello time for all MST instances. This procedure is optional. Configuring the Forwarding-Delay Time Beginning in privileged EXEC mode. configure terminal spanning-tree mst hello-time seconds Step 3 Step 4 Step 5 end show spanning-tree mst copy running-config startup-config To return the switch to its default setting. The hello time is the interval between the generation of configuration messages by the root switch. we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the hello time. For most situations. the range is 1 to 10. use the no spanning-tree mst hello-time global configuration command. follow these steps to configure the forwarding-delay time for all MST instances. the default is 15. Verify your entries. configure terminal spanning-tree mst forward-time seconds Step 3 Step 4 Step 5 end show spanning-tree mst copy running-config startup-config Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 15-23 . This procedure is optional. (Optional) Save your entries in the configuration file. (Optional) Save your entries in the configuration file. For seconds. follow these steps to configure the hello time for all MST instances. Verify your entries. Return to privileged EXEC mode. Command Step 1 Step 2 Purpose Enter global configuration mode. Command Step 1 Step 2 Purpose Enter global configuration mode. the default is 2.

Chapter 15 Configuring MSTP Features Configuring MSTP To return the switch to its default setting. Verify your entries. Return to privileged EXEC mode. For seconds. (Optional) Save your entries in the configuration file. (Optional) Save your entries in the configuration file. and the information held for a port is aged. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 15-24 OL-9639-10 . the default is 20. This procedure is optional. Configuring the Maximum-Aging Time Beginning in privileged EXEC mode. Specify the number of hops in a region before the BPDU is discarded. follow these steps to configure the maximum-aging time for all MST instances. follow these steps to configure the maximum-hop count for all MST instances. Return to privileged EXEC mode. the default is 20. configure terminal spanning-tree mst max-hops hop-count Step 3 Step 4 Step 5 end show spanning-tree mst copy running-config startup-config To return the switch to its default setting. This procedure is optional. the range is 1 to 255. Command Step 1 Step 2 Purpose Enter global configuration mode. use the no spanning-tree mst max-age global configuration command. use the no spanning-tree mst forward-time global configuration command. configure terminal spanning-tree mst max-age seconds Step 3 Step 4 Step 5 end show spanning-tree mst copy running-config startup-config To return the switch to its default setting. For hop-count. Command Step 1 Step 2 Purpose Enter global configuration mode. Configure the maximum-aging time for all MST instances. the range is 6 to 40. Verify your entries. Configuring the Maximum-Hop Count Beginning in privileged EXEC mode. The maximum-aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration. use the no spanning-tree mst max-hops global configuration command.

If the interface is a port channel. Note configure terminal interface interface-id If a physical interface is a UNI. and NNI or ENI port channels. you can override the default setting of the link type and enable rapid transitions to the forwarding state. This procedure is optional. Return to privileged EXEC mode. follow these steps to override the default link-type setting. To return the port to its default setting. use the no spanning-tree link-type interface configuration command. Step 3 Step 4 Step 5 Step 6 spanning-tree link-type point-to-point end show spanning-tree mst interface interface-id copy running-config startup-config Specify that the link type of a port is point-to-point. If you have a half-duplex link physically connected point-to-point to a single port on a remote switch running MSTP. Verify your entries. the link type is controlled from the duplex mode of the interface: a full-duplex port is considered to have a point-to-point connection. Designating the Neighbor Type A topology could contain both prestandard and IEEE 802. before attempting to configure MST port priority. Valid interfaces include physical NNIs or ENIs with spanning tree enabled. the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology as described in the “Rapid Convergence” section on page 15-10.1s standard compliant devices. If the interface is a VLAN. VLANs. and enter interface configuration mode. Specify an interface to configure. only the CIST runs on the interface. By default. Beginning in privileged EXEC mode. Command Step 1 Step 2 Purpose Enter global configuration mode. By default. but they can still receive both standard and prestandard BPDUs. (Optional) Save your entries in the configuration file. ports can automatically detect prestandard devices. The VLAN ID range is 1 to 4094. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 15-25 . all members of the port channel must be NNIs or ENIs with spanning tree enabled. See “Enabling Spanning Tree on an ENI” section on page 14-13. a half-duplex port is considered to have a shared connection. only ports with spanning tree enabled in the VLAN will run spanning tree. you must enter the port-type nni interface configuration command or configure the port as an ENI and enable spanning tree on the port.Chapter 15 Configuring MSTP Configuring MSTP Features Specifying the Link Type to Ensure Rapid Transitions If you connect an STP port to another STP port through a point-to-point link and the local port becomes a designated port. When there is a mismatch between a device and its neighbor. The port-channel range is 1 to 48.

If this switch receives a legacy 802. To return the port to its default setting.1D switches. it sends only 802. Restarting the Protocol Migration Process A switch running MSTP supports a built-in protocol migration mechanism that enables it to interoperate with legacy 802. However. The port-channel range is 1 to 48. Valid interfaces include physical NNIs or ENIs with spanning tree enabled. Verify your entries. use the no spanning-tree mst prestandard interface configuration command. or an RST BPDU (Version 2). and NNI or ENI port channels. Beginning in privileged EXEC mode. The prestandard flag appears in all the show commands.1D BPDUs on that port. and enter interface configuration mode.Chapter 15 Configuring MSTP Features Configuring MSTP You can choose to set a port to send only prestandard BPDUs. Return to privileged EXEC mode.1D BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. Note configure terminal interface interface-id If a physical interface is a UNI. use the clear spanning-tree detected-protocols interface interface-id privileged EXEC command. use the clear spanning-tree detected-protocols privileged EXEC command. VLANs. an MST BPDU (Version 3) associated with a different region. An MSTP switch also can detect that a port is at the boundary of a region when it receives a legacy BPDU. the switch does not automatically revert to the MSTP mode if it no longer receives 802. only ports with spanning tree enabled in the VLAN will run spanning tree.1D configuration BPDU (a BPDU with the protocol version set to 0). If the interface is a VLAN. A switch also might continue to assign a boundary role to a port when the switch to which it is connected has joined the region. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 15-26 OL-9639-10 . To restart the protocol migration process on a specific interface. (Optional) Save your entries in the configuration file. you must enter the port-type nni interface configuration command or configure the port as an ENI and enable spanning tree on the port. This procedure is optional. before attempting to configure MST port priority. Command Step 1 Step 2 Purpose Enter global configuration mode. Specify an interface to configure. The VLAN ID range is 1 to 4094. all members of the port channel must be NNIs or ENIs with spanning tree enabled. If the interface is a port channel. follow these steps to override the default link-type setting. See “Enabling Spanning Tree on an ENI” section on page 14-13. To restart the protocol migration process (force the renegotiation with neighboring switches) on the switch. Step 3 Step 4 Step 5 Step 6 spanning-tree mst pre-standard end show spanning-tree mst interface interface-id copy running-config startup-config Specify that the port can send only prestandard BPDUs. even if the port is in STP compatibility mode.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 15-27 . show spanning-tree mst interface interface-id Displays MST information for the specified interface. Displays MST information for the specified instance. see the command reference for this release. use one or more of the privileged EXEC commands in Table 15-5: Table 15-5 Commands for Displaying MST Status Command show spanning-tree mst configuration show spanning-tree mst configuration digest show spanning-tree mst instance-id Purpose Displays the MST region configuration.Chapter 15 Configuring MSTP Displaying the MST Configuration and Status Displaying the MST Configuration and Status To display the spanning-tree status. Displays the MD5 digest included in the current MSTCI. For information about other keywords for the show spanning-tree privileged EXEC command.

Chapter 15 Displaying the MST Configuration and Status Configuring MSTP Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 15-28 OL-9639-10 .

For information on configuring the PVST+ and rapid PVST+. “Configuring STP. page 16-3 Understanding Root Guard. on enhanced network interfaces (ENIs). You can configure only the noted features when your switch is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol. You can configure all of these features when your switch is running per-VLAN spanning-tree plus (PVST+). page 16-5 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 16-1 . see Chapter 14. see the command reference for this release. STP is enabled by default on network node interfaces (NNIs). User network interfaces (UNIs) on the switch do not participate in STP. but can be enabled. On the Cisco ME switch. page 16-1 Configuring Optional Spanning-Tree Features. page 16-4 Understanding Loop Guard. page 16-2 Understanding BPDU Guard. page 16-5 Displaying the Spanning-Tree Status.CH A P T E R 16 Configuring Optional Spanning-Tree Features This chapter describes how to configure optional spanning-tree features on the Cisco ME 3400 Ethernet Access switch. “Configuring MSTP.” For information about the Multiple Spanning Tree Protocol (MSTP) and how to map multiple VLANs to the same spanning-tree instance. • • • Understanding Optional Spanning-Tree Features. page 16-3 Understanding BPDU Filtering.” Note For complete syntax and usage information for the commands used in this chapter. UNIs and ENIs on which STP is not enabled immediately forward traffic when they are brought up. page 16-3 Understanding EtherChannel Guard. see Chapter 15. page 16-11 Understanding Optional Spanning-Tree Features • • • • • • Understanding Port Fast. It is disabled by default.

For ENIs. Note Exercise caution when enabling STP on a customer-facing ENI. An STP port with Port Fast enabled goes through the normal cycle of spanning-tree status changes when the switch is restarted. you then need to enter the spanning-tree interface configuration command to configure the port as an STP port. STP ports connected to a single workstation or server should not receive bridge protocol data units (BPDUs). you risk creating a spanning-tree loop. to allow those devices to immediately connect to the network. as shown in Figure 16-1. A customer-facing ENI with STP enabled participates in the same spanning tree as the service-provider facing NNI.Chapter 16 Understanding Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Understanding Port Fast Port Fast immediately brings an STP port configured as an access or trunk port to the forwarding state from a blocking state. However. the ENI could become the spanning tree root port unless you configure root guard on the port. Note Because the purpose of Port Fast is to minimize the time interfaces must wait for spanning tree to converge. rather than waiting for the spanning tree to converge. bypassing the listening and learning states. If a port is a UNI. If you enable Port Fast on an interface connecting to another switch. Figure 16-1 Port Fast-Enabled Interfaces Server Port Fast-enabled ports Workstations Workstations Port Fast-enabled port Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 16-2 101225 OL-9639-10 . UNIs do not support STP. STP is enabled on NNIs and disabled on ENIs. Note By default. if you configure a customer-facing port as an ENI and enable spanning tree. you can configure it as an STP port by changing the port type to NNI or ENI and entering the port-type {nni | eni} interface configuration command. UNIs are typically customer-facing ports and do not participate in the spanning tree of the service provider. See the “Understanding Root Guard” section on page 16-4. You can enable this feature by using the spanning-tree portfast interface configuration or the spanning-tree portfast default global configuration command. it is effective only when used on STP ports connected to end stations. You can use Port Fast on STP ports connected to a single workstation or server.

Understanding BPDU Filtering The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface. A misconfiguration can occur if the switch STP ports are configured in an EtherChannel. Port Fast-enabled STP ports do not receive BPDUs. When the STP port receives a BPDU. If a BPDU is received on a Port Fast-enabled STP port. you enable BPDU guard on any STP port by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature. Spanning tree shuts down STP ports that are in a Port Fast-operational state if any BPDU is received on those ports. The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service. you can enable BPDU filtering on Port Fast-enabled STP ports by using the spanning-tree portfast bpdufilter default global configuration command. At the global level. You can enable the BPDU filtering feature for the entire switch or for an STP port. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree. This command prevents the interface from sending or receiving BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these ports do not receive BPDUs. but the feature operates with some differences. This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. but the feature operates with some differences. you enable BPDU guard on Port Fast-enabled STP ports by using the spanning-tree portfast bpduguard default global configuration command. see the “EtherChannel Configuration Guidelines” section on page 34-10. you can enable BPDU filtering on any STP port by using the spanning-tree bpdufilter enable interface configuration command without also enabling the Port Fast feature. In a valid configuration. For EtherChannel configuration guidelines. At the interface level. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. but the interfaces on the other device are not. Receiving a BPDU on a Port Fast-enabled port signals an invalid configuration. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 16-3 . such as the connection of an unauthorized device. Understanding EtherChannel Guard You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can also occur if the channel parameters are not the same at both ends of the EtherChannel. the interface loses its Port Fast-operational status. Caution Enabling BPDU filtering on an STP port is the same as disabling spanning tree on it and can result in spanning-tree loops. At the global level. and the BPDU guard feature puts the interface in the error-disabled state. You can enable the BPDU guard feature for the entire switch or for an interface. At the interface level.Chapter 16 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding BPDU Guard The BPDU guard feature can be globally enabled on the switch or can be enabled per interface. it is put in the error-disabled state. and BPDU filtering is disabled.

the spanning tree can reconfigure itself and select a customer switch as the root switch. and spanning tree selects a new root switch.Chapter 16 Understanding Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features If the switch detects a misconfiguration on the other device. root guard then places the interface in the root-inconsistent (blocked) state to prevent the customer’s switch from becoming the root switch or being in the path to the root. If spanning-tree calculations cause an interface in the customer network to be selected as the root port. If a switch outside the SP network becomes the root switch. EtherChannel guard places the switch STP ports in the error-disabled state. Root guard enabled on an interface applies to all the VLANs to which the interface belongs. Understanding Root Guard The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned by the SP. You can avoid this situation by enabling root guard on SP switch interfaces that connect to switches in your customer’s network. the interface is blocked (root-inconsistent state). Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 16-4 OL-9639-10 101232 . The customer’s switch does not become the root switch and is not in the path to the root. VLANs can be grouped and mapped to an MST instance. as shown in Figure 16-2. the interface also is blocked in all MST instances. and displays an error message. Caution Misuse of the root-guard feature can cause a loss of connectivity. If the switch is operating in multiple spanning-tree (MST) mode.1D switch or a switch with a different MST region configuration. the designated switch of which is either an 802. You can enable this feature by using the spanning-tree guard root interface configuration command. In such a topology. A boundary port is an interface that connects to a LAN. You can enable this feature by using the spanning-tree etherchannel guard misconfig global configuration command. If a boundary port is blocked in an internal spanning-tree (IST) instance because of root guard. Figure 16-2 Root Guard in a Service-Provider Network Customer network Potential spanning-tree root without root guard enabled Service-provider network Desired root switch Enable the root-guard feature on these interfaces to prevent switches in the customer network from becoming the root switch or being in the path to the root. root guard forces the interface to be a designated port.

