Professional Documents
Culture Documents
2(5)E
(Catalyst 2960-X Switches)
First Published: 2016-07-28
Last Modified: 2016-11-28
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version
of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://
www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
iii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
iv
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
v
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
vi
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
vii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
viii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
ix
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
x
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xi
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xii
Contents
How a Switch or Port Becomes the Root Switch or Root Port 203
Spanning Tree and Redundant Connectivity 203
Spanning-Tree Address Management 204
Accelerated Aging to Retain Connectivity 204
Spanning-Tree Modes and Protocols 205
Supported Spanning-Tree Instances 205
Spanning-Tree Interoperability and Backward Compatibility 206
STP and IEEE 802.1Q Trunks 206
VLAN-Bridge Spanning Tree 206
Spanning Tree and Switch Stacks 207
Default Spanning-Tree Configuration 207
How to Configure Spanning-Tree Features 208
Changing the Spanning-Tree Mode 208
Disabling Spanning Tree 210
Configuring the Root Switch 210
Configuring a Secondary Root Device 212
Configuring Port Priority 213
Configuring Path Cost 214
Configuring the Device Priority of a VLAN 215
Configuring the Hello Time 216
Configuring the Forwarding-Delay Time for a VLAN 217
Configuring the Maximum-Aging Time for a VLAN 218
Configuring the Transmit Hold-Count 219
Monitoring Spanning-Tree Status 220
Feature Information for STP 220
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xiii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xiv
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xv
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xvi
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xvii
Contents
CHAPTER 20 Configuring Flex Links and the MAC Address-Table Move Update Feature 345
Finding Feature Information 345
Restrictions for Configuring Flex Links and MAC Address-Table Move Update 345
Information About Flex Links and MAC Address-Table Move Update 346
Flex Links 346
Flex Links Configuration 347
VLAN Flex Links Load Balancing and Support 347
Multicast Fast Convergence with Flex Links Failover 348
Learning the Other Flex Links Port as the mrouter Port 348
Generating IGMP Reports 348
Leaking IGMP Reports 349
MAC Address-Table Move Update 349
Flex Links VLAN Load Balancing Configuration Guidelines 351
MAC Address-Table Move Update Configuration Guidelines 351
Default Flex Links and MAC Address-Table Move Update Configuration 351
How to Configure Flex Links and the MAC Address-Table Move Update Feature 352
Configuring Flex Links 352
Configuring a Preemption Scheme for a Pair of Flex Links 353
Configuring VLAN Load Balancing on Flex Links 354
Configuring MAC Address-Table Move Update 355
Configuring a Switch to Obtain and Process MAC Address-Table Move Update
Messages 357
Monitoring Flex Links, Multicast Fast Convergence, and MAC Address-Table Move
Update 357
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xviii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xix
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xx
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxi
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxiii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxiv
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxv
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxvi
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxvii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxviii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxix
Contents
CHAPTER 34 Controlling Switch Access with Passwords and Privilege Levels 693
Finding Feature Information 693
Restrictions for Controlling Switch Access with Passwords and Privileges 693
Information About Passwords and Privilege Levels 694
Default Password and Privilege Level Configuration 694
Additional Password Security 694
Password Recovery 695
Terminal Line Telnet Configuration 695
Username and Password Pairs 695
Privilege Levels 695
How to Control Switch Access with Passwords and Privilege Levels 696
Setting or Changing a Static Enable Password 696
Protecting Enable and Enable Secret Passwords with Encryption 698
Disabling Password Recovery 699
Setting a Telnet Password for a Terminal Line 700
Configuring Username and Password Pairs 702
Setting the Privilege Level for a Command 704
Changing the Default Privilege Level for Lines 705
Logging into and Exiting a Privilege Level 706
Monitoring Switch Access 707
Configuration Examples for Setting Passwords and Privilege Levels 707
Example: Setting or Changing a Static Enable Password 707
Example: Protecting Enable and Enable Secret Passwords with Encryption 707
Example: Setting a Telnet Password for a Terminal Line 708
Example: Setting the Privilege Level for a Command 708
Additional References 708
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxx
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxxi
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxxii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxxiii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxxiv
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxxv
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxxvi
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxxvii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxxviii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xxxix
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xl
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xli
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xlii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xliii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xliv
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xlv
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xlvi
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xlvii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xlviii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
xlix
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
l
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
li
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
liii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
liv
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lv
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lvi
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lvii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lviii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lix
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lx
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxi
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxiii
Contents
PART XIV Working with the Cisco IOS File System, Configuration Files, and Software Images 1599
CHAPTER 72 Working with the Cisco IOS File System, Configuration Files, and Software Images 1601
Working with the Flash File System 1601
Information About the Flash File System 1601
Displaying Available File Systems 1602
Setting the Default File System 1604
Displaying Information About Files on a File System 1604
Changing Directories and Displaying the Working Directory 1605
Creating Directories 1606
Removing Directories 1606
Copying Files 1607
Copying Files from One Switch in a Stack to Another Switch in the Same
Stack 1607
Deleting Files 1608
Creating, Displaying and Extracting Files 1609
Working with Configuration Files 1611
Information on Configuration Files 1611
Guidelines for Creating and Using Configuration Files 1611
Configuration File Types and Location 1612
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxiv
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxv
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxvi
Contents
CHAPTER 74 Information About Writing EEM Policies Using the Cisco IOS CLI 1671
Finding Feature Information 1671
Prerequisites for Writing EEM Policies Using the Cisco IOS CLI 1671
Information About Writing EEM Policies Using the Cisco IOS CLI 1672
Embedded Event Manager Policies 1672
EEM Applet 1672
EEM Script 1672
Embedded Event Manager Built-In Environment Variables Used in EEM Applets 1673
How to Write EEM Policies Using the Cisco IOS CLI 1684
Registering and Defining an Embedded Event Manager Applet 1684
EEM Environment Variables 1685
Alphabetical Order of EEM Action Labels 1685
Troubleshooting Tips 1688
Registering and Defining an EEM Tcl Script 1688
Unregistering Embedded Event Manager Policies 1690
Suspending All Embedded Event Manager Policy Execution 1691
Displaying Embedded Event Manager History Data 1692
Displaying Embedded Event Manager Registered Policies 1694
Configuring Event SNMP Notification 1695
Configuring Multiple Event Support 1696
Setting the Event Configuration Parameters 1696
Configuring EEM Class-Based Scheduling 1698
Holding a Scheduled EEM Policy Event or Event Queue 1698
Resuming Execution of EEM Policy Events or Event Queues 1700
Clearing Pending EEM Policy Events or Event Queues 1701
Modifying the Scheduling Parameters of EEM Policy Events or Event Queues 1702
Verifying Class-Based Active EEM Policies 1703
Verifying Class-Based Active EEM Policies 1703
Verifying Pending EEM Policies 1704
Configuring EEM Applet (Interactive CLI) Support 1704
Reading and Writing Input from the Active Console for Synchronous EEM
Applets 1704
Reading Input from the Active Console 1705
Writing Input to the Active Console 1706
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxvii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxviii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxix
Contents
Configuration Examples for Writing Embedded Event Manager Policies Using Tcl 1778
Assigning a Username for a Tcl Session Examples 1778
EEM Event Detector Demo Examples 1779
Programming Policies with Tcl Sample Scripts Example 1787
Debugging Embedded Event Manager Policies Examples 1795
Tracing Tcl set Command Operations Example 1797
RPC Event Detector Example 1797
Additional References 1799
Feature Information for Writing EEM 4.0 Policies Using the Cisco IOS CLI 1800
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxx
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxxi
Contents
event_register_nf 1886
event_register_none 1890
event_register_oir 1892
event_register_process 1894
event_register_resource 1898
event_register_rf 1900
event_register_routing 1903
event_register_rpc 1906
event_register_snmp 1909
event_register_snmp_notification 1914
event_register_snmp_object 1917
event_register_syslog 1920
event_register_timer 1924
event_register_timer_subscriber 1929
event_register_track 1932
event_register_wdsysmon 1934
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxxii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxxiii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxxiv
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxxv
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxxvi
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxxvii
Contents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxxviii
Preface
This book describes configuration information and examples for Flexible NetFlow on the switch.
Document Conventions
This document uses the following conventions:
Convention Description
^ or Ctrl Both the ^ symbol and Ctrl represent the Control (Ctrl) key on a keyboard. For
example, the key combination ^D or Ctrl-D means that you hold down the Control
key while you press the D key. (Keys are indicated in capital letters but are not
case sensitive.)
bold font Commands and keywords and user-entered text appear in bold font.
Italic font Document titles, new or emphasized terms, and arguments for which you supply
values are in italic font.
Courier font Terminal sessions and information the system displays appear in courier font.
Bold Courier font Bold Courier font indicates text that the user must enter.
... An ellipsis (three consecutive nonbolded periods without spaces) after a syntax
element indicates that the element can be repeated.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxxix
Preface
Document Conventions
Convention Description
[x | y] Optional alternative keywords are grouped in brackets and separated by vertical
bars.
[x {y | z}] Nested set of square brackets or braces indicate optional or required choices
within optional or required elements. Braces and a vertical bar within square
brackets indicate a required choice within an optional element.
string A nonquoted set of characters. Do not use quotation marks around the string or
the string will include the quotation marks.
!, # An exclamation point (!) or a pound sign (#) at the beginning of a line of code
indicates a comment line.
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the
manual.
Tip Means the following information will help you solve a problem.
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage
or loss of data.
Timesaver Means the described action saves time. You can save time by performing the action described in the
paragraph.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxxx
Preface
Related Documentation
Related Documentation
Note Before installing or upgrading the switch, refer to the switch release notes.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxxxi
Preface
Obtaining Documentation and Submitting a Service Request
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
lxxxii
CHAPTER 1
Using the Command-Line Interface
• Information About Using the Command-Line Interface, page 1
• How to Use the CLI to Configure Features, page 5
Command Modes
The Cisco IOS user interface is divided into many different modes. The commands available to you depend
on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands
available for each command mode.
You can start a CLI session through a console connection, through Telnet, an SSH, or by using the browser.
When you start a session, you begin in user mode, often called user EXEC mode. Only a limited subset of
the commands are available in user EXEC mode. For example, most of the user EXEC commands are one-time
commands, such as show commands, which show the current configuration status, and clear commands,
which clear counters or interfaces. The user EXEC commands are not saved when the switch reboots.
To have access to all commands, you must enter privileged EXEC mode. Normally, you must enter a password
to enter privileged EXEC mode. From this mode, you can enter any privileged EXEC command or enter
global configuration mode.
Using the configuration modes (global, interface, and line), you can make changes to the running configuration.
If you save the configuration, these commands are stored and used when the switch reboots. To access the
various configuration modes, you must start at global configuration mode. From global configuration mode,
you can enter interface configuration mode and line configuration mode .
This table describes the main command modes, how to access each one, the prompt you see in that mode, and
how to exit the mode.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1
Using the Command-Line Interface
Command Modes
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
2
Using the Command-Line Interface
Understanding Abbreviated Commands
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
3
Using the Command-Line Interface
CLI Error Messages
% Incomplete command. You did not enter all of the Reenter the command followed by
keywords or values required by this a question mark (?) with a space
command. between the command and the
question mark.
The possible keywords that you can
enter with the command appear.
% Invalid input detected at You entered the command Enter a question mark (?) to display
‘^’ marker.
incorrectly. The caret (^) marks the all of the commands that are
point of the error. available in this command mode.
The possible keywords that you can
enter with the command appear.
Configuration Logging
You can log and view changes to the switch configuration. You can use the Configuration Change Logging
and Notification feature to track changes on a per-session and per-user basis. The logger tracks each
configuration command that is applied, the user who entered the command, the time that the command was
entered, and the parser return code for the command. This feature includes a mechanism for asynchronous
notification to registered applications whenever the configuration changes. You can choose to have the
notifications sent to the syslog.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
4
Using the Command-Line Interface
How to Use the CLI to Configure Features
Procedure
Example:
Switch# sh conf<tab>
Switch# show configuration
Example:
Switch> show ?
Example:
Switch(config)# cdp holdtime ?
<10-255> Length of time (in sec) that
receiver must keep this packet
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
5
Using the Command-Line Interface
Configuring the Command History
Procedure
Recalling Commands
To recall commands from the history buffer, perform one of the actions listed in this table. These actions are
optional.
Note The arrow keys function only on ANSI-compatible terminals such as VT100s.
Procedure
Step 2 Ctrl-N or use the down Returns to more recent commands in the history buffer after
arrow key recalling commands with Ctrl-P or the up arrow key. Repeat the
key sequence to recall successively more recent commands.
Step 3 show history Lists the last several commands that you just entered in privileged
EXEC mode. The number of commands that appear is controlled
Example: by the setting of the terminal history global configuration
Switch# show history command and the history line configuration command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
6
Using the Command-Line Interface
Enabling and Disabling Editing Features
Procedure
Procedure
Step 2 terminal no editing Disables the enhanced editing mode for the current
terminal session in privileged EXEC mode.
Example:
Switch# terminal no editing
Note The arrow keys function only on ANSI-compatible terminals such as VT100s.
Ctrl-B or use the left arrow key Moves the cursor back one character.
Ctrl-F or use the right arrow key Moves the cursor forward one character.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
7
Using the Command-Line Interface
Enabling and Disabling Editing Features
Delete or Backspace key Erases the character to the left of the cursor.
Ctrl-U or Ctrl-X Deletes all characters from the cursor to the beginning
of the command line.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
8
Using the Command-Line Interface
Enabling and Disabling Editing Features
Note The arrow keys function only on ANSI-compatible terminals such as VT100s.
The following example shows how to wrap a command line that extends beyond a single line on the screen.
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
9
Using the Command-Line Interface
Searching and Filtering Output of show and more Commands
Procedure
Note We recommend using one CLI session when managing the switch stack.
If you want to configure a specific stack member port, you must include the stack member number in the CLI
command interface notation.
To debug the standby switch, use the session standby ios privileged EXEC command from the active switch
to access the IOS console of the standby switch. To debug a specific stack member, use the session switch
stack-member-number privileged EXEC command from the active switch to access the diagnostic shell of
the stack member. For more information about these commands, see the switch command reference.
To debug a specific stack member, you can start a CLI session from the stack master by using the session
stack-member-number privileged EXEC command. The stack member number is appended to the system
prompt. For example, Switch-2# is the prompt for stack member 2 where the system prompt for the stack
master is Switch. Only the show and debug commands are available in a CLI session to a specific stack
member. You can also use the remote command stack-member-number LINE privileged EXEC command
on the stack master to enable debugging on a member switch without first starting a session.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
10
Using the Command-Line Interface
Accessing the CLI Through a Console Connection or Through Telnet
After you connect through the console port, through the Ethernet management port, through a Telnet
session or through an SSH session, the user EXEC prompt appears on the management station.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
11
Using the Command-Line Interface
Accessing the CLI Through a Console Connection or Through Telnet
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
12
PART I
Interface and Hardware
• Configuring Interface Characteristics, page 15
• Configuring Auto-MDIX, page 43
• Configuring Ethernet Management Port, page 47
• Configuring LLDP, LLDP-MED, and Wired Location Service, page 53
• Configuring System MTU, page 71
• Configuring Boot Fast, page 75
• Configuring PoE, page 79
• Configuring 2-event Classification, page 95
• Configuring EEE, page 97
CHAPTER 2
Configuring Interface Characteristics
• Finding Feature Information, page 15
• Information About Configuring Interface Characteristics, page 15
• How to Configure Interface Characteristics, page 24
• Monitoring Interface Characteristics, page 35
• Configuration Examples for Interface Characteristics, page 37
• Additional References for the Interface Characteristics Feature, page 40
• Feature History and Information for Configuring Interface Characteristics, page 41
Interface Types
This section describes the different types of interfaces supported by the switch. The rest of the chapter describes
configuration procedures for physical interface characteristics.
Note The stack ports on the rear of the stacking-capable switches are not Ethernet ports and cannot be configured.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
15
Information About Configuring Interface Characteristics
Port-Based VLANs
A VLAN is a switched network that is logically segmented by function, team, or application, without regard
to the physical location of the users. Packets received on a port are forwarded only to ports that belong to the
same VLAN as the receiving port. Network devices in different VLANs cannot communicate with one another
without a Layer 3 device to route traffic between the VLANs.
VLAN partitions provide hard firewalls for traffic in the VLAN, and each VLAN has its own MAC address
table. A VLAN comes into existence when a local port is configured to be associated with the VLAN, when
the VLAN Trunking Protocol (VTP) learns of its existence from a neighbor on a trunk, or when a user creates
a VLAN. VLANs can be formed with ports across the stack.
To configure VLANs, use the vlan vlan-id global configuration command to enter VLAN configuration mode.
The VLAN configurations for normal-range VLANs (VLAN IDs 1 to 1005) are saved in the VLAN database.
If VTP is version 1 or 2, to configure extended-range VLANs (VLAN IDs 1006 to 4094), you must first set
VTP mode to transparent. Extended-range VLANs created in transparent mode are not added to the VLAN
database but are saved in the switch running configuration. With VTP version 3, you can create extended-range
VLANs in client or server mode. These VLANs are saved in the VLAN database.
In a switch stack, the VLAN database is downloaded to all switches in a stack, and all switches in the stack
build the same VLAN database. The running configuration and the saved configuration are the same for all
switches in a stack.
Add ports to a VLAN by using the switchport interface configuration commands:
• Identify the interface.
• For a trunk port, set trunk characteristics, and, if desired, define the VLANs to which it can belong.
• For an access port, set and define the VLAN to which it belongs.
Switch Ports
Switch ports are Layer 2-only interfaces associated with a physical port. Switch ports belong to one or more
VLANs. A switch port can be an access port or a trunk port. You can configure a port as an access port or
trunk port or let the Dynamic Trunking Protocol (DTP) operate on a per-port basis to set the switchport mode
by negotiating with the port on the other end of the link. switch ports are used for managing the physical
interface and associated Layer 2 protocols and do not handle routing or bridging.
Configure switch ports by using the switchport interface configuration commands.
Access Ports
An access port belongs to and carries the traffic of only one VLAN (unless it is configured as a voice VLAN
port). Traffic is received and sent in native formats with no VLAN tagging. Traffic arriving on an access port
is assumed to belong to the VLAN assigned to the port. If an access port receives a tagged packet (Inter-Switch
Link [ISL] or IEEE 802.1Q tagged), the packet is dropped, and the source address is not learned.
The types of access ports supported are:
• Static access ports are manually assigned to a VLAN (or through a RADIUS server for use with IEEE
802.1x.
• VLAN membership of dynamic access ports is learned through incoming packets. By default, a dynamic
access port is not a member of any VLAN, and forwarding to and from the port is enabled only when
the VLAN membership of the port is discovered. Dynamic access ports on the switch are assigned to a
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
16
Information About Configuring Interface Characteristics
VLAN by a VLAN Membership Policy Server (VMPS). The VMPS can be a Catalyst 6500 series switch;
the switch cannot be a VMPS server.
You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and
another VLAN for data traffic from a device attached to the phone.
Trunk Ports
A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN
database.
The switch supports only IEEE 802.1Q trunk ports. An IEEE 802.1Q trunk port supports simultaneous tagged
and untagged traffic. An IEEE 802.1Q trunk port is assigned a default port VLAN ID (PVID), and all untagged
traffic travels on the port default PVID. All untagged traffic and tagged traffic with a NULL VLAN ID are
assumed to belong to the port default PVID. A packet with a VLAN ID equal to the outgoing port default
PVID is sent untagged. All other traffic is sent with a VLAN tag.
Although by default, a trunk port is a member of every VLAN known to the VTP, you can limit VLAN
membership by configuring an allowed list of VLANs for each trunk port. The list of allowed VLANs does
not affect any other port but the associated trunk port. By default, all possible VLANs (VLAN ID 1 to 4094)
are in the allowed list. A trunk port can become a member of a VLAN only if VTP knows of the VLAN and
if the VLAN is in the enabled state. If VTP learns of a new, enabled VLAN and the VLAN is in the allowed
list for a trunk port, the trunk port automatically becomes a member of that VLAN and traffic is forwarded
to and from the trunk port for that VLAN. If VTP learns of a new, enabled VLAN that is not in the allowed
list for a trunk port, the port does not become a member of the VLAN, and no traffic for the VLAN is forwarded
to or from the port.
SVIs provide IP host connectivity only to the system. SVIs are created the first time that you enter the vlan
interface configuration command for a VLAN interface. The VLAN corresponds to the VLAN tag associated
with data frames on an ISL or IEEE 802.1Q encapsulated trunk or the VLAN ID configured for an access
port. Configure a VLAN interface for each VLAN for which you want to route traffic, and assign it an IP
address.
Although the switch stack or switch supports a total of 1005 VLANs and SVIs, the interrelationship between
the number of SVIs and routed ports and the number of other features being configured might impact CPU
performance because of hardware limitations.
When you create an SVI, it does not become active until it is associated with a physical port.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
17
Information About Configuring Interface Characteristics
Note The protocol link state for VLAN interfaces come up when the first switchport belonging to the
corresponding VLAN link comes up and is in STP forwarding state.
The default action, when a VLAN has multiple ports, is that the SVI goes down when all ports in the VLAN
go down. You can use the SVI autostate exclude feature to configure a port so that it is not included in the
SVI line-state up-or-down calculation. For example, if the only active port on the VLAN is a monitoring port,
you might configure autostate exclude on that port so that the VLAN goes down when all other ports go down.
When enabled on a port, autostate exclude applies to all VLANs that are enabled on that port.
The VLAN interface is brought up when one Layer 2 port in the VLAN has had time to converge (transition
from STP listening-learning state to forwarding state). This prevents features such as routing protocols from
using the VLAN interface as if it were fully operational and minimizes other problems, such as routing black
holes.
A powered device can receive redundant power when it is connected to a PoE switch port and to an AC power
source. The device does not receive redundant power when it is only connected to the PoE port.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
18
Information About Configuring Interface Characteristics
Console output appears on devices connected to both ports, but console input is active on only one port at a
time. By default, the USB connector takes precedence over the RJ-45 connector.
Note Windows PCs require a driver for the USB port. See the hardware installation guide for driver installation
instructions.
Use the supplied USB Type A-to-USB mini-Type B cable to connect a PC or other device to the switch. The
connected device must include a terminal emulation application. When the switch detects a valid USB
connection to a powered-on device that supports host functionality (such as a PC), input from the RJ-45
console is immediately disabled, and input from the USB console is enabled. Removing the USB connection
immediately reenables input from the RJ-45 console connection. An LED on the switch shows which console
connection is in use.
switch-stack-1
*Mar 1 00:01:00.171: %USB_CONSOLE-6-MEDIA_RJ45: Console media-type is RJ45.
*Mar 1 00:01:00.431: %USB_CONSOLE-6-MEDIA_USB: Console media-type is USB.
switch-stack-2
*Mar 1 00:01:09.835: %USB_CONSOLE-6-MEDIA_RJ45: Console media-type is RJ45.
switch-stack-3
*Mar 1 00:01:10.523: %USB_CONSOLE-6-MEDIA_RJ45: Console media-type is RJ45.
When the USB cable is removed or the PC de-activates the USB connection, the hardware automatically
changes to the RJ-45 console interface:
switch-stack-1
Mar 1 00:20:48.635: %USB_CONSOLE-6-MEDIA_RJ45: Console media-type is RJ45.
You can configure the console type to always be RJ-45, and you can configure an inactivity timeout for the
USB connector.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
19
Information About Configuring Interface Characteristics
For information about configuring the switch to boot from a USB flash drive, refer to the Catalyst 2960-X
Switch System Management Configuration Guide.
For information about reading, writing, erasing, and copying files to or from the flash device, refer to the
Catalyst 2960-X Switch Managing Cisco IOS Image Files Configuration Guide.
Interface Connections
Devices within a single VLAN can communicate directly through any switch. Ports in different VLANs cannot
exchange data without going through a routing device.
In the following configuration example, when Host A in VLAN 20 sends data to Host B in VLAN 30, the
data must go from Host A to the switch, to the router, back to the switch, and then to Host B.
With a standard Layer 2 switch, ports in different VLANs have to exchange information through a router.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
20
Information About Configuring Interface Characteristics
• Stack member number—The number that identifies the switch within the stack. The range is 1 to 8 for
a stack of Catalyst 2960-X switches, and 1 to 4 for a mixed stack of Catalyst 2960-X and Catalyst 2960-S
switches. The switch number is assigned the first time the switch initializes. The default switch number,
before it is integrated into a switch stack, is 1. When a switch has been assigned a stack member number,
it keeps that number until another is assigned to it.
You can use the switch port LEDs in Stack mode to identify the stack member number of a switch.
• Module number—The module or slot number on the switch (always 0).
• Port number—The interface number on the switch. The 10/100/1000 port numbers always begin at 1,
starting with the far left port when facing the front of the switch, for example, gigabitethernet1/0/1 or
gigabitethernet1/0/8. For a switch with 10/100/1000 ports and SFP module ports, SFP module ports are
numbered consecutively following the 10/100/1000 ports.
You can identify physical interfaces by physically checking the interface location on the switch. You can also
use the show privileged EXEC commands to display information about a specific interface or all the interfaces
on the switch. The remainder of this chapter primarily provides physical interface configuration procedures.
These are examples of how to identify interfaces on a stacking-capable switch:
• To configure 10/100/1000 port 4 on a standalone switch, enter this command:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
21
Information About Configuring Interface Characteristics
Flow control Flow control is set to receive: off. It is always off for
sent packets.
Auto-MDIX Enabled.
Note The switch might not support a pre-standard
powered device—such as Cisco IP phones
and access points that do not fully support
IEEE 802.3af—if that powered device is
connected to the switch through a crossover
cable. This is regardless of whether
auto-MIDX is enabled on the switch port.
Power over Ethernet (PoE) Enabled (auto).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
22
Information About Configuring Interface Characteristics
• If both ends of the line support autonegotiation, we highly recommend the default setting of auto
negotiation.
• If one interface supports autonegotiation and the other end does not, configure duplex and speed on both
interfaces; do not use the auto setting on the supported side.
• When STP is enabled and a port is reconfigured, the switch can take up to 30 seconds to check for loops.
The port LED is amber while STP reconfigures.
Caution Changing the interface speed and duplex mode configuration might shut down and re-enable the interface
during the reconfiguration.
Note The switch ports can receive, but not send, pause frames.
You use the flowcontrol interface configuration command to set the interface’s ability to receive pause frames
to on, off, or desired. The default state is off.
When set to desired, an interface can operate with an attached device that is required to send flow-control
packets or with an attached device that is not required to but can send flow-control packets.
These rules apply to flow control settings on the device:
• receive on (or desired): The port cannot send pause frames but can operate with an attached device that
is required to or can send pause frames; the port can receive pause frames.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
23
How to Configure Interface Characteristics
• receive off: Flow control does not operate in either direction. In case of congestion, no indication is
given to the link partner, and no pause frames are sent or received by either device.
Note For details on the command settings and the resulting flow control resolution on local and remote ports,
see the flowcontrol interface configuration command in the command reference for this release.
Configuring Interfaces
These general instructions apply to all interface configuration processes.
Procedure
Example:
Switch# configure terminal
Step 3 interface Identifies the interface type, the switch number (only on
stacking-capable switches), and the number of the connector.
Example: Note You do not need to add a space between the interface
Switch(config)# interface type and the interface number. For example, in the
gigabitethernet1/0/1 preceding line, you can specify either
Switch(config-if)# gigabitethernet 1/0/1, gigabitethernet1/0/1,
gi 1/0/1, or gi1/0/1.
Step 4 Follow each interface command Defines the protocols and applications that will run on the
with the interface configuration interface. The commands are collected and applied to the
commands that the interface interface when you enter another interface command or enter
requires. end to return to privileged EXEC mode.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
24
How to Configure Interface Characteristics
Procedure
Example:
Switch# configure terminal
Step 3 interface interface-id Specifies the interface for which you are
adding a description, and enter interface
Example: configuration mode.
Switch(config)# interface
gigabitethernet1/0/2
Example:
Switch(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
25
How to Configure Interface Characteristics
Procedure
Example:
Switch# configure terminal
Step 3 interface range {port-range | Specifies the range of interfaces (VLANs or physical ports)
macro macro_name} to be configured, and enter interface-range configuration
mode.
Example: • You can use the interface range command to configure
Switch(config)# interface up to five port ranges or a previously defined macro.
range macro
• The macro variable is explained in the Configuring
and Using Interface Range Macros, on page 27.
• In a comma-separated port-range, you must enter the
interface type for each entry and enter spaces before
and after the comma.
• In a hyphen-separated port-range, you do not need to
re-enter the interface type, but you must enter a space
before the hyphen.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
26
How to Configure Interface Characteristics
Example:
Switch(config)# end
Step 5 show interfaces [interface-id] Verifies the configuration of the interfaces in the range.
Example:
Switch# show interfaces
Step 6 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
27
How to Configure Interface Characteristics
Switch(config)# interface range You can now use the normal configuration commands
macro enet_list to apply the configuration to all interfaces in the defined
macro.
Example:
Switch(config)# end
Step 6 show running-config | include define Shows the defined interface range macro configuration.
Example:
Switch# show running-config |
include define
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
28
How to Configure Interface Characteristics
Procedure
Example:
Switch# configure terminal
Step 4 speed {10 | 100 | 1000 | 2500 | 5000 | Enter the appropriate speed parameter for the interface:
10000 | auto [10 | 100 | 1000 | 2500 |
5000 | 10000] | nonegotiate} • Enter 10, 100, 1000 2500, 5000, or 10000 to set a
specific speed for the interface.
Example: • Enter auto to enable the interface to autonegotiate
speed with the connected device. If you specify a
Switch(config-if)# speed 10
speed and also set the auto keyword, the port
autonegotiates only at the specified speeds.
• The nonegotiate keyword is available only for SFP
module ports. SFP module ports operate only at
1000 Mb/s but can be configured to not negotiate
if connected to a device that does not support
autonegotiation.
Step 5 duplex {auto | full | half} This command is not available on a 10-Gigabit Ethernet
interface.
Example: Enter the duplex parameter for the interface.
Switch(config-if)# duplex half Enable half-duplex mode (for interfaces operating only
at 10 or 100 Mb/s). You cannot configure half-duplex
mode for interfaces operating at 1000 Mb/s.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
29
How to Configure Interface Characteristics
Example:
Switch(config-if)# end
Step 7 show interfaces interface-id Displays the interface speed and duplex mode
configuration.
Example:
Switch# show interfaces
gigabitethernet1/0/3
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Procedure
Example:
Switch# configure terminal
Switch(config)# interface
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
30
How to Configure Interface Characteristics
Step 3 flowcontrol {receive} {on | off | desired} Configures the flow control mode for the
port.
Example:
Switch(config-if)# flowcontrol receive on
Example:
Switch(config-if)# end
Step 5 show interfaces interface-id Verifies the interface flow control settings.
Example:
Switch# show interfaces
gigabitethernet1/0/1
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
31
How to Configure Interface Characteristics
Switch(config)# interface
gigabitethernet1/0/2
Step 4 switchport autostate exclude Excludes the access or trunk port when defining
the status of an SVI line state (up or down)
Example:
Switch(config-if)# switchport
autostate exclude
Example:
Switch(config-if)# end
Step 6 show running config interface interface-id (Optional) Shows the running configuration.
Verifies the configuration.
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
32
How to Configure Interface Characteristics
Example:
Switch# configure terminal
Example:
Switch(config)# interface
gigabitethernet1/0/2
Example:
Switch(config-if)# shutdown
Example:
Switch(config-if)# no shutdown
Example:
Switch(config-if)# end
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
33
How to Configure Interface Characteristics
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# end
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
34
Monitoring Interface Characteristics
Note The configured inactivity timeout applies to all switches in a stack. However, a timeout on one switch
does not cause a timeout on other switches in the stack.
Procedure
Example:
Switch# configure terminal
Switch(config-line)#
usb-inactivity-timeout 30
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
35
Monitoring Interface Characteristics
Command Purpose
show interfaces interface-number downshift Displays the downshift status details of the specified
modulemodule-number interfaces and modules.
show interfaces interface-id status [err-disabled] Displays interface status or a list of interfaces in the
error-disabled state.
show interface [interface-id] stats Displays the input and output packets by the switching
path for the interface.
show interfaces interface-id (Optional) Displays speed and duplex on the interface.
show interfaces [interface-id] [{transceiver Displays physical and operational status about an SFP
properties | detail}] module number] module.
show running-config interface [interface-id] Displays the running configuration in RAM for the
interface.
show controllers ethernet-controller interface-id Displays the operational state of the auto-MDIX
phy feature on the interface.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
36
Configuration Examples for Interface Characteristics
Command Purpose
clear counters [interface-id] Clears interface counters.
clear line [number | console 0 | vty number] Resets the hardware logic on an asynchronous serial
line.
Note The clear counters privileged EXEC command does not clear counters retrieved by using Simple Network
Management Protocol (SNMP), but only those seen with the show interface privileged EXEC command.
This example shows how to use a comma to add different interface type strings to the range to enable Gigabit
Ethernet ports 1 to 3 and 10-Gigabit Ethernet ports 1 and 2 to receive flow-control pause frames:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
37
Configuration Examples for Interface Characteristics
If you enter multiple configuration commands while you are in interface-range mode, each command is
executed as it is entered. The commands are not batched and executed after you exit interface-range mode. If
you exit interface-range configuration mode while the commands are being executed, some commands might
not be executed on all interfaces in the range. Wait until the command prompt reappears before exiting
interface-range configuration mode.
This example shows how to enter interface-range configuration mode for the interface-range macro enet_list:
This example shows how to delete the interface-range macro enet_list and to verify that it was deleted.
This example shows how to set the interface speed to 100 Mb/s on a 10/100/1000 Mb/s port:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
38
Configuration Examples for Interface Characteristics
This configuration terminates any active USB console media type in the stack. A log shows that this termination
has occurred. This example shows that the console on switch 1 reverted to RJ-45.
If there is no (input) activity on a USB console port for the configured number of minutes, the inactivity
timeout setting applies to the RJ-45 port, and a log shows this occurrence:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
39
Additional References for the Interface Characteristics Feature
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
Standard/RFC Title
None --
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
40
Feature History and Information for Configuring Interface Characteristics
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
41
Feature History and Information for Configuring Interface Characteristics
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
42
CHAPTER 3
Configuring Auto-MDIX
• Prerequisites for Auto-MDIX, page 43
• Restrictions for Auto-MDIX, page 43
• Information about Configuring Auto-MDIX, page 43
• How to Configure Auto-MDIX, page 44
• Example for Configuring Auto-MDIX, page 45
• Additional References, page 46
• Feature History and Information for Auto-MDIX, page 46
Auto-MDIX on an Interface
When automatic medium-dependent interface crossover (auto-MDIX) is enabled on an interface, the interface
automatically detects the required cable connection type (straight through or crossover) and configures the
connection appropriately. When connecting switches without the auto-MDIX feature, you must use
straight-through cables to connect to devices such as servers, workstations, or routers and crossover cables
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
43
How to Configure Auto-MDIX
to connect to other switches or repeaters. With auto-MDIX enabled, you can use either type of cable to connect
to other devices, and the interface automatically corrects for any incorrect cabling. For more information about
cabling requirements, see the hardware installation guide.
This table shows the link states that result from auto-MDIX settings and correct and incorrect cabling.
Local Side Auto-MDIX Remote Side Auto-MDIX With Correct Cabling With Incorrect Cabling
On On Link up Link up
Procedure
Example:
Switch(config)# interface
gigabitethernet1/0/1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
44
Example for Configuring Auto-MDIX
Example:
Switch(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
45
Additional References
Additional References
Error Message Decoder
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
46
CHAPTER 4
Configuring Ethernet Management Port
• Finding Feature Information, page 47
• Prerequisites for Ethernet Management Ports, page 47
• Information about the Ethernet Management Port, page 47
• How to Configure the Ethernet Management Port, page 49
• Additional References, page 50
• Feature Information for Ethernet Management Ports, page 51
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
47
Information about the Ethernet Management Port
This figure displays how to connect the Ethernet management port to the PC for a switch or a standalone
switch.
Figure 2: Connecting a Switch to a PC
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
48
How to Configure the Ethernet Management Port
Caution Before enabling a feature on the Ethernet management port, make sure that the feature is supported. If
you try to configure an unsupported feature on the Ethernet Management port, the feature might not work
properly, and the switch might fail.
Procedure
Example:
Switch# configure terminal
Step 2 interface fastethernet0 Specifies the Ethernet management port in the CLI.
Example:
Switch(config)# interface
fastethernet0
Example:
Switch(config-if)# shutdown
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
49
Additional References
Example:
Switch(config-if)# no shutdown
Example:
Switch(config-if)# exit
What to Do Next
Proceed to manage or configure your switch using the Ethernet management port. Refer to the Catalyst 2960-X
Switch Network Management Configuration Guide.
Additional References
Related Documents
Bootloader commands
Catalyst 2960-X Switch System Management
Configuration Guide
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
50
Feature Information for Ethernet Management Ports
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
51
Feature Information for Ethernet Management Ports
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
52
CHAPTER 5
Configuring LLDP, LLDP-MED, and Wired
Location Service
• Finding Feature Information, page 53
• LLDP, LLDP-MED, and Wired Location Service Overview, page 53
• How to Configure LLDP, LLDP-MED, and Wired Location Service, page 58
• Configuration Examples for LLDP, LLDP-MED, and Wired Location Service, page 68
• Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service, page 68
• Additional References for LLDP, LLDP-MED, and Wired Location Service, page 70
• Feature Information for LLDP, LLDP-MED, and Wired Location Service, page 70
LLDP
The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer 2 (the data link layer)
on all Cisco-manufactured devices (routers, bridges, access servers, switches, and controllers). CDP allows
network management applications to automatically discover and learn about other Cisco devices connected
to the network.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
53
LLDP, LLDP-MED, and Wired Location Service Overview
To support non-Cisco devices and to allow for interoperability between other devices, the switch supports the
IEEE 802.1AB Link Layer Discovery Protocol (LLDP). LLDP is a neighbor discovery protocol that is used
for network devices to advertise information about themselves to other devices on the network. This protocol
runs over the data-link layer, which allows two systems running different network layer protocols to learn
about each other.
These organizationally specific LLDP TLVs are also advertised to support LLDP-MED.
• Port VLAN ID TLV (IEEE 802.1 organizationally specific TLVs)
• MAC/PHY configuration/status TLV (IEEE 802.3 organizationally specific TLVs)
LLDP-MED
LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between endpoint
devices such as IP phones and network devices such as switches. It specifically provides support for voice
over IP (VoIP) applications and provides additional TLVs for capabilities discovery, network policy, Power
over Ethernet, inventory management and location information. By default, all LLDP-MED TLVs are enabled.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
54
LLDP, LLDP-MED, and Wired Location Service Overview
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
55
LLDP, LLDP-MED, and Wired Location Service Overview
Depending on the device capabilities, the switch obtains this client information at link down:
• Slot and port that was disconnected
• MAC address
• IP address
• 802.1X username if applicable
• Device category is specified as a wired station
• State is specified as delete
• Serial number, UDI
• Time in seconds since the switch detected the disassociation
When the switch shuts down, it sends an attachment notification with the state delete and the IP address before
closing the NMSP connection to the MSE. The MSE interprets this notification as disassociation for all the
wired clients associated with the switch.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
56
LLDP, LLDP-MED, and Wired Location Service Overview
If you change a location address on the switch, the switch sends an NMSP location notification message that
identifies the affected ports and the changed address information.
LLDP med-tlv-select Disabled to send all LLDP-MED TLVs. When LLDP is globally
enabled, LLDP-MED-TLV is also enabled.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
57
How to Configure LLDP, LLDP-MED, and Wired Location Service
Enabling LLDP
Procedure
Example:
Switch# configure terminal
Example:
Switch (config)# lldp run
Example:
Switch(config-if)# lldp transmit
Example:
Switch(config-if)# lldp receive
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
58
How to Configure LLDP, LLDP-MED, and Wired Location Service
Example:
Switch(config-if)# end
Example:
Switch# show lldp
Note Steps 2 through 5 are optional and can be performed in any order.
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
59
How to Configure LLDP, LLDP-MED, and Wired Location Service
Switch(config)# lldp holdtime 120 The range is 0 to 65535 seconds; the default is 120
seconds.
Step 4 lldp reinit delay (Optional) Specifies the delay time in seconds for
LLDP to initialize on an interface.
Example: The range is 2 to 5 seconds; the default is 2 seconds.
Switch(config)# lldp reinit 2
Step 5 lldp timer rate (Optional) Sets the sending frequency of LLDP
updates in seconds.
Example: The range is 5 to 65534 seconds; the default is 30
Switch(config)# lldp timer 30 seconds.
Step 7 interface interface-id Specifies the interface on which you are enabling
LLDP, and enter interface configuration mode.
Example:
Switch (config)# interface
gigabitethernet2/0/1
Example:
Switch (config-if)# end
Example:
Switch# show lldp
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
60
How to Configure LLDP, LLDP-MED, and Wired Location Service
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
61
How to Configure LLDP, LLDP-MED, and Wired Location Service
Example:
Switch(config-if)# lldp med-tlv-select
inventory management
Example:
Switch(config-if)# end
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
62
How to Configure LLDP, LLDP-MED, and Wired Location Service
Switch(config)# network-policy
profile 1
Example:
Switch(config)# exit
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
63
How to Configure LLDP, LLDP-MED, and Wired Location Service
Example:
Switch(config-if)# network-policy
1
Example:
Switch(config-if)# lldp
med-tlv-select network-policy
Example:
Switch(config)# end
Example:
Switch# show network-policy
profile
Step 11 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
64
How to Configure LLDP, LLDP-MED, and Wired Location Service
Procedure
Example:
Switch# configure terminal
Step 2 location {admin-tag string | civic-location Specifies the location information for an endpoint.
identifier {id | host} | elin-location string
identifier id | custom-location identifier {id • admin-tag—Specifies an administrative tag
| host} | geo-location identifier {id | host}} or site information.
• civic-location—Specifies civic location
Example: information.
Switch(config)# location civic-location • elin-location—Specifies emergency location
identifier 1 information (ELIN).
Switch(config-civic)# number 3550
Switch(config-civic)# primary-road-name • custom-location—Specifies custom location
"Cisco Way"
Switch(config-civic)# city "San Jose" information.
Switch(config-civic)# state CA
Switch(config-civic)# building 19 • geo-location—Specifies geo-spatial location
Switch(config-civic)# room C6 information.
Switch(config-civic)# county "Santa
Clara"
Switch(config-civic)# country US
• identifier id—Specifies the ID for the civic,
ELIN, custom, or geo location.
• host—Specifies the host civic, custom, or geo
location.
• string—Specifies the site or location
information in alphanumeric format.
Example:
Switch(config-civic)# exit
Step 4 interface interface-id Specifies the interface on which you are configuring
the location information, and enter interface
Example: configuration mode.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
65
How to Configure LLDP, LLDP-MED, and Wired Location Service
Example:
Switch(config-if)# end
Example:
Switch# show location admin-tag
or
or
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
66
How to Configure LLDP, LLDP-MED, and Wired Location Service
Procedure
Example:
Switch# configure terminal
Step 3 nmsp notification interval {attachment | Specifies the NMSP notification interval.
location} interval-seconds
attachment—Specifies the attachment notification
interval.
Example:
location—Specifies the location notification
Switch(config)# nmsp notification interval.
interval location 10
interval-seconds—Duration in seconds before the
switch sends the MSE the location or attachment
updates. The range is 1 to 30; the default is 30.
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
67
Configuration Examples for LLDP, LLDP-MED, and Wired Location Service
Example:
Switch# show network-policy profile
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
This example shows how to configure the voice application type for the native VLAN with priority tagging:
Command Description
clear lldp counters Resets the traffic counters to zero.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
68
Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service
Command Description
show lldp Displays global information, such as frequency of
transmissions, the holdtime for packets being sent,
and the delay time before LLDP initializes on an
interface.
show lldp interface [interface-id] Displays information about interfaces with LLDP
enabled.
You can limit the display to a specific interface.
show lldp neighbors [interface-id] [detail] Displays information about neighbors, including
device type, interface type and number, holdtime
settings, capabilities, and port ID.
You can limit the display to neighbors of a specific
interface or expand the display for more detailed
information.
show location admin-tag string Displays the location information for the specified
administrative tag or site.
show location civic-location identifier id Displays the location information for a specific global
civic location.
show location elin-location identifier id Displays the location information for an emergency
location
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
69
Additional References for LLDP, LLDP-MED, and Wired Location Service
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
70
CHAPTER 6
Configuring System MTU
• Finding Feature Information, page 71
• Information about the MTU, page 71
• How to Configure MTU , page 72
• Configuration Examples for System MTU, page 73
• Additional References for System MTU, page 73
• Feature Information for System MTU, page 74
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
71
How to Configure MTU
Procedure
Example:
Switch# configure terminal
Step 2 system mtu bytes (Optional) Change the MTU size for all interfaces
on the switch stack that are operating at 10 or 100
Example: Mb/s.
Switch(config)# system mtu 2500
The range is 1500 to 1998 bytes; the default is
1500 bytes.
Step 3 system mtu jumbo bytes (Optional) Changes the MTU size for all Gigabit
Ethernet interfaces on the switch or the switch
Example: stack.
Switch(config)# system mtu jumbo
7500
The range is 1500 to 9198 bytes; the default is
1500 bytes.
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
72
Configuration Examples for System MTU
Example:
Switch# copy running-config
startup-config
Example:
Switch# reload
Example:
Switch# show system mtu
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
73
Feature Information for System MTU
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
74
CHAPTER 7
Configuring Boot Fast
• Finding Feature Information, page 75
• Configuring Boot Fast on the switch, page 75
Note When Fast boot is enabled, you can still run the POST tests manually from the command line interface,
once the switch has booted up, using diagnostic start command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
75
Configuring Boot Fast on the switch
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# end
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
76
Configuring Boot Fast on the switch
Example:
Switch(config)# no boot fast
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
77
Configuring Boot Fast on the switch
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
78
CHAPTER 8
Configuring PoE
• Finding Feature Information, page 79
• Restrictions for PoE, page 79
• Information about PoE, page 80
• How to Configure PoE, page 85
• Monitoring Power Status, page 92
• Configuration Examples for Configuring PoE, page 93
• Additional References, page 93
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
79
Information about PoE
A powered device can receive redundant power when it is connected to a PoE switch port and to an AC power
source. The device does not receive redundant power when it is only connected to the PoE port.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
80
Information about PoE
receives CDP messages from the powered device and as the powered device negotiates power levels
with the switch through CDP power-negotiation messages, the initial power allocation might be adjusted.
• The switch classifies the detected IEEE device within a power consumption class. Based on the available
power in the power budget, the switch determines if a port can be powered. Table 10: IEEE Power
Classifications, on page 81 lists these levels.
1 4W
2 7W
3 15.4 W
The switch monitors and tracks requests for power and grants power only when it is available. The switch
tracks its power budget (the amount of power available on the switch for PoE). Theswitch performs
power-accounting calculations when a port is granted or denied power to keep the power budget up to date.
After power is applied to the port, the switch uses CDP to determine the CDP-specific power consumption
requirement of the connected Cisco powered devices, which is the amount of power to allocate based on the
CDP messages. The switch adjusts the power budget accordingly. This does not apply to third-party PoE
devices. The switch processes a request and either grants or denies power. If the request is granted, the switch
updates the power budget. If the request is denied, the switch ensures that power to the port is turned off,
generates a syslog message, and updates the LEDs. Powered devices can also negotiate with the switch for
more power.
With PoE+, powered devices use IEEE 802.3at and LLDP power with media dependent interface (MDI) type,
length, and value descriptions (TLVs), Power-via-MDI TLVs, for negotiating power up to 30 W. Cisco
pre-standard devices and Cisco IEEE powered devices can use CDP or the IEEE 802.3at power-via-MDI
power negotiation mechanism to request power levels up to 30 W.
Note The initial allocation for Class 0, Class 3, and Class 4 powered devices is 15.4 W. When a device starts
up and uses CDP or LLDP to send a request for more than 15.4 W, it can be allocated up to the maximum
of 30 W.
Note The CDP-specific power consumption requirement is referred to as the actual power consumption
requirement in the software configuration guides and command references.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
81
Information about PoE
The PoE feature operates the same whether or not the switch is a stack member. The power budget is per
switch and independent of any other switch in the stack. Election of a new active switch does not affect PoE
operation. The active switch keeps track of the PoE status for all switches and ports in the stack and includes
the status in output displays.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
82
Information about PoE
For most situations, the default configuration (auto mode) works well, providing plug-and-play operation. No
further configuration is required. However, perform this task to configure a PoE port for a higher priority, to
make it data only, or to specify a maximum wattage to disallow high-power powered devices on a port.
Use the first or second method in the previous list to manually configure the cutoff-power value by entering
the power inline consumption default wattage or the power inline [auto | static max] max-wattage command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
83
Information about PoE
You should use power inline consumption default wattage command to manually set the power level for a
port only in situations where CDP/LLDP power negotiations are not supported.
If you do not manually configure the cutoff-power value, the switch automatically determines it by using CDP
power negotiation or the device IEEE classification and LLDP power negotiation. If CDP or LLDP are not
enabled, the default value of 30 W is applied. However without CDP or LLDP, the switch does not allow
devices to consume more than 15.4 W of power because values from 15400 to 30000 mW are only allocated
based on CDP or LLDP requests. If a powered device consumes more than 15.4 W without CDP or LLDP
negotiation, the device might be in violation of the maximum current (Imax) limitation and might experience
an Icut fault for drawing more current than the maximum. The port remains in the fault state for a time before
attempting to power on again. If the port continuously draws more than 15.4 W, the cycle repeats.
Note When a powered device connected to a PoE+ port restarts and sends a CDP or LLDP packet with a power
TLV, the switch locks to the power-negotiation protocol of that first packet and does not respond to power
requests from the other protocol. For example, if the switch is locked to CDP, it does not provide power
to devices that send LLDP requests. If CDP is disabled after the switch has locked on it, the switch does
not respond to LLDP power requests and can no longer power on any accessories. In this case, you should
restart the powered device.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
84
How to Configure PoE
Note When you make PoE configuration changes, the port being configured drops power. Depending on the
new configuration, the state of the other PoE ports, and the state of the power budget, the port might not
be powered up again. For example, port 1 is in the auto and on state, and you configure it for static mode.
The switch removes power from port 1, detects the powered device, and repowers the port. If port 1 is in
the auto and on state and you configure it with a maximum wattage of 10 W, the switch removes power
from the port and then redetects the powered device. The switch repowers the port only if the powered
device is a class 1, class 2, or a Cisco-only powered device.
Procedure
Example:
Switch# configure terminal
Step 3 interface interface-id Specifies the physical port to be configured, and enters interface
configuration mode.
Example:
Switch(config)# interface
gigabitethernet2/0/1
Step 4 power inline {auto [max Configures the PoE mode on the port. The keywords have these
max-wattage] | never | static [max meanings:
max-wattage]}
• auto—Enables powered-device detection. If enough power
is available, automatically allocates power to the PoE port
Example: after device detection. This is the default setting.
Switch(config-if)# power
inline auto
• max max-wattage—Limits the power allowed on the port.
If no value is specified, the maximum is allowed.
• max max-wattage—Limits the power allowed on the port.
The range is 4000 to 30000 mW. If no value is specified,
the maximum is allowed.
• never —Disables device detection, and disable power to
the port.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
85
How to Configure PoE
Example:
Switch(config-if)# end
Step 6 show power inline [interface-id Displays PoE status for a switch or a switch stack, for the
| module switch-number] specified interface, or for a specified stack member.
The module switch-number keywords are supported only on
Example: stacking-capable switches.
Switch# show power inline
Step 7 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Fast POE
Fast PoE - This feature remembers the last power drawn from a particular PSE port and switches on power
the moment AC power is plugged in (within 15 to 20 seconds of switching on power) without waiting for IOS
to boot up. When poe-ha is enabled on a particular port, the switch on a recovery after power failure, provides
power to the connected endpoint devices within short duration before even the IOS forwarding starts up.
This feature can be configured by the command poe-ha. If the user replaces the power device connected to a
port when the switch is powered off, then this new device will get the power which the previous device was
drawing.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
86
How to Configure PoE
Note You will need to configure the poe-ha command before connecting the PD, or you will need to manually
shut/unshut the port after configuring poe-ha.
Procedure
Example:
Switch# configure terminal
Example:
Switch(config-if)# power inline port
poe-ha
Example:
Switch(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
87
How to Configure PoE
By using the power inline consumption wattage interface configuration command or the power inline
consumption default wattage global configuration command, you can override the default power requirement
specified by the IEEE classification. The difference between what is mandated by the IEEE classification and
what is actually needed by the device is reclaimed into the global power budget for use by additional devices.
You can then extend the switch power budget and use it more effectively.
Caution You should carefully plan your switch power budget, enable the power monitoring feature, and make
certain not to oversubscribe the power supply.
Note When you manually configure the power budget, you must also consider the power loss over the cable
between the switch and the powered device.
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# no cdp run
Step 4 power inline consumption default wattage Configures the power consumption of powered
devices connected to each PoE port.
Example: The range for each device is 4000 to
Switch(config)# power inline
consumption default 5000
30000 mW (PoE+). The default is 30000 mW.
Note
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
88
How to Configure PoE
Example:
Switch# show power inline consumption
default
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# no cdp run
Step 5 power inline consumption wattage Configures the power consumption of a powered
device connected to a PoE port on the switch.
Example: The range for each device is 4000 to 30000 mW
Switch(config-if)# power inline
consumption 5000
(PoE+). The default is 30000 mW (PoE+).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
89
How to Configure PoE
Example:
Switch(config-if)# end
Step 7 show power inline consumption Displays the power consumption data.
Example:
Switch# show power inline consumption
Procedure
Example:
Switch# configure terminal
Step 3 interface interface-id Specifies the physical port to be configured, and enter
interface configuration mode.
Example:
Switch(config)# interface
gigabitethernet2/0/1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
90
How to Configure PoE
Example:
Switch(config-if)# exit
Step 6 Use one of the following: (Optional) Enables error recovery from the PoE
error-disabled state, and configures the PoE recover
• errdisable detect cause mechanism variables.
inline-power
By default, the recovery interval is 300 seconds.
• errdisable recovery cause
inline-power For interval interval, specifies the time in seconds to
recover from the error-disabled state. The range is 30 to
• errdisable recovery interval 86400.
interval
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
91
Monitoring Power Status
Example:
Switch(config)# errdisable detect
cause inline-power
Switch(config)# errdisable
recovery cause inline-power
Switch(config)# errdisable
recovery interval 100
Example:
Switch(config)# exit
Step 8 Use one of the following: Displays the power monitoring status, and verify the error
recovery settings.
• show power inline police
• show errdisable recovery
Example:
Switch# show power inline police
Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Command Purpose
show env power switch [switch-number] (Optional) Displays the status of the internal power
supplies for each switch in the stack or for the
specified switch.
The range is 1 to , depending on the switch member
numbers in the stack. These keywords are available
only on stacking-capable switches.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
92
Configuration Examples for Configuring PoE
Command Purpose
show power inline [interface-id | module Displays PoE status for a switch or switch stack, for
switch-number] an interface, or for a specific switch in the stack.
Additional References
Error Message Decoder
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
93
Additional References
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
94
CHAPTER 9
Configuring 2-event Classification
• Finding Feature Information, page 95
• Information about 2-event Classification, page 95
• Configuring 2-event Classification, page 95
• Example: Configuring 2-Event Classification, page 96
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
95
Example: Configuring 2-Event Classification
Procedure
Example:
Switch# configure terminal
Step 4 power inline port 2-event Configures 2-event classification on the switch.
Example:
Switch(config-if)# power inline port
2-event
Example:
Switch(config-if)# end
Related Topics
Example: Configuring 2-Event Classification, on page 96
Related Topics
Configuring 2-event Classification, on page 95
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
96
CHAPTER 10
Configuring EEE
• Finding Feature Information, page 97
• Information About EEE, page 97
• Restrictions for EEE, page 98
• How to Configure EEE, page 98
• Monitoring EEE, page 99
• Configuration Examples for Configuring EEE, page 99
• Additional References, page 100
• Feature History and Information for Configuring EEE, page 100
EEE Overview
Energy Efficient Ethernet (EEE) is an IEEE 802.3az standard that is designed to reduce power consumption
in Ethernet networks during idle periods.
EEE can be enabled on devices that support low power idle (LPI) mode. Such devices can save power by
entering LPI mode during periods of low utilization. In LPI mode, systems on both ends of the link can save
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
97
Restrictions for EEE
power by shutting down certain services. EEE provides the protocol needed to transition into and out of LPI
mode in a way that is transparent to upper layer protocols and applications.
Procedure
Example:
Switch# configure terminal
Step 3 power efficient-ethernet auto Enables EEE on the specified interface. When
EEE is enabled, the device advertises and
Example: autonegotiates EEE to its link partner.
Switch(config-if)# power
efficient-ethernet auto
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
98
Monitoring EEE
Example:
Switch(config-if)# no power
efficient-ethernet auto
Example:
Switch(config-if)# end
Monitoring EEE
Table 12: Commands for Displaying EEE Settings
Command Purpose
show eee capabilities interface interface-id Displays EEE capabilities for the specified interface.
show eee status interface interface-id Displays EEE status information for the specified interface.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
99
Additional References
Additional References
Error Message Decoder
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
100
PART II
IP Multicast Routing
• Configuring IGMP Snooping and Multicast VLAN Registration, page 103
CHAPTER 11
Configuring IGMP Snooping and Multicast VLAN
Registration
• Finding Feature Information, page 103
• Prerequisites for Configuring IGMP Snooping and MVR, page 103
• Restrictions for Configuring IGMP Snooping and MVR, page 104
• Information About IGMP Snooping and MVR, page 106
• How to Configure IGMP Snooping and MVR, page 116
• Monitoring IGMP Snooping and MVR, page 142
• Configuration Examples for IGMP Snooping and MVR, page 144
• Additional References, page 147
• Feature History and Information for IGMP Snooping, page 148
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
103
Restrictions for Configuring IGMP Snooping and MVR
• Configure an IP address on the VLAN interface. When enabled, the IGMP snooping querier uses the IP
address as the query source address.
• If there is no IP address configured on the VLAN interface, the IGMP snooping querier tries to use the
configured global IP address for the IGMP querier. If there is no global IP address specified, the IGMP
querier tries to use the VLAN switch virtual interface (SVI) IP address (if one exists). If there is no SVI
IP address, the switch uses the first available IP address configured on the switch. The first IP address
available appears in the output of the show ip interface privileged EXEC command. The IGMP snooping
querier does not generate an IGMP general query if it cannot find an available IP address on the switch.
• The IGMP snooping querier supports IGMP Versions 1 and 2.
• When administratively enabled, the IGMP snooping querier moves to the nonquerier state if it detects
the presence of a multicast router in the network.
• When it is administratively enabled, the IGMP snooping querier moves to the operationally disabled
state under these conditions:
◦IGMP snooping is disabled in the VLAN.
◦PIM is enabled on the SVI of the corresponding VLAN.
Related Topics
Configuring the IGMP Snooping Querier , on page 128
IGMP Snooping, on page 106
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
104
Restrictions for Configuring IGMP Snooping and MVR
The actual leave latency in the network is usually the configured leave time. However, the leave time
might vary around the configured time, depending on real-time CPU load conditions, network delays
and the amount of traffic sent through the interface.
• The IGMP throttling action restriction can be applied only to Layer 2 ports. You can use ip igmp
max-groups action replace interface configuration command on a logical EtherChannel interface but
cannot use it on ports that belong to an EtherChannel port group.
When the maximum group limitation is set to the default (no maximum), entering the ip igmp max-groups
action {deny | replace} command has no effect.
If you configure the throttling action and set the maximum group limitation after an interface has added
multicast entries to the forwarding table, the forwarding-table entries are either aged out or removed,
depending on the throttling action.
Related Topics
IGMP Versions, on page 107
Configuring IGMP Profiles , on page 135
Applying IGMP Profiles , on page 137
Setting the Maximum Number of IGMP Groups , on page 138
Configuring the IGMP Throttling Action , on page 140
IGMP Filtering and Throttling, on page 114
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
105
Information About IGMP Snooping and MVR
IGMP Snooping
Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically
configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with
IP multicast devices. As the name implies, IGMP snooping requires the LAN switch to snoop on the IGMP
transmissions between the host and the router and to keep track of multicast groups and member ports. When
the switch receives an IGMP report from a host for a particular multicast group, the switch adds the host port
number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes
the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership
reports from the multicast clients.
Note For more information on IP multicast and IGMP, see RFC 1112 and RFC 2236.
The multicast router ) sends out periodic general queries to all VLANs. All hosts interested in this multicast
traffic send join requests and are added to the forwarding table entry. The switch creates one entry per VLAN
in the IGMP snooping IP multicast forwarding table for each group from which it receives an IGMP join
request.
The switch supports IP multicast group-based bridging, instead of MAC-addressed based groups. With
multicast MAC address-based groups, if an IP address being configured translates (aliases) to a previously
configured MAC address or to any reserved multicast MAC addresses (in the range 224.0.0.xxx), the command
fails. Because the switch uses IP multicast groups, there are no address aliasing issues.
The IP multicast groups learned through IGMP snooping are dynamic. However, you can statically configure
multicast groups by using the ip igmp snooping vlan vlan-id static ip_address interface interface-id global
configuration command. If you specify group membership for a multicast group address statically, your setting
supersedes any automatic manipulation by IGMP snooping. Multicast group membership lists can consist of
both user-defined and IGMP snooping-learned settings.
You can configure an IGMP snooping querier to support IGMP snooping in subnets without multicast interfaces
because the multicast traffic does not need to be routed.
If a port spanning-tree, a port group, or a VLAN ID change occurs, the IGMP snooping-learned multicast
groups from this port on the VLAN are deleted.
These sections describe IGMP snooping characteristics:
Related Topics
Configuring the IGMP Snooping Querier , on page 128
Prerequisites for IGMP Snooping, on page 103
Example: Setting the IGMP Snooping Querier Source Address, on page 145
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
106
Information About IGMP Snooping and MVR
Example: Setting the IGMP Snooping Querier Maximum Response Time, on page 145
Example: Setting the IGMP Snooping Querier Timeout, on page 146
Example: Setting the IGMP Snooping Querier Feature, on page 146
IGMP Versions
The switch supports IGMP version 1, IGMP version 2, and IGMP version 3. These versions are interoperable
on the switch. For example, if IGMP snooping is enabled and the querier's version is IGMPv2, and the switch
receives an IGMPv3 report from a host, then the switch can forward the IGMPv3 report to the multicast router.
An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific
Multicast (SSM) feature.
Related Topics
Restrictions for IGMP Snooping, on page 104
When a host connected to the switch wants to join an IP multicast group and it is an IGMP version 2 client,
it sends an unsolicited IGMP join message, specifying the IP multicast group to join. Alternatively, when the
switch receives a general query from the router, it forwards the query to all ports in the VLAN. IGMP version
1 or version 2 hosts wanting to join the multicast group respond by sending a join message to the switch. The
switch CPU creates a multicast forwarding-table entry for the group if it is not already present. The CPU also
adds the interface where the join message was received to the forwarding-table entry. The host associated
with that interface receives multicast traffic for that multicast group.