BPDU guard EtherChannel guard Root guard Loop guard Default Setting Globally disabled (unless they are individually configured per STP port). page 16-8 (optional) Enabling EtherChannel Guard. BPDUs are not sent on nonboundary ports only if the interface is blocked by loop guard in all MST instances. Loop guard prevents alternate and root ports from becoming designated ports. This feature is most effective when it is enabled on the entire switched network. and spanning tree does not send BPDUs on root or alternate ports. Only NNIs or ENIs with STP enabled participate in STP on the switch.Chapter 16 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Understanding Loop Guard You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. page 16-6 Enabling Port Fast. BPDU filtering. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 16-5 . When the switch is operating in PVST+ or rapid-PVST+ mode. When the switch is operating in MST mode. Disabled on all STP ports. page 16-7 (optional) Enabling BPDU Filtering. Disabled on all STP ports. loop guard blocks the interface in all MST instances. page 16-9 (optional) Enabling Root Guard. You can enable this feature by using the spanning-tree loopguard default global configuration command. page 16-10 (optional) Enabling Loop Guard. loop guard prevents alternate and root ports from becoming designated ports. Globally enabled. Table 16-1 Default Optional Spanning-Tree Configuration Feature Port Fast. page 16-6 (optional) Enabling BPDU Guard. On a boundary port. and spanning tree does not send BPDUs on root or alternate ports. page 16-5 Optional Spanning-Tree Configuration Guidelines. UNIs and ENIs that have not been configured for STP are always in the forwarding state. Configuring Optional Spanning-Tree Features • • • • • • • • Default Optional Spanning-Tree Configuration. page 16-10 (optional) Default Optional Spanning-Tree Configuration Table 16-1 shows the default optional spanning-tree configuration.

rapid PVST+. By specifying the trunk keyword. BPDU guard. you must use the spanning-tree portfast trunk interface configuration command. Specify an STP interface to configure. This procedure is optional. before you enable Port Fast. follow these steps to enable Port Fast. Command Step 1 Step 2 Purpose Enter global configuration mode. which could cause broadcast storms and address-learning problems. you can enable Port Fast on a trunk port. Note To enable Port Fast on trunk ports. and enter interface configuration mode. EtherChannel guard. Enabling Port Fast An STP port with the Port Fast feature enabled is moved directly to the spanning-tree forwarding state without waiting for the standard forward-time delay. Optional spanning-tree configuration commands are not supported on UNIs or on ENIs on which STP has not been enabled. root guard. Step 3 spanning-tree portfast [trunk] Enable Port Fast on an access port connected to a single workstation or server. you must change the port type to NNI or ENI to enable STP: • • configure terminal interface interface-id Enter the port-type nni interface configuration command to change the port to an NNI with STP enabled by default. If the interface is a UNI. Or enter the port-type eni and spanning-tree interface configuration commands to configure the port as an ENI STP port. Caution Use Port Fast only when connecting a single end station to an access or trunk port. You can enable this feature if your switch is running PVST+. or loop guard if your switch is running PVST+. The spanning-tree portfast command does not work on trunk ports. or MSTP. or MSTP. By default. Step 4 end Return to privileged EXEC mode. Enabling this feature on an interface connected to a switch or hub could prevent spanning tree from detecting and disabling loops in your network. Port Fast is disabled on all STP ports. BPDU filtering. rapid PVST+.Chapter 16 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Optional Spanning-Tree Configuration Guidelines You can configure PortFast. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 16-6 OL-9639-10 . Beginning in privileged EXEC mode. Caution Make sure that there are no loops in the network between the trunk port and the workstation or server before you enable Port Fast on a trunk port.

You also can use the spanning-tree bpduguard enable interface configuration command to enable BPDU guard on any STP port without also enabling the Port Fast feature. To disable the Port Fast feature. Caution Configure Port Fast only on STP ports that connect to end stations.Chapter 16 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Command Step 5 Step 6 Purpose Verify your entries. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree. They remain up unless they receive a BPDU. follow these steps to globally enable the BPDU guard feature. Beginning in privileged EXEC mode. it is put in the error-disabled state. Port Fast-enabled interfaces do not receive BPDUs. This procedure is optional. You can enable the BPDU guard feature if your switch is running PVST+. rapid PVST+. Command Step 1 Step 2 Purpose Enter global configuration mode. use the spanning-tree portfast disable interface configuration command. When the interface receives a BPDU. or MSTP. the command has no effect on ports that are not running STP. Enabling BPDU Guard When you globally enable BPDU guard on ports that are Port Fast-enabled (the ports are in a Port Fast-operational state). (Optional) Save your entries in the configuration file. otherwise. The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service. Globally enable BPDU guard.) Note configure terminal spanning-tree portfast bpduguard default Globally enabling BPDU guard enables it only on STP ports. an accidental topology loop could cause a data packet loop and disrupt switch and network operation. show spanning-tree interface interface-id portfast copy running-config startup-config Note You can use the spanning-tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking STP ports. such as the connection of an unauthorized device. BPDU guard is disabled. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 16-7 . In a valid configuration. Receiving a BPDU on a Port Fast-enabled interface signals an invalid configuration. spanning tree continues to run on the ports. (By default. and the BPDU guard feature puts the interface in the error-disabled state.

Caution Enabling BPDU filtering on an STP port is the same as disabling spanning tree on it and can result in spanning-tree loops. Step 4 Step 5 Step 6 Step 7 spanning-tree portfast end show running-config copy running-config startup-config Enable the Port Fast feature. Or enter the port-type eni and spanning-tree interface configuration commands to configure the port as an ENI STP port. and enter interface configuration mode. If the interface is a UNI. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. Caution Configure Port Fast only on STP ports that connect to end stations. and BPDU filtering is disabled. before you enable Port Fast. or MSTP. an accidental topology loop could cause a data packet loop and disrupt switch and network operation. Enabling BPDU Filtering When you globally enable BPDU filtering on Port Fast-enabled STP ports.Chapter 16 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Command Step 3 Purpose Specify the interface connected to an end station. you must change the port type to NNI or ENI to enable STP: • • interface interface-id Enter the port-type nni interface configuration command to change the port to an NNI with STP enabled by default. (Optional) Save your entries in the configuration file. If a BPDU is received on a Port Fast-enabled STP port. the interface loses its Port Fast-operational status. This command prevents the STP port from sending or receiving BPDUs. otherwise. Return to privileged EXEC mode. rapid PVST+. use the no spanning-tree portfast bpduguard default global configuration command. You can enable the BPDU filtering feature if your switch is running PVST+. To disable BPDU guard. You can override the setting of the no spanning-tree portfast bpduguard default global configuration command by using the spanning-tree bpduguard enable interface configuration command on an STP port. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. You can also use the spanning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any STP port without also enabling the Port Fast feature. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 16-8 OL-9639-10 . Verify your entries. it prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs.

Command Step 1 Step 2 Purpose Enter global configuration mode. follow these steps to globally enable the BPDU filtering feature. configure terminal spanning-tree etherchannel guard misconfig end show spanning-tree summary copy running-config startup-config Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 16-9 . follow these steps to enable EtherChannel guard. Or enter the port-type eni and spanning-tree interface configuration commands to configure the port as an ENI STP port. (Optional) Save your entries in the configuration file. use the no spanning-tree portfast bpdufilter default global configuration command. You can override the setting of the no spanning-tree portfast bpdufilter default global configuration command by using the spanning-tree bpdufilter enable interface configuration command on an STP port. Enabling EtherChannel Guard You can enable EtherChannel guard to detect an EtherChannel misconfiguration if your switch is running PVST+. you must change the port type to NNI or ENI to enable STP: • • Enter the port-type nni interface configuration command to change the port to an NNI with STP enabled by default. or MSTP.Chapter 16 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Beginning in privileged EXEC mode. and enter interface configuration mode. Step 4 Step 5 Step 6 Step 7 spanning-tree portfast end show running-config copy running-config startup-config Enable the Port Fast feature. (By default. Command Step 1 Step 2 Step 3 Step 4 Step 5 Purpose Enter global configuration mode. before you enable Port Fast. Step 3 interface interface-id Specify the interface connected to an end station. Enable EtherChannel guard. If the interface is a UNI. BPDU filtering is disabled. To disable BPDU filtering. Globally enable BPDU filtering. (Optional) Save your entries in the configuration file. Return to privileged EXEC mode. This procedure is optional. Beginning in privileged EXEC mode. This procedure is optional. Verify your entries. Verify your entries.) Note configure terminal spanning-tree portfast bpdufilter default Globally enabling BPDU filtering enables it only on STP ports. rapid PVST+. Return to privileged EXEC mode. the command has no effect on UNIs or ENIs on which STP is not enabled.

Or enter the port-type eni and spanning-tree interface configuration commands to configure the port as an ENI STP port. On the remote device. By default. Verify your entries. follow these steps to enable root guard on an interface. you can enter the show etherchannel summary privileged EXEC command to verify the EtherChannel configuration. rapid PVST+. Return to privileged EXEC mode. If the interface is a UNI. you must change the port type to NNI or ENI to enable STP: • • configure terminal interface interface-id Enter the port-type nni interface configuration command to change the port to an NNI with STP enabled by default. You can enable this feature if your switch is running PVST+. or MSTP. use the no spanning-tree etherchannel guard misconfig global configuration command. Step 4 Step 5 Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Command Step 1 Step 2 Purpose Enter global configuration mode. root guard is disabled on all interfaces. This feature is most effective when it is configured on the entire switched network. You can use the show interfaces status err-disabled privileged EXEC command to show which switch STP ports are disabled because of an EtherChannel misconfiguration. Enabling Root Guard Root guard enabled on an STP port applies to all the VLANs to which the port belongs. Enabling Loop Guard You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. before you enable root guard. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 16-10 OL-9639-10 . enter the shutdown and no shutdown interface configuration commands on the port-channel interfaces that were misconfigured. Loop guard operates only on STP ports that are considered point-to-point by the spanning tree.Chapter 16 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features To disable the EtherChannel guard feature. Step 3 spanning-tree guard root end show running-config Enable root guard on the STP port. Beginning in privileged EXEC mode. and enter interface configuration mode. use the no spanning-tree guard interface configuration command. This procedure is optional. To disable root guard. Note You cannot enable both root guard and loop guard at the same time. Specify an interface to configure. After the configuration is corrected.

see the command reference for this release. or MSTP. use one or more of the privileged EXEC commands in Table 16-2: Table 16-2 Commands for Displaying the Spanning-Tree Status Command show spanning-tree active show spanning-tree detail show spanning-tree interface interface-id show spanning-tree mst interface interface-id show spanning-tree summary [totals] Purpose Displays spanning-tree information on active interfaces only. loop guard is disabled. You can override the setting of the no spanning-tree loopguard default global configuration command by using the spanning-tree guard loop interface configuration command on an NNI. Displays a detailed summary of interface information. use the no spanning-tree loopguard default global configuration command. follow these steps to enable loop guard. Displays a summary of interface states or displays the total lines of the spanning-tree state section. Verify your entries. By default. You can enable this feature if your switch is running PVST+. show spanning-tree active or show spanning-tree mst Step 2 Step 3 Step 4 Step 5 Step 6 configure terminal spanning-tree loopguard default end show running-config copy running-config startup-config Enter global configuration mode. Displays MST information for the specified interface. Enable loop guard. To globally disable loop guard. For information about other keywords for the show spanning-tree privileged EXEC command. Return to privileged EXEC mode. rapid PVST+. Beginning in privileged EXEC mode. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 16-11 . Displaying the Spanning-Tree Status To display the spanning-tree status. This procedure is optional. Displays spanning-tree information for the specified interface. Command Step 1 Purpose Verify which interfaces are alternate or root ports. (Optional) Save your entries in the configuration file.Chapter 16 Configuring Optional Spanning-Tree Features Displaying the Spanning-Tree Status Note You cannot enable both loop guard and root guard at the same time. You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command.

Chapter 16 Displaying the Spanning-Tree Status Configuring Optional Spanning-Tree Features Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 16-12 OL-9639-10 .

page 17-1 Configuring REP. a single port is blocked. Each segment consists of standard (nonedge) segment ports and two user-configured edge ports. REP provides a basis for constructing more complex networks and supports VLAN load balancing. as shown in the diagram on the right. and to improve convergence time. A switch can have only two ports belonging to the same segment. Ports E1 and E2 are configured as edge ports.CH A P T E R 17 Configuring Resilient Ethernet Protocol This chapter describes how to use Resilient Ethernet Protocol (REP) on the Cisco ME 3400 Ethernet Access switch. but on any link. A segment can go through a shared medium. to respond to link failures. When there is a network failure. and responds to link failures within the segment. and each segment port can have only one external neighbor. REP is supported only on Layer 2 trunk interfaces. Figure 17-1 shows an example of a segment consisting of six ports spread across four switches. shown by the diagonal line. page 17-6 Monitoring REP. ensures that the segment does not create any bridging loops. REP controls a group of ports connected in a segment. the blocked port returns to the forwarding state to minimize network disruption. only two ports can belong to the same segment. The switch supports REP only when it is running the metro IP access or metro access image. When all ports are operational (as in the segment on the left). This chapter includes these sections: • • • Understanding REP. page 17-14 Understanding REP A REP segment is a chain of ports connected to each other and configured with a segment ID. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 17-1 . REP is a Cisco proprietary protocol that provides an alternative to Spanning Tree Protocol (STP) to control network loops.

with both edge ports located on the same switch. there is connectivity between the edge ports through the segment. If VLAN load balancing is configured. The REP segment cannot cause a bridging loop. REP unblocks all ports to ensure that connectivity is available through the other gateway. If a host cannot access its usual gateway because of a failure. In this configuration. If one or more ports in a segment is not operational. All hosts connected to switches inside the segment have two possible connections to the rest of the network through the edge ports. two ports in the segment control the blocked state of VLANs. When the failed link comes back up. there is no connectivity between the two edge ports. The segment shown in Figure 17-2. and you can safely connect the segment edges to any network. you can create a redundant connection between any two switches in the segment. a logically blocked port per VLAN is selected with minimal disruption to the network. is a ring segment. causing a link failure. all ports forward traffic on all VLANs to ensure connectivity. Figure 17-2 REP Ring Segment E1 E2 REP segments have these characteristics: • • • • If all ports in the segment are operational. In case of a link failure. With this configuration. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 17-2 201889 201888 OL-9639-10 . the alternate ports are unblocked as quickly as possible.Chapter 17 Understanding REP Configuring Resilient Ethernet Protocol Figure 17-1 REP Open Segments E1 Edge port Blocked port Link failure E1 E2 E1 E2 The segment shown in Figure 17-1 is an open segment. one port (referred to as the alternate port) is in the blocked state for each VLAN. but only one connection is accessible at any time.

including configuring them to send STP or REP topology change notices to the aggregation switch. Figure 17-3 Edge No-Neighbor Ports E1 REP not supported E1 and E2 are configured as edge no-neighbor ports E2 REP ports REP has these limitations: • • • You must configure each segment port. You should configure REP only in networks with redundancy. controlled by the primary edge port but occurring at any port in the segment. and you can configure them the same as any edge port. Configuring REP in a network without redundancy causes loss of connectivity. REP determines which neighbor port should become the alternate port and which ports should forward traffic. you can configure the non-REP facing ports (E1 and E2) as edge no-neighbor ports. associated to a MAC address (unique in the network). Link Integrity REP does not use an end-to-end polling mechanism between edge ports to verify link integrity. multiple port failures within the REP segment cause loss of network connectivity. In this case the STP topology change notice (TCN) that is sent is a multiple spanning-tree (MST) STP message. its LSL starts sending packets that include the segment ID and the port ID. These ports inherit all properties of edge ports.Chapter 17 Configuring Resilient Ethernet Protocol Understanding REP You can construct almost any type of network based on REP segments. REP also supports VLAN load-balancing. The REP Link Status Layer (LSL) detects its REP-aware neighbor and establishes connectivity within the segment. The port is declared operational after it performs a three-way handshake with a neighbor in the same segment. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 273792 17-3 . an incorrect configuration can cause forwarding loops in the networks. as shown in Figure 17-3. REP can manage only a single failed port within the segment. All VLANs are blocked on an interface until it detects the neighbor. It implements local link failure detection. In this case. Each port in a segment has a unique port ID. When a segment port is coming up. In access ring topologies. the neighboring switch might not support REP. After the neighbor is identified. The port ID format is similar to that used by the spanning tree algorithm: a port number (unique on the bridge).

Chapter 17 Understanding REP Configuring Resilient Ethernet Protocol A segment port does not become operational if: • • • No neighbor has the same segment ID. The primary edge port has an offset number of 1. By default. The neighbor does not acknowledge the local port as a peer. which identifies the downstream neighbor port of an edge port. More than one neighbor has the same segment ID. The estimated convergence recovery time on fiber interfaces is less than 200 ms for the local segment with 200 VLANs configured. you can specify the alternate port in one of three ways: • • Enter the port ID of the interface. The packets are dropped by devices not running REP. REP packets are sent to a BPDU class MAC address. REP also allows some packets to be flooded to a regular multicast address. a value of 0 is invalid. Each port creates an adjacency with its immediate neighbor. Note You configure offset numbers on the primary edge port by identifying the downstream position from the primary (or secondary) edge port. When you configure VLAN load balancing. the other as the secondary edge port. only one hello message is required for all VLANs. VLAN Load Balancing One edge port in the REP segment acts as the primary edge port. the alternate port. These messages operate at the hardware flood layer (HFL) and are flooded to the whole network. The neighbor offset number range is –256 to +256. Convergence for VLAN load balancing is 300 ms or less. The packets can also be sent to the Cisco multicast address. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 17-4 OL-9639-10 . You would never enter an offset value of 1 because that is the offset number of the primary edge port itself. We recommend that you create VLANs consistently on all switches in a given segment and configure the same allowed VLANs on the REP trunk ports. After the neighbor adjacencies are created. Fast Convergence Because REP runs on a physical link basis and not a per-VLAN basis. which is used only to send blocked port advertisement (BPA) messages when there is a failure in the segment. To identify the port ID of a port in the segment. enter the show interface rep detail interface configuration command for the port. REP VLAN balancing is achieved by blocking some VLANs at a configured alternate port and all other VLANs at the primary edge port. The primary edge port always participates in VLAN load balancing in the segment. the ports negotiate to determine one blocked port for the segment. reducing the load on the protocol. Negative numbers identify the secondary edge port (offset number -1) and its downstream neighbors. To avoid the delay introduced by relaying messages in software. positive numbers above 1 identify downstream neighbors of the primary edge port. Enter the neighbor offset number of a port in the segment. All other ports become unblocked. not just the REP segment. You can control flooding of these messages by configuring a dedicated administrative VLAN for the whole domain. Switches that do not belong to the segment treat them as data traffic.

the primary edge port sends a message to alert all interfaces in the segment about the preemption. Configure a preempt delay time by entering the rep preempt delay seconds interface configuration command. The red numbers inside the ring are numbers offset from the primary edge port. If E2 became the primary edge port. it is reflected into the network to notify the alternate port to block the set of VLANs specified in the message and to notify the primary edge port to block the remaining VLANs. After a link failure and recovery. Configuring a new edge port might cause a new topology configuration. the existing VLAN load balancing status does not change. Neighbor Offset Numbers in a Segment Figure 17-4 -1 E1 1 E2 10 E1 = Primary edge port E2 = Secondary edge port 9 -2 Offset numbers from the primary edge port Offset numbers from the secondary edge port (negative numbers) -9 2 -8 3 4 -7 -6 5 6 -5 7 8 -3 -4 When the REP segment is complete. its offset number would then be 1. and E1 would be -1. When the secondary port receives the message. it does not start working until triggered by either manual intervention or a link failure and recovery. • By entering the preferred keyword to select the port that you previously configured as the preferred alternate port with the rep segment segment-id preferred interface configuration command. You can also configure a particular port in the segment to block all VLANs. the black numbers outside the ring show the offset numbers from the secondary edge port. When VLAN load balancing is triggered. which is not possible if the segment is not terminated by an edge port on each end. all VLANs are blocked. Only the primary edge port initiates VLAN load balancing. Note When VLAN load balancing is configured. Reconfigure the primary edge port to reconfigure load balancing.Chapter 17 Configuring Resilient Ethernet Protocol Understanding REP Figure 17-4 shows neighbor offset numbers for a segment where E1 is the primary edge port and E2 is the secondary edge port. the primary edge port again waits for the rep preempt segment command or for the configured preempt delay period after a port failure and recovery before executing the new configuration. The primary edge port determines the local VLAN load balancing configuration. Note that you can identify all ports (except the primary edge port) by either a positive offset number (downstream position from the primary edge port) or a negative offset number (downstream position from the secondary edge port). When you change the load balancing configuration. When you configure VLAN load balancing. If you change an edge port to a regular segment port. you must also configure triggers in one of two ways: • • Manually trigger VLAN load balancing at any time by entering the rep preempt segment segment-id privileged EXEC command on the switch that has the primary edge port. Note that the delay timer restarts if another port fails before the time has elapsed. VLAN load balancing begins after the configured preemption time period elapses. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 201890 17-5 .

• • A port configured as a regular segment port starts as a failed port. page 17-7 REP Configuration Guidelines. When the alternate port receives the failure notification. When a failure occurs in a link. Configuring REP A segment is a collection of ports connected one to the other in a chain and configured with a segment ID. VLAN load balancing is not implemented unless it has been configured. for example ports on different switches. or Alternate. you configure the REP administrative VLAN (or use the default VLAN 1) and then add the ports to the segment using interface configuration mode.Chapter 17 Configuring REP Configuring Resilient Ethernet Protocol Spanning Tree Interaction REP does not interact with STP or with the Flex Link feature. If PortFast is configured or if STP is disabled. or an edge port converted to a regular segment port. • • • • • • Default REP Configuration. begin by configuring a single port in the ring as part of the segment. You should configure two edge ports in the segment. If you convert an edge port into a regular segment port. and all other ports become open ports. one blocked port remains in the alternate role. A segment port that is reconfigured as a spanning tree port restarts according the spanning tree configuration. does not always result in a topology change. To configure REP segments. the REP selects one to serve as the segment primary edge port. Each segment always contains a blocked port. page 17-8 Configuring REP Interfaces. • A regular segment port converted to an edge port. and continue by configuring contiguous ports to minimize the number of segments. one as the primary edge port and the other. After the neighbor adjacencies are determined. but can coexist with both. By default. For VLAN load balancing. blocking all VLANs on the interface. Blocked port negotiations occur and when the segment settles. page 17-13 Configuring SNMP Traps for REP. A port that belongs to a segment is removed from spanning tree control and STP BPDUs are not accepted or sent from segment ports. by default. Open. page 17-9 Setting Manual Preemption for VLAN Load Balancing. this is a designated blocking port. REP Ports Ports in REP segments are Failed. You can also optionally configure where to send segment topology change notices (STCNs) and VLAN load balancing messages. A segment has only one primary edge port. you then configure the edge ports. the port changes to alternate port state. forwarding all VLANs. When the segment has been configured in both directions to the edge ports. If you configure two ports in a segment as the primary edge port. page 17-7 Configuring the REP Administrative VLAN. page 17-13 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 17-6 OL-9639-10 . so multiple segments means multiple blocked ports and a potential loss of connectivity. the port goes into the forwarding state. you must configure two edge ports in the segment. it changes to the open state. To migrate from an STP ring configuration to REP segment configuration. the secondary edge port. all ports move to the open state.

the Port Role for the other failed port shows as Fail No Ext Neighbor. the edge port is treated as a regular segment port. You must configure all trunk ports in the segment with the same set of allowed VLANs. When VLAN load balancing is enabled. An edge port and regular segment port on a switch cannot belong to the same segment. the default is manual preemption with the delay timer disabled. the ports go through the alternate port state transitions and eventually go to an open state or remain as the alternate port. REP ports follow these rules: – There is no limit to the number of REP ports on a switch. be sure that the connection is at the segment edge. REP ports must be Layer 2 trunk ports. When enabled. the Port Role for this port shows as Fail Logical Open.Chapter 17 Configuring Resilient Ethernet Protocol Configuring REP Default REP Configuration REP is disabled on all interfaces. – If only one port on a switch is configured in a segment. REP Configuration Guidelines Follow these guidelines when configuring REP: • • We recommend that you begin by configuring one port and then configure the contiguous ports to minimize the number of segments and the number of blocked ports. the default after manual preemption is to block all VLANs at the primary edge port. – If two ports on a switch belong to the same segment and one is configured as an edge port and one as a regular segment port (a misconfiguration). Because REP blocks all VLANs until another REP interface sends a message to unblock the VLAN. all VLANs are blocked. the port should be an edge port. only two ports on a switch • • • • • • can belong to the same REP segment. you might lose connectivity to the switch if you enable REP in a Telnet session that accesses the switch through the REP interface. When REP is enabled. the interface is a regular segment port unless it is configured as an edge port. and the administrative VLAN is VLAN 1. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 17-7 . When the external neighbors for the failed ports are configured. or a misconfiguration occurs. Be careful when configuring REP through a Telnet connection. the sending of segment topology change notices (STCNs) is disabled. In the show rep interface privileged EXEC command output. All STP BPDUs are dropped at REP interfaces. – If two ports on a switch belong to the same segment. If you connect an STP network to the REP segment. however. An STP connection that is not at the edge could cause a bridging loop because STP does not run on REP segments. or one regular port and one edge no-neighbor port. both regular segment ports. You cannot run REP and STP or REP and Flex Links on the same segment or interface. You need to be aware of this to avoid sudden connection losses. • REP interfaces come up and remain in a blocked state until notified that it is safe to unblock. If more than two ports in a segment fail when no external neighbors are configured. based on the alternate port election mechanism. they must be both edge ports. If VLAN load balancing is not configured. one port goes into a forwarding state for the data path to help maintain connectivity during configuration.

The BPA message sent to the Cisco multicast address is sent on the administration VLAN. the default is VLAN 1. The range is 2 to 4094. You can use the rep lsl-age-timer value interface configuration command to set the time from 120 ms to 10000 ms. you must use the shorter time range because the device will not accept values out of the previous range. The default is VLAN 1. the LSL age-timer range changed from 3000 to 10000 ms in 500-ms increments to 120 ms to 10000 ms in 40-ms increments. Configuring the REP Administrative VLAN To avoid the delay introduced by relaying messages in software for link-failure or VLAN-blocking notification during load balancing. follow these steps to configure the REP administrative VLAN: Command Step 1 Step 2 Purpose Enter global configuration mode. – In Cisco IOS Release 12. configure terminal rep admin vlan vlan-id Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 17-8 OL-9639-10 . not just the REP segment. If the REP neighbor device is not running Cisco IOS Release 12. Specify the administrative VLAN. To set the admin VLAN to 1. REP floods packets at the hardware flood layer (HFL) to a regular multicast address. you receive an error message and the command is rejected. which is VLAN 1 by default.Chapter 17 Configuring REP Configuring Resilient Ethernet Protocol • • REP sends all LSL PDUs in untagged frames on the native VLAN. REP is supported on EtherChannels. User-network interfaces (UNIs) or enhanced network interfaces (ENIs) cannot be REP ports. The administrative VLAN cannot be the RSPAN VLAN.2(52)SE.2(52)SE or later. Beginning in privileged EXEC mode. Follow these guidelines when configuring the REP administrative VLAN: • • • If you do not configure an administrative VLAN. three LSL hellos are sent before the age timer on the peer switch expires and searches for hello messages. There is a maximum of 64 REP segments per switch. this is not enforced by software. However. You can control flooding of these messages by configuring an administrative VLAN for the whole domain. If you try to configure a value less than 1000 ms on a port channel. • REP ports cannot be configured as one of these port types: – SPAN destination port – Private VLAN port – Tunnel port – Access port • • • REP ports must be network node interfaces (NNI). enter the no rep admin vlan global configuration command. but not on an individual port that belongs to an EtherChannel. – EtherChannel port channel interfaces do not support LSL age-timer values less than 1000 ms. You can configure how long a REP interface remains up without receiving a hello from a neighbor. There can be only one administrative VLAN on a switch and on a segment. These messages are flooded to the whole network. In normal operation. The LSL hello timer is then set to the age-timer value divided by three.

You must also configure a primary and secondary edge port on each segment. Configure the interface as a Layer 2 trunk port. (Optional) Save your entries in the switch startup configuration file. tx: 0 EPA-ELECTION TLV rx: 118. Beginning in privileged EXEC mode. Specify the interface.Chapter 17 Configuring Resilient Ethernet Protocol Configuring REP Command Step 3 Step 4 Step 5 Purpose Return to privileged EXEC mode. This step is required and must be done before other REP configuration. LSL) TLV rx: 0. follow these steps to enable and configure REP on an interface: Command Step 1 Step 2 Purpose Enter global configuration mode. Configure the port as a network node interface (NNI). All other steps are optional. tx: 4190 Configuring REP Interfaces For REP operation. tx: 0 BPA (STCN. tx: 5 BPA TLV rx: 16849. tx: 508 BPA (STCN. and enter interface configuration mode. tx: 0 EPA-INFO TLV rx: 4214. HFL) TLV rx: 0. you need to enable it on each segment interface and to identify the segment ID. configure terminal interface interface-id Step 3 Step 4 port-type nni switchport mode trunk Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 17-9 . Verify the configuration on one of the REP interfaces. tx: 118 EPA-COMMAND TLV rx: 0. end show interface [interface-id] rep detail copy running-config startup config This example shows how to configure the administrative VLAN as VLAN 100 and to verify the configuration by entering the show interface rep detail command on one of the REP interfaces: Switch# configure terminal Switch (conf)# rep admin vlan 100 Switch (conf-if)# end Switch# show interface gigabitethernet0/1 rep detail GigabitEthernet0/1 REP enabled Segment-id: 2 (Edge) PortID: 00010019E7144680 Preferred flag: No Operational Link Status: TWO_WAY Current Key: 0002001121A2D5800E4D Port Role: Open Blocked Vlan: <empty> Admin-vlan: 100 Preempt Delay Timer: disabled LSL Ageout Timer: 5000 ms Configured Load-balancing Block Port: none Configured Load-balancing Block VLAN: none STCN Propagate to: none LSL PDU rx: 3322. tx: 1722 HFL PDU rx: 32. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 48.

REP selects only one of these ports as the segment primary edge port. (Optional) On an edge port.Chapter 17 Configuring REP Configuring Resilient Ethernet Protocol Command Step 5 Purpose rep segment segment-id [edge [no-neighbor] Enable REP on the interface. The [primary]] [preferred] segment ID range is from 1 to 1024. it merely gives it a slight edge among equal contenders. The alternate port is usually a previously failed port. and you can configure them the same as any edge port. You can identify the primary edge port for a segment by entering the show rep topology privileged EXEC command. Note You must configure two edge ports. the port on which you can configure VLAN load balancing. Although each segment can have only one primary edge port. and identify a segment number. These optional keywords are available. • • • Note • Note Step 6 rep stcn {interface interface-id | segment id-list | stp} (Optional) Configure the edge port to send segment topology change notices (STCNs). if you configure edge ports on two different switches and enter the primary keyword on both switches. Enter segment id-list to identify one or more segments to receive STCNs. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 17-10 OL-9639-10 . The range is 1 to 1024. (Optional) Enter preferred to set the port as the preferred alternate port or the preferred port for VLAN load balancing. However. • • • Enter interface interface-id to designate a physical interface or port channel to receive STCNs. Enter edge without the primary keyword to configure the port as the secondary edge port. Enter stp to send STCNs to STP networks. The port inherits all properties of edge ports. Enter edge to configure the port as an edge port. including one primary edge port for each segment. the configuration is allowed. enter primary to configure the port as the primary edge port. Each segment has only two edge ports. Configuring a port as preferred does not guarantee that it becomes the alternate port. (Optional) Enter no-neighbor to configure a port with no external REP neighbors as an edge port.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 17-11 . A value of 0 is invalid. Enter vlan vlan-list to block one VLAN or a range of VLANs. You can view interface port IDs by entering the show interface interface-id rep [detail] privileged EXEC command. Note If the neighbor device is not running Cisco IOS Release 12. Enter vlan all to block all VLANs.2(52)SE or later. Enter this command only on the REP primary edge port. Enter -1 to identify the secondary edge port as the alternate port. EtherChannel port channel interfaces do not support LSL age-timer values less than 1000 ms. The time delay range is 15 to 300 seconds. • Enter the id port-id to identify the alternate port by port ID. The range is from –256 to 256. Because you enter this command at the primary edge port (offset number 1). The default is manual preemption with no time delay. Enter a neighbor_offset number to identify the alternate port as a downstream neighbor from an edge port. Enter the show rep topology privileged EXEC command to see which port in the segment is the primary edge port. Step 10 end Step 11 show interface [interface-id] rep [detail] Step 12 copy running-config startup config Return to privileged EXEC mode. it will only accept values from 3000 to 10000 ms in 500 ms increments. Step 9 rep lsl-age-timer value (Optional) Configure a time (in milliseconds) for which the REP interface remains up without receiving a hello from a neighbor. See Figure 17-4 on page 17-5 for an example of neighbor offset numbering. you would never enter an offset value of 1 to identify an alternate port. Verify the REP interface configuration. Enter the no form of each command to return to the default configuration. (Optional) Save your entries in the switch startup configuration file. The range is from 120 to 10000 ms in 40-ms increments. Note Enter this command only on the REP primary edge port. • Note • • • Note Step 8 rep preempt delay seconds (Optional) You must enter this command and configure a preempt time delay if you want VLAN load balancing to automatically trigger after a link failure and recovery. identify the REP alternate port. the default is 5000 ms (5 seconds). Enter preferred to select the regular segment port previously identified as the preferred alternate port for VLAN load balancing.Chapter 17 Configuring Resilient Ethernet Protocol Configuring REP Command Step 7 Purpose rep block port {id port-id | neighbor_offset | (Optional) Configure VLAN load balancing on the primary edge preferred} vlan {vlan-list | all} port. with negative numbers identifying the downstream neighbor from the secondary edge port. The port ID is automatically generated for each port in the segment. and configure the VLANs to be blocked on the alternate port.