Figure 4: Initial IGMP Join Message
Router A sends a general query to the switch, which forwards the query to ports 2 through 5, all of which are
members of the same VLAN. Host 1 wants to join multicast group 224.1.2.3 and multicasts an IGMP
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
107
Information About IGMP Snooping and MVR
membership report (IGMP join message) to the group. The switch CPU uses the information in the IGMP
report to set up a forwarding-table entry that includes the port numbers connected to Host 1 and to the router.
The switch hardware can distinguish IGMP information packets from other packets for the multicast group.
The information in the table tells the switching engine to send frames addressed to the 224.1.2.3 multicast IP
address that are not IGMP packets to the router and to the host that has joined the group.
If another host (for example, Host 4) sends an unsolicited IGMP join message for the same group, the CPU
receives that message and adds the port number of Host 4 to the forwarding table. Because the forwarding
table directs IGMP messages only to the CPU, the message is not flooded to other ports on the switch. Any
known multicast traffic is forwarded to the group and not to the CPU.
Figure 5: Second Host Joining a Multicast Group
Related Topics
Configuring a Host Statically to Join a Group , on page 120
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
108
Information About IGMP Snooping and MVR
Immediate Leave
The switch uses IGMP snooping Immediate Leave to remove from the forwarding table an interface that sends
a leave message without the switch sending group-specific queries to the interface. The VLAN interface is
pruned from the multicast tree for the multicast group specified in the original leave message. Immediate
Leave ensures optimal bandwidth management for all hosts on a switched network, even when multiple
multicast groups are simultaneously in use.
Immediate Leave is only supported on IGMP version 2 hosts. IGMP version 2 is the default version for the
switch.
Note You should use the Immediate Leave feature only on VLANs where a single host is connected to each
port. If Immediate Leave is enabled on VLANs where more than one host is connected to a port, some
hosts may be dropped inadvertently.
Related Topics
Enabling IGMP Immediate Leave , on page 122
Example: Enabling IGMP Immediate Leave, on page 145
Related Topics
Configuring the IGMP Leave Timer , on page 123
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
109
Information About IGMP Snooping and MVR
Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports.
This feature is not supported when the query includes IGMPv3 reports.
The switch uses IGMP report suppression to forward only one IGMP report per multicast router query to
multicast devices. When IGMP report suppression is enabled (the default), the switch sends the first IGMP
report from all hosts for a group to all the multicast routers. The switch does not send the remaining IGMP
reports for the group to the multicast routers. This feature prevents duplicate reports from being sent to the
multicast devices.
If the multicast router query includes requests only for IGMPv1 and IGMPv2 reports, the switch forwards
only the first IGMPv1 or IGMPv2 report from all hosts for a group to all the multicast routers.
If the multicast router query also includes requests for IGMPv3 reports, the switch forwards all IGMPv1,
IGMPv2, and IGMPv3 reports for a group to the multicast devices.
If you disable IGMP report suppression, all IGMP reports are forwarded to the multicast routers.
Related Topics
Disabling IGMP Report Suppression , on page 130
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
110
Information About IGMP Snooping and MVR
Related Topics
Enabling or Disabling IGMP Snooping on a Switch , on page 116
Enabling or Disabling IGMP Snooping on a VLAN Interface, on page 117
MVR assumes that subscriber ports subscribe and unsubscribe (join and leave) these multicast streams by
sending out IGMP join and leave messages. These messages can originate from an IGMP version-2-compatible
host with an Ethernet connection. Although MVR operates on the underlying method of IGMP snooping, the
two features operate independently of each other. One can be enabled or disabled without affecting the behavior
of the other feature. However, if IGMP snooping and MVR are both enabled, MVR reacts only to join and
leave messages from multicast groups configured under MVR. Join and leave messages from all other multicast
groups are managed by IGMP snooping.
The switch CPU identifies the MVR IP multicast streams and their associated IP multicast group in the switch
forwarding table, intercepts the IGMP messages, and modifies the forwarding table to include or remove the
subscriber as a receiver of the multicast stream, even though the receivers might be in a different VLAN from
the source. This forwarding behavior selectively allows traffic to cross between different VLANs.
Modes of Operation
You can set the switch for compatible or dynamic mode of MVR operation:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
111
Information About IGMP Snooping and MVR
• In compatible mode, multicast data received by MVR hosts is forwarded to all MVR data ports, regardless
of MVR host membership on those ports. The multicast data is forwarded only to those receiver ports
that MVR hosts have joined, either by IGMP reports or by MVR static configuration. IGMP reports
received from MVR hosts are never forwarded from MVR data ports that were configured in the switch.
• In dynamic mode, multicast data received by MVR hosts on the switch is forwarded from only those
MVR data and client ports that the MVR hosts have joined, either by IGMP reports or by MVR static
configuration. Any IGMP reports received from MVR hosts are also forwarded from all the MVR data
ports in the host. This eliminates using unnecessary bandwidth on MVR data port links, which occurs
when the switch runs in compatible mode.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
112
Information About IGMP Snooping and MVR
In this example configuration, DHCP assigns an IP address to the set-top box or the PC. When a subscriber
selects a channel, the set-top box or PC sends an IGMP report to Switch A to join the appropriate multicast.
If the IGMP report matches one of the configured IP multicast group addresses, the switch CPU modifies the
hardware address table to include this receiver port and VLAN as a forwarding destination of the specified
multicast stream when it is received from the multicast VLAN. Uplink ports that send and receive multicast
data to and from the multicast VLAN are called MVR source ports.
When a subscriber changes channels or turns off the television, the set-top box sends an IGMP leave message
for the multicast stream. The switch CPU sends a MAC-based general query through the receiver port VLAN.
If there is another set-top box in the VLAN still subscribing to this group, that set-top box must respond within
the maximum response time specified in the query. If the CPU does not receive a response, it eliminates the
receiver port as a forwarding destination for this group.
Without Immediate Leave, when the switch receives an IGMP leave message from a subscriber on a receiver
port, it sends out an IGMP query on that port and waits for IGMP group membership reports. If no reports
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
113
Information About IGMP Snooping and MVR
are received in a configured time period, the receiver port is removed from multicast group membership. With
Immediate Leave, an IGMP query is not sent from the receiver port on which the IGMP leave was received.
As soon as the leave message is received, the receiver port is removed from multicast group membership,
which speeds up leave latency. Enable the Immediate-Leave feature only on receiver ports to which a single
receiver device is connected.
MVR eliminates the need to duplicate television-channel multicast traffic for subscribers in each VLAN.
Multicast traffic for all channels is only sent around the VLAN trunk once—only on the multicast VLAN.
The IGMP leave and join messages are in the VLAN to which the subscriber port is assigned. These messages
dynamically register for streams of multicast traffic in the multicast VLAN on the Layer 3 device. The access
layer switch, Switch A, modifies the forwarding behavior to allow the traffic to be forwarded from the multicast
VLAN to the subscriber port in a different VLAN, selectively allowing traffic to cross between two VLANs.
IGMP reports are sent to the same IP multicast group address as the multicast data. The Switch A CPU must
capture all IGMP join and leave messages from receiver ports and forward them to the multicast VLAN of
the source (uplink) port, based on the MVR mode.
Mode Compatible
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
114
Information About IGMP Snooping and MVR
action permits access to the multicast group, the IGMP report from the port is forwarded for normal processing.
You can also set the maximum number of IGMP groups that a Layer 2 interface can join.
IGMP filtering controls only group-specific query and membership reports, including join and leave reports.
It does not control general IGMP queries. IGMP filtering has no relationship with the function that directs
the forwarding of IP multicast traffic. The filtering feature operates in the same manner whether CGMP or
MVR is used to forward the multicast traffic.
IGMP filtering applies only to the dynamic learning of IP multicast group addresses, not static configuration.
With the IGMP throttling feature, you can set the maximum number of IGMP groups that a Layer 2 interface
can join. If the maximum number of IGMP groups is set, the IGMP snooping forwarding table contains the
maximum number of entries, and the interface receives an IGMP join report, you can configure an interface
to drop the IGMP report or to replace the randomly selected multicast entry with the received IGMP report.
Note IGMPv3 join and leave messages are not supported on switches running IGMP filtering.
Related Topics
Configuring IGMP Profiles , on page 135
Applying IGMP Profiles , on page 137
Setting the Maximum Number of IGMP Groups , on page 138
Configuring the IGMP Throttling Action , on page 140
Restrictions for IGMP Snooping, on page 104
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
115
How to Configure IGMP Snooping and MVR
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# end
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
116
How to Configure IGMP Snooping and MVR
Related Topics
Default IGMP Snooping Configuration, on page 110
Procedure
Example:
Switch# configure terminal
Step 3 ip igmp snooping vlan vlan-id Enables IGMP snooping on the VLAN interface. The
VLAN ID range is 1 to 1001 and 1006 to 4094.
Example: IGMP snooping must be globally enabled before you
Switch(config)# ip igmp snooping can enable VLAN snooping.
vlan 7
Note To disable IGMP snooping on a VLAN
interface, use the no ip igmp snooping vlan
vlan-id global configuration command for the
specified VLAN number.
Step 4 end Returns to privileged EXEC mode.
Example:
Switch(config)# end
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Related Topics
Default IGMP Snooping Configuration, on page 110
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
117
How to Configure IGMP Snooping and MVR
You can configure the switch either to snoop on IGMP queries and PIM/DVMRP packets or to listen to CGMP
self-join or proxy-join packets. By default, the switch snoops on PIM/DVMRP packets on all VLANs. To
learn of multicast router ports through only CGMP packets, use the ip igmp snooping vlan vlan-id mrouter
learn cgmp global configuration command. When this command is entered, the router listens to only CGMP
self-join and CGMP proxy-join packets and to no other CGMP packets. To learn of multicast router ports
through only PIM-DVMRP packets, use the ip igmp snooping vlan vlan-id mrouter learn pim-dvmrp
global configuration command.
If you want to use CGMP as the learning method and no multicast routers in the VLAN are CGMP
proxy-enabled, you must enter the ip cgmp router-only command to dynamically access the router.
Procedure
Example:
Switch# configure terminal
Step 3 ip igmp snooping vlan vlan-id mrouter Specifies the multicast router learning method:
learn {cgmp | pim-dvmrp }
• cgmp—Listens for CGMP packets. This
method is useful for reducing control traffic.
Example:
Switch(config)# ip igmp snooping • pim-dvmrp—Snoops on IGMP queries and
vlan 1 mrouter learn cgmp
PIM-DVMRP packets. This is the default.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
118
How to Configure IGMP Snooping and MVR
Example:
Switch(config)# end
Example:
Switch# show ip igmp snooping
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Note Static connections to multicast routers are supported only on switch ports.
Procedure
Example:
Switch# configure terminal
Step 3 ip igmp snooping vlan vlan-id mrouter Specifies the multicast router VLAN ID and the
interface interface-id interface to the multicast router.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
119
How to Configure IGMP Snooping and MVR
Example:
Switch(config)# end
Step 5 show ip igmp snooping mrouter [vlan Verifies that IGMP snooping is enabled on the
vlan-id] VLAN interface.
Example:
Switch# show ip igmp snooping
mrouter vlan 5
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Related Topics
Example: Enabling a Static Connection to a Multicast Router, on page 144
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
120
How to Configure IGMP Snooping and MVR
Procedure
Example:
Switch# configure terminal
Step 3 ip igmp snooping vlan vlan-id static Statically configures a Layer 2 port as a member of a
ip_address interface interface-id multicast group:
• vlan-id is the multicast group VLAN ID. The
Example: range is 1 to 1001 and 1006 to 4094.
Switch(config)# ip igmp snooping
vlan 105 static 230.0.0.1 interface • ip-address is the group IP address.
gigabitethernet1/0/1
• interface-id is the member port. It can be a
physical interface or a port channel (1 to 128).
Example:
Switch(config)# end
Step 5 show ip igmp snooping groups Verifies the member port and the IP address.
Example:
Switch# show ip igmp snooping
groups
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
121
How to Configure IGMP Snooping and MVR
Related Topics
Joining a Multicast Group, on page 107
Example: Configuring a Host Statically to Join a Group, on page 145
Note Immediate Leave is supported only on IGMP Version 2 hosts. IGMP Version 2 is the default version for
the switch.
Procedure
Example:
Switch# configure terminal
Step 3 ip igmp snooping vlan vlan-id Enables IGMP Immediate Leave on the VLAN
immediate-leave interface.
Note To disable IGMP Immediate Leave on a
Example: VLAN, use the no ip igmp snooping
Switch(config)# ip igmp snooping vlan vlan vlan-id immediate-leave global
21 immediate-leave configuration command.
Example:
Switch(config)# end
Step 5 show ip igmp snooping vlan vlan-id Verifies that Immediate Leave is enabled on the
VLAN interface.
Example:
Switch# show ip igmp snooping vlan
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
122
How to Configure IGMP Snooping and MVR
Example:
Switch(config)# end
Related Topics
Immediate Leave , on page 109
Example: Enabling IGMP Immediate Leave, on page 145
Procedure
Example:
Switch# configure terminal
Step 3 ip igmp snooping Configures the IGMP leave timer globally. The range
last-member-query-interval time is 100 to 32767 milliseconds.
The default leave time is 1000 milliseconds.
Example:
Note To globally reset the IGMP leave timer to the
Switch(config)# ip igmp snooping default setting, use the no ip igmp snooping
last-member-query-interval 1000
last-member-query-interval global
configuration command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
123
How to Configure IGMP Snooping and MVR
Example:
Switch(config)# end
Step 6 show ip igmp snooping (Optional) Displays the configured IGMP leave time.
Example:
Switch# show ip igmp snooping
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Related Topics
IGMP Configurable-Leave Timer, on page 109
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
124
How to Configure IGMP Snooping and MVR
Procedure
Example:
Switch# configure terminal
Step 3 ip igmp snooping tcn flood query count Specifies the number of IGMP general queries for
count which the multicast traffic is flooded.
The range is 1 to 10. The default, the flooding query
Example: count is 2.
Switch(config)# ip igmp snooping tcn Note To return to the default flooding query
flood query count 3
count, use the no ip igmp snooping tcn
flood query count global configuration
command.
Step 4 end Returns to privileged EXEC mode.
Example:
Switch(config)# end
Example:
Switch# show ip igmp snooping
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
125
How to Configure IGMP Snooping and MVR
immediately sends general queries, which expedite the process of recovering from the flood mode during the
TCN event. Leaves are always sent if the switch is the spanning-tree root regardless of this configuration.
Follow these steps to enable sending of leave messages:
Procedure
Example:
Switch# configure terminal
Step 3 ip igmp snooping tcn query solicit Sends an IGMP leave message (global leave) to
speed the process of recovering from the flood mode
Example: caused during a TCN event. By default, query
solicitation is disabled.
Switch(config)# ip igmp snooping
tcn query solicit Note To return to the default query solicitation,
use the no ip igmp snooping tcn query
solicit global configuration command.
Step 4 end Returns to privileged EXEC mode.
Example:
Switch(config)# end
Example:
Switch# show ip igmp snooping
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
126
How to Configure IGMP Snooping and MVR
Procedure
Example:
Switch# configure terminal
Step 4 no ip igmp snooping tcn flood Disables the flooding of multicast traffic during a
spanning-tree TCN event.
Example: By default, multicast flooding is enabled on an
Switch(config-if)# no ip igmp interface.
snooping tcn flood
Note To re-enable multicast flooding on an
interface, use the ip igmp snooping tcn
flood interface configuration command.
Step 5 end Returns to privileged EXEC mode.
Example:
Switch(config)# end
Example:
Switch# show ip igmp snooping
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
127
How to Configure IGMP Snooping and MVR
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# ip igmp snooping
querier
Step 4 ip igmp snooping querier address (Optional) Specifies an IP address for the IGMP
ip_address snooping querier. If you do not specify an IP
address, the querier tries to use the global IP
Example: address configured for the IGMP querier.
Switch(config)# ip igmp snooping Note The IGMP snooping querier does not
querier address 172.16.24.1 generate an IGMP general query if it
cannot find an IP address on the switch.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
128
How to Configure IGMP Snooping and MVR
Example:
Switch(config)# ip igmp snooping
querier query-interval 30
Step 6 ip igmp snooping querier tcn query [count (Optional) Sets the time between Topology
count | interval interval] Change Notification (TCN) queries. The count
range is 1 to 10. The interval range is 1 to 255
Example: seconds.
Step 7 ip igmp snooping querier timer expiry (Optional) Sets the length of time until the IGMP
timeout querier expires. The range is 60 to 300 seconds.
Example:
Switch(config)# ip igmp snooping
querier timer expiry 180
Step 8 ip igmp snooping querier version version (Optional) Selects the IGMP version number that
the querier feature uses. Select 1 or 2.
Example:
Switch(config)# ip igmp snooping
querier version 2
Example:
Switch(config)# end
Step 10 show ip igmp snooping vlan vlan-id (Optional) Verifies that the IGMP snooping
querier is enabled on the VLAN interface. The
Example: VLAN ID range is 1 to 1001 and 1006 to 4094.
Step 11 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
129
How to Configure IGMP Snooping and MVR
Related Topics
IGMP Snooping, on page 106
Prerequisites for IGMP Snooping, on page 103
Example: Setting the IGMP Snooping Querier Source Address, on page 145
Example: Setting the IGMP Snooping Querier Maximum Response Time, on page 145
Example: Setting the IGMP Snooping Querier Timeout, on page 146
Example: Setting the IGMP Snooping Querier Feature, on page 146
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
130
How to Configure IGMP Snooping and MVR
Example:
Switch# show ip igmp snooping
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Related Topics
IGMP Report Suppression, on page 110
Note For complete syntax and usage information for the commands used in this section, see the command
reference for this release.
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
131
How to Configure IGMP Snooping and MVR
Example:
Switch (config)# mvr
Step 4 mvr group ip-address [count] Configures an IP multicast address on the switch or use the
count parameter to configure a contiguous series of MVR
Example: group addresses (the range for count is 1 to 256; the default
is 1). Any multicast data sent to this address is sent to all
Switch(config)# mvr group source ports on the switch and all receiver ports that have
228.1.23.4
elected to receive data on that multicast address. Each
multicast address would correspond to one television channel.
Note To return the switch to its default settings, use the
no mvr [mode | group ip-address | querytime |
vlan] global configuration commands.
Step 5 mvr querytime value (Optional) Defines the maximum time to wait for IGMP
report memberships on a receiver port before removing the
Example: port from multicast group membership. The value is in units
of tenths of a second. The range is 1 to 100, and the default
Switch(config)# mvr querytime is 5 tenths or one-half second.
10
Step 6 mvr vlan vlan-id (Optional) Specifies the VLAN in which multicast data is
received; all source ports must belong to this VLAN. The
Example: VLAN range is 1 to 1001 and 1006 to 4094. The default is
VLAN 1.
Switch(config)# mvr vlan 22
Step 7 mvr mode {dynamic | (Optional) Specifies the MVR mode of operation:
compatible}
• dynamic—Allows dynamic MVR membership on
source ports.
Example:
• compatible—Is compatible with Catalyst 3500 XL and
Switch(config)# mvr mode
dynamic Catalyst 2900 XL switches and does not support IGMP
dynamic joins on source ports.
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
132
How to Configure IGMP Snooping and MVR
Example:
Switch# show mvr
OR
Step 10 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Procedure
Example:
Switch# configure terminal
Example:
Switch (config)# mvr
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
133
How to Configure IGMP Snooping and MVR
Step 5 mvr type {source | receiver} Configures an MVR port as one of these:
• source—Configures uplink ports that receive and send
Example: multicast data as source ports. Subscribers cannot be
Switch(config-if)# mvr type directly connected to source ports. All source ports
receiver on a switch belong to the single multicast VLAN.
• receiver—Configures a port as a receiver port if it is
a subscriber port and should only receive multicast
data. It does not receive data unless it becomes a
member of the multicast group, either statically or by
using IGMP leave and join messages. Receiver ports
cannot belong to the multicast VLAN.
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
134
How to Configure IGMP Snooping and MVR
Example:
Switch# show mvr interface
Port Type Status
Immediate Leave
---- ---- -------
---------------
Gi1/0/2 RECEIVER ACTIVE/DOWN
ENABLED
Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
135
How to Configure IGMP Snooping and MVR
Switch(config-igmp-profile)#
permit
Step 5 range ip multicast address Enters the IP multicast address or range of IP multicast
addresses to which access is being controlled. If entering a
Example: range, enter the low IP multicast address, a space, and the
high IP multicast address.
Switch(config-igmp-profile)#
range 229.9.9.0 You can use the range command multiple times to enter
multiple addresses or ranges of addresses.
Note To delete an IP multicast address or range of IP
multicast addresses, use the no range ip multicast
address IGMP profile configuration command.
Step 6 end Returns to privileged EXEC mode.
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
136
How to Configure IGMP Snooping and MVR
Example:
Switch# show ip igmp profile
3
Example:
Switch# show running-config
Step 9 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Related Topics
IGMP Filtering and Throttling, on page 114
Restrictions for IGMP Snooping, on page 104
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
137
How to Configure IGMP Snooping and MVR
Example:
Switch# configure terminal
Step 3 interface interface-id Specifies the physical interface, and enters interface
configuration mode. The interface must be a Layer
Example: 2 port that does not belong to an EtherChannel port
group.
Switch(config)# interface
gigabitethernet1/0/1
Step 4 ip igmp filter profile number Applies the specified IGMP profile to the interface.
The range is 1 to 4294967295.
Example: Note To remove a profile from an interface, use
Switch(config-if)# ip igmp filter the no ip igmp filter profile number
321 interface configuration command.
Example:
Switch(config-if)# end
Example:
Switch# show running-config
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Related Topics
IGMP Filtering and Throttling, on page 114
Restrictions for IGMP Snooping, on page 104
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
138
How to Configure IGMP Snooping and MVR
Procedure
Example:
Switch# configure terminal
Step 4 ip igmp max-groups number Sets the maximum number of IGMP groups that the
interface can join. The range is 0 to 4294967294.
Example: The default is to have no maximum set.
Example:
Switch(config)# end
Example:
Switch# show running-config
interface gigabitethernet1/0/1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
139
How to Configure IGMP Snooping and MVR
Related Topics
IGMP Filtering and Throttling, on page 114
Restrictions for IGMP Snooping, on page 104
Procedure
Example:
Switch# configure terminal
Step 3 interface interface-id Specifies the physical interface to be configured, and enters
interface configuration mode. The interface can be a Layer 2
Example: port that does not belong to an EtherChannel group or an
EtherChannel interface. The interface cannot be a trunk port.
Switch(config)# interface
gigabitethernet 1/0/1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
140
How to Configure IGMP Snooping and MVR
Example:
Switch(config)# end
Example:
Switch# show running-config
interface
gigabitethernet1/0/1
Step 7 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
141
Monitoring IGMP Snooping and MVR
Related Topics
IGMP Filtering and Throttling, on page 114
Restrictions for IGMP Snooping, on page 104
Command Purpose
show ip igmp snooping [vlan vlan-id Displays the snooping configuration information for all VLANs
[detail] ] on the switch or for a specified VLAN.
(Optional) Enter vlan vlan-id to display information for a single
VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.
show ip igmp snooping groups [count Displays multicast table information for the switch or about a
|dynamic [count] | user [count]] specific parameter:
• count—Displays the total number of entries for the
specified command options instead of the actual entries.
• dynamic—Displays entries learned through IGMP
snooping.
• user—Displays only the user-configured multicast entries.
show ip igmp snooping groups vlan Displays multicast table information for a multicast VLAN or
vlan-id [ip_address | count | dynamic about a specific parameter for the VLAN:
[count] | user[count]]
• vlan-id—The VLAN ID range is 1 to 1001 and 1006 to
4094.
• count—Displays the total number of entries for the
specified command options instead of the actual entries.
• dynamic—Displays entries learned through IGMP
snooping.
• ip_address—Displays characteristics of the multicast
group with the specified group IP address.
• user—Displays only the user-configured multicast entries.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
142
Monitoring IGMP Snooping and MVR
Command Purpose
show ip igmp snooping mrouter [vlan Displays information on dynamically learned and manually
vlan-id] configured multicast router interfaces.
Note When you enable IGMP snooping, the switch
automatically learns the interface to which a multicast
router is connected. These are dynamically learned
interfaces.
(Optional) Enter the vlan vlan-id to display information for a
particular VLAN.
show ip igmp snooping querier [vlan Displays information about the IP address and receiving port
vlan-id] detail of the most-recently received IGMP query message in the
VLAN and the configuration and operational state of the IGMP
snooping querier in the VLAN.
Monitoring MVR
You can monitor MVR for the switch or for a specified interface by displaying the following MVR information.
Command Purpose
show mvr Displays MVR status and values for the switch—whether MVR is
enabled or disabled, the multicast VLAN, the maximum (256) and
current (0 through 256) number of multicast groups, the query
response time, and the MVR mode.
show mvr interface [interface-id] Displays all MVR interfaces and their MVR configurations.
[members [vlan vlan-id]] When a specific interface is entered, displays this information:
• Type—Receiver or Source
• Status—One of these:
◦Active means the port is part of a VLAN.
◦Up/Down means that the port is forwarding or
nonforwarding.
◦Inactive means that the port is not part of any VLAN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
143
Configuration Examples for IGMP Snooping and MVR
Command Purpose
show mvr members [ip-address] Displays all receiver and source ports that are members of any IP
multicast group or the specified IP multicast group IP address.
Table 20: Commands for Displaying IGMP Filtering and Throttling Configuration
Command Purpose
show ip igmp profile [profile number] Displays the specified IGMP profile or all the
IGMP profiles defined on the switch.
Related Topics
Configuring a Multicast Router Port , on page 119
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
144
Configuration Examples for IGMP Snooping and MVR
Related Topics
Configuring a Host Statically to Join a Group , on page 120
Joining a Multicast Group, on page 107
Related Topics
Enabling IGMP Immediate Leave , on page 122
Immediate Leave , on page 109
Related Topics
Configuring the IGMP Snooping Querier , on page 128
IGMP Snooping, on page 106
Related Topics
Configuring the IGMP Snooping Querier , on page 128
IGMP Snooping, on page 106
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
145
Configuration Examples for IGMP Snooping and MVR
Related Topics
Configuring the IGMP Snooping Querier , on page 128
IGMP Snooping, on page 106
Related Topics
Configuring the IGMP Snooping Querier , on page 128
IGMP Snooping, on page 106
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
146
Additional References
Additional References
Related Documents
Cisco IOS commands Cisco IOS Master Commands List, All Releases
Standard/RFC Title
RFC 1112 Host Extensions for IP Multicasting
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
147
Feature History and Information for IGMP Snooping
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
148
PART III
IPv6
• Configuring MLD Snooping, page 151
• Configuring IPv6 Unicast Routing, page 167
• Configuring IPv6 ACL, page 181
CHAPTER 12
Configuring MLD Snooping
This module contains details of configuring MLD snooping
Note To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template
on the switch.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
151
Information About Configuring IPv6 MLD Snooping
Note For complete syntax and usage information for the commands used in this chapter, see the command
reference for this release or the Cisco IOS documentation referenced in the procedures.
The switch can snoop on both MLDv1 and MLDv2 protocol packets and bridge IPv6 multicast data based on
destination IPv6 multicast addresses.
Note The switch does not support MLDv2 enhanced snooping, which sets up IPv6 source and destination
multicast address-based forwarding.
MLD snooping can be enabled or disabled globally or per VLAN. When MLD snooping is enabled, a per-VLAN
IPv6 multicast address table is constructed in software and hardware. The switch then performs IPv6
multicast-address based bridging in hardware.
MLD Messages
MLDv1 supports three types of messages:
• Listener Queries are the equivalent of IGMPv2 queries and are either General Queries or
Multicast-Address-Specific Queries (MASQs).
• Multicast Listener Reports are the equivalent of IGMPv2 reports
• Multicast Listener Done messages are the equivalent of IGMPv2 leave messages.
MLDv2 supports MLDv2 queries and reports, as well as MLDv1 Report and Done messages.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
152
Information About Configuring IPv6 MLD Snooping
Message timers and state transitions resulting from messages being sent or received are the same as those of
IGMPv2 messages. MLD messages that do not have valid link-local IPv6 source addresses are ignored by
MLD routers and switches.
MLD Queries
The switch sends out MLD queries, constructs an IPv6 multicast address database, and generates MLD
group-specific and MLD group-and-source-specific queries in response to MLD Done messages. The switch
also supports report suppression, report proxying, Immediate-Leave functionality, and static IPv6 multicast
group address configuration.
When MLD snooping is disabled, all MLD queries are flooded in the ingress VLAN.
When MLD snooping is enabled, received MLD queries are flooded in the ingress VLAN, and a copy of the
query is sent to the CPU for processing. From the received query, MLD snooping builds the IPv6 multicast
address database. It detects multicast router ports, maintains timers, sets report response time, learns the querier
IP source address for the VLAN, learns the querier port in the VLAN, and maintains multicast-address aging.
Note When the IPv6 multicast router is a Catalyst 6500 switch and you are using extended VLANs (in the range
1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch
in order for the Catalyst 2960, 2960-S, 2960-C, 2960-X or 2960-CX switch to receive queries on the
VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the
VLAN on the Catalyst 6500 switch.
When a group exists in the MLD snooping database, the switch responds to a group-specific query by sending
an MLDv1 report. When the group is unknown, the group-specific query is flooded to the ingress VLAN.
When a host wants to leave a multicast group, it can send out an MLD Done message (equivalent to IGMP
Leave message). When the switch receives an MLDv1 Done message, if Immediate- Leave is not enabled,
the switch sends an MASQ to the port from which the message was received to determine if other devices
connected to the port should remain in the multicast group.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
153
Information About Configuring IPv6 MLD Snooping
• Received IPv6 multicast router control packets are always flooded to the ingress VLAN, whether or not
MLD snooping is enabled on the switch.
• After the discovery of the first IPv6 multicast router port, unknown IPv6 multicast data is forwarded
only to the discovered router ports (before that time, all IPv6 multicast data is flooded to the ingress
VLAN).
MLD Reports
The processing of MLDv1 join messages is essentially the same as with IGMPv2. When no IPv6 multicast
routers are detected in a VLAN, reports are not processed or forwarded from the switch. When IPv6 multicast
routers are detected and an MLDv1 report is received, an IPv6 multicast group address is entered in the VLAN
MLD database. Then all IPv6 multicast traffic to the group within the VLAN is forwarded using this address.
When MLD snooping is disabled, reports are flooded in the ingress VLAN.
When MLD snooping is enabled, MLD report suppression, called listener message suppression, is automatically
enabled. With report suppression, the switch forwards the first MLDv1 report received by a group to IPv6
multicast routers; subsequent reports for the group are not sent to the routers. When MLD snooping is disabled,
report suppression is disabled, and all MLDv1 reports are flooded to the ingress VLAN.
The switch also supports MLDv1 proxy reporting. When an MLDv1 MASQ is received, the switch responds
with MLDv1 reports for the address on which the query arrived if the group exists in the switch on another
port and if the port on which the query arrived is not the last member port for the address.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
154
How to Configure IPv6 MLD Snooping
You set this value by using the ipv6 mld snooping tcn flood query count global configuration command.
The default is to send two queries. The switch also generates MLDv1 global Done messages with valid
link-local IPv6 source addresses when the switch becomes the STP root in the VLAN or when it is configured
by the user. This is same as done in IGMP snooping.
MLD snooping (per VLAN) Enabled. MLD snooping must be globally enabled for VLAN
MLD snooping to take place.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
155
How to Configure IPv6 MLD Snooping
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
156
How to Configure IPv6 MLD Snooping
Example:
Switch(config)# ipv6 mld snooping
Example:
Switch(config)# end
Example:
Switch(config)# reload
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# ipv6 mld snooping
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
157
How to Configure IPv6 MLD Snooping
Example:
Switch(config)# ipv6 mld snooping
vlan 1
Procedure
Example:
Switch# configure terminal
Step 2 ipv6 mld snooping vlan vlan-id static Configures a multicast group with a Layer 2 port
ipv6_multicast_address interface as a member of a multicast group:
interface-id
• vlan-id is the multicast group VLAN ID. The
VLAN ID range is 1 to 1001 and 1006 to
Example: 4094.
Switch(config)# ipv6 mld snooping vlan
1 static FF12::3 interface • ipv6_multicast_address is the 128-bit group
gigabitethernet IPv6 address. The address must be in the
0/1 form specified in RFC 2373.
• interface-id is the member port. It can be a
physical interface or a port channel (1 to 48).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
158
How to Configure IPv6 MLD Snooping
Example:
Switch(config)# end
Step 4 Use one of the following: Verifies the static member port and the IPv6
address.
• show ipv6 mld snooping address
• show ipv6 mld snooping address vlan
vlan-id
Example:
Switch# show ipv6 mld snooping address
or
Switch# show ipv6 mld snooping vlan 1
Note Static connections to multicast routers are supported only on switch ports.
Beginning in privileged EXEC mode, follow these steps to add a multicast router port to a VLAN:
Procedure
Example:
Switch# configure terminal
Step 2 ipv6 mld snooping vlan vlan-id mrouter Specifies the multicast router VLAN ID, and
interface interface-id specify the interface to the multicast router.
• The VLAN ID range is 1 to 1001 and 1006
Example: to 4094.
Switch(config)# ipv6 mld snooping vlan
1 mrouter interface gigabitethernet
• The interface can be a physical interface or
a port channel. The port-channel range is 1
to 48.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
159
How to Configure IPv6 MLD Snooping
Example:
Switch(config)# end
Step 4 show ipv6 mld snooping mrouter [ vlan Verifies that IPv6 MLD snooping is enabled on
vlan-id ] the VLAN interface.
Example:
Switch# show ipv6 mld snooping mrouter
vlan 1
Procedure
Example:
Switch# configure terminal
Step 2 ipv6 mld snooping vlan vlan-id Enables MLD Immediate Leave on the
immediate-leave VLAN interface.
Example:
Switch(config)# ipv6 mld snooping vlan 1
immediate-leave
Example:
Switch(config)# end
Step 4 show ipv6 mld snooping vlan vlan-id Verifies that Immediate Leave is enabled
on the VLAN interface.
Example:
Switch# show ipv6 mld snooping vlan 1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
160
How to Configure IPv6 MLD Snooping
Procedure
Example:
Switch# configure terminal
Step 2 ipv6 mld snooping robustness-variable (Optional) Sets the number of queries that are sent
value before switch will deletes a listener (port) that does not
respond to a general query. The range is 1 to 3; the
Example: default is 2.
Switch(config)# ipv6 mld snooping
robustness-variable 3
Step 3 ipv6 mld snooping vlan vlan-id (Optional) Sets the robustness variable on a VLAN
robustness-variable value basis, which determines the number of general queries
that MLD snooping sends before aging out a multicast
Example: address when there is no MLD report response. The
Switch(config)# ipv6 mld snooping range is 1 to 3; the default is 0. When set to 0, the
vlan 1 robustness-variable 3 number used is the global robustness variable value.
Step 4 ipv6 mld snooping (Optional) Sets the number of MASQs that the switch
last-listener-query-count count sends before aging out an MLD client. The range is 1
to 7; the default is 2. The queries are sent 1 second
Example: apart.
Switch(config)# ipv6 mld snooping
last-listener-query-count 7
Step 5 ipv6 mld snooping vlan vlan-id (Optional) Sets the last-listener query count on a VLAN
last-listener-query-count count basis. This value overrides the value configured
globally. The range is 1 to 7; the default is 0. When set
Example: to 0, the global count value is used. Queries are sent 1
Switch(config)# ipv6 mld snooping second apart.
vlan 1 last-listener-query-count 7
Step 6 ipv6 mld snooping (Optional) Sets the maximum response time that the
last-listener-query-interval interval switch waits after sending out a MASQ before deleting
a port from the multicast group. The range is 100 to
Example: 32,768 thousands of a second. The default is 1000 (1
Switch(config)# ipv6 mld snooping second).
last-listener-query-interval 2000
Step 7 ipv6 mld snooping vlan vlan-id (Optional) Sets the last-listener query interval on a
last-listener-query-interval interval VLAN basis. This value overrides the value configured
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
161
How to Configure IPv6 MLD Snooping
Step 8 ipv6 mld snooping tcn query solicit (Optional) Enables topology change notification (TCN)
solicitation, which means that VLANs flood all IPv6
Example: multicast traffic for the configured number of queries
Switch(config)# ipv6 mld snooping before sending multicast data to only those ports
tcn query solicit requesting to receive it. The default is for TCN to be
disabled.
Step 9 ipv6 mld snooping tcn flood query count (Optional) When TCN is enabled, specifies the number
count of TCN queries to be sent. The range is from 1 to 10;
the default is 2.
Example:
Switch(config)# ipv6 mld snooping
tcn flood query count 5
Step 11 show ipv6 mld snooping querier [ vlan (Optional) Verifies that the MLD snooping querier
vlan-id] information for the switch or for the VLAN.
Example:
Switch(config)# show ipv6 mld
snooping querier vlan 1
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
162
Displaying MLD Snooping Information
Example:
Switch(config)# no ipv6 mld snooping
listener-message-suppression
Example:
Switch(config)# end
Step 4 show ipv6 mld snooping Verify that IPv6 MLD snooping report
suppression is disabled.
Example:
Switch# show ipv6 mld snooping
Command Purpose
show ipv6 mld snooping [ vlan vlan-id ] Displays the MLD snooping configuration
information for all VLANs on the switch or for a
specified VLAN.
(Optional) Enter vlan vlan-id to display information
for a single VLAN. The VLAN ID range is 1 to 1001
and 1006 to 4094.
show ipv6 mld snooping mrouter [ vlan vlan-id Displays information on dynamically learned and
] manually configured multicast router interfaces. When
you enable MLD snooping, the switch automatically
learns the interface to which a multicast router is
connected. These are dynamically learned interfaces.
(Optional) Enters vlan vlan-id to display information
for a single VLAN. The VLAN ID range is 1 to 1001
and 1006 to 4094.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
163
Configuration Examples for Configuring MLD Snooping
Command Purpose
show ipv6 mld snooping querier [ vlan vlan-id ] Displays information about the IPv6 address and
incoming port for the most-recently received MLD
query messages in the VLAN.
(Optional) Enters vlan vlan-id to display information
for a single VLAN.The VLAN ID range is 1 to 1001
and 1006 to 4094.
show ipv6 mld snooping address [ vlan vlan-id ] Displays all IPv6 multicast address information or
[ count | dynamic | user ] specific IPv6 multicast address information for the
switch or a VLAN.
• Enters count to show the group count on the
switch or in a VLAN.
• Enters dynamic to display MLD snooping
learned group information for the switch or for
a VLAN.
• Entesr user to display MLD snooping
user-configured group information for the
switch or for a VLAN.
show ipv6 mld snooping address vlan vlan-id [ Displays MLD snooping for the specified VLAN and
ipv6-multicast-address ] IPv6 multicast address.
1/0/1
Switch(config)# end
0/2
Switch(config)# exit
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
164
Configuration Examples for Configuring MLD Snooping
This example shows how to set the MLD snooping last-listener query count for a VLAN to 3:
This example shows how to set the MLD snooping last-listener query interval (maximum response time) to
2000 (2 seconds):
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
165
Configuration Examples for Configuring MLD Snooping
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
166
CHAPTER 13
Configuring IPv6 Unicast Routing
• Finding Feature Information, page 167
• Information About Configuring IPv6 Host Functions , page 167
• Configuration Examples for IPv6 Unicast Routing, page 178
Note To use IPv6 Host Functions, the switch must be running the LAN Base image.
For information about configuring IPv6 Multicast Listener Discovery (MLD) snooping, see Configuring MLD
Snooping.
To enable dual stack environments (supporting both IPv4 and IPv6) on a Catalyst 2960 switch, you must
configure the switch to use the a dual IPv4 and IPv6 switch database management (SDM) template. See the
"Dual IPv4 and IPv6 Protocol Stacks" section. This template is not required on Catalyst 2960-S switches.
Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS
documentation referenced in the procedures.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
167
Information About Configuring IPv6 Host Functions
Understanding IPv6
IPv4 users can move to IPv6 and receive services such as end-to-end security, quality of service (QoS), and
globally unique addresses. The IPv6 address space reduces the need for private addresses and Network Address
Translation (NAT) processing by border routers at network edges.
For information about how Cisco Systems implements IPv6, go to:
http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html
For information about IPv6 and other features in this chapter
• See the Cisco IOS IPv6 Configuration Library.
• Use the Search field on Cisco.com to locate the Cisco IOS software documentation. For example, if you
want information about static routes, you can enter Implementing Static Routes for IPv6 in the search
field to learn about static routes.
IPv6 Addresses
The switch supports only IPv6 unicast addresses. It does not support site-local unicast addresses, or anycast
addresses.
The IPv6 128-bit addresses are represented as a series of eight 16-bit hexadecimal fields separated by colons
in the format: n:n:n:n:n:n:n:n. This is an example of an IPv6 address:
2031:0000:130F:0000:0000:09C0:080F:130B
For easier implementation, leading zeros in each field are optional. This is the same address without leading
zeros:
2031:0:130F:0:0:9C0:80F:130B
You can also use two colons (::) to represent successive hexadecimal fields of zeros, but you can use this short
version only once in each address:
2031:0:130F::09C0:080F:130B
For more information about IPv6 address formats, address types, and the IPv6 packet header, see the
“Implementing IPv6 Addressing and Basic Connectivity” chapter of Cisco IOS IPv6 Configuration Library
on Cisco.com.
In the "Implementing Addressing and Basic Connectivity" chapter, these sections apply to the Catalyst 2960,
2960-S, 2960-C, 2960-X, 2960-CX and 3560-CX switches:
• IPv6 Address Formats
• IPv6 Address Type: Multicast
• IPv6 Address Output Display
• Simplified IPv6 Packet Header
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
168
Information About Configuring IPv6 Host Functions
For more information, see the section about IPv6 unicast addresses in the “Implementing IPv6 Addressing
and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
ICMPv6
The Internet Control Message Protocol (ICMP) in IPv6 generates error messages, such as ICMP destination
unreachable messages, to report errors during processing and other diagnostic functions. In IPv6, ICMP
packets are also used in the neighbor discovery protocol and path MTU discovery.
Neighbor Discovery
The switch supports NDP for IPv6, a protocol running on top of ICMPv6, and static neighbor entries for IPv6
stations that do not support NDP. The IPv6 neighbor discovery process uses ICMP messages and solicited-node
multicast addresses to determine the link-layer address of a neighbor on the same network (local link), to
verify the reachability of the neighbor, and to keep track of neighboring routers.
The switch supports ICMPv6 redirect for routes with mask lengths less than 64 bits. ICMP redirect is not
supported for host routes or for summarized routes with mask lengths greater than 64 bits.
Neighbor discovery throttling ensures that the switch CPU is not unnecessarily burdened while it is in the
process of obtaining the next hop forwarding information to route an IPv6 packet. The switch drops any
additional IPv6 packets whose next hop is the same neighbor that the switch is actively trying to resolve. This
drop avoids further load on the CPU.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
169
Information About Configuring IPv6 Host Functions
IPv6 Applications
The switch has IPv6 support for these applications:
• Ping, traceroute, and Telnet
• Secure Shell (SSH) over an IPv6 transport
• HTTP server access over IPv6 transport
• DNS resolver for AAAA over IPv4 transport
• Cisco Discovery Protocol (CDP) support for IPv6 addresses
For more information about managing these applications, see the Cisco IOS IPv6 Configuration Library on
Cisco.com.
Use the dual IPv4 and IPv6 switch database management (SDM) template to enable IPv6 routing dual stack
environments (supporting both IPv4 and IPv6). For more information about the dual IPv4 and IPv6 SDM
template, see Configuring SDM Templates.
The dual IPv4 and IPv6 templates allow the switch to be used in dual stack environments.
• If you try to configure IPv6 without first selecting a dual IPv4 and IPv6 template, a warning message
appears.
• In IPv4-only environments, the switch routes IPv4 packets and applies IPv4 QoS and ACLs in hardware.
IPv6 packets are not supported.
• In dual IPv4 and IPv6 environments, the switch applies IPv4 QoS and ACLs in hardware .
• IPv6 QoS and ACLs are not supported.
• If you do not plan to use IPv6, do not use the dual stack template because this template results in less
hardware memory capacity for each resource.
For more information about IPv4 and IPv6 protocol stacks, see the “Implementing IPv6 Addressing and Basic
Connectivity” chapter of Cisco IOS IPv6 Configuration Library on Cisco.com.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
170
Information About Configuring IPv6 Host Functions
For support over IPv6, SNMP modifies the existing IP transport mapping to simultaneously support IPv4 and
IPv6. These SNMP actions support IPv6 transport management:
• Opens User Datagram Protocol (UDP) SNMP socket with default settings
• Provides a new transport mechanism called SR_IPV6_TRANSPORT
• Sends SNMP notifications over IPv6 transport
• Supports SNMP-named access lists for IPv6 transport
• Supports SNMP proxy forwarding using IPv6 transport
• Verifies SNMP Manager feature works with IPv6 transport
For information on SNMP over IPv6, including configuration procedures, see the “Managing Cisco IOS
Applications over IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
For information about syslog over IPv6, including configuration procedures, see the “Implementing IPv6
Addressing and Basic Connectivity” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
171
Information About Configuring IPv6 Host Functions
address with an extended unique identifier (EUI) by using the ipv6 addressipv6-prefix/prefix length eui-64
interface configuration command, the address is based on the interface MAC address. See the "Configuring
IPv6 Addressing and Enabling IPv6 Host" section.
If you configure the persistent MAC address feature on the stack and the stack master changes, the stack MAC
address does not change for approximately 4 minutes. For more information, see the "Enabling Persistent
MAC Address" section in "Managing Switch Stacks."
To forward IPv6 traffic on an interface, you must configure a global IPv6 address on that interface. Configuring
an IPv6 address on an interface automatically configures a link-local address and activates IPv6 for the
interface. The configured interface automatically joins these required multicast groups for that link:
• solicited-node multicast group FF02:0:0:0:0:1:ff00::/104 for each unicast address assigned to the interface
(this address is used in the neighbor discovery process.)
• all-nodes link-local multicast group FF02::1
• all-routers link-local multicast group FF02::2
For more information about configuring IPv6 routing, see the “Implementing Addressing and Basic Connectivity
for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com.
Beginning in privileged EXEC mode, follow these steps to assign an IPv6 address to a Layer 3 interface and
enable IPv6 forwarding:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
172
Information About Configuring IPv6 Host Functions
Procedure
Example:
Switch# configure terminal
Step 2 sdm prefer dual-ipv4-and-ipv6 {default} Selects an SDM template that supports IPv4 and
IPv6.
Example: • default—Sets the switch to the default
Switch(config)# sdm prefer template to balance system resources.
dual-ipv4-and-ipv6 default
Example:
Switch(config)# end
Example:
Switch# reload
Step 5 configure terminal Enters global configuration mode after the switch
reloads.
Example:
Switch# configure terminal
Step 7 Use one of the following: • Specifies a global IPv6 address with an
extended unique identifier (EUI) in the
• ipv6 address ipv6-prefix/prefix length low-order 64 bits of the IPv6 address. Specify
eui-64 only the network prefix; the last 64 bits are
• ipv6 address ipv6-address/prefix automatically computed from the switch MAC
length address. This enables IPv6 processing on the
interface.
• ipv6 address ipv6-address link-local
• Manually configures an IPv6 address on the
• ipv6 enable interface.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
173
Information About Configuring IPv6 Host Functions
Example:
Switch(config-if)# exit
Example:
Switch(config)# end
Example:
Switch# show ipv6 interface
gigabitethernet 1/0/1
Step 11 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
174
Information About Configuring IPv6 Host Functions
Procedure
Example:
Switch# configure terminal
Step 2 ipv6 icmp error-interval interval Configures the interval and bucket size for IPv6
[bucketsize] ICMP error messages:
• interval—The interval (in milliseconds)
Example: between tokens being added to the bucket.
Switch(config)# ipv6 icmp The range is from 0 to 2147483647
error-interval 50 20 milliseconds.
• bucketsize—(Optional) The maximum
number of tokens stored in the bucket. The
range is from 1 to 200.
Example:
Switch(config)# end
Example:
Switch# show ipv6 interface
gigabitethernet 1/0/1
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
175
Information About Configuring IPv6 Host Functions
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
176
Information About Configuring IPv6 Host Functions
Example:
Switch(config)# end
Step 4 Use one of the following: Verifies your entries by displaying the contents of the IPv6 routing
table.
• show ipv6 static [
ipv6-address | • interface interface-id—(Optional) Displays only those static
ipv6-prefix/prefix length ] routes with the specified interface as an egress interface.
[interface interface-id ]
[detail]][recursive] [detail] • recursive—(Optional) Displays only recursive static routes.
The recursive keyword is mutually exclusive with the
• show ipv6 route static interface keyword, but it can be used with or without the
[ updated ] IPv6 prefix included in the command syntax.
• detail—(Optional) Displays this additional information:
Example: ◦For valid recursive routes, the output path set, and
Switch# show ipv6 static maximum resolution depth.
2001:0DB8::/32 interface
gigabitethernet2/0/1 ◦For invalid routes, the reason why the route is not valid.
or
Switch# show ipv6 route
static
Step 5 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Displaying IPv6
For complete syntax and usage information on these commands, see the Cisco IOS command reference
publications.
Command Purpose
show ipv6 access-list Displays a summary of access lists.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
177
Configuration Examples for IPv6 Unicast Routing
Command Purpose
show ipv6 interfaceinterface-id Displays IPv6 interface status and configuration.
show ipv6 protocols Displays a list of IPv6 routing protocols on the switch.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
178
Configuration Examples for IPv6 Unicast Routing
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
179
Configuration Examples for IPv6 Unicast Routing
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
180
CHAPTER 14
Configuring IPv6 ACL
• Finding Feature Information, page 181
• Information About Configuring IPv6 ACLs, page 181
• Configuring IPv6 ACLs, page 183
• Configuration Examples for IPv6 ACL, page 190
Note To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template
on the switch. You select the template by entering the sdm prefer {default | dual-ipv4-and-ipv6} global
configuration command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
181
Information About Configuring IPv6 ACLs
• IPv6 router ACLs - Supported on outbound or inbound traffic on Layer 3 interfaces, which can be routed
ports, switch virtual interfaces (SVIs), or Layer 3 EtherChannels. Applied to only IPv6 packets that are
routed.
• IPv6 port ACLs - Supported on inbound traffic on Layer 2 interfaces only. Applied to all IPv6 packets
entering the interface.
Note If you configure unsupported IPv6 ACLs, an error message appears and the configuration does not take
affect.
The switch does not support VLAN ACLs (VLAN maps) for IPv6 traffic.
You can apply both IPv4 and IPv6 ACLs to an interface.
As with IPv4 ACLs, IPv6 port ACLs take precedence over router ACLs:
• When an input router ACL and input port ACL exist in an SVI, packets received on ports to which a
port ACL is applied are filtered by the port ACL. Routed IP packets received on other ports are filtered
by the router ACL. Other packets are not filtered.
• When an output router ACL and input port ACL exist in an SVI, packets received on the ports to which
a port ACL is applied are filtered by the port ACL. Outgoing routed IPv6 packets are filtered by the
router ACL. Other packets are not filtered.
Note If any port ACL (IPv4, IPv6, or MAC) is applied to an interface, that port ACL is used to filter packets,
and any router ACLs attached to the SVI of the port VLAN are ignored.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
182
Configuring IPv6 ACLs
• IPv6 source and destination addresses-ACL matching is supported only on prefixes from /0 to /64 and
host addresses (/128) that are in the extended universal identifier (EUI)-64 format. The switch supports
only these host addresses with no loss of information:
-aggregatable global unicast addresses
-link local addresses
• The switch does not support matching on these keywords: flowlabel, routing header, and
undetermined-transport.
• The switch does not support reflexive ACLs (the reflect keyword).
• This release supports only port ACLs and router ACLs for IPv6; it does not support VLAN ACLs (VLAN
maps).
• The switch does not apply MAC-based ACLs on IPv6 frames.
• You cannot apply IPv6 port ACLs to Layer 2 EtherChannels.
• The switch does not support output port ACLs.
• Output router ACLs and input port ACLs for IPv6 are supported only on . Switches support only control
plane (incoming) IPv6 ACLs.
• When configuring an ACL, there is no restriction on keywords entered in the ACL, regardless of whether
or not they are supported on the platform. When you apply the ACL to an interface that requires hardware
forwarding (physical ports or SVIs), the switch checks to determine whether or not the ACL can be
supported on the interface. If not, attaching the ACL is rejected.
• If an ACL is applied to an interface and you attempt to add an access control entry (ACE) with an
unsupported keyword, the switch does not allow the ACE to be added to the ACL that is currently
attached to the interface.
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
183
Configuring IPv6 ACLs
• You cannot use MAC ACLs to filter IPv6 frames. MAC ACLs can only filter non-IP frames.
• If the hardware memory is full, for any additional configured ACLs, packets are dropped to the CPU,
and the ACLs are applied in software. When the hardware is full a message is printed to the console
indicating the ACL has been unloaded and the packets will be dropped on the interface.
Note Only packets of the same type as the ACL that could not be added (ipv4, ipv6, MAC)
will be dropped on the interface.
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
184
Configuring IPv6 ACLs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
185
Configuring IPv6 ACLs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
186
Configuring IPv6 ACLs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
187
Configuring IPv6 ACLs
Example:
Switch(config)# end
Example:
show ipv6 access-list
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
188
Configuring IPv6 ACLs
Procedure
Example:
Switch# configure terminal
Step 2 interface interface_id Identify a Layer 2 interface (for port ACLs) or Layer
3 interface (for router ACLs) on which to apply an
Example: access list, and enter interface configuration mode.
Switch# interface interface-id
Step 4 ipv6 address ipv6_address Configure an IPv6 address on a Layer 3 interface (for
router ACLs). This command is not required on Layer
Example: 2 interfaces or if the interface has already been
Switch# ipv6 address ipv6-address configured with an explicit IPv6 address.
Step 5 ipv6 traffic-filter access-list-name Apply the access list to incoming or outgoing traffic
on the interface. The out keyword is not supported for
Example: Layer 2 interfaces (port ACLs).
Switch# ipv6 traffic-filter
access-list-name {in | out}
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
189
Configuration Examples for IPv6 ACL
Procedure
Step 2 show ipv6 access-list acl_name Displays all configured IPv6 access list or the
access list specified by name.
Example:
Switch# show ipv6 access-list
[access-list-name]
Switch(config-if)# no switchport
Switch(config-if)# ipv6 address 2001::/64 eui-64
Switch(config-if)# ipv6 traffic-filter CISCO out
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
190
Configuration Examples for IPv6 ACL
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
191
Configuration Examples for IPv6 ACL
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
192
PART IV
Layer 2
• Configuring Spanning Tree Protocol, page 195
• Configuring Multiple Spanning-Tree Protocol, page 221
• Configuring Optional Spanning-Tree Features, page 263
• Configuring EtherChannels, page 297
• Configuring Link-State Tracking, page 337
• Configuring Flex Links and the MAC Address-Table Move Update Feature, page 345
• Configuring UniDirectional Link Detection, page 365
CHAPTER 15
Configuring Spanning Tree Protocol
• Finding Feature Information, page 195
• Restrictions for STP, page 195
• Information About Spanning Tree Protocol, page 196
• How to Configure Spanning-Tree Features, page 208
• Monitoring Spanning-Tree Status, page 220
• Feature Information for STP, page 220
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
195
Information About Spanning Tree Protocol
Related Topics
Configuring the Root Switch , on page 210
Bridge ID, Device Priority, and Extended System ID, on page 198
Spanning-Tree Topology and BPDUs, on page 197
Accelerated Aging to Retain Connectivity, on page 204
The switch that has all of its ports as the designated role or as the backup role is the root switch. The switch
that has at least one of its ports in the designated role is called the designated switch.
Spanning tree forces redundant data paths into a standby (blocked) state. If a network segment in the spanning
tree fails and a redundant path exists, the spanning-tree algorithm recalculates the spanning-tree topology and
activates the standby path. Switches send and receive spanning-tree frames, called bridge protocol data units
(BPDUs), at regular intervals. The switches do not forward these frames but use them to construct a loop-free
path. BPDUs contain information about the sending switch and its ports, including switch and MAC addresses,
switch priority, port priority, and path cost. Spanning tree uses this information to elect the root switch and
root port for the switched network and the root port and designated port for each switched segment.
When two ports on a switch are part of a loop, the spanning-tree and path cost settings control which port is
put in the forwarding state and which is put in the blocking state. The spanning-tree port priority value
represents the location of a port in the network topology and how well it is located to pass traffic. The path
cost value represents the media speed.
Note By default, the switch sends keepalive messages (to ensure the connection is up) only on interfaces that
do not have small form-factor pluggable (SFP) modules. You can change the default for an interface by
entering the [no] keepalive interface configuration command with no keywords.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
196
Information About Spanning Tree Protocol
When the switches in a network are powered up, each functions as the root switch. Each switch sends a
configuration BPDU through all of its ports. The BPDUs communicate and compute the spanning-tree topology.
Each configuration BPDU contains this information:
• The unique bridge ID of the switch that the sending switch identifies as the root switch
• The spanning-tree path cost to the root
• The bridge ID of the sending switch
• Message age
• The identifier of the sending interface
• Values for the hello, forward delay, and max-age protocol timers
When a switch receives a configuration BPDU that contains superior information (lower bridge ID, lower
path cost, and so forth), it stores the information for that port. If this BPDU is received on the root port of the
switch, the switch also forwards it with an updated message to all attached LANs for which it is the designated
switch.
If a switch receives a configuration BPDU that contains inferior information to that currently stored for that
port, it discards the BPDU. If the switch is a designated switch for the LAN from which the inferior BPDU
was received, it sends that LAN a BPDU containing the up-to-date information stored for that port. In this
way, inferior information is discarded, and superior information is propagated on the network.
A BPDU exchange results in these actions:
• One switch in the network is elected as the root switch (the logical center of the spanning-tree topology
in a switched network). See the figure following the bullets.
For each VLAN, the switch with the highest switch priority (the lowest numerical priority value) is
elected as the root switch. If all switches are configured with the default priority (32768), the switch
with the lowest MAC address in the VLAN becomes the root switch. The switch priority value occupies
the most significant bits of the bridge ID, as shown in the following figure.
• A root port is selected for each switch (except the root switch). This port provides the best path (lowest
cost) when the switch forwards packets to the root switch.
• Only one outgoing port on the stack root switch is selected as the root port. The remaining switches in
the stack become its designated switches (Switch 2 and Switch 3) as shown in the following figure.
• The shortest distance to the root switch is calculated for each switch based on the path cost.
• A designated switch for each LAN segment is selected. The designated switch incurs the lowest path
cost when forwarding packets from that LAN to the root switch. The port through which the designated
switch is attached to the LAN is called the designated port.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
197
Information About Spanning Tree Protocol
One stack member is elected as the stack root switch. The stack root switch contains the outgoing root port
(Switch 1).
Figure 8: Spanning-Tree Port States in a Switch Stack
All paths that are not needed to reach the root switch from anywhere in the switched network are placed in
the spanning-tree blocking mode.
Related Topics
Configuring the Root Switch , on page 210
Restrictions for STP, on page 195
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
198
Information About Spanning Tree Protocol
Spanning tree uses the extended system ID, the switch priority, and the allocated spanning-tree MAC address
to make the bridge ID unique for each VLAN. Because the switch stack appears as a single switch to the rest
of the network, all switches in the stack use the same bridge ID for a given spanning tree. If the stack master
fails, the stack members recalculate their bridge IDs of all running spanning trees based on the new MAC
address of the new stack master.
Support for the extended system ID affects how you manually configure the root switch, the secondary root
switch, and the switch priority of a VLAN. For example, when you change the switch priority value, you
change the probability that the switch will be elected as the root switch. Configuring a higher value decreases
the probability; a lower value increases the probability.
If any root switch for the specified VLAN has a switch priority lower than 24576, the switch sets its own
priority for the specified VLAN to 4096 less than the lowest switch priority. 4096 is the value of the
least-significant bit of a 4-bit switch priority value as shown in the table.
Related Topics
Configuring the Root Switch , on page 210
Restrictions for STP, on page 195
Configuring the Root Switch , on page 243
Root Switch, on page 224
Specifying the MST Region Configuration and Enabling MSTP , on page 241
Related Topics
Configuring Port Priority , on page 213
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
199
Information About Spanning Tree Protocol
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
200
Information About Spanning Tree Protocol
When you power up the switch, spanning tree is enabled by default, and every interface in the switch, VLAN,
or network goes through the blocking state and the transitory states of listening and learning. Spanning tree
stabilizes each interface at the forwarding or blocking state.
When the spanning-tree algorithm places a Layer 2 interface in the forwarding state, this process occurs:
1 The interface is in the listening state while spanning tree waits for protocol information to move the
interface to the blocking state.
2 While spanning tree waits for the forward-delay timer to expire, it moves the interface to the learning state
and resets the forward-delay timer.
3 In the learning state, the interface continues to block frame forwarding as the switch learns end-station
location information for the forwarding database.
4 When the forward-delay timer expires, spanning tree moves the interface to the forwarding state, where
both learning and frame forwarding are enabled.
Blocking State
A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU
is sent to each switch interface. A switch initially functions as the root until it exchanges BPDUs with other
switches. This exchange establishes which switch in the network is the root or root switch. If there is only
one switch in the network, no exchange occurs, the forward-delay timer expires, and the interface moves to
the listening state. An interface always enters the blocking state after switch initialization.
An interface in the blocking state performs these functions:
• Discards frames received on the interface
• Discards frames switched from another interface for forwarding
• Does not learn addresses
• Receives BPDUs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
201
Information About Spanning Tree Protocol
Listening State
The listening state is the first state a Layer 2 interface enters after the blocking state. The interface enters this
state when the spanning tree decides that the interface should participate in frame forwarding.
An interface in the listening state performs these functions:
• Discards frames received on the interface
• Discards frames switched from another interface for forwarding
• Does not learn addresses
• Receives BPDUs
Learning State
A Layer 2 interface in the learning state prepares to participate in frame forwarding. The interface enters the
learning state from the listening state.
An interface in the learning state performs these functions:
• Discards frames received on the interface
• Discards frames switched from another interface for forwarding
• Learns addresses
• Receives BPDUs
Forwarding State
A Layer 2 interface in the forwarding state forwards frames. The interface enters the forwarding state from
the learning state.
An interface in the forwarding state performs these functions:
• Receives and forwards frames received on the interface
• Forwards frames switched from another interface
• Learns addresses
• Receives BPDUs
Disabled State
A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An
interface in the disabled state is nonoperational.
A disabled interface performs these functions:
• Discards frames received on the interface
• Discards frames switched from another interface for forwarding
• Does not learn addresses
• Does not receive BPDUs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
202
Information About Spanning Tree Protocol
Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768)
and Switch A has the lowest MAC address. However, because of traffic patterns, number of forwarding
interfaces, or link types, Switch A might not be the ideal root switch. By increasing the priority (lowering the
numerical value) of the ideal switch so that it becomes the root switch, you force a spanning-tree recalculation
to form a new topology with the ideal switch as the root.
Figure 10: Spanning-Tree Topology
When the spanning-tree topology is calculated based on default parameters, the path between source and
destination end stations in a switched network might not be ideal. For instance, connecting higher-speed links
to an interface that has a higher number than the root port can cause a root-port change. The goal is to make
the fastest link the root port.
For example, assume that one port on Switch B is a Gigabit Ethernet link and that another port on Switch B
(a 10/100 link) is the root port. Network traffic might be more efficient over the Gigabit Ethernet link. By
changing the spanning-tree port priority on the Gigabit Ethernet port to a higher priority (lower numerical
value) than the root port, the Gigabit Ethernet port becomes the new root port.