to send STCNs to segments 2 through 5. VLANs 100 to 200 are blocked at this port.Chapter 17 Configuring REP Configuring Resilient Ethernet Protocol This example shows how to configure an interface as the primary edge port for segment 1. The interface is configured to remain up for 6000 milliseconds without receiving a hello from a neighbor. Switch# configure terminal Switch (conf)# interface gigabitethernet0/1 Switch (conf-if)# rep segment 1 edge primary Switch (conf-if)# rep block port 4 vlan 100-200 Switch (conf-if)# end Figure 17-5 Example of VLAN Blocking Primary edge port E1 blocks all VLANs except VLANs 100-200 E1 E2 4 Alternate port (offset 4) blocks VLANs 100-200 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 17-12 201891 OL-9639-10 . and to configure the alternate port as the port with port ID 0009001818D68700 to block all VLANs after a preemption delay of 60 seconds after a segment port failure and recovery. After manual preemption. and all other VLANs are blocked at the primary edge port E1 (Gigabit Ethernet port 0/1). The alternate port is the neighbor with neighbor offset number 4. Switch# configure terminal Switch (conf)# interface gigabitethernet0/1 Switch (conf-if)# rep segment 1 edge primary Switch (conf-if)# rep stcn segment 2-5 Switch (conf-if)# rep block port 0009001818D68700 vlan all Switch (conf-if)# rep preempt delay 60 Switch (conf-if)# rep lsl-age-timer 6000 Switch (conf-if)# end This example shows how to configure the same configuration when the interface has no external REP neighbor: Switch# configure terminal Switch (conf)# interface gigabitethernet0/1 Switch (conf-if)# rep segment 1 edge no-neighbor primary Switch (conf-if)# rep stcn segment 2-5 Switch (conf-if)# rep block port 0009001818D68700 vlan all Switch (conf-if)# rep preempt delay 60 Switch (conf-if)# rep lsl-age-timer 6000 This example shows how to configure the VLAN blocking configuration shown in Figure 17-5.

follow these steps on the switch that has the segment primary edge port to manually trigger VLAN load balancing on a segment: Command Step 1 Purpose Manually trigger VLAN load balancing on the segment. Beginning in privileged EXEC mode. a confirmation message appears before the command is executed because preemption can cause network disruption. a trap is sent at every occurrence). View REP topology information. The default is 0 (no limit imposed. Verify the REP trap configuration. You need to confirm the command before it is executed. Enable the switch to send REP traps. the default is to manually trigger VLAN load balancing on the segment. rep preempt segment segment-id show rep topology Step 2 Configuring SNMP Traps for REP You can configure the switch to send REP-specific traps to notify the SNMP server of link operational status changes and port role changes. follow these steps to configure REP traps: Command Step 1 Step 2 Purpose Enter global configuration mode. (Optional) Save your entries in the switch startup configuration file. The range is from 0 to 1000. enter the no snmp mib rep trap-rate global configuration command. Beginning in privileged EXEC mode. Be sure to complete all other segment configuration before manually preempting VLAN load balancing. This example configures the switch to send REP traps at a rate of 10 per second: Switch(config)# snmp mib rep trap-rate 10 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 17-13 .Chapter 17 Configuring Resilient Ethernet Protocol Configuring REP Setting Manual Preemption for VLAN Load Balancing If you do not enter the rep preempt delay seconds interface configuration command on the primary edge port to configure a preemption time delay. and set the number of traps sent per second. When you enter the rep preempt segment segment-id command. configure terminal snmp mib rep trap-rate value Step 3 Step 4 Step 5 end show running-config copy running-config startup config To remove the trap. Return to privileged EXEC mode.

Chapter 17 Monitoring REP Configuring Resilient Ethernet Protocol Monitoring REP Use the privileged EXEC commands in Table 17-1to monitor REP. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 17-14 OL-9639-10 . Table 17-1 REP Monitoring Commands Command show interface [interface-id] rep [detail] show rep topology [segment segment_id] [archive] [detail] Purpose Displays REP configuration and status for a specified interface or for all interfaces. including the primary and secondary edge ports in the segment. Displays REP topology information for a segment or for all segments.

page 18-1 Configuring Flex Links and MAC Address-Table Move Update. It also describes how to configure the MAC address-table move update feature. allowing users to turn off STP and still provide basic link redundancy. page 18-3 MAC Address-Table Move Update. page 18-2 Flex Link Multicast Fast Convergence. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 18-1 . Flex Links are typically configured in service provider or enterprise networks where customers do not want to run STP on the switch. The chapter consists of these sections: • • • Understanding Flex Links and the MAC Address-Table Move Update.CH A P T E R 18 Configuring Flex Links and the MAC Address-Table Move Update Feature This chapter describes how to configure Flex Links. where one interface is configured to act as a backup to the other. page 18-14 Understanding Flex Links and the MAC Address-Table Move Update • • • • Flex Links. a pair of interfaces on the Cisco ME 3400 switch that are used to provide a mutual backup. If the switch is running STP. page 18-7 Monitoring Flex Links and the MAC Address-Table Move Update. These features are available only when the switch is running the metro IP access or metro access image. The feature provides an alternative solution to the Spanning Tree Protocol (STP). also referred to as the Flex Links bidirectional fast convergence feature. see the command reference for this release. page 18-1 VLAN Flex Link Load Balancing and Support. page 18-6 Flex Links Flex Links are a pair of a Layer 2 interfaces (switchports or port channels). it is not necessary to configure Flex Links because STP already provides link-level redundancy or backup. Note For complete syntax and usage information for the commands used in this chapter.

This way. When port 1 comes back up. For example. If port 1 goes down. the traffic of the first 50 VLANs can be forwarded on one port and the rest on the other port. If port 1 is the active link. it goes into standby mode and does not forward traffic. STP is disabled on Flex Link interfaces. Also. Flex Links are supported only on Layer 2 ports and port channels. a trap notifies the users. only one of the interfaces is in the linkup state and forwarding traffic. VLAN Flex Link Load Balancing and Support VLAN Flex Link load-balancing allows users to configure a Flex Link pair so that both ports simultaneously forward the traffic for some mutually exclusive VLANs. apart from providing the redundancy. the standby link starts forwarding traffic. for example. Figure 18-1 Flex Links Configuration Example Uplink switch B Uplink switch C Port 1 Switch A Port 2 116082 If a primary (forwarding) link goes down. Because they are configured as Flex Links. STP is not supported on user network interfaces (UNIs). and port 2 becomes the standby. You do this by entering the interface configuration switchport backup interface preemption mode bandwidth and switchport backup interface preemption delay commands. if Flex Link ports are configured for 1-100 VLANs. ports 1 and 2 on switch A are connected to uplink switches B and C. In Figure 18-1. If the standby link goes down. port 1 begins forwarding after 60 seconds. If the primary link shuts down. a trap notifies the network management stations. specifying the preferred port for forwarding traffic. the link between port 2 (the backup link) and switch C is not forwarding traffic. it begins forwarding traffic between port 1 and switch B. ready to begin forwarding traffic if the other link shuts down. port 2 continues forwarding traffic. not on VLANs or Layer 3 ports. this Flex Link pair can be used for load balancing. In Figure 18-1. you can configure the Flex Link pair with preemption mode so that after port 1 comes back up in the scenario. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 18-2 OL-9639-10 . You can also choose to configure a preemption mechanism. it resumes forwarding traffic in the preferred vlans. the other link is in standby mode. When the active link comes back up. At any given time. it goes into standby mode and does not forward traffic. the other is in standby mode. if it has greater bandwidth than port 2. You configure Flex Links on one Layer 2 interface (the active link) by assigning another Layer 2 interface as the Flex Link or backup link. port 2 comes up and starts forwarding traffic to switch C. only one of the interfaces is forwarding traffic.Chapter 18 Understanding Flex Links and the MAC Address-Table Move Update Configuring Flex Links and the MAC Address-Table Move Update Feature Note STP is enabled by default on network node interfaces (NNIs). but you can enable it. When the failed port comes back up. It is disabled on enhanced network interfaces (ENIs). If one of the ports fail. Flex Link VLAN load-balancing does not impose any restrictions on uplink switches. When one of the links is up and forwarding traffic. the other active port forwards all the traffic.

The other Flex Link port is then learned as the mrouter port. After changeover. page 18-4 Learning the Other Flex Link Port as the mrouter Port In a typical multicast network. Though both Flex Link ports are part of the groups in normal operation mode. A switch deployed at the edge of a network has one of its Flex Link ports receiving queries. The reports are sent by hosts when a general query is received. In this case. which occurs only after it receives reports. and a general query is sent within 60 seconds in normal scenarios. is not part of any multicast group. So the normal multicast data flow is not affected by the addition of the backup port as an mrouter port. When the backup link starts forwarding. because the port on the upstream router. A port that receives queries is added as an mrouter port on the switch. Flex Link ports are also always forwarding at any given time. Both Flex Link ports are always part of multicast groups.Chapter 18 Configuring Flex Links and the MAC Address-Table Move Update Feature Understanding Flex Links and the MAC Address-Table Move Update Figure 18-2 VLAN Flex Links Load Balancing Configuration Example Uplink switch B Forwarding (1-50) gi2/0/6 Switch A Forwarding (51-100) gi2/0/8 Uplink switch C Flex Link Multicast Fast Convergence Flex Link Multicast Fast Convergence reduces the multicast traffic convergence time after a Flex Link failure. page 18-3 Generating IGMP Reports. allowing the traffic to flow. the downstream switch immediately sends proxy reports for all the learned groups on this port without waiting for a general query. queries are received by the other Flex Link port. An mrouter port is part of all the multicast groups learned by the switch. multicast traffic then flows through the other Flex Link port. the upstream new distribution switch does not start forwarding multicast data. This is implemented by a combination of these solutions: • • • Learning the Other Flex Link Port as the mrouter Port. both Flex Link ports are learned as mrouter ports whenever either Flex Link port is learned as the mrouter port. To achieve faster convergence of traffic. page 18-3 Leaking IGMP Reports. After a changeover. The reports for the multicast groups were not forwarded by the downstream switch because the backup link is blocked. which is connected to the blocked Flex Link port. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 201398 18-3 . there is a querier for each VLAN. all traffic on the backup port is blocked. When the changeover happens. The data does not flow on this port. until it learns the multicast groups. Generating IGMP Reports When the backup link comes up after the changeover. the upstream multicast data flows as soon as the backup port is unblocked. the backup port is unblocked. to achieve faster convergence of multicast data.

with their queries reaching the switch through GigabitEthernet 0/11: Switch# show ip igmp snooping querier Vlan IP Address IGMP Version Port ------------------------------------------------------------1 1.1. Configuration Examples This configuration example shows learning the other Flex Link port as the mrouter port when Flex Link is configured on GigabitEthernet 0/11 and GigabitEthernet 0/12. the switch does not generate the proxy reports on the backup port.Chapter 18 Understanding Flex Links and the MAC Address-Table Move Update Configuring Flex Links and the MAC Address-Table Move Update Feature Leaking IGMP Reports To achieve multicast traffic convergence with minimal loss. which became the forwarding port.41. When this feature has been enabled at changeover. This feature is disabled by default and can be configured by using the switchport backup interface interface-id multicast fast-convergence command. The example shows the output for the show interfaces switchport backup command: Switch# configure terminal Switch(config)# interface gigabitEthernet0/11 Switch(config-if)# switchport trunk encapsulation dot1q Switch(config-if)# switchport mode trunk Switch(config-if)# switchport backup interface Gi0/12 Switch(config-if)# exit Switch(config)# interface GigabitEthernet0/12 Switch(config-if)# switchport trunk encapsulation dot1q Switch(config-if)# switchport mode trunk Switch(config-if)# end Switch# show interfaces switchport backup detail Switch Backup Interface Pairs: Active Interface Backup Interface State GigabitEthernet0/11 GigabitEthernet0/12 Active Up/Backup Standby Preemption Mode : off Multicast Fast Convergence : Off Bandwidth : 100000 Kbit (Gi0/11). This can be achieved by leaking only IGMP report packets on the Flex Link backup link. These leaked IGMP report messages are processed by upstream distribution routers. Because all incoming traffic on the backup interface is dropped at the ingress of the access switch. a redundant data path must be set up before the Flex Link active link goes down.41.1. the access switch starts accepting traffic from the backup link immediately. The only disadvantage of this scheme is that it consumes bandwidth on the link between the distribution switches and on the backup link between the distribution and access switches. so multicast data traffic gets forwarded to the backup interface.1 v2 Gi0/11 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 18-4 OL-9639-10 . 100000 Kbit (Gi0/12) Mac Address Move Update Vlan : auto This output shows a querier for VLANs 1 and 401. When the Flex Link active link fails. no duplicate multicast traffic is received by the host.1 v2 Gi0/11 401 41.

1.5.1 igmp v2 Gi0/11. As soon as this port starts forwarding.2 on behalf of the host.1 v2 Gi0/11 401 41. Gi0/12. one per line.Chapter 18 Configuring Flex Links and the MAC Address-Table Move Update Feature Understanding Flex Links and the MAC Address-Table Move Update This is output for the show ip igmp snooping mrouter command for VLANs 1 and 401: Switch# Vlan ---1 401 show ip igmp snooping mrouter ports ----Gi1/0/11(dynamic).5. both Flex Link ports are part of learned groups. the switch forwards this report on all the mrouter ports.1. because the backup port GigabitEthernet 0/12 is blocked. when a host sends a report for the group 228.41. End with CNTL/Z. In this example.1.1. This is the default behavior of Flex Link. When the active link.5. it is forwarded only on GigabitEthernet 0/11. 100000 Kbit (Gi0/12) Mac Address Move Update Vlan : auto This output shows a querier for VLAN 1 and 401 with their queries reaching the switch through GigabitEthernet 0/11: Switch# show ip igmp snooping querier Vlan IP Address IGMP Version Port ------------------------------------------------------------1 1.1 v2 Gi0/11 This is output for the show ip igmp snooping mrouter command for VLAN 1 and 401: Switch# show ip igmp snooping mrouter Vlan ports -------1 Gi0/11(dynamic). Gi0/10 1 228. GigabitEthernet 0/12.1. In this example.1. This behavior changes when the user configures fast convergence using the switchport backup interface gigabitEthernet 0/12 multicast fast-convergence command. Gi0/12(dynamic) 401 Gi0/11(dynamic).5. This example shows turning on this feature: Switch# configure terminal Enter configuration commands. Gi0/12(dynamic) Gi1/0/11(dynamic). which is interested in two multicast groups: Switch# show ip igmp snooping groups Vlan Group Type Version Port List ----------------------------------------------------------------------1 228. Gi0/12. The upstream router learns the groups and starts forwarding multicast data. Gi0/12(dynamic) Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 18-5 . GigabitEthernet 0/11. begins forwarding.5. Gi0/12(dynamic) Similarly. the backup port. goes down.2 igmp v2 Gi0/11. Gi0/10 When a host responds to the general query.1. GigabitEthernet 0/10 is a receiver/host in VLAN 1. Switch(config)# interface gigabitEthernet0/11 Switch(config-if)# switchport backup interface gigabitEthernet0/12 multicast fast-convergence Switch(config-if)# exit Switch# show interfaces switchport backup detail Switch Backup Interface Pairs: Active Interface Backup Interface State -----------------------------------------------------------------------GigabitEthernet0/11 GigabitEthernet0/12 Active Up/Backup Standby Preemption Mode : off Multicast Fast Convergence : On Bandwidth : 100000 Kbit (Gi0/11). the switch sends proxy reports for the groups 228.1 and 228.41.1.

GigabitEthernet 0/11. including the forwarding table entry for the PC.5. The MAC address of the PC has been learned on port 3 of switch C. The PC is directly connected to switch A. Traffic from the PC to the server is forwarded from port 1 to port 3.1. You can also configure the uplink switches B. You can configure the access switch. This change occurs in 100 milliseconds (ms). a redundant multicast path has been set up. The switch sends a MAC address-table move update packet from port 2. If the MAC address-table move update feature is configured and enabled on the switches in Figure 18-3 and port 1 goes down. MAC Address-Table Move Update The MAC address-table move update feature allows the switch to provide rapid bidirectional convergence when a primary (forwarding) link goes down and the standby link begins forwarding traffic. C. By leaking reports to the backup port. In this example.2 igmp v2 Gi1/0/11.Chapter 18 Understanding Flex Links and the MAC Address-Table Move Update Configuring Flex Links and the MAC Address-Table Move Update Feature Similarly. port 2 starts forwarding traffic. the backup port. the switch forwards this report on all the mrouter ports. and D to get and process the MAC address-table move update messages. which reduces the reconvergence time. it is also leaked to the backup port GigabitEthernet 0/12. Gi0/12. and the time taken for the multicast traffic convergence is very minimal. The switch detects a failure on port 1 and immediately starts forwarding server traffic from port 2. Switch A does not need to wait for the MAC address-table update. GigabitEthernet 0/10 is a receiver/host in VLAN 1. switch C learns the MAC address of the PC on port 4. Gigabitethernet t0/12. and the PC does not get the traffic because port 1 is down. Gi0/12.1 igmp v2 Gi0/11. goes down. begins forwarding. Switch C updates the MAC address table. In Figure 18-3. If switch C removes the MAC address of the PC on port 3 and relearns it on port 4. Switch C gets this packet on port 4 and immediately learns the MAC address of the PC on port 4. for a short time. Gi0/10 Whenever a host responds to the general query. You do not need to send any proxy reports as the multicast data is already being forwarded by the upstream router. Switch A does not need to update the PC entry in the MAC address table. When switch C gets a MAC address-table move update message from switch A. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 18-6 OL-9639-10 . which is dropped at the ingress because GigabitEthernet 0/12 is blocked. When the active link. both the Flex Link ports are a part of the learned groups. Port 1 is forwarding traffic. to send MAC address-table move update messages. switch A is an access switch. port 2 starts forwarding traffic from the PC to the server. However. The upstream router learns the groups and starts forwarding multicast data. traffic can then be forwarded from the server to the PC through port 2. switch C keeps forwarding traffic from the server to the PC through port 3. the new forwarding port.5. If the MAC address-table move update feature is not configured and port 1 goes down. When you turn on this feature through the command-line port. Traffic from the server to the PC is forwarded from port 3 to port 1. and port 2 is in the backup state. which is interested in two multicast groups: Switch# show ip igmp snooping groups Vlan Group Type Version Port List ----------------------------------------------------------------------1 228. Gi0/10 1 228. switch A. and when a report is forwarded by the switch on GigabitEthernet 0/11. and ports 1 and 2 on switch A are connected to uplink switches B and D through a Flex Link pair. and the connection status does not change.1.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 141223 18-7 . page 18-8 Configuring Flex Links. The preemption delay is 35 seconds. page 18-10 Configuring the MAC Address-Table Move Update Feature. page 18-12 Default Configuration The Flex Links are not configured. page 18-7 Configuration Guidelines.Chapter 18 Configuring Flex Links and the MAC Address-Table Move Update Feature Configuring Flex Links and MAC Address-Table Move Update Figure 18-3 MAC Address-Table Move Update Example Server Switch C Port 3 Port 4 Switch B Switch D Port 1 Port 2 Switch A PC Configuring Flex Links and MAC Address-Table Move Update • • • • • Default Configuration. The MAC address-table move update feature is not configured on the switch. Flex Link VLAN load-balancing is not configured. and there are no backup interfaces defined. The preemption mode is off. page 18-8 Configuring VLAN Load Balancing on Flex Links.

Neither of the links can be a port that belongs to an EtherChannel. and you can configure a port channel and a physical interface as Flex Links. By default. With STP not running. However. An interface can belong to only one Flex Link pair.Chapter 18 Configuring Flex Links and MAC Address-Table Move Update Configuring Flex Links and the MAC Address-Table Move Update Feature Configuration Guidelines Follow these guidelines to configure Flex Links: • • • • You can configure up to 16 backup links. follow these steps to configure a pair of Flex Links: Command Step 1 Step 2 Purpose Enter global configuration mode. Follow these guidelines to configure MAC address-table move update feature: • • Configuring Flex Links Beginning in privileged EXEC mode. you can configure two port channels (EtherChannel logical interfaces) as Flex Links. if necessary. Flex Links do not participate in STP in all VLANs in which STP is configured. You can enable and configure this feature on the uplink switches to get the MAC address-table move updates. Follow these guidelines to configure VLAN load balancing on the Flex Links feature: • • For Flex Link VLAN load balancing. An active link cannot belong to another Flex Link pair. with either the port channel or the physical interface as the active link. Gigabit Ethernet. and it must be a different interface from the active interface. The port-channel range is 1 to 48. and network NNIs are enabled. The interface can be a physical Layer 2 interface or a port channel (logical interface). UNIs and ENIs are disabled. you should configure both Flex Links with similar characteristics so that there are no loops or changes in behavior if the standby link begins to forward traffic. If STP is configured on the switch. Specify the interface. You can enable and configure this feature on the access switch to send the MAC address-table move updates. You cannot configure a preemption mechanism and VLAN load balancing for the same Flex Links pair. configure terminal interface interface-id Step 3 no shutdown Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 18-8 OL-9639-10 . An interface can be a backup link for only one active link. and enter interface configuration mode. you must choose the preferred VLANs on the backup interface. be sure that there are no loops in the configured topology. However. • • Note STP is available only on NNIs or ENIs. or port channel) as the active link. A backup link does not have to be the same type (Fast Ethernet. Enable the port. You can configure only one Flex Link backup link for any active link. STP is disabled on Flex Link ports.

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 18-9 . the other interface is in standby mode. and NNIs are enabled. Return to privileged EXEC mode. The interface can be a physical Layer 2 interface or a port channel (logical interface).Chapter 18 Configuring Flex Links and the MAC Address-Table Move Update Feature Configuring Flex Links and MAC Address-Table Move Update Command Step 4 Purpose Configure a physical Layer 2 interface (or port channel) as part of a Flex Link pair with the interface. follow these steps to configure a preemption scheme for a pair of Flex Links: Command Step 1 Step 2 Purpose Enter global configuration mode. Verify the configuration. Enable the port. When one link is forwarding traffic. When one link is forwarding traffic. By default. Specify the interface. (Optional) Save your entries in the switch startup configuration file. You can configure the preemption as: • • • configure terminal interface interface-id Step 3 Step 4 no shutdown switchport backup interface interface-id Step 5 switchport backup interface interface-id preemption mode {forced | bandwidth | off} forced—the active interface always preempts the backup. the other interface is in standby mode. switchport backup interface interface-id Step 5 Step 6 Step 7 end show interface [interface-id] switchport backup copy running-config startup config This example shows how to configure an interface with a backup interface and to verify the configuration: Switch# configure terminal Switch(conf)# interface fastethernet0/1 Switch(conf-if)# no shutdown Switch(conf-if)# switchport backup interface fastethernet0/2 Switch(conf-if)# end Switch# show interface switchport backup Switch Backup Interface Pairs: Active Interface Backup Interface State -----------------------------------------------------------------------------------------FastEthernet0/1 FastEthernet0/2 Active Up/Backup Standby FastEthernet0/3 FastEthernet0/4 Active Up/Backup Standby Port-channel1 GigabitEthernet0/1 Active Up/Backup Standby Beginning in privileged EXEC mode. and enter interface configuration mode. bandwidth—the interface with the higher bandwidth always acts as the active interface. Configure a preemption mechanism and delay for a Flex Link interface pair. off—no preemption happens from active to backup. The port-channel range is 1 to 48. Configure a physical Layer 2 interface (or port channel) as part of a Flex Link pair with the interface. if necessary. UNIs and ENIs are disabled.

Verify the configuration. 100000 Kbit (Gi0/2) Mac Address Move Update Vlan : auto Configuring VLAN Load Balancing on Flex Links Beginning in privileged EXEC mode. Note switchport backup interface interface-id preemption delay delay-time Setting a delay time only works with forced and bandwidth modes. (Optional) Save your entries in the switch startup configuration file. The port-channel range is 1 to 48. This example shows how to configure the preemption mode as forced for a backup interface pair and to verify the configuration: Switch# configure terminal Switch(conf)# interface gigabitethernet0/1 Switch(conf-if)# switchport backup interface gigabitethernet0/2 preemption mode forced Switch(conf-if)# switchport backup interface gigabitethernet0/2 preemption delay 50 Switch(conf-if)# end Switch# show interface switchport backup detail Active Interface Backup Interface State -----------------------------------------------------------------------GigabitEthernet0/21 GigabitEthernet0/2 Active Up/Backup Standby Interface Pair : Gi0/1. Return to privileged EXEC mode. Specify the interface. Step 7 Step 8 Step 9 end show interface [interface-id] switchport backup copy running-config startup config Return to privileged EXEC mode. and NNIs are enabled. configure terminal interface interface-id Step 3 Step 4 no shutdown switchport backup interface interface-id prefer vlan vlan-range Step 5 end Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 18-10 OL-9639-10 .Chapter 18 Configuring Flex Links and MAC Address-Table Move Update Configuring Flex Links and the MAC Address-Table Move Update Feature Command Step 6 Purpose Configure the time delay until a port preempts another port. The VLAN ID range is 1 to 4094. follow these steps to configure VLAN load balancing on Flex Links: Command Step 1 Step 2 Purpose Enter global configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). and enter interface configuration mode. if necessary. UNIs and ENIs are disabled. Configure a physical Layer 2 interface (or port channel) as part of a Flex Links pair with the interface. and specify the VLANs carried on the interface. Enable the port. By default. Gi0/2 Preemption Mode : forced Preemption Delay : 50 seconds Bandwidth : 100000 Kbit (Gi0/1).

(Optional) Save your entries in the switch startup configuration file. VLANs 1 to 50. 100-120 When a Flex Link interface goes down (LINK_DOWN). In this example. if interface gigabitethernet port 0/6 goes down.100-120 When both interfaces are up. gigabitethernet port 0/8 forwards traffic for VLANs 60 and 100 to 120 and gigabitethernet port 0/6 forwards traffic for VLANs 1 to 50. if interface 0/6 comes up. VLANs preferred on this interface are blocked on the peer interface and moved to the forwarding state on the interface that has just come up. 60. and 100 to 120 are configured on the switch: Switch(config)# interface gigabitEthernet 0/6 Switch(config-if)# switchport backup interface gigabitEthernet 0/8 prefer vlan 60. VLANs preferred on this interface are moved to the peer interface of the Flex Link pair. Switch# show interfaces switchport backup Switch Backup Interface Pairs: Active Interface Backup Interface State -----------------------------------------------------------------------GigabitEthernet0/6 GigabitEthernet0/8 Active Down/Backup Up Vlans Preferred on Active Interface: 1-50 Vlans Preferred on Backup Interface: 60. show interfaces [interface-id] switchport backup copy running-config startup config In the following example. Switch# show interfaces switchport backup Switch Backup Interface Pairs: Active Interface Backup Interface State -----------------------------------------------------------------------GigabitEthernet0/6 GigabitEthernet0/8 Active Up/Backup Standby Vlans Preferred on Active Interface: 1-50 Vlans Preferred on Backup Interface: 60. gigabitethernet port 0/8 carries all VLANs of the Flex Link pair. Switch# show interfaces switchport backup Switch Backup Interface Pairs: Active Interface Backup Interface State -----------------------------------------------------------------------GigabitEthernet0/6 GigabitEthernet0/8 Active Up/Backup Standby Vlans Preferred on Active Interface: 1-50 Vlans Preferred on Backup Interface: 60. In this example.Chapter 18 Configuring Flex Links and the MAC Address-Table Move Update Feature Configuring Flex Links and MAC Address-Table Move Update Command Step 6 Step 7 Purpose Verify the configuration. 100-120 When a Flex Link interface comes up. 100-120 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 18-11 . VLANs preferred on this interface are blocked on the peer interface 0/8 and forwarded on 0/6.

The interface can be a physical Layer 2 interface or a port channel (logical interface). By default.Chapter 18 Configuring Flex Links and MAC Address-Table Move Update Configuring Flex Links and the MAC Address-Table Move Update Feature Switch# show interfaces switchport backup detail Switch Backup Interface Pairs: Active Interface Backup Interface State -----------------------------------------------------------------------FastEthernet 0/3 FastEthernet 0/4 Active Down/Backup Up Vlans Preferred on Active Interface: 1-2. which is used for sending the MAC address-table move update. Step 7 Step 8 Step 9 end show mac address-table move update copy running-config startup config Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 18-12 OL-9639-10 . Configure a physical Layer 2 interface (or port channel). configure terminal interface interface-id Step 3 Step 4 no shutdown switchport backup interface interface-id or switchport backup interface interface-id mmu primary vlan vlan-id Step 5 Step 6 end mac address-table move update transmit Return to global configuration mode. 100000 Kbit (Fa0/4) Mac Address Move Update Vlan : auto Configuring the MAC Address-Table Move Update Feature This section contains this information: • • Configuring a switch to send MAC address-table move updates Configuring a switch to get MAC address-table move updates Beginning in privileged EXEC mode. the other interface is in standby mode. The port-channel range is 1 to 48. as part of a Flex Link pair with the interface. Return to privileged EXEC mode. Configure a physical Layer 2 interface (or port channel) and specify the VLAN ID on the interface.5-4094 Vlans Preferred on Backup Interface: 3-4 Preemption Mode : off Bandwidth : 10000 Kbit (Fa 0/3). Specify the interface. if necessary. and NNIs are enabled. When one link is forwarding traffic. UNIs and ENIs are disabled. Enable the port. and enter interface configuration mode. Enable the access switch to send MAC address-table move updates to other switches in the network if the primary link goes down and the switch starts forwarding traffic through the standby link. The MAC address-table move update VLAN is the lowest VLAN ID on the interface. (Optional) Save your entries in the switch startup configuration file. follow these steps to configure an access switch to send MAC address-table move updates: Command Step 1 Step 2 Purpose Enter global configuration mode. Verify the configuration.

use the show mac address-table move update privileged EXEC command.c502 Rcv last switch-ID : 0403.8700 Xmt packet count : 0 Xmt packet count this min : 0 Xmt threshold exceed count : 0 Xmt pak buf unavail cnt : 0 Xmt last interface : None Beginning in privileged EXEC mode.Chapter 18 Configuring Flex Links and the MAC Address-Table Move Update Feature Configuring Flex Links and MAC Address-Table Move Update To disable the MAC address-table move update feature.1780 Dst mac-address : 0180. use the show mac address-table move update privileged EXEC command. This example shows how to configure an access switch to send MAC address-table move update messages: Switch# configure terminal Switch(conf)# interface gigabitethernet0/1 Switch(conf-if)# switchport backup interface gigabitethernet0/2 mmu primary vlan 2 Switch(conf-if)# exit Switch(conf)# mac address-table move update transmit Switch(conf)# end This example shows how to verify the configuration: Switch# show mac-address-table move update Switch-ID : 010b. Verify the configuration. (Optional) Save your entries in the switch startup configuration file. configure terminal mac address-table move update receive end show mac address-table move update copy running-config startup config To disable the MAC address-table move update feature. Enable the switch to get and process the MAC address-table move updates. Xmt 60 Rcv packet count : 5 Rcv conforming packet count : 5 Rcv invalid packet count : 0 Rcv packet count this min : 0 Rcv threshold exceed count : 0 Rcv last sequence# this min : 0 Rcv last interface : Po2 Rcv last src-mac-address : 000b. To display the MAC address-table move update information.c200. Return to privileged EXEC mode.462d. use the no mac address-table move update transmit interface configuration command.4630. follow these steps to configure a switch to get and process MAC address-table move update messages: Command Step 1 Step 2 Step 3 Step 4 Step 5 Purpose Enter global configuration mode. Xmt Off/On Max packets per min : Rcv 40. This example shows how to configure a switch to get and process MAC address-table move update messages: Switch# configure terminal Switch(conf)# mac address-table move update receive Switch(conf)# end Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 18-13 . use the no mac address-table move update receive configuration command.fd6a.0010 Vlans/Macs supported : 1023/8320 Default/Current settings: Rcv Off/On. To display the MAC address-table move update information.

or displays backup all Flex Links configured on the switch and the state of each active and backup interface (up or standby mode). show mac address-table move update Displays the MAC address-table move update information on the switch. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 18-14 OL-9639-10 . Table 18-1 Flex Link Monitoring Command Command Purpose show interface [interface-id] switchport Displays the Flex Link backup interface configured for an interface.Chapter 18 Monitoring Flex Links and the MAC Address-Table Move Update Configuring Flex Links and the MAC Address-Table Move Update Feature Monitoring Flex Links and the MAC Address-Table Move Update Table 18-1 shows the privileged EXEC command for monitoring Flex Link configuration.