Related Topics
Configuring Port Priority , on page 213
You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device
or to two different devices. Spanning tree automatically disables one interface but enables it if the other one
fails. If one link is high-speed and the other is low-speed, the low-speed link is always disabled. If the speeds
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
203
Information About Spanning Tree Protocol
are the same, the port priority and port ID are added together, and spanning tree disables the link with the
highest value.
Figure 11: Spanning Tree and Redundant Connectivity
You can also create redundant links between switches by using EtherChannel groups.
Related Topics
Configuring the Root Switch , on page 210
Restrictions for STP, on page 195
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
204
Information About Spanning Tree Protocol
Related Topics
Changing the Spanning-Tree Mode , on page 208
Related Topics
Disabling Spanning Tree , on page 210
Default Spanning-Tree Configuration, on page 207
Default MSTP Configuration, on page 237
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
205
Information About Spanning Tree Protocol
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 241
MSTP Configuration Guidelines, on page 223
Multiple Spanning-Tree Regions, on page 225
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
206
Information About Spanning Tree Protocol
VLAN-bridge spanning tree allows the bridge groups to form a spanning tree on top of the individual VLAN
spanning trees to prevent loops from forming if there are multiple connections among VLANs. It also prevents
the individual spanning trees from the VLANs being bridged from collapsing into a single spanning tree.
To support VLAN-bridge spanning tree, some of the spanning-tree timers are increased. To use the fallback
bridging feature, you must have the IP services feature set enabled on your switch.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
207
How to Configure Spanning-Tree Features
Note Beginning in Cisco IOS Release 15.2(4)E, the default STP mode is Rapid PVST+.
Related Topics
Disabling Spanning Tree , on page 210
Supported Spanning-Tree Instances, on page 205
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
208
How to Configure Spanning-Tree Features
Example:
Switch# configure terminal
Step 5 spanning-tree link-type Specifies that the link type for this port is point-to-point.
point-to-point If you connect this port (local port) to a remote port
through a point-to-point link and the local port becomes
Example: a designated port, the switch negotiates with the remote
Switch(config-if)# spanning-tree port and rapidly changes the local port to the forwarding
link-type point-to-point state.
Example:
Switch(config-if)# end
Step 7 clear spanning-tree If any port on the switch is connected to a port on a legacy
detected-protocols IEEE 802.1D switch, this command restarts the protocol
migration process on the entire switch.
Example: This step is optional if the designated switch detects that
Switch# clear spanning-tree this switch is running rapid PVST+.
detected-protocols
Related Topics
Spanning-Tree Modes and Protocols, on page 205
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
209
How to Configure Spanning-Tree Features
Caution When spanning tree is disabled and loops are present in the topology, excessive traffic and indefinite
packet duplication can drastically reduce network performance.
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# no spanning-tree vlan
300
Example:
Switch(config)# end
Related Topics
Supported Spanning-Tree Instances, on page 205
Default Spanning-Tree Configuration, on page 207
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
210
How to Configure Spanning-Tree Features
VLAN. Because of the extended system ID support, the switch sets its own priority for the specified VLAN
to 24576 if this value will cause this switch to become the root for the specified VLAN.
Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of switch
hops between any two end stations in the Layer 2 network). When you specify the network diameter, the
switch automatically sets an optimal hello time, forward-delay time, and maximum-age time for a network
of that diameter, which can significantly reduce the convergence time. You can use the hello keyword to
override the automatically calculated hello time.
This procedure is optional.
Procedure
Example:
Switch# configure terminal
Step 3 spanning-tree vlan vlan-id root Configures a switch to become the root for the specified
primary [diameter net-diameter VLAN.
• For vlan-id, you can specify a single VLAN
Example: identified by VLAN ID number, a range of VLANs
Switch(config)# spanning-tree separated by a hyphen, or a series of VLANs
vlan 20-24 root primary diameter separated by a comma. The range is 1 to 4094.
4
• (Optional) For diameter net-diameter, specify the
maximum number of switches between any two
end stations. The range is 2 to 7.
Example:
Switch(config)# end
What to Do Next
After configuring the switch as the root switch, we recommend that you avoid manually configuring the hello
time, forward-delay time, and maximum-age time through the spanning-tree vlan vlan-id hello-time,
spanning-tree vlan vlan-id forward-time, and the spanning-tree vlan vlan-id max-age global configuration
commands.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
211
How to Configure Spanning-Tree Features
Related Topics
Bridge ID, Device Priority, and Extended System ID, on page 198
Spanning-Tree Topology and BPDUs, on page 197
Accelerated Aging to Retain Connectivity, on page 204
Restrictions for STP, on page 195
Procedure
Example:
Switch# configure terminal
Step 3 spanning-tree vlan vlan-id root Configures a switch to become the secondary root for the
secondary [diameter net-diameter specified VLAN.
• For vlan-id, you can specify a single VLAN identified
Example: by VLAN ID number, a range of VLANs separated
Switch(config)# spanning-tree by a hyphen, or a series of VLANs separated by a
vlan 20-24 root secondary comma. The range is 1 to 4094.
diameter 4
• (Optional) For diameter net-diameter, specify the
maximum number of switches between any two end
stations. The range is 2 to 7.
Use the same network diameter value that you used when
configuring the primary root switch.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
212
How to Configure Spanning-Tree Features
Example:
Switch(config)# end
Note If your switch is a member of a switch stack, you must use the spanning-tree [vlan vlan-id] cost cost
interface configuration command instead of the spanning-tree [vlan vlan-id] port-priority priority
interface configuration command to select an interface to put in the forwarding state. Assign lower cost
values to interfaces that you want selected first and higher cost values that you want selected last.
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
213
How to Configure Spanning-Tree Features
Example:
Switch(config-if)# end
Related Topics
Port Priority Versus Path Cost, on page 199
How a Switch or Port Becomes the Root Switch or Root Port, on page 203
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
214
How to Configure Spanning-Tree Features
Step 5 spanning-tree vlan vlan-id cost Configures the cost for a VLAN.
cost If a loop occurs, spanning tree uses the path cost when
selecting an interface to place into the forwarding state. A
Example: lower path cost represents higher-speed transmission.
Switch(config-if)# • For vlan-id, you can specify a single VLAN identified
spanning-tree vlan
10,12-15,20 cost 300 by VLAN ID number, a range of VLANs separated by
a hyphen, or a series of VLANs separated by a comma.
The range is 1 to 4094.
• For cost, the range is 1 to 200000000; the default value
is derived from the media speed of the interface.
Example:
Switch(config-if)# end
The show spanning-tree interface interface-id privileged EXEC command displays information only for
ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC
command to confirm the configuration.
Related Topics
Port Priority Versus Path Cost, on page 199
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
215
How to Configure Spanning-Tree Features
Note Exercise care when using this command. For most situations, we recommend that you use the spanning-tree
vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration
commands to modify the switch priority.
Procedure
Example:
Switch# configure terminal
Example:
Switch(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
216
How to Configure Spanning-Tree Features
Procedure
Step 2 spanning-tree vlan vlan-id Configures the hello time of a VLAN. The hello time is the
hello-time seconds time interval between configuration messages generated and
sent by the root switch. These messages mean that the switch
Example: is alive.
Switch(config)# spanning-tree • For vlan-id, you can specify a single VLAN identified
vlan 20-24 hello-time 3 by VLAN ID number, a range of VLANs separated by
a hyphen, or a series of VLANs separated by a comma.
The range is 1 to 4094.
• For seconds, the range is 1 to 10; the default is 2.
Example:
Switch(config-if)# end
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
217
How to Configure Spanning-Tree Features
Switch(config)# spanning-tree • For vlan-id, you can specify a single VLAN identified
vlan 20,25 forward-time 18 by VLAN ID number, a range of VLANs separated
by a hyphen, or a series of VLANs separated by a
comma. The range is 1 to 4094.
• For seconds, the range is 4 to 30; the default is 15.
Example:
Switch(config)# end
Procedure
Example:
Switch# configure terminal
Step 3 spanning-tree vlan vlan-id Configures the maximum-aging time of a VLAN. The
max-age seconds maximum-aging time is the number of seconds a switch
waits without receiving spanning-tree configuration
Example: messages before attempting a reconfiguration.
Switch(config)# spanning-tree • For vlan-id, you can specify a single VLAN identified
vlan 20 max-age 30 by VLAN ID number, a range of VLANs separated
by a hyphen, or a series of VLANs separated by a
comma. The range is 1 to 4094.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
218
How to Configure Spanning-Tree Features
Example:
Switch(config-if)# end
Note Changing this parameter to a higher value can have a significant impact on CPU utilization, especially in
Rapid PVST+ mode. Lowering this value can slow down convergence in certain scenarios. We recommend
that you maintain the default setting.
Procedure
Example:
Switch# configure terminal
Step 3 spanning-tree transmit hold-count value Configures the number of BPDUs that can be sent
before pausing for 1 second.
Example: For value, the range is 1 to 20; the default is 6.
Switch(config)# spanning-tree
transmit hold-count 6
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
219
Monitoring Spanning-Tree Status
show spanning-tree vlan vlan-id Displays spanning-tree information for the specified VLAN.
show spanning-tree interface Displays spanning-tree information for the specified interface.
interface-id
show spanning-tree interface Displays spanning-tree portfast information for the specified
interface-id portfast interface.
show spanning-tree summary [totals] Displays a summary of interface states or displays the total lines
of the STP state section.
To clear spanning-tree counters, use the clear spanning-tree [interface interface-id] privileged EXEC
command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
220
CHAPTER 16
Configuring Multiple Spanning-Tree Protocol
• Finding Feature Information, page 221
• Prerequisites for MSTP, page 221
• Restrictions for MSTP, page 222
• Information About MSTP, page 223
• How to Configure MSTP Features, page 241
• Examples, page 258
• Monitoring MST Configuration and Status, page 262
• Feature Information for MSTP, page 262
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
221
Restrictions for MSTP
• For load-balancing between a per-VLAN spanning tree plus (PVST+) and an MST cloud or between a
rapid-PVST+ and an MST cloud to work, all MST boundary ports must be forwarding. MST boundary
ports are forwarding when the internal spanning tree (IST) master of the MST cloud is the root of the
common spanning tree (CST). If the MST cloud consists of multiple MST regions, one of the MST
regions must contain the CST root, and all of the other MST regions must have a better path to the root
contained within the MST cloud than a path through the PVST+ or rapid-PVST+ cloud. You might have
to manually configure the switches in the clouds.
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 241
MSTP Configuration Guidelines, on page 223
Multiple Spanning-Tree Regions, on page 225
Table 29: PVST+, MSTP, and Rapid PVST+ Interoperability and Compatibility
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
222
Information About MSTP
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 241
MSTP Configuration Guidelines, on page 223
Multiple Spanning-Tree Regions, on page 225
Configuring the Root Switch , on page 243
Root Switch, on page 224
Specifying the MST Region Configuration and Enabling MSTP , on page 241
MSTP Configuration
MSTP, which uses RSTP for rapid convergence, enables multiple VLANs to be grouped into and mapped to
the same spanning-tree instance, reducing the number of spanning-tree instances needed to support a large
number of VLANs. The MSTP provides for multiple forwarding paths for data traffic, enables load balancing,
and reduces the number of spanning-tree instances required to support a large number of VLANs. It improves
the fault tolerance of the network because a failure in one instance (forwarding path) does not affect other
instances (forwarding paths).
Note The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard.
The most common initial deployment of MSTP is in the backbone and distribution layers of a Layer 2 switched
network. This deployment provides the highly available network required in a service-provider environment.
When the switch is in the MST mode, the RSTP, which is based on IEEE 802.1w, is automatically enabled.
The RSTP provides rapid convergence of the spanning tree through explicit handshaking that eliminates the
IEEE 802.1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state.
Both MSTP and RSTP improve the spanning-tree operation and maintain backward compatibility with
equipment that is based on the (original) IEEE 802.1D spanning tree, with existing Cisco-proprietary Multiple
Instance STP (MISTP), and with existing Cisco PVST+ and rapid per-VLAN spanning-tree plus (Rapid
PVST+).
A switch stack appears as a single spanning-tree node to the rest of the network, and all stack members use
the same switch ID.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
223
Information About MSTP
1 Gb/s 20,000
10 Gb/s 2,000
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 241
Prerequisites for MSTP, on page 221
Restrictions for MSTP, on page 222
Spanning-Tree Interoperability and Backward Compatibility, on page 206
Optional Spanning-Tree Configuration Guidelines
BackboneFast, on page 270
UplinkFast, on page 266
Root Switch
The switch maintains a spanning-tree instance for the group of VLANs mapped to it. A switch ID, consisting
of the switch priority and the switch MAC address, is associated with each instance. For a group of VLANs,
the switch with the lowest switch ID becomes the root switch.
When you configure a switch as the root, you modify the switch priority from the default value (32768) to a
significantly lower value so that the switch becomes the root switch for the specified spanning-tree instance.
When you enter this command, the switch checks the switch priorities of the root switches. Because of the
extended system ID support, the switch sets its own priority for the specified instance to 24576 if this value
will cause this switches to become the root for the specified spanning-tree instance.
If any root switch for the specified instance has a switch priority lower than 24576, the switch sets its own
priority to 4096 less than the lowest switch priority. (4096 is the value of the least-significant bit of a 4-bit
switch priority value. For more information, select "Bridge ID, Switch Priority, and Extended System ID"
link in Related Topics.
If your network consists of switches that support and do not support the extended system ID, it is unlikely
that the switch with the extended system ID support will become the root switch. The extended system ID
increases the switch priority value every time the VLAN number is greater than the priority of the connected
switches running older software.
The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure
an access switch as the spanning-tree primary root.
Use the diameter keyword, which is available only for MST instance 0, to specify the Layer 2 network
diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).
When you specify the network diameter, the switch automatically sets an optimal hello time, forward-delay
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
224
Information About MSTP
time, and maximum-age time for a network of that diameter, which can significantly reduce the convergence
time. You can use the hello keyword to override the automatically calculated hello time.
Related Topics
Configuring the Root Switch , on page 243
Restrictions for MSTP, on page 222
Bridge ID, Device Priority, and Extended System ID, on page 198
Related Topics
Illustration of MST Regions, on page 228
Specifying the MST Region Configuration and Enabling MSTP , on page 241
Prerequisites for MSTP, on page 221
Restrictions for MSTP, on page 222
Spanning-Tree Interoperability and Backward Compatibility, on page 206
Optional Spanning-Tree Configuration Guidelines
BackboneFast, on page 270
UplinkFast, on page 266
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
225
Information About MSTP
All MST instances within the same region share the same protocol timers, but each MST instance has
its own topology parameters, such as root switch ID, root path cost, and so forth. By default, all VLANs
are assigned to the IST.
An MST instance is local to the region; for example, MST instance 1 in region A is independent of MST
instance 1 in region B, even if regions A and B are interconnected.
• A common and internal spanning tree (CIST), which is a collection of the ISTs in each MST region,
and the common spanning tree (CST) that interconnects the MST regions and single spanning trees.
The spanning tree computed in a region appears as a subtree in the CST that encompasses the entire
switched domain. The CIST is formed by the spanning-tree algorithm running among switches that
support the IEEE 802.1w, IEEE 802.1s, and IEEE 802.1D standards. The CIST inside an MST region
is the same as the CST outside a region.
Related Topics
Illustration of MST Regions, on page 228
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
226
Information About MSTP
related to the spanning-tree topology (for example, switch priority, port VLAN cost, and port VLAN priority)
can be configured on both the CST instance and the MST instance.
MSTP switches use Version 3 RSTP BPDUs or IEEE 802.1D STP BPDUs to communicate with legacy IEEE
802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches.
Related Topics
Illustration of MST Regions, on page 228
CIST internal root path cost IST master path cost CIST internal path cost
CIST external root path cost Root path cost Root path cost
MSTI internal root path cost Root path cost Root path cost
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
227
Information About MSTP
Related Topics
Multiple Spanning-Tree Regions, on page 225
Operations Within an MST Region, on page 226
Operations Between MST Regions, on page 226
Hop Count
The IST and MST instances do not use the message-age and maximum-age information in the configuration
BPDU to compute the spanning-tree topology. Instead, they use the path cost to the root and a hop-count
mechanism similar to the IP time-to-live (TTL) mechanism.
By using the spanning-tree mst max-hops global configuration command, you can configure the maximum
hops inside the region and apply it to the IST and all MST instances in that region. The hop count achieves
the same result as the message-age information (triggers a reconfiguration). The root switch of the instance
always sends a BPDU (or M-record) with a cost of 0 and the hop count set to the maximum value. When a
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
228
Information About MSTP
switch receives this BPDU, it decrements the received remaining hop count by one and propagates this value
as the remaining hop count in the BPDUs it generates. When the count reaches zero, the switch discards the
BPDU and ages the information held for the port.
The message-age and maximum-age information in the RSTP portion of the BPDU remain the same throughout
the region, and the same values are propagated by the region designated ports at the boundary.
Boundary Ports
In the Cisco prestandard implementation, a boundary port connects an MST region to a single spanning-tree
region running RSTP, to a single spanning-tree region running PVST+ or rapid PVST+, or to another MST
region with a different MST configuration. A boundary port also connects to a LAN, the designated switch
of which is either a single spanning-tree switch or a switch with a different MST configuration.
There is no definition of a boundary port in the IEEE 802.1s standard. The IEEE 802.1Q-2002 standard
identifies two kinds of messages that a port can receive:
• internal (coming from the same region)
• external (coming from another region)
When a message is internal, the CIST part is received by the CIST, and each MST instance receives its
respective M-record.
When a message is external, it is received only by the CIST. If the CIST role is root or alternate, or if the
external BPDU is a topology change, it could have an impact on the MST instances.
An MST region includes both switches and LANs. A segment belongs to the region of its designated port.
Therefore, a port in a different region than the designated port for a segment is a boundary port. This definition
allows two ports internal to a region to share a segment with a port belonging to a different region, creating
the possibility of a port receiving both internal and external messages.
The primary change from the Cisco prestandard implementation is that a designated port is not defined as
boundary, unless it is running in an STP-compatible mode.
Note If there is a legacy STP switch on the segment, messages are always considered external.
The other change from the Cisco prestandard implementation is that the CIST regional root switch ID field
is now inserted where an RSTP or legacy IEEE 802.1Q switch has the sender switch ID. The whole region
performs like a single virtual switch by sending a consistent sender switch ID to neighboring switches. In this
example, switch C would receive a BPDU with the same consistent sender switch ID of root, whether or not
A or B is designated for the segment.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
229
Information About MSTP
Assume that A is a standard switch and B a prestandard switch, both configured to be in the same region. A
is the root switch for the CIST, and B has a root port (BX) on segment X and an alternate port (BY) on segment
Y. If segment Y flaps, and the port on BY becomes the alternate before sending out a single prestandard
BPDU, AY cannot detect that a prestandard switch is connected to Y and continues to send standard BPDUs.
The port BY is fixed in a boundary, and no load balancing is possible between A and B. The same problem
exists on segment X, but B might transmit topology changes.
Figure 13: Standard and Prestandard Switch Interoperation
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
230
Information About MSTP
Note We recommend that you minimize the interaction between standard and prestandard MST implementations.
This figure illustrates a unidirectional link failure that typically creates a bridging loop. Switch A is the root
switch, and its BPDUs are lost on the link leading to switch B. RSTP and MST BPDUs include the role and
state of the sending port. With this information, switch A can detect that switch B does not react to the superior
BPDUs it sends and that switch B is the designated, not root switch. As a result, switch A blocks (or keeps
blocking) its port, which prevents the bridging loop.
Figure 14: Detecting Unidirectional Link Failure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
231
Information About MSTP
When a stack member leaves the stack, spanning-tree reconvergence occurs within the stack (and possibly
outside the stack). The remaining stack member with the lowest stack port ID becomes the stack root.
If the stack master fails or leaves the stack, the stack members elect a new stack master, and all stack members
change their switch IDs of the spanning trees to the new master switch ID.
RSTP Overview
The RSTP takes advantage of point-to-point wiring and provides rapid convergence of the spanning tree.
Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with the default
settings in the IEEE 802.1D spanning tree).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
232
Information About MSTP
A port with the root or a designated port role is included in the active topology. A port with the alternate or
backup port role is excluded from the active topology.
In a stable topology with consistent port roles throughout the network, the RSTP ensures that every root port
and designated port immediately transition to the forwarding state while all alternate and backup ports are
always in the discarding state (equivalent to blocking in IEEE 802.1D). The port state controls the operation
of the forwarding and learning processes.
Operational Status STP Port State RSTP Port State Is Port Included in the Active
(IEEE 802.1D) Topology?
Enabled Blocking Discarding No
To be consistent with Cisco STP implementations, this guide defines the port state as blocking instead of
discarding. Designated ports start in the listening state.
Rapid Convergence
The RSTP provides for rapid recovery of connectivity following the failure of a switch, a switch port, or a
LAN. It provides rapid convergence for edge ports, new root ports, and ports connected through point-to-point
links as follows:
• Edge ports—If you configure a port as an edge port on an RSTP switch by using the spanning-tree
portfast interface configuration command, the edge port immediately transitions to the forwarding state.
An edge port is the same as a Port Fast-enabled port, and you should enable it only on ports that connect
to a single end station.
• Root ports—If the RSTP selects a new root port, it blocks the old root port and immediately transitions
the new root port to the forwarding state.
• Point-to-point links—If you connect a port to another port through a point-to-point link and the local
port becomes a designated port, it negotiates a rapid transition with the other port by using the
proposal-agreement handshake to ensure a loop-free topology.
Switch A is connected to Switch B through a point-to-point link, and all of the ports are in the blocking
state. Assume that the priority of Switch A is a smaller numerical value than the priority of Switch B.
Switch A sends a proposal message (a configuration BPDU with the proposal flag set) to Switch B,
proposing itself as the designated switch.
After receiving the proposal message, Switch B selects as its new root port the port from which the
proposal message was received, forces all nonedge ports to the blocking state, and sends an agreement
message (a BPDU with the agreement flag set) through its new root port.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
233
Information About MSTP
After receiving Switch B’s agreement message, Switch A also immediately transitions its designated
port to the forwarding state. No loops in the network are formed because Switch B blocked all of its
nonedge ports and because there is a point-to-point link between Switches A and B.
When Switch C is connected to Switch B, a similar set of handshaking messages are exchanged. Switch
C selects the port connected to Switch B as its root port, and both ends immediately transition to the
forwarding state. With each iteration of this handshaking process, one more switch joins the active
topology. As the network converges, this proposal-agreement handshaking progresses from the root
toward the leaves of the spanning tree.
In a switch stack, the cross-stack rapid transition (CSRT) feature ensures that a stack member receives
acknowledgments from all stack members during the proposal-agreement handshaking before moving
the port to the forwarding state. CSRT is automatically enabled when the switch is in MST mode.
The switch learns the link type from the port duplex mode: a full-duplex port is considered to have a
point-to-point connection; a half-duplex port is considered to have a shared connection. You can override
the default setting that is controlled by the duplex setting by using the spanning-tree link-type interface
configuration command.
Figure 15: Proposal and Agreement Handshaking for Rapid Convergence
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
234
Information About MSTP
If a designated port is in the forwarding state and is not configured as an edge port, it transitions to the blocking
state when the RSTP forces it to synchronize with new root information. In general, when the RSTP forces a
port to synchronize with root information and the port does not satisfy any of the above conditions, its port
state is set to blocking.
After ensuring that all of the ports are synchronized, the switch sends an agreement message to the designated
switch corresponding to its root port. When the switches connected by a point-to-point link are in agreement
about their port roles, the RSTP immediately transitions the port states to forwarding.
Figure 16: Sequence of Events During Rapid Convergence
The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version is
set to 2. A new 1-byte Version 1 Length field is set to zero, which means that no version 1 protocol information
is present.
Bit Function
0 Topology change (TC)
1 Proposal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
235
Information About MSTP
Bit Function
4 Learning
5 Forwarding
6 Agreement
The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on
that LAN. The port role in the proposal message is always set to the designated port.
The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal. The port role
in the agreement message is always set to the root port.
The RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology change
(TC) flag to show the topology changes. However, for interoperability with IEEE 802.1D switches, the RSTP
switch processes and generates TCN BPDUs.
The learning and forwarding flags are set according to the state of the sending port.
Topology Changes
This section describes the differences between the RSTP and the IEEE 802.1D in handling spanning-tree
topology changes.
• Detection—Unlike IEEE 802.1D in which any transition between the blocking and the forwarding state
causes a topology change, only transitions from the blocking to the forwarding state cause a topology
change with RSTP (only an increase in connectivity is considered a topology change). State changes on
an edge port do not cause a topology change. When an RSTP switch detects a topology change, it deletes
the learned information on all of its nonedge ports except on those from which it received the TC
notification.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
236
Information About MSTP
• Notification—Unlike IEEE 802.1D, which uses TCN BPDUs, the RSTP does not use them. However,
for IEEE 802.1D interoperability, an RSTP switch processes and generates TCN BPDUs.
• Acknowledgement—When an RSTP switch receives a TCN message on a designated port from an IEEE
802.1D switch, it replies with an IEEE 802.1D configuration BPDU with the TCA bit set. However, if
the TC-while timer (the same as the topology-change timer in IEEE 802.1D) is active on a root port
connected to an IEEE 802.1D switch and a configuration BPDU with the TCA bit set is received, the
TC-while timer is reset.
This behavior is only required to support IEEE 802.1D switches. The RSTP BPDUs never have the TCA
bit set.
• Propagation—When an RSTP switch receives a TC message from another switch through a designated
or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding
the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the
information learned on them.
• Protocol migration—For backward compatibility with IEEE 802.1D switches, RSTP selectively sends
IEEE 802.1D configuration BPDUs and TCN BPDUs on a per-port basis.
When a port is initialized, the migrate-delay timer is started (specifies the minimum time during which
RSTP BPDUs are sent), and RSTP BPDUs are sent. While this timer is active, the switch processes all
BPDUs received on that port and ignores the protocol type.
If the switch receives an IEEE 802.1D BPDU after the port migration-delay timer has expired, it assumes
that it is connected to an IEEE 802.1D switch and starts using only IEEE 802.1D BPDUs. However, if
the RSTP switch is using IEEE 802.1D BPDUs on a port and receives an RSTP BPDU after the timer
has expired, it restarts the timer and starts using RSTP BPDUs on that port.
Related Topics
Restarting the Protocol Migration Process , on page 255
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
237
Information About MSTP
Spanning-tree port cost (configurable on a per-CIST port basis) 1000 Mb/s: 20000
100 Mb/s: 20000
10 Mb/s: 20000
1000 Mb/s: 20000
100 Mb/s: 20000
10 Mb/s: 20000
Related Topics
Supported Spanning-Tree Instances, on page 205
Specifying the MST Region Configuration and Enabling MSTP , on page 241
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
238
Information About MSTP
Note We recommend that you put the root bridge for all STP instances in the MST region.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
239
Information About MSTP
For example, in the figure below, Switch A is the root bridge and Switch B is the designated port. BPDUs
from Switch A are lost on the link leading to switch B.
Since Rapid PVST+ (802.1w) and MST BPDUs include the role and state of the sending port, Switch A detects
(from the inferior BPDU), that switch B does not react to the superior BPDUs it sends, because switch B has
the role of a designated port and not the root bridge. As a result, switch A blocks (or keeps blocking) its port,
thus preventing the bridging loop.
Note these guidelines and limitations relating to the dispute mechanism:
• It works only on switches running RSTP or MST (the dispute mechanism requires reading the role and
state of the port initiating BPDUs).
• It may result in loss of connectivity. For example, in the figure below, Bridge A cannot transmit on the
port it elected as a root port. As a result of this situation, there is loss of connectivity (r1 and r2 are
designated, a1 is root and a2 is alternate. There is only a one way connectivity between A and R).
• It may cause permanent bridging loops on shared segments. For example, in the figure below, suppose
that bridge R has the best priority, and that port b1 cannot receive any traffic from the shared segment
1 and sends inferior designated information on segment 1. Both r1 and a1 can detect this inconsistency.
However, with the current dispute mechanism, only r1 will revert to discarding while the root port a1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
240
How to Configure MSTP Features
opens a permanent loop. However, this problem does not occur in Layer 2 switched networks that are
connected by point-to-point links.
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
241
How to Configure MSTP Features
Example:
Switch(config)# spanning-tree
mst configuration
Step 5 name name Specifies the configuration name. The name string has a
maximum length of 32 characters and is case sensitive.
Example:
Switch(config-mst)# name
region1
Step 6 revision version Specifies the configuration revision number. The range is
0 to 65535.
Example:
Switch(config-mst)# revision 1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
242
How to Configure MSTP Features
Example:
Switch(config)# end
Related Topics
MSTP Configuration Guidelines, on page 223
Multiple Spanning-Tree Regions, on page 225
Prerequisites for MSTP, on page 221
Restrictions for MSTP, on page 222
Spanning-Tree Interoperability and Backward Compatibility, on page 206
Optional Spanning-Tree Configuration Guidelines
BackboneFast, on page 270
UplinkFast, on page 266
Default MSTP Configuration, on page 237
Configuring the Root Switch , on page 243
Restrictions for MSTP, on page 222
Bridge ID, Device Priority, and Extended System ID, on page 198
Configuring a Secondary Root Switch , on page 244
Configuring Port Priority , on page 246
Configuring Path Cost , on page 247
Configuring the Switch Priority , on page 249
Configuring the Hello Time , on page 250
Configuring the Forwarding-Delay Time , on page 251
Configuring the Maximum-Aging Time , on page 252
Configuring the Maximum-Hop Count , on page 252
Specifying the Link Type to Ensure Rapid Transitions , on page 253
Designating the Neighbor Type , on page 254
Restarting the Protocol Migration Process , on page 255
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
243
How to Configure MSTP Features
Procedure
Example:
Switch# configure terminal
Step 3 spanning-tree mst instance-id root Configures a switch as the root switch.
primary
• For instance-id, you can specify a single
instance, a range of instances separated by a
Example: hyphen, or a series of instances separated by a
Switch(config)# spanning-tree mst comma. The range is 0 to 4094.
0 root primary
Example:
Switch(config)# end
Related Topics
Root Switch, on page 224
Specifying the MST Region Configuration and Enabling MSTP , on page 241
Restrictions for MSTP, on page 222
Bridge ID, Device Priority, and Extended System ID, on page 198
Configuring a Secondary Root Switch , on page 244
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
244
How to Configure MSTP Features
the specified instance if the primary root switch fails. This is assuming that the other network switches use
the default switch priority of 32768 and therefore are unlikely to become the root switch.
You can execute this command on more than one switch to configure multiple backup root switches. Use the
same network diameter and hello-time values that you used when you configured the primary root switch
with the spanning-tree mst instance-id root primary global configuration command.
This procedure is optional.
Procedure
Example:
Switch# configure terminal
Step 3 spanning-tree mst instance-id root Configures a switch as the secondary root switch.
secondary
• For instance-id, you can specify a single
instance, a range of instances separated by a
Example: hyphen, or a series of instances separated by a
Switch(config)# spanning-tree mst comma. The range is 0 to 4094.
0 root secondary
Example:
Switch(config)# end
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 241
Configuring the Root Switch , on page 243
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
245
How to Configure MSTP Features
Note If the switch is a member of a switch stack, you must use the spanning-tree mst [instance-id] cost cost
interface configuration command instead of the spanning-tree mst [instance-id] port-priority priority
interface configuration command to select a port to put in the forwarding state. Assign lower cost values
to ports that you want selected first and higher cost values to ports that you want selected last. For more
information, see the path costs topic listed under Related Topics.
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
246
How to Configure MSTP Features
Example:
Switch(config-if)# end
The show spanning-tree mst interface interface-id privileged EXEC command displays information only
if the port is in a link-up operative state. Otherwise, you can use the show running-config interface privileged
EXEC command to confirm the configuration.
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 241
Configuring Path Cost , on page 247
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
247
How to Configure MSTP Features
Procedure
Example:
Switch# configure terminal
Example:
Switch(config-if)# end
The show spanning-tree mst interface interface-id privileged EXEC command displays information only
for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged
EXEC command to confirm the configuration.
Related Topics
Configuring Port Priority , on page 246
Specifying the MST Region Configuration and Enabling MSTP , on page 241
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
248
How to Configure MSTP Features
Note Exercise care when using this command. For normal network configurations, we recommend that you use
the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary
global configuration commands to specify a switch as the root or secondary root switch. You should
modify the switch priority only in circumstances where these commands do not work.
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
249
How to Configure MSTP Features
Example:
Switch(config-if)# end
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 241
Procedure
Example:
Switch# configure terminal
Step 3 spanning-tree mst hello-time seconds Configures the hello time for all MST instances. The
hello time is the time interval between configuration
Example: messages generated and sent by the root switch. These
messages indicate that the switch is alive.
Switch(config)# spanning-tree mst
hello-time 4 For seconds, the range is 1 to 10; the default is 3.
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
250
How to Configure MSTP Features
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 241
Procedure
Example:
Switch# configure terminal
Step 3 spanning-tree mst forward-time Configures the forward time for all MST instances.
seconds The forwarding delay is the number of seconds a port
waits before changing from its spanning-tree learning
Example: and listening states to the forwarding state.
Switch(config)# spanning-tree mst For seconds, the range is 4 to 30; the default is 20.
forward-time 25
Example:
Switch(config)# end
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 241
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
251
How to Configure MSTP Features
Procedure
Example:
Switch# configure terminal
Step 3 spanning-tree mst max-age seconds Configures the maximum-aging time for all MST
instances. The maximum-aging time is the number of
Example: seconds a switch waits without receiving spanning-tree
configuration messages before attempting a
Switch(config)# spanning-tree mst reconfiguration.
max-age 40
For seconds, the range is 6 to 40; the default is 20.
Example:
Switch(config)# end
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 241
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
252
How to Configure MSTP Features
Procedure
Example:
Switch# configure terminal
Step 3 spanning-tree mst max-hops hop-count Specifies the number of hops in a region before the
BPDU is discarded, and the information held for a
Example: port is aged.
Switch(config)# spanning-tree mst For hop-count, the range is 1 to 255; the default is
max-hops 25 20.
Example:
Switch(config)# end
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 241
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
253
How to Configure MSTP Features
You must also know the specified MST instance ID and the interface used. This example uses 0 as the instance
ID and GigabitEthernet1/0/1 as the interface because that was the instance ID and interface set up by the
instructions listed under Related Topics.
Procedure
Example:
Switch# configure terminal
Step 4 spanning-tree link-type point-to-point Specifies that the link type of a port is
point-to-point.
Example:
Switch(config-if)# spanning-tree
link-type point-to-point
Example:
Switch(config-if)# end
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 241
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
254
How to Configure MSTP Features
Procedure
Example:
Switch# configure terminal
Switch(config)# interface
GigabitEthernet1/0/1
Step 4 spanning-tree mst pre-standard Specifies that the port can send only prestandard
BPDUs.
Example:
Switch(config-if)# spanning-tree mst
pre-standard
Example:
Switch(config-if)# end
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 241
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
255
How to Configure MSTP Features
Procedure
Step 2 Enter one of the following commands: The switch reverts to the MSTP mode,
and the protocol migration process
• clear spanning-tree detected-protocols restarts.
• clear spanning-tree detected-protocols interface
interface-id
Example:
Switch# clear spanning-tree detected-protocols
or
Switch# clear spanning-tree detected-protocols
interface GigabitEthernet1/0/1
What to Do Next
This procedure may need to be repeated if the switch receives more legacy IEEE 802.1D configuration BPDUs
(BPDUs with the protocol version set to 0).
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 241
Protocol Migration Process, on page 237
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
256
How to Configure MSTP Features
Procedure
Example:
Switch# configure terminal
Step 3 spanning-tree mst simulate pvst global Enables PVST+ simulation globally.
To prevent the switch from automatically
Example: interoperating with a connecting switch that is
Switch(config)# spanning-tree mst running Rapid PVST+, enter the no version of the
simulate pvst global command.
Example:
Switch(config)# end
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
257
Examples
Example:
Switch(config)# interface gi1/0/1
Step 4 spanning-tree mst simulate pvst Enables PVST+ simulation on the specified
interface.
Example: To prevent a specified interface from
Switch(config-if)# spanning-tree mst automatically interoperating with a connecting
simulate pvst switch that is not running MST, enter the
spanning-tree mst simulate pvst disable
command.
Example:
Switch(config)# end
Example:
Switch# show spanning-tree summary
Examples
This example shows how to prevent a port from automatically interoperating with a connecting device that
is running Rapid PVST+:
Switch(config)# interface1/0/1
Switch(config-if)# spanning-tree mst simulate pvst disable
The following sample output shows the system message you receive when a SSTP BPDU is received on a
port and PVST+ simulation is disabled:
Message
SPANTREE_PVST_PEER_BLOCK: PVST BPDU detected on port %s [port number].
Severity
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
258
Examples
Critical
Explanation
A PVST+ peer was detected on the specified interface on the switch. PVST+
simulation feature is disabled, as a result of which the interface was
moved to the spanning tree
Blocking state.
Action
Identify the PVST+ switch from the network which might be configured
incorrectly.
The following sample output shows the system message you receive when peer inconsistency on the interface
is cleared:
Message
SPANTREE_PVST_PEER_UNBLOCK: Unblocking port %s [port number].
Severity
Critical
Explanation
The interface specified in the error message has been restored to normal
spanning tree state.
Action
None.
This example shows the spanning tree status when port 1/0/1 has been configured to disable PVST+ simulation
and is currently in the peer type inconsistent state:
This example shows the spanning tree summary when PVST+ simulation is enabled in the MSTP mode:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
259
Examples
MST0 2 0 0 0 2
---------------------- -------- --------- -------- ---------- ----------
1 mst 2 0 0 0 2
This example shows the spanning tree summary when PVST+ simulation is disabled in any STP mode:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
260
Examples
This example shows the interface details when PVST+ simulation is globally disabled:
Switch# show spanning-tree interface1/0/1 detail
Port 269 (GigabitEthernet1/0/1) of VLAN0002 is forwarding
Port path cost 4, Port priority 128, Port Identifier 128.297.
Designated root has priority 32769, address 0013.5f20.01c0
Designated bridge has priority 32769, address 0013.5f20.01c0
Designated port id is 128.297, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
PVST Simulation is disabled by default
BPDU: sent 132, received 1
This example shows the interface details when PVST+ simulation is explicitly enabled on the port:
Switch# show spanning-tree interface1/0/1 detail
Port 269 (GigabitEthernet1/0/1) of VLAN0002 is forwarding
Port path cost 4, Port priority 128, Port Identifier 128.297.
Designated root has priority 32769, address 0013.5f20.01c0
Designated bridge has priority 32769, address 0013.5f20.01c0
Designated port id is 128.297, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
PVST Simulation is enabled
BPDU: sent 132, received 1
This example shows the interface details when the PVST+ simulation feature is disabled and a PVST Peer
inconsistency has been detected on the port:
This example shows the interface details when a dispute condition is detected:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
261
Monitoring MST Configuration and Status
show spanning-tree mst configuration Displays the MD5 digest included in the current MSTCI.
digest
show spanning-tree mst Displays MST information for the all instances.
Note This command displays information for ports in a link-up
operative state.
show spanning-tree mst instance-id Displays MST information for the specified instance.
Note This command displays information only if the port is
in a link-up operative state.
show spanning-tree mst interface Displays MST information for the specified interface.
interface-id
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
262
CHAPTER 17
Configuring Optional Spanning-Tree Features
• Finding Feature Information, page 263
• Restriction for Optional Spanning-Tree Features, page 263
• Information About Optional Spanning-Tree Features, page 264
• How to Configure Optional Spanning-Tree Features, page 278
• Examples, page 293
• Monitoring the Spanning-Tree Status, page 295
• Feature Information for Optional Spanning-Tree Features, page 296
Related Topics
Enabling PortFast , on page 278
PortFast, on page 264
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
263
Information About Optional Spanning-Tree Features
PortFast
PortFast immediately brings an interface configured as an access or trunk port to the forwarding state from a
blocking state, bypassing the listening and learning states.
You can use PortFast on interfaces connected to a single workstation or server to allow those devices to
immediately connect to the network, rather than waiting for the spanning tree to converge.
Figure 20: PortFast-Enabled Interfaces
Interfaces connected to a single workstation or server should not receive bridge protocol data units (BPDUs).
An interface with PortFast enabled goes through the normal cycle of spanning-tree status changes when the
switch is restarted.
You can enable this feature by enabling it on either the interface or on all nontrunking ports.
Related Topics
Enabling PortFast , on page 278
Restriction for Optional Spanning-Tree Features, on page 263
BPDU Guard
The Bridge Protocol Data Unit (BPDU) guard feature can be globally enabled on the switch or can be enabled
per port, but the feature operates with some differences.
When you enable BPDU guard at the global level on PortFast edge-enabled ports, spanning tree shuts down
ports that are in a PortFast edge-operational state if any BPDU is received on them. In a valid configuration,
PortFast edge-enabled ports do not receive BPDUs. Receiving a BPDU on a Port Fast edge-enabled port
means an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature
puts the port in the error-disabled state. When this happens, the switch shuts down the entire port on which
the violation occurred.
When you enable BPDU guard at the interface level on any port without also enabling the PortFast edge
feature, and the port receives a BPDU, it is put in the error-disabled state.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
264
Information About Optional Spanning-Tree Features
The BPDU guard feature provides a secure response to invalid configurations because you must manually
put the interface back in service. Use the BPDU guard feature in a service-provider network to prevent an
access port from participating in the spanning tree.
Related Topics
Enabling BPDU Guard , on page 279
BPDU Filtering
The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface, but the
feature operates with some differences.
Enabling BPDU filtering on PortFast edge-enabled interfaces at the global level keeps those interfaces that
are in a PortFast edge-operational state from sending or receiving BPDUs. The interfaces still send a few
BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU
filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received
on a PortFast edge-enabled interface, the interface loses its PortFast edge-operational status, and BPDU
filtering is disabled.
Enabling BPDU filtering on an interface without also enabling the PortFast edge feature keeps the interface
from sending or receiving BPDUs.
Caution Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in
spanning-tree loops.
You can enable the BPDU filtering feature for the entire switch or for an interface.
Related Topics
Enabling BPDU Filtering , on page 281
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
265
Information About Optional Spanning-Tree Features
UplinkFast
Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access
switches. This complex network has distribution switches and access switches that each have at least one
redundant link that spanning tree blocks to prevent loops.
Figure 21: Switches in a Hierarchical Network
If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new
root port. You can accelerate the choice of a new root port when a link or switch fails or when the spanning
tree reconfigures itself by enabling UplinkFast. The root port transitions to the forwarding state immediately
without going through the listening and learning states, as it would with the normal spanning-tree procedures.
When the spanning tree reconfigures the new root port, other interfaces flood the network with multicast
packets, one for each address that was learned on the interface. You can limit these bursts of multicast traffic
by reducing the max-update-rate parameter (the default for this parameter is 150 packets per second). However,
if you enter zero, station-learning frames are not generated, so the spanning-tree topology converges more
slowly after a loss of connectivity.
Note UplinkFast is most useful in wiring-closet switches at the access or edge of the network. It is not appropriate
for backbone devices. This feature might not be useful for other types of applications.
UplinkFast provides fast convergence after a direct link failure and achieves load-balancing between redundant
Layer 2 links using uplink groups. An uplink group is a set of Layer 2 interfaces (per VLAN), only one of
which is forwarding at any given time. Specifically, an uplink group consists of the root port (which is
forwarding) and a set of blocked ports, except for self-looping ports. The uplink group provides an alternate
path in case the currently forwarding link fails.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
266
Information About Optional Spanning-Tree Features
This topology has no link failures. Switch A, the root switch, is connected directly to Switch B over link L1
and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in
a blocking state.
Figure 22: UplinkFast Example Before Direct Link Failure
If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast
unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through
the listening and learning states. This change takes approximately 1 to 5 seconds.
Figure 23: UplinkFast Example After Direct Link Failure
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 241
MSTP Configuration Guidelines, on page 223
Multiple Spanning-Tree Regions, on page 225
Enabling UplinkFast for Use with Redundant Links , on page 282
Events That Cause Fast Convergence, on page 270
Cross-Stack UplinkFast
Cross-Stack UplinkFast (CSUF) provides a fast spanning-tree transition (fast convergence in less than 1 second
under normal network conditions) across a switch stack. During the fast transition, an alternate redundant link
on the switch stack is placed in the forwarding state without causing temporary spanning-tree loops or loss
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
267
Information About Optional Spanning-Tree Features
of connectivity to the backbone. With this feature, you can have a redundant and resilient network in some
configurations. CSUF is automatically enabled when you enable the UplinkFast feature.
CSUF might not provide a fast transition all the time; in these cases, the normal spanning-tree transition
occurs, completing in 30 to 40 seconds. For more information, see Related Topics.
Related Topics
Enabling UplinkFast for Use with Redundant Links , on page 282
Events That Cause Fast Convergence, on page 270
The stack-root port on Switch 1 provides the path to the root of the spanning tree. The alternate stack-root
ports on Switches 2 and 3 can provide an alternate path to the spanning-tree root if the current stack-root
switch fails or if its link to the spanning-tree root fails.
Link 1, the root link, is in the spanning-tree forwarding state. Links 2 and 3 are alternate redundant links that
are in the spanning-tree blocking state. If Switch 1 fails, if its stack-root port fails, or if Link 1 fails, CSUF
selects either the alternate stack-root port on Switch 2 or Switch 3 and puts it into the forwarding state in less
than 1 second.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
268
Information About Optional Spanning-Tree Features
When certain link loss or spanning-tree events occur (described in the following topic), the Fast Uplink
Transition Protocol uses the neighbor list to send fast-transition requests to stack members.
The switch sending the fast-transition request needs to do a fast transition to the forwarding state of a port
that it has chosen as the root port, and it must obtain an acknowledgment from each stack switch before
performing the fast transition.
Each switch in the stack decides if the sending switch is a better choice than itself to be the stack root of this
spanning-tree instance by comparing the root, cost, and bridge ID. If the sending switch is the best choice as
the stack root, each switch in the stack returns an acknowledgment; otherwise, it sends a fast-transition request.
The sending switch then has not received acknowledgments from all stack switches.
When acknowledgments are received from all stack switches, the Fast Uplink Transition Protocol on the
sending switch immediately transitions its alternate stack-root port to the forwarding state. If acknowledgments
from all stack switches are not obtained by the sending switch, the normal spanning-tree transitions (blocking,
listening, learning, and forwarding) take place, and the spanning-tree topology converges at its normal rate
(2 * forward-delay time + max-age time).
The Fast Uplink Transition Protocol is implemented on a per-VLAN basis and affects only one spanning-tree
instance at a time.
Related Topics
Enabling UplinkFast for Use with Redundant Links , on page 282
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
269
Information About Optional Spanning-Tree Features
Note The fast transition might not occur if multiple events occur simultaneously. For example,
if a stack member is powered off, and at the same time, the link connecting the stack
root to the spanning-tree root comes back up, the normal spanning-tree convergence
occurs.
Related Topics
Enabling UplinkFast for Use with Redundant Links , on page 282
UplinkFast, on page 266
Cross-Stack UplinkFast, on page 267
How Cross-Stack UplinkFast Works, on page 268
BackboneFast
BackboneFast detects indirect failures in the core of the backbone. BackboneFast is a complementary technology
to the UplinkFast feature, which responds to failures on links directly connected to access switches.
BackboneFast optimizes the maximum-age timer, which controls the amount of time the switch stores protocol
information received on an interface. When a switch receives an inferior BPDU from the designated port of
another switch, the BPDU is a signal that the other switch might have lost its path to the root, and BackboneFast
tries to find an alternate path to the root.
BackboneFast starts when a root port or blocked interface on a switch receives inferior BPDUs from its
designated switch. An inferior BPDU identifies a switch that declares itself as both the root bridge and the
designated switch. When a switch receives an inferior BPDU, it means that a link to which the switch is not
directly connected (an indirect link) has failed (that is, the designated switch has lost its connection to the root
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
270
Information About Optional Spanning-Tree Features
switch). Under spanning-tree rules, the switch ignores inferior BPDUs for the maximum aging time (default
is 20 seconds).
The switch tries to find if it has an alternate path to the root switch. If the inferior BPDU arrives on a blocked
interface, the root port and other blocked interfaces on the switch become alternate paths to the root switch.
(Self-looped ports are not considered alternate paths to the root switch.) If the inferior BPDU arrives on the
root port, all blocked interfaces become alternate paths to the root switch. If the inferior BPDU arrives on the
root port and there are no blocked interfaces, the switch assumes that it has lost connectivity to the root switch,
causes the maximum aging time on the root port to expire, and becomes the root switch according to normal
spanning-tree rules.
If the switch has alternate paths to the root switch, it uses these alternate paths to send a root link query (RLQ)
request. The switch sends the RLQ request on all alternate paths to learn if any stack member has an alternate
root to the root switch and waits for an RLQ reply from other switches in the network and in the stack. The
switch sends the RLQ request on all alternate paths and waits for an RLQ reply from other switches in the
network.
When a stack member receives an RLQ reply from a nonstack member on a blocked interface and the reply
is destined for another nonstacked switch, it forwards the reply packet, regardless of the spanning-tree interface
state.
When a stack member receives an RLQ reply from a nonstack member and the response is destined for the
stack, the stack member forwards the reply so that all the other stack members receive it.
If the switch discovers that it still has an alternate path to the root, it expires the maximum aging time on the
interface that received the inferior BPDU. If all the alternate paths to the root switch indicate that the switch
has lost connectivity to the root switch, the switch expires the maximum aging time on the interface that
received the RLQ reply. If one or more alternate paths can still connect to the root switch, the switch makes
all interfaces on which it received an inferior BPDU its designated ports and moves them from the blocking
state (if they were in the blocking state), through the listening and learning states, and into the forwarding
state.
This is an example topology with no link failures. Switch A, the root switch, connects directly to Switch B
over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that connects directly to Switch
B is in the blocking state.
Figure 25: BackboneFast Example Before Indirect Link Failure
If link L1 fails, Switch C cannot detect this failure because it is not connected directly to link L1. However,
because Switch B is directly connected to the root switch over L1, it detects the failure, elects itself the root,
and begins sending BPDUs to Switch C, identifying itself as the root. When Switch C receives the inferior
BPDUs from Switch B, Switch C assumes that an indirect failure has occurred. At that point, BackboneFast
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
271
Information About Optional Spanning-Tree Features
allows the blocked interface on Switch C to move immediately to the listening state without waiting for the
maximum aging time for the interface to expire. BackboneFast then transitions the Layer 2 interface on
Switch C to the forwarding state, providing a path from Switch B to Switch A. The root-switch election takes
approximately 30 seconds, twice the Forward Delay time if the default Forward Delay time of 15 seconds is
set. BackboneFast reconfigures the topology to account for the failure of link L1.
Figure 26: BackboneFast Example After Indirect Link Failure
If a new switch is introduced into a shared-medium topology, BackboneFast is not activated because the
inferior BPDUs did not come from the recognized designated switch (Switch B). The new switch begins
sending inferior BPDUs that indicate it is the root switch. However, the other switches ignore these inferior
BPDUs, and the new switch learns that Switch B is the designated switch to Switch A, the root switch.
Figure 27: Adding a Switch in a Shared-Medium Topology
Related Topics
Specifying the MST Region Configuration and Enabling MSTP , on page 241
MSTP Configuration Guidelines, on page 223
Multiple Spanning-Tree Regions, on page 225
Enabling BackboneFast , on page 284
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
272
Information About Optional Spanning-Tree Features
EtherChannel Guard
You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a
connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel,
but the interfaces on the other device are not. A misconfiguration can also occur if the channel parameters are
not the same at both ends of the EtherChannel.
If the switch detects a misconfiguration on the other device, EtherChannel guard places the switch interfaces
in the error-disabled state, and displays an error message.
Related Topics
Enabling EtherChannel Guard , on page 285
Root Guard
The Layer 2 network of a service provider (SP) can include many connections to switches that are not owned
by the SP. In such a topology, the spanning tree can reconfigure itself and select a customer switch as the root
switch. You can avoid this situation by enabling root guard on SP switch interfaces that connect to switches
in your customer’s network. If spanning-tree calculations cause an interface in the customer network to be
selected as the root port, root guard then places the interface in the root-inconsistent (blocked) state to prevent
the customer’s switch from becoming the root switch or being in the path to the root.
Figure 28: Root Guard in a Service-Provider Network
If a switch outside the SP network becomes the root switch, the interface is blocked (root-inconsistent state),
and spanning tree selects a new root switch. The customer’s switch does not become the root switch and is
not in the path to the root.
If the switch is operating in multiple spanning-tree (MST) mode, root guard forces the interface to be a
designated port. If a boundary port is blocked in an internal spanning-tree (IST) instance because of root
guard, the interface also is blocked in all MST instances. A boundary port is an interface that connects to a
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
273
Information About Optional Spanning-Tree Features
LAN, the designated switch of which is either an IEEE 802.1D switch or a switch with a different MST region
configuration.
Root guard enabled on an interface applies to all the VLANs to which the interface belongs. VLANs can be
grouped and mapped to an MST instance.
Caution Misuse of the root guard feature can cause a loss of connectivity.
Related Topics
Enabling Root Guard , on page 286
Loop Guard
You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure
that leads to a unidirectional link. This feature is most effective when it is enabled on the entire switched
network. Loop guard prevents alternate and root ports from becoming designated ports, and spanning tree
does not send BPDUs on root or alternate ports.
When the switch is operating in PVST+ or rapid-PVST+ mode, loop guard prevents alternate and root ports
from becoming designated ports, and spanning tree does not send BPDUs on root or alternate ports.
When the switch is operating in MST mode, BPDUs are not sent on nonboundary ports only if the interface
is blocked by loop guard in all MST instances. On a boundary port, loop guard blocks the interface in all MST
instances.
Related Topics
Enabling Loop Guard , on page 288
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
274
Information About Optional Spanning-Tree Features
Note If you configure a port connected to a Layer 2 switch or bridge as an edge port, you
might create a bridging loop.
• A PortFast network port—is connected only to a Layer 2 switch or bridge. Bridge Assurance is enabled
only on PortFast network ports. For more information, refer to Bridge Assurance.
Note If you configure a port that is connected to a Layer 2 host as a spanning tree network
port, the port will automatically move into the blocking state.
Note Beginning with Cisco IOS Release 15.2(4)E, or IOS XE 3.8.0E, if you enter the
spanning-tree portfast [trunk] command in the global or interface configuration mode,
the system automatically saves it as spanning-tree portfast edge [trunk].
Related Topics
Enabling PortFast Port Types, on page 289
Bridge Assurance
You can use Bridge Assurance to help prevent looping conditions that are caused by unidirectional links
(one-way traffic on a link or port), or a malfunction in a neighboring switch. Here a malfunction refers to a
switch that is not able to run STP any more, while still forwarding traffic (a brain dead switch).
BPDUs are sent out on all operational network ports, including alternate and backup ports, for each hello time
period. Bridge Assurance monitors the receipt of BPDUs on point-to-point links on all network ports. When
a port does not receive BPDUs within the alloted hello time period, the port is put into a blocked state (the
same as a port inconsistent state, which stops forwarding of frames). When the port resumes receipt of BPDUs,
the port resumes normal spanning tree operations.
Note Only Rapid PVST+ and MST spanning tree protocols support Bridge Assurance. PVST+ does not support
Bridge Assurance.
The following example shows how Bridge Assurance protects your network from bridging loops.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
275
Information About Optional Spanning-Tree Features
The following figure demonstrates a potential network problem when the device fails (brain dead) and Bridge
Assurance is not enabled on the network.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
276
Information About Optional Spanning-Tree Features
The following figure shows the network with Bridge Assurance enabled, and the STP topology progressing
normally with bidirectional BDPUs issuing from every STP network port.
The following figure shows how the potential network problem shown in figure Network Loop Due to a
Malfunctioning Switch does not occur when you have Bridge Assurance enabled on your network.
The system generates syslog messages when a port is block and unblocked. The following sample output
shows the log that is generated for each of these states:
BRIDGE_ASSURANCE_BLOCK
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
277
How to Configure Optional Spanning-Tree Features
Related Topics
Enabling Bridge Assurance, on page 292
Enabling PortFast
An interface with the PortFast feature enabled is moved directly to the spanning-tree forwarding state without
waiting for the standard forward-time delay.
If you enable the voice VLAN feature, the PortFast feature is automatically enabled. When you disable voice
VLAN, the PortFast feature is not automatically disabled.
You can enable this feature if your switch is running PVST+, Rapid PVST+, or MSTP.
Caution Use PortFast only when connecting a single end station to an access or trunk port. Enabling this feature
on an interface connected to a switch or hub could prevent spanning tree from detecting and disabling
loops in your network, which could cause broadcast storms and address-learning problems.
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
278
How to Configure Optional Spanning-Tree Features
Example:
Switch# configure terminal
Step 4 spanning-tree portfast [trunk] Enables PortFast on an access port connected to a single
workstation or server.
Example: By specifying the trunk keyword, you can enable PortFast
Switch(config-if)# on a trunk port.
spanning-tree portfast trunk
Note To enable PortFast on trunk ports, you must use
the spanning-tree portfast trunk interface
configuration command. The spanning-tree
portfast command will not work on trunk ports.
Make sure that there are no loops in the network
between the trunk port and the workstation or
server before you enable PortFast on a trunk port.
By default, PortFast is disabled on all interfaces.
Example:
Switch(config-if)# end
What to Do Next
You can use the spanning-tree portfast default global configuration command to globally enable the PortFast
feature on all nontrunking ports.
Related Topics
PortFast, on page 264
Restriction for Optional Spanning-Tree Features, on page 263
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
279
How to Configure Optional Spanning-Tree Features
Caution Configure PortFast edge only on ports that connect to end stations; otherwise, an accidental topology loop
could cause a data packet loop and disrupt switch and network operation.
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# spanning-tree portfast
edge bpduguard default
Switch(config)# interface
gigabitethernet1/0/2
Example:
Switch(config-if)# spanning-tree
portfast edge
Example:
Switch(config-if)# end
What to Do Next
To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan
global configuration command to shut down just the offending VLAN on the port where the violation occurred.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
280
How to Configure Optional Spanning-Tree Features
You also can use the spanning-tree bpduguard enable interface configuration command to enable BPDU
guard on any port without also enabling the PortFast edge feature. When the port receives a BPDU, it is put
it in the error-disabled state.
Related Topics
BPDU Guard, on page 264
Caution Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in
spanning-tree loops.
You can enable the BPDU filtering feature if your switch is running PVST+, Rapid PVST+, or MSTP.
Caution Configure PortFast edge only on interfaces that connect to end stations; otherwise, an accidental topology
loop could cause a data packet loop and disrupt switch and network operation.
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# spanning-tree portfast
edge bpdufilter default
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
281
How to Configure Optional Spanning-Tree Features
Switch(config)# interface
gigabitethernet1/0/2
Step 5 spanning-tree portfast edge Enables the PortFast edge feature on the
specified interface.
Example:
Switch(config-if)# spanning-tree
portfast edge
Example:
Switch(config-if)# end
Related Topics
BPDU Filtering, on page 265
Note When you enable UplinkFast, it affects all VLANs on the switch or switch stack. You cannot configure
UplinkFast on an individual VLAN.
You can configure the UplinkFast or the Cross-Stack UplinkFast (CSUF) feature for Rapid PVST+ or for the
MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.
This procedure is optional. Follow these steps to enable UplinkFast and CSUF.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
282
How to Configure Optional Spanning-Tree Features
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# end
When UplinkFast is enabled, the switch priority of all VLANs is set to 49152. If you change the path cost to
a value less than 3000 and you enable UplinkFast or UplinkFast is already enabled, the path cost of all interfaces
and VLAN trunks is increased by 3000 (if you change the path cost to 3000 or above, the path cost is not
altered). The changes to the switch priority and the path cost reduce the chance that a switch will become the
root switch.
When UplinkFast is disabled, the switch priorities of all VLANs and path costs of all interfaces are set to
default values if you did not modify them from their defaults.
When you enable the UplinkFast feature using these instructions, CSUF is automatically globally enabled on
nonstack port interfaces.
Related Topics
UplinkFast, on page 266
Cross-Stack UplinkFast, on page 267
How Cross-Stack UplinkFast Works, on page 268
Events That Cause Fast Convergence, on page 270
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
283
How to Configure Optional Spanning-Tree Features
Disabling UplinkFast
This procedure is optional.
Follow these steps to disable UplinkFast and Cross-Stack UplinkFast (CSUF).
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# end
When UplinkFast is disabled, the switch priorities of all VLANs and path costs of all interfaces are set to
default values if you did not modify them from their defaults.
When you disable the UplinkFast feature using these instructions, CSUF is automatically globally disabled
on nonstack port interfaces.
Enabling BackboneFast
You can enable BackboneFast to detect indirect link failures and to start the spanning-tree reconfiguration
sooner.
You can configure the BackboneFast feature for Rapid PVST+ or for the MSTP, but the feature remains
disabled (inactive) until you change the spanning-tree mode to PVST+.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
284
How to Configure Optional Spanning-Tree Features
This procedure is optional. Follow these steps to enable BackboneFast on the switch.
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# spanning-tree
backbonefast
Example:
Switch(config)# end
Related Topics
BackboneFast, on page 270
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
285
How to Configure Optional Spanning-Tree Features
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# spanning-tree
etherchannel guard misconfig
Example:
Switch(config)# end
What to Do Next
You can use the show interfaces status err-disabled privileged EXEC command to show which switch ports
are disabled because of an EtherChannel misconfiguration. On the remote device, you can enter the show
etherchannel summary privileged EXEC command to verify the EtherChannel configuration.
After the configuration is corrected, enter the shutdown and no shutdown interface configuration commands
on the port-channel interfaces that were misconfigured.
Related Topics
EtherChannel Guard, on page 273
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
286
How to Configure Optional Spanning-Tree Features
Note You cannot enable both root guard and loop guard at the same time.
You can enable this feature if your switch is running PVST+, Rapid PVST+, or MSTP.
This procedure is optional.
Follow these steps to enable root guard on the switch.
Procedure
Example:
Switch# configure terminal
Example:
Switch(config-if)# end
Related Topics
Root Guard, on page 273
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
287
How to Configure Optional Spanning-Tree Features
Note You cannot enable both loop guard and root guard at the same time.
You can enable this feature if your switch is running PVST+, Rapid PVST+, or MSTP.
This procedure is optional. Follow these steps to enable loop guard on the switch.
Procedure
Example:
Switch# show spanning-tree active
or
Example:
Switch# configure terminal
Example:
Switch(config)# end
Related Topics
Loop Guard, on page 274
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
288
How to Configure Optional Spanning-Tree Features
Related Topics
STP PortFast Port Types, on page 274
Procedure
Example:
Switch# configure terminal
Step 3 spanning-tree portfast [edge | Configures the default state for all interfaces on the switch.
network | normal] default You have these options:
• (Optional) edge—Configures all interfaces as edge ports.
Example: This assumes all ports are connected to hosts/servers.
Switch(config)# spanning-tree
portfast default • (Optional) network—Configures all interfaces as
spanning tree network ports. This assumes all ports are
connected to switches and bridges. Bridge Assurance is
enabled on all network ports by default.
• (Optional) normal—Configures all interfaces normal
spanning tree ports. These ports can be connected to any
type of device.