• • • • • • • • • Understanding DHCP Features. • • • • • • DHCP Server.2. page 19-6 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 19-1 . page 19-7 Displaying DHCP Snooping Information. page 19-6 DHCP Snooping Binding Database. page 19-2 Option-82 Data Insertion. page 19-15 Understanding DHCP Server Port-Based Address Allocation. page 19-21 Displaying IP Source Guard Information. Note For complete syntax and usage information for the commands used in this chapter. page 19-1 Configuring DHCP Features. page 19-15 Configuring DHCP Server Port-Based Address Allocation. page 19-19 Configuring IP Source Guard. page 19-2 DHCP Snooping. page 19-2 DHCP Relay Agent. page 19-28 Understanding DHCP Features DHCP is widely used in LAN environments to dynamically assign host IP addresses from a centralized server. and see the “DHCP Commands” section in the Cisco IOS IP Command Reference. It also describes how to configure the IP source guard feature. see the command reference for this release. page 19-18 Understanding IP Source Guard. page 19-15 Displaying DHCP Server Port-Based Address Allocation. DHCP also helps conserve the limited IP address space because IP addresses no longer need to be permanently assigned to hosts. and the DHCP server port-based address allocation features on the Cisco ME 3400 Ethernet Access switch. Release 12. only those hosts that are connected to the network consume IP addresses.CH A P T E R 19 Configuring DHCP Features and IP Source Guard This chapter describes how to configure DHCP snooping and option-82 data insertion. Volume 1 of 3: Addressing and Services. which significantly reduces the overhead of administration of IP addresses. page 19-3 Cisco IOS DHCP Server Database.

If the DHCP server cannot give the DHCP client the requested configuration parameters from its database. the switch forwards the packet. Release 12. When you use DHCP snooping in a service-provider environment. the VLAN number. see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide. in which IP datagrams are switched transparently between networks. The DHCP snooping binding database has the MAC address. For more information about this database. DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. also referred to as a DHCP snooping binding table.2. and the interface information that corresponds to the local untrusted interfaces of a switch. it can forward the request to one or more secondary DHCP servers defined by the network administrator. If the addresses do not match. DHCP Server The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them. such as a customer’s switch. the lease time. If the addresses match (the default). the binding type. a trusted interface is connected to a port on a device in the same network. Relay agents forward requests and replies between clients and servers when they are not on the same physical subnet. In a service-provider network. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 19-2 OL-9639-10 . DHCP Snooping DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database. DHCP Relay Agent A DHCP relay agent is a Layer 3 device that forwards DHCP packets between clients and servers. all DHCP servers must be connected to the switch through trusted interfaces. the switch drops the packet. When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled. It does not have information regarding hosts interconnected with a trusted interface. an untrusted message is sent from a device that is not in the service-provider network. the switch compares the source MAC address and the DHCP client hardware address. Relay agents receive DHCP messages and generate new DHCP messages to send on egress interfaces. see the “Displaying DHCP Snooping Information” section on page 19-15. Relay agent forwarding is different from the normal Layer 2 forwarding. Note For DHCP snooping to function properly. the IP address.Chapter 19 Understanding DHCP Features Configuring DHCP Features and IP Source Guard For information about the DHCP client. An untrusted DHCP message is a message that is received from outside the network or firewall. An untrusted interface is connected to an untrusted interface in the network or to an interface on a device that is not in the network. Messages from unknown devices are untrusted because they can be sources of traffic attacks. You use DHCP snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch.

the aggregation switch accepts packets with option-82 information from the edge switch. but the interface information in the binding database does not match the interface on which the message was received. the aggregation switch does not learn the DHCP snooping bindings for connected devices and cannot build a complete DHCP snooping binding database.0. Figure 19-1 is an example of a metropolitan Ethernet network in which a centralized DHCP server assigns IP addresses to subscribers connected to the switch at the access layer. DHCPACK. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 19-3 .0.Chapter 19 Configuring DHCP Features and IP Source Guard Understanding DHCP Features The switch drops a DHCP packet when one of these situations occurs: • • • A packet from a DHCP server. Note The DHCP option-82 feature is supported only when DHCP snooping is globally enabled and on the VLANs to which subscriber devices using this feature are assigned. such as a DHCPOFFER. If DHCP snooping is enabled and packets are received on a trusted port. A packet is received on an untrusted interface. can still be enabled on the aggregation switch while the switch receives packets with option-82 information on ingress untrusted interfaces to which hosts are connected. a subscriber device is identified by the switch port through which it connects to the network (in addition to its MAC address). When an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allowed-trust global configuration command. the switch drops packets with option-82 information when packets are received on an untrusted interface. DHCP can centrally manage the IP address assignments for a large number of subscribers. Option-82 Data Insertion In residential. such as dynamic ARP inspection or IP source guard. Multiple hosts on the subscriber LAN can be connected to the same port on the access switch and are uniquely identified. When the DHCP option-82 feature is enabled on the switch. The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address in the DHCP snooping binding database. DHCPNAK. a DHCP relay agent (the Cisco ME switch) is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server. Because the DHCP clients and their associated DHCP server do not reside on the same IP network or subnet.0. or the relay agent forwards a packet that includes option-82 information to an untrusted port. The DHCP security features. or DHCPLEASEQUERY packet. The port on the edge switch that connects to the aggregation switch must be configured as a trusted interface. metropolitan Ethernet-access environments. and the source MAC address and the DHCP client hardware address do not match. • If the switch is an aggregation switch supporting DHCP snooping and is connected to an edge switch that is inserting DHCP option-82 information. The aggregation switch learns the bindings for hosts connected through an untrusted switch interface. is received from outside the network or firewall. A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.

• • • • In the default suboption configuration. the values in these fields in Figure 19-2 do not change: • Circuit ID suboption fields – Suboption type – Length of the suboption type – Circuit ID type – Length of the circuit ID type • Remote ID suboption fields – Suboption type – Length of the suboption type – Remote ID type – Length of the circuit ID type Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 19-4 OL-9639-10 . vlan-mod-port. If the server is option-82-capable.Chapter 19 Understanding DHCP Features Configuring DHCP Features and IP Source Guard Figure 19-1 DHCP Relay Agent in a Metropolitan Ethernet Network DHCP server Cisco ME switch (DHCP relay agent) Access layer VLAN 10 Host A (DHCP client) Subscribers Host B (DHCP client) 92999 When you enable the DHCP snooping information option 82 on the switch. The switch verifies that it originally inserted the option-82 data by inspecting the remote ID and possibly the circuit ID fields. this sequence of events occurs: • • The host (DHCP client) generates a DHCP request and broadcasts it on the network. When the switch receives the DHCP request. the remote-ID suboption is the switch MAC address. from which the packet is received. it can use the remote ID. the switch adds this IP address in the DHCP packet. it adds the option-82 information in the packet. By default. such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP client that sent the DHCP request. see the “Enabling DHCP Snooping and Option 82” section on page 19-11. For information on configuring these suboptions. If the IP address of the relay agent is configured. or both to assign IP addresses and implement policies. The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. Then the DHCP server echoes the option-82 field in the DHCP reply. The DHCP server receives the packet. the circuit ID. You can also configure the remote ID and circuit ID. and the circuit-ID suboption is the port identifier. The switch forwards the DHCP request that includes the option-82 field to the DHCP server. when the described sequence of events occurs.

depending on the length of the string that you configure. depending on the length of the string that you configure. – The length values are variable. – The length values are variable. port 4 is the Fast Ethernet 0/2 port.Chapter 19 Configuring DHCP Features and IP Source Guard Understanding DHCP Features In the port field of the circuit ID suboption. For example. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 19-5 . • Remote-ID suboption fields – The remote-ID type is 1. Figure 19-2 shows the packet formats for the remote ID suboption and the circuit ID suboption when the default suboption configuration is used. the port numbers start at 3. and so forth. Figure 19-2 Suboption Packet Formats Circuit ID Suboption Frame Format Suboption Circuit type ID type Length Length 1 6 0 4 VLAN 2 bytes Module Port 1 byte 1 byte 1 byte 1 byte 1 byte 1 byte Remote ID Suboption Frame Format Suboption Remote type ID type Length Length 2 8 0 6 MAC address 6 bytes 116300 1 byte 1 byte 1 byte 1 byte Figure 19-3 shows the packet formats for user-configured remote-ID and circuit-ID suboptions The switch uses these packet formats when you globally enable DHCP snooping and enter the ip dhcp snooping information option format remote-id global configuration command and the ip dhcp snooping vlan information option format-type circuit-id string interface configuration command. The switch uses the packet formats when DHCP snooping is globally enabled and when the ip dhcp snooping information option global configuration command is entered. port 3 is the Fast Ethernet 0/1 port. The values for these fields in the packets change from the default values when you configure the remote-ID and circuit-ID suboptions: • Circuit-ID suboption fields – The circuit-ID type is 1. and so forth. on a switch with 24 10/100 ports and small form-factor pluggable (SFP) module slots. Port 27 is the SFP module slot 0/1.

The database agent stores the bindings in a file at a configured location. For more information about manual and automatic address bindings. An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. the switch loses its connectivity. but DHCP snooping might not prevent DHCPP spoofing attacks. The database can have up to 8192 bindings. To keep the bindings when the switch reloads. and the DHCP snooping binding database has dynamic bindings. You can manually assign the client IP address. such as the boot file. the interface to which the binding applies. Each entry is 72 bytes. the switch does not lose its connectivity. If the agent is disabled. Each database entry (binding) has an IP address.2. the lease time (in hexadecimal format). and configuration parameters. The switch keeps the file current by updating it when the database changes. or the DHCP server can allocate an IP address from a DHCP address pool. and the VLAN to which the interface belongs. dynamic ARP inspection or IP source guard is enabled. address bindings. you must use the DHCP snooping database agent. followed by a space and then the checksum value. the switch reads the binding file to build the DHCP snooping binding database.Chapter 19 Understanding DHCP Features Configuring DHCP Features and IP Source Guard Figure 19-3 User-Configured Suboption Packet Formats Circuit ID Suboption Frame Format (for user-configured string): Suboption Circuit type ID type Length Length 1 N+2 1 N ASCII Circuit ID string N bytes (N = 3-63) 1 byte 1 byte 1 byte 1 byte Remote ID Suboption Frame Format (for user-configured string): Suboption Remote type ID type Length Length 2 N+2 1 N ASCII Remote ID string or hostname N bytes (N = 1-63) 145774 1 byte 1 byte 1 byte 1 byte Cisco IOS DHCP Server Database During the DHCP-based autoconfiguration process. DHCP Snooping Binding Database When DHCP snooping is enabled. see the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide. If the agent is disabled and only DHCP snooping is enabled. the switch uses the DHCP snooping binding database to store information about untrusted interfaces. At the end of each entry is a checksum value that accounts for all the bytes associated with the entry. an associated MAC address. Release 12. the designated DHCP server uses the Cisco IOS DHCP server database. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 19-6 OL-9639-10 . It has IP addresses. When reloading.

c52f 2BB648EB Fa1/0/4 1bdb223f 192.c91f 2BB6488E Fa1/0/4 21ae5fbb 192..168. page 19-9 Configuring the DHCP Relay Agent. If the file is not updated in a specified time (set by the write-delay and abort-timeout values). The entry and the ones following it are ignored. page 19-11 Enabling DHCP Snooping on Private VLANs.2 3 0003.Chapter 19 Configuring DHCP Features and IP Source Guard Configuring DHCP Features When a switch learns of new bindings or when it loses bindings.c8f1 2BB648AB Fa1/0/4 584a38f0 END When the switch starts and the calculated checksum value equals the stored checksum value.1 3 0003.44d6. the update stops. . This is an example of a binding file: 2bb4c2a1 TYPE DHCP-SNOOPING VERSION 1 BEGIN 192.1. page 19-8 Configuring the DHCP Server. the switch reads entries from the binding file and adds the bindings to its DHCP snooping binding database. An entry has an expired lease time (the switch might not remove a binding entry when the lease time expires).3 3 0003. page 19-13 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 19-7 . This is the format of the file that has the bindings: <initial-checksum> TYPE DHCP-SNOOPING VERSION 1 BEGIN <entry-1> <checksum-1> <entry-2> <checksum-1-2> . page 19-10 Enabling DHCP Snooping and Option 82. The interface is a routed interface or a DHCP snooping-trusted interface.-n> END Each entry in the file is tagged with a checksum value that the switch uses to verify the entries when it reads the file.47d9.168. page 19-8 DHCP Snooping Configuration Guidelines. The interface in the entry no longer exists on the system.. and the updates are batched. Configuring DHCP Features • • • • • • • Default DHCP Configuration.1.1. The switch also updates the entries in the binding file. <entry-n> <checksum-1-2-.. The frequency at which the file is updated is based on a configurable delay. the switch immediately updates the entries in the database.47d8. The switch ignores an entry when one of these situations occurs: • • • • The switch reads the entry and the calculated checksum value does not equal the stored checksum value.168. The initial-checksum entry on the first line distinguishes entries associated with the latest file update from entries associated with a previous file update... page 19-10 Specifying the Packet Forwarding Address.

requires configuration. page 19-13 Enabling the DHCP Snooping Binding Database Agent. or you must configure DHCP options for these devices. requires configuration. 2. you must specify the IP addresses that the DHCP server can assign or exclude. 1. DHCP snooping binding database agent Enabled in Cisco IOS software. Note The switch gets network addresses and configuration parameters only from a device configured as a DHCP server. Table 19-1 Default DHCP Configuration Feature DHCP server DHCP relay agent DHCP packet forwarding address Checking the relay agent information DHCP relay agent forwarding policy DHCP snooping enabled globally DHCP snooping information option DHCP snooping option to accept packets on untrusted ingress interfaces3 DHCP snooping limit rate DHCP snooping trust DHCP snooping VLAN DHCP snooping MAC address verification Cisco IOS DHCP server binding database Default Setting Enabled in Cisco IOS software.Chapter 19 Configuring DHCP Features Configuring DHCP Features and IP Source Guard • • Enabling the Cisco IOS DHCP Server Database. Before globally enabling DHCP snooping on the switch. The switch responds to DHCP requests only if it is configured as a DHCP server. The switch relays DHCP packets only if the IP address of the DHCP server is configured on the SVI of the DHCP client. For example. 3. DHCP Snooping Configuration Guidelines • • • • You must globally enable DHCP snooping on the switch. page 19-13 Default DHCP Configuration Table 19-1 shows the default DHCP configuration. be sure to configure the device that is acting as the DHCP server. make sure that the devices acting as the DHCP server and the DHCP relay agent are configured and enabled. Before configuring the DHCP snooping information option on your switch. This feature is operational only when a destination is configured. requires configuration1 Enabled2 None configured Enabled (invalid messages are dropped)2 Replace the existing relay agent information2 Disabled Enabled Disabled None configured Untrusted Disabled Enabled Enabled in Cisco IOS software. Use this feature when the switch is an aggregation switch that receives packets with option-82 information from an edge switch. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 19-8 OL-9639-10 . DHCP snooping is not active until DHCP snooping is enabled on a VLAN.