• default—The default port type is normal.
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
289
How to Configure Optional Spanning-Tree Features
Note Because the purpose of this type of port is to minimize the time that access ports must wait for spanning
tree to converge, it is most effective when used on access ports. If you enable PortFast edge on a port
connecting to another switch, you risk creating a spanning tree loop.
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# interface
gigabitethernet 1/0/1 | port-channel
port_channel_number
Step 4 spanning-tree portfast edge [trunk] Enables edge behavior on a Layer 2 access port
connected to an end workstation or server.
Example: • (Optional) trunk—Enables edge behavior on
Switch(config-if)# spanning-tree a trunk port. Use this keyword if the link is a
portfast trunk trunk. Use this command only on ports that are
connected to end host devices that terminate
VLANs and from which the port should never
receive STP BPDUs. Such end host devices
include workstations, servers, and ports on
routers that are not configured to support
bridging.
• Use the no version of the command to disable
PortFast edge.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
290
How to Configure Optional Spanning-Tree Features
Example:
Switch(config-if)# end
Example:
Switch# show running interface
gigabitethernet 1/0/1| port-channel
port_channel_number
Note Bridge Assurance is enabled only on PortFast network ports. For more information, refer to Bridge
Assurance.
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# interface
gigabitethernet 1/0/1| port-channel
port_channel_number
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
291
How to Configure Optional Spanning-Tree Features
Example:
Switch(config-if)# end
Example:
Switch# show running interface
gigabitethernet 1/0/1 | port-channel
port_channel_number
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
292
Examples
Example:
Switch(config)# end
Step 5 show spanning-tree summary Displays spanning tree information and shows if
Bridge Assurance is enabled.
Example:
Switch# show spanning-tree summary
Related Topics
Bridge Assurance, on page 275
Examples
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
293
Examples
This example shows how you can display that port GigabitEthernet 1/0/1 is currently in the edge state:
Switch# show spanning-tree vlan 200
VLAN0200
Spanning tree enabled protocol rstp
Root ID Priority 2
Address 001b.2a68.5fc0
Cost 3
Port 125 (GigabitEthernet5/9)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 2 (priority 0 sys-id-ext 2)
Address 7010.5c9c.5200
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 0 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/1 Desg FWD 4 128.1 P2p Edge
VLAN0002
Spanning tree enabled protocol rstp
Root ID Priority 2
Address 7010.5c9c.5200
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Switch#
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
294
Monitoring the Spanning-Tree Status
Note The output shows the port type as network and *BA_Inc, indicating that the port is in an inconsistent state.
Switch#
Command Purpose
show spanning-tree active Displays spanning-tree information on active interfaces only.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
295
Feature Information for Optional Spanning-Tree Features
Command Purpose
show spanning-tree interface interface-id Displays spanning-tree information for the specified interface.
show spanning-tree mst interface Displays MST information for the specified interface.
interface-id
show spanning-tree summary [totals] Displays a summary of interface states or displays the total
lines of the spanning-tree state section.
show spanning-tree mst interface Displays spanning-tree portfast information for the specified
interface-id portfast edge interface.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
296
CHAPTER 18
Configuring EtherChannels
• Finding Feature Information, page 297
• Restrictions for EtherChannels, page 297
• Information About EtherChannels, page 298
• How to Configure EtherChannels, page 317
• Monitoring EtherChannel, PAgP, and LACP Status, page 330
• Configuration Examples for Configuring EtherChannels, page 331
• Additional References for EtherChannels, page 335
• Feature Information for EtherChannels, page 336
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
297
Information About EtherChannels
EtherChannel Overview
EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use
the EtherChannel to increase the bandwidth between the wiring closets and the data center, and you can deploy
it anywhere in the network where bottlenecks are likely to occur. EtherChannel provides automatic recovery
for the loss of a link by redistributing the load across the remaining links. If a link fails, EtherChannel redirects
traffic from the failed link to the remaining links in the channel without intervention.
An EtherChannel consists of individual Ethernet links bundled into a single logical link.
The EtherChannel provides full-duplex bandwidth up to 8 Gb/s (Gigabit EtherChannel) or 80 Gb/s (10-Gigabit
EtherChannel) between your switch and another switch or host.
Each EtherChannel can consist of up to eight compatibly configured Ethernet ports.
The LAN Lite feature set supports up to six EtherChannels. The LAN Base feature set supports up to 24
EtherChannels.
Related Topics
Configuring Layer 2 EtherChannels , on page 317
EtherChannel Configuration Guidelines, on page 313
Default EtherChannel Configuration, on page 311
Layer 2 EtherChannel Configuration Guidelines, on page 314
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
298
Information About EtherChannels
EtherChannel Modes
You can configure an EtherChannel in one of these modes: Port Aggregation Protocol (PAgP), Link Aggregation
Control Protocol (LACP), or On. Configure both ends of the EtherChannel in the same mode:
• When you configure one end of an EtherChannel in either PAgP or LACP mode, the system negotiates
with the other end of the channel to determine which ports should become active. If the remote port
cannot negotiate an EtherChannel, the local port is put into an independent state and continues to carry
data traffic as would any other single link. The port configuration does not change, but the port does not
participate in the EtherChannel.
• When you configure an EtherChannel in the on mode, no negotiations take place. The switch forces all
compatible ports to become active in the EtherChannel. The other end of the channel (on the other switch)
must also be configured in the on mode; otherwise, packet loss can occur.
Related Topics
Configuring Layer 2 EtherChannels , on page 317
EtherChannel Configuration Guidelines, on page 313
Default EtherChannel Configuration, on page 311
Layer 2 EtherChannel Configuration Guidelines, on page 314
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
299
Information About EtherChannels
EtherChannel on Switches
You can create an EtherChannel on a switch, on a single switch in the stack, or on multiple switches in the
stack (known as cross-stack EtherChannel).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
300
Information About EtherChannels
Related Topics
Configuring Layer 2 EtherChannels , on page 317
EtherChannel Configuration Guidelines, on page 313
Default EtherChannel Configuration, on page 311
Layer 2 EtherChannel Configuration Guidelines, on page 314
Related Topics
Configuring Layer 2 EtherChannels , on page 317
EtherChannel Configuration Guidelines, on page 313
Default EtherChannel Configuration, on page 311
Layer 2 EtherChannel Configuration Guidelines, on page 314
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
301
Information About EtherChannels
The channel-group command binds the physical port and the port-channel interface together. Each
EtherChannel has a port-channel logical interface numbered from 1 to 24. This port-channel interface number
corresponds to the one specified with the channel-group interface configuration command.
Figure 36: Relationship of Physical Ports, Channel Group and Port-Channel Interface
• With Layer 2 ports, use the channel-group interface configuration command to dynamically create the
port-channel interface.
You also can use the interface port-channel port-channel-number global configuration command to
manually create the port-channel interface, but then you must use the channel-group
channel-group-number command to bind the logical interface to a physical port. The
channel-group-number can be the same as the port-channel-number, or you can use a new number. If
you use a new number, the channel-group command dynamically creates a new port channel.
Related Topics
Creating Port-Channel Logical Interfaces
EtherChannel Configuration Guidelines, on page 313
Default EtherChannel Configuration, on page 311
Layer 2 EtherChannel Configuration Guidelines, on page 314
Configuring the Physical Interfaces
EtherChannel Configuration Guidelines, on page 313
Default EtherChannel Configuration, on page 311
Layer 2 EtherChannel Configuration Guidelines, on page 314
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
302
Information About EtherChannels
EtherChannels by exchanging PAgP packets between Ethernet ports. PAgP cannot be enabled on cross-stack
EtherChannels.
By using PAgP, the switch or switch stack learns the identity of partners capable of supporting PAgP and the
capabilities of each port. It then dynamically groups similarly configured ports (on a single switch in the stack)
into a single logical link (channel or aggregate port). Similarly configured ports are grouped based on hardware,
administrative, and port parameter constraints. For example, PAgP groups the ports with the same speed,
duplex mode, native VLAN, VLAN range, and trunking status and type. After grouping the links into an
EtherChannel, PAgP adds the group to the spanning tree as a single switch port.
PAgP Modes
PAgP modes specify whether a port can send PAgP packets, which start PAgP negotiations, or only respond
to PAgP packets received.
Mode Description
auto Places a port into a passive negotiating state, in which the port responds to PAgP packets
it receives but does not start PAgP packet negotiation. This setting minimizes the
transmission of PAgP packets.
This mode is not supported when the EtherChannel members are from different switches
in the switch stack (cross-stack EtherChannel).
desirable Places a port into an active negotiating state, in which the port starts negotiations with other
ports by sending PAgP packets. This mode is not supported when the EtherChannel members
are from different switches in the switch stack (cross-stack EtherChannel).
Switch ports exchange PAgP packets only with partner ports configured in the auto or desirable modes. Ports
configured in the on mode do not exchange PAgP packets.
Both the auto and desirable modes enable ports to negotiate with partner ports to form an EtherChannel based
on criteria such as port speed. and for Layer 2 EtherChannels, based on trunk state and VLAN numbers.
Ports can form an EtherChannel when they are in different PAgP modes as long as the modes are compatible.
For example:
• A port in the desirable mode can form an EtherChannel with another port that is in the desirable or
auto mode.
• A port in the auto mode can form an EtherChannel with another port in the desirable mode.
A port in the auto mode cannot form an EtherChannel with another port that is also in the auto mode because
neither port starts PAgP negotiation.
Related Topics
Configuring Layer 2 EtherChannels , on page 317
EtherChannel Configuration Guidelines, on page 313
Default EtherChannel Configuration, on page 311
Layer 2 EtherChannel Configuration Guidelines, on page 314
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
303
Information About EtherChannels
Silent Mode
If your switch is connected to a partner that is PAgP-capable, you can configure the switch port for nonsilent
operation by using the non-silent keyword. If you do not specify non-silent with the auto or desirable mode,
silent mode is assumed.
Use the silent mode when the switch is connected to a device that is not PAgP-capable and seldom, if ever,
sends packets. An example of a silent partner is a file server or a packet analyzer that is not generating traffic.
In this case, running PAgP on a physical port connected to a silent partner prevents that switch port from ever
becoming operational. However, the silent setting allows PAgP to operate, to attach the port to a channel
group, and to use the port for transmission.
Related Topics
Configuring Layer 2 EtherChannels , on page 317
EtherChannel Configuration Guidelines, on page 313
Default EtherChannel Configuration, on page 311
Layer 2 EtherChannel Configuration Guidelines, on page 314
Creating Port-Channel Logical Interfaces
EtherChannel Configuration Guidelines, on page 313
Default EtherChannel Configuration, on page 311
Layer 2 EtherChannel Configuration Guidelines, on page 314
Configuring the Physical Interfaces
EtherChannel Configuration Guidelines, on page 313
Default EtherChannel Configuration, on page 311
Layer 2 EtherChannel Configuration Guidelines, on page 314
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
304
Information About EtherChannels
You also can configure a single port within the group for all transmissions and use other ports for hot-standby.
The unused ports in the group can be swapped into operation in just a few seconds if the selected single port
loses hardware-signal detection. You can configure which port is always selected for packet transmission by
changing its priority with the pagp port-priority interface configuration command. The higher the priority,
the more likely that the port will be selected.
Note The switch supports address learning only on aggregate ports even though the physical-port keyword is
provided in the CLI. The pagp learn-method command and the pagp port-priority command have no
effect on the switch hardware, but they are required for PAgP interoperability with devices that only
support address learning by physical ports, such as the Catalyst 1900 switch.
When the link partner of the switch is a physical learner, we recommend that you configure the switch as
a physical-port learner by using the pagp learn-method physical-port interface configuration command.
Set the load-distribution method based on the source MAC address by using the port-channel load-balance
src-mac global configuration command. The switch then sends packets to the physcial learner using the
same port in the EtherChannel from which it learned the source address. Only use the pagp learn-method
command in this situation.
Related Topics
Configuring the PAgP Learn Method and Priority , on page 322
EtherChannel Configuration Guidelines, on page 313
Default EtherChannel Configuration, on page 311
Monitoring EtherChannel, PAgP, and LACP Status, on page 330
Layer 2 EtherChannel Configuration Guidelines, on page 314
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
305
Information About EtherChannels
In Layer 2 EtherChannels, the first port in the channel that comes up provides its MAC address to the
EtherChannel. If this port is removed from the bundle, one of the remaining ports in the bundle provides its
MAC address to the EtherChannel.
PAgP sends and receives PAgP PDUs only from ports that are up and have PAgP enabled for the auto or
desirable mode.
LACP Modes
LACP modes specify whether a port can send LACP packets or only receive LACP packets.
Mode Description
active Places a port into an active negotiating state in which the port starts negotiations with
other ports by sending LACP packets.
passive Places a port into a passive negotiating state in which the port responds to LACP packets
that it receives, but does not start LACP packet negotiation. This setting minimizes the
transmission of LACP packets.
Both the active and passive LACP modes enable ports to negotiate with partner ports to an EtherChannel
based on criteria such as port speed, and for Layer 2 EtherChannels, based on trunk state and VLAN numbers.
Ports can form an EtherChannel when they are in different LACP modes as long as the modes are compatible.
For example:
• A port in the active mode can form an EtherChannel with another port that is in the active or passive
mode.
• A port in the passive mode cannot form an EtherChannel with another port that is also in the passive
mode because neither port starts LACP negotiation.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
306
Information About EtherChannels
Related Topics
Configuring Layer 2 EtherChannels , on page 317
EtherChannel Configuration Guidelines, on page 313
Default EtherChannel Configuration, on page 311
Layer 2 EtherChannel Configuration Guidelines, on page 314
EtherChannel On Mode
EtherChannel on mode can be used to manually configure an EtherChannel. The on mode forces a port to
join an EtherChannel without negotiations. The on mode can be useful if the remote device does not support
PAgP or LACP. In the on mode, a usable EtherChannel exists only when the switches at both ends of the link
are configured in the on mode.
Ports that are configured in the on mode in the same channel group must have compatible port characteristics,
such as speed and duplex. Ports that are not compatible are suspended, even though they are configured in
the on mode.
Caution You should use care when using the on mode. This is a manual configuration, and ports on both ends of
the EtherChannel must have the same configuration. If the group is misconfigured, packet loss or
spanning-tree loops can occur.
Note Layer 3 Equal-cost multi path (ECMP) load balancing is based on source IP address, destination IP address,
source port, destination port, and layer 4 protocol. Fragmented packets will be treated on two different
links based on the algorithm calculated using these parameters. Any changes in one of these parameters
will result in load balancing.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
307
Information About EtherChannels
You configure the load-balancing and forwarding method by using the port-channel load-balance global
configuration command.
Related Topics
Configuring EtherChannel Load-Balancing
EtherChannel Configuration Guidelines, on page 313
Layer 2 EtherChannel Configuration Guidelines, on page 314
Default EtherChannel Configuration, on page 311
Related Topics
Configuring EtherChannel Load-Balancing
EtherChannel Configuration Guidelines, on page 313
Layer 2 EtherChannel Configuration Guidelines, on page 314
Default EtherChannel Configuration, on page 311
IP Address Forwarding
With source-IP address-based forwarding, packets are distributed across the ports in the EtherChannel based
on the source-IP address of the incoming packet. To provide load balancing, packets from different IP addresses
use different ports in the channel, and packets from the same IP address use the same port in the channel.
With destination-IP address-based forwarding, packets are distributed across the ports in the EtherChannel
based on the destination-IP address of the incoming packet. To provide load balancing, packets from the same
IP source address sent to different IP destination addresses could be sent on different ports in the channel.
Packets sent from different source IP addresses to the same destination IP address are always sent on the same
port in the channel.
With source-and-destination IP address-based forwarding, packets are distributed across the ports in the
EtherChannel based on both the source and destination IP addresses of the incoming packet. This forwarding
method, a combination of source-IP and destination-IP address-based forwarding, can be used if it is not clear
whether source-IP or destination-IP address-based forwarding is better suited on a particular switch. In this
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
308
Information About EtherChannels
method, packets sent from the IP address A to IP address B, from IP address A to IP address C, and from IP
address C to IP address B could all use different ports in the channel.
Related Topics
Configuring EtherChannel Load-Balancing
EtherChannel Configuration Guidelines, on page 313
Layer 2 EtherChannel Configuration Guidelines, on page 314
Default EtherChannel Configuration, on page 311
Load-Balancing Advantages
Different load-balancing methods have different advantages, and the choice of a particular load-balancing
method should be based on the position of the switch in the network and the kind of traffic that needs to be
load-distributed.
In the following figure, an EtherChannel of four workstations communicates with a router. Because the router
is a single MAC-address device, source-based forwarding on the switch EtherChannel ensures that the switch
uses all available bandwidth to the router. The router is configured for destination-based forwarding because
the large number of workstations ensures that the traffic is evenly distributed from the router EtherChannel.
Figure 37: Load Distribution and Forwarding Methods
Use the option that provides the greatest variety in your configuration. For example, if the traffic on a channel
is going only to a single MAC address, using the destination-MAC address always chooses the same link in
the channel. Using source addresses or IP addresses might result in better load-balancing.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
309
Information About EtherChannels
Related Topics
Configuring EtherChannel Load-Balancing
EtherChannel Configuration Guidelines, on page 313
Layer 2 EtherChannel Configuration Guidelines, on page 314
Default EtherChannel Configuration, on page 311
Note When you try to enable this feature on a stack member switch, the following message is displayed:
Load share deferral is supported only on stand-alone stack.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
310
Information About EtherChannels
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
311
Information About EtherChannels
LACP system ID LACP system priority and the switch or stack MAC
address.
Related Topics
Configuring Layer 2 EtherChannels , on page 317
EtherChannel Overview, on page 298
EtherChannel Modes, on page 299
EtherChannel on Switches, on page 300
EtherChannel Link Failover, on page 301
LACP Modes, on page 306
PAgP Modes , on page 303
Silent Mode, on page 304
Creating Port-Channel Logical Interfaces
Channel Groups and Port-Channel Interfaces, on page 301
PAgP Modes , on page 303
Silent Mode, on page 304
Configuring the Physical Interfaces
Channel Groups and Port-Channel Interfaces, on page 301
PAgP Modes , on page 303
Silent Mode, on page 304
Configuring EtherChannel Load-Balancing
Load-Balancing and Forwarding Methods, on page 307
MAC Address Forwarding, on page 308
IP Address Forwarding, on page 308
Load-Balancing Advantages, on page 309
Configuring the PAgP Learn Method and Priority , on page 322
PAgP Learn Method and Priority, on page 304
Configuring the LACP System Priority , on page 323
Configuring the LACP Port Priority , on page 324
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
312
Information About EtherChannels
Related Topics
Configuring Layer 2 EtherChannels , on page 317
EtherChannel Overview, on page 298
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
313
Information About EtherChannels
Related Topics
Configuring Layer 2 EtherChannels , on page 317
EtherChannel Overview, on page 298
EtherChannel Modes, on page 299
EtherChannel on Switches, on page 300
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
314
Information About EtherChannels
Auto-LAG
The auto-LAG feature provides the ability to auto create EtherChannels on ports connected to a switch. By
default, auto-LAG is disabled globally and is enabled on all port interfaces. The auto-LAG applies to a switch
only when it is enabled globally.
On enabling auto-LAG globally, the following scenarios are possible:
• All port interfaces participate in creation of auto EtherChannels provided the partner port interfaces have
EtherChannel configured on them. For more information, see the "The supported auto-LAG configurations
between the actor and partner devices" table below.
• Ports that are already part of manual EtherChannels cannot participate in creation of auto EtherChannels.
• When auto-LAG is disabled on a port interface that is already a part of an auto created EtherChannel,
the port interface will unbundle from the auto EtherChannel.
The following table shows the supported auto-LAG configurations between the actor and partner devices:
Table 39: The supported auto-LAG configurations between the actor and partner devices
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
315
Information About EtherChannels
On disabling auto-LAG globally, all auto created Etherchannels become manual EtherChannels.
You cannot add any configurations in an existing auto created EtherChannel. To add, you should first convert
it into a manual EtherChannel by executing the port-channel<channel-number>persistent.
Note Auto-LAG uses the LACP protocol to create auto EtherChannel. Only one EtherChannel can be
automatically created with the unique partner devices.
Related Topics
Configuring Auto-LAG Globally, on page 328
Configuring Auto LAG: Examples, on page 332
Configuring Auto-LAG on a Port Interface, on page 329
Configuring Persistence with Auto-LAG, on page 330
Auto-LAG Configuration Guidelines, on page 316
Related Topics
Configuring Auto-LAG Globally, on page 328
Configuring Auto LAG: Examples, on page 332
Configuring Auto-LAG on a Port Interface, on page 329
Configuring Persistence with Auto-LAG, on page 330
Auto-LAG, on page 315
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
316
How to Configure EtherChannels
Procedure
Example:
Switch# configure
terminal
Step 2 interface interface-id Specifies a physical port, and enters interface configuration mode.
Valid interfaces are physical ports.
Example:
For a PAgP EtherChannel, you can configure up to eight ports of the
Switch(config)# interface same type and speed for the same group.
gigabitethernet2/0/1
For a LACP EtherChannel, you can configure up to 16 Ethernet ports
of the same type. Up to eight ports can be active, and up to eight ports
can be in standby mode.
Step 3 switchport mode {access | Assigns all ports as static-access ports in the same VLAN, or
trunk} configure them as trunks.
If you configure the port as a static-access port, assign it to only one
Example: VLAN. The range is 1 to 4094.
Switch(config-if)#
switchport mode access
Step 4 switchport access vlan (Optional) If you configure the port as a static-access port, assign it
vlan-id to only one VLAN. The range is 1 to 4094.
Example:
Switch(config-if)#
switchport access vlan 22
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
317
How to Configure EtherChannels
Example:
Switch(config-if)# end
Related Topics
EtherChannel Overview, on page 298
EtherChannel Modes, on page 299
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
318
How to Configure EtherChannels
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
319
How to Configure EtherChannels
Example:
Switch(config)# end
Procedure
Example:
Switch# configure terminal
Step 3 port-channel load-defer seconds Configures the port load share deferral interval
for all port channels.
Example: • seconds—The time interval during which
Switch(config)# port-channel
load-defer 60 load sharing is initially 0 for deferred port
channels. The range is 1 to 1800 seconds;
the default is 120 seconds
Step 4 interface type number Configures a port channel interface and enters
interface configuration mode.
Example:
Switch(config)# interface port-channel
10
Step 5 port-channel load-defer Enables port load share deferral on the port
channel.
Example:
Switch(config-if)# port-channel
load-defer
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
320
How to Configure EtherChannels
Example:
Switch# show etherchannel 1
port-channel
Example:
Switch# show platform pm group-masks
Example
The following is sample output from the show etherchannel channel-group port-channel command. If the
channel-group argument is not specified; the command displays information about all channel groups are
displayed.
Switch# show etherchannel 1 port-channel
Port-channel: Po1
------------
The following is sample output from the show platform pm group-masks command. Deferred ports have
the group mask of 0xFFFF, when the defer timer is running.
Switch# show platform pm group-masks
====================================================================
Etherchannel members and group masks table
Group #ports group frame-dist slot port mask interface index
--------------------------------------------------------------------
1 0 1 src-mac
2 0 2 src-mac
3 0 3 src-mac
4 0 4 src-mac
5 0 5 src-mac
6 0 6 src-mac
7 0 7 src-mac
8 0 8 src-mac
9 0 9 src-mac
10 3 10 src-mac
1 12 0000 Gi1/0/12 3
1 10 FFFF Gi1/0/10 6
1 11 FFFF Gi1/0/11 7
11 0 11 src-mac
12 0 12 src-mac
13 0 13 src-mac
14 0 14 src-mac
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
321
How to Configure EtherChannels
15 0 15 src-mac
Procedure
Example:
Switch# configure terminal
Step 2 interface interface-id Specifies the port for transmission, and enters interface
configuration mode.
Example:
Switch(config)# interface
gigabitethernet 1/0/2
Step 4 pagp port-priority priority Assigns a priority so that the selected port is chosen for
packet transmission.
Example: For priority, the range is 0 to 255. The default is 128. The
Switch(config-if)# pagp higher the priority, the more likely that the port will be used
port-priority 200 for PAgP transmission.
Example:
Switch(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
322
How to Configure EtherChannels
Related Topics
PAgP Learn Method and Priority, on page 304
EtherChannel Configuration Guidelines, on page 313
Default EtherChannel Configuration, on page 311
Monitoring EtherChannel, PAgP, and LACP Status, on page 330
Layer 2 EtherChannel Configuration Guidelines, on page 314
In priority comparisons, numerically lower values have higher priority. The priority decides which ports
should be put in standby mode when there is a hardware limitation that prevents all compatible ports from
aggregating.
Determining which ports are active and which are hot standby is a two-step procedure. First the system with
a numerically lower system priority and system ID is placed in charge of the decision. Next, that system
decides which ports are active and which are hot standby, based on its values for port priority and port number.
The port priority and port number values for the other system are not used.
You can change the default values of the LACP system priority and the LACP port priority to affect how the
software selects active and standby links.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
323
How to Configure EtherChannels
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# end
Related Topics
EtherChannel Configuration Guidelines, on page 313
Default EtherChannel Configuration, on page 311
Layer 2 EtherChannel Configuration Guidelines, on page 314
Monitoring EtherChannel, PAgP, and LACP Status, on page 330
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
324
How to Configure EtherChannels
Note If LACP is not able to aggregate all the ports that are compatible (for example, the remote system might
have more restrictive hardware limitations), all the ports that cannot be actively included in the EtherChannel
are put in the hot-standby state and are used only if one of the channeled ports fails.
Follow these steps to configure the LACP port priority. This procedure is optional.
Procedure
Example:
Switch# configure terminal
Example:
Switch(config-if)# end
Related Topics
EtherChannel Configuration Guidelines, on page 313
Default EtherChannel Configuration, on page 311
Layer 2 EtherChannel Configuration Guidelines, on page 314
Monitoring EtherChannel, PAgP, and LACP Status, on page 330
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
325
How to Configure EtherChannels
Procedure
Example:
Switch# configure terminal
Step 4 port-channel min-links min-links-number Specifies the minimum number of member ports that
must be in the link-up state and bundled in the
Example: EtherChannel for the port channel interface to
transition to the link-up state.
Switch(config-if)# port-channel
min-links 3 For min-links-number , the range is 2 to 8.
Example:
Switch(config)# end
Related Topics
Configuring LACP Port Channel Min-Links: Examples, on page 333
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
326
How to Configure EtherChannels
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# interface
gigabitEthernet 2/1
Step 4 lacp rate {normal | fast} Configures the rate at which LACP control
packets are received by an LACP-supported
Example: interface.
Switch(config-if)# lacp rate fast • To reset the timeout rate to its default, use
the no lacp rate command.
Example:
Switch(config)# end
Example:
Switch# show lacp internal
Switch# show lacp counters
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
327
How to Configure EtherChannels
Related Topics
Example: Configuring LACP Fast Rate Timer, on page 334
Procedure
Example:
Switch# configure terminal
Step 3 [no] port-channel auto Enables the auto-LAG feature on a switch globally.
Use the no form of this command to disable the
Example: auto-LAG feature on the switch globally.
Switch(config)# port-channel auto
Note By default, the auto-LAG feature is enabled
on the port.
Step 4 end Returns to privileged EXEC mode.
Example:
Switch(config)# end
Example:
Switch# show etherchannel auto
Related Topics
Auto-LAG, on page 315
Auto-LAG Configuration Guidelines, on page 316
Configuring Auto LAG: Examples, on page 332
Configuring Auto-LAG on a Port Interface, on page 329
Configuring Persistence with Auto-LAG, on page 330
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
328
How to Configure EtherChannels
Procedure
Example:
Switch# configure terminal
Example:
Switch(config-if)# end
Example:
Switch# show etherchannel auto
What to Do Next
Related Topics
Configuring Auto-LAG Globally, on page 328
Auto-LAG, on page 315
Auto-LAG Configuration Guidelines, on page 316
Configuring Persistence with Auto-LAG, on page 330
Configuring Auto LAG: Examples, on page 332
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
329
Monitoring EtherChannel, PAgP, and LACP Status
Procedure
Step 2 port-channel channel-number persistent Converts the auto created EtherChannel into a
manual one and allows you to add configuration
Example: on the EtherChannel.
Switch# port-channel 1 persistent
Example:
Switch# show etherchannel summary
Related Topics
Configuring Auto-LAG Globally, on page 328
Auto-LAG, on page 315
Auto-LAG Configuration Guidelines, on page 316
Configuring Auto-LAG on a Port Interface, on page 329
Configuring Auto LAG: Examples, on page 332
Table 40: Commands for Monitoring EtherChannel, PAgP, and LACP Status
Command Description
clear lacp { channel-group-number counters | Clears LACP channel-group information and traffic
counters } counters.
clear pagp { channel-group-number counters | Clears PAgP channel-group information and traffic
counters } counters.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
330
Configuration Examples for Configuring EtherChannels
Command Description
show etherchannel [ channel-group-number { Displays EtherChannel information in a brief,
detail | load-balance | port | port-channel | detailed, and one-line summary form. Also displays
protocol | summary }] [detail | load-balance | the load-balance or frame-distribution scheme, port,
port | port-channel | protocol | auto | summary port-channel, protocol, and Auto-LAG information.
]
Related Topics
Configuring the PAgP Learn Method and Priority , on page 322
PAgP Learn Method and Priority, on page 304
Configuring the LACP System Priority , on page 323
Configuring the LACP Port Priority , on page 324
This example shows how to configure an EtherChannel on a single switch in the stack. It assigns two ports
as static-access ports in VLAN 10 to channel 5 with the LACP mode active:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
331
Configuration Examples for Configuring EtherChannels
This example shows how to configure a cross-stack EtherChannel. It uses LACP passive mode and assigns
two ports on stack member 1 and one port on stack member 2 as static-access ports in VLAN 10 to channel
5:
PoE or LACP negotiation errors may occur if you configure two ports from switch to the access point (AP).
This scenario can be avoided if the port channel configuration is on the switch side. For more details, see the
following example:
interface Port-channel1
switchport access vlan 20
switchport mode access
switchport nonegotiate
no port-channel standalone-disable <--this one
spanning-tree portfast
Note If the port reports LACP errors on port flap, you should include the following command as well: no
errdisable detect cause pagp-flap
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
332
Configuration Examples for Configuring EtherChannels
Related Topics
Configuring Auto-LAG Globally, on page 328
Auto-LAG, on page 315
Auto-LAG Configuration Guidelines, on page 316
Configuring Persistence with Auto-LAG, on page 330
Configuring Auto-LAG on a Port Interface, on page 329
When the minimum links requirement is not met in standalone switches, the port-channel is flagged and
assigned SM/SN or RM/RN state.
switch# show etherchannel 25 summary
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
333
Configuration Examples for Configuring EtherChannels
Related Topics
Configuring the LACP Port Channel Min-Links Feature , on page 326
The following is sample output from the show lacp internal command:
The following is sample output from the show lacp counters command:
Related Topics
Configuring LACP Fast Rate Timer, on page 327
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
334
Additional References for EtherChannels
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
Standard/RFC Title
None —
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
335
Feature Information for EtherChannels
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Cisco IOS 15.2(3)E2, Cisco IOS XE 3.7.2E Auto-LAG feature was introduced.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
336
CHAPTER 19
Configuring Link-State Tracking
• Finding Feature Information, page 337
• Restrictions for Configuring Link-State Tracking, page 337
• Understanding Link-State Tracking, page 338
• How to Configure Link-State Tracking , page 341
• Monitoring Link-State Tracking, page 342
• Configuring Link-State Tracking: Example, page 342
• Additional References for Link-State Tracking, page 342
• Feature Information for Link-State Tracking, page 343
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
337
Understanding Link-State Tracking
• Do not enable link-state tracking on individual interfaces that will part of a downstream EtherChannel
interface.
Related Topics
Understanding Link-State Tracking, on page 338
How to Configure Link-State Tracking , on page 341
Monitoring Link-State Tracking Status
Note An interface can be an aggregation of ports (an EtherChannel) or a single physical port in either access
or trunk mode .
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
338
Understanding Link-State Tracking
The configuration in this figure ensures that the network traffic flow is balanced.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
339
Understanding Link-State Tracking
◦Port 5 and port 6 are connected to distribution switch 1 through link-state group 1. Port 5 and port
6 are the upstream interfaces in link-state group 1.
In a link-state group, the upstream ports can become unavailable or lose connectivity because the distribution
switch or router fails, the cables are disconnected, or the link is lost. These are the interactions between the
downstream and upstream interfaces when link-state tracking is enabled:
• If any of the upstream interfaces are in the link-up state, the downstream interfaces can change to or
remain in the link-up state.
• If all of the upstream interfaces become unavailable, link-state tracking automatically puts the downstream
interfaces in the error-disabled state. Connectivity to and from the servers is automatically changed from
the primary server interface to the secondary server interface. For example, in the previous figure, if the
upstream link for port 6 is lost, the link states of downstream ports 1 and 2 do not change. However, if
the link for upstream port 5 is also lost, the link state of the downstream ports changes to the link-down
state. Connectivity to server 1 and server 2 is then changed from link-state group1 to link-state group
2. The downstream ports 3 and 4 do not change state because they are in link-group 2.
• If the link-state group is configured, link-state tracking is disabled, and the upstream interfaces lose
connectivity, the link states of the downstream interfaces remain unchanged. The server does not recognize
that upstream connectivity has been lost and does not failover to the secondary interface.
You can recover a downstream interface link-down condition by removing the failed downstream port from
the link-state group. To recover multiple downstream interfaces, disable the link-state group.
Related Topics
How to Configure Link-State Tracking , on page 341
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
340
How to Configure Link-State Tracking
Procedure
Example:
Switch# configure terminal
Step 2 link state track number Creates a link-state group and enables link-state
tracking. The group number can be 1 or 2; the default
Example: is 1.
Step 4 link state group [ number ]{upstream Specifies a link-state group and configures the interface
| downstream} as either an upstream or downstream interface in the
group.
Example:
Switch(config-if)# link state
group 2 upstream
Example:
Switch(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
341
Monitoring Link-State Tracking
Related Topics
Understanding Link-State Tracking, on page 338
Configuring Link-State Tracking: Example, on page 342
Restrictions for Configuring Link-State Tracking, on page 337
Command Description
show link state group [ number ] [detail] Displays the link-state group information.
Related Topics
Understanding Link-State Tracking, on page 338
How to Configure Link-State Tracking , on page 341
Monitoring Link-State Tracking Status
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
342
Feature Information for Link-State Tracking
Standard/RFC Title
None —
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
343
Feature Information for Link-State Tracking
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
344
CHAPTER 20
Configuring Flex Links and the MAC
Address-Table Move Update Feature
• Finding Feature Information, page 345
• Restrictions for Configuring Flex Links and MAC Address-Table Move Update, page 345
• Information About Flex Links and MAC Address-Table Move Update, page 346
• How to Configure Flex Links and the MAC Address-Table Move Update Feature, page 352
• Monitoring Flex Links, Multicast Fast Convergence, and MAC Address-Table Move Update, page 357
• Configuration Examples for Flex Links, page 358
• Additional References for Flex Links and MAC Address-Table Move Update, page 362
• Feature Information for Flex Links and MAC Address-Table Move Update, page 364
Restrictions for Configuring Flex Links and MAC Address-Table Move Update
• This feature is supported only on the LAN Base image.
• Flex Links are supported only on Layer 2 ports and port channels.
• You can configure up to 16 backup links.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
345
Information About Flex Links and MAC Address-Table Move Update
• You can configure only one Flex Links backup link for any active link, and it must be a different interface
from the active interface.
• An interface can belong to only one Flex Links pair. An interface can be a backup link for only one
active link. An active link cannot belong to another Flex Links pair.
• Neither of the links can be a port that belongs to an EtherChannel. However, you can configure two port
channels (EtherChannel logical interfaces) as Flex Links, and you can configure a port channel and a
physical interface as Flex Links, with either the port channel or the physical interface as the active link.
• A backup link does not have to be the same type (Gigabit Ethernet or port channel) as the active link.
However, you should configure both Flex Links with similar characteristics so that there are no loops
or changes in behavior if the standby link begins to forward traffic.
• STP is disabled on Flex Links ports. A Flex Links port does not participate in STP, even if the VLANs
present on the port are configured for STP. When STP is not enabled, be sure that there are no loops in
the configured topology.
Related Topics
Configuring a Preemption Scheme for a Pair of Flex Links , on page 353
Configuring Flex Links , on page 352
Configuring Flex Links: Examples, on page 358
Configuring VLAN Load Balancing on Flex Links , on page 354
Configuring VLAN Load Balancing on Flex Links: Examples, on page 359
Configuring a Switch to Obtain and Process MAC Address-Table Move Update Messages , on page 357
Configuring MAC Address-Table Move Update , on page 355
Configuring the MAC Address-Table Move Update: Examples, on page 360
Flex Links
Flex Links are a pair of a Layer 2 interfaces (switch ports or port channels) where one interface is configured
to act as a backup to the other. The feature provides an alternative solution to the Spanning Tree Protocol
(STP). Users can disable STP and still retain basic link redundancy. Flex Links are typically configured in
service provider or enterprise networks where customers do not want to run STP on the switch. If the switch
is running STP, Flex Links are not necessary because STP already provides link-level redundancy or backup.
You configure Flex Links on one Layer 2 interface (the active link) by assigning another Layer 2 interface as
the Flex Links or backup link. On switches, the Flex Links can be on the same switch or on another switch
in the stack. When one of the links is up and forwarding traffic, the other link is in standby mode, ready to
begin forwarding traffic if the other link shuts down. At any given time, only one of the interfaces is in the
linkup state and forwarding traffic. If the primary link shuts down, the standby link starts forwarding traffic.
When the active link comes back up, it goes into standby mode and does not forward traffic. STP is disabled
on Flex Links interfaces.
Related Topics
Configuring a Preemption Scheme for a Pair of Flex Links , on page 353
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
346
Information About Flex Links and MAC Address-Table Move Update
If a primary (forwarding) link goes down, a trap notifies the network management stations. If the standby link
goes down, a trap notifies the users.
Flex Links are supported only on Layer 2 ports and port channels, not on VLANs or on Layer 3 ports.
Related Topics
Configuring a Preemption Scheme for a Pair of Flex Links , on page 353
Configuring Flex Links , on page 352
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
347
Information About Flex Links and MAC Address-Table Move Update
Related Topics
Configuring Multicast Fast Convergence with Flex Links Failover: Examples, on page 360
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
348
Information About Flex Links and MAC Address-Table Move Update
In the following figure, switch A is an access switch, and ports 1 and 2 on switch A are connected to uplink
switches B and D through a Flex Links pair. Port 1 is forwarding traffic, and port 2 is in the backup state.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
349
Information About Flex Links and MAC Address-Table Move Update
Traffic from the PC to the server is forwarded from port 1 to port 3. The MAC address of the PC has been
learned on port 3 of switch C. Traffic from the server to the PC is forwarded from port 3 to port 1.
Figure 41: MAC Address-Table Move Update Example
If the MAC address-table move update feature is not configured and port 1 goes down, port 2 starts forwarding
traffic. However, for a short time, switch C keeps forwarding traffic from the server to the PC through port
3, and the PC does not get the traffic because port 1 is down. If switch C removes the MAC address of the
PC on port 3 and relearns it on port 4, traffic can then be forwarded from the server to the PC through port 2.
If the MAC address-table move update feature is configured and enabled on the switches, and port 1 goes
down, port 2 starts forwarding traffic from the PC to the server. The switch sends a MAC address-table move
update packet from port 2. Switch C gets this packet on port 4 and immediately learns the MAC address of
the PC on port 4, which reduces the reconvergence time.
You can configure the access switch, switch A, to send MAC address-table move update messages. You can
also configure the uplink switches B, C, and D to get and process the MAC address-table move update
messages. When switch C gets a MAC address-table move update message from switch A, switch C learns
the MAC address of the PC on port 4. Switch C updates the MAC address table, including the forwarding
table entry for the PC.
Switch A does not need to wait for the MAC address-table update. The switch detects a failure on port 1 and
immediately starts forwarding server traffic from port 2, the new forwarding port. This change occurs in less
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
350
Information About Flex Links and MAC Address-Table Move Update
than 100 milliseconds (ms). The PC is directly connected to switch A, and the connection status does not
change. Switch A does not need to update the PC entry in the MAC address table.
Related Topics
Configuring a Switch to Obtain and Process MAC Address-Table Move Update Messages , on page 357
Configuring MAC Address-Table Move Update , on page 355
Configuring the MAC Address-Table Move Update: Examples, on page 360
Related Topics
Configuring VLAN Load Balancing on Flex Links , on page 354
Configuring VLAN Load Balancing on Flex Links: Examples, on page 359
Related Topics
Configuring a Preemption Scheme for a Pair of Flex Links , on page 353
Configuring Flex Links , on page 352
Configuring Flex Links: Examples, on page 358
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
351
How to Configure Flex Links and the MAC Address-Table Move Update Feature
How to Configure Flex Links and the MAC Address-Table Move Update Feature
Procedure
Example:
Switch# configure terminal
Step 3 switchport backup interface interface-id Configures a physical Layer 2 interface (or port
channel) as part of a Flex Links pair with the
Example: interface. When one link is forwarding traffic, the
other interface is in standby mode.
Switch(conf-if)# switchport backup
interface
gigabitethernet1/0/2
Example:
Switch(conf-if)# end
Related Topics
Flex Links, on page 346
Default Flex Links and MAC Address-Table Move Update Configuration, on page 351
Restrictions for Configuring Flex Links and MAC Address-Table Move Update, on page 345
Configuring Flex Links: Examples, on page 358
Flex Links Configuration, on page 347
Monitoring Flex Links, Multicast Fast Convergence, and MAC Address-Table Move Update, on page
357
Configuring Flex Links: Examples, on page 358
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
352
How to Configure Flex Links and the MAC Address-Table Move Update Feature
Procedure
Example:
Switch# configure terminal
Step 3 switchport backup interface interface-id Configures a physical Layer 2 interface (or port
channel) as part of a Flex Links pair with the
Example: interface. When one link is forwarding traffic, the
other interface is in standby mode.
Switch(conf-if)# switchport backup
interface gigabitethernet1/0/2
Step 4 switchport backup interface interface-id Configures a preemption mechanism and delay for
preemption mode [forced | bandwidth | off] a Flex Links interface pair. You can configure the
preemption as:
Example: • forced—(Optional) The active interface
Switch(conf-if)# switchport backup always preempts the backup.
interface gigabitethernet1/0/2
preemption mode forced • bandwidth—(Optional) The interface with
the higher bandwidth always acts as the active
interface.
• off—(Optional) No preemption occurs from
active to backup.
Step 5 switchport backup interface interface-id Configures the time delay until a port preempts
preemption delay delay-time another port.
Note Setting a delay time only works with
Example: forced and bandwidth modes.
Switch(conf-if)# switchport backup
interface gigabitethernet1/0/2
preemption delay 50
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
353
How to Configure Flex Links and the MAC Address-Table Move Update Feature
Example:
Switch(conf-if)# end
Example:
Switch# show interface
gigabitethernet1/0/2 switchport backup
Step 8 copy running-config startup config (Optional) Saves your entries in the switch startup
configuration file.
Example:
Switch# copy running-config startup
config
Related Topics
Flex Links, on page 346
Default Flex Links and MAC Address-Table Move Update Configuration, on page 351
Restrictions for Configuring Flex Links and MAC Address-Table Move Update, on page 345
Configuring Flex Links: Examples, on page 358
Flex Links Configuration, on page 347
Monitoring Flex Links, Multicast Fast Convergence, and MAC Address-Table Move Update, on page
357
Configuring Flex Links: Examples, on page 358
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
354
How to Configure Flex Links and the MAC Address-Table Move Update Feature
Step 3 switchport backup interface interface-id Configures a physical Layer 2 interface (or port
prefer vlan vlan-range channel) as part of a Flex Links pair with the
interface and specifies the VLANs carried on the
Example: interface. The VLAN ID range is 1 to 4094.
Example:
Switch (config-if)# end
Related Topics
Flex Links VLAN Load Balancing Configuration Guidelines, on page 351
Restrictions for Configuring Flex Links and MAC Address-Table Move Update, on page 345
Configuring VLAN Load Balancing on Flex Links: Examples, on page 359
Configuring VLAN Load Balancing on Flex Links: Examples, on page 359
Monitoring Flex Links, Multicast Fast Convergence, and MAC Address-Table Move Update, on page
357
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
355
How to Configure Flex Links and the MAC Address-Table Move Update Feature
Step 3 Use one of the following: Configures a physical Layer 2 interface (or port
channel), as part of a Flex Links pair with the interface.
• switchport backup interface The MAC address-table move update VLAN is the
interface-id lowest VLAN ID on the interface.
• switchport backup interface Configure a physical Layer 2 interface (or port channel)
interface-id mmu primary vlan and specifies the VLAN ID on the interface, which is
vlan-id used for sending the MAC address-table move update.
When one link is forwarding traffic, the other interface
is in standby mode.
Example:
Switch(config-if)# switchport
backup interface
gigabitethernet0/2 mmu primary vlan
2
Example:
Switch(config-if)# end
Step 5 mac address-table move update Enables the access switch to send MAC address-table
transmit move updates to other switches in the network if the
primary link goes down and the switch starts forwarding
Example: traffic through the standby link.
Switch(config)#
mac address-table move update
transmit
Example:
Switch(config)# end
Related Topics
Configuring the MAC Address-Table Move Update: Examples, on page 360
Monitoring Flex Links, Multicast Fast Convergence, and MAC Address-Table Move Update, on page
357
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
356
Monitoring Flex Links, Multicast Fast Convergence, and MAC Address-Table Move Update
Configuring a Switch to Obtain and Process MAC Address-Table Move Update Messages
Procedure
Example:
Switch# configure terminal
Step 2 mac address-table move update receive Enables the switch to obtain and processes
the MAC address-table move updates.
Example:
Switch (config)# mac address-table move
update receive
Example:
Switch (config)# end
Related Topics
Monitoring Flex Links, Multicast Fast Convergence, and MAC Address-Table Move Update, on page
357
Configuring the MAC Address-Table Move Update: Examples, on page 360
MAC Address-Table Move Update, on page 349
Restrictions for Configuring Flex Links and MAC Address-Table Move Update, on page 345
Configuring the MAC Address-Table Move Update: Examples, on page 360
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
357
Configuration Examples for Flex Links
Command Purpose
show ip igmp profile address-table Displays the specified IGMP profile or all the IGMP profiles
move update profile-id defined on the switch.
show mac address-table move update Displays the MAC address-table move update information on the
switch.
Related Topics
Configuring a Preemption Scheme for a Pair of Flex Links , on page 353
Configuring Flex Links , on page 352
This example shows how to verify the configuration after you configure the preemption mode as forced for
a backup interface pair:
Related Topics
Configuring a Preemption Scheme for a Pair of Flex Links , on page 353
Configuring Flex Links , on page 352
Flex Links, on page 346
Default Flex Links and MAC Address-Table Move Update Configuration, on page 351
Restrictions for Configuring Flex Links and MAC Address-Table Move Update, on page 345
Configuring a Preemption Scheme for a Pair of Flex Links , on page 353
Configuring Flex Links , on page 352
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
358
Configuration Examples for Flex Links
When both interfaces are up, Gi2/0/8 forwards traffic for VLANs 60 and 100 to 120 and Gi2/0/6 forwards
traffic for VLANs 1 to 50.
When a Flex Links interface goes down (LINK_DOWN), VLANs preferred on this interface are moved to
the peer interface of the Flex Links pair. In this example, if interface Gi2/0/6 goes down, Gi2/0/8 carries all
VLANs of the Flex Links pair.
When a Flex Links interface comes up, VLANs preferred on this interface are blocked on the peer interface
and moved to the forwarding state on the interface that has just come up. In this example, if interface Gi2/0/6
comes up, VLANs preferred on this interface are blocked on the peer interface Gi2/0/8 and forwarded on
Gi2/0/6.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
359
Configuration Examples for Flex Links
Related Topics
Configuring VLAN Load Balancing on Flex Links , on page 354
Flex Links VLAN Load Balancing Configuration Guidelines, on page 351
Restrictions for Configuring Flex Links and MAC Address-Table Move Update, on page 345
Configuring VLAN Load Balancing on Flex Links , on page 354
Switch-ID : 010b.4630.1780
Dst mac-address : 0180.c200.0010
Vlans/Macs supported : 1023/8320
Default/Current settings: Rcv Off/On, Xmt Off/On
Max packets per min : Rcv 40, Xmt 60
Rcv packet count : 5
Rcv conforming packet count : 5
Rcv invalid packet count : 0
Rcv packet count this min : 0
Rcv threshold exceed count : 0
Rcv last sequence# this min : 0
Rcv last interface : Po2
Rcv last src-mac-address : 000b.462d.c502
Rcv last switch-ID : 0403.fd6a.8700
Xmt packet count : 0
Xmt packet count this min : 0
Xmt threshold exceed count : 0
Xmt pak buf unavail cnt : 0
Xmt last interface : None
Related Topics
Configuring MAC Address-Table Move Update , on page 355
Configuring a Switch to Obtain and Process MAC Address-Table Move Update Messages , on page 357
Configuring a Switch to Obtain and Process MAC Address-Table Move Update Messages , on page 357
Configuring MAC Address-Table Move Update , on page 355
MAC Address-Table Move Update, on page 349
Restrictions for Configuring Flex Links and MAC Address-Table Move Update, on page 345
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
360
Configuration Examples for Flex Links
This output shows a querier for VLANs 1 and 401, with their queries reaching the switch through
GigabitEthernet1/0/11:
This example is output for the show ip igmp snooping mrouter command for VLANs 1 and 401:
Vlan ports
---- -----
1 Gi1/0/11(dynamic), Gi1/0/12(dynamic)
401 Gi1/0/11(dynamic), Gi1/0/12(dynamic)
Similarly, both Flex Links ports are part of learned groups. In this example, GigabitEthernet2/0/11 is a
receiver/host in VLAN 1, which is interested in two multicast groups:
When a host responds to the general query, the switch forwards this report on all the mrouter ports. In this
example, when a host sends a report for the group 228.1.5.1, it is forwarded only on GigabitEthernet1/0/11,
because the backup port GigabitEthernet1/0/12 is blocked. When the active link, GigabitEthernet1/0/11, goes
down, the backup port, GigabitEthernet1/0/12, begins forwarding.
As soon as this port starts forwarding, the switch sends proxy reports for the groups 228.1.5.1 and 228.1.5.2
on behalf of the host. The upstream router learns the groups and starts forwarding multicast data. This is the
default behavior of Flex Links. This behavior changes when the user configures fast convergence using the
switchport backup interface gigabitEthernet 1/0/12 multicast fast-convergence command. This example
shows turning on this feature:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
361
Additional References for Flex Links and MAC Address-Table Move Update
This output shows a querier for VLAN 1 and 401 with their queries reaching the switch through
GigabitEthernet1/0/11:
This is output for the show ip igmp snooping mrouter command for VLAN 1 and 401:
Vlan ports
---- -----
1 Gi1/0/11(dynamic), Gi1/0/12(dynamic)
401 Gi1/0/11(dynamic), Gi1/0/12(dynamic)
Similarly, both the Flex Links ports are a part of the learned groups. In this example, GigabitEthernet2/0/11
is a receiver/host in VLAN 1, which is interested in two multicast groups:
Whenever a host responds to the general query, the switch forwards this report on all the mrouter ports. When
you turn on this feature through the command-line port, and when a report is forwarded by the switch on
GigabitEthernet1/0/11, it is also leaked to the backup port GigabitEthernet1/0/12. The upstream router learns
the groups and starts forwarding multicast data, which is dropped at the ingress because GigabitEthernet1/0/12
is blocked. When the active link, GigabitEthernet1/0/11, goes down, the backup port, GigabitEthernet1/0/12,
begins forwarding. You do not need to send any proxy reports as the multicast data is already being forwarded
by the upstream router. By leaking reports to the backup port, a redundant multicast path has been set up, and
the time taken for the multicast traffic convergence is very minimal.
Related Topics
Multicast Fast Convergence with Flex Links Failover, on page 348
Additional References for Flex Links and MAC Address-Table Move Update
Related Documents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
362
Additional References for Flex Links and MAC Address-Table Move Update
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
Standard/RFC Title
None —
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
363
Feature Information for Flex Links and MAC Address-Table Move Update
Feature Information for Flex Links and MAC Address-Table Move Update
Release Modification
Cisco IOS 15.0(2)EX This feature was introduced.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
364
CHAPTER 21
Configuring UniDirectional Link Detection
• Finding Feature Information, page 365
• Restrictions for Configuring UDLD, page 365
• Information About UDLD, page 366
• How to Configure UDLD, page 369
• Monitoring and Maintaining UDLD, page 371
• Additional References for UDLD, page 371
• Feature Information for UDLD, page 372
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
365
Information About UDLD
Caution Loop guard works only on point-to-point links. We recommend that each end of the link has a directly
connected device that is running STP.
Modes of Operation
UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD can
detect unidirectional links due to misconnected ports on fiber-optic connections. In aggressive mode, UDLD
can also detect unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and to
misconnected ports on fiber-optic links.
In normal and aggressive modes, UDLD works with the Layer 1 mechanisms to learn the physical status of
a link. At Layer 1, autonegotiation takes care of physical signaling and fault detection. UDLD performs tasks
that autonegotiation cannot perform, such as detecting the identities of neighbors and shutting down
misconnected ports. When you enable both autonegotiation and UDLD, the Layer 1 and Layer 2 detections
work together to prevent physical and logical unidirectional connections and the malfunctioning of other
protocols.
A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from
the neighbor is not received by the local device.
Normal Mode
In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected
and the Layer 1 mechanisms do not detect this misconnection. If the ports are connected correctly but the
traffic is one way, UDLD does not detect the unidirectional link because the Layer 1 mechanism, which is
supposed to detect this condition, does not do so. In this case, the logical link is considered undetermined,
and UDLD does not disable the port.
When UDLD is in normal mode, if one of the fiber strands in a pair is disconnected, as long as autonegotiation
is active, the link does not stay up because the Layer 1 mechanisms detects a physical problem with the link.
In this case, UDLD does not take any action and the logical link is considered undetermined.
Related Topics
Enabling UDLD Globally , on page 369
Enabling UDLD on an Interface , on page 370
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
366
Information About UDLD
Aggressive Mode
In aggressive mode, UDLD detects a unidirectional link by using the previous detection methods. UDLD in
aggressive mode can also detect a unidirectional link on a point-to-point link on which no failure between the
two devices is allowed. It can also detect a unidirectional link when one of these problems exists:
• On fiber-optic or twisted-pair links, one of the ports cannot send or receive traffic.
• On fiber-optic or twisted-pair links, one of the ports is down while the other is up.
• One of the fiber strands in the cable is disconnected.
Related Topics
Enabling UDLD Globally , on page 369
Enabling UDLD on an Interface , on page 370
Related Topics
Enabling UDLD Globally , on page 369
Enabling UDLD on an Interface , on page 370
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
367
Information About UDLD
Related Topics
Enabling UDLD Globally , on page 369
Enabling UDLD on an Interface , on page 370
Related Topics
Enabling UDLD Globally , on page 369
Enabling UDLD on an Interface , on page 370
UDLD per-port enable state for fiber-optic media Disabled on all Ethernet fiber-optic ports
UDLD per-port enable state for twisted-pair (copper) Disabled on all Ethernet 10/100 and 1000BASE-TX
media ports
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
368
How to Configure UDLD
Related Topics
Enabling UDLD Globally , on page 369
Enabling UDLD on an Interface , on page 370
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
369
How to Configure UDLD
Example:
Switch(config)# end
Related Topics
Monitoring and Maintaing UDLD
Aggressive Mode, on page 367
Normal Mode, on page 366
Methods to Detect Unidirectional Links, on page 367
Event-Driven Detection and Echoing, on page 368
UDLD Reset Options, on page 368
Default UDLD Configuration, on page 368
Procedure
Example:
Switch# configure terminal
Step 2 interface interface-id Specifies the port to be enabled for UDLD, and enters
interface configuration mode.
Example:
Switch(config)# interface
gigabitethernet 1/0/1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
370
Monitoring and Maintaining UDLD
Example:
Switch(config-if)# end
Related Topics
Monitoring and Maintaing UDLD
Aggressive Mode, on page 367
Normal Mode, on page 366
Methods to Detect Unidirectional Links, on page 367
Event-Driven Detection and Echoing, on page 368
UDLD Reset Options, on page 368
Default UDLD Configuration, on page 368
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
371
Feature Information for UDLD
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
Standard/RFC Title
None —
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
372
Feature Information for UDLD
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
373
Feature Information for UDLD
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
374
PART V
Network Management
• Configuring Cisco IOS Configuration Engine, page 377
• Configuring the Cisco Discovery Protocol, page 399
• Configuring Simple Network Management Protocol, page 411
• Configuring SPAN and RSPAN, page 437
CHAPTER 22
Configuring Cisco IOS Configuration Engine
• Finding Feature Information, page 377
• Prerequisites for Configuring the Configuration Engine, page 377
• Restrictions for Configuring the Configuration Engine, page 378
• Information About Configuring the Configuration Engine, page 378
• How to Configure the Configuration Engine, page 384
• Monitoring CNS Configurations, page 395
• Additional References, page 396
• Feature History and Information for the Configuration Engine, page 397
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
377
Restrictions for Configuring the Configuration Engine
Related Topics
Cisco Networking Services IDs and Device Hostnames, on page 380
DeviceID, on page 381
Related Topics
Cisco Networking Services IDs and Device Hostnames, on page 380
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
378
Information About Configuring the Configuration Engine
In standalone mode, the Cisco Configuration Engine supports an embedded directory service. In this mode,
no external directory or other data store is required. In server mode, the Cisco Configuration Engine supports
the use of a user-defined external directory.
Configuration Service
The Configuration Service is the core component of the Cisco Configuration Engine. It consists of a
Configuration Server that works with Cisco IOS CNS agents on the switch. The Configuration Service delivers
device and service configurations to the switch for initial configuration and mass reconfiguration by logical
groups. Switches receive their initial configuration from the Configuration Service when they start up on the
network for the first time.
The Configuration Service uses the CNS Event Service to send and receive configuration change events and
to send success and failure notifications.
The Configuration Server is a web server that uses configuration templates and the device-specific configuration
information stored in the embedded (standalone mode) or remote (server mode) directory.
Configuration templates are text files containing static configuration information in the form of CLI commands.
In the templates, variables are specified by using Lightweight Directory Access Protocol (LDAP) URLs that
reference the device-specific configuration information stored in a directory.
The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show
the success or failure of the syntax check. The configuration agent can either apply configurations immediately
or delay the application until receipt of a synchronization event from the configuration server.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
379
Information About Configuring the Configuration Engine
Event Service
The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events.
The Event Service consists of an event agent and an event gateway. The event agent is on the switch and
facilitates the communication between the switch and the event gateway on the Cisco Configuration Engine.
The Event Service is a highly capable publish-and-subscribe communication method. The Event Service uses
subject-based addressing to send messages to their destinations. Subject-based addressing conventions define
a simple, uniform namespace for messages and their destinations.
Related Topics
Enabling the CNS Event Agent, on page 384
NameSpace Mapper
The Cisco Configuration Engine includes the NameSpace Mapper (NSM) that provides a lookup service for
managing logical groups of devices based on application, device or group ID, and event.
Cisco IOS devices recognize only event subject-names that match those configured in Cisco IOS software;
for example, cisco.cns.config.load. You can use the namespace mapping service to designate events by using
any desired naming convention. When you have populated your data store with your subject names, NSM
changes your event subject-name strings to those known by Cisco IOS.
For a subscriber, when given a unique device ID and event, the namespace mapping service returns a set of
events to which to subscribe. Similarly, for a publisher, when given a unique group ID, device ID, and event,
the mapping service returns a set of events on which to publish.
Related Topics
Prerequisites for Configuring the Configuration Engine, on page 377
Restrictions for Configuring the Configuration Engine, on page 378
ConfigID
Each configured switch has a unique ConfigID, which serves as the key into the Cisco Configuration Engine
directory for the corresponding set of switch CLI attributes. The ConfigID defined on the switch must match
the ConfigID for the corresponding switch definition on the Cisco Configuration Engine.
The ConfigID is fixed at startup time and cannot be changed until the device restarts, even if the switch
hostname is reconfigured.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
380
Information About Configuring the Configuration Engine
DeviceID
Each configured switch participating on the event bus has a unique DeviceID, which is analogous to the switch
source address so that the switch can be targeted as a specific destination on the bus.
The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID
variable and its usage reside within the event gateway adjacent to the switch.
The logical Cisco IOS termination point on the event bus is embedded in the event gateway, which in turn
functions as a proxy on behalf of the switch. The event gateway represents the switch and its corresponding
DeviceID to the event bus.
The switch declares its hostname to the event gateway immediately after the successful connection to the
event gateway. The event gateway couples the DeviceID value to the Cisco IOS hostname each time this
connection is established. The event gateway retains this DeviceID value for the duration of its connection to
the switch.
Related Topics
Prerequisites for Configuring the Configuration Engine, on page 377
Caution When using the Cisco Configuration Engine user interface, you must first set the DeviceID field to the
hostname value that the switch acquires after, not before, and you must reinitialize the configuration for
your Cisco IOS CNS agent. Otherwise, subsequent partial configuration command operations may
malfunction.
Related Topics
Refreshing DeviceIDs, on page 392
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
381
Information About Configuring the Configuration Engine
Related Topics
Enabling the Cisco IOS CNS Agent, on page 386
Initial Configuration
When the switch first comes up, it attempts to get an IP address by broadcasting a Dynamic Host Configuration
Protocol (DHCP) request on the network. Assuming there is no DHCP server on the subnet, the distribution
switch acts as a DHCP relay agent and forwards the request to the DHCP server. Upon receiving the request,
the DHCP server assigns an IP address to the new switch and includes the Trivial File Transfer Protocol
(TFTP) server Internet Protocol (IP) address, the path to the bootstrap configuration file, and the default
gateway IP address in a unicast reply to the DHCP relay agent. The DHCP relay agent forwards the reply to
the switch.
The switch automatically configures the assigned IP address on interface VLAN 1 (the default) and downloads
the bootstrap configuration file from the TFTP server. Upon successful download of the bootstrap configuration
file, the switch loads the file in its running configuration.
The Cisco IOS CNS agents initiate communication with the Configuration Engine by using the appropriate
ConfigID and EventID. The Configuration Engine maps the Config ID to a template and downloads the full
configuration file to the switch.
The following figure shows a sample network configuration for retrieving the initial bootstrap configuration
file by using DHCP-based autoconfiguration.
Related Topics
Enabling an Initial Configuration for Cisco IOS CNS Agent, on page 387
Monitoring CNS Configurations, on page 395
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
382
Information About Configuring the Configuration Engine
Related Topics
Enabling a Partial Configuration for Cisco IOS CNS Agent, on page 393
Monitoring CNS Configurations, on page 395
Synchronized Configuration
When the switch receives a configuration, it can defer application of the configuration upon receipt of a
write-signal event. The write-signal event tells the switch not to save the updated configuration into its
NVRAM. The switch uses the updated configuration as its running configuration. This ensures that the switch
configuration is synchronized with other network activities before saving the configuration in NVRAM for
use at the next reboot.
Distribution switch
• IP helper address
• Enable DHCP relay agent2
• IP routing (if used as default gateway)
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
383
How to Configure the Configuration Engine
TFTP server
• A bootstrap configuration file that includes the
CNS configuration commands that enable the
switch to communicate with the Configuration
Engine
• The switch configured to use either the switch
MAC address or the serial number (instead of
the default hostname) to generate the ConfigID
and EventID
• The CNS event agent configured to push the
configuration file to the switch
CNS Configuration Engine One or more templates for each type of device, with
the ConfigID of the device mapped to the template.
2 A DHCP Relay is needed only when the DHCP Server is on a different subnet from the client.
Note You must enable the CNS event agent on the switch before you enable the CNS configuration agent.
Follow these steps to enable the CNS event agent on the switch.
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
384
How to Configure the Configuration Engine
Example:
Switch# configure terminal
Step 3 cns event {hostname | ip-address} Enables the event agent, and enters the gateway parameters.
[port-number] [ [keepalive seconds
retry-count] [failover-time seconds • For {hostname | ip-address}, enter either the hostname
or the IP address of the event gateway.
] [reconnect-time time] | backup]
• (Optional) For port number, enter the port number for
Example: the event gateway. The default port number is 11011.
Switch(config)# cns event • (Optional) For keepalive seconds, enter how often the
10.180.1.27 keepalive 120 10 switch sends keepalive messages. For retry-count, enter
the number of unanswered keepalive messages that the
switch sends before the connection is terminated. The
default for each is 0.
• (Optional) For failover-time seconds, enter how long
the switch waits for the primary gateway route after the
route to the backup gateway is established.
• (Optional) For reconnect-time time, enter the maximum
time interval that the switch waits before trying to
reconnect to the event gateway.
• (Optional) Enter backup to show that this is the backup
gateway. (If omitted, this is the primary gateway.)
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
385
How to Configure the Configuration Engine
What to Do Next
To verify information about the event agent, use the show cns event connections command in privileged
EXEC mode.
To disable the CNS event agent, use the no cns event { ip-address | hostname } global configuration command.
Related Topics
Event Service, on page 380
Procedure
Example:
Switch# configure terminal
Step 3 cns config initial {hostname | Enables the Cisco IOS CNS agent, and enters the
ip-address} [port-number] configuration server parameters.
• For {hostname | ip-address}, enter either the
Example: hostname or the IP address of the configuration
Switch(config)# cns config initial server.
10.180.1.27 10
• (Optional) For port number, enter the port number
for the configuration server.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
386
How to Configure the Configuration Engine
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
What to Do Next
You can now use the Cisco Configuration Engine to remotely send incremental configurations to the switch.
Related Topics
Cisco IOS CNS Agents, on page 382
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
387
How to Configure the Configuration Engine
Procedure
Example:
Switch# configure terminal
Step 3 cns template connect name Enters CNS template connect configuration mode, and
specifies the name of the CNS connect template.
Example:
Switch(config)# cns template
connect template-dhcp
Step 4 cli config-text Enters a command line for the CNS connect template. Repeat
this step for each command line in the template.
Example:
Switch(config-tmpl-conn)# cli
ip address dhcp
Example:
Switch(config)# exit
Step 7 cns connect name [retries number] Enters CNS connect configuration mode, specifies the name
[retry-interval seconds] [sleep of the CNS connect profile, and defines the profile parameters.
seconds] [timeout seconds] The switch uses the CNS connect profile to connect to the
Configuration Engine.
Example: • Enter the name of the CNS connect profile.
Switch(config)# cns connect
dhcp • (Optional) For retries number, enter the number of
connection retries. The range is 1 to 30. The default is 3.
• (Optional) For retry-interval seconds, enter the interval
between successive connection attempts to the
Configuration Engine. The range is 1 to 40 seconds. The
default is 10 seconds.
• (Optional) For sleep seconds, enter the amount of time
before which the first connection attempt occurs. The
range is 0 to 250 seconds. The default is 0.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
388
How to Configure the Configuration Engine
Step 8 discover {controller Specifies the interface parameters in the CNS connect profile.
controller-type | dlci [subinterface
subinterface-number] | interface • For controller controller-type, enter the controller type.
[interface-type] | line line-type} • For dlci, enter the active data-link connection identifiers
(DLCIs).
Example: (Optional) For subinterface subinterface-number,
Switch(config-cns-conn)# specify the point-to-point subinterface number that is
discover interface used to search for active DLCIs.
gigabitethernet
• For interface [interface-type], enter the type of interface.
• For line line-type, enter the line type.
Step 9 template name [... name] Specifies the list of CNS connect templates in the CNS connect
profile to be applied to the switch configuration. You can
Example: specify more than one template.
Switch(config-cns-conn)#
template template-dhcp
Example:
Switch(config-cns-conn)# exit
Example:
Switch(config)# hostname
device1
Step 14 cns id interface num {dns-reverse (Optional) Sets the unique EventID or ConfigID used by the
| ipaddress | mac-address} [event] Configuration Engine. If you enter this command, do not enter
[image] the cns id {hardware-serial | hostname | string string | udi}
[event] [image] command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
389
How to Configure the Configuration Engine
Step 16 cns config initial {hostname | Enables the Cisco IOS agent, and initiates an initial
ip-address} [port-number] [event] configuration.
[no-persist] [page page] [source
ip-address] [syntax-check] • For {hostname | ip-address}, enter the hostname or the
IP address of the configuration server.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
390
How to Configure the Configuration Engine
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 19 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
What to Do Next
To verify information about the configuration agent, use the show cns config connections command in
privileged EXEC mode.
To disable the CNS Cisco IOS agent, use the no cns config initial { ip-address | hostname } global configuration
command.
Related Topics
Initial Configuration, on page 382
Monitoring CNS Configurations, on page 395
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
391
How to Configure the Configuration Engine
Refreshing DeviceIDs
Follow these steps to refresh a DeviceID when changing the hostname on the switch.
Procedure
Step 2 show cns config connections Displays whether the CNS event agent is
connecting to the gateway, connected, or active,
Example: and the gateway used by the event agent, its IP
address and port number.
Switch# show cns config connections
Step 3 Make sure that the CNS event agent is Examine the output of show cns config
properly connected to the event gateway. connections for the following:
• Connection is active.
• Connection is using the currently configured
switch hostname. The DeviceID will be
refreshed to correspond to the new
hostname configuration using these
instructions.
Step 4 show cns event connections Displays the event connection information for
your switch.
Example:
Switch# show cns event connections
Example:
Switch# configure terminal
Step 7 no cns event ip-address port-number Specifies the IP address and port number that you
recorded in Step 5 in this command.
Example: This command breaks the connection between
Switch(config)# no cns event
172.28.129.22 2012
the switch and the event gateway. It is necessary
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
392
How to Configure the Configuration Engine
Step 8 cns event ip-address port-number Specifies the IP address and port number that you
recorded in Step 5 in this command.
Example: This command reestablishes the connection
Switch(config)# cns event 172.28.129.22
2012
between the switch and the event gateway.
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 12 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Related Topics
Hostname and DeviceID, on page 381
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
393
How to Configure the Configuration Engine
Procedure
Example:
Switch# configure terminal
Step 3 cns config partial {ip-address | Enables the configuration agent, and initiates a partial
hostname} [port-number] [source configuration.
ip-address]
• For {ip-address | hostname}, enter the IP address
or the hostname of the configuration server.
Example:
• (Optional) For port-number, enter the port
Switch(config)# cns config partial
172.28.129.22 2013
number of the configuration server. The default
port number is 80.
• (Optional) Enter source ip-address to use for
the source IP address.
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
394
Monitoring CNS Configurations
What to Do Next
To verify information about the configuration agent, use either the show cns config stats or the show cns
config outstanding command in privileged EXEC mode.
To disable the Cisco IOS agent, use the no cns config partial { ip-address | hostname } global configuration
command. To cancel a partial configuration, use the cns config cancel global configuration command.
Related Topics
Incremental (Partial) Configuration, on page 383
Monitoring CNS Configurations, on page 395
Command Purpose
show cns config connections Displays the status of the CNS Cisco IOS CNS agent
connections.
Switch# show cns config connections
show cns config outstanding Displays information about incremental (partial) CNS
configurations that have started but are not yet
Switch# show cns config outstanding completed.
show cns config stats Displays statistics about the Cisco IOS CNS agent.
show cns event connections Displays the status of the CNS event agent
connections.
Switch# show cns event connections
show cns event gateway Displays the event gateway information for your
switch.
Switch# show cns event gateway
show cns event stats Displays statistics about the CNS event agent.
show cns event subject Displays a list of event agent subjects that are
subscribed to by applications.
Switch# show cns event subject
Related Topics
Enabling a Partial Configuration for Cisco IOS CNS Agent, on page 393
Incremental (Partial) Configuration, on page 383
Enabling an Initial Configuration for Cisco IOS CNS Agent, on page 387
Initial Configuration, on page 382
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
395
Additional References
Additional References
Related Documents
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
Standard/RFC Title
None -
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
396
Feature History and Information for the Configuration Engine
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
397
Feature History and Information for the Configuration Engine
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
398
CHAPTER 23
Configuring the Cisco Discovery Protocol
• Finding Feature Information, page 399
• Information About CDP, page 399
• How to Configure CDP, page 400
• Monitoring and Maintaining CDP, page 408
• Additional References, page 409
• Feature History and Information for Cisco Discovery Protocol, page 410
CDP Overview
CDP is a device discovery protocol that runs over Layer 2 (the data-link layer) on all Cisco-manufactured
devices (routers, bridges, access servers, controllers, and switches) and allows network management applications
to discover Cisco devices that are neighbors of already known devices. With CDP, network management
applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address
of neighboring devices running lower-layer, transparent protocols. This feature enables applications to send
SNMP queries to neighboring devices.
CDP runs on all media that support Subnetwork Access Protocol (SNAP). Because CDP runs over the data-link
layer only, two systems that support different network-layer protocols can learn about each other.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
399
How to Configure CDP
Each CDP-configured device sends periodic messages to a multicast address, advertising at least one address
at which it can receive SNMP messages. The advertisements also contain time-to-live, or holdtime information,
which is the length of time a receiving device holds CDP information before discarding it. Each device also
listens to the messages sent by other devices to learn about neighboring devices.
On the switch, CDP enables Network Assistant to display a graphical view of the network. The switch uses
CDP to find cluster candidates and maintain information about cluster members and other devices up to three
cluster-enabled devices away from the command switch by default.
Related Topics
Configuring CDP Characteristics, on page 400
Monitoring and Maintaining CDP, on page 408
Related Topics
Enabling CDP, on page 403
Disabling CDP, on page 402
Enabling CDP on an Interface, on page 406
Disabling CDP on an Interface, on page 405
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
400
How to Configure CDP
Note Steps 3 through 5 are all optional and can be performed in any order.
Procedure
Example:
Switch# configure terminal
Step 3 cdp timer seconds (Optional) Sets the transmission frequency of CDP
updates in seconds.
Example: The range is 5 to 254; the default is 60 seconds.
Switch(config)# cdp timer 20
Step 4 cdp holdtime seconds (Optional) Specifies the amount of time a receiving
device should hold the information sent by your
Example: device before discarding it.
Switch(config)# cdp holdtime 60 The range is 10 to 255 seconds; the default is 180
seconds.
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
401
How to Configure CDP
Example:
Switch# show running-config
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
What to Do Next
Use the no form of the CDP commands to return to the default settings.
Related Topics
CDP Overview, on page 399
Monitoring and Maintaining CDP, on page 408
Disabling CDP
CDP is enabled by default.
Note Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages.
Disabling CDP can interrupt cluster discovery and device connectivity.
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
402
How to Configure CDP
Example:
Switch# configure terminal
Example:
Switch(config)# no cdp run
Example:
Switch(config)# end
Example:
Switch# show running-config
What to Do Next
You must reenable CDP to use it.
Related Topics
Enabling CDP, on page 403
Default CDP Configuration, on page 400
Enabling CDP
CDP is enabled by default.
Note Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages.
Disabling CDP can interrupt cluster discovery and device connectivity.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
403
How to Configure CDP
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# cdp run
Example:
Switch(config)# end
Example:
Switch# show running-config
What to Do Next
Use the show run all command to show that CDP has been enabled. If you enter only show run, the enabling
of CDP may not be displayed.
Related Topics
Default CDP Configuration, on page 400
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
404
How to Configure CDP
Note Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages.
Disabling CDP can interrupt cluster discovery and device connectivity.
Note CDP bypass is not supported and may cause a port go into err-disabled state.
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
405
How to Configure CDP
Example:
Switch# show running-config
Related Topics
Enabling CDP on an Interface, on page 406
Default CDP Configuration, on page 400
Note Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages.
Disabling CDP can interrupt cluster discovery and device connectivity.
Note CDP bypass is not supported and may cause a port go into err-disabled state.
Follow these steps to enable CDP on a port on which it has been disabled.
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
406
How to Configure CDP
Example:
Switch# configure terminal
Example:
Switch(config-if)# cdp enable
Example:
Switch(config)# end
Example:
Switch# show running-config
Related Topics
Default CDP Configuration, on page 400
Disabling CDP on an Interface, on page 405
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
407
Monitoring and Maintaining CDP
Command Description
clear cdp counters Resets the traffic counters to zero.
clear cdp table Deletes the CDP table of information about neighbors.
show cdp entry entry-name [version] Displays information about a specific neighbor.
[protocol] You can enter an asterisk (*) to display all CDP neighbors, or
you can enter the name of the neighbor about which you want
information.
You can also limit the display to information about the protocols
enabled on the specified neighbor or information about the version
of software running on the device.
show cdp interface [interface-id] Displays information about interfaces where CDP is enabled.
You can limit the display to the interface about which you want
information.
show cdp neighbors [interface-id] Displays information about neighbors, including device type,
[detail] interface type and number, holdtime settings, capabilities,
platform, and port ID.
You can limit the display to neighbors of a specific interface or
expand the display to provide more detailed information.
show cdp traffic Displays CDP counters, including the number of packets sent
and received and checksum errors.
Related Topics
Configuring CDP Characteristics, on page 400
CDP Overview, on page 399
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
408
Additional References
Additional References
Related Documents
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
Standard/RFC Title
None -
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
409
Feature History and Information for Cisco Discovery Protocol
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
410
CHAPTER 24
Configuring Simple Network Management
Protocol
• Finding Feature Information, page 411
• Prerequisites for SNMP, page 411
• Restrictions for SNMP, page 414
• Information About SNMP, page 414
• How to Configure SNMP, page 418
• Monitoring SNMP Status, page 432
• SNMP Examples, page 433
• Additional References, page 434
• Feature History and Information for Simple Network Management Protocol, page 435
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
411
Prerequisites for SNMP
• SNMPv2C replaces the Party-based Administrative and Security Framework of SNMPv2Classic with
the community-string-based Administrative Framework of SNMPv2C while retaining the bulk retrieval
and improved error handling of SNMPv2Classic. It has these features:
◦SNMPv2—Version 2 of the Simple Network Management Protocol, a Draft Internet Standard,
defined in RFCs 1902 through 1907.
◦SNMPv2C—The community-string-based Administrative Framework for SNMPv2, an Experimental
Internet Protocol defined in RFC 1901.
Both SNMPv1 and SNMPv2C use a community-based form of security. The community of managers able to
access the agent’s MIB is defined by an IP address access control list and password.
SNMPv2C includes a bulk retrieval function and more detailed error message reporting to management
stations. The bulk retrieval function retrieves tables and large quantities of information, minimizing the number
of round-trips required. The SNMPv2C improved error-handling includes expanded error codes that distinguish
different kinds of error conditions; these conditions are reported through a single error code in SNMPv1. Error
return codes in SNMPv2C report the error type.
SNMPv3 provides for both security models and security levels. A security model is an authentication strategy
set up for a user and the group within which the user resides. A security level is the permitted level of security
within a security model. A combination of the security level and the security model determine which security
method is used when handling an SNMP packet. Available security models are SNMPv1, SNMPv2C, and
SNMPv3.
The following table identifies characteristics and compares different combinations of security models and
levels:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
412
Prerequisites for SNMP
You must configure the SNMP agent to use the SNMP version supported by the management station. Because
an agent can communicate with multiple managers, you can configure the software to support communications
using SNMPv1, SNMPv2C, or SNMPv3.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
413
Restrictions for SNMP
SNMP Overview
SNMP is an application-layer protocol that provides a message format for communication between managers
and agents. The SNMP system consists of an SNMP manager, an SNMP agent, and a management information
base (MIB). The SNMP manager can be part of a network management system (NMS) such as Cisco Prime
Infrastructure. The agent and MIB reside on the switch. To configure SNMP on the switch, you define the
relationship between the manager and the agent.
The SNMP agent contains MIB variables whose values the SNMP manager can request or change. A manager
can get a value from an agent or store a value into the agent. The agent gathers data from the MIB, the repository
for information about device parameters and network data. The agent can also respond to a manager's requests
to get or set data.
An agent can send unsolicited traps to the manager. Traps are messages alerting the SNMP manager to a
condition on the network. Traps can mean improper user authentication, restarts, link status (up or down),
MAC address tracking, closing of a TCP connection, loss of connection to a neighbor, or other significant
events.
Operation Description
get-request Retrieves a value from a specific variable.
get-next-request Retrieves a value from a variable within a table.3
get-bulk-request4 Retrieves large blocks of data, such as multiple rows in a table, that would otherwise
require the transmission of many small blocks of data.
get-response Replies to a get-request, get-next-request, and set-request sent by an NMS.
set-request Stores a value in a specific variable.
trap An unsolicited message sent by an SNMP agent to an SNMP manager when some event
has occurred.
3 With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from
within a table.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
414
Information About SNMP
The SNMP agent also sends unsolicited trap messages to notify an NMS that a significant event has occurred
on the agent. Examples of trap conditions include, but are not limited to, when a port or module goes up or
down, when spanning-tree topology changes occur, and when authentication failures occur.
Related Topics
Disabling the SNMP Agent, on page 418
Monitoring SNMP Status, on page 432
Setting the Agent Contact and Location Information, on page 429
Related Topics
Configuring Community Strings, on page 419
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
415
Information About SNMP
As shown in the figure, the SNMP agent gathers data from the MIB. The agent can send traps, or notification
of certain events, to the SNMP manager, which receives and processes the traps. Traps alert the SNMP manager
to a condition on the network such as improper user authentication, restarts, link status (up or down), MAC
address tracking, and so forth. The SNMP agent also responds to MIB-related queries sent by the SNMP
manager in get-request, get-next-request, and set-request format.
SNMP Notifications
SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP
notifications can be sent as traps or inform requests. In command syntax, unless there is an option in the
command to select either traps or informs, the keyword traps refers to either traps or informs, or both. Use
the snmp-server host command to specify whether to send SNMP notifications as traps or informs.
Traps are unreliable because the receiver does not send an acknowledgment when it receives a trap, and the
sender cannot determine if the trap was received. When an SNMP manager receives an inform request, it
acknowledges the message with an SNMP response protocol data unit (PDU). If the sender does not receive
a response, the inform request can be sent again. Because they can be resent, informs are more likely than
traps to reach their intended destination.
The characteristics that make informs more reliable than traps also consume more resources in the switch and
in the network. Unlike a trap, which is discarded as soon as it is sent, an inform request is held in memory
until a response is received or the request times out. Traps are sent only once, but an inform might be resent
or retried several times. The retries increase traffic and contribute to a higher overhead on the network.
Therefore, traps and informs require a trade-off between reliability and resources. If it is important that the
SNMP manager receive every notification, use inform requests. If traffic on the network or memory in the
switch is a concern and notification is not required, use traps.
Related Topics
Configuring SNMP Notifications, on page 424
Monitoring SNMP Status, on page 432
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
416
Information About SNMP
7
This is the default when the switch starts and the startup configuration does not have any snmp-server global configuration commands.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
417
How to Configure SNMP
• To configure a remote user, specify the IP address or port number for the remote SNMP agent of the
device where the user resides.
• Before you configure remote users for a particular agent, configure the SNMP engine ID, using the
snmp-server engineID global configuration command with the remote option. The remote agent's
SNMP engine ID and user password are used to compute the authentication and privacy digests. If you
do not configure the remote engine ID first, the configuration command fails.
• When configuring SNMP informs, you need to configure the SNMP engine ID for the remote agent in
the SNMP database before you can send proxy requests or informs to it.
• If a local user is not associated with a remote host, the switch does not send informs for the auth
(authNoPriv) and the priv (authPriv) authentication levels.
• Changing the value of the SNMP engine ID has significant results. A user's password (entered on the
command line) is converted to an MD5 or SHA security digest based on the password and the local
engine ID. The command-line password is then destroyed, as required by RFC 2274. Because of this
deletion, if the value of the engine ID changes, the security digests of SNMPv3 users become invalid,
and you need to reconfigure SNMP users by using the snmp-server user username global configuration
command. Similar restrictions require the reconfiguration of community strings when the engine ID
changes.
Related Topics
Configuring SNMP Groups and Users, on page 422
Monitoring SNMP Status, on page 432
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
418
How to Configure SNMP
Example:
Switch# configure terminal
Example:
Switch(config)# no snmp-server
Example:
Switch(config)# end
Example:
Switch# show running-config
Related Topics
SNMP Agent Functions, on page 415
Monitoring SNMP Status, on page 432
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
419
How to Configure SNMP
Procedure
Example:
Switch# configure terminal
Step 4 access-list access-list-number (Optional) If you specified an IP standard access list number in
{deny | permit} source Step 3, then create the list, repeating the command as many times
[source-wildcard] as necessary.
• For access-list-number, enter the access list number
Example: specified in Step 3.
Switch(config)# access-list
4 deny any • The deny keyword denies access if the conditions are
matched. The permit keyword permits access if the
conditions are matched.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
420
How to Configure SNMP
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 7 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
What to Do Next
To disable access for an SNMP community, set the community string for that community to the null string
(do not enter a value for the community string).
To remove a specific community string, use the no snmp-server community string global configuration
command.
You can specify an identification name (engine ID) for the local or remote SNMP server engine on the switch.
You can configure an SNMP server group that maps SNMP users to SNMP views, and you can add new users
to the SNMP group.
Related Topics
SNMP Community Strings, on page 415
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
421
How to Configure SNMP
Procedure
Example:
Switch> enable
Example:
Switch# configure terminal
Step 3 snmp-server engineID {local Configures a name for either the local or remote copy of SNMP.
engineid-string | remote
ip-address [udp-port • The engineid-string is a 24-character ID string with the name
of the copy of SNMP. You need not specify the entire
port-number] engineid-string}
24-character engine ID if it has trailing zeros. Specify only
the portion of the engine ID up to the point where only zeros
Example: remain in the value. The Step Example configures an engine
Switch(config)# snmp-server ID of 123400000000000000000000.
engineID local 1234
• If you select remote, specify the ip-address of the device
that contains the remote copy of SNMP and the optional User
Datagram Protocol (UDP) port on the remote device. The
default is 162.
Step 4 snmp-server group group-name Configures a new SNMP group on the remote device.
{v1 | v2c | v3 {auth | noauth | For group-name, specify the name of the group.
priv}} [read readview] [write
writeview] [notify notifyview] Specify one of the following security models:
[access access-list] • v1 is the least secure of the possible security models.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
422
How to Configure SNMP
Step 5 snmp-server user username Adds a new user for an SNMP group.
group-name {remote host [ The username is the name of the user on the host that connects to
udp-port port]} {v1 [access the agent.
access-list] | v2c [access
access-list] | v3 [encrypted] The group-name is the name of the group to which the user is
[access access-list] [auth {md5 associated.
| sha} auth-password] } [priv Enter remote to specify a remote SNMP entity to which the user
{des | 3des | aes {128 | 192 | belongs and the hostname or IP address of that entity with the
256}} priv-password] optional UDP port number. The default is 162.
Enter the SNMP version number (v1, v2c, or v3). If you enter v3,
Example: you have these additional options:
Switch(config)# snmp-server
user Pat public v2c • encrypted specifies that the password appears in encrypted
format. This keyword is available only when the v3 keyword
is specified.
• auth is an authentication level setting session that can be
either the HMAC-MD5-96 (md5) or the HMAC-SHA-96
(sha) authentication level and requires a password string
auth-password (not to exceed 64 characters).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
423
How to Configure SNMP
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 8 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Related Topics
SNMP Configuration Guidelines, on page 417
Monitoring SNMP Status, on page 432
Note Many commands use the word traps in the command syntax. Unless there is an option in the command
to select either traps or informs, the keyword traps refers to traps, informs, or both. Use the snmp-server
host global configuration command to specify whether to send SNMP notifications as traps or informs.
You can use the snmp-server host global configuration command for a specific host to receive the notification
types listed in the following table. You can enable any or all of these traps and configure a trap manager to
receive them.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
424
How to Configure SNMP
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
425
How to Configure SNMP
rtr Generates a trap for the SNMP Response Time Reporter (RTR).
snmp Generates a trap for SNMP-type notifications for authentication,
cold start, warm start, link up or link down.
storm-control Generates a trap for SNMP storm-control. You can also set a
maximum trap rate per minute. The range is from 0 to 1000; the
default is 0 (no limit is imposed; a trap is sent at every occurrence).
stpx Generates SNMP STP Extended MIB traps.
syslog Generates SNMP syslog traps.
tty Generates a trap for TCP connections. This trap is enabled by default.
vlan-membership Generates a trap for SNMP VLAN membership changes.
vlancreate Generates SNMP VLAN created traps.
vlandelete Generates SNMP VLAN deleted traps.
vtp Generates a trap for VLAN Trunking Protocol (VTP) changes.
Follow these steps to configure the switch to send traps or informs to a host.
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
426
How to Configure SNMP
Example:
Switch(config)# snmp-server
engineID remote 192.180.1.27
00000063000100a1c0b4011b
Step 4 snmp-server user username group-name Configures an SNMP user to be associated with the
{remote host [ udp-port port]} {v1 remote host created in Step 3.
[access access-list] | v2c [access Note You cannot configure a remote user for an
access-list] | v3 [encrypted] [access address without first configuring the engine ID
access-list] [auth {md5 | sha} for the remote host. Otherwise, you receive an
auth-password] } error message, and the command is not
executed.
Example:
Switch(config)# snmp-server user
Pat public v2c
Example:
Switch(config)# snmp-server group
public v2c access lmnop
Step 6 snmp-server host host-addr [informs | Specifies the recipient of an SNMP trap operation.
traps] [version {1 | 2c | 3 {auth | noauth For host-addr, specify the name or Internet address of
| priv}}] community-string the host (the targeted recipient).
[notification-type]
(Optional) Specify traps (the default) to send SNMP
Example:
traps to the host.
Switch(config)# snmp-server host (Optional) Specify informs to send SNMP informs to
203.0.113.1 comaccess snmp
the host.
(Optional) Specify the SNMP version (1, 2c, or 3).
SNMPv1 does not support informs.
(Optional) For Version 3, select authentication level
auth, noauth, or priv.
Note The priv keyword is available only when the
cryptographic software image is installed.
For community-string, when version 1 or version 2c is
specified, enter the password-like community string sent
with the notification operation. When version 3 is
specified, enter the SNMPv3 username.
The @ symbol is used for delimiting the context
information. Avoid using the @ symbol as part of the
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
427
How to Configure SNMP
Step 7 snmp-server enable traps Enables the switch to send traps or informs and specifies
notification-types the type of notifications to be sent. For a list of
notification types, see the table above, or enter
Example: snmp-server enable traps ?
Switch(config)# snmp-server enable
traps snmp To enable multiple types of traps, you must enter a
separate snmp-server enable traps command for each
trap type.
Note When you configure a trap by using the
notification type port-security, configure the
port security trap first, and then configure the
port security trap rate:
1 snmp-server enable traps port-security
2 snmp-server enable traps port-security
trap-rate rate
Step 8 snmp-server trap-source interface-id (Optional) Specifies the source interface, which provides
the IP address for the trap message. This command also
Example: sets the source IP address for informs.
Switch(config)# snmp-server
trap-source GigabitEthernet1/0/1
Step 9 snmp-server queue-length length (Optional) Establishes the message queue length for each
trap host. The range is 1 to 1000; the default is 10.
Example:
Switch(config)# snmp-server
queue-length 20
Step 10 snmp-server trap-timeout seconds (Optional) Defines how often to resend trap messages.
The range is 1 to 1000; the default is 30 seconds.
Example:
Switch(config)# snmp-server
trap-timeout 60
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
428
How to Configure SNMP
Example:
Switch# show running-config
Step 13 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
What to Do Next
The snmp-server host command specifies which hosts receive the notifications. The snmp-server enable
traps command globally enables the method for the specified notification (for traps and informs). To enable
a host to receive an inform, you must configure an snmp-server host informs command for the host and
globally enable informs by using the snmp-server enable traps command.
To remove the specified host from receiving traps, use the no snmp-server host host global configuration
command. The no snmp-server host command with no keywords disables traps, but not informs, to the host.
To disable informs, use the no snmp-server host informs global configuration command. To disable a specific
trap type, use the no snmp-server enable traps notification-types global configuration command.
Related Topics
SNMP Notifications, on page 416
Monitoring SNMP Status, on page 432
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
429
How to Configure SNMP
Example:
Switch# configure terminal
Example:
Switch(config)# snmp-server contact Dial
System Operator at beeper 21555
Example:
Switch(config)# snmp-server location
Building 3/Room 222
Example:
Switch(config)# end
Example:
Switch# show running-config
Related Topics
SNMP Agent Functions, on page 415
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
430
How to Configure SNMP
Procedure
Example:
Switch# configure terminal
Step 3 snmp-server tftp-server-list Limits the TFTP servers used for configuration file copies
access-list-number through SNMP to the servers in the access list.
For access-list-number, enter an IP standard access list
Example: numbered from 1 to 99 and 1300 to 1999.
Switch(config)# snmp-server
tftp-server-list 44
Step 4 access-list access-list-number {deny | Creates a standard access list, repeating the command as
permit} source [source-wildcard] many times as necessary.
For access-list-number, enter the access list number
Example: specified in Step 3.
Switch(config)# access-list 44
permit 10.1.1.2 The deny keyword denies access if the conditions are
matched. The permit keyword permits access if the
conditions are matched.
For source, enter the IP address of the TFTP servers that
can access the switch.
(Optional) For source-wildcard, enter the wildcard bits,
in dotted decimal notation, to be applied to the source.
Place ones in the bit positions that you want to ignore.
The access list is always terminated by an implicit deny
statement for everything.
Example:
Switch(config)# end
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
431
Monitoring SNMP Status
Example:
Switch# copy running-config
startup-config
Command Purpose
show snmp Displays SNMP statistics.
show snmp group Displays information on each SNMP group on the network.
show snmp user Displays information on each SNMP user name in the SNMP
users table.
Note You must use this command to display SNMPv3
configuration information for auth | noauth | priv mode.
This information is not displayed in the show
running-config output.
Related Topics
Disabling the SNMP Agent, on page 418
SNMP Agent Functions, on page 415
Configuring SNMP Groups and Users, on page 422
SNMP Configuration Guidelines, on page 417
Configuring SNMP Notifications, on page 424
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
432
SNMP Examples
SNMP Examples
This example shows how to enable all versions of SNMP. The configuration permits any SNMP manager to
access all objects with read-only permissions using the community string public. This configuration does not
cause the switch to send any traps.
Switch(config)# snmp-server community public
This example shows how to permit any SNMP manager to access all objects with read-only permission using
the community string public. The switch also sends VTP traps to the hosts 192.180.1.111 and 192.180.1.33
using SNMPv1 and to the host 192.180.1.27 using SNMPv2C. The community string public is sent with the
traps.
Switch(config)# snmp-server community public
Switch(config)# snmp-server enable traps vtp
Switch(config)# snmp-server host 192.180.1.27 version 2c public
Switch(config)# snmp-server host 192.180.1.111 version 1 public
Switch(config)# snmp-server host 192.180.1.33 public
This example shows how to allow read-only access for all objects to members of access list 4 that use the
comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication
Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.
Switch(config)# snmp-server community comaccess ro 4
Switch(config)# snmp-server enable traps snmp authentication
Switch(config)# snmp-server host cisco.com version 2c public
This example shows how to send Entity MIB traps to the host cisco.com. The community string is restricted.
The first line enables the switch to send Entity MIB traps in addition to any traps previously enabled. The
second line specifies the destination of these traps and overwrites any previous snmp-server host commands
for the host cisco.com.
Switch(config)# snmp-server enable traps entity
Switch(config)# snmp-server host cisco.com restricted entity
This example shows how to enable the switch to send all traps to the host myhost.cisco.com using the community
string public:
Switch(config)# snmp-server enable traps
Switch(config)# snmp-server host myhost.cisco.com public
This example shows how to associate a user with a remote host and to send auth (authNoPriv)
authentication-level informs when the user enters global configuration mode:
Switch(config)# snmp-server engineID remote 192.180.1.27 00000063000100a1c0b4011b
Switch(config)# snmp-server group authgroup v3 auth
Switch(config)# snmp-server user authuser authgroup remote 192.180.1.27 v3 auth md5 mypassword
Switch(config)# snmp-server user authuser authgroup v3 auth md5 mypassword
Switch(config)# snmp-server host 192.180.1.27 informs version 3 auth authuser config
Switch(config)# snmp-server enable traps
Switch(config)# snmp-server inform retries 0
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
433
Additional References
Additional References
Related Documents
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
Standard/RFC Title
None -
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
434
Feature History and Information for Simple Network Management Protocol
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
435
Feature History and Information for Simple Network Management Protocol
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
436
CHAPTER 25
Configuring SPAN and RSPAN
• Finding Feature Information, page 437
• Prerequisites for SPAN and RSPAN, page 437
• Restrictions for SPAN and RSPAN, page 438
• Information About SPAN and RSPAN, page 439
• How to Configure SPAN and RSPAN, page 450
• Monitoring SPAN and RSPAN Operations, page 466
• SPAN and RSPAN Configuration Examples, page 466
• Additional References, page 468
• Feature History and Information for SPAN and RSPAN, page 469
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
437
Restrictions for SPAN and RSPAN
RSPAN
• We recommend that you configure an RSPAN VLAN before you configure an RSPAN source or a
destination session.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
438
Information About SPAN and RSPAN
• SPAN sessions do not interfere with the normal operation of the switch. However, an oversubscribed
SPAN destination, for example, a 10-Mb/s port monitoring a 100-Mb/s port, can result in dropped or
lost packets.
• When SPAN or RSPAN is enabled, each packet being monitored is sent twice, once as normal traffic
and once as a monitored packet. Monitoring a large number of ports or VLANs could potentially generate
large amounts of network traffic.
• You can configure SPAN sessions on disabled ports; however, a SPAN session does not become active
unless you enable the destination port and at least one source port or VLAN for that session.
• The switch does not support a combination of local SPAN and RSPAN in a single session.
◦An RSPAN source session cannot have a local destination port.
◦An RSPAN destination session cannot have a local source port.
◦An RSPAN destination session and an RSPAN source session that are using the same RSPAN
VLAN cannot run on the same switch or switch stack.
RSPAN
The restrictions for RSPAN are as follows:
• RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols.
• The RSPAN VLAN is configured only on trunk ports and not on access ports. To avoid unwanted traffic
in RSPAN VLANs, make sure that the VLAN remote-span feature is supported in all the participating
switches.
• RSPAN VLANs are included as sources for port-based RSPAN sessions when source trunk ports have
active RSPAN VLANs. RSPAN VLANs can also be sources in SPAN sessions. However, since the
switch does not monitor spanned traffic, it does not support egress spanning of packets on any RSPAN
VLAN identified as the destination of an RSPAN source session on the switch.
• If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted
flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005.
• To use RSPAN, the switch must be running the LAN Base image.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
439
Information About SPAN and RSPAN
being monitored, traffic that gets routed from another VLAN to the source VLAN cannot be monitored;
however, traffic that is received on the source VLAN and routed to another VLAN can be monitored.
You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For example,
if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port, the IDS device
can send TCP reset packets to close down the TCP session of a suspected attacker.
Local SPAN
Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and
destination ports are in the same switch or switch stack. Local SPAN copies traffic from one or more source
ports in any VLAN or from one or more VLANs to a destination port for analysis.
All traffic on port 5 (the source port) is mirrored to port 10 (the destination port). A network analyzer on port
10 receives all network traffic from port 5 without being physically attached to port 5.
Figure 45: Example of Local SPAN Configuration on a Single Device
This is an example of a local SPAN in a switch stack, where the source and destination ports reside on different
stack members.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
440
Information About SPAN and RSPAN
Related Topics
Creating a Local SPAN Session, on page 450
Creating a Local SPAN Session and Configuring Incoming Traffic, on page 452
Example: Configuring Local SPAN, on page 466
Remote SPAN
RSPAN supports source ports, source VLANs, and destination ports on different switches (or different switch
stacks), enabling remote monitoring of multiple switches across your network.
The figure below shows source ports on Switch A and Switch B. The traffic for each RSPAN session is carried
over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches.
The RSPAN traffic from the source ports or VLANs is copied into the RSPAN VLAN and forwarded over
trunk ports carrying the RSPAN VLAN to a destination session monitoring the RSPAN VLAN. Each RSPAN
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
441
Information About SPAN and RSPAN
source switch must have either ports or VLANs as RSPAN sources. The destination is always a physical port,
as shown on Switch C in the figure.
Figure 47: Example of RSPAN Configuration
Related Topics
Creating an RSPAN Source Session, on page 458
Creating an RSPAN Destination Session, on page 461
Creating an RSPAN Destination Session and Configuring Incoming Traffic, on page 464
Examples: Creating an RSPAN VLAN, on page 467
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
442
Information About SPAN and RSPAN
SPAN Sessions
SPAN sessions (local or remote) allow you to monitor traffic on one or more ports, or one or more VLANs,
and send the monitored traffic to one or more destination ports.
A local SPAN session is an association of a destination port with source ports or source VLANs, all on a
single network device. Local SPAN does not have separate source and destination sessions. Local SPAN
sessions gather a set of ingress and egress packets specified by the user and form them into a stream of SPAN
data, which is directed to the destination port.
RSPAN consists of at least one RSPAN source session, an RSPAN VLAN, and at least one RSPAN destination
session. You separately configure RSPAN source sessions and RSPAN destination sessions on different
network devices. To configure an RSPAN source session on a device, you associate a set of source ports or
source VLANs with an RSPAN VLAN. The output of this session is the stream of SPAN packets that are
sent to the RSPAN VLAN. To configure an RSPAN destination session on another device, you associate the
destination port with the RSPAN VLAN. The destination session collects all RSPAN VLAN traffic and sends
it out the RSPAN destination port.
An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is
directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed
over normal trunk ports to the destination switch.
An RSPAN destination session takes all packets received on the RSPAN VLAN, strips off the VLAN tagging,
and presents them on the destination port. The session presents a copy of all RSPAN VLAN packets (except
Layer 2 control packets) to the user for analysis.
More than one source session and more than one destination session can be active in the same RSPAN VLAN.
Intermediate switches also can separate the RSPAN source and destination sessions. These switches are unable
to run RSPAN, but they must respond to the requirements of the RSPAN VLAN.
Traffic monitoring in a SPAN session has these restrictions:
• Sources can be ports or VLANs, but you cannot mix source ports and source VLANs in the same session.
• You can run both a local SPAN and an RSPAN source session in the same switch or switch stack. The
switch or switch stack supports a total of 66 source and RSPAN destination sessions.
• You can configure two separate SPAN or RSPAN source sessions with separate or overlapping sets of
SPAN source ports and VLANs. Both switched and routed ports can be configured as SPAN sources
and destinations.
• You can have multiple destination ports in a SPAN session, but no more than 64 destination ports per
switch stack.
• SPAN sessions do not interfere with the normal operation of the switch. However, an oversubscribed
SPAN destination, for example, a 10-Mb/s port monitoring a 100-Mb/s port, can result in dropped or
lost packets.
• When SPAN or RSPAN is enabled, each packet being monitored is sent twice, once as normal traffic
and once as a monitored packet. Therefore monitoring a large number of ports or VLANs could potentially
generate large amounts of network traffic.
• You can configure SPAN sessions on disabled ports; however, a SPAN session does not become active
unless you enable the destination port and at least one source port or VLAN for that session.
• The switch does not support a combination of local SPAN and RSPAN in a single session.
◦An RSPAN source session cannot have a local destination port.
◦An RSPAN destination session cannot have a local source port.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
443
Information About SPAN and RSPAN
◦An RSPAN destination session and an RSPAN source session that are using the same RSPAN
VLAN cannot run on the same switch or switch stack.
Related Topics
Creating a Local SPAN Session, on page 450
Creating a Local SPAN Session and Configuring Incoming Traffic, on page 452
Example: Configuring Local SPAN, on page 466
Monitored Traffic
SPAN sessions can monitor these traffic types:
• Receive (Rx) SPAN—Receive (or ingress) SPAN monitors as much as possible all of the packets received
by the source interface or VLAN before any modification or processing is performed by the switch. A
copy of each packet received by the source is sent to the destination port for that SPAN session.
Packets that are modified because of routing or Quality of Service (QoS)—for example, modified
Differentiated Services Code Point (DSCP)—are copied before modification.
Features that can cause a packet to be dropped during receive processing have no effect on ingress SPAN;
the destination port receives a copy of the packet even if the actual incoming packet is dropped. These
features include IP standard and extended input Access Control Lists (ACLs), ingress QoS policing,
VLAN ACLs, and egress QoS policing.
• Transmit (Tx) SPAN—Transmit (or egress) SPAN monitors as much as possible all of the packets sent
by the source interface after all modification and processing is performed by the switch. A copy of each
packet sent by the source is sent to the destination port for that SPAN session. The copy is provided
after the packet is modified.
Packets that are modified because of routing (for example, with modified time-to-live (TTL), MAC
address, or QoS values) are duplicated (with the modifications) at the destination port.
Features that can cause a packet to be dropped during transmit processing also affect the duplicated copy
for SPAN. These features include IP standard and extended output ACLs and egress QoS policing.
• Both—In a SPAN session, you can also monitor a port or VLAN for both received and sent packets.
This is the default.
The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not
normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery
Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol
(STP), and Port Aggregation Protocol (PAgP). However, when you enter the encapsulation replicate keywords
when configuring a destination port, these changes occur:
• Packets are sent on the destination port with the same encapsulation (untagged or IEEE 802.1Q) that
they had on the source port.
• Packets of all types, including BPDU and Layer 2 protocol packets, are monitored.
Therefore, a local SPAN session with encapsulation replicate enabled can have a mixture of untagged and
IEEE 802.1Q tagged packets appear on the destination port.
Switch congestion can cause packets to be dropped at ingress source ports, egress source ports, or SPAN
destination ports. In general, these characteristics are independent of one another. For example:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
444
Information About SPAN and RSPAN
• A packet might be forwarded normally but dropped from monitoring due to an oversubscribed SPAN
destination port.
• An ingress packet might be dropped from normal forwarding, but still appear on the SPAN destination
port.
• An egress packet dropped because of switch congestion is also dropped from egress SPAN.
In some SPAN configurations, multiple copies of the same source packet are sent to the SPAN destination
port. For example, a bidirectional (both Rx and Tx) SPAN session is configured for the Rx monitor on port
A and Tx monitor on port B. If a packet enters the switch through port A and is switched to port B, both
incoming and outgoing packets are sent to the destination port. Both packets are the same unless a Layer 3
rewrite occurs, in which case the packets are different because of the packet modification.
Source Ports
A source port (also called a monitored port) is a switched or routed port that you monitor for network traffic
analysis.
In a local SPAN session or RSPAN source session, you can monitor source ports or VLANs for traffic in one
or both directions.
The switch supports any number of source ports (up to the maximum number of available ports on the switch)
and any number of source VLANs (up to the maximum number of VLANs supported).
However, the switch supports a maximum of four sessions (two sessions if switch is in a stack with Catalyst
2960-S switches) (local or RSPAN) with source ports or VLANs. You cannot mix ports and VLANs in a
single session.
A source port has these characteristics:
• It can be monitored in multiple SPAN sessions.
• Each source port can be configured with a direction (ingress, egress, or both) to monitor.
• It can be any port type (for example, EtherChannel, Gigabit Ethernet, and so forth).
• For EtherChannel sources, you can monitor traffic for the entire EtherChannel or individually on a
physical port as it participates in the port channel.
• It can be an access port, trunk port, routed port, or voice VLAN port.
• It cannot be a destination port.
• Source ports can be in the same or different VLANs.
• You can monitor multiple source ports in a single session.
Source VLANs
VLAN-based SPAN (VSPAN) is the monitoring of the network traffic in one or more VLANs. The SPAN
or RSPAN source interface in VSPAN is a VLAN ID, and traffic is monitored on all the ports for that VLAN.
VSPAN has these characteristics:
• All active ports in the source VLAN are included as source ports and can be monitored in either or both
directions.
• On a given port, only traffic on the monitored VLAN is sent to the destination port.
• If a destination port belongs to a source VLAN, it is excluded from the source list and is not monitored.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
445
Information About SPAN and RSPAN
• If ports are added to or removed from the source VLANs, the traffic on the source VLAN received by
those ports is added to or removed from the sources being monitored.
• You cannot use filter VLANs in the same session with VLAN sources.
• You can monitor only Ethernet VLANs.
VLAN Filtering
When you monitor a trunk port as a source port, by default, all VLANs active on the trunk are monitored.
You can limit SPAN traffic monitoring on trunk source ports to specific VLANs by using VLAN filtering.
• VLAN filtering applies only to trunk ports or to voice VLAN ports.
• VLAN filtering applies only to port-based sessions and is not allowed in sessions with VLAN sources.
• When a VLAN filter list is specified, only those VLANs in the list are monitored on trunk ports or on
voice VLAN access ports.
• SPAN traffic coming from other port types is not affected by VLAN filtering; that is, all VLANs are
allowed on other ports.
• VLAN filtering affects only traffic forwarded to the destination SPAN port and does not affect the
switching of normal traffic.
Destination Port
Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring
port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user,
usually a network analyzer.
A destination port has these characteristics:
• For a local SPAN session, the destination port must reside on the same switch or switch stack as the
source port. For an RSPAN session, it is located on the switch containing the RSPAN destination session.
There is no destination port on a switch or switch stack running only an RSPAN source session.
• When a port is configured as a SPAN destination port, the configuration overwrites the original port
configuration. When the SPAN destination configuration is removed, the port reverts to its previous
configuration. If a configuration change is made to the port while it is acting as a SPAN destination port,
the change does not take effect until the SPAN destination configuration had been removed.
Note When QoS is configured on the SPAN destination port, QoS takes effect immediately.
• If the port was in an EtherChannel group, it is removed from the group while it is a destination port. If
it was a routed port, it is no longer a routed port.
• It can be any Ethernet physical port.
• It cannot be a secure port.
• It cannot be a source port.
• It can participate in only one SPAN session at a time (a destination port in one SPAN session cannot be
a destination port for a second SPAN session).
• When it is active, incoming traffic is disabled. The port does not transmit any traffic except that required
for the SPAN session. Incoming traffic is never learned or forwarded on a destination port.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
446
Information About SPAN and RSPAN
• If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic
at Layer 2.
• It does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PagP).
• A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list
and is not monitored.
• The maximum number of destination ports in a switch or switch stack is 64.
Local SPAN and RSPAN destination ports function differently with VLAN tagging and encapsulation:
• For local SPAN, if the encapsulation replicate keywords are specified for the destination port, these
packets appear with the original encapsulation (untagged, ISL, or IEEE 802.1Q). If these keywords are
not specified, packets appear in the untagged format. Therefore, the output of a local SPAN session with
encapsulation replicate enabled can contain a mixture of untagged, ISL, or IEEE 802.1Q-tagged packets.
• For RSPAN, the original VLAN ID is lost because it is overwritten by the RSPAN VLAN identification.
Therefore, all packets appear on the destination port as untagged.
RSPAN VLAN
The RSPAN VLAN carries SPAN traffic between RSPAN source and destination sessions. RSPAN VLAN
has these special characteristics:
• All traffic in the RSPAN VLAN is always flooded.
• No MAC address learning occurs on the RSPAN VLAN.
• RSPAN VLAN traffic only flows on trunk ports.
• RSPAN VLANs must be configured in VLAN configuration mode by using the remote-span VLAN
configuration mode command.
• STP can run on RSPAN VLAN trunks but not on SPAN destination ports.
• An RSPAN VLAN cannot be a private-VLAN primary or secondary VLAN.
For VLANs 1 to 1005 that are visible to VLAN Trunking Protocol (VTP), the VLAN ID and its associated
RSPAN characteristic are propagated by VTP. If you assign an RSPAN VLAN ID in the extended VLAN
range (1006 to 4094), you must manually configure all intermediate switches.
It is normal to have multiple RSPAN VLANs in a network at the same time with each RSPAN VLAN defining
a network-wide RSPAN session. That is, multiple RSPAN source sessions anywhere in the network can
contribute packets to the RSPAN session. It is also possible to have multiple RSPAN destination sessions
throughout the network, monitoring the same RSPAN VLAN and presenting traffic to the user. The RSPAN
VLAN ID separates the sessions.
Related Topics
Creating an RSPAN Source Session, on page 458
Creating an RSPAN Destination Session, on page 461
Creating an RSPAN Destination Session and Configuring Incoming Traffic, on page 464
Examples: Creating an RSPAN VLAN, on page 467
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
447
Information About SPAN and RSPAN
• Routing—SPAN does not monitor routed traffic. VSPAN only monitors traffic that enters or exits the
switch, not traffic that is routed between VLANs. For example, if a VLAN is being Rx-monitored and
the switch routes traffic from another VLAN to the monitored VLAN, that traffic is not monitored and
not received on the SPAN destination port.
• STP—A destination port does not participate in STP while its SPAN or RSPAN session is active. The
destination port can participate in STP after the SPAN or RSPAN session is disabled. On a source port,
SPAN does not affect the STP status. STP can be active on trunk ports carrying an RSPAN VLAN.
• CDP—A SPAN destination port does not participate in CDP while the SPAN session is active. After
the SPAN session is disabled, the port again participates in CDP.
• VTP—You can use VTP to prune an RSPAN VLAN between switches.
• VLAN and trunking—You can modify VLAN membership or trunk settings for source or destination
ports at any time. However, changes in VLAN membership or trunk settings for a destination port do
not take effect until you remove the SPAN destination configuration. Changes in VLAN membership
or trunk settings for a source port immediately take effect, and the respective SPAN sessions automatically
adjust accordingly.
• EtherChannel—You can configure an EtherChannel group as a source port a SPAN destination port.
When a group is configured as a SPAN source, the entire group is monitored.
If a physical port is added to a monitored EtherChannel group, the new port is added to the SPAN source
port list. If a port is removed from a monitored EtherChannel group, it is automatically removed from
the source port list.
A physical port that belongs to an EtherChannel group can be configured as a SPAN source port and
still be a part of the EtherChannel. In this case, data from the physical port is monitored as it participates
in the EtherChannel. However, if a physical port that belongs to an EtherChannel group is configured
as a SPAN destination, it is removed from the group. After the port is removed from the SPAN session,
it rejoins the EtherChannel group. Ports removed from an EtherChannel group remain members of the
group, but they are in the inactive or suspended state.
If a physical port that belongs to an EtherChannel group is a destination port and the EtherChannel group
is a source, the port is removed from the EtherChannel group and from the list of monitored ports.
• Multicast traffic can be monitored. For egress and ingress port monitoring, only a single unedited packet
is sent to the SPAN destination port. It does not reflect the number of times the multicast packet is sent.
• A private-VLAN port cannot be a SPAN destination port.
• A secure port cannot be a SPAN destination port.
For SPAN sessions, do not enable port security on ports with monitored egress when ingress forwarding
is enabled on the destination port. For RSPAN source sessions, do not enable port security on any ports
with monitored egress.
• An IEEE 802.1x port can be a SPAN source port. You can enable IEEE 802.1x on a port that is a SPAN
destination port; however, IEEE 802.1x is disabled until the port is removed as a SPAN destination.
For SPAN sessions, do not enable IEEE 802.1x on ports with monitored egress when ingress forwarding
is enabled on the destination port. For RSPAN source sessions, do not enable IEEE 802.1x on any ports
that are egress monitored.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
448
Information About SPAN and RSPAN
Source port traffic to monitor Both received and sent traffic (both).
VLAN filtering On a trunk interface used as a source port, all VLANs are
monitored.
Configuration Guidelines
Related Topics
Creating a Local SPAN Session, on page 450
Creating a Local SPAN Session and Configuring Incoming Traffic, on page 452
Example: Configuring Local SPAN, on page 466
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
449
How to Configure SPAN and RSPAN
Related Topics
Creating an RSPAN Source Session, on page 458
Creating an RSPAN Destination Session, on page 461
Creating an RSPAN Destination Session and Configuring Incoming Traffic, on page 464
Examples: Creating an RSPAN VLAN, on page 467
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
450
How to Configure SPAN and RSPAN
Step 4 monitor session session_number Specifies the SPAN session and the source port (monitored port).
source {interface interface-id |
vlan vlan-id} [, | -] [both | rx | tx] • For session_number, the range is 1 to 66.
• For interface-id, specify the source port to monitor. Valid
Example: interfaces include physical interfaces and port-channel
logical interfaces (port-channel port-channel-number).
Switch(config)# monitor
session 1 source interface
Valid port-channel numbers are 1 to 48.
gigabitethernet1/0/1
• For vlan-id, specify the source VLAN to monitor. The
range is 1 to 4094 (excluding the RSPAN VLAN).
Note A single session can include multiple sources
(ports or VLANs) defined in a series of
commands, but you cannot combine source ports
and source VLANs in one session.
• (Optional) [, | -] Specifies a series or range of interfaces.
Enter a space before and after the comma; enter a space
before and after the hyphen.
• (Optional) both | rx | tx—Specifies the direction of traffic
to monitor. If you do not specify a traffic direction, the
source interface sends both sent and received traffic.
◦both—Monitors both received and sent traffic.
◦rx—Monitors received traffic.
◦tx—Monitors sent traffic.
Note You can use the monitor session
session_number source command multiple
times to configure multiple source ports.
Step 5 monitor session session_number Specifies the SPAN session and the destination port (monitoring
destination {interface interface-id port).
[, | -] [encapsulation replicate]} Note For local SPAN, you must use the same session number
for the source and destination interfaces.
Example:
• For session_number, specify the session number entered
Switch(config)# monitor in step 4.
session 1 destination
interface
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
451
How to Configure SPAN and RSPAN
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 8 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Related Topics
Local SPAN, on page 440
SPAN Sessions, on page 443
SPAN Configuration Guidelines, on page 449
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
452
How to Configure SPAN and RSPAN
Procedure
Example:
Switch# configure terminal
Step 3 no monitor session {session_number | Removes any existing SPAN configuration for the
all | local | remote} session.
• For session_number, the range is 1 to 66.
Example:
• all—Removes all SPAN sessions.
Switch(config)# no monitor session
all • local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Step 4 monitor session session_number source Specifies the SPAN session and the source port
{interface interface-id | vlan vlan-id} [, (monitored port).
| -] [both | rx | tx]
Example:
Switch(config)# monitor session 2
source gigabitethernet1/0/1 rx
Step 5 monitor session session_number Specifies the SPAN session, the destination port, the
destination {interface interface-id [, | packet encapsulation, and the ingress VLAN and
-] [encapsulation replicate] [ingress encapsulation.
{dot1q vlan vlan-id | untagged vlan
• For session_number, specify the session number
vlan-id | vlan vlan-id}]}
entered in Step 4.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
453
How to Configure SPAN and RSPAN
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Related Topics
Local SPAN, on page 440
SPAN Sessions, on page 443
SPAN Configuration Guidelines, on page 449
Example: Configuring Local SPAN, on page 466
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
454
How to Configure SPAN and RSPAN
Procedure
Example:
Switch# configure terminal
Step 3 no monitor session {session_number Removes any existing SPAN configuration for the session.
| all | local | remote}
• For session_number, the range is 1 to 66.
Example: • all—Removes all SPAN sessions.
Switch(config)# no monitor • local—Removes all local sessions.
session all
• remote—Removes all remote SPAN sessions.
Step 4 monitor session session_number Specifies the characteristics of the source port (monitored
source interface interface-id port) and SPAN session.
• For session_number, the range is 1 to 66.
Example:
• For interface-id, specify the source port to monitor.
Switch(config)# monitor session
2 source interface
The interface specified must already be configured
gigabitethernet1/0/2 rx as a trunk port.
Step 5 monitor session session_number filter Limits the SPAN source traffic to specific VLANs.
vlan vlan-id [, | -]
• For session_number, enter the session number
specified in Step 4.
Example:
• For vlan-id, the range is 1 to 4094.
Switch(config)# monitor session
2 filter vlan 1 - 5 , 9 • (Optional) Use a comma (,) to specify a series of
VLANs, or use a hyphen (-) to specify a range of
VLANs. Enter a space before and after the comma;
enter a space before and after the hyphen.
Step 6 monitor session session_number Specifies the SPAN session and the destination port
destination {interface interface-id [, | (monitoring port).
-] [encapsulation replicate]}
• For session_number, specify the session number
entered in Step 4.
Example:
• For interface-id, specify the destination port. The
Switch(config)# monitor session
destination interface must be a physical port; it
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
455
How to Configure SPAN and RSPAN
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
456
How to Configure SPAN and RSPAN
Example:
Switch# configure terminal
Example:
Switch(config-vlan)# remote-span
Example:
Switch(config-vlan)# end
Example:
Switch# show running-config
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
What to Do Next
You must create the RSPAN VLAN in all switches that will participate in RSPAN. If the RSPAN VLAN-ID
is in the normal range (lower than 1005) and VTP is enabled in the network, you can create the RSPAN VLAN
in one switch, and VTP propagates it to the other switches in the VTP domain. For extended-range VLANs
(greater than 1005), you must configure RSPAN VLAN on both source and destination switches and any
intermediate switches.
Use VTP pruning to get an efficient flow of RSPAN traffic, or manually delete the RSPAN VLAN from all
trunks that do not need to carry the RSPAN traffic.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
457
How to Configure SPAN and RSPAN
To remove the remote SPAN characteristic from a VLAN and convert it back to a normal VLAN, use the no
remote-span VLAN configuration command.
To remove a source port or VLAN from the SPAN session, use the no monitor session session_number
source {interface interface-id | vlan vlan-id} global configuration command. To remove the RSPAN VLAN
from the session, use the no monitor session session_number destination remote vlan vlan-id.
Procedure
Example:
Switch# configure terminal
Step 3 no monitor session {session_number Removes any existing SPAN configuration for the session.
| all | local | remote}
• For session_number, the range is 1 to 66.
Example: • all—Removes all SPAN sessions.
Switch(config)# no monitor • local—Removes all local sessions.
session 1
• remote—Removes all remote SPAN sessions.
Step 4 monitor session session_number Specifies the RSPAN session and the source port (monitored
source {interface interface-id | vlan port).
vlan-id} [, | -] [both | rx | tx]
• For session_number, the range is 1 to 66.
Example: • Enter a source port or source VLAN for the RSPAN
session:
Switch(config)# monitor session
1 source interface ◦For interface-id, specifies the source port to
gigabitethernet1/0/1 tx
monitor. Valid interfaces include physical
interfaces and port-channel logical interfaces
(port-channel port-channel-number). Valid
port-channel numbers are 1 to 48.
◦For vlan-id, specifies the source VLAN to
monitor. The range is 1 to 4094 (excluding the
RSPAN VLAN).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
458
How to Configure SPAN and RSPAN
Step 5 monitor session session_number Specifies the RSPAN session, the destination RSPAN VLAN,
destination remote vlan vlan-id and the destination-port group.
• For session_number, enter the number defined in Step
Example: 4.
Switch(config)# monitor session
1 destination remote vlan 100 • For vlan-id, specify the source RSPAN VLAN to
monitor.
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
459
How to Configure SPAN and RSPAN
Related Topics
Remote SPAN, on page 441
RSPAN VLAN, on page 447
RSPAN Configuration Guidelines, on page 450
Procedure
Example:
Switch# configure terminal
Step 3 no monitor session {session_number | Removes any existing SPAN configuration for the
all | local | remote} session.
• For session_number, the range is 1 to 66.
Example:
• all—Removes all SPAN sessions.
Switch(config)# no monitor session
2 • local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Step 4 monitor session session_number source Specifies the characteristics of the source port
interface interface-id (monitored port) and SPAN session.
• For session_number, the range is 1 to 66.
Example:
• For interface-id, specify the source port to
Switch(config)# monitor session 2
source interface
monitor. The interface specified must already be
gigabitethernet1/0/2 rx configured as a trunk port.
Step 5 monitor session session_number filter Limits the SPAN source traffic to specific VLANs.
vlan vlan-id [, | -]
• For session_number, enter the session number
specified in step 4.
Example:
• For vlan-id, the range is 1 to 4094.
Switch(config)# monitor session 2
filter vlan 1 - 5 , 9
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
460
How to Configure SPAN and RSPAN
Step 6 monitor session session_number Specifies the RSPAN session and the destination remote
destination remote vlan vlan-id VLAN (RSPAN VLAN).
• For session_number, enter the session number
Example: specified in Step 4.
Switch(config)# monitor session 2
destination remote vlan 902 • For vlan-id, specify the RSPAN VLAN to carry
the monitored traffic to the destination port.
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
461
How to Configure SPAN and RSPAN
Procedure
Example:
Switch# configure terminal
Step 3 vlan vlan-id Specifies the VLAN ID of the RSPAN VLAN created
from the source switch, and enters VLAN configuration
Example: mode.
Switch(config)# vlan 901 If both switches are participating in VTP and the RSPAN
VLAN ID is from 2 to 1005, Steps 3 through 5 are not
required because the RSPAN VLAN ID is propagated
through the VTP network.
Example:
Switch(config-vlan)# remote-span
Example:
Switch(config-vlan)# exit
Step 6 no monitor session {session_number Removes any existing SPAN configuration for the
| all | local | remote} session.
• For session_number, the range is 1 to 66.
Example:
• all—Removes all SPAN sessions.
Switch(config)# no monitor
session 1 • local—Removes all local sessions.
• remote—Removes all remote SPAN sessions.
Step 7 monitor session session_number Specifies the RSPAN session and the source RSPAN
source remote vlan vlan-id VLAN.
• For session_number, the range is 1 to 66.
Example:
• For vlan-id, specify the source RSPAN VLAN to
Switch(config)# monitor session
1 source remote vlan 901
monitor.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
462
How to Configure SPAN and RSPAN
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 11 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Related Topics
Remote SPAN, on page 441
RSPAN VLAN, on page 447
RSPAN Configuration Guidelines, on page 450
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
463
How to Configure SPAN and RSPAN
Procedure
Example:
Switch# configure terminal
Step 3 no monitor session {session_number Removes any existing SPAN configuration for the session.
| all | local | remote}
• For session_number, the range is 1 to 66.
Example: • all—Removes all SPAN sessions.
Switch(config)# no monitor • local—Removes all local sessions.
session 2
• remote—Removes all remote SPAN sessions.
Step 4 monitor session session_number Specifies the RSPAN session and the source RSPAN VLAN.
source remote vlan vlan-id
• For session_number, the range is 1 to 66.
Example: • For vlan-id, specify the source RSPAN VLAN to
monitor.
Switch(config)# monitor session
2 source remote vlan 901
Step 5 monitor session session_number Specifies the SPAN session, the destination port, the packet
destination {interface interface-id encapsulation, and the incoming VLAN and encapsulation.