Before configuring the DHCP relay agent on your switch. the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 19-9 . These features are not operational. – To ensure that the lease time in the database is accurate. see the “Configuring NTP” section on page 5-4. If a switch port is connected to a DHCP client. the switch writes binding changes to the binding file only when the switch system clock is synchronized with NTP. some TFTP servers cannot be configured this way. and you can clear the snooping statistics counters by entering the clear ip dhcp snooping statistics privileged EXEC command. consider the impact of lengthy character strings on the NVRAM or the flash memory. configure DHCP options for devices. you must create an empty file at the configured URL before the switch can write bindings to the binding file at that URL. If a switch port is connected to a DHCP server. we recommend that NTP is enabled and configured. the DHCP option-82 data insertion feature is not supported. or set up the DHCP database agent. If DHCP snooping is enabled on RSPAN VLANs. Configuring the DHCP Server The switch can act as a DHCP server. exceed the capacity of the NVRAM or the flash memory. • Note Do not enable Dynamic Host Configuration Protocol (DHCP) snooping on RSPAN VLANs. If you enter this command. an untrusted device might spoof the option-82 information. an error message appears.Chapter 19 Configuring DHCP Features and IP Source Guard Configuring DHCP Features • When configuring a large number of circuit IDs on a switch. By default. make sure to configure the device that is acting as the DHCP server. DHCP packets might not reach the RSPAN destination port.2. we recommend that • • • • • you store the binding file on a TFTP server. you must specify the IP addresses that the DHCP server can assign or exclude. For more information. configure a port as trusted by entering the ip dhcp snooping trust interface configuration command. For procedures to configure the switch as a DHCP server. You can display DHCP snooping statistics by entering the show ip dhcp snooping statistics user EXEC command. If the circuit-ID configurations. – For network-based URLs (such as TFTP and FTP). See the documentation for your TFTP server to determine whether you must first create an empty file on the server. For example. If the DHCP relay agent is enabled but DHCP snooping is disabled. – If NTP is configured. combined with other data. • Do not enter the ip dhcp snooping information option allowed-untrusted command on an aggregation switch to which an untrusted device is connected. see the “Configuring DHCP” section of the “IP addressing and Services” section of the Cisco IOS IP Configuration Guide. configure a port as untrusted by entering the no ip dhcp snooping trust interface configuration command. Follow these guidelines when configuring the DHCP snooping binding database: – Because both NVRAM and the flash memory have limited storage capacity. Release 12.

Release 12. you must configure the switch with the ip helper-address address interface configuration command. you can configure one helper address for each server. follow these steps to specify the packet forwarding address: Command Step 1 Step 2 Step 3 Step 4 Purpose Enter global configuration mode. follow these steps to enable the DHCP relay agent on the switch: Command Step 1 Step 2 Step 3 Step 4 Step 5 Purpose Enter global configuration mode. and enter interface configuration mode. Beginning in privileged EXEC mode. See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide. By default. or it can be the network address if other DHCP servers are on the destination network segment. Return to privileged EXEC mode. Verify your entries.Chapter 19 Configuring DHCP Features Configuring DHCP Features and IP Source Guard Configuring the DHCP Relay Agent Beginning in privileged EXEC mode. (Optional) Save your entries in the configuration file. Using the network address enables other servers to respond to DHCP requests. configure terminal service dhcp end show running-config copy running-config startup-config To disable the DHCP relay agent. The general rule is to configure the command on the Layer 3 interface closest to the client. or it can be the network address if other DHCP servers are on the destination network segment. The helper address can be a specific DHCP server address.2 for these procedures: • • Checking (validating) the relay agent information Configuring the relay agent forwarding policy Specifying the Packet Forwarding Address If the DHCP server and the DHCP clients are on different networks or subnets and the switch is running the metro IP access image. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 19-10 OL-9639-10 . this feature is enabled. use the no service dhcp global configuration command. configure terminal interface vlan vlan-id ip address ip-address subnet-mask ip helper-address address Step 5 exit Return to global configuration mode. Configure the interface with an IP address and an IP subnet. If you have multiple servers. Using the network address enables any DHCP server to respond to requests. The address used in the ip helper-address command can be a specific DHCP server IP address. Create a switch virtual interface by entering a VLAN ID. Specify the DHCP packet forwarding address. Enable the DHCP relay agent on your switch.

and enter interface configuration mode. Verify your entries. if necessary. Define the VLAN membership mode for the port. Enable DHCP snooping globally. Assign the ports to the same VLAN as configured in Step 2. or a range of VLAN IDs separated by entering the starting and ending VLAN IDs separated by a space. a range of VLAN IDs separated by hyphens. (Optional) Save your entries in the configuration file. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 19-11 . use the no ip helper-address address interface configuration command. This is the default setting. interface range port-range or interface interface-id Step 7 no shutdown Step 8 Step 9 Step 10 Step 11 Step 12 switchport mode access switchport access vlan vlan-id end show running-config copy running-config startup-config To remove the DHCP packet forwarding address. user network interfaces (UNIs) and enhanced network interfaces (ENIs) are disabled and network node interfaces (NNIs) are enabled. By default. configure terminal ip dhcp snooping ip dhcp snooping vlan vlan-range Step 4 ip dhcp snooping information option Enable the switch to insert and remove DHCP relay information (option-82 field) in forwarded DHCP request messages to the DHCP server. or Configure a single physical port that is connected to the DHCP client. Return to privileged EXEC mode. a series of VLAN IDs separated by commas. Enabling DHCP Snooping and Option 82 Beginning in privileged EXEC mode. The range is 1 to 4094. Enable DHCP snooping on a VLAN or range of VLANs. follow these steps to enable DHCP snooping on the switch: Command Step 1 Step 2 Step 3 Purpose Enter global configuration mode. Enable the interface(s).Chapter 19 Configuring DHCP Features and IP Source Guard Configuring DHCP Features Command Step 6 Purpose Configure multiple physical ports that are connected to the DHCP clients. You can enter a single VLAN ID identified by VLAN ID number. and enter interface range configuration mode.

(Optional) Configure the number of DHCP packets per second that an interface can receive. option format-type circuit-id string Specify the VLAN and port identifier. you might need to increase the rate limit if the port is a trunk port assigned to more than one VLAN on which DHCP snooping is enabled. it is truncated to 63 characters in the remote-ID configuration. using a VLAN ID in the range of 1 [override] ASCII-string to 4094. The range is 1 to 2048. The default is disabled. if necessary. in the format vlan-mod-port. and enter interface configuration mode. The default circuit ID is the port identifier. If you configure rate limiting for trusted interfaces. Step 14 end Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 19-12 OL-9639-10 . You can use the no keyword to configure an interface to receive messages from an untrusted client. Step 12 Step 13 exit ip dhcp snooping verify mac-address Return to global configuration mode. The default remote ID is the switch MAC address. enable the switch to accept incoming DHCP snooping packets with option-82 information from the edge switch. UNIs and ENIs are disabled and NNIs are enabled. By default. Note Step 11 ip dhcp snooping limit rate rate We recommend an untrusted rate limit of not more than 100 packets per second. no rate limit is configured. Step 7 Step 8 Step 9 interface interface-id no shutdown Specify the interface to be configured. ip dhcp snooping vlan vlan information (Optional) Configure the circuit-ID suboption for the specified interface. The default is untrusted. (Optional) Use the override keyword when you do not want the circuit-ID suboption inserted in TLV format to define subscriber information. Enable the port. You can configure the circuit ID to be a string of 3 to 63 ASCII characters (no spaces). By default. Step 6 ip dhcp snooping information option allowed-untrusted (Optional) If the switch is an aggregation switch connected to an edge switch. format remote-id [string ASCII-string | You can configure the remote ID to be: hostname] • String of up to 63 ASCII characters (no spaces) • Note Configured hostname for the switch If the hostname is longer than 63 characters. The default is to verify that the source MAC address matches the client hardware address in the packet. Note You must enter this command only on aggregation switches that are connected to trusted devices. (Optional) Configure the switch to verify that the source MAC address in a DHCP packet that is received on untrusted ports matches the client hardware address in the packet. Return to privileged EXEC mode. Step 10 ip dhcp snooping trust (Optional) Configure the interface as trusted or untrusted.Chapter 19 Configuring DHCP Features Configuring DHCP Features and IP Source Guard Command Step 5 Purpose ip dhcp snooping information option (Optional) Configure the remote-ID suboption.

Chapter 19 Configuring DHCP Features and IP Source Guard Configuring DHCP Features Command Step 15 Step 16 Purpose Verify your entries. including primary and secondary private VLANs. see the “DHCP Configuration Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide. If DHCP snooping is enabled on the primary VLAN. To disable the insertion and removal of the option-82 field. If DHCP snooping is enabled. If DHCP snooping is not configured on the primary VLAN. the configuration is propagated to both a primary VLAN and its associated secondary VLANs. use the no ip dhcp snooping global configuration command. the configuration for the secondary VLAN does not take effect. DHCP Snooping configuration on secondary vlan is derived from its primary vlan.2. If DHCP snooping is already configured on the primary VLAN and you configure DHCP snooping with different settings on a secondary VLAN. follow these steps to enable and configure the DHCP snooping binding database agent on the switch: Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 19-13 . Release 12. show running-config copy running-config startup-config To disable DHCP snooping. You must configure DHCP snooping on the primary VLAN. Enabling the DHCP Snooping Binding Database Agent Beginning in privileged EXEC mode. such as VLAN 200: 2w5d:%DHCP_SNOOPING-4-DHCP_SNOOPING_PVLAN_WARNING:DHCP Snooping configuration may not take effect on secondary vlan 200. To configure an aggregation switch to drop incoming DHCP snooping packets with option-82 information from an edge switch. To disable DHCP snooping on a VLAN or range of VLANs. on which DHCP snooping is enabled. (Optional) Save your entries in the configuration file. The show ip dhcp snooping privileged EXEC command output shows all VLANs. use the no ip dhcp snooping information option global configuration command. use the no ip dhcp snooping vlan vlan-range global configuration command. Enabling the Cisco IOS DHCP Server Database For procedures to enable and configure the Cisco IOS DHCP server database. This example shows how to enable DHCP snooping globally and on VLAN 10 and to configure a rate limit of 100 packets per second on a port: Switch(config)# ip dhcp snooping Switch(config)# ip dhcp snooping vlan 10 Switch(config)# ip dhcp snooping information option Switch(config)# interface gigabitethernet0/1 Switch(config-if)# ip dhcp snooping limit rate 100 Enabling DHCP Snooping on Private VLANs You can enable DHCP snooping on private VLANs. use the no ip dhcp snooping information option allowed-untrusted global configuration command. it is also configured on the secondary VLANs. this message appears when you are configuring DHCP snooping on the secondary VLAN.

To stop using the database agent and binding files. use the renew ip dhcp snooping database privileged EXEC command. Step 7 Step 8 show ip dhcp snooping database [detail] copy running-config startup-config Display the status and statistics of the DHCP snooping binding database agent. ip dhcp snooping binding mac-address (Optional) Add binding entries to the DHCP snooping binding database. The default is 300 seconds (5 minutes). To clear the statistics of the DHCP snooping binding database agent.tar | rcp://user@host/filename}| tftp://host/filename flash:/filename ftp://user:password@host/filename http://[[username:password]@]{hostname | host-ip}[/directory] /image-name. To delete binding entries from the DHCP snooping binding database. Note Use this command when you are testing or debugging the switch.Chapter 19 Configuring DHCP Features Configuring DHCP Features and IP Source Guard Command Step 1 Step 2 Purpose Enter global configuration mode. To renew the database. use the no ip dhcp snooping database global configuration command.To reset the timeout or delay values. use the no ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id privileged EXEC command. (Optional) Save your entries in the configuration file. The range is from 15 to 86400 seconds. use the ip dhcp snooping database timeout seconds or the ip dhcp snooping database write-delay seconds global configuration command. The default is 300 seconds (5 minutes). The range is from 0 to 86400. Enter this command for each entry that you add. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 19-14 OL-9639-10 . Specify the URL for the database agent or the binding file by using one of these forms: • • • • • configure terminal ip dhcp snooping database {flash:/filename | ftp://user:password@host/filename | http://[[username:password]@]{hostna me | host-ip}[/directory] /image-name. The seconds range is from 1 to interface-id expiry seconds 4294967295.tar rcp://user@host/filename tftp://host/filename Step 3 ip dhcp snooping database timeout seconds Specify when to stop the database transfer process after the binding database changes. use the clear ip dhcp snooping database statistics privileged EXEC command. Enter this command for each entry that you delete. Step 4 ip dhcp snooping database write-delay Specify the duration for which the transfer should be delayed after the seconds binding database changes. vlan vlan-id ip-address interface The vlan-id range is from 1 to 4904. Step 5 Step 6 end Return to privileged EXEC mode. Use 0 for an infinite duration.

The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and not a third-party server. Control. they offer connectivity to the directly connected devices. becomes the client identifier. the switch does not delete the manually configured bindings. Clients that do not include the client identifier option are identified by the client hardware address. When you configure this feature. The DHCP protocol recognizes DHCP clients by the client identifier option in the DHCP packet. Configuring DHCP Server Port-Based Address Allocation • • • Default Port-Based Address Allocation Configuration. such as on a factory floor. and other software expect a stable IP address associated with each device. use one or more of the privileged EXEC commands in Table 19-2: Table 19-2 Commands for Displaying DHCP Information Command show ip dhcp snooping show ip dhcp snooping binding show ip dhcp snooping database show ip dhcp snooping statistics show ip source binding Purpose Displays the DHCP snooping configuration for a switch Displays only the dynamically configured bindings in the DHCP snooping binding database. With the current DHCP implementation. Understanding DHCP Server Port-Based Address Allocation DHCP server port-based address allocation is a feature that enables DHCP to maintain the same IP address on an Ethernet switch port regardless of the attached device client identifier or client hardware address. page 19-16 Port-Based Address Allocation Configuration Guidelines. page 19-16 Enabling DHCP Server Port-Based Address Allocation.Chapter 19 Configuring DHCP Features and IP Source Guard Displaying DHCP Snooping Information Displaying DHCP Snooping Information To display the DHCP snooping information. the replacement device must be working immediately in the existing network. also referred to as a binding table. In some environments. if a device fails. When configured. 1. In all cases. monitoring. the address assignment should remain stable even though the DHCP client has changed. Display the dynamically and statically configured bindings. page 19-16 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 19-15 . the switch port. by connecting the Ethernet cable to the same port. there is no guarantee that DHCP would offer the same IP address to the replacement device.1 Displays the DHCP snooping binding database status and statistics. the same IP address is allocated through DHCP to the attached device. the port name of the interface overrides the client identifier or hardware address and the actual point of connection. If DHCP snooping is enabled and an interface changes to the down state. If a device is replaced. When Ethernet switches are deployed in the network. the DHCP server port-based address allocation feature ensures that the same IP address is always offered to the same connected port even as the client identifier or client hardware address changes in the DHCP messages received on that port. Displays the DHCP snooping statistics in summary or detail form.

Configure the DHCP server to use the subscriber identifier as the client identifier on all incoming DHCP messages on the interface. configure terminal ip dhcp use subscriber-id client-id Step 3 ip dhcp subscriber-id interface-name Step 4 Step 5 interface interface-id ip dhcp server use subscriber-id client-id Specify the interface to be configured. follow these steps to globally enable port-based address allocation and to automatically generate a subscriber identifier on an interface. and enter interface configuration mode. A subscriber identifier configured on a specific interface takes precedence over this command.Chapter 19 Configuring DHCP Server Port-Based Address Allocation Configuring DHCP Features and IP Source Guard Default Port-Based Address Allocation Configuration By default. To restrict assignments from the DHCP pool to preconfigured reservations (unreserved addresses are not offered to the client and other clients are not served by the pool). Verify your entries. (Optional) Save your entries in the configuration file. • Enabling DHCP Server Port-Based Address Allocation Beginning in privileged EXEC mode. Preassigned addresses are automatically excluded from normal dynamic IP address assignment. Configure the DHCP server to globally use the subscriber identifier as the client identifier on all incoming DHCP messages. Automatically generate a subscriber identifier based on the short name of the interface. Return to privileged EXEC mode. Command Step 1 Step 2 Purpose Enter global configuration mode. but there can be multiple preassigned addresses per DHCP address pool. Preassigned addresses cannot be used in host pools. DHCP server port-based address allocation is disabled. Port-Based Address Allocation Configuration Guidelines These are the configuration guidelines for DHCP port-based address allocation: • • • Only one IP address can be assigned per port. Step 6 Step 7 Step 8 end show running config copy running-config startup-config Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 19-16 OL-9639-10 . you can enter the reserved-only DHCP pool configuration command. Reserved addresses (preassigned) cannot be cleared by using the clear ip dhcp binding global configuration command.

Enter DHCP pool configuration mode. Step 6 Step 7 Step 8 end show ip dhcp pool copy running-config startup-config To disable DHCP port-based address allocation. The default is to not restrict pool addresses. use the no ip dhcp subscriber-id interface-name global configuration command. By entering this command. Beginning in privileged EXEC mode follow these steps to preassign an IP address and to associate it to a client identified by the interface name. Verify DHCP pool configuration. users can configure a group of switches with DHCP pools that share a common IP subnet and that ignore requests from clients of other switches. To change the address pool to nonrestricted. (Optional) Save your entries in the configuration file. enter the no reserved-only DHCP pool configuration command. use the ip dhcp pool global configuration command to preassign IP addresses and to associate them to clients. and define the name for the DHCP pool. Specify the subnet network number and mask of the DHCP address pool. use the no ip dhcp server use subscriber-id client-id interface configuration command. use the no address ip-address client-id string DHCP pool configuration command. The pool name can be a symbolic string (such as Engineering) or an integer (such as 0). Unreserved addresses that are part of the network or on pool ranges are not offered to the client. Command Step 1 Step 2 Purpose Enter global configuration mode. and other clients are not served by the pool. To remove an IP address reservation from a DHCP pool. you can enter the reserved-only DHCP pool configuration command. Return to privileged EXEC mode. Reserve an IP address for a DHCP client identified by the interface name. use the no ip dhcp use subscriber-id client-id global configuration command. configure terminal ip dhcp pool poolname Step 3 Step 4 network network-number [mask | /prefix-length] address ip-address client-id string [ascii] Step 5 reserved-only (Optional) Use only reserved addresses in the DHCP address pool. string—can be an ASCII value or a hexadecimal value. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 19-17 . To disable the subscriber identifier on an interface. To disable the automatic generation of a subscriber identifier.Chapter 19 Configuring DHCP Features and IP Source Guard Configuring DHCP Server Port-Based Address Allocation After enabling DHCP port-based address allocation on the switch. To restrict assignments from the DHCP pool to preconfigured reservations.

1.7 client-id “Et1/0” ascii <output truncated> This example shows that the preassigned address was correctly reserved in the DHCP pool: Switch# show ip dhcp pool dhcppool Pool dhcp pool: Utilization mark (high/low) : 100 / 0 Subnet size (first/next) : 0 / 0 Total addresses : 254 Leased addresses : 0 Excluded addresses : 4 Pending event : none 1 subnet is currently in the pool: Current index IP address range Leased/Excluded/Total 10.255.1 10.1.com.1 .Chapter 19 Displaying DHCP Server Port-Based Address Allocation Configuring DHCP Features and IP Source Guard In this example.1 10.10.1.0 255..1.1.1. use one or more of the privileged EXEC commands in Table 19-3: Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 19-18 OL-9639-10 . Current configuration : 4899 bytes ! version 12.1. go to Cisco..0 address 10.7 Et1/0 For more information about configuring the DHCP server port-based address allocation feature.7. The subscriber identifier is based on the short name of the interface and the client preassigned IP address 10.1. and enter Cisco IOS IP Addressing Services in the Search field to access the Cisco IOS software documentation.1.1. and the DHCP server ignores any client identifier fields in the DHCP messages and uses the subscriber identifier instead.1. You can also access the documentation here: http://www.html Displaying DHCP Server Port-Based Address Allocation To display the DHCP server port-based address allocation information.2 ! hostname switch ! no aaa new-model clock timezone EST 0 ip subnet-zero ip dhcp relay information policy removal pad no ip dhcp use vrf connected ip dhcp use subscriber-id client-id ip dhcp subscriber-id interface-name ip dhcp excluded-address 10.1.1.1.255.1.1. switch# show running config Building configuration.254 0 / 4 / 254 1 reserved address is currently in the pool Address Client 10.1.1. a subscriber identifier is automatically generated.com/en/US/docs/ios/ipaddr/command/reference/iad_book.cisco.3 ! ip dhcp pool dhcppool network 10.

The IP source binding table has bindings that are learned by DHCP snooping or are manually configured (static IP source bindings). The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table. the switch modifies the port ACL using the IP source binding changes. and its associated VLAN number. the switch creates and applies a port ACL that denies all IP traffic on the interface. Display address bindings on the Cisco IOS DHCP server. Note The port ACL takes precedence over any router ACLs or VLAN maps that affect the same interface. After IPSG is enabled on an interface. the switch blocks all IP traffic received on the interface except for DHCP packets allowed by DHCP snooping. These sections contain this information: • • • Source IP Address Filtering. A port access control list (ACL) is applied to the interface. its associated MAC address. the switch removes the port ACL from the interface. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 19-19 . IP source guard is supported only on Layer 2 ports. The switch uses the IP source binding table only when IP source guard is enabled. and re-applies the port ACL to the interface. You can enable IP source guard when DHCP snooping is enabled on an untrusted interface. page 19-20 IP Source Guard for Static Hosts. or deleted on an interface. If you disable IP source guard. You can use IP source guard to prevent traffic attacks if a host tries to use the IP address of its neighbor. An entry in this table has an IP address. If you enable IP source guard on an interface on which IP source bindings (dynamically learned by DHCP snooping or manually configured) are not configured. Understanding IP Source Guard IPSG is a security feature that restricts IP traffic on nonrouted. page 19-19 Source IP and MAC Address Filtering. including access and trunk ports. The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic. page 19-20 Source IP Address Filtering When IP source guard is enabled with this option. Display the DHCP address pools. Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. changed.Chapter 19 Configuring DHCP Features and IP Source Guard Understanding IP Source Guard Table 19-3 Commands for Displaying DHCP Port-Based Address Allocation Information Command show interface interface id show ip dhcp pool show ip dhcp binding Purpose Display the status and configuration of a specific interface.You can configure IP source guard with source IP address filtering or with source IP and MAC address filtering. When a DHCP snooping binding or static IP source binding is added. IP traffic is filtered based on the source IP address.

IPSG for static hosts initially learns IP or MAC bindings dynamically through an ACL-based snooping mechanism. Multiple bindings are established on a port that is connected to both DHCP and static hosts. the hardware drops any packet with a new IP address. IP traffic is filtered based on the source IP and MAC addresses. IP Source Guard for Static Hosts Note Do not use IPSG (IP source guard) for static hosts on uplink ports or trunk ports. the switch filters IP and non-IP traffic. IPSG for static hosts extends the IPSG capability to non-DHCP and static environments. Any traffic received from a host without a valid DHCP binding entry is dropped. The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table. The switch creates static entries based on ARP requests or other IP packets to maintain the list of valid hosts for a given port. the same entry is learned by the IP device tracking table. When the number of IP addresses that have been dynamically learned or statically configured on a given port reaches a maximum. To resolve hosts that have moved or gone away for any reason. If a dynamic host receives a DHCP-assigned IP address that is available in the IP DHCP snooping table. The invalid packets can cause IPSG for static hosts to connect to the host. to learn the invalid IP or MAC address bindings. This is equivalent to port security at Layer 3. The invalid packets contain the IP or MAC address for another network interface of the host as the source address. This security feature restricts IP traffic on nonrouted Layer 2 interfaces. the switch forwards the packet. IPSG for static hosts leverages IP device tracking to age out dynamically learned IP address bindings. The interface can shut down when a port-security violation occurs. Note Some IP hosts with multiple network interfaces can inject some invalid packets into a network interface. For example. The previous version of IPSG required a DHCP environment for IPSG to work. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 19-20 OL-9639-10 . IPSG for static hosts also supports dynamic hosts. IPSG for static hosts relies on IP device tracking-table entries to install port ACLs. IPSG for static hosts allows IPSG to work without DHCP. The switch drops all other types of packets except DHCP packets. It filters traffic based on the DHCP snooping binding database and on manually configured IP source bindings. You can also specify the number of hosts allowed to send traffic to a given port. Consult the vender of the corresponding operating system and the network interface to prevent the host from injecting invalid packets. This feature can be used with DHCP snooping. If the source MAC address of an IP or non-IP packet matches a valid IP source binding. When IP source guard with source IP and MAC address filtering is enabled. the IP device tracking table displays the entries as ACTIVE. They are stored in the device tracking database. The previous IPSG used the entries created by DHCP snooping to validate the hosts connected to a switch. IP or MAC bindings are learned from static hosts by ARP and IP packets. bindings are stored in both the device tracking database as well as in the DHCP snooping binding database. When you enter the show ip device tracking all EXEC command. The switch uses port security to filter source MAC addresses.Chapter 19 Understanding IP Source Guard Configuring DHCP Features and IP Source Guard Source IP and MAC Address Filtering When IP source guard is enabled with this option. and to reject the valid bindings.

follow these steps to enable and configure IP source guard on an interface. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 19-21 . You must also enter the ip dhcp snooping information option global configuration command and ensure that the DHCP server supports option 82. IP Source Guard Configuration Guidelines These are the configuration guides for IP source guard: • You can configure static IP bindings only on nonrouted ports. If you are enabling IP source guard on a trunk interface with multiple VLANs and DHCP snooping is enabled on all the VLANs. page 19-21 Enabling IP Source Guard. You can enable this feature when IEEE 802. When forwarding packets from the server to the host. If the number of ternary content addressable memory (TCAM) entries exceeds the maximum available. IP source guard is disabled. port security is not supported. DHCP snooping must be enabled on the access VLAN to which the interface belongs. page 19-21 IP Source Guard Configuration Guidelines. If you enter the ip source binding mac-address vlan vlan-id ip-address interface interface-id global configuration command on a routed interface. When IP source guard is enabled with MAC address filtering. • If you enable IP source guard with source IP and MAC address filtering. the CPU usage increases. this error message appears: Static IP source binding can only be configured on switch port. IP source guard is not supported on EtherChannels. DHCP snooping and port security must be enabled on the interface. the source IP address filter is applied on all the VLANs. DHCP snooping uses option-82 data to identify the host port. page 19-21 Default IP Source Guard Configuration By default.1x port-based authentication is enabled. When configuring IP source guard on interfaces on which a private VLAN is configured. • • When IP source guard with source IP filtering is enabled on an interface. • • • • Enabling IP Source Guard Beginning in privileged EXEC mode. the DHCP host MAC address is not learned until the host is granted a lease.Chapter 19 Configuring DHCP Features and IP Source Guard Configuring IP Source Guard Configuring IP Source Guard • • • Default IP Source Guard Configuration. Note If IP source guard is enabled and you enable or disable DHCP snooping on a VLAN on the trunk interface. the switch might not properly filter traffic.

0. Return to privileged EXEC mode. Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# ip verify source port-security Switch(config-if)# exit Switch(config)# ip source binding 0100. Enable IP source guard with source IP and MAC address filtering. Note configure terminal interface interface-id no shutdown ip verify source or ip verify source port-security When you enable both IP Source Guard and Port Security by using the ip verify source port-security interface configuration command. Display the IP source bindings on the switch.0010 vlan 10 10.0.0022. By default. or on a specific interface. or the client is not assigned an IP address. To delete a static IP source binding entry. Enter this command for each static binding. (Optional) Save your entries in the configuration file.4 interface gigabitethernet0/1 Switch(config)# end Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 19-22 OL-9639-10 .Chapter 19 Configuring IP Source Guard Configuring DHCP Features and IP Source Guard Command Step 1 Step 2 Step 3 Step 4 Purpose Enter global configuration mode.0230.0002 vlan 11 10. Step 5 Step 6 exit ip source binding mac-address vlan vlan-id ip-address inteface interface-id end show ip verify source [interface interface-id] show ip source binding [ip-address] [mac-address] [dhcp-snooping | static] [inteface interface-id] [vlan vlan-id] copy running-config startup-config Return to global configuration mode. there are two caveats: • • The DHCP server must support option 82. on a specific VLAN.2 interface gigabitethernet0/1 Switch(config)# ip source binding 0100. Enable the port. Display the IP source guard configuration for all interfaces or for a specific interface. use the no ip source global configuration command. This example shows how to enable IP source guard with source IP and MAC filtering on VLANs 10 and 11: Switch# configure terminal Enter configuration commands. and enter interface configuration mode. The MAC address in the DHCP packet is not learned as a secure address. End with CNTL/Z. use the no ip verify source interface configuration command. if necessary. The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic.0. Add a static IP source binding. Enable IP source guard with source IP address filtering. Specify the interface to be configured. one per line.0. UNIs and ENIs are disabled and NNIs are enabled. Step 7 Step 8 Step 9 Step 10 To disable IP source guard with source IP address filtering.

This requirement also applies to IPSG with static hosts on a private VLAN host port. The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic. (Optional) Establish a maximum of MAC addresses for this port. IPSG with static hosts rejects all the IP traffic from that interface. Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL-9639-10 19-23 . The range is 1to 10. Return to privileged EXEC mode. If you only configure this command on a port without enabling IP device tracking globally or by setting an IP device tracking maximum on that interface. Enter interface configuration mode.Chapter 19 Configuring DHCP Features and IP Source Guard Configuring IP Source Guard Configuring IP Source Guard for Static Hosts • • Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port. Beginning in privileged EXEC mode: Command Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Purpose Enter global configuration mode. The maximum number is 10. Step 7 ip device tracking maximum number Establish a maximum limit for the number of static IPs that the IP device tracking table allows on the port. The MAC address in the DHCP packet is not learned as a secure address. and globally enable IP device tracking. Note You must configure the ip device tracking maximum limit-number interface configuration command. Enable IPSG for static hosts with MAC address filtering. Note configure terminal ip device tracking interface interface-id switchport mode access switchport access vlan vlan-id