[, | -] [ingress {dot1q vlan vlan-id |
untagged vlan vlan-id | vlan • For session_number, enter the number defined in Step
5.
vlan-id}]}
In an RSPAN destination session, you must use the
Example: same session number for the source RSPAN VLAN
and the destination port.
Switch(config)# monitor session
2 destination interface • For interface-id, specify the destination interface. The
gigabitethernet1/0/2 ingress destination interface must be a physical interface.
vlan 6
• Though visible in the command-line help string,
encapsulation replicate is not supported for RSPAN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
464
How to Configure SPAN and RSPAN
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Related Topics
Remote SPAN, on page 441
RSPAN VLAN, on page 447
RSPAN Configuration Guidelines, on page 450
Examples: Creating an RSPAN VLAN, on page 467
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
465
Monitoring SPAN and RSPAN Operations
Command Purpose
show monitor Displays the current SPAN, RSPAN, FSPAN,
or FRSPAN configuration.
Switch> enable
Switch# configure terminal
Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface gigabitethernet1/0/1
Switch(config)# monitor session 1 destination interface gigabitethernet1/0/2
encapsulation replicate
Switch(config)# end
This example shows how to remove port 1 as a SPAN source for SPAN session 1:
Switch> enable
Switch# configure terminal
Switch(config)# no monitor session 1 source interface gigabitethernet1/0/1
Switch(config)# end
This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional
monitoring:
Switch> enable
Switch# configure terminal
Switch(config)# no monitor session 1 source interface gigabitethernet1/0/1 rx
The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored.
This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session
2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination Gigabit
Ethernet port 2. The configuration is then modified to also monitor all traffic on all ports belonging to VLAN
10.
Switch> enable
Switch# configure terminal
Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source vlan 1 - 3 rx
Switch(config)# monitor session 2 destination interface gigabitethernet1/0/2
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
466
SPAN and RSPAN Configuration Examples
This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session
2 to monitor received traffic on Gigabit Ethernet source port 1, and send it to destination Gigabit Ethernet
port 2 with the same egress encapsulation type as the source port, and to enable ingress forwarding with IEEE
802.1Q encapsulation and VLAN 6 as the default ingress VLAN:
Switch> enable
Switch# configure terminal
Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source gigabitethernet1/0/1 rx
Switch(config)# monitor session 2 destination interface gigabitethernet1/0/2 encapsulation
replicate ingress dot1q vlan 6
Switch(config)# end
This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session
2 to monitor traffic received on Gigabit Ethernet trunk port 2, and send traffic for only VLANs 1 through 5
and VLAN 9 to destination Gigabit Ethernet port 1:
Switch> enable
Switch# configure terminal
Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source interface gigabitethernet1/0/2 rx
Switch(config)# monitor session 2 filter vlan 1 - 5 , 9
Switch(config)# monitor session 2 destination interface gigabitethernet1/0/1
Switch(config)# end
Related Topics
Creating a Local SPAN Session and Configuring Incoming Traffic, on page 452
Local SPAN, on page 440
SPAN Sessions, on page 443
SPAN Configuration Guidelines, on page 449
Switch> enable
Switch# configure terminal
Switch(config)# vlan 901
Switch(config-vlan)# remote span
Switch(config-vlan)# end
This example shows how to remove any existing RSPAN configuration for session 1, configure RSPAN
session 1 to monitor multiple source interfaces, and configure the destination as RSPAN VLAN 901:
Switch> enable
Switch# configure terminal
Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface gigabitethernet1/0/1 tx
Switch(config)# monitor session 1 source interface gigabitethernet1/0/2 rx
Switch(config)# monitor session 1 source interface port-channel 2
Switch(config)# monitor session 1 destination remote vlan 901
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
467
Additional References
This example shows how to remove any existing configuration on RSPAN session 2, configure RSPAN
session 2 to monitor traffic received on trunk port 2, and send traffic for only VLANs 1 through 5 and 9 to
destination RSPAN VLAN 902:
Switch> enable
Switch# configure terminal
Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source interface gigabitethernet1/0/2 rx
Switch(config)# monitor session 2 filter vlan 1 - 5 , 9
Switch(config)# monitor session 2 destination remote vlan 902
Switch(config)# end
This example shows how to configure VLAN 901 as the source remote VLAN and port 1 as the destination
interface:
Switch> enable
Switch# configure terminal
Switch(config)# monitor session 1 source remote vlan 901
Switch(config)# monitor session 1 destination interface gigabitethernet2/0/1
Switch(config)# end
This example shows how to configure VLAN 901 as the source remote VLAN in RSPAN session 2, to
configure Gigabit Ethernet source port 2 as the destination interface, and to enable forwarding of incoming
traffic on the interface with VLAN 6 as the default receiving VLAN:
Switch> enable
Switch# configure terminal
Switch(config)# monitor session 2 source remote vlan 901
Switch(config)# monitor session 2 destination interface gigabitethernet1/0/2 ingress vlan 6
Switch(config)# end
Related Topics
Creating an RSPAN Destination Session and Configuring Incoming Traffic, on page 464
Remote SPAN, on page 441
RSPAN VLAN, on page 447
RSPAN Configuration Guidelines, on page 450
Additional References
Related Documents
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
468
Feature History and Information for SPAN and RSPAN
Standard/RFC Title
None -
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
469
Feature History and Information for SPAN and RSPAN
Release Modification
Cisco IOS 15.0(2)EX SPAN destination port support on
EtherChannels: Provides the ability
to configure a SPAN destination
port on an EtherChannel.
This feature was introduced.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
470
PART VI
Cisco Flexible NetFlow
• Configuring Flexible NetFlow, page 473
CHAPTER 26
Configuring Flexible NetFlow
• Finding Feature Information, page 473
• Prerequisites for Flexible NetFlow, page 473
• Restrictions for Flexible NetFlow, page 474
• Information About Flexible Netflow, page 476
• How to Configure Flexible Netflow, page 487
• Monitoring Flexible NetFlow, page 499
• Configuration Examples for Flexible NetFlow, page 500
• Additional References for NetFlow, page 500
• Feature Information for Flexible NetFlow, page 501
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
473
Restrictions for Flexible NetFlow
◦Port—Monitor attachment is only supported on physical interfaces and not on logical interfaces,
such as EtherChannels. The physical interface could be a routed port or a switched port.
◦VLAN—Monitor attachment is supported on VLAN interfaces only (SVI) and not on a Layer 2
VLAN.
• You are familiar with the Flexible NetFlow key fields as they are defined in the following commands:
◦match datalink—Datalink (layer2) fields
◦match ipv4—IPv4 fields
◦match ipv6—IPv6 fields
◦match transport—Transport layer fields
• You are familiar with the Flexible NetFlow non key fields as they are defined in the following commands:
◦collect counter—Counter fields
◦collect flow—Flow identifying fields
◦collect interface—Interface fields
◦collect timestamp—Timestamp fields
◦collect transport—Transport layer fields
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
474
Restrictions for Flexible NetFlow
When a flow monitor has the collect interface output configured as the collect field in the flow record,
the output interface is detected based on the destination IP address on the device. For the different flow
monitors, you must configure the following commands:
◦IPv4 flow monitor--Configure the match ip destination address command.
◦IPv6 flow monitor--Configure the match ipv6 destination address command.
◦Datalink flow monitor--Configure the match datalink mac output command.
Monitor Restrictions:
• Monitor attachment is only supported in the ingress direction.
• One monitor per interface is supported, although multiple exporters per interface are supported.
• Only permanent and normal cache is supported for the monitor; immediate cache is not supported.
• Changing any monitor parameter will not be supported when it is applied on any of the interfaces or
VLANs.
• When both the port and VLANs have monitors attached, then VLAN monitor will overwrite the port
monitor for traffic coming on the port.
• Flow monitor type and traffic type (type means IPv4, IPv6, and data link) should be same for the flows
to be created.
• You cannot attach an IP and a port-based monitor to an interface. A 48-port device supports a maximum
of 48 monitors (IP or port-based) and for 256 SVIs, you can configure up to 256 monitors (IP or
port-based).
• When running the show flow monitor flow_name cache command, the device displays cache information
from an earlier switch software version (Catalyst 2960-S) with all fields entered as zero. Ignore these
fields, as they are inapplicable to the switch.
Sampler Restrictions:
• For both port and VLANS, a total of only 4 samplers (random or deterministic) are supported on the
device.
• The sampling minimum rate for both modes is 1 out of 32 flows, and the sampling maximum rate for
both modes is 1 out of 1022 flows.
• Use the ip flow monitor monitor_name sampler sampler_name input command to associate a sample
with a monitor while attaching it to an interface.
• When you attach a monitor using a deterministic sampler, every attachment with the same sampler uses
one new free sampler from the switch (hardware) out of the 4 available samplers. You are not allowed
to attach a monitor with any sampler, beyond 4 attachments.
When you attach a monitor using a random sampler, only the first attachment uses a new sampler from
the switch (hardware). The remainder of all of the attachments using the same sampler, share the same
sampler.
Because of this behavior, when using a deterministic sampler, you can always make sure that the correct
number of flows are sampled by comparing the sampling rate and what the device sends. If the same
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
475
Information About Flexible Netflow
random sampler is used with multiple interfaces, flows from any interface can always be sampled, and
flows from other interfaces can always be skipped.
Stacking Restrictions:
• Each device in a stack (hardware) can support the creation of a maximum of 16,000 flows at any time.
But as the flows are periodically pushed to the software cache, the software cache can hold a much larger
amount of flows (1048 Kb flows). From the hardware flow cache, every 20 seconds (termed as poll
timer), 200 flows (termed as poll entries) are pushed to software.
◦Use the remote command all show platform hulc-fnf poll command to report on the current
NetFlow polling parameters of each switch.
◦Use the show platform hulc-fnf poll command to report on the current NetFlow polling parameters
of the master switch.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
476
Information About Flexible Netflow
• A comprehensive IP accounting feature that can be used to replace many accounting features, such as
IP accounting, Border Gateway Protocol (BGP) Policy Accounting, and persistent caches.
Flexible NetFlow allows you to understand network behavior with more efficiency, with specific flow
information tailored for various services used in the network. The following are some example applications
for a Flexible NetFlow feature:
• Flexible NetFlow enhances Cisco NetFlow as a security monitoring tool. For instance, new flow keys
can be defined for packet length or MAC address, allowing users to search for a specific type of attack
in the network.
• Flexible NetFlow allows you to quickly identify how much application traffic is being sent between
hosts by specifically tracking TCP or UDP applications by the class of service (CoS) in the packets.
• The accounting of traffic entering a Multiprotocol Label Switching (MPLS) or IP core network and its
destination for each next hop per class of service. This capability allows the building of an edge-to-edge
traffic matrix.
The figure below is an example of how Flexible NetFlow might be deployed in a network.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
477
Information About Flexible Netflow
traffic at different rates on different interfaces. The following sections provide more information on Flexible
NetFlow components:
Flow Records
In Flexible NetFlow a combination of key and nonkey fields is called a record. Flexible NetFlow records are
assigned to Flexible NetFlow flow monitors to define the cache that is used for storing flow data.
A flow record defines the keys that Flexible NetFlow uses to identify packets in the flow, as well as other
fields of interest that Flexible NetFlow gathers for the flow. You can define a flow record with any combination
of keys and fields of interest. The switch supports a rich set of keys. A flow record also defines the types of
counters gathered per flow. You can configure 64-bit packet or byte counters. The switch enables the following
match fields as the defaults when you create a flow record:
• match datalink—Layer 2 attributes
• match ipv4—IPv4 attributes
• match ipv6—IPv6 attributes
• match transport—Transport layer fields
• match wireless—Wireless fields
User-Defined Records
Flexible NetFlow enables you to define your own records for a Flexible NetFlow flow monitor cache by
specifying the key and nonkey fields to customize the data collection to your specific requirements. When
you define your own records for a Flexible NetFlow flow monitor cache, they are referred to as user-defined
records. The values in nonkey fields are added to flows to provide additional information about the traffic in
the flows. A change in the value of a nonkey field does not create a new flow. In most cases the values for
nonkey fields are taken from only the first packet in the flow. Flexible NetFlow enables you to capture counter
values such as the number of bytes and packets in a flow as nonkey fields.
Flexible NetFlow adds a new Version 9 export format field type for the header and packet section types.
Flexible NetFlow will communicate to the NetFlow collector the configured section sizes in the corresponding
Version 9 export template fields. The payload sections will have a corresponding length field that can be used
to collect the actual size of the collected section.
Flow Exporters
Flow exporters export the data in the flow monitor cache to a remote system, such as a server running NetFlow
collector, for analysis and storage. Flow exporters are created as separate entities in the configuration. Flow
exporters are assigned to flow monitors to provide data export capability for the flow monitors. You can create
several flow exporters and assign them to one or more flow monitors to provide several export destinations.
You can create one flow exporter and apply it to several flow monitors.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
478
Information About Flexible Netflow
• Third-party business partners who produce applications that provide collector or display services for
NetFlow do not have to recompile their applications each time a new NetFlow feature is added. Instead,
they should be able to use an external data file that documents the known template formats.
• New features can be added to NetFlow quickly without breaking current implementations.
• NetFlow is “future-proofed” against new or developing protocols because the Version 9 format can be
adapted to provide support for them.
The Version 9 export format consists of a packet header followed by one or more template flow or data flow
sets. A template flow set provides a description of the fields that will be present in future data flow sets. These
data flow sets may occur later within the same export packet or in subsequent export packets. Template flow
and data flow sets can be intermingled within a single export packet, as illustrated in the figure below.
NetFlow Version 9 will periodically export the template data so the NetFlow collector will understand what
data is to be sent and also export the data flow set for the template. The key advantage to Flexible NetFlow
is that the user configures a flow record, which is effectively converted to a Version 9 template and then
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
479
Information About Flexible Netflow
forwarded to the collector. The figure below is a detailed example of the NetFlow Version 9 export format,
including the header, template flow, and data flow sets.
For more information on the Version 9 export format, refer to the white paper titled Cisco IOS NetFlow
Version 9 Flow-Record Format, available at this URL: http://www.cisco.com/en/US/tech/tk648/tk362/
technologies_white_paper09186a00800a3db9.shtml.
Flow Monitors
Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic
monitoring.
Flow data is collected from the network traffic and added to the flow monitor cache during the monitoring
process based on the key and nonkey fields in the flow record.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
480
Information About Flexible Netflow
Flexible NetFlow can be used to perform different types of analysis on the same traffic. In the figure below,
packet 1 is analyzed using a record designed for standard traffic analysis on the input interface and a record
designed for security analysis on the output interface.
Figure 51: Example of Using Two Flow Monitors to Analyze the Same Traffic
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
481
Information About Flexible Netflow
The figure below shows a more complex example of how you can apply different types of flow monitors with
custom records.
Figure 52: Complex Example of Using Multiple Types of Flow Monitors with Custom Records
Normal
The default cache type is “normal”. In this mode, the entries in the cache are aged out according to the timeout
active and timeout inactive settings. When a cache entry is aged out, it is removed from the cache and exported
via any exporters configured.
Flow Samplers
Flow samplers are created as separate components in a router’s configuration. Flow samplers are used to
reduce the load on the device that is running Flexible NetFlow by limiting the number of packets that are
selected for analysis.
Samplers use random sampling techniques (modes); that is, a randomly selected sampling position is used
each time a sample is taken.
Flow sampling exchanges monitoring accuracy for router performance. When you apply a sampler to a flow
monitor, the overhead load on the router of running the flow monitor is reduced because the number of packets
that the flow monitor must analyze is reduced. The reduction in the number of packets that are analyzed by
the flow monitor causes a corresponding reduction in the accuracy of the information stored in the flow
monitor’s cache.
Samplers are combined with flow monitors when they are applied to an interface with the ip flow monitor
command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
482
Information About Flexible Netflow
Note If the packet has a VLAN field, then that length is not accounted for.
Field Layer 2 In Layer 2 Out IPv4 In IP v4 Out IPv6 In IPv6 Out Notes
Key Fields
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
483
Information About Flexible Netflow
Field Layer 2 In Layer 2 Out IPv4 In IP v4 Out IPv6 In IPv6 Out Notes
Flow Yes Yes Yes Yes Yes Yes
direction
MAC — — — — — —
source
address
output
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
484
Information About Flexible Netflow
Field Layer 2 In Layer 2 Out IPv4 In IP v4 Out IPv6 In IPv6 Out Notes
IPv4 — — Yes Yes Yes Yes Must use if
protocol any of
src/dest
port, ICMP
code/type,
IGMP type
or TCP
flags are
used.
Field Layer 2 In Layer 2 Out IPv4 In IP v4 Out IPv6 In IPv6 Out Notes
Key Fields
continued
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
485
Information About Flexible Netflow
Field Layer 2 In Layer 2 Out IPv4 In IP v4 Out IPv6 In IPv6 Out Notes
IPv6 source — — — — Yes Yes
address
Field Layer 2 In Layer 2 Out IPv4 In IP v4 Out IPv6 In IPv6 Out Notes
Collect
Fields
Bytes long Yes Yes Yes Yes Yes Yes Packet size
= (Ethernet
frame size
including
FCS - 18
bytes)
Recommended:
Avoid this
field and
use Bytes
layer2 long.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
486
How to Configure Flexible Netflow
Field Layer 2 In Layer 2 Out IPv4 In IP v4 Out IPv6 In IPv6 Out Notes
Timestamp Yes Yes Yes Yes Yes Yes
absolute
last
TCP flags Yes Yes Yes Yes Yes Yes Collects all
flags.
Default Settings
The following table lists the Flexible NetFlow default settings for the switch.
Setting Default
Flow active timeout 1800 seconds
Note The default value for this setting may be too
high for your specific Flexible NetFlow
configuration. You may want to consider
changing it to a lower value of 180 or 300
seconds.
Flow timeout inactive Enabled, 30 seconds
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
487
How to Configure Flexible Netflow
Procedure
Example:
Device# configure terminal
Step 3 flow record record-name Creates a flow record and enters Flexible
NetFlow flow record configuration mode.
Example: • This command also allows you to modify
Device(config)# flow record an existing flow record.
FLOW-RECORD-1
Step 5 match {ip | ipv6} {destination | source} Note This example configures the IPv4
address destination address as a key field for
the record. For information about the
Example: other key fields available for the
match ipv4 command, and the other
Device(config-flow-record)# match ipv4 match commands that are available to
destination address
configure key fields.
Step 6 Repeat Step 5 as required to configure —
additional key fields for the record.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
488
How to Configure Flexible Netflow
Example:
Device(config-flow-record)# collect
counter bytes
Device(config-flow-record)# end
Step 10 show flow record record-name (Optional) Displays the current status of the
specified flow record.
Example:
Device# show flow record FLOW_RECORD-1
Step 11 show running-config flow record (Optional) Displays the configuration of the
record-name specified flow record.
Example:
Device# show running-config flow record
FLOW_RECORD-1
Note Each flow exporter supports only one destination. If you want to export the data to multiple destinations,
you must configure multiple flow exporters and assign them to the flow monitor.
You can export to a destination using IPv4 address.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
489
How to Configure Flexible Netflow
Procedure
Example:
Switch# configure terminal
Step 2 flow exporter name Creates a flow exporter and enters flow exporter
configuration mode.
Example:
Switch(config)# flow exporter
ExportTest
Step 4 destination {ipv4-address} [ vrf vrf-name] Sets the IPv4 destination address or hostname
for this exporter.
Example:
Switch(config-flow-exporter)#
destination 192.0.2.1 (IPv4
destination)
Switch(config-flow-exporter)# dscp 0
Step 6 source { source type |} (Optional) Specifies the interface to use to reach
the NetFlow collector at the configured
Example: destination. The following interfaces can be
configured as source:
Switch(config-flow-exporter)# source
gigabitEthernet1/0/1 \
Step 7 transport udp number (Optional) Specifies the UDP port to use to reach
the NetFlow collector. The range is from 1 to
Example: 65536
Switch(config-flow-exporter)#
transport udp 200
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
490
How to Configure Flexible Netflow
Example:
Switch(config-flow-record)# end
Step 11 show flow exporter [name record-name] (Optional) Displays information about NetFlow
flow exporters.
Example:
Switch# show flow exporter ExportTest
Step 12 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
What to Do Next
Define a flow monitor based on the flow record and flow exporter.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
491
How to Configure Flexible Netflow
Note You must use the no ip flow monitor command to remove a flow monitor from all of the interfaces to
which you have applied it before you can modify the parameters for the record command on the flow
monitor.
Procedure
Example:
Switch# configure terminal
Step 3 flow monitor monitor-name Creates a flow monitor and enters Flexible NetFlow
flow monitor configuration mode.
Example: • This command also allows you to modify an
Switch(config)# flow monitor existing flow monitor.
FLOW-MONITOR-1
Step 4 description description (Optional) Creates a description for the flow monitor.
Example:
Switch(config-flow-monitor)#
description Used for basic ipv4
traffic analysis
Step 5 record {record-name} Specifies the record for the flow monitor.
Example:
Switch(config-flow-monitor)# record
FLOW-RECORD-1
Step 6 cache {entries number | timeout {active (Optional) Modifies the flow monitor cache
| inactive | update} seconds | { normal } parameters such as timeout values, number of cache
entries, and the cache type.
Example: • timeout active seconds—Configure the active
flow timeout. This defines the granularity of
the traffic analysis. The range is from 1 to
604800 seconds. The default is 1800. Typical
values are 60 or 300 seconds. See the
Configuring Data Export for Cisco IOS Flexible
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
492
How to Configure Flexible Netflow
Step 10 show flow monitor [[name] monitor-name (Optional) Displays the status for a Flexible NetFlow
[cache [format {csv | record | table}]] ] flow monitor.
Note To sort by CTS flow source or destination
Example: tags, enter the show flow monitor
Switch# show flow monitor monitor-name cache sort flow cts {source
FLOW-MONITOR-2 cache | destination} group-tag format {csv |
record | table} command.
Step 11 show running-config flow monitor (Optional) Displays the configuration of the specified
monitor-name flow monitor.
Example:
Switch# show running-config flow
monitor FLOW_MONITOR-1
Step 12 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Creating a Sampler
You can create a sampler to define the NetFlow sampling rate for a flow.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
493
How to Configure Flexible Netflow
Procedure
Example:
Switch# configure terminal
Step 2 sampler name Creates a sampler and enters flow sampler configuration mode.
Example:
Switch(config)# sampler
SampleTest
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
494
How to Configure Flexible Netflow
Example:
Switch(config-flow-sampler)#
end
Step 6 show sampler [name] (Optional) Displays information about NetFlow samplers.
Example:
Switch show sample SampleTest
Step 7 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
What to Do Next
Apply the flow monitor to a source interface or a VLAN.
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
495
How to Configure Flexible Netflow
Example:
Switch(config-flow-monitor)#
end
Step 5 show flow interface [interface-type (Optional) Displays information about NetFlow on an
number] interface.
Example:
Switch# show flow interface
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
496
How to Configure Flexible Netflow
Procedure
Example:
Switch# configure terminal
Step 3 interface vlan vlan-id Specifies the SVI for the configuration.
Example:
Switch(config)# interface vlan 30
Step 4 ip flow monitor monitor name [sampler sampler Associates a flow monitor and an optional
name] {input | output} sampler to the VLAN for input or output
packets.
Example:
Switch(config-vlan-config)# ip flow monitor
MonitorTest input
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
497
How to Configure Flexible Netflow
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# flow record L2_record
Switch(config-flow-record)#
Step 3 match datalink {ethertype | mac {destination Specifies the Layer 2 attribute as a key. In
{address input} | source {address input}}} this example, the keys are the source and
destination MAC addresses from the packet
Example: at input.
Step 4 match { ipv4 {destination | protocol | source | Specifies additional Layer 2 attributes as a
tos} | ipv6 {destination | flow-label | protocol | key. In this example, the keys are IPv4
source | traffic-class} | transport protocol and ToS.
{destination-port | source-port}}
Example:
Switch(config-flow-record)# match ipv4
protocol
Switch(config-flow-record)# match ipv4 tos
Example:
Switch(config-flow-record)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
498
Monitoring Flexible NetFlow
Command Purpose
show flow exporter [broker | export-ids | name | Displays information about NetFlow flow exporters
name | statistics | templates] and statistics.
show flow exporter [ name exporter-name] Displays information about NetFlow flow exporters
and statistics.
show flow monitor [ name exporter-name] Displays information about NetFlow flow monitors
and statistics.
show flow monitor statistics Displays the statistics for the flow monitor
show flow monitor cache format {table | record | Displays the contents of the cache for the flow
csv} monitor, in the format specified.
show flow record [ name record-name] Displays information about NetFlow flow records.
show sampler [broker | name | name] Displays information about NetFlow samplers.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
499
Configuration Examples for Flexible NetFlow
Standard/RFC Title
RFC 3954 Cisco Systems NetFlow Services Export Version 9
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
500
Feature Information for Flexible NetFlow
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
501
Feature Information for Flexible NetFlow
Flexible NetFlow Lite Cisco IOS Release 15.0(2)EX In Cisco IOS Release 15.0(2)EX,
this feature was introduced on
Cisco Catalyst 2960-X Series
Switches.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
502
PART VII
Openflow
• OpenFlow, page 505
CHAPTER 27
OpenFlow
• Finding Feature Information, page 505
• Prerequisites for OpenFlow, page 505
• Restrictions for OpenFlow, page 506
• Information About Open Flow, page 507
• Configuring OpenFlow, page 512
• Monitoring OpenFlow, page 516
• Configuration Examples for OpenFlow, page 516
Note Note: Release notes for Cisco Catalyst 2960X/XR Series Switches
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
505
Restrictions for OpenFlow
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
506
Information About Open Flow
Overview of OpenFlow
OpenFlow is a standard communications interface defined between the control and forwarding plane for direct
access to and manipulation of the forwarding plane of network devices such as switches and routers from
multiple vendors.
OpenFlow Switch Specification Version 1.0.1 (Wire Protocol 0x01), referred to as OpenFlow 1.0, and
OpenFlow Switch Specification Version 1.3.0 (Wire Protocol 0x04), referred to as OpenFlow 1.3, are based
on the concept of an Ethernet switch with an internal flow table and standardized interface to allow traffic
flows on a device to be added or removed. OpenFlow 1.3 defines the communication channel between
OpenFlow and controllers.
A generic OpenFlow controller will interact with an specialized OpenFlow agent that translates the OpenFlow
configuration into IOS configurations and configures the data plane.
Support of OpenFlow on catalyst 2960X/XR is limited to only software forwarding (due to ASIC limitations).
The software forwarding of flows will happen at the OpenFlow agent with support of 12 tuples matches
consisting of single table with both L2 and L3 fields together. The match criteria can be match on all 12 tuple
fields or any of the 12 tuple fields.
The corresponding actions to the matching criteria can be:
• Push / Pop of Vlan
• Output the packet to port
• Drop the packet
• Set/Decrement IP TTL value
• Modify of L2/L3/L4 fields of Ethernet frame
The Physical ports can be configured as OpenFlow ports or as normal port. The flows in the flow table will
be installed based on the priority of the flow.
Cisco supports a subset of OpenFlow 1.0 and OpenFlow 1.3 functions. A controller can be Extensible Network
Controller (XNC) 1.0, or any controller compliant with OpenFlow 1.3.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
507
Information About Open Flow
Feature Notes
Configuration of physical interfaces as OpenFlow Bridge domain, Virtual LANs and Virtual Routing
logical switch ports and Forwarding (VRF), and port-channel interfaces
are not supported.
Only L2 interfaces can be OpenFlow logical switch
ports.
Asynchronous messages:
• Packet-In
• Flow Removed
• Port Status
• Error
Symmetric messages:
• Hello
• Echo Request
• Echo Reply
• Vendor
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
508
Information About Open Flow
Feature Notes
Multiple actions If multiple actions are associated with a flow, they
are processed in the order specified. The output action
should be the last action in the action list. Any action
after the output action is not supported, and can cause
the flow to fail and return an error to the controller.
Flows defined on the controller must follow the these
guidelines:
• The flow can have only one output action.
• Some action combinations which are not
supported may be rejected at flow programming
time.
• The flow should not have an
output–to–controller action in combination with
other rewrite actions.
Supported OpenFlow counters Per Table—Active entries, packet lookups, and packet
matches.
Per Flow—Received Packets, Received bytes,
Duration (seconds), Duration (milliseconds).
Per Port—Received or transmitted packets, and bytes.
Per Controller— Flow addition, modification,
deletion, error messages, echo requests or replies,
barrier requests or replies, connection attempts,
successful connections, packet in or packet out.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
509
Information About Open Flow
Feature Notes
Pipelines Pipelines are mandatory for logical switch. The logical
switch supports only pipeline 1.
The logical switch supports only table 0.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
510
Information About Open Flow
Feature Notes
Forwarding Table Match Criteria:
• Input Port
• Ethernet type
• Source Mac Address
• Dest Mac Address
• VLAN ID
• IP TOS (DSCP bits)
• IP Protocol (except for lower 8 bits of ARP
code)
• IPv4 Source Address
• IPv4 Destination Address
• Layer 4 Source Port
• Layer 4 Destination Port
• IPv6 Source Address
• IPv6 Destination Address
Action Criteria:
• Forward: Controller
• Forward: Port
• Forward: Drop
• Forward: Controller + Port
• Set VLAN ID
• New VLAN ID
• Replace VLAN ID
• Strip VLAN Header
• Modify Source MAC
• Modify Destination MAC
• Modify IPv4 Source Address
• Modify IPv4 Destination Address
• Modify IPv4 TOS bits
• Modify L4 source port
• Modify L4 destination port
• Decrement TTL
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
511
Configuring OpenFlow
Feature Notes
Number of flows 1000
Configuring OpenFlow
To configure OpenFlow logical switch and the IP address of a controller, perform this task:
Procedure
Example:
Switch# configure terminal
Step 3 feature openflow Enables Open Flow Agent support on the switch.
Example:
Switch(config)# feature
openflow
Example:
Switch(config)# openflow
Step 5 switch logical-switch-id pipeline Specifies an ID for a logical switch that is used for OpenFlow
logical-id switching and enters logical switch configuration mode.
The only logical switch ID supported is 1.
Example:
Configures a pipeline.
Switch(config-ofa-switch)#
switch 1 pipeline 1 This step is mandatory for a logical switch configuration. The
only pipeline ID supported is 1.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
512
Configuring OpenFlow
Step 7 of-port interface interface-name Adds interfaces to the logical switch configuration.
Observe these guidelines:
Example:
• Do not abbreviate the interface type. Ensure that the
Switch(config-ofa-switch)# interface type is spelled out completely and is as shown
of-port interface
GigabitEthernet1/0/23 in the examples.
Switch(config-ofa-switch)#
of-port interface • If the keyword is abbreviated, the interface is not
TenGigabitEthernet1/1/2 configured.
• The interface must be designated for the OpenFlow
logical switch only.
Step 8 default-miss Configures the action to be taken for packets that do not match
action-for-unmatched-flows any of the flow defined. The supported options are:
• forward the packets using the normal routing tables
Example:
• forward the packets to the controller
Switch(config-ofa-switch)#
default-miss • drop the packets
continue-controller
Step 9 protocol-version {1.1 | 1.3 | Configures the protocol version. Supported values are:
negotiate}
• 1.0—Configures device to connect to 1.0 controllers
only.
Example:
• 1.3—Configures device to connect to 1.3 controllers
Switch(config-ofa-switch)#
protocol-version negotiate only..
• negotiate—Negotiates the protocol version with the
controller. Device uses 1.3 for negotiation.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
513
Configuring OpenFlow
Step 12 tls trust-point local (Optional) Specifies the local and remote TLS trustpoints to
local-trust-point remote be used for the controller connection.
remote-trust-point
Example:
Switch(config-ofa-switch)# tls
trust-point local myCA remote
myCA
Step 13 probe-interval probe-interval (Optional) Configures the interval (in seconds) at which the
controller is probed.
Example: After the configured interval of time passes, if the switch has
Switch(config-ofa-switch)# not received any messages from the controller, the switch
probe-interval 7 sends an echo request (echo_request) to the controller. It
should normally receive an echo reply (echo_reply). If no
message is seen for the duration of another probe interval, the
switch presumes that the controller is down and disconnects
the controller connection. The switch tries to reconnect
periodically.
The default value is 5 seconds; the range is from 5 to 65535
seconds.
Step 14 rate-limit packet_in (Optional) Configures the maximum packet rate sent to the
controllet-packet-rate burst controller and the maximum packets burst sent to the
maximum-packets-to-controller controller in a second.
The default value is zero, that is, an indefinite packet rate and
Example: packet burst is permitted.
Switch(config-ofa-switch)# This rate limit is for OpenFlow. It is not related to the rate
rate-limit packet_in 300 burst
50
limit of the device (data plane) configured by COPP.
Step 15 max-backoff backoff-timer (Optional) Configures the duration (in seconds) for which the
device must wait before attempting to initiate a connection
Example: with the controller.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
514
Configuring OpenFlow
Step 17 statistics collection-interval Configures the statistics collection interval (in seconds) for
interval all configured flows of OpenFlow. Observe these guidelines:
• The default interval value is 7 seconds.
Example:
• The minimum interval is 7 seconds; the maximum is 82
Switch(config-ofa-switch)#
statistics collection-interval seconds.
7
• You can also specify a value of 0, this disables statistics
collection.
• Flows with an idle timeout value less than 2 * interval
are rejected.
Step 19 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Related Topics
Information About Open Flow, on page 507
Monitoring OpenFlow, on page 516
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
515
Monitoring OpenFlow
Monitoring OpenFlow
You can monitor OpenFlow parameters using the following commands:
Commands Description
show openflow switch switch-id Displays information related to OpenFlow on the
logical switch.
show openflow switch switch-id controllers [ stats Displays information related to the connection status
] between an OpenFlow logical switch and connected
Controllers.
show openflow switch switch-id ports Displays the mapping between physical device
interfaces and ports of OpenFlow logical switch.
show openflow switch-id flows Displays flows defined for the device by controllers.
show openflow switch switch-id stats Displays send and receive statistics for each port
defined for an OpenFlow logical switch.
Related Topics
Configuring OpenFlow, on page 512
Information About Open Flow, on page 507
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
516
Configuration Examples for OpenFlow
Controller: 1
address : tcp:10.106.253.118:6653
connection attempts : 9
successful connection attempts : 1
flow adds : 1
flow mods : 0
flow deletes : 0
flow removals : 0
flow errors : 0
flow unencodable errors : 0
total errors : 0
echo requests : rx: 0, tx:0
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
517
Configuration Examples for OpenFlow
Flow: 1
Match:
Actions: drop
Priority: 0
Table: 0
Cookie: 0x0
Duration: 4335.022s
Number of packets: 18323
Number of bytes: 1172672
Flow: 2
Match: ipv6
Actions: output:2
Priority: 1
Table: 0
Cookie: 0x0
Duration: 727.757s
Number of packets: 1024
Number of bytes: 131072
-----------------------------------------------------------------------------------------------------
This example shows how you can view the send and receive statistics for each port defined for an OpenFlow
logical switch.
Switch#show openflow switch 1 stats
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
518
Configuration Examples for OpenFlow
Number of lookups = 0
Number of matches = 0
-----------------------------------------------------------------------------------------------------
This example shows how you can view configurations made for OpenFlow.
Switch#show running-config | section openflow
feature openflow
mode openflow
mode openflow
openflow
switch 1 pipeline 1
controller ipv4 10.106.253.118 port 6653 security none
of-port interface GigabitEthernet1/0/1
of-port interface GigabitEthernet1/0/2
datapath-id 0x251
-----------------------------------------------------------------------------------------------------
This example shows how you can view OpenFlow hardware configurations.
Switch#show openflow hardware capabilities
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
519
Configuration Examples for OpenFlow
Related Topics
Configuring OpenFlow, on page 512
Information About Open Flow, on page 507
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
520
PART VIII
QoS
• Configuring QoS, page 523
• Configuring Auto-QoS, page 621
CHAPTER 28
Configuring QoS
• Finding Feature Information, page 523
• Prerequisites for QoS, page 523
• Restrictions for QoS, page 525
• Information About QoS, page 526
• How to Configure QoS, page 555
• Monitoring Standard QoS, page 608
• Configuration Examples for QoS, page 608
• Where to Go Next, page 619
• Additional References, page 619
• Feature History and Information for QoS, page 620
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
523
Prerequisites for QoS
Related Topics
Creating an IP Standard ACL for IPv4 Traffic, on page 567
Creating an IP Extended ACL for IPv4 Traffic, on page 568
Creating an IPv6 ACL for IPv6 Traffic, on page 569
Creating a Layer 2 MAC ACL for Non-IP Traffic, on page 572
Policing Guidelines
Note To use policing, the switch must be running the LAN Base image.
• The port ASIC device, which controls more than one physical port, supports 256 policers (255
user-configurable policers plus 1 policer reserved for system internal use). The maximum number of
user-configurable policers supported per port is 63. Policers are allocated on demand by the software
and are constrained by the hardware and ASIC boundaries.
You cannot reserve policers per port; there is no guarantee that a port will be assigned to any policer.
• Only one policer is applied to a packet on an ingress port. Only the average rate and committed burst
parameters are configurable.
• On a port configured for QoS, all traffic received through the port is classified, policed, and marked
according to the policy map attached to the port. On a trunk port configured for QoS, traffic in all VLANs
received through the port is classified, policed, and marked according to the policy map attached to the
port.
• If you have EtherChannel ports configured on your switch, you must configure QoS classification,
policing, mapping, and queueing on the individual physical ports that comprise the EtherChannel. You
must decide whether the QoS configuration should match on all ports in the EtherChannel.
• If you need to modify a policy map of an existing QoS policy, first remove the policy map from all
interfaces, and then modify or copy the policy map. After you finish the modification, apply the modified
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
524
Restrictions for QoS
policy map to the interfaces. If you do not first remove the policy map from all interfaces, high CPU
usage can occur, which, in turn, can cause the console to pause for a very long time.
Running these features with 8 egress queue enabled in a single configuration is not supported on the
switch.
• You can configure QoS only on physical ports. VLAN-based QoS is not supported. You configure the
QoS settings, such as classification, queueing, and scheduling, and apply the policy map to a port. When
configuring QoS on a physical port, you apply a nonhierarchical policy map to a port.
• If the switch is running the LAN Lite image you can:
◦Configure ACLs, but you cannot attach them to physical interfaces. You can attach them to VLAN
interfaces to filter traffic to the CPU.
◦Enable only cos trust at interface level.
◦Enable SRR shaping and sharing at interface level.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
525
Information About QoS
• The switch must be running the LAN Base image to use the following QoS features:
◦Policy maps
◦Policing and marking
◦Mapping tables
◦WTD
QoS Implementation
Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and
an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance
of being dropped.
When you configure the QoS feature, you can select specific network traffic, prioritize it according to its
relative importance, and use congestion-management and congestion-avoidance techniques to provide
preferential treatment. Implementing QoS in your network makes network performance more predictable and
bandwidth utilization more effective.
The QoS implementation is based on the Differentiated Services (Diff-Serv) architecture, a standard from the
Internet Engineering Task Force (IETF). This architecture specifies that each packet is classified upon entry
into the network.
The classification is carried in the IP packet header, using 6 bits from the deprecated IP type of service (ToS)
field to carry the classification (class) information. Classification can also be carried in the Layer 2 frame.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
526
Information About QoS
The special bits in the Layer 2 frame or a Layer 3 packet are shown in the following figure:
Figure 53: QoS Classification Layers in Frames and Packets
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
527
Information About QoS
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
528
Information About QoS
• Marking evaluates the policer and configuration information for the action to be taken when a packet is
out of profile and determines what to do with the packet (pass through a packet without modification,
marking down the QoS label in the packet, or dropping the packet).
Note Queueing and scheduling are only supported at egress and not at ingress on the switch.
Classification Overview
Classification is the process of distinguishing one kind of traffic from another by examining the fields in the
packet. Classification is enabled only if QoS is globally enabled on the switch. By default, QoS is globally
disabled, so no classification occurs.
During classification, the switch performs a lookup and assigns a QoS label to the packet. The QoS label
identifies all QoS actions to be performed on the packet and from which queue the packet is sent.
The QoS label is based on the DSCP or the CoS value in the packet and decides the queuing and scheduling
actions to perform on the packet. The label is mapped according to the trust setting and the packet type as
shown in the Classification Flowchart.
You specify which fields in the frame or packet that you want to use to classify incoming traffic.
Related Topics
Ingress Port Activity
Egress Port Activity
Configuring a QoS Policy, on page 566
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
529
Information About QoS
Trust the DSCP or trust IP precedence value Trust the DSCP or trust IP precedence value in the incoming
frame. These configurations are meaningless for non-IP
traffic. If you configure a port with either of these options
and non-IP traffic is received, the switch assigns a CoS value
and generates an internal DSCP value from the CoS-to-DSCP
map. The switch uses the internal DSCP value to generate
a CoS value representing the priority of the traffic.
Perform classification based on configured Perform the classification based on a configured Layer 2
Layer 2 MAC ACL MAC access control list (ACL), which can examine the
MAC source address, the MAC destination address, and
other fields. If no ACL is configured, the packet is assigned
0 as the DSCP and CoS values, which means best-effort
traffic. Otherwise, the policy-map action specifies a DSCP
or CoS value to assign to the incoming frame.
After classification, the packet is sent to the policing and marking stages.
IP Traffic Classification
The following table describes the IP traffic classification options for your QoS configuration.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
530
Information About QoS
Trust the CoS value Trust the CoS value (if present) in the incoming packet, and generate a
DSCP value for the packet by using the CoS-to-DSCP map. If the CoS
value is not present, use the default port CoS value.
IP standard or an extended ACL Perform the classification based on a configured IP standard or an extended
ACL, which examines various fields in the IP header. If no ACL is
configured, the packet is assigned 0 as the DSCP and CoS values, which
means best-effort traffic. Otherwise, the policy-map action specifies a
DSCP or CoS value to assign to the incoming frame.
Override configured CoS Override the configured CoS of incoming packets, and apply the default
port CoS value to them. For IPv6 packets, the DSCP value is rewritten by
using the CoS-to-DSCP map and by using the default CoS of the port. You
can do this for both IPv4 and IPv6 traffic.
After classification, the packet is sent to the policing and marking stages.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
531
Information About QoS
Classification Flowchart
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
532
Information About QoS
• If a match with a permit action is encountered (first-match principle), the specified QoS-related action
is taken.
• If a match with a deny action is encountered, the ACL being processed is skipped, and the next ACL is
processed.
• If no match with a permit action is encountered and all the ACEs have been examined, no QoS processing
occurs on the packet, and the switch offers best-effort service to the packet.
• If multiple ACLs are configured on a port, the lookup stops after the packet matches the first ACL with
a permit action, and QoS processing begins.
Note When creating an access list, note that by default the end of the access list contains an
implicit deny statement for everything if it did not find a match before reaching the end.
After a traffic class has been defined with the ACL, you can attach a policy to it. A policy might contain
multiple classes with actions specified for each one of them. A policy might include commands to classify
the class as a particular aggregate (for example, assign a DSCP) or rate-limit the class. This policy is then
attached to a particular port on which it becomes effective.
You implement IP ACLs to classify IP traffic by using the access-list global configuration command; you
implement Layer 2 MAC ACLs to classify non-IP traffic by using the mac access-list extended global
configuration command.
Related Topics
Creating an IP Standard ACL for IPv4 Traffic, on page 567
Creating an IP Extended ACL for IPv4 Traffic, on page 568
Creating an IPv6 ACL for IPv6 Traffic, on page 569
Creating a Layer 2 MAC ACL for Non-IP Traffic, on page 572
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
533
Information About QoS
You can configure a default class by using the class class-default policy-map configuration command.
Unclassified traffic (traffic specified in the other traffic classes configured on the policy-map) is treated as
default traffic.
You create and name a policy map by using the policy-map global configuration command. When you enter
this command, the switch enters the policy-map configuration mode. In this mode, you specify the actions to
take on a specific traffic class by using the class, trust, or set policy-map configuration and policy-map class
configuration commands.
The policy map can contain the police and police aggregate policy-map class configuration commands, which
define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded.
To enable the policy map, you attach it to a port by using the service-policy interface configuration command.
Note All traffic, regardless of whether it is bridged or routed, is subjected to a policer, if one is configured. As
a result, bridged packets might be dropped or might have their DSCP or CoS fields modified when they
are policed and marked.
You can configure policing on a physical port. After you configure the policy map and policing actions, attach
the policy to a port by using the service-policy interface configuration command.
Related Topics
Ingress Port Activity
Class Maps
Policy Maps
Configuring a QoS Policy, on page 566
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps, on page 578
Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps
Classifying, Policing, and Marking Traffic by Using Aggregate Policers, on page 582
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
534
Information About QoS
• Aggregate—QoS applies the bandwidth limits specified in an aggregate policer cumulatively to all
matched traffic flows. You configure this type of policer by specifying the aggregate policer name within
a policy map by using the police aggregate policy-map class configuration command. You specify the
bandwidth limits of the policer by using the mls qos aggregate-policer global configuration command.
In this way, the aggregate policer is shared by multiple classes of traffic within a policy map.
Policing uses a token-bucket algorithm. As each frame is received by the switch, a token is added to the bucket.
The bucket has a hole in it and leaks at a rate that you specify as the average traffic rate in bits per second.
Each time a token is added to the bucket, the switch verifies that there is enough room in the bucket. If there
is not enough room, the packet is marked as nonconforming, and the specified policer action is taken (dropped
or marked down).
How quickly the bucket fills is a function of the bucket depth (burst-byte), the rate at which the tokens are
removed (rate-bps), and the duration of the burst above the average rate. The size of the bucket imposes an
upper limit on the burst length and limits the number of frames that can be transmitted back-to-back. If the
burst is short, the bucket does not overflow, and no action is taken against the traffic flow. However, if a burst
is long and at a higher rate, the bucket overflows, and the policing actions are taken against the frames in that
burst.
You configure the bucket depth (the maximum burst that is tolerated before the bucket overflows) by using
the burst-byte option of the police policy-map class configuration command or the mls qos aggregate-policer
global configuration command. You configure how fast (the average rate) that the tokens are removed from
the bucket by using the rate-bps option of the police policy-map class configuration command or the mls qos
aggregate-policer global configuration command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
535
Information About QoS
Related Topics
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps, on page 578
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
536
Information About QoS
Policing During policing stage, QoS can assign another DSCP value to an IP or a non-IP packet
(if the packet is out of profile and the policer specifies a marked-down value). This
configurable map is called the policed-DSCP map.
You configure this map by using the mls qos map policed-dscp global configuration
command.
Pre-scheduling Before the traffic reaches the scheduling stage, QoS stores the packet in an egress
queue according to the QoS label. The QoS label is based on the DSCP or the CoS
value in the packet and selects the queue through the DSCP output queue threshold
maps or through the CoS output queue threshold maps. In addition to an egress queue,
the QOS label also identifies the WTD threshold value.
You configure these maps by using the mls qos srr-queue { output} dscp-map and
the mls qos srr-queue { output} cos-map global configuration commands.
The CoS-to-DSCP, DSCP-to-CoS, and the IP-precedence-to-DSCP maps have default values that might or
might not be appropriate for your network.
The default DSCP-to-DSCP-mutation map and the default policed-DSCP map are null maps; they map an
incoming DSCP value to the same DSCP value. The DSCP-to-DSCP-mutation map is the only map you apply
to a specific port. All other maps apply to the entire switch.
Related Topics
Configuring DSCP Maps, on page 585
Queueing and Scheduling on Ingress Queues, on page 540
Queueing and Scheduling on Egress Queues
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
537
Information About QoS
Note The switch supports 4 egress queues by default and there is an option to enable a total of 8 egress queues.
The 8 egress queue configuration is only supported on a standalone switch.
The following figure shows an example of WTD operating on a queue whose size is 1000 frames. Three drop
percentages are configured: 40 percent (400 frames), 60 percent (600 frames), and 100 percent (1000 frames).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
538
Information About QoS
These percentages indicate that up to 400 frames can be queued at the 40-percent threshold, up to 600 frames
at the 60-percent threshold, and up to 1000 frames at the 100-percent threshold.
Figure 58: WTD and Queue Operation
In the example, CoS values 6 and 7 have a greater importance than the other CoS values, and they are assigned
to the 100-percent drop threshold (queue-full state). CoS values 4 and 5 are assigned to the 60-percent threshold,
and CoS values 0 to 3 are assigned to the 40-percent threshold.
Suppose the queue is already filled with 600 frames, and a new frame arrives. It contains CoS values 4 and
5 and is subjected to the 60-percent threshold. If this frame is added to the queue, the threshold will be exceeded,
so the switch drops it.
Related Topics
Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds, on page 592
Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, on page 597
Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID, on page 600
WTD Thresholds, on page 542
Queues and WTD Thresholds, on page 546
Related Topics
Ingress Port Activity
Allocating Bandwidth Between the Ingress Queues, on page 595
Configuring SRR Shaped Weights on Egress Queues, on page 601
Configuring SRR Shared Weights on Egress Queues, on page 603
Shaped or Shared Mode, on page 546
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
539
Information About QoS
The following figure shows queueing and scheduling flowcharts for ingress ports on Catalyst 3750-E and
3750-X switches.
Figure 59: Queueing and Scheduling Flowchart for Ingress Ports on Catalyst 3750-E and 3750-X Switches
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
540
Information About QoS
The following figure shows queueing and scheduling flowcharts for ingress ports on Catalyst 3560-E and
3560-X switches.
Figure 60: Queueing and Scheduling Flowchart for Ingress Ports on Catalyst 3560-E and 3560-X Switches
Note SRR services the priority queue for its configured share before servicing the other queue.
Related Topics
Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds, on page 592
Allocating Buffer Space Between the Ingress Queues, on page 593
Examples: Configuring Ingress Queue Characteristics, on page 617
Allocating Bandwidth Between the Ingress Queues, on page 595
Examples: Configuring Ingress Queue Characteristics, on page 617
Configuring the Ingress Priority Queue
Examples: Configuring Ingress Queue Characteristics, on page 617
Configuring the Ingress Priority Queue
Mapping Tables Overview, on page 536
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
541
Information About QoS
Note The switch also uses two nonconfigurable queues for traffic that are essential for proper network and stack
operation.
Queue Function
Type
Normal User traffic that is considered to be normal priority.
You can configure three different thresholds to differentiate among the flows.
Use the following global configuration commands:
• mls qos srr-queue input threshold
• mls qos srr-queue input dscp-map
• mls qos srr-queue input cos-map
Expedite High-priority user traffic such as differentiated services (DF) expedited forwarding or voice
traffic.
You can configure the bandwidth required for this traffic as a percentage of the total traffic or
total stack traffic on the switches by using the mls qos srr-queue input priority-queue global
configuration command.
The expedite queue has guaranteed bandwidth.
You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map
DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls
qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or
the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8}
global configuration command. You can display the DSCP input queue threshold map and the CoS input
queue threshold map by using the show mls qos maps privileged EXEC command.
WTD Thresholds
The queues use WTD to support distinct drop percentages for different traffic classes. Each queue has three
drop thresholds: two configurable (explicit) WTD thresholds and one nonconfigurable (implicit) threshold
preset to the queue-full state.
You assign the two explicit WTD threshold percentages for threshold ID 1 and ID 2 to the ingress queues by
using the mls qos srr-queue input threshold queue-id threshold-percentage1 threshold-percentage2 global
configuration command. Each threshold value is a percentage of the total number of allocated buffers for the
queue. The drop threshold for threshold ID 3 is preset to the queue-full state, and you cannot modify it.
Related Topics
Weighted Tail Drop, on page 538
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
542
Information About QoS
Priority Queueing
You can configure one ingress queue as the priority queue by using the mls qos srr-queue input priority-queue
queue-id bandwidth weight global configuration command. The priority queue should be used for traffic
(such as voice) that requires guaranteed delivery because this queue is guaranteed part of the bandwidth
regardless of the load on the stack or internal ring.
SRR services the priority queue for its configured weight as specified by the bandwidth keyword in the mls
qos srr-queue input priority-queue queue-id bandwidth weight global configuration command. Then, SRR
shares the remaining bandwidth with both ingress queues and services them as specified by the weights
configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command.
You can combine the above commands to prioritize traffic by placing packets with particular DSCPs or CoSs
into certain queues, by allocating a large queue size or by servicing the queue more frequently, and by adjusting
queue thresholds so that packets with lower priorities are dropped.
Related Topics
Configuring Ingress Queue Characteristics, on page 591
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
543
Information About QoS
Figure 61: Queueing and Scheduling Flowchart for Egress Ports on the Switch
Note If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
544
Information About QoS
Note If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues.
The buffer space is divided between the common pool and the reserved pool. The switch uses a buffer allocation
scheme to reserve a minimum amount of buffers for each egress queue, to prevent any queue or port from
consuming all the buffers and depriving other queues, and to control whether to grant buffer space to a
requesting queue. The switch detects whether the target queue has not consumed more buffers than its reserved
amount (under-limit), whether it has consumed all of its maximum buffers (over limit), and whether the
common pool is empty (no free buffers) or not empty (free buffers). If the queue is not over-limit, the switch
can allocate buffer space from the reserved pool or from the common pool (if it is not empty). If there are no
free buffers in the common pool or if the queue is over-limit, the switch drops the frame.
Figure 62: Egress Queue Buffer Allocation
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
545
Information About QoS
are reserved for it by setting a maximum threshold. The switch can allocate the needed buffers from the
common pool if the common pool is not empty.
Note The switch supports 4 egress queues by default, although there is an option to enable a total of 8 egress
queues. Use the mls qos srr-queue output queues 8 global configuration command to enable all 8 egress
queues. Once 8 egress queues are enabled, you are able to configure thresholds and buffers for all 8 queues.
The 8 egress queue configuration is only supported on a standalone switch.
Note The switch supports 4 egress queues by default, although there is an option to enable a total of 8 egress
queues. Use the mls qos srr-queue output queues 8 global configuration command to enable all 8 egress
queues. Once 8 egress queues are enabled, you are able to configure thresholds and buffers for all 8 queues.
The 8 egress queue configuration is only supported on a standalone switch.
Related Topics
Weighted Tail Drop, on page 538
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
546
Information About QoS
Note The egress queue default settings are suitable for most situations. You should change them only when you
have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
Note The switch supports 4 egress queues by default, although there is an option to enable a total of 8 egress
queues. Use the mls qos srr-queue output queues 8 global configuration command to enable all 8 egress
queues. Once 8 egress queues are enabled, you are able to configure thresholds, buffers, bandwidth share
weights, and bandwidth shape weights for all 8 queues. The 8 egress queue configuration is only supported
on a standalone switch.
Related Topics
Configuring Egress Queue Characteristics, on page 596
SRR Shaping and Sharing, on page 539
Packet Modification
A packet is classified, policed, and queued to provide QoS. The following packet modifications can occur
during the process to provide QoS:
• For IP and non-IP packets, classification involves assigning a QoS label to a packet based on the DSCP
or CoS of the received packet. However, the packet is not modified at this stage; only an indication of
the assigned DSCP or CoS value is carried along.
• During policing, IP and non-IP packets can have another DSCP assigned to them (if they are out of
profile and the policer specifies a markdown DSCP). Once again, the DSCP in the packet is not modified,
but an indication of the marked-down value is carried along. For IP packets, the packet modification
occurs at a later stage; for non-IP packets the DSCP is converted to CoS and used for queueing and
scheduling decisions.
• Depending on the QoS label assigned to a frame and the mutation chosen, the DSCP and CoS values of
the frame are rewritten. If you do not configure a table map and if you configure the port to trust the
DSCP of the incoming frame, the DSCP value in the frame is not changed, but the CoS is rewritten
according to the DSCP-to-CoS map. If you configure the port to trust the CoS of the incoming frame
and it is an IP packet, the CoS value in the frame is not changed, but the DSCP might be changed
according to the CoS-to-DSCP map.
The input mutation causes the DSCP to be rewritten depending on the new value of DSCP chosen. The
set action in a policy map also causes the DSCP to be rewritten.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
547
Information About QoS
When QoS is enabled using the mls qos global configuration command and all other QoS settings are at their
defaults, traffic is classified as best effort (the DSCP and CoS value is set to 0) without any policing. No
policy maps are configured. The default port trust state on all ports is untrusted.
Related Topics
Enabling QoS Globally, on page 555
Default Egress Queue Configuration, on page 549
Default Ingress Queue Configuration, on page 548
Bandwidth allocation 4 4
The following table shows the default CoS input queue threshold map when QoS is enabled.
5 2–1
6, 7 1–1
The following table shows the default DSCP input queue threshold map when QoS is enabled.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
548
Information About QoS
40–47 2–1
48–63 1–1
Related Topics
Enabling QoS Globally, on page 555
Standard QoS Default Configuration, on page 547
Note The switch supports 4 egress queues by default, although there is an option to enable a total of 8 egress
queues. Use the mls qos srr-queue output queues 8 global configuration command to enable all 8 egress
queues. Once 8 egress queues are enabled, you are able to configure thresholds and buffers for all 8 queues.
The 8 egress queue configuration is only supported on a standalone switch.
The following table shows the default egress queue configuration for each queue-set when QoS is enabled.
All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited. Note
that for the SRR shaped weights (absolute) feature, a shaped weight of zero indicates that the queue is operating
in shared mode. Note that for the SRR shared weights feature, one quarter of the bandwidth is allocated to
each queue.
WTD drop threshold 1 100 percent 200 percent 100 percent 100 percent
WTD drop threshold 2 100 percent 200 percent 100 percent 100 percent
Maximum threshold 400 percent 400 percent 400 percent 400 percent
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
549
Information About QoS
The following table shows the default CoS output queue threshold map when QoS is enabled.
2, 3 3–1
4 4–1
5 1–1
6, 7 4–1
The following table shows the default DSCP output queue threshold map when QoS is enabled.
16–31 3–1
32–39 4–1
40–47 1–1
48–63 4–1
The following table displays the default egress queue configuration when the 8 egress queue configuration is
enabled using the mls qos srr-queue output queues 8 command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
550
Information About QoS
SRR 25 0 0 0 0 0 0 0
shaped
weights
SRR 25 25 25 25 25 25 25 25
shared
weights
The following table displays the default CoS output queue threshold map when QoS is enabled and the 8
egress queue configuration is enabled using the mls qos srr-queue output queues 8 command.
1 3 1 2
2 4 1 3
3 5 1 3
4 6 1 4
5 1 1 1
6 7 1 4
7 8 1 4
The following table displays the default DSCP output queue threshold map when QoS is enabled and the 8
egress queue configuration is enabled using the mls qos srr-queue output queues 8 command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
551
Information About QoS
8-15 3 1 2
16-23 4 1 3
24-31 5 1 3
32-39 6 1 4
40-47 1 1 1
48-55 7 1 4
56-63 8 1 4
Related Topics
Enabling QoS Globally, on page 555
Standard QoS Default Configuration, on page 547
Related Topics
Default CoS-to-DSCP Map, on page 552
Default IP-Precedence-to-DSCP Map, on page 553
Default DSCP-to-CoS Map, on page 554
DSCP Maps
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
552
Information About QoS
1 8
2 16
3 24
4 32
5 40
6 48
7 56
Related Topics
Default Mapping Table Configuration, on page 552
Configuring the CoS-to-DSCP Map, on page 585
Configuring the Policed-DSCP Map, on page 587
1 8
2 16
3 24
4 32
5 40
6 48
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
553
Information About QoS
Related Topics
Default Mapping Table Configuration, on page 552
Configuring the IP-Precedence-to-DSCP Map, on page 586
Configuring the Policed-DSCP Map, on page 587
8–15 1
16–23 2
24–31 3
32–39 4
40–47 5
48–55 6
56–63 7
Related Topics
Default Mapping Table Configuration, on page 552
Configuring the DSCP-to-CoS Map, on page 588
Configuring the Policed-DSCP Map, on page 587
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
554
How to Configure QoS
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# end
Example:
Switch# show mls qos
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Related Topics
Standard QoS Default Configuration, on page 547
Default Egress Queue Configuration, on page 549
Default Ingress Queue Configuration, on page 548
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
555
How to Configure QoS
Procedure
Example:
Switch# configure terminal
Step 2 interface interface-id Specifies the physical port, and enter interface
configuration mode.
Example:
Switch(config)# interface
gigabitethernet 1/0/1
Example:
Switch(config-if)# end
Step 5 show mls qos interface interface-id Verifies if VLAN-based QoS is enabled on the
physical port.
Example:
Switch# show mls qos interface
gigabitethernet 1/0/1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
556
How to Configure QoS
Note Depending on your network configuration, you must perform one or more of these tasks in this module
or one or more of the tasks in the Configuring a QoS Policy.
Figure 63: Port Trusted States on Ports Within the QoS Domain
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
557
How to Configure QoS
Procedure
Example:
Switch# configure terminal
Step 2 interface interface-id Specifies the port to be trusted, and enters interface
configuration mode. Valid interfaces are physical ports.
Example:
Switch(config)# interface
gigabitethernet 1/0/2
Step 3 mls qos trust [cos | dscp | Configures the port trust state.
ip-precedence] By default, the port is not trusted. If no keyword is specified,
the default is dscp.
Example:
The keywords have these meanings:
Switch(config-if)# mls qos
trust cos • cos—Classifies an ingress packet by using the packet
CoS value. For an untagged packet, the port default CoS
value is used. The default port CoS value is 0.
• dscp—Classifies an ingress packet by using the packet
DSCP value. For a non-IP packet, the packet CoS value
is used if the packet is tagged; for an untagged packet,
the default port CoS is used. Internally, the switch maps
the CoS value to a DSCP value by using the
CoS-to-DSCP map.
• ip-precedence—Classifies an ingress packet by using
the packet IP-precedence value. For a non-IP packet, the
packet CoS value is used if the packet is tagged; for an
untagged packet, the default port CoS is used. Internally,
the switch maps the CoS value to a DSCP value by using
the CoS-to-DSCP map.
To return a port to its untrusted state, use the no mls qos trust
interface configuration command.
Example:
Switch(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
558
How to Configure QoS
Example:
Switch# show mls qos
interface
Step 6 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Related Topics
Configuring the CoS Value for an Interface, on page 559
Configuring the CoS-to-DSCP Map, on page 585
Procedure
Example:
Switch# configure terminal
Step 2 interface interface-id Specifies the port to be configured, and enters interface
configuration mode.
Example: Valid interfaces include physical ports.
Switch(config)# interface
gigabitethernet 1/1/1
Step 3 mls qos cos {default-cos | Configures the default CoS value for the port.
override}
• For default-cos, specify a default CoS value to be assigned
to a port. If the packet is untagged, the default CoS value
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
559
How to Configure QoS
Switch(config-if)# mls qos • Use the override keyword to override the previously
override configured trust state of the incoming packet and to apply
the default port CoS value to the port on all incoming
packets. By default, CoS override is disabled.
Use the override keyword when all incoming packets on
specified ports deserve higher or lower priority than
packets entering from other ports. Even if a port was
previously set to trust DSCP, CoS, or IP precedence, this
command overrides the previously configured trust state,
and all the incoming CoS values are assigned the default
CoS value configured with this command. If an incoming
packet is tagged, the CoS value of the packet is modified
with the default CoS of the port at the ingress port.
Note To return to the default setting, use the no mls qos cos
{default-cos | override} interface configuration
command.
Step 4 end Returns to privileged EXEC mode.
Example:
Switch(config-if)# end
Example:
Switch# show mls qos
interface
Step 6 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Related Topics
Configuring the Trust State on Ports Within the QoS Domain, on page 557
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
560
How to Configure QoS
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# cdp run
Step 3 interface interface-id Specifies the port connected to the Cisco IP Phone,
and enters interface configuration mode.
Example: Valid interfaces include physical ports.
Switch(config)# interface
gigabitethernet 2/1/1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
561
How to Configure QoS
Example:
Switch(config-if)# cdp enable
Step 5 Use one of the following: Configures the switch port to trust the CoS value in
traffic received from the Cisco IP Phone.
• mls qos trust cos
or
• mls qos trust dscp
Configures the routed port to trust the DSCP value
in traffic received from the Cisco IP Phone.
Example: By default, the port is not trusted.
Switch(config-if)# mls qos trust
cos
Step 6 mls qos trust device cisco-phone Specifies that the Cisco IP Phone is a trusted device.
You cannot enable both trusted boundary and
Example: auto-QoS (auto qos voip interface configuration
Switch(config-if)# mls qos trust command) at the same time; they are mutually
device cisco-phone exclusive.
Note To disable the trusted boundary feature, use
the no mls qos trust device interface
configuration command.
Step 7 end Returns to privileged EXEC mode.
Example:
Switch(config-if)# end
Example:
Switch# show mls qos interface
Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
562
How to Configure QoS
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# mls qos
Step 3 no mls qos rewrite ip dscp Enables DSCP transparency. The switch
is configured to not modify the DSCP field
Example: of the IP packet.
Example:
Switch(config)# end
Example:
Switch# show mls qos interface
gigabitethernet 2/1/1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
563
How to Configure QoS
Configuring the DSCP Trust State on a Port Bordering Another QoS Domain
If you are administering two separate QoS domains between which you want to implement QoS features for
IP traffic, you can configure the switch ports bordering the domains to a DSCP-trusted state. The receiving
port accepts the DSCP-trusted value and avoids the classification stage of QoS. If the two domains use different
DSCP values, you can configure the DSCP-to-DSCP-mutation map to translate a set of DSCP values to match
the definition in the other domain.
Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and
modify the DSCP-to-DSCP-mutation map. To ensure a consistent mapping strategy across both QoS domains,
you must perform this procedure on the ports in both domains.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
564
How to Configure QoS
Procedure
Example:
Switch# configure terminal
Step 3 interface interface-id Specifies the port to be trusted, and enter interface
configuration mode.
Example: Valid interfaces include physical ports.
Switch(config)# interface
gigabitethernet1/0/2
Step 4 mls qos trust dscp Configures the ingress port as a DSCP-trusted port. By
default, the port is not trusted.
Example: Note To return a port to its non-trusted state, use the no
Switch(config-if)# mls qos trust mls qos trust interface configuration command.
dscp
Step 5 mls qos dscp-mutation Applies the map to the specified ingress DSCP-trusted port.
dscp-mutation-name For dscp-mutation-name, specify the mutation map name
created in Step 2.
Example:
You can configure multiple DSCP-to-DSCP-mutation maps
Switch(config-if)# mls qos on an ingress port.
dscp-mutation
gigabitethernet1/0/2-mutation Note To return to the default DSCP-to-DSCP-mutation
map values, use the no mls qos map
dscp-mutation dscp-mutation-name global
configuration command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
565
How to Configure QoS
Example:
Switch(config-if)# end
Example:
Switch# show mls qos maps
dscp-mutation
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Note To return a port to its non-trusted state, use the no
Example: mls qos trust interface configuration command.
Switch# copy-running-config To return to the default DSCP-to-DSCP-mutation
startup-config map values, use the no mls qos map
dscp-mutation dscp-mutation-name global
configuration command.
Related Topics
Example: Configuring Port to the DSCP-Trusted State and Modifying the DSCP-to-DSCP-Mutation Map,
on page 608
These sections describe how to classify, police, and mark traffic. Depending on your network configuration,
you must perform one or more of the modules in this section.
Related Topics
Policing and Marking Overview, on page 534
Classification Overview, on page 529
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
566
How to Configure QoS
Procedure
Example:
Switch# configure terminal
Step 2 access-list access-list-number Creates an IP standard ACL, repeating the command as many
{deny | permit} source times as necessary.
[source-wildcard]
• For access-list-number, enter the access list number. The
range is 1 to 99 and 1300 to 1999.
Example:
• Use the permit keyword to permit a certain type of traffic
Switch(config)# access-list 1
if the conditions are matched. Use the deny keyword to
permit 192.2.255.0 1.1.1.255 deny a certain type of traffic if conditions are matched.
• For source, enter the network or host from which the
packet is being sent. You can use the any keyword as an
abbreviation for 0.0.0.0 255.255.255.255.
• (Optional) For source-wildcard, enter the wildcard bits
in dotted decimal notation to be applied to the source.
Place ones in the bit positions that you want to ignore.
Example:
Switch(config)# end
Example:
Switch# show access-lists
Step 5 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
567
How to Configure QoS
Example:
Switch# copy-running-config
startup-config
Related Topics
Access Control Lists, on page 532
QoS ACL Guidelines, on page 524
Examples: Classifying Traffic by Using ACLs, on page 609
Procedure
Example:
Switch# configure terminal
Step 2 access-list access-list-number Creates an IP extended ACL, repeating the command as many times
{deny | permit} protocol as necessary.
source source-wildcard
destination destination-wildcard • For access-list-number, enter the access list number. The
range is 100 to 199 and 2000 to 2699.
Example: • Use the permit keyword to permit a certain type of traffic if
the conditions are matched. Use the deny keyword to deny a
Switch(config)# access-list
100 permit ip any any dscp certain type of traffic if conditions are matched.
32
• For protocol, enter the name or number of an IP protocol.
Use the question mark (?) to see a list of available protocol
keywords.
• For source, enter the network or host from which the packet
is being sent. You specify this by using dotted decimal
notation, by using the any keyword as an abbreviation for
source 0.0.0.0 source-wildcard 255.255.255.255, or by using
the host keyword for source 0.0.0.0.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
568
How to Configure QoS
Example:
Switch(config)# end
Example:
Switch# show access-lists
Step 5 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy-running-config
startup-config
Related Topics
Access Control Lists, on page 532
QoS ACL Guidelines, on page 524
Examples: Classifying Traffic by Using ACLs, on page 609
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
569
How to Configure QoS
Procedure
Example:
Switch# configure terminal
Step 2 ipv6 access-list access-list-name Creates an IPv6 ACL and enters IPv6 access-list configuration
mode.
Example: Accesses list names cannot contain a space or quotation mark or
Switch(config)# ipv6 begin with a numeric.
access-list ipv6_Name_ACL
Note To delete an access list, use the no ipv6 access-list
access-list-number global configuration command.
Step 3 {deny | permit} protocol Enters deny or permit to specify whether to deny or permit the
{source-ipv6-prefix/prefix-length packet if conditions are matched. These are the conditions:
| any | host source-ipv6-address} For protocol, enter the name or number of an Internet protocol:
[operator [port-number]] ahp, esp, icmp, ipv6, pcp, stcp, tcp, or udp, or an integer in the
{destination-ipv6-prefix/ range 0 to 255 representing an IPv6 protocol number.
prefix-length | any | host
destination-ipv6-address} • The source-ipv6-prefix/prefix-length or
[operator [port-number]] [dscp destination-ipv6-prefix/ prefix-length is the source or
value] [fragments] [log] destination IPv6 network or class of networks for which to
[log-input] [routing] [sequence set deny or permit conditions, specified in hexadecimal and
value] [time-range name] using 16-bit values between colons (see RFC 2373).
• Enter any as an abbreviation for the IPv6 prefix ::/0.
Example:
• For host source-ipv6-address or destination-ipv6-address,
Switch(config-ipv6-acl)# enter the source or destination IPv6 host address for which
permit ip host 10::1 host
11::2 host to set deny or permit conditions, specified in hexadecimal
using 16-bit values between colons.
• (Optional) For operator, specify an operand that compares
the source or destination ports of the specified protocol.
Operands are lt (less than), gt (greater than), eq (equal), neq
(not equal), and range.
If the operator follows the source-ipv6-prefix/prefix-length
argument, it must match the source port. If the operator
follows the destination-ipv6- prefix/prefix-length argument,
it must match the destination port.
• (Optional) The port-number is a decimal number from 0 to
65535 or the name of a TCP or UDP port. You can use TCP
port names only when filtering TCP. You can use UDP port
names only when filtering UDP.
• (Optional) Enter dscp value to match a differentiated services
code point value against the traffic class value in the Traffic
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
570
How to Configure QoS
Example:
Switch(config-ipv6-acl)# end
Example:
Switch# show ipv6
access-list
Step 6 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy-running-config
startup-config
Related Topics
Access Control Lists, on page 532
QoS ACL Guidelines, on page 524
Examples: Classifying Traffic by Using ACLs, on page 609
QoS ACL IPv6 Guidelines
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
571
How to Configure QoS
Procedure
Example:
Switch# configure terminal
Step 2 mac access-list extended name Creates a Layer 2 MAC ACL by specifying the name of the
list.
Example: After entering this command, the mode changes to extended
Switch(config)# mac access-list MAC ACL configuration.
extended maclist1
Note To delete an access list, use the no mac access-list
extended access-list-name global configuration
command.
Step 3 {permit | deny} {host Specifies the type of traffic to permit or deny if the conditions
src-MAC-addr mask | any | host are matched, entering the command as many times as
dst-MAC-addr | dst-MAC-addr necessary.
mask} [type mask]
• For src-MAC-addr, enter the MAC address of the host
from which the packet is being sent. You specify this by
Example: using the hexadecimal format (H.H.H), by using the any
Switch(config-ext-mac1) # keyword as an abbreviation for source 0.0.0,
permit 0001.0000.0001 source-wildcard ffff.ffff.ffff, or by using the host
0.0.0 0002.0000.0001 0.0.0
keyword for source 0.0.0.
Switch(config-ext-mac1) # • For mask, enter the wildcard bits by placing ones in the
permit 0001.0000.0002 bit positions that you want to ignore.
0.0.0 0002.0000.0002 0.0.0
xns-idp • For dst-MAC-addr, enter the MAC address of the host
to which the packet is being sent. You specify this by
using the hexadecimal format (H.H.H), by using the any
keyword as an abbreviation for source 0.0.0,
source-wildcard ffff.ffff.ffff, or by using the host
keyword for source 0.0.0.
• (Optional) For type mask, specify the Ethertype number
of a packet with Ethernet II or SNAP encapsulation to
identify the protocol of the packet. For type, the range
is from 0 to 65535, typically specified in hexadecimal.
For mask, enter the don’t care bits applied to the
Ethertype before testing for a match.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
572
How to Configure QoS
Example:
Switch(config-ext-mac1)# end
Example:
Switch# show access-lists
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy-running-config
startup-config
Related Topics
Access Control Lists, on page 532
QoS ACL Guidelines, on page 524
Examples: Classifying Traffic by Using ACLs, on page 609
Note You can also create class maps during policy map creation by using the class policy-map configuration
command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
573
How to Configure QoS
Procedure
Example:
Switch# configure terminal
Step 2 Use one of the following: Creates an IP standard or extended ACL, an IPv6 ACL
for IP traffic, or a Layer 2 MAC ACL for non-IP traffic,
• access-list access-list-number {deny repeating the command as many times as necessary.
| permit} source [source-wildcard]
When creating an access list, remember that, by default,
• access-list access-list-number {deny the end of the access list contains an implicit deny
| permit} protocol source statement for everything if it did not find a match before
[source-wildcard] destination reaching the end.
[destination-wildcard]
• ipv6 access-list access-list-name
{deny | permit} protocol
{source-ipv6-prefix/prefix-length |
any | host source-ipv6-address}
[operator [port-number]]
{destination-ipv6-prefix/
prefix-length | any | host
destination-ipv6-address} [operator
[port-number]] [dscp value]
[fragments] [log] [log-input]
[routing] [sequence value]
[time-range name]
• mac access-list extended name
{permit | deny} {host src-MAC-addr
mask | any | host dst-MAC-addr |
dst-MAC-addr mask} [type mask]
Example:
Switch(config)# access-list 103
permit ip any
any dscp 10
Step 3 class-map [match-all | match-any] Creates a class map, and enters class-map configuration
class-map-name mode.
By default, no class maps are defined.
Example:
• (Optional) Use the match-all keyword to perform
Switch(config)# class-map class1 a logical-AND of all matching statements under
this class map. All match criteria in the class map
must be matched.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
574
How to Configure QoS
Example:
Switch(config-cmap)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
575
How to Configure QoS
Example:
Switch# show class-map
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy-running-config
startup-config
Related Topics
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps, on page 578
Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps
Examples: Classifying Traffic by Using Class Maps, on page 610
Note IPv6 QoS is not supported on switches running the LAN base feature set.
To apply the primary match criteria to only IPv4 traffic, use the match protocol command with the ip keyword.
To apply the primary match criteria to only IPv6 traffic, use the match protocol command with the ipv6
keyword.
Procedure
Example:
Switch# configure terminal
Step 2 class-map {match-all} Creates a class map, and enters class-map configuration mode.
class-map-name By default, no class maps are defined.
Example:
When you use the match protocol command, only the
match-all keyword is supported.
Switch(config)# class-map
cm-1 • For class-map-name, specify the name of the class map.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
576
How to Configure QoS
Step 4 match {ip dscp dscp-list | ip Defines the match criterion to classify traffic.
precedence ip-precedence-list} By default, no match criterion is defined.
Example:
Switch(config-cmap)# end
Example:
Switch# show class-map
Step 7 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy-running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
577
How to Configure QoS
Related Topics
Examples: Classifying Traffic by Using Class Maps, on page 610
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps
You can configure a policy map on a physical port that specifies which traffic class to act on. Actions can
include trusting the CoS, DSCP, or IP precedence values in the traffic class; setting a specific DSCP or IP
precedence value in the traffic class; and specifying the traffic bandwidth limitations for each matched traffic
class (policer) and the action to take when the traffic is out of profile (marking).
A policy map also has these characteristics:
• A policy map can contain multiple class statements, each with different match criteria and policers.
• A policy map can contain a predefined default traffic class explicitly placed at the end of the map.
• A separate policy-map class can exist for each type of traffic received through a port.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
578
How to Configure QoS
Procedure
Example:
Switch# configure terminal
Step 2 class-map [match-all | Creates a class map, and enters class-map configuration mode.
match-any] class-map-name By default, no class maps are defined.
Step 3 policy-map policy-map-name Creates a policy map by entering the policy map name, and enters
policy-map configuration mode.
Example: By default, no policy maps are defined.
Switch(config-cmap)# The default behavior of a policy map is to set the DSCP to 0 if the
policy-map flowit
packet is an IP packet and to set the CoS to 0 if the packet is tagged.
No policing is performed.
Note To delete an existing policy map, use the no policy-map
policy-map-name global configuration command.
Step 4 class [class-map-name | Defines a traffic classification, and enters policy-map class
class-default] configuration mode.
By default, no policy map class-maps are defined.
Example:
If a traffic class has already been defined by using the class-map
Switch(config-pmap)# class global configuration command, specify its name for class-map-name
ipclass1
in this command.
A class-default traffic class is pre-defined and can be added to any
policy. It is always placed at the end of a policy map. With an
implied match any included in the class-default class, all packets
that have not already matched the other traffic classes will match
class-default.
Note To delete an existing class map, use the no class
class-map-name policy-map configuration command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
579
How to Configure QoS
Switch(config-pmap-c)# • For burst-byte, specify the normal burst size in bytes. The
police 100000 range is 8000 to 1000000.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
580
How to Configure QoS
Example:
Switch(config-pmap-c)#
exit
Example:
Switch(config-pmap)# exit
Step 10 interface interface-id Specifies the port to attach to the policy map, and enters interface
configuration mode.
Example: Valid interfaces include physical ports.
Switch(config)# interface
gigabitethernet 2/0/1
Step 11 service-policy input Specifies the policy-map name, and applies it to an ingress port.
policy-map-name Only one policy map per ingress port is supported.
Example:
Note To remove the policy map and port association, use the no
service-policy input policy-map-name interface
Switch(config-if)# configuration command.
service-policy
input flowit
Example:
Switch(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
581
How to Configure QoS
Example:
Switch# show policy-map
Step 14 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch#
copy-running-config
startup-config
Related Topics
Policing and Marking Overview, on page 534
Physical Port Policing, on page 534
Classifying Traffic by Using Class Maps, on page 573
Policy Map on Physical Port
Examples: Classifying, Policing, and Marking Traffic on Physical Ports Using Policy Maps, on page 611
Policy Map on Physical Port Guidelines
Procedure
Example:
Switch# configure terminal
Step 2 mls qos aggregate-policer Defines the policer parameters that can be applied to
aggregate-policer-name rate-bps multiple traffic classes within the same policy map.
burst-byte exceed-action {drop | By default, no aggregate policer is defined.
policed-dscp-transmit}
• For aggregate-policer-name, specify the name
of the aggregate policer.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
582
How to Configure QoS
Step 3 class-map [match-all | match-any] Creates a class map to classify traffic as necessary.
class-map-name
Example:
Switch(config)# class-map ipclass1
Step 4 policy-map policy-map-name Creates a policy map by entering the policy map name,
and enters policy-map configuration mode.
Example:
Switch(config-cmap)# policy-map
aggflow1
Step 5 class [class-map-name | class-default] Defines a traffic classification, and enters policy-map
class configuration mode.
Example:
Switch(config-cmap-p)# class
ipclass1
Step 6 police aggregate aggregate-policer-name Applies an aggregate policer to multiple classes in the
same policy map.
Example: For aggregate-policer-name, enter the name specified
Switch(configure-cmap-p)# police in Step 2.
aggregate transmit1
To remove the specified aggregate policer from a policy
map, use the no police aggregate
aggregate-policer-name policy map configuration
command. To delete an aggregate policer and its
parameters, use the no mls qos aggregate-policer
aggregate-policer-name global configuration
command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
583
How to Configure QoS
Example:
Switch(configure-cmap-p)# exit
Step 8 interface interface-id Specifies the port to attach to the policy map, and enters
interface configuration mode.
Example: Valid interfaces include physical ports.
Switch(config)# interface
gigabitethernet 2/0/1
Step 9 service-policy input policy-map-name Specifies the policy-map name, and applies it to an
ingress port.
Example: Only one policy map per ingress port is supported.
Switch(config-if)# service-policy
input aggflow1
Example:
Switch(configure-if)# end
Example:
Switch# show mls qos
aggregate-policer transmit1
Step 12 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy-running-config
startup-config
Related Topics
Policing and Marking Overview, on page 534
Examples: Classifying, Policing, and Marking Traffic by Using Aggregate Policers, on page 614
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
584
How to Configure QoS
Procedure
Example:
Switch# configure terminal
Step 2 mls qos map cos-dscp dscp1...dscp8 Modifies the CoS-to-DSCP map.
For dscp1...dscp8, enter eight DSCP values that
Example: correspond to CoS values 0 to 7. Separate each
Switch(config)# mls qos map DSCP value with a space.
cos-dscp 10 15 20 25 30 35 40 45
The DSCP range is 0 to 63.
Note To return to the default map, use the no
mls qos cos-dscp global configuration
command.
Step 3 end Returns to privileged EXEC mode.
Example:
Switch(config)# end
Example:
Switch# show mls qos maps cos-dscp
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy-running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
585
How to Configure QoS
Related Topics
Default CoS-to-DSCP Map, on page 552
Configuring the Trust State on Ports Within the QoS Domain, on page 557
Examples: Configuring DSCP Maps, on page 615
Procedure
Example:
Switch# configure terminal
Step 2 mls qos map ip-prec-dscp dscp1...dscp8 Modifies the IP-precedence-to-DSCP map.
For dscp1...dscp8, enter eight DSCP values that
Example: correspond to the IP precedence values 0 to 7.
Switch(config)# mls qos map Separate each DSCP value with a space.
ip-prec-dscp 10 15 20 25 30 35 40
45
The DSCP range is 0 to 63.
Note To return to the default map, use the no
mls qos ip-prec-dscp global
configuration command.
Step 3 end Returns to privileged EXEC mode.
Example:
Switch(config)# end
Example:
Switch# show mls qos maps
ip-prec-dscp
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
586
How to Configure QoS
Related Topics
Default IP-Precedence-to-DSCP Map, on page 553
Examples: Configuring DSCP Maps, on page 615
Procedure
Example:
Switch# configure terminal
Step 2 mls qos map policed-dscp dscp-list to Modifies the policed-DSCP map.
mark-down-dscp
• For dscp-list, enter up to eight DSCP values
separated by spaces. Then enter the to
Example: keyword.
Switch(config)# mls qos map
policed-dscp 50 51 52 53 54 55 56 • For mark-down-dscp, enter the
57 to 0 corresponding policed (marked down) DSCP
value.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
587
How to Configure QoS
Example:
Switch(config)# end
Example:
Switch(config)# show mls qos maps
policed-dscp
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy-running-config
startup-config
Related Topics
Default CoS-to-DSCP Map, on page 552
Default IP-Precedence-to-DSCP Map, on page 553
Default DSCP-to-CoS Map, on page 554
Examples: Configuring DSCP Maps, on page 615
Procedure
Example:
Switch# configure terminal
Step 2 mls qos map dscp-cos dscp-list to cos Modifies the DSCP-to-CoS map.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
588
How to Configure QoS
Example:
Switch(config)# end
Example:
Switch# show mls qos maps
dscp-to-cos
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy-running-config
startup-config
Related Topics
Default DSCP-to-CoS Map, on page 554
Examples: Configuring DSCP Maps, on page 615
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
589
How to Configure QoS
Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-DSCP-mutation map. This
procedure is optional.
Procedure
Example:
Switch# configure terminal
Step 4 mls qos trust dscp Configures the ingress port as a DSCP-trusted port.
By default, the port is not trusted.
Example:
Switch(config-if)# mls qos trust
dscp
Step 5 mls qos dscp-mutation Applies the map to the specified ingress
dscp-mutation-name DSCP-trusted port.
For dscp-mutation-name, enter the mutation map
Example: name specified in Step 2.
Switch(config-if)# mls qos
dscp-mutation mutation1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
590
How to Configure QoS
Example:
Switch(config-if)# end
Example:
Switch# show mls qos maps
dscp-mutation
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy-running-config
startup-config
Related Topics
Examples: Configuring DSCP Maps, on page 615
Related Topics
Priority Queueing, on page 543
Ingress Port Activity
Configuration Guidelines
Follow these guidelines when the expedite queue is enabled or the egress queues are serviced based on their
SRR weights:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
591
How to Configure QoS
• If the egress expedite queue is enabled, it overrides the SRR shaped and shared weights for queue 1.
• If the egress expedite queue is disabled and the SRR shaped and shared weights are configured, the
shaped mode overrides the shared mode for queue 1, and SRR services this queue in shaped mode.
• If the egress expedite queue is disabled and the SRR shaped weights are not configured, SRR services
this queue in shared mode.
Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds
You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting
the queue thresholds so that packets with lower priorities are dropped.
Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and
to set WTD thresholds. This procedure is optional.
Procedure
Example:
Switch# configure terminal
Step 2 Use one of the following: Maps DSCP or CoS values to an ingress queue and to a threshold
ID.
• mls qos srr-queue input
dscp-map queue queue-id By default, DSCP values 0–39 and 48–63 are mapped to queue
threshold threshold-id 1 and threshold 1. DSCP values 40–47 are mapped to queue 2
dscp1...dscp8 and threshold 1.
• mls qos srr-queue input By default, CoS values 0–4, 6, and 7 are mapped to queue 1 and
cos-map queue queue-id threshold 1. CoS value 5 is mapped to queue 2 and threshold 1.
threshold threshold-id • For queue-id, the range is 1 to 2.
cos1...cos8
• For threshold-id, the range is 1 to 3. The drop-threshold
percentage for threshold 3 is predefined. It is set to the
Example: queue-full state.
Switch(config)# mls qos • For dscp1...dscp8, enter up to eight values, and separate
srr-queue input each value with a space. The range is 0 to 63.
dscp-map queue 1 threshold 2
20 21 22 23 24 25 26 • For cos1...cos8, enter up to eight values, and separate each
value with a space. The range is 0 to 7.
Step 3 mls qos srr-queue input threshold Assigns the two WTD threshold percentages for (threshold 1
queue-id threshold-percentage1 and 2) to an ingress queue. The default, both thresholds are set
threshold-percentage2 to 100 percent.
• For queue-id, the range is 1 to 2.
Example:
• For threshold-percentage1 threshold-percentage2, the
Switch(config)# mls qos
range is 1 to 100. Separate each value with a space.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
592
How to Configure QoS
Example:
Switch(config)# end
Step 6 copy running-config (Optional) Saves your entries in the configuration file.
startup-config To return to the default CoS input queue threshold map or the
default DSCP input queue threshold map, use the no mls qos
Example: srr-queue input cos-map or the no mls qos srr-queue input
Switch# copy running-config dscp-map global configuration command. To return to the
startup-config default WTD threshold percentages, use the no mls qos
srr-queue input threshold queue-id global configuration
command
Related Topics
Queueing and Scheduling on Ingress Queues, on page 540
Weighted Tail Drop, on page 538
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
593
How to Configure QoS
Procedure
Example:
Switch# configure terminal
Step 2 mls qos srr-queue input buffers Allocates the buffers between the ingress queues
percentage1 percentage2 By default 90 percent of the buffers are allocated to
queue 1, and 10 percent of the buffers are allocated
Example: to queue 2.
Switch(config)# mls qos srr-queue For percentage1 percentage2, the range is 0 to 100.
input buffers 60 40
Separate each value with a space.
You should allocate the buffers so that the queues
can handle any incoming bursty traffic.
Example:
Switch(config)# end
Example:
Switch# show mls qos interface buffer
or
Switch# show mls qos input-queue
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example: To return to the default setting, use the no mls qos
Switch# copy-running-config srr-queue input buffers global configuration
startup-config command.
Related Topics
Queueing and Scheduling on Ingress Queues, on page 540
Examples: Configuring Ingress Queue Characteristics, on page 617
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
594
How to Configure QoS
Note SRR bandwidth limit works in both mls qos enabled and disabled states.
Beginning in privileged EXEC mode, follow these steps to allocate bandwidth between the ingress queues.
This procedure is optional.
Procedure
Example:
Switch# configure terminal
Step 2 mls qos srr-queue input bandwidth Assigns shared round robin weights to the ingress queues.
weight1 weight2 The default setting for weight1 and weight2 is 4 (1/2 of
the bandwidth is equally shared between the two queues).
Example:
For weight1 and weight2, the range is 1 to 100. Separate
Switch(config)# mls qos srr-queue each value with a space.
input bandwidth 25 75
SRR services the priority queue for its configured weight
as specified by the bandwidth keyword in the mls qos
srr-queue input priority-queue queue-id bandwidth
weight global configuration command. Then, SRR shares
the remaining bandwidth with both ingress queues and
services them as specified by the weights configured with
the mls qos srr-queue input bandwidth weight1 weight2
global configuration command.
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
595
How to Configure QoS
Example:
Switch# show mls qos interface
queueing
or
Switch# show mls qos input-queue
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration file.
To return to the default setting, use the no mls qos
Example: srr-queue input bandwidth global configuration
Switch# copy running-config command.
startup-config
Related Topics
Queueing and Scheduling on Ingress Queues, on page 540
Examples: Configuring Ingress Queue Characteristics, on page 617
SRR Shaping and Sharing, on page 539
Related Topics
Shaped or Shared Mode, on page 546
Configuration Guidelines
Follow these guidelines when the expedite queue is enabled or the egress queues are serviced based on their
SRR weights:
• If the egress expedite queue is enabled, it overrides the SRR shaped and shared weights for queue 1.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
596
How to Configure QoS
• If the egress expedite queue is disabled and the SRR shaped and shared weights are configured, the
shaped mode overrides the shared mode for queue 1, and SRR services this queue in shaped mode.
• If the egress expedite queue is disabled and the SRR shaped weights are not configured, SRR services
this queue in shared mode.
Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set
You can guarantee the availability of buffers, set WTD thresholds, and configure the maximum allocation for
a queue-set by using the mls qos queue-set output qset-id threshold queue-id drop-threshold1 drop-threshold2
reserved-threshold maximum-threshold global configuration command.
Each threshold value is a percentage of the queue’s allocated buffers, which you specify by using the mls qos
queue-set output qset-id buffers allocation1 ... allocation4 global configuration command. The queues use
WTD to support distinct drop percentages for different traffic classes.
Note The switch supports 4 egress queues by default, although there is an option to enable a total of 8 egress
queues. Use the mls qos srr-queue output queues 8 global configuration command to enable all 8 egress
queues. Once 8 egress queues are enabled, you are able to configure thresholds, buffers, bandwidth share
weights, and bandwidth shape weights for all 8 queues. The 8 egress queue configuration is only supported
on a standalone switch.
Note The egress queue default settings are suitable for most situations. You should change them only when you
have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and to drop
thresholds for a queue-set. This procedure is optional.
Procedure
Example:
Switch# configure terminal
Step 2 mls qos srr-queue output (Optional) The switch supports 4 egress queues by default, although
queues 8 you can enable a total of 8 egress queues. Use the optional mls qos
srr-queue output queues 8 command to enable the additional 4
Example: egress queues.
Switch(config)# mls qos Once 8 queue support is enabled, you can then proceed to configure
srr-queue output queues 8 the additional 4 queues. Any existing egress queue configuration
commands are then modified to support the additional queue
parameters.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
597
How to Configure QoS
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
598
How to Configure QoS
Example:
Switch(config-id)# end
Example:
Switch# show mls qos
interface buffers
Step 9 copy running-config (Optional) Saves your entries in the configuration file.
startup-config To return to the default setting, use the no mls qos queue-set output
qset-id buffers global configuration command. To return to the
Example: default WTD threshold percentages, use the no mls qos queue-set
Switch# output qset-id threshold [queue-id] global configuration command.
copy-running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
599
How to Configure QoS
Related Topics
Queueing and Scheduling on Egress Queues
Examples: Configuring Egress Queue Characteristics, on page 617
Weighted Tail Drop, on page 538
Note The egress queue default settings are suitable for most situations. You should change them only when you
have a thorough understanding of egress queues and if these settings do not meet your QoS solution.
Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an egress queue and
to a threshold ID. This procedure is optional.
Procedure
Example:
Switch# configure terminal
Step 2 Use one of the following: Maps DSCP or CoS values to an egress queue and to a threshold
ID.
• mls qos srr-queue output
dscp-map queue By default, DSCP values 0–15 are mapped to queue 2 and threshold
queue-id threshold 1. DSCP values 16–31 are mapped to queue 3 and threshold 1. DSCP
threshold-id dscp1...dscp8 values 32–39 and 48–63 are mapped to queue 4 and threshold 1.
DSCP values 40–47 are mapped to queue 1 and threshold 1.
• mls qos srr-queue output
cos-map queue queue-id By default, CoS values 0 and 1 are mapped to queue 2 and threshold
threshold threshold-id 1. CoS values 2 and 3 are mapped to queue 3 and threshold 1. CoS
cos1...cos8 values 4, 6, and 7 are mapped to queue 4 and threshold 1. CoS value
5 is mapped to queue 1 and threshold 1.
• For queue-id, the range is 1 to 4.
Example:
Note If you enabled 8 egress queues using the mls qos
Switch(config)# mls qos srr-queue output queues 8 global configuration
srr-queue output
dscp-map queue 1 threshold
command, then the queue-id range would be from 1
2 10 11 to 8.
• For threshold-id, the range is 1 to 3. The drop-threshold
percentage for threshold 3 is predefined. It is set to the
queue-full state.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
600
How to Configure QoS
Example:
Switch(config)# end
Step 5 copy running-config (Optional) Saves your entries in the configuration file.
startup-config To return to the default DSCP output queue threshold map or the
default CoS output queue threshold map, use the no mls qos
Example: srr-queue output dscp-map or the no mls qos srr-queue output
Switch# copy-running-config cos-map global configuration command.
startup-config
Related Topics
Queueing and Scheduling on Egress Queues
Examples: Configuring Egress Queue Characteristics, on page 617
Weighted Tail Drop, on page 538
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
601
How to Configure QoS
You can configure the egress queues for shaped or shared weights, or both. Use shaping to smooth bursty
traffic or to provide a smoother output over time.
Beginning in privileged EXEC mode, follow these steps to assign the shaped weights and to enable bandwidth
shaping on the four egress queues mapped to a port. This procedure is optional.
Procedure
Example:
Switch# configure terminal
Step 2 interface interface-id Specifies the port of the outbound traffic, and enters interface
configuration mode.
Example:
Switch(config)# interface
gigabitethernet2/0/1
Step 3 srr-queue bandwidth shape Assigns SRR weights to the egress queues. By default, weight1
weight1 weight2 weight3 weight4 is set to 25; weight2, weight3, and weight4 are set to 0, and
these queues are in shared mode.
Example: For weight1 weight2 weight3 weight4, enter the weights to
Switch(config-if)# srr-queue control the percentage of the port that is shaped. The inverse
ratio (1/weight) controls the shaping bandwidth for this queue.
bandwidth shape 8 0 0 0 Separate each value with a space. The range is 0 to 65535.
If you configure a weight of 0, the corresponding queue operates
in shared mode. The weight specified with the srr-queue
bandwidth shape command is ignored, and the weights
specified with the srr-queue bandwidth share interface
configuration command for a queue come into effect. When
configuring queues in the same queue-set for both shaping and
sharing, make sure that you configure the lowest number queue
for shaping.
The shaped mode overrides the shared mode.
To return to the default setting, use the no srr-queue
bandwidth shape interface configuration command.
Note If you enabled 8 egress queues using the mls qos
srr-queue output queues 8 global configuration
command, then you would be able to assign SRR
weights to a total of 8 queues.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
602
How to Configure QoS
Example:
Switch(config-if)# end
Example:
Switch# show mls qos
interface
interface-id queuing
Step 6 copy running-config (Optional) Saves your entries in the configuration file.
startup-config To return to the default setting, use the no srr-queue
bandwidth shape interface configuration command.
Example:
Switch# copy running-config
startup-config
Related Topics
Queueing and Scheduling on Egress Queues
Examples: Configuring Egress Queue Characteristics, on page 617
SRR Shaping and Sharing, on page 539
Note The egress queue default settings are suitable for most situations. You should change them only when you
have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
Beginning in privileged EXEC mode, follow these steps to assign the shared weights and to enable bandwidth
sharing on the four egress queues mapped to a port. This procedure is optional.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
603
How to Configure QoS
Procedure
Example:
Switch# configure terminal
Step 2 interface interface-id Specifies the port of the outbound traffic, and enters
interface configuration mode.
Example:
Switch(config)# interface
gigabitethernet2/0/1
Step 3 srr-queue bandwidth share weight1 Assigns SRR weights to the egress queues. By default,
weight2 weight3 weight4 all four weights are 25 (1/4 of the bandwidth is allocated
to each queue).
Example: For weight1 weight2 weight3 weight4, enter the weights
Switch(config-id)# srr-queue to control the ratio of the frequency in which the SRR
bandwidth share 1 2 3 4 scheduler sends packets. Separate each value with a
space. The range is 1 to 255.
To return to the default setting, use the no srr-queue
bandwidth share interface configuration command.
Note If you enabled 8 egress queues using the mls
qos srr-queue output queues 8 global
configuration command, then you would be able
to assign SRR weights to a total of 8 queues.
Step 4 end Returns to privileged EXEC mode.
Example:
Switch(config-id)# end
Example:
Switch# show mls qos interface
interface_id queuing
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
To return to the default setting, use the no srr-queue
Example: bandwidth share interface configuration command.
Switch# copy-running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
604
How to Configure QoS
Related Topics
Queueing and Scheduling on Egress Queues
Examples: Configuring Egress Queue Characteristics, on page 617
SRR Shaping and Sharing, on page 539
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# mls qos
Step 3 interface interface-id Specifies the egress port, and enters interface
configuration mode.
Example:
Switch(config)# interface
gigabitethernet1/0/1
Step 4 priority-queue out Enables the egress expedite queue, which is disabled by
default.
Example: When you configure this command, the SRR weight
Switch(config-if)# priority-queue and queue size ratios are affected because there is one
out fewer queue participating in SRR. This means that
weight1 in the srr-queue bandwidth shape or the
srr-queue bandwidth share command is ignored (not
used in the ratio calculation).
Note To disable the egress expedite queue, use the
no priority-queue out interface configuration
command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
605
How to Configure QoS
Example:
Switch(config-if)# end
Example:
Switch# show running-config
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
To disable the egress expedite queue, use the no
Example: priority-queue out interface configuration command.
Switch# copy running-config
startup-config
Related Topics
Queueing and Scheduling on Egress Queues
Examples: Configuring Egress Queue Characteristics, on page 617
Note The egress queue default settings are suitable for most situations. You should change them only when you
have a thorough understanding of the egress queues and if these settings do not meet your QoS solution.
Beginning in privileged EXEC mode, follow these steps to limit the bandwidth on an egress port. This procedure
is optional.
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
606
How to Configure QoS
Step 3 srr-queue bandwidth limit weight1 Specifies the percentage of the port speed to which
the port should be limited. The range is 10 to 90.
Example: By default, the port is not rate-limited and is set to
Switch(config-if)# srr-queue 100 percent.
bandwidth limit 80
Note To return to the default setting, use the no
srr-queue bandwidth limit interface
configuration command.
Step 4 end Returns to privileged EXEC mode.
Example:
Switch(config-if)# end
Example:
Switch# show mls qos interface
interface_id queueing
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example: To return to the default setting, use the no
Switch# copy-running-config srr-queue bandwidth limit interface configuration
startup-config command.
Related Topics
Queueing and Scheduling on Egress Queues
Examples: Configuring Egress Queue Characteristics, on page 617
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
607
Monitoring Standard QoS
Command Description
show class-map [class-map-name] Displays QoS class maps, which define the match
criteria to classify traffic.
show mls qos interface [interface-id] [buffers | Displays QoS information at the port level, including
policers | queueing | statistics] the buffer allocation, which ports have configured
policers, the queueing strategy, and the ingress and
egress statistics.
show mls qos maps [cos-dscp | |cos-output-q | Displays QoS mapping information.
dscp-cos | |dscp-mutation dscp-mutation-name |
dscp-output-q | ip-prec-dscp | policed-dscp]
show mls qos queue-set [qset-id] Displays QoS settings for the egress queues.
show policy-map [policy-map-name [class Displays QoS policy maps, which define classification
class-map-name]] criteria for incoming traffic.
Do not use the show policy-map interface privileged
EXEC command to display classification information
for incoming traffic. The control-plane and interface
keywords are not supported, and the statistics shown in
the display should be ignored.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
608
Configuration Examples for QoS
Related Topics
Configuring the DSCP Trust State on a Port Bordering Another QoS Domain, on page 564
This example shows how to create an ACL that permits IP traffic from any source to any destination that has
the DSCP value set to 32:
This example shows how to create an ACL that permits IP traffic from a source host at 10.1.1.1 to a destination
host at 10.1.1.2 with a precedence value of 5:
This example shows how to create an ACL that permits PIM traffic from any source to a destination group
address of 224.0.0.2 with a DSCP set to 32:
This example shows how to create an ACL that permits IPv6 traffic from any source to any destination that
has the DSCP value set to 32:
This example shows how to create an ACL that permits IPv6 traffic from a source host at 10.1.1.1 to a
destination host at 10.1.1.2 with a precedence value of 5:
This example shows how to create a Layer 2 MAC ACL with two permit statements. The first statement
allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001.
The second statement allows only Ethertype XNS-IDP traffic from the host with MAC address 0001.0000.0002
to the host with MAC address 0002.0000.0002.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
609
Configuration Examples for QoS
Related Topics
Creating an IP Standard ACL for IPv4 Traffic, on page 567
Creating an IP Extended ACL for IPv4 Traffic, on page 568
Creating an IPv6 ACL for IPv6 Traffic, on page 569
Creating a Layer 2 MAC ACL for Non-IP Traffic, on page 572
This example shows how to create a class map called class2, which matches incoming traffic with DSCP
values of 10, 11, and 12.
This example shows how to create a class map called class3, which matches incoming traffic with IP-precedence
values of 5, 6, and 7:
This example shows how to configure a class map to match IP DSCP and IPv6:
This example shows how to configure a class map that applies to both IPv4 and IPv6 traffic:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
610
Configuration Examples for QoS
Related Topics
Classifying Traffic by Using Class Maps, on page 573
Classifying Traffic by Using Class Maps and Filtering IPv6 Traffic, on page 576
Examples: Classifying, Policing, and Marking Traffic on Physical Ports Using Policy Maps
This example shows how to create a policy map and attach it to an ingress port. In the configuration, the IP
standard ACL permits traffic from network 10.1.0.0. For traffic matching this classification, the DSCP value
in the incoming packet is trusted. If the matched traffic exceeds an average traffic rate of 48000 b/s and a
normal burst size of 8000 bytes, its DSCP is marked down (based on the policed-DSCP map) and sent:
This example shows how to create a Layer 2 MAC ACL with two permit statements and attach it to an ingress
port. The first permit statement allows traffic from the host with MAC address 0001.0000.0001 destined for
the host with MAC address 0002.0000.0001. The second permit statement allows only Ethertype XNS-IDP
traffic from the host with MAC address 0001.0000.0002 destined for the host with MAC address
0002.0000.0002.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
611
Configuration Examples for QoS
This example shows how to create a class map that applies to both IPv4 and IPv6 traffic with the default class
applied to unclassified traffic:
Related Topics
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps, on page 578
Policy Map on Physical Port
Examples: Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy
Maps
This example shows how to create a hierarchical policy map:
Switch> enable
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# access-list 101 permit ip any any
Switch(config)# class-map cm-1
Switch(config-cmap)# match access 101
Switch(config-cmap)# exit
Switch(config)# exit
Switch#
Switch#
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
612
Configuration Examples for QoS
This example shows that when a child-level policy map is attached below a class, an action must be specified
for the class:
This example shows how to configure a class map to match IP DSCP and IPv6:
This example shows how to configure default traffic class to a policy map:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
613
Configuration Examples for QoS
This example shows how the default traffic class is automatically placed at the end of policy-map pm3 even
though class-default was configured first:
Related Topics
Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps
Hierarchical Policy Maps on SVI Guidelines
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
614
Configuration Examples for QoS
Related Topics
Classifying, Policing, and Marking Traffic by Using Aggregate Policers, on page 582
Cos-dscp map:
cos: 0 1 2 3 4 5 6 7
--------------------------------
dscp: 10 15 20 25 30 35 40 45
This example shows how to modify and display the IP-precedence-to-DSCP map:
IpPrecedence-dscp map:
ipprec: 0 1 2 3 4 5 6 7
--------------------------------
dscp: 10 15 20 25 30 35 40 45
Note In this policed-DSCP map, the marked-down DSCP values are shown in the body of the matrix. The d1
column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant
digit of the original DSCP. The intersection of the d1 and d2 values provides the marked-down value. For
example, an original DSCP value of 53 corresponds to a marked-down DSCP value of 0.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
615
Configuration Examples for QoS
This example shows how to map DSCP values 0, 8, 16, 24, 32, 40, 48, and 50 to CoS value 0 and to display
the map:
Note In the above DSCP-to-CoS map, the CoS values are shown in the body of the matrix. The d1 column
specifies the most-significant digit of the DSCP; the d2 row specifies the least-significant digit of the
DSCP. The intersection of the d1 and d2 values provides the CoS value. For example, in the DSCP-to-CoS
map, a DSCP value of 08 corresponds to a CoS value of 0.
This example shows how to define the DSCP-to-DSCP-mutation map. All the entries that are not explicitly
configured are not modified (remains as specified in the null map):
Note In the above DSCP-to-DSCP-mutation map, the mutated values are shown in the body of the matrix. The
d1 column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant
digit of the original DSCP. The intersection of the d1 and d2 values provides the mutated value. For
example, a DSCP value of 12 corresponds to a mutated value of 10.
Related Topics
Configuring the CoS-to-DSCP Map, on page 585
Configuring the IP-Precedence-to-DSCP Map, on page 586
Configuring the Policed-DSCP Map, on page 587
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
616
Configuration Examples for QoS
In this example, the DSCP values (0 to 6) are assigned the WTD threshold of 50 percent and will be dropped
sooner than the DSCP values (20 to 26) assigned to the WTD threshold of 70 percent.
This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the
buffer space to ingress queue 2:
This example shows how to assign the ingress bandwidth to the queues. Priority queueing is disabled, and
the shared bandwidth ratio allocated to queue 1 is 25/(25+75) and to queue 2 is 75/(25+75):
This example shows how to assign the ingress bandwidths to the queues. Queue 1 is the priority queue with
10 percent of the bandwidth allocated to it. The bandwidth ratios allocated to queues 1 and 2 is 4/(4+4). SRR
services queue 1 (the priority queue) first for its configured 10 percent bandwidth. Then SRR equally shares
the remaining 90 percent of the bandwidth between queues 1 and 2 by allocating 45 percent to each queue:
Related Topics
Allocating Buffer Space Between the Ingress Queues, on page 593
Queueing and Scheduling on Ingress Queues, on page 540
Allocating Bandwidth Between the Ingress Queues, on page 595
Queueing and Scheduling on Ingress Queues, on page 540
Configuring the Ingress Priority Queue
Queueing and Scheduling on Ingress Queues, on page 540
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
617
Configuration Examples for QoS
60 percent of the allocated memory, guarantees (reserves) 100 percent of the allocated memory, and configures
200 percent as the maximum memory that this queue can have before packets are dropped:
This example shows how to map DSCP values 10 and 11 to egress queue 1 and to threshold 2:
This example shows how to configure bandwidth shaping on queue 1. Because the weight ratios for queues
2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which
is 12.5 percent:
This example shows how to configure the weight ratio of the SRR scheduler running on an egress port. Four
queues are used, and the bandwidth ratio allocated for each queue in shared mode is 1/(1+2+3+4), 2/(1+2+3+4),
3/(1+2+3+4), and 4/(1+2+3+4), which is 10 percent, 20 percent, 30 percent, and 40 percent for queues 1, 2,
3, and 4. This means that queue 4 has four times the bandwidth of queue 1, twice the bandwidth of queue 2,
and one-and-a-third times the bandwidth of queue 3.
This example shows how to enable the egress expedite queue when the SRR weights are configured. The
egress expedite queue overrides the configured SRR weights.
When you configure this command to 80 percent, the port is idle 20 percent of the time. The line rate drops
to 80 percent of the connected speed, which is 800 Mb/s. These values are not exact because the hardware
adjusts the line rate in increments of six.
Related Topics
Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, on page 597
Queueing and Scheduling on Egress Queues
Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID, on page 600
Queueing and Scheduling on Egress Queues
Configuring SRR Shaped Weights on Egress Queues, on page 601
Queueing and Scheduling on Egress Queues
Configuring SRR Shared Weights on Egress Queues, on page 603
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
618
Where to Go Next
Where to Go Next
Review the auto-QoS documentation to see if you can use these automated capabilities for your QoS
configuration.
Additional References
Related Documents
EnergyWise Commands
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
619
Feature History and Information for QoS
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
620
CHAPTER 29
Configuring Auto-QoS
• Finding Feature Information, page 621
• Prerequisites for Auto-QoS, page 621
• Restrictions for Auto-QoS, page 622
• Information about Configuring Auto-QoS, page 622
• How to Configure Auto-QoS, page 627
• Monitoring Auto-QoS, page 630
• Configuration Examples for Auto-Qos, page 631
• Where to Go Next for Auto-QoS, page 641
• Additional References for Auto-QoS, page 641
• Feature History and Information for Auto-QoS, page 642
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
621
Restrictions for Auto-QoS
Auto-QoS Overview
You can use the auto-QoS feature to simplify the deployment of QoS features. Auto-QoS determines the
network design and enables QoS configurations so that the switch can prioritize different traffic flows. It uses
the egress queues instead of using the default (disabled) QoS behavior. The switch offers best-effort service
to each packet, regardless of the packet contents or size, and sends it from a single queue.
When you enable auto-QoS, it automatically classifies traffic based on the traffic type and ingress packet
label. The switch uses the classification results to choose the appropriate egress queue.
You can use auto-QoS commands to identify ports connected to the following Cisco devices:
• Cisco IP Phones
• Devices running the Cisco SoftPhone application
• Cisco TelePresence
• Cisco IP Camera
• Cisco digital media player
You also use the auto-QoS commands to identify ports that receive trusted traffic through an uplink. Auto-QoS
then performs these functions:
• Detects the presence or absence of auto-QoS devices through conditional trusted interfaces.
• Configures QoS classification
• Configures egress queues
Related Topics
QoS Overview
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
622
Information about Configuring Auto-QoS
CoS value 5 3 6 7 3 –
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
623
Information about Configuring Auto-QoS
The switch configures ingress queues on the port according to the settings in the following table. This table
shows the generated auto-QoS configuration for the ingress queues.
Ingress Queue Queue CoS-to-Queue Map Queue Weight Queue (Buffer) Size
Number (Bandwidth)
SRR shared 1 0, 1, 2, 3, 6, 7 70 percent 90 percent
The switch configures egress queues on the port according to the settings in the following table. This table
shows the generated auto-QoS configuration for the egress queues.
Egress Queue Egress Queue Queue Queue Queue (Buffer) Size for
Queue Number Weight (Buffer) 10/100 Ethernet Ports
(Bandwidth) Size for
Gigabit-Capable
Ports
Priority 1 4, 5 up to100 25 percent 15 percent
percent
SRR shared 2 2, 3, 6, 7 10 percent 25 percent 25 percent
• When you enable auto-QoS by using the auto qos voip cisco-phone, the auto qos voip cisco-softphone,
or the auto qos voip trust interface configuration command, the switch automatically generates a QoS
configuration based on the traffic type and ingress packet label and applies the commands listed in
Examples: Global Auto-QoS Configuration, on page 631 to the port.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
624
Information about Configuring Auto-QoS
• Auto-QoS migration happens after a new device is connected when the auto qos srnd4 global
configuration command is enabled.
Note If an interface previously configured with legacy auto-QoS migrates to enhanced auto-QoS, voice commands
and configuration are updated to match the new global QoS commands.
Auto-QoS configuration migration from enhanced auto-QoS to legacy auto-QoS can occur only when you
disable all existing auto-QoS configurations from the interface.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
625
Information about Configuring Auto-QoS
Note When a device running Cisco SoftPhone is connected to a nonrouted or routed port, the
switch supports only one Cisco SoftPhone application per port.
• When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to
the IP phone.
• This release supports only Cisco IP SoftPhone Version 1.3(3) or later.
• Connected devices must use Cisco Call Manager Version 4 or later.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
626
How to Configure Auto-QoS
• When you reload the switch, the system detects and re-executes the saved auto-QoS commands and the
AutoQoS SRND4.0 compliant config-set is generated .
Note Do not make changes to the auto-QoS-generated commands when auto-QoS compact is enabled, because
user-modifications are overridden when the switch reloads.
Configuring Auto-QoS
Enabling Auto-QoS
For optimum QoS performance, enable auto-QoS on all the devices in your network.
Procedure
Example:
Switch# configure terminal
Step 2 interface interface-id Specifies the port that is connected to a video device or the
uplink port that is connected to another trusted switch or router
Example: in the network interior, and enters interface configuration mode.
Switch(config)# interface
gigabitethernet 3/0/1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
627
How to Configure Auto-QoS
QoS labels of incoming packets are trusted only when the system
is detected.
Enables auto-QoS for classification.
• police—Policing is set up by defining the QoS policy
maps and applying them to ports (port-based QoS).
Example:
Switch(config-if)# exit
Step 5 interface interface-id Specifies the switch port identified as connected to a trusted
switch or router, and enters interface configuration mode.
Example:
Switch(config)# interface
gigabitethernet 2/0/1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
628
How to Configure Auto-QoS
Example:
Switch(config-if)# end
Procedure
Example:
Switch# configure terminal
Step 2 auto qos global compact Enables auto-Qos compact and generates (hidden) the global
configurations for auto-QoS.
Example: You can then enter the auto-QoS command you want to configure
Switch(config)# auto qos in the interface configuration mode and the interface commands
global compact that the system generates are also hidden.
To display the auto-QoS configuration that has been applied, use
these the privileged EXEC commands:
• show derived-config
• show policy-map
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
629
Monitoring Auto-QoS
What to Do Next
To disable auto-QoS compact, remove auto-Qos instances from all interfaces by entering the no form of the
corresponding auto-QoS commands and then enter the no auto qos global compact global configuration
command.
Troubleshooting Auto-QoS
To troubleshoot auto-QoS, use the debug auto qos privileged EXEC command. For more information, see
the debug auto qos command in the command reference for this release.
To disable auto-QoS on a port, use the no form of the auto qos command interface configuration command,
such as no auto qos voip. Only the auto-QoS-generated interface configuration commands for this port are
removed. If this is the last port on which auto-QoS is enabled and you enter the no auto qos voip command,
auto-QoS is considered disabled even though the auto-QoS-generated global configuration commands remain
(to avoid disrupting traffic on other ports affected by the global configuration).
Monitoring Auto-QoS
Table 79: Commands for Monitoring Auto-QoS
Command Description
show auto qos [interface [interface-type]] Displays the initial auto-QoS configuration.
You can compare the show auto qos and the show
running-config command output to identify the
user-defined QoS settings.
show mls qos [ aggregate policer | interface | Displays information about the QoS configuration that
maps | queue-set | stack-port | stack-qset ] might be affected by auto-QoS.
show mls qos aggregate policer policer_name Displays information about the QoS aggregate policer
configuration that might be affected by auto-QoS.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
630
Configuration Examples for Auto-Qos
Command Description
show mls qos interface [interface-type | buffers Displays information about the QoS interface
| policers | queueing | statistics ] configuration that might be affected by auto-QoS.
show mls qos maps [cos-dscp | cos-output-q | Displays information about the QoS maps configuration
dscp-cos | dscp-mutation | dscp-output-q | that might be affected by auto-QoS.
ip-prec-dscp | policed-dscp ]
show mls qos queue-set queue-set ID Displays information about the QoS queue-set
configuration that might be affected by auto-QoS.
show mls qos stack-port buffers Displays information about the QoS stack port buffer
configuration that might be affected by auto-QoS.
show mls qos stack-qset Displays information about the QoS stack queue set
configuration that might be affected by auto-QoS.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
631
Configuration Examples for Auto-Qos
The switch
Switch(config)# no mls qos Switch(config)# no mls qos srr-queue
automatically maps srr-queue output cos-map
CoS values to an egress output cos-map Switch(config)# mls qos srr-queue
queue and to a Switch(config)# mls qos output cos-map queue 1 threshold 3 4 5
srr-queue Switch(config)# mls qos srr-queue
threshold ID. output cos-map queue 1 output cos-map queue 2 threshold 3 6 7
threshold 3 5 Switch(config)# mls qos srr-queue
Switch(config)# mls qos output cos-map queue 2 threshold 1 2
srr-queue Switch(config)# mls qos srr-queue
output cos-map queue 2 output cos-map queue 2 threshold 2 3
threshold 3 3 Switch(config)# mls qos srr-queue
6 7 output cos-map queue 3 threshold 3 0
Switch(config)# mls qos
srr-queue Switch(config)# mls qos srr-queue
output cos-map queue 3 output cos-map queue 4 threshold 3 1
threshold 3 2
4
Switch(config)# mls qos
srr-queue
output cos-map queue 4
threshold 2 1
Switch(config)# mls qos
srr-queue
output cos-map queue 4
threshold 3 0
The switch
automatically maps
DSCP values to an
egress queue and to a
threshold ID.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
632
Configuration Examples for Auto-Qos
17 18 19 20 21 22 23
Switch(config)# mls qos srr-queue
output dscp-map queue 2 threshold 1 26
27 28 29 30 31 34 35 36 37 38 39
Switch(config)# mls qos srr-queue
output dscp-map queue 2 threshold 2 24
Switch(config)# mls qos Switch(config)# mls qos srr-queue
srr-queue output dscp-map queue 2 threshold 3 48
output dscp-map queue 2
threshold 3 49 50 51 52 53 54 55 56
24 25 26 27 28 29 30 31 Switch(config)# mls qos srr-queue
Switch(config)# mls qos output dscp-map queue 2 threshold 3 57
srr-queue
output dscp-map queue 2 58 59 60 61 62 63
threshold 3
48 49 50 51 52 53 54 55
Switch(config)# mls qos
srr-queue Switch(config)# mls qos srr-queue
output dscp-map queue 2 output dscp-map queue 3 threshold 3 0
threshold 3 1 2 3 4 5 6 7
56 57 58 59 60 61 62 63
Switch(config)# mls qos
srr-queue
output dscp-map queue 3 Switch(config)# mls qos srr-queue
threshold 3 output dscp-map queue 4 threshold 1 8
16 17 18 19 20 21 22 23 9 11 13 15
Switch(config)# mls qos Switch(config)# mls qos srr-queue
srr-queue output dscp-map queue 4 threshold 2 10
output dscp-map queue 3
threshold 3 12 14
32 33 34 35 36 37 38 39
Switch(config)# mls qos
srr-queue
output dscp-map queue 4
threshold 1 8
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
633
Configuration Examples for Auto-Qos
bandwidth share 10 10 60 20
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
634
Configuration Examples for Auto-Qos
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
635
Configuration Examples for Auto-Qos
If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary
feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone (as shown below).
If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and
policy maps (as shown below).
After creating the class maps and policy maps, the switch automatically applies the policy map called
AutoQoS-Police-SoftPhone to an ingress interface on which auto-QoS with the Cisco SoftPhone feature is
enabled (as shown below).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
636
Configuration Examples for Auto-Qos
If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and
policy maps.
After creating the class maps and policy maps, the switch automatically applies the policy map called
AutoQoS-Police-SoftPhone to an ingress interface on which auto-QoS with the Cisco SoftPhone feature is
enabled.
If you entered the auto qos voip cisco-phone command, the switch automatically creates class maps and
policy maps.
If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and
policy maps.
After creating the class maps and policy maps, the switch automatically applies the policy map called
AutoQoS-Police-SoftPhone to an ingress interface on which auto-QoS with the Cisco SoftPhone feature is
enabled.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
637
Configuration Examples for Auto-Qos
Examples: Auto-QoS Generated Configuration For Enhanced Video, Trust, and Classify Devices
If you entered the following enhanced auto-QoS commands, the switch configures a CoS-to-DSCP map (maps
CoS values in incoming packets to a DSCP value):
• auto qos video cts
• auto qos video ip-camera
• auto qos video media-player
• auto qos trust
• auto qos trust cos
• auto qos trust dscp
The following command is initiated after entering one of the above auto-QoS commands:
If you entered the auto qos classify command, the switch automatically creates class maps and policy maps
(as shown below).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
638
Configuration Examples for Auto-Qos
If you entered the auto qos classify police command, the switch automatically creates class maps and policy
maps (as shown below).
This is the enhanced configuration for the auto qos voip cisco-phone command:
This is the enhanced configuration for the auto qos voip cisco-softphone command:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
639
Configuration Examples for Auto-Qos
GigabitEthernet1/2
auto qos voip cisco-phone
interface GigabitEthernet1/0/2
auto qos voip cisco-phone
end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
640
Where to Go Next for Auto-QoS
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
Standard/RFC Title
—
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
641
Feature History and Information for Auto-QoS
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
642
PART IX
Routing
• Configuring IP Unicast Routing, page 645
• Configuring IPv6 First Hop Security, page 653
CHAPTER 30
Configuring IP Unicast Routing
• Finding Feature Information, page 645
• Information About Configuring IP Unicast Routing, page 645
• Information About IP Routing, page 646
• Configuring IP Unicast Routing, page 648
• Enabling IP Unicast Routing, page 648
• Assigning IP Addresses to SVIs, page 649
• Configuring Static Unicast Routes, page 651
• Monitoring and Maintaining the IP Network, page 652
Note In addition to IPv4 traffic, you can also enable IP Version 6 (IPv6) unicast routing and configure interfaces
to forward IPv6 traffic.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
645
Information About IP Routing
This figure shows a basic routing topology. Switch A is in VLAN 10, and Switch B is in VLAN 20. The router
has an interface in each VLAN.
Figure 65: Routing Topology Example
When Host A in VLAN 10 needs to communicate with Host B in VLAN 10, it sends a packet addressed to
that host. Switch A forwards the packet directly to Host B, without sending it to the router.
When Host A sends a packet to Host C in VLAN 20, Switch A forwards the packet to the router, which
receives the traffic on the VLAN 10 interface. The router checks the routing table, finds the correct outgoing
interface, and forwards the packet on the VLAN 20 interface to Switch B. Switch B receives the packet and
forwards it to Host C.
Types of Routing
Routers and Layer 3 switches can route packets in these ways:
• By using default routing
• By using preprogrammed static routes for the traffic
The switch supports static routes and default routes, It does not support routing protocols.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
646
Information About IP Routing
• It generates, maintains, and distributes the distributed Cisco Express Forwarding (dCEF) database to all
stack members. The routes are programmed on all switches in the stack bases on this database.
• The MAC address of the active switch is used as the router MAC address for the whole stack, and all
outside devices use this address to send IP packets to the stack.
• All IP packets that require software forwarding or processing go through the CPU of the active switch.
If a active switch fails, the stack detects that the active switch is down and elects one of the stack members
to be the new active switch. During this period, except for a momentary interruption, the hardware continues
to forward packets with no active protocols.
However, even though the switch stack maintains the hardware identification after a failure, the routing
protocols on the router neighbors might flap during the brief interruption before the active switch restarts.
Routing protocols such as OSPF and EIGRP need to recognize neighbor transitions.
Upon election, the new active switch performs these functions:
• It starts generating, receiving, and processing routing updates.
• It builds routing tables, generates the CEF database, and distributes it to stack members.
• It uses its MAC address as the router MAC address. To notify its network peers of the new MAC address,
it periodically (every few seconds for 5 minutes) sends a gratuitous ARP reply with the new router MAC
address.
Note If you configure the persistent MAC address feature on the stack and the active switch
changes, the stack MAC address does not change for the configured time period. If the
previous active switch rejoins the stack as a member switch during that time period, the
stack MAC address remains the MAC address of the previous active switch.
• It attempts to determine the reachability of every proxy ARP entry by sending an ARP request to the
proxy ARP IP address and receiving an ARP reply. For each reachable proxy ARP IP address, it generates
a gratuitous ARP reply with the new router MAC address. This process is repeated for 5 minutes after
a new active switch election.
Caution Partitioning of the switch stack into two or more stacks might lead to undesirable behavior
in the network.
If the switch is reloaded, then all the ports on that switch go down and there is a loss of traffic for the interfaces
involved in routing.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
647
Configuring IP Unicast Routing
Note The switch supports 16 static routes (including user-configured routes and the default route) and any
directly connected routes and default routes for the management interface. You can use the "lanbase-default"
SDM template to configure the static routes. The switch can have an IP address assigned to each SVI.
Before enabling routing, enter the sdm prefer lanbase-routing global configuration command and reload
the switch.
Procedures for configuring routing:
• To support VLAN interfaces, create and configure VLANs on the switch or switch stack, and assign
VLAN membership to Layer 2 interfaces. For more information, see chapter: Configuring VLANs.
• Configure Layer 3 interfaces (SVIs).
• Enable IP routing on the switch.
• Assign IP addresses to the Layer 3 interfaces.
• Configure static routes.
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
648
Assigning IP Addresses to SVIs
Example:
Switch(config)# ip routing
Example:
Switch(config)# end
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
649
Assigning IP Addresses to SVIs
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# end
Example:
Switch# show ip interface gigabitethernet
1/0/1
Example:
Switch# show ip interface gigabitethernet
1/0/1
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
650
Configuring Static Unicast Routes
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# ip route prefix mask
gigabitethernet 1/0/4
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
651
Monitoring and Maintaining the IP Network
What to Do Next
Use the no ip route prefix mask {address| interface} global configuration command to remove a static route.
The switch retains static routes until you remove them.
show ip route [address [mask] Displays the current state of the routing table.
[longer-prefixes]]
show ip route summary Displays the current state of the routing table in summary
form.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
652
CHAPTER 31
Configuring IPv6 First Hop Security
• Finding Feature Information, page 653
• Prerequisites for First Hop Security in IPv6, page 654
• Restrictions for First Hop Security in IPv6, page 654
• Information about First Hop Security in IPv6, page 654
• How to Configure an IPv6 Snooping Policy, page 657
• How to Configure the IPv6 Binding Table Content , page 661
• How to Configure an IPv6 Neighbor Discovery Inspection Policy, page 662
• How to Attach an IPv6 Neighbor Discovery Multicast Suppress Policy on a Device, page 666
• How to Configure an IPv6 Router Advertisement Guard Policy, page 668
• How to Configure an IPv6 DHCP Guard Policy , page 672
• How to Configure IPv6 Source Guard, page 677
• How to Configure IPv6 Prefix Guard, page 679
• Configuration Examples for IPv6 First Hop Security, page 682
• Additional References, page 683
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
653
Prerequisites for First Hop Security in IPv6
• By default, a snooping policy has a security-level of guard. When such a snooping policy is configured
on an access switch, external IPv6 Router Advertisement (RA) or Dynamic Host Configuration Protocol
for IPv6 (DHCPv6) server packets are blocked, even though the uplink port facing the router or DHCP
server/relay is configured as a trusted port. To allow IPv6 RA or DHCPv6 server messages, do the
following:
• Apply an IPv6 RA-guard policy (for RA) or IPv6 DHCP-guard policy (for DHCP server messages
) on the uplink port.
• Configure a snooping policy with a lower security-level, for example glean or inspect. However;
configuring a lower security level is not recommended with such a snooping policy, because
benefits of First Hop security features are not effective.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
654
Information about First Hop Security in IPv6
do not conform are dropped. An ND message is considered trustworthy if its IPv6-to-Media Access
Control (MAC) mapping is verifiable.
This feature mitigates some of the inherent vulnerabilities of the ND mechanism, such as attacks on
DAD, address resolution, router discovery, and the neighbor cache.
• IPv6 Router Advertisement Guard—The IPv6 Router Advertisement (RA) guard feature enables the
network administrator to block or reject unwanted or rogue RA guard messages that arrive at the network
switch platform. RAs are used by routers to announce themselves on the link. The RA Guard feature
analyzes the RAs and filters out bogus RAs sent by unauthorized routers. In host mode, all router
advertisement and router redirect messages are disallowed on the port. The RA guard feature compares
configuration information on the Layer 2 device with the information found in the received RA frame.
Once the Layer 2 device has validated the content of the RA frame and router redirect frame against the
configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not
validated, the RA is dropped.
• IPv6 DHCP Guard—The IPv6 DHCP Guard feature blocks reply and advertisement messages that come
from unauthorized DHCPv6 servers and relay agents. IPv6 DHCP guard can prevent forged messages
from being entered in the binding table and block DHCPv6 server messages when they are received on
ports that are not explicitly configured as facing a DHCPv6 server or DHCP relay. To use this feature,
configure a policy and attach it to an interface or a VLAN. To debug DHCP guard packets, use the
debug ipv6 snooping dhcp-guard privileged EXEC command.
• IPv6 Source Guard—Like IPv4 Source Guard, IPv6 Source Guard validates the source address or prefix
to prevent source address spoofing.
A source guard programs the hardware to allow or deny traffic based on source or destination addresses.
It deals exclusively with data packet traffic.
The IPv6 source guard feature provides the ability to use the IPv6 binding table to install PACLs to
prevent a host from sending packets with an invalid IPv6 source address.
To debug source-guard packets, use the debug ipv6 snooping source-guard privileged EXEC command.
Note The IPv6 PACL feature is supported only in the ingress direction; it is not supported in
the egress direction.
For more information on IPv6 Source Guard, see the IPv6 Source Guard chapter of the Cisco IOS IPv6
Configuration Guide Library on Cisco.com.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
655
Information about First Hop Security in IPv6
• IPv6 Prefix Guard—The IPv6 prefix guard feature works within the IPv6 source guard feature, to enable
the device to deny traffic originated from non-topologically correct addresses. IPv6 prefix guard is often
used when IPv6 prefixes are delegated to devices (for example, home gateways) using DHCP prefix
delegation. The feature discovers ranges of addresses assigned to the link and blocks any traffic sourced
with an address outside this range.
For more information on IPv6 Prefix Guard, see the IPv6 Prefix Guard chapter of the Cisco IOS IPv6
Configuration Guide Library on Cisco.com.
• IPv6 Destination Guard—The IPv6 destination guard feature works with IPv6 neighbor discovery to
ensure that the device performs address resolution only for those addresses that are known to be active
on the link. It relies on the address glean functionality to populate all destinations active on the link into
the binding table and then blocks resolutions before they happen when the destination is not found in
the binding table.
For more information about IPv6 Destination Guard, see the IPv6 Destination Guard chapter of the
Cisco IOS IPv6 Configuration Guide Library on Cisco.com.
• IPv6 Neighbor Discovery Multicast Suppress—The IPv6 Neighbor Discovery multicast suppress feature
is an IPv6 snooping feature that runs on a switch or a wireless controller and is used to reduce the amount
of control traffic necessary for proper link operations.
• DHCPv6 Relay—Lightweight DHCPv6 Relay Agent—The DHCPv6 Relay—Lightweight DHCPv6
Relay Agent feature allows relay agent information to be inserted by an access node that performs a
link-layer bridging (non-routing) function. Lightweight DHCPv6 Relay Agent (LDRA) functionality
can be implemented in existing access nodes, such as DSL access multiplexers (DSLAMs) and Ethernet
switches, that do not support IPv6 control or routing functions. LDRA is used to insert relay-agent
options in DHCP version 6 (DHCPv6) message exchanges primarily to identify client-facing interfaces.
LDRA functionality can be enabled on an interface and on a VLAN.
For more information about DHCPv6 Relay, See the DHCPv6 Relay—Lightweight DHCPv6 Relay
Agent section of the IP Addressing: DHCP Configuration Guide, Cisco IOS Release 15.1SG.
Related Topics
How to Configure an IPv6 Snooping Policy, on page 657
How to Attach an IPv6 Snooping Policy to an Interface, on page 658
How to Attach an IPv6 Snooping Policy to a Layer 2 EtherChannel Interface, on page 660
How to Configure the IPv6 Binding Table Content , on page 661
How to Configure an IPv6 Neighbor Discovery Inspection Policy, on page 662
How to Attach an IPv6 Neighbor Discovery Inspection Policy to an Interface , on page 664
How to Attach an IPv6 Neighbor Discovery Multicast Suppress Policy on a Device, on page 666
How to Attach an IPv6 Neighbor Discovery Multicast Suppress Policy on an Interface, on page 666
How to Attach an IPv6 Neighbor Discovery Multicast Suppress Policy to a Layer 2 EtherChannel Interface,
on page 667
How to Attach an IPv6 Snooping Policy to a Layer 2 EtherChannel Interface, on page 660
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
656
How to Configure an IPv6 Snooping Policy
Procedure
Example:
Switch# configure terminal
Step 2 ipv6 snooping policy policy-name Creates a snooping policy and enters IPv6 Snooping Policy
Configuration mode.
Example:
Switch(config)# ipv6 snooping
policy example_policy
Step 3 {[default ] | [device-role {node | Enables data address gleaning, validates messages against
switch}] | [limit address-count value] various criteria, specifies the security level for messages.
| [no] | [protocol {dhcp | ndp} ] |
[security-level {glean | guard | • (Optional) default—Sets all to default options.
inspect} ] | [tracking {disable • (Optional) device-role{node] | switch}—Specifies the
[stale-lifetime [seconds | infinite] | role of the device attached to the port. Default is node.
enable [reachable-lifetime [seconds
| infinite] } ] | [trusted-port ] } • (Optional) limit address-count value—Limits the
number of addresses allowed per target.
Example: • (Optional) no—Negates a command or sets it to defaults.
Switch(config-ipv6-snooping)#
security-level inspect • (Optional) protocol{dhcp | ndp}—Specifies which
protocol should be redirected to the snooping feature
for analysis. The default, is dhcp and ndp. To change
Example:
the default, use the no protocol command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
657
How to Configure an IPv6 Snooping Policy
Example:
Switch(config-ipv6-snooping)#
exit
Step 5 show ipv6 snooping policy Displays the snooping policy configuration.
policy-name
Example:
Switch#show ipv6 snooping policy
example_policy
What to Do Next
Attach an IPv6 Snooping policy to interfaces or VLANs.
Related Topics
Information about First Hop Security in IPv6, on page 654
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
658
How to Configure an IPv6 Snooping Policy
Procedure
Example:
Switch# configure terminal
Step 2 interface Interface_type Specifies an interface type and identifier; enters the
stack/module/port interface configuration mode.
Example:
Switch(config)# interface
gigabitethernet 1/1/4
or
or
Switch(config-if)# ipv6 snooping
vlan 111,112
or
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
659
How to Configure an IPv6 Snooping Policy
Related Topics
Information about First Hop Security in IPv6, on page 654
Procedure
Example:
Switch# configure terminal
Example:
Switch(config-if-range)# ipv6 snooping
attach-policy example_policy
or
or
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
660
How to Configure the IPv6 Binding Table Content
Related Topics
Information about First Hop Security in IPv6, on page 654
Information about First Hop Security in IPv6, on page 654
Procedure
Step 2 [no] ipv6 neighbor binding [vlan vlan-id {ipv6-address Adds a static entry to the binding
interface interface_type stack/module/port hw_address table database.
[reachable-lifetimevalue [seconds | default | infinite] |
[tracking{ [default | disable] [ reachable-lifetimevalue
[seconds | default | infinite] | [enable
[reachable-lifetimevalue [seconds | default | infinite] |
[retry-interval {seconds| default [reachable-lifetimevalue
[seconds | default | infinite] } ]
Example:
Switch(config)# ipv6 neighbor binding
Step 3 [no] ipv6 neighbor binding max-entries number Specifies the maximum number of
[mac-limit number | port-limit number [mac-limit number] entries that are allowed to be inserted
| vlan-limit number [ [mac-limit number] | [port-limit in the binding table cache.
number [mac-limitnumber] ] ] ]
Example:
Switch(config)# ipv6 neighbor binding max-entries
30000
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
661
How to Configure an IPv6 Neighbor Discovery Inspection Policy
Example:
Switch# show ipv6 neighbor binding
Related Topics
Information about First Hop Security in IPv6, on page 654
Procedure
Example:
Switch# configure terminal
Step 2 [no]ipv6 nd inspection policy policy-name Specifies the ND inspection policy name
and enters ND Inspection Policy
Example: configuration mode.
Switch(config)# ipv6 nd inspection policy
example_policy
Step 3 device-role {host | monitor | router | switch} Specifies the role of the device attached
to the port. The default is host.
Example:
Switch(config-nd-inspection)# device-role
switch
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
662
How to Configure an IPv6 Neighbor Discovery Inspection Policy
Example:
Switch(config-nd-inspection)# limit
address-count 1000
Step 7 tracking {enable [reachable-lifetime {value | Overrides the default tracking policy on a
infinite}] | disable [stale-lifetime {value | infinite}]} port.
Example:
Switch(config-nd-inspection)# tracking
disable stale-lifetime infinite
Example:
Switch(config-nd-inspection)# trusted-port
Example:
Switch(config-nd-inspection)# no validate
source-mac
Example:
Switch(config-nd-inspection)# default limit
address-count
Step 12 do show ipv6 nd inspection policy policy_name Verifies the ND Inspection Configuration
without exiting ND inspection
Example: configuration mode.
Switch(config-nd-inspection)# do show ipv6
nd inspection policy example_policy
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
663
How to Configure an IPv6 Neighbor Discovery Inspection Policy
Related Topics
Information about First Hop Security in IPv6, on page 654
Procedure
Example:
Switch# configure terminal
Step 3 ipv6 nd inspection [attach-policy policy_name [ vlan Attaches the Neighbor Discovery Inspection
{vlan_ids | add vlan_ids | except vlan_ids | none | policy to the interface or the specified
remove vlan_ids | all} ] | vlan [ {vlan_ids | add VLANs on that interface. The default policy
vlan_ids | exceptvlan_ids | none | remove vlan_ids | is attached if the attach-policy option is
all} ] not used.
Example:
Switch(config-if)# ipv6 nd inspection
attach-policy example_policy
or
or
Related Topics
Information about First Hop Security in IPv6, on page 654
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
664
How to Configure an IPv6 Neighbor Discovery Inspection Policy
Procedure
Example:
Switch# configure terminal
Example:
Switch(config-if-range)# ipv6 nd inspection
attach-policy example_policy
or
or
Switch(config-if-range)#ipv6 nd inspection
vlan 222, 223,224
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
665
How to Attach an IPv6 Neighbor Discovery Multicast Suppress Policy on a Device
Procedure
Step 3 ipv6 nd suppress policy Defines the Neighbor Discovery suppress policy name and
policy-name enters Neighbor Discovery suppress policy configuration
mode.
Step 4 mode dad-proxy Enables Neighbor Discovery suppress in IPv6 DAD proxy
mode.
Related Topics
Information about First Hop Security in IPv6, on page 654
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
666
How to Attach an IPv6 Neighbor Discovery Multicast Suppress Policy on a Device
Step 3 Perform one of the following tasks: Specifies an interface type and number, and
places the device in interface configuration
• interface type number mode.
Attaches the IPv6 Neighbor Discovery
• ipv6 nd inspection [attach-policy Multicast Policy to an interface or a VLAN.
policy_name [ vlan { add | except | none |
remove | all} vlan [ vlan1, vlan2, vlan3...]]]
OR
Related Topics
Information about First Hop Security in IPv6, on page 654
How to Attach an IPv6 Neighbor Discovery Multicast Suppress Policy to a Layer 2 EtherChannel
Interface
To attach an IPv6 Neighbor Discovery Multicast Suppress policy on an EtherChannel interface, complete the
following steps:
Procedure
Step 3 Perform one of the following tasks: Specifies an interface type and port number
and places the switch in the port channel
• interface port-channel port-channel-number configuration mode.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
667
How to Configure an IPv6 Router Advertisement Guard Policy
Related Topics
Information about First Hop Security in IPv6, on page 654
Procedure
Example:
Switch# configure terminal
Step 2 [no]ipv6 nd raguard policy Specifies the RA Guard policy name and enters RA Guard
policy-name Policy configuration mode.
Example:
Switch(config)# ipv6 nd raguard
policy example_policy
Step 3 [no]device-role {host | monitor | router Specifies the role of the device attached to the port. The
| switch} default is host.
Example:
Switch(config-nd-raguard)#
device-role switch
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
668
How to Configure an IPv6 Router Advertisement Guard Policy
Step 6 [no]match {ipv6 access-list list | ra Matches a specified prefix list or access list.
prefix-list list}
Example:
Switch(config-nd-raguard)# match
ipv6 access-list example_list
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
669
How to Configure an IPv6 Router Advertisement Guard Policy
Example:
Switch(config-nd-raguard)# default
hop-limit
Step 11 do show ipv6 nd raguard policy (Optional)—Displays the ND Guard Policy configuration
policy_name without exiting the RA Guard policy configuration mode.
Example:
Switch(config-nd-raguard)# do show
ipv6 nd raguard policy
example_policy
Related Topics
Information about First Hop Security in IPv6, on page 654
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
670
How to Configure an IPv6 Router Advertisement Guard Policy
Step 3 ipv6 nd raguard [attach-policy policy_name [ vlan Attaches the Neighbor Discovery
{vlan_ids | add vlan_ids | except vlan_ids | none | Inspection policy to the interface or the
remove vlan_ids | all} ] | vlan [ {vlan_ids | add specified VLANs on that interface. The
vlan_ids | exceptvlan_ids | none | remove vlan_ids | default policy is attached if the
all} ] attach-policy option is not used.
Example:
Switch(config-if)# ipv6 nd raguard
attach-policy example_policy
or
or
Related Topics
Information about First Hop Security in IPv6, on page 654
How to Attach an IPv6 Router Advertisement Guard Policy to a Layer 2 EtherChannel Interface
Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement Guard Policy
on an EtherChannel interface or VLAN:
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
671
How to Configure an IPv6 DHCP Guard Policy
Example:
Switch(config-if-range)# ipv6 nd raguard
attach-policy example_policy
or
or
Related Topics
Information about First Hop Security in IPv6, on page 654
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
672
How to Configure an IPv6 DHCP Guard Policy
Procedure
Example:
Switch# configure terminal
Step 2 [no]ipv6 dhcp guard policy policy-name Specifies the DHCPv6 Guard policy name and enters
DHCPv6 Guard Policy configuration mode.
Example:
Switch(config)# ipv6 dhcp guard
policy example_policy
Step 3 [no]device-role {client | server} (Optional) Filters out DHCPv6 replies and DHCPv6
advertisements on the port that are not from a device
Example: of the specified role. Default is client.
Switch(config-dhcp-guard)#
device-role server • client—Default value, specifies that the attached
device is a client. Server messages are dropped
on this port.
• server—Specifies that the attached device is a
DHCPv6 server. Server messages are allowed on
this port.
Step 4 [no] match server access-list (Optional). Enables verification that the advertised
ipv6-access-list-name DHCPv6 server or relay address is from an authorized
server access list (The destination address in the access
Example: list is 'any'). If not configured, this check will be
bypassed. An empty access list is treated as a permit
;;Assume a preconfigured IPv6 Access all.
List as follows:
Switch(config)# ipv6 access-list
my_acls
Switch(config-ipv6-acl)# permit host
FE80::A8BB:CCFF:FE01:F700 any
Step 5 [no] match reply prefix-list (Optional) Enables verification of the advertised
ipv6-prefix-list-name prefixes in DHCPv6 reply messages from the configured
authorized prefix list. If not configured, this check will
Example: be bypassed. An empty prefix list is treated as a permit.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
673
How to Configure an IPv6 DHCP Guard Policy
Example:
Switch(config-dhcp-guard)# default
device-role
Step 9 do show ipv6 dhcp guard policy (Optional) Displays the configuration of the IPv6 DHCP
policy_name guard policy without leaving the configuration submode.
Omitting the policy_name variable displays all DHCPv6
Example: policies.
Switch(config-dhcp-guard)# do show
ipv6 dhcp guard policy
example_policy
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
674
How to Configure an IPv6 DHCP Guard Policy
Related Topics
Information about First Hop Security in IPv6, on page 654
Procedure
Example:
Switch# configure terminal
Step 3 ipv6 dhcp guard [attach-policy policy_name [ vlan Attaches the DHCP Guard policy to the
{vlan_ids | add vlan_ids | except vlan_ids | none | interface or the specified VLANs on that
remove vlan_ids | all} ] | vlan [ {vlan_ids | add interface. The default policy is attached
vlan_ids | exceptvlan_ids | none | remove vlan_ids | if the attach-policy option is not used.
all} ]
Example:
Switch(config-if)# ipv6 dhcp guard
attach-policy example_policy
or
or
Step 4 do show running-config interface Interface_type Confirms that the policy is attached to the
stack/module/port specified interface without exiting the
configuration mode.
Example:
Switch#(config-if)# do show running-config
gig 1/1/4
Related Topics
Information about First Hop Security in IPv6, on page 654
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
675
How to Configure an IPv6 DHCP Guard Policy
Procedure
Example:
Switch# configure terminal
Example:
Switch(config-if-range)# ipv6 dhcp guard
attach-policy example_policy
or
or
Related Topics
Information about First Hop Security in IPv6, on page 654
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
676
How to Configure IPv6 Source Guard
Example:
Switch# configure terminal
Step 3 [no] ipv6 source-guard policy Specifies the IPv6 Source Guard policy name and
policy_name enters IPv6 Source Guard policy configuration mode.
Example:
Switch(config)# ipv6 source-guard
policy example_policy
Step 4 [deny global-autoconf] [permit (Optional) Defines the IPv6 Source Guard policy.
link-local] [default{. . . }] [exit] [no{. .
. }] • deny global-autoconf—Denies data traffic from
auto-configured global addresses. This is useful
when all global addresses on a link are
Example: DHCP-assigned and the administrator wants to
Switch(config-sisf-sourceguard)#
deny global-autoconf block hosts with self-configured addresses to
send traffic.
• permit link-local—Allows all data traffic that
is sourced by a link-local address.
Step 6 show ipv6 source-guard policy Shows the policy configuration and all the interfaces
policy_name where the policy is applied.
Example:
Switch# show ipv6 source-guard
policy example_policy
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
677
How to Configure IPv6 Source Guard
What to Do Next
Apply the IPv6 Source Guard policy to an interface.
Related Topics
Information about First Hop Security in IPv6, on page 654
Procedure
Example:
Switch# configure terminal
Step 3 interface Interface_type stack/module/port Specifies an interface type and identifier; enters
the interface configuration mode.
Example:
Switch(config)# interface
gigabitethernet 1/1/4
Step 4 ipv6 source-guard [attach-policy Attaches the IPv6 Source Guard policy to the
<policy_name> ] interface. The default policy is attached if the
attach-policy option is not used.
Example:
Switch(config-if)# ipv6 source-guard
attach-policy example_policy
Step 5 show ipv6 source-guard policy policy_name Shows the policy configuration and all the
interfaces where the policy is applied.
Example:
Switch#(config-if)# show ipv6
source-guard policy example_policy
Related Topics
Information about First Hop Security in IPv6, on page 654
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
678
How to Configure IPv6 Prefix Guard
Procedure
Example:
Switch# configure terminal
Step 3 interface port-channel port-channel-number Specifies an interface type and port number and
places the switch in the port channel
Example: configuration mode.
Switch (config)# interface Po4
Step 4 ipv6 source-guard [attach-policy Attaches the IPv6 Source Guard policy to the
<policy_name> ] interface. The default policy is attached if the
attach-policy option is not used.
Example:
Switch(config-if) # ipv6 source-guard
attach-policy example_policy
Step 5 show ipv6 source-guard policy policy_name Shows the policy configuration and all the
interfaces where the policy is applied.
Example:
Switch(config-if) #show ipv6
source-guard policy example_policy
Related Topics
Information about First Hop Security in IPv6, on page 654
Examples: How to attach an IPv6 Source Guard Policy to a Layer 2 EtherChannel Interface, on page 682
Note To allow routing protocol control packets sourced by a link-local address when prefix guard is applied,
enable the permit link-local command in the source-guard policy configuration mode.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
679
How to Configure IPv6 Prefix Guard
Procedure
Example:
Switch# configure terminal
Step 3 [no] ipv6 source-guard policy Defines an IPv6 source-guard policy name and
source-guard-policy enters switch integrated security features
source-guard policy configuration mode.
Example:
Switch (config)# ipv6 source-guard
policy my_snooping_policy
Step 4 [ no ] validate address Disables the validate address feature and enables
the IPv6 prefix guard feature to be configured.
Example:
Switch (config-sisf-sourceguard)# no
validate address
Step 5 validate prefix Enables IPv6 source guard to perform the IPv6
prefix-guard operation.
Example:
Switch (config-sisf-sourceguard)#
validate prefix
Step 7 show ipv6 source-guard policy Displays the IPv6 source-guard policy
[source-guard-policy] configuration.
Example:
Switch # show ipv6 source-guard policy
policy1
Related Topics
Information about First Hop Security in IPv6, on page 654
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
680
How to Configure IPv6 Prefix Guard
Procedure
Example:
Switch# configure terminal
Step 3 interface Interface_type stack/module/port Specifies an interface type and identifier; enters
the interface configuration mode.
Example:
Switch(config)# interface
gigabitethernet 1/1/4
Step 4 ipv6 source-guard attach-policy policy_name Attaches the IPv6 Source Guard policy to the
interface. The default policy is attached if the
Example: attach-policy option is not used.
Switch(config-if)# ipv6 source-guard
attach-policy example_policy
Step 5 show ipv6 source-guard policy policy_name Shows the policy configuration and all the
interfaces where the policy is applied.
Example:
Switch(config-if)# show ipv6
source-guard policy example_policy
Related Topics
Information about First Hop Security in IPv6, on page 654
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
681
Configuration Examples for IPv6 First Hop Security
Procedure
Example:
Switch# configure terminal
Step 3 interface port-channel port-channel-number Specifies an interface type and port number and
places the switch in the port channel
Example: configuration mode.
Switch (config)# interface Po4
Step 4 ipv6 source-guard [attach-policy Attaches the IPv6 Source Guard policy to the
<policy_name> ] interface. The default policy is attached if the
attach-policy option is not used.
Example:
Switch(config-if)# ipv6 source-guard
attach-policy example_policy
Step 5 show ipv6 source-guard policy policy_name Shows the policy configuration and all the
interfaces where the policy is applied.
Example:
Switch(config-if)# show ipv6
source-guard policy example_policy
Related Topics
Information about First Hop Security in IPv6, on page 654
Examples: How to attach an IPv6 Prefix Guard Policy to a Layer 2 EtherChannel Interface, on page 683
Examples: How to attach an IPv6 Source Guard Policy to a Layer 2 EtherChannel Interface
The following example shows how to attach an IPv6 Source Guard Policy to a Layer 2 EtherChannel Interface:
Switch# configure terminal
Switch(config)# ipv6 source-guard policy POL
Switch(config-sisf-sourceguard) # validate address
switch(config-sisf-sourceguard)# exit
Switch(config)# interface Po4
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
682
Additional References
Related Topics
How to attach an IPv6 Source Guard Policy to a Layer 2 EtherChannel Interface, on page 679
Examples: How to attach an IPv6 Prefix Guard Policy to a Layer 2 EtherChannel Interface
The following example shows how to attach an IPv6 Prefix Guard Policy to a Layer 2 EtherChannel Interface:
Switch# configure terminal
Switch(config)# ipv6 source-guard policy POL
Switch (config-sisf-sourceguard)# no validate address
Switch((config-sisf-sourceguard)# validate prefix
Switch(config)# interface Po4
Switch(config-if)# ipv6 snooping
Switch(config-if)# ipv6 source-guard attach-policy POL
Related Topics
How to attach an IPv6 Prefix Guard Policy to a Layer 2 EtherChannel Interface, on page 682
Additional References
Related Documents
IPv6 network management and security topics IPv6 Configuration Library, Cisco
IOS XE Release 3SE (Catalyst
3850 Switches)
http://www.cisco.com/en/US/docs/
ios-xml/ios/ipv6/config_library/
xe-3se/3850/
ipv6-xe-3se-3850-library.html
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
683
Additional References
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
684
PART X
Security
• Security Features Overview, page 687
• Preventing Unauthorized Access , page 691
• Controlling Switch Access with Passwords and Privilege Levels , page 693
• Configuring TACACS+, page 711
• Configuring RADIUS, page 835
• RADIUS Server Load Balancing, page 879
• RADIUS Change of Authorization Support, page 895
• Configuring Kerberos, page 913
• Configuring Accounting, page 937
• Configuring Local Authentication and Authorization , page 967
• MAC Authentication Bypass, page 971
• Password Strength and Management for Common Criteria, page 983
• AAA-SERVER-MIB Set Operation, page 991
• Configuring Secure Shell, page 997
• Secure Shell Version 2 Support, page 1017
• X.509v3 Certificates for SSH Authentication, page 1043
• Configuring Secure Socket Layer HTTP, page 1053
• Certification Authority Interoperability, page 1067
• Access Control List Overview, page 1085
• Configuring IPv4 Access Control Lists, page 1097
• IPv6 Access Control Lists, page 1139
• ACL Support for Filtering IP Options, page 1157
• VLAN Access Control Lists, page 1167
• Configuring DHCP , page 1187
• Configuring IP Source Guard , page 1211
• Configuring Dynamic ARP Inspection, page 1219
• Configuring IEEE 802.1x Port-Based Authentication, page 1237
• Configuring Web-Based Authentication, page 1325
• Auto Identity, page 1361
• Configuring Port-Based Traffic Control, page 1373
• Configuring FIPS, page 1419
• Configuring Control Plane Policing, page 1421
CHAPTER 32
Security Features Overview
• Security Features Overview, page 687
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
687
Security Features Overview
• BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs.
• Standard and extended IP access control lists (ACLs) for defining inbound security policies on Layer 2
interfaces (port ACLs).
• Extended MAC access control lists for defining security policies in the inbound direction on Layer 2
interfaces.
• Source and destination MAC-based ACLs for filtering non-IP traffic.
• DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers.
• IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP snooping
database and IP source bindings.
• Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP requests
and responses to other ports in the same VLAN.
This feature is not supported on LanLite images on Catalyst 2960-X Series Switches.
• IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining access to
the network. These 802.1x features are supported:
◦Multidomain authentication (MDA) to allow both a data device and a voice device, such as an IP
phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled switch
port.
◦Dynamic voice virtual LAN (VLAN) for MDA to allow a dynamic voice VLAN on an
MDA-enabled port.
◦VLAN assignment for restricting 802.1x-authenticated users to a specified VLAN.
◦Support for VLAN assignment on a port configured for multi-auth mode. The RADIUS server
assigns a VLAN to the first host to authenticate on the port, and subsequent hosts use the same
VLAN. Voice VLAN assignment is supported for one IP phone.
◦Port security for controlling access to 802.1x ports.
◦Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized
or unauthorized state of the port.
◦IP phone detection enhancement to detect and recognize a Cisco IP phone.
◦Guest VLAN to provide limited services to non-802.1x-compliant users.
◦Restricted VLAN to provide limited services to users who are 802.1x compliant, but do not have
the credentials to authenticate via the standard 802.1x processes.
◦802.1x accounting to track network usage.
◦802.1x with wake-on-LAN to allow dormant PCs to be powered on based on the receipt of a specific
Ethernet frame.
◦802.1x readiness check to determine the readiness of connected end hosts before configuring IEEE
802.1x on the switch.
◦Voice aware 802.1x security to apply traffic violation actions only on the VLAN on which a security
violation occurs.
◦MAC authentication bypass (MAB) to authorize clients based on the client MAC address.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
688
Security Features Overview
◦Network Admission Control (NAC) Layer 2 802.1x validation of the antivirus condition or posture
of endpoint systems or clients before granting the devices network access.
◦Network Edge Access Topology (NEAT) with 802.1X switch supplicant, host authorization with
CISP, and auto enablement to authenticate a switch outside a wiring closet as a supplicant to another
switch.
◦IEEE 802.1x with open access to allow a host to access the network before being authenticated.
◦IEEE 802.1x authentication with downloadable ACLs and redirect URLs to allow per-user ACL
downloads from a Cisco Secure ACS server to an authenticated switch.
◦Support for dynamic creation or attachment of an auth-default ACL on a port that has no configured
static ACLs.
◦Flexible-authentication sequencing to configure the order of the authentication methods that a port
tries when authenticating a new host.
◦Multiple-user authentication to allow more than one host to authenticate on an 802.1x-enabled
port.
• TACACS+, a proprietary feature for managing network security through a TACACS server for both
IPv4 and IPv6.
• RADIUS for verifying the identity of, granting access to, and tracking the actions of remote users through
authentication, authorization, and accounting (AAA) services for both IPv4 and IPv6.
• Enhancements to RADIUS, TACACS+, and SSH to function over IPv6.
• Secure Socket Layer (SSL) Version 3.0 support for the HTTP 1.1 server authentication, encryption, and
message integrity and HTTP client authentication to allow secure HTTP communications (requires the
cryptographic version of the software).
• IEEE 802.1x Authentication with ACLs and the RADIUS Filter-Id Attribute.
• Support for IP source guard on static hosts.
• RADIUS Change of Authorization (CoA) to change the attributes of a certain session after it is
authenticated. When there is a change in policy for a user or user group in AAA, administrators can send
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
689
Security Features Overview
the RADIUS CoA packets from the AAA server, such as Cisco Identity Services Engine, or Cisco Secure
ACS to reinitialize authentication, and apply to the new policies.
• IEEE 802.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to
improve scalability of the network by load balancing users across different VLANs. Authorized users
are assigned to the least populated VLAN in the group, assigned by RADIUS server.
• Support for critical VLAN with multiple-host authentication so that when a port is configured for
multi-auth, and an AAA server becomes unreachable, the port is placed in a critical VLAN in order to
still permit access to critical resources.
• Support for Network Edge Access Topology (NEAT) to change the port host mode and to apply a
standard port configuration on the authenticator switch port.
• VLAN-ID based MAC authentication to use the combined VLAN and MAC address information for
user authentication to prevent network access from unauthorized VLANs.
• MAC move to allow hosts (including the hosts connected behind an IP phone) to move across ports
within the same switch without any restrictions to enable mobility. With MAC move, the switch treats
the reappearance of the same MAC address on another port in the same way as a completely new MAC
address.
• Support for 3DES and AES with version 3 of the Simple Network Management Protocol (SNMPv3).
This release adds support for the 168-bit Triple Data Encryption Standard (3DES) and the 128-bit,
192-bit, and 256-bit Advanced Encryption Standard (AES) encryption algorithms to SNMPv3.
• Support for Cisco TrustSec SXP protocol. This feature is not supported on LanLite images.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
690
CHAPTER 33
Preventing Unauthorized Access
• Finding Feature Information, page 691
• Preventing Unauthorized Access, page 691
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
691
Preventing Unauthorized Access
• You can also enable the login enhancements feature, which logs both failed and unsuccessful login
attempts. Login enhancements can also be configured to block future login attempts after a set number
of unsuccessful attempts are made. For more information, see the Cisco IOS Login Enhancements
documentation.
Related Topics
Configuring Username and Password Pairs, on page 702
TACACS+ and Switch Access, on page 713
Setting a Telnet Password for a Terminal Line, on page 700
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
692
CHAPTER 34
Controlling Switch Access with Passwords and
Privilege Levels
• Finding Feature Information, page 693
• Restrictions for Controlling Switch Access with Passwords and Privileges, page 693
• Information About Passwords and Privilege Levels, page 694
• How to Control Switch Access with Passwords and Privilege Levels, page 696
• Monitoring Switch Access, page 707
• Configuration Examples for Setting Passwords and Privilege Levels, page 707
• Additional References, page 708
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
693
Information About Passwords and Privilege Levels
Related Topics
Disabling Password Recovery, on page 699
Password Recovery, on page 695
Enable secret password and privilege level No password is defined. The default is level 15
(privileged EXEC level). The password is encrypted
before it is written to the configuration file.
Related Topics
Protecting Enable and Enable Secret Passwords with Encryption, on page 698
Example: Protecting Enable and Enable Secret Passwords with Encryption, on page 707
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
694
Information About Passwords and Privilege Levels
Password Recovery
By default, any end user with physical access to the switch can recover from a lost password by interrupting
the boot process while the switch is powering on and then by entering a new password.
The password-recovery disable feature protects access to the switch password by disabling part of this
functionality. When this feature is enabled, the end user can interrupt the boot process only by agreeing to set
the system back to the default configuration. With password recovery disabled, you can still interrupt the boot
process and change the password, but the configuration file (config.text) and the VLAN database file (vlan.dat)
are deleted.
If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a
secure server in case the end user interrupts the boot process and sets the system back to default values. Do
not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent
mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When
the switch is returned to the default system configuration, you can download the saved files to the switch by
using the Xmodem protocol.
To re-enable password recovery, use the service password-recovery global configuration command.
Related Topics
Disabling Password Recovery, on page 699
Restrictions for Controlling Switch Access with Passwords and Privileges, on page 693
Related Topics
Setting a Telnet Password for a Terminal Line, on page 700
Example: Setting a Telnet Password for a Terminal Line, on page 708
Related Topics
Configuring Username and Password Pairs, on page 702
Privilege Levels
Cisco switches (and other devices) use privilege levels to provide password security for different levels of
switch operation. By default, the Cisco IOS software operates in two modes (privilege levels) of password
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
695
How to Control Switch Access with Passwords and Privilege Levels
security: user EXEC (Level 1) and privileged EXEC (Level 15). You can configure up to 16 hierarchical
levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users
to have access to specified commands.
Related Topics
Setting the Privilege Level for a Command, on page 704
Example: Setting the Privilege Level for a Command, on page 708
Changing the Default Privilege Level for Lines, on page 705
Logging into and Exiting a Privilege Level, on page 706
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
696
How to Control Switch Access with Passwords and Privilege Levels
Example:
Switch# configure terminal
Step 3 enable password password Defines a new password or changes an existing password
for access to privileged EXEC mode.
Example: By default, no password is defined.
Switch(config)# enable For password, specify a string from 1 to 25 alphanumeric
password secret321
characters. The string cannot start with a number, is case
sensitive, and allows spaces but ignores leading spaces. It
can contain the question mark (?) character if you precede
the question mark with the key combination Crtl-v when
you create the password; for example, to create the password
abc?123, do this:
1 Enter abc.
2 Enter Crtl-v.
3 Enter ?123.
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 6 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
697
How to Control Switch Access with Passwords and Privilege Levels
Related Topics
Example: Setting or Changing a Static Enable Password, on page 707
Procedure
Example:
Switch# configure terminal
Step 3 Use one of the following: • Defines a new password or changes an existing
password for access to privileged EXEC mode.
• enable password [level level]
{password | encryption-type • Defines a secret password, which is saved using a
encrypted-password} nonreversible encryption method.
◦(Optional) For level, the range is from 0 to 15.
• enable secret [level level]
Level 1 is normal user EXEC mode privileges.
{password | encryption-type
The default level is 15 (privileged EXEC mode
encrypted-password}
privileges).
◦For password, specify a string from 1 to 25
alphanumeric characters. The string cannot start
Example:
Switch(config)# enable password with a number, is case sensitive, and allows
example102 spaces but ignores leading spaces. By default,
no password is defined.
or
Switch(config)# enable secret
◦(Optional) For encryption-type, only type 5, a
level 1 password secret123sample Cisco proprietary encryption algorithm, is
available. If you specify an encryption type,
you must provide an encrypted password—an
encrypted password that you copy from another
switch configuration.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
698
How to Control Switch Access with Passwords and Privilege Levels
Step 4 service password-encryption (Optional) Encrypts the password when the password is
defined or when the configuration is written.
Example: Encryption prevents the password from being readable in
Switch(config)# service the configuration file.
password-encryption
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Related Topics
Additional Password Security, on page 694
Example: Protecting Enable and Enable Secret Passwords with Encryption, on page 707
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
699
How to Control Switch Access with Passwords and Privilege Levels
the switch is returned to the default system configuration, you can download the saved files to the switch by
using the Xmodem protocol.
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# end
What to Do Next
To remove disable password recovery, use the no system disable password recovery switch all global
configuration command.
Related Topics
Password Recovery, on page 695
Restrictions for Controlling Switch Access with Passwords and Privileges, on page 693
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
700
How to Control Switch Access with Passwords and Privilege Levels
Procedure
Example:
Switch# configure terminal
Step 3 line vty 0 15 Configures the number of Telnet sessions (lines), and
enters line configuration mode.
Example: There are 16 possible sessions on a command-capable
Switch(config)# line vty 0 15 Switch. The 0 and 15 mean that you are configuring all
16 possible Telnet sessions.
Step 4 password password Sets a Telnet password for the line or lines.
For password, specify a string from 1 to 25
Example: alphanumeric characters. The string cannot start with a
Switch(config-line)# password number, is case sensitive, and allows spaces but ignores
abcxyz543 leading spaces. By default, no password is defined.
Example:
Switch(config-line)# end
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
701
How to Control Switch Access with Passwords and Privilege Levels
Example:
Switch# copy running-config
startup-config
Related Topics
Preventing Unauthorized Access, on page 691
Terminal Line Telnet Configuration, on page 695
Example: Setting a Telnet Password for a Terminal Line, on page 708
Procedure
Example:
Switch# configure terminal
Step 3 username name [privilege level] Sets the username, privilege level, and password for each
{password encryption-type password} user.
• For name, specify the user ID as one word or the
Example: MAC address. Spaces and quotation marks are not
Switch(config)# username allowed.
adamsample privilege 1 password
secret456 • You can configure a maximum of 12000 clients
each, for both username and MAC filter.
Switch(config)# username
111111111111 mac attribute • (Optional) For level, specify the privilege level the
user has after gaining access. The range is 0 to 15.
Level 15 gives privileged EXEC mode access. Level
1 gives user EXEC mode access.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
702
How to Control Switch Access with Passwords and Privilege Levels
Step 4 Use one of the following: Enters line configuration mode, and configures the
console port (line 0) or the VTY lines (line 0 to 15).
• line console 0
• line vty 0 15
Example:
Switch(config)# line console 0
or
Switch(config)# line vty 15
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
703
How to Control Switch Access with Passwords and Privilege Levels
Related Topics
Preventing Unauthorized Access, on page 691
Username and Password Pairs, on page 695
Procedure
Example:
Switch# configure terminal
Step 3 privilege mode level level command Sets the privilege level for a command.
• For mode, enter configure for global configuration
Example: mode, exec for EXEC mode, interface for interface
Switch(config)# privilege exec configuration mode, or line for line configuration
level 14 configure mode.
• For level, the range is from 0 to 15. Level 1 is for
normal user EXEC mode privileges. Level 15 is the
level of access permitted by the enable password.
• For command, specify the command to which you
want to restrict access.
Step 4 enable password level level Specifies the password to enable the privilege level.
password
• For level, the range is from 0 to 15. Level 1 is for
normal user EXEC mode privileges.
Example:
• For password, specify a string from 1 to 25
Switch(config)# enable password
level 14 SecretPswd14 alphanumeric characters. The string cannot start with
a number, is case sensitive, and allows spaces but
ignores leading spaces. By default, no password is
defined.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
704
How to Control Switch Access with Passwords and Privilege Levels
Example:
Switch(config)# end
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Related Topics
Privilege Levels, on page 695
Example: Setting the Privilege Level for a Command, on page 708
Procedure
Example:
Switch# configure terminal
Step 3 line vty line Selects the virtual terminal line on which to restrict
access.
Example:
Switch(config)# line vty 10
Step 4 privilege level level Changes the default privilege level for the line.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
705
How to Control Switch Access with Passwords and Privilege Levels
Example:
Switch(config)# end
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
What to Do Next
Users can override the privilege level you set using the privilege level line configuration command by logging
in to the line and enabling a different privilege level. They can lower the privilege level by using the disable
command. If users know the password to a higher privilege level, they can use that password to enable the
higher privilege level. You might specify a high level or privilege level for your console line to restrict line
usage.
Related Topics
Privilege Levels, on page 695
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
706
Monitoring Switch Access
Related Topics
Privilege Levels, on page 695
Related Topics
Setting or Changing a Static Enable Password, on page 696
Related Topics
Protecting Enable and Enable Secret Passwords with Encryption, on page 698
Additional Password Security, on page 694
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
707
Additional References
Related Topics
Setting a Telnet Password for a Terminal Line, on page 700
Terminal Line Telnet Configuration, on page 695
Related Topics
Setting the Privilege Level for a Command, on page 704
Privilege Levels, on page 695
Additional References
Error Message Decoder
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
708
Additional References
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
709
Additional References
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
710
CHAPTER 35
Configuring TACACS+
TACACS+ is a security application that provides centralized validation of users attempting to gain access
to a router or network access server. TACACS+ provides detailed accounting information and flexible
administrative control over authentication and authorization processes. TACACS+ is facilitated through
authentication, authorization and accounting (AAA) and can be enabled only through AAA commands.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
711
Restrictions for TACACS+
The following are the prerequisites for controlling switch access with TACACS+:
• You must have access to a configured TACACS+ server to configure TACACS+ features on your switch.
Also, you must have access to TACACS+ services maintained in a database on a TACACS+ daemon
typically running on a LINUX or Windows workstation.
• We recommend a redundant connection between a switch stack and the TACACS+ server. This is to
help ensure that the TACACS+ server remains accessible in case one of the connected stack members
is removed from the switch stack.
• You need a system running the TACACS+ daemon software to use TACACS+ on your switch.
• To use TACACS+, it must be enabled.
• Authorization must be enabled on the switch to be used.
• Users must first successfully complete TACACS+ authentication before proceeding to TACACS+
authorization.
• To use any of the AAA commands listed in this section or elsewhere, you must first enable AAA with
the aaa new-model command.
• At a minimum, you must identify the host or hosts maintaining the TACACS+ daemon and define the
method lists for TACACS+ authentication. You can optionally define method lists for TACACS+
authorization and accounting.
• The method list defines the types of authentication to be performed and the sequence in which they are
performed; it must be applied to a specific port before any of the defined authentication methods are
performed. The only exception is the default method list (which, by coincidence, is named default). The
default method list is automatically applied to all ports except those that have a named method list
explicitly defined. A defined method list overrides the default method list.
• Use TACACS+ for privileged EXEC access authorization if authentication was performed by using
TACACS+.
• Use the local database if authentication was not performed by using TACACS+.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
712
Information About TACACS+
Related Topics
Preventing Unauthorized Access, on page 691
TACACS+ Overview
TACACS+ is a security application that provides centralized validation of users attempting to gain access to
your switch.
TACACS+ provides for separate and modular authentication, authorization, and accounting facilities. TACACS+
allows for a single access control server (the TACACS+ daemon) to provide each service—authentication,
authorization, and accounting—independently. Each service can be tied into its own database to take advantage
of other services available on that server or on the network, depending on the capabilities of the daemon.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
713
Information About TACACS+
The goal of TACACS+ is to provide a method for managing multiple network access points from a single
management service. Your switch can be a network access server along with other Cisco routers and access
servers.
TACACS+, administered through the AAA security services, can provide these services:
• Authentication—Provides complete control of authentication through login and password dialog, challenge
and response, and messaging support.
The authentication facility can conduct a dialog with the user (for example, after a username and password
are provided, to challenge a user with several questions, such as home address, mother’s maiden name,
service type, and social security number). The TACACS+ authentication service can also send messages
to user screens. For example, a message could notify users that their passwords must be changed because
of the company’s password aging policy.
• Authorization—Provides fine-grained control over user capabilities for the duration of the user’s session,
including but not limited to setting autocommands, access control, session duration, or protocol support.
You can also enforce restrictions on what commands a user can execute with the TACACS+ authorization
feature.
• Accounting—Collects and sends information used for billing, auditing, and reporting to the TACACS+
daemon. Network managers can use the accounting facility to track user activity for a security audit or
to provide information for user billing. Accounting records include user identities, start and stop times,
executed commands (such as PPP), number of packets, and number of bytes.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
714
Information About TACACS+
The TACACS+ protocol provides authentication between the switch and the TACACS+ daemon, and it
ensures confidentiality because all protocol exchanges between the switch and the TACACS+ daemon are
encrypted.
TACACS+ Operation
When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:
1 When the connection is established, the switch contacts the TACACS+ daemon to obtain a username
prompt to show to the user. The user enters a username, and the switch then contacts the TACACS+
daemon to obtain a password prompt. The switch displays the password prompt to the user, the user enters
a password, and the password is then sent to the TACACS+ daemon.
TACACS+ allows a dialog between the daemon and the user until the daemon receives enough information
to authenticate the user. The daemon prompts for a username and password combination, but can include
other items, such as the user’s mother’s maiden name.
2 The switch eventually receives one of these responses from the TACACS+ daemon:
• ACCEPT—The user is authenticated and service can begin. If the switch is configured to require
authorization, authorization begins at this time.
• REJECT—The user is not authenticated. The user can be denied access or is prompted to retry the
login sequence, depending on the TACACS+ daemon.
• ERROR—An error occurred at some time during authentication with the daemon or in the network
connection between the daemon and the switch. If an ERROR response is received, the switch
typically tries to use an alternative method for authenticating the user.
• CONTINUE—The user is prompted for additional authentication information.
After authentication, the user undergoes an additional authorization phase if authorization has been enabled
on the switch. Users must first successfully complete TACACS+ authentication before proceeding to
TACACS+ authorization.
3 If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an
ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response contains
data in the form of attributes that direct the EXEC or NETWORK session for that user and the services
that the user can access:
• Telnet, Secure Shell (SSH), rlogin, or privileged EXEC services
• Connection parameters, including the host or client IP address, access list, and user timeouts
Method List
A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts
on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring a
backup system if the initial method fails. The software uses the first method listed to authenticate, to authorize,
or to keep accounts on users; if that method does not respond, the software selects the next method in the list.
This process continues until there is successful communication with a listed method or the method list is
exhausted.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
715
Information About TACACS+
TACACS AV Pairs
The network access server implements TACACS+ authorization and accounting functions by transmitting
and receiving TACACS+ attribute-value (AV) pairs for each user session.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
716
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
717
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
718
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
719
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
720
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
721
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
722
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
723
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
724
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
725
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
726
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
727
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
728
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
729
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
730
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
731
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
732
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
733
Information About TACACS+
noescape=x Prevents user yes yes yes yes yes yes yes
from using
an escape
character.
Used with
service=shell.
Can be either
true or false
(for
example,
noescape=true).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
734
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
735
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
736
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
737
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
738
Information About TACACS+
Used with
service=any
and
protocol=aaa.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
739
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
740
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
741
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
742
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
743
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
744
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
745
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
746
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
747
Information About TACACS+
service=x The primary yes yes yes yes yes yes yes
service.
Specifying a
service
attribute
indicates that
this is a
request for
authorization
or
accounting
of that
service.
Current
values are
slip, ppp,
arap, shell,
tty-daemon,
connection,
and system.
This attribute
must always
be included.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
748
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
749
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
750
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
751
Information About TACACS+
See Configuring TACACS+. module for the documents used to configure TACACS+, and TACACS+
authentication and authorization.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
752
Information About TACACS+
bytes_in The number yes yes yes yes yes yes yes
of input
bytes
transferred
during this
connection.
bytes_out The number yes yes yes yes yes yes yes
of output
bytes
transferred
during this
connection.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
753
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
754
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
755
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
756
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
757
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
758
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
759
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
760
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
761
Information About TACACS+
paks_in The number yes yes yes yes yes yes yes
of input
packets
transferred
during this
connection.
paks_out The number yes yes yes yes yes yes yes
of output
packets
transferred
during this
connection.
port The port the yes yes yes yes yes yes yes
user was
logged in to.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
762
Information About TACACS+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
763
Information About TACACS+
priv_level The privilege yes yes yes yes yes yes yes
level
associated
with the
action.
protocol The protocol yes yes yes yes yes yes yes
associated
with the
action.
service The service yes yes yes yes yes yes yes
the user
used.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
764
Information About TACACS+
stop_time The time the yes yes yes yes yes yes yes
action
stopped (in
seconds
since the
epoch.) The
clock must
be
configured to
receive this
information.
task_id Start and yes yes yes yes yes yes yes
stop records
for the same
event must
have
matching
(unique)
task_id
numbers.
timezone The time yes yes yes yes yes yes yes
zone
abbreviation
for all
timestamps
included in
this packet.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
765
Information About TACACS+
The following table lists the cause codes and descriptions for the Disconnect Cause Extended (disc-cause-ext)
attribute.
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1000 - No No reason no no no no yes yes yes yes
Reason for the
disconnect.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
766
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1010 - No The no no no no yes yes yes yes
Carrier modem
never
detected
data carrier
detect
(DCD).
This code
can appear
if a
disconnect
occurs
during the
initial
modem
connection.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
767
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1020 - TS The user no no no no yes yes yes yes
User Exit exited
normally
from the
terminal
server. This
code is
related to
immediate
Telnet and
raw TCP
disconnects
during a
terminal
server
session.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
768
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1022 - TS The user no no no no yes yes yes yes
Exit Telnet exited
normally
from a
Telnet
session.
This code
is related to
immediate
Telnet and
raw TCP
disconnects
during a
terminal
server
session.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
769
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1024 - TS The user no no no no yes yes yes yes
TCP Raw exited
Exit normally
from a raw
TCP
session.
This code
is related to
immediate
Telnet and
raw TCP
disconnects
during a
terminal
server
session.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
770
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1026 - TS The raw no no no no yes yes yes yes
No TCP TCP option
Raw is not
enabled.
This code
is related to
immediate
Telnet and
raw TCP
disconnects
during a
terminal
server
session.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
771
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1029 - TS The user no no no no yes yes yes yes
Close closed the
Vconn virtual
connection.
This code
is related to
immediate
Telnet and
raw TCP
disconnects
during a
terminal
server
session.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
772
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1032 - TS The user no no no no yes yes yes yes
Rlogin Opt selected an
Invalid invalid
Rlogin
option.
This code
is related to
immediate
Telnet and
raw TCP
disconnects
during a
terminal
server
session.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
773
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1040 - PPP PPP link no no no no yes yes yes yes
LCP control
Timeout protocol
(LCP)
negotiation
timed out
while
waiting for
a response
from a
peer. This
code
concerns
PPP
connections.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
774
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1043 - PPP PPP no no no no yes yes yes yes
CHAP Fail Challenge
Handshake
Authentication
Protocol
(CHAP)
authentication
failed. This
code
concerns
PPP
connections.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
775
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1047 - PPP LCP closed no no no no yes yes yes yes
No NCP because no
NCPs were
open. This
code
concerns
PPP
connections.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
776
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1050 - TS The raw no no no no yes yes yes yes
Tables Full TCP or
Telnet
internal
session
tables are
full. This
code relates
to
immediate
Telnet and
raw TCP
disconnects
and
contains
more
specific
information
than the
Telnet and
TCP codes
listed
earlier in
this table.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
777
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1052 - TS The IP no no no no yes yes yes yes
Invalid IP address for
Addr the Telnet
host is
invalid.
This code
relates to
immediate
Telnet and
raw TCP
disconnects
and
contains
more
specific
information
than the
Telnet and
TCP codes
listed
earlier in
this table.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
778
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1054 - TS The access no no no no yes yes yes yes
Bad Port server
detected a
bad or
missing
port
number.
This code
relates to
immediate
Telnet and
raw TCP
disconnects
and
contains
more
specific
information
than the
Telnet and
TCP codes
listed
earlier in
this table.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
779
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1061 - TCP The host no no no no yes yes yes yes
Connection refused the
Refused TCP
connection.
The TCP
stack can
return this
disconnect
code during
an
immediate
Telnet or
raw TCP
session.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
780
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1064 - TCP The TCP no no no no yes yes yes yes
Net network
Unreachable was
unreachable.
The TCP
stack can
return this
disconnect
code during
an
immediate
Telnet or
raw TCP
session.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
781
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1067 - TCP The TCP no no no no yes yes yes yes
Host host was
Admin administratively
Unreachable unreachable.
The TCP
stack can
return this
disconnect
code during
an
immediate
Telnet or
raw TCP
session.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
782
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1101 - The session no no no no yes yes yes yes
Security failed for
Fail security
reasons.
This code
applies to
all session
types.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
783
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1152 - Simple no no no no yes yes yes yes
SNMP Network
Disc Management
Protocol
(SNMP)
has
disconnected.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
784
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1195 - Call The call no no no no yes yes yes yes
Duration disconnected
because the
call
duration
exceeded
the
maximum
amount of
time
allowed by
the Max
Call Mins
or Max
DS0 Mins
parameter
on the
access
server.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
785
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1603 - The control no no no no no no yes yes
VPDN Bad packet is
Control invalid.
Packet This code
applies to
VPDN
sessions.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
786
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1608 - The call no no no no no no yes yes
VPDN Call was
Redirected redirected.
This code
applies to
VPDN
sessions.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
787
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1802 - no no no no no no no yes
Q850 No
Route
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
788
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
The
equipment
that is
sending
this code
has
received a
request to
route the
call
through a
particular
transit
network
that it does
not
recognize.
The
equipment
that is
sending
this code
does not
recognize
the transit
network
because
either the
transit
network
does not
exist or
because
that
particular
transit
network,
while it
does exist,
does not
serve the
equipment
that is
sending
this code.
This code
applies to
ISDN or
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
789
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
modem
calls that
came in
over ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
790
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1816 - The call is no no no no no no no yes
Q850 being
Normal cleared
Clearing because
one of the
users who
is involved
in the call
has
requested
that the call
be cleared.
This code
applies to
ISDN or
modem
calls that
came in
over ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
791
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1817 - The called no no no no no no no yes
Q850 User party is
Busy unable to
accept
another call
because the
user-busy
condition
has been
encountered.
This code
may be
generated
by the
called user
or by the
network. In
the case of
the user,
the user
equipment
is
compatible
with the
call. This
code
applies to
ISDN or
modem
calls that
came in
over ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
792
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1818 - Used when no no no no no no no yes
Q850 No a called
User party does
Responding not respond
to a
call-establishment
message
with either
an alerting
or connect
indication
within the
prescribed
period of
time that
was
allocated.
This code
applies to
ISDN or
modem
calls that
came in
over ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
793
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1821 - no no no no no no no yes
Q850 Call
Rejected
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
794
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
The
equipment
that is
sending
this code
does not
wish to
accept this
call
although it
could have
accepted
the call
because the
equipment
that is
sending
this code is
neither
busy nor
incompatible.
This code
may also
be
generated
by the
network,
indicating
that the call
was cleared
due to a
supplementary
service
constraint.
The
diagnostic
field may
contain
additional
information
about the
supplementary
service and
reason for
rejection.
This code
applies to
ISDN or
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
795
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
modem
calls that
came in
over ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
796
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1827 - The no no no no no no no yes
Q850 destination
Destination that was
Out of indicated
Order by the user
cannot be
reached
because the
interface to
the
destination
is not
functioning
correctly.
The term
“not
functioning
correctly”
indicates
that a
signaling
message
was unable
to be
delivered to
the remote
party. This
code
applies to
ISDN or
modem
calls that
came in
over ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
797
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1828 - The called no no no no no no no yes
Q850 party
Invalid cannot be
Number reached
Format because the
called party
number is
not in a
valid
format or is
not
complete.
This code
applies to
ISDN or
modem
calls that
came in
over ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
798
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1830 - This code no no no no no no no yes
Q850 is included
Responding in the
to Status STATUS
Enquiry message
when the
reason for
generating
the
STATUS
message
was the
prior
receipt of a
STATUS
ENQUIRY
message.
This code
applies to
ISDN or
modem
calls that
came in
over ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
799
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1838 - The no no no no no no no yes
Q850 network is
Network not
Out of functioning
Order correctly
and the
condition is
likely to
last a
relatively
long period
of time.
This code
applies to
ISDN or
modem
calls that
came in
over ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
800
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1842 - The no no no no no no no yes
Q850 network is
Network congested.
Congestion This code
applies to
ISDN or
modem
calls that
came in
over ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
801
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1844 - This code no no no no no no no yes
Q850 is returned
Requested when the
Channel circuit or
Not channel
Available that is
indicated
by the
requesting
entity
cannot be
provided
by the
other side
of the
interface.
This code
applies to
ISDN or
modem
calls that
came in
over ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
802
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1847 - This code no no no no no no no yes
Q850 is used to
Resource report a
Unavailable resource-unavailable
event only
when no
other code
in the
resource-unavailable
class
applies.
This code
applies to
ISDN or
modem
calls that
came in
over ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
803
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1852 - Although no no no no no no no yes
Q850 the calling
Outgoing party is a
Call Barred member of
the closed
user group
for the
outgoing
closed user
group call,
outgoing
calls are
not allowed
for this
member.
This code
applies to
ISDN or
modem
calls that
came in
over ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
804
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1858 - The user no no no no no no no yes
Q850 has
Bearer requested a
Capability bearer
Not capability
Available that is
implemented
by the
equipment
that
generated
this code
but that is
not
available at
this time.
This code
applies to
ISDN or
modem
calls that
have come
in over
ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
805
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1865 - The no no no no no no no yes
Q850 equipment
Bearer that is
Capability sending
Not this code
Implemented does not
support the
bearer
capability
that was
requested.
This code
applies to
ISDN or
modem
calls that
have come
in over
ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
806
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1869 - The no no no no no no no yes
Q850 supplementary
Facility service
Not requested
Implemented by the user
cannot be
provided
by the
network.
This code
applies to
ISDN or
modem
calls that
have come
in over
ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
807
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1882 - The no no no no no no no yes
Q850 channel
Channel most
Does Not recently
Exist identified is
not
acceptable
to the
sending
entity for
use in this
call. This
code
applies to
ISDN or
modem
calls that
have come
in over
ISDN. This
code
applies to
ISDN or
modem
calls that
have come
in over
ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
808
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1888 - The no no no no no no no yes
Q850 equipment
Incompatible that is
Destination sending
this code
has
received a
request to
establish a
call that
has
low-layer
compatibility
or other
compatibility
attributes
that cannot
be
accommodated.
This code
applies to
ISDN or
modem
calls that
have come
in over
ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
809
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1896 - The no no no no no no no yes
Q850 equipment
Mandatory that is
Info sending
Element Is this code
Missing has
received a
message
that is
missing an
information
element
that must
be present
in the
message
before that
message
can be
processed.
This code
applies to
ISDN or
modem
calls that
have come
in over
ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
810
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1897 - The no no no no no no no yes
Q850 Non equipment
Existent that is
Message sending
Type this code
has
received a
message
with a
message
type that it
does not
recognize
either
because
this is a
message
that is not
defined or
that is
defined but
not
implemented
by the
equipment
that is
sending
this code.
This code
applies to
ISDN or
modem
calls that
have come
in over
ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
811
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1898 - This code no no no no no no no yes
Q850 is used to
Invalid report an
Message invalid
message
when no
other code
in the
invalid
message
class
applies.
This code
applies to
ISDN or
modem
calls that
have come
in over
ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
812
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1900 - The no no no no no no no yes
Q850 equipment
Invalid that is
Element sending
Contents this code
has
received an
information
element
that it has
implemented;
however,
one or
more fields
in the
information
element are
coded in
such a way
that has not
been
implemented
by the
equipment
that is
sending
this code.
This code
applies to
ISDN or
modem
calls that
have come
in over
ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
813
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1901 - The no no no no no no no yes
Q850 message
Wrong that was
Message received is
for State incompatible
with the
call state.
This code
applies to
ISDN or
modem
calls that
have come
in over
ISDN.
1902 - A no no no no no no no yes
Q850 procedure
Recovery has been
on Timer initiated by
Expiration the
expiration
of a timer
in
association
with
error-handling
procedures.
This code
applies to
ISDN or
modem
calls that
have come
in over
ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
814
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1903 - The no no no no no no no yes
Q850 Info equipment
Element that is
Error sending
this code
has
received a
message
that
includes
information
elements or
parameters
that are not
recognized
because the
information
element
identifiers
or
paramenter
names are
not defined
or are
defined but
not
implemented
by the
equipment
that is
sending
this code.
This code
applies to
ISDN or
modem
calls that
have come
in over
ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
815
Information About TACACS+
Cause Description 11.0 11.1 11.2 11.3 12.0 12.1 12.2 12.3
Codes
1911 - This code no no no no no no no yes
Q850 is used to
Protocol report a
Error protocol
error event
only when
no other
code in the
protocol
error class
applies.
This code
applies to
ISDN or
modem
calls that
have come
in over
ISDN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
816
Information About TACACS+
For example, suppose you want to share the same phone number with several customers, but you want to
know which customer is calling before you pick up the phone. You can customize how you answer the phone
because DNIS allows you to know which customer is calling when you answer.
Cisco devices with either ISDN or internal modems can receive the DNIS number. This functionality allows
users to assign different TACACS+ server groups for different customers (that is, different TACACS+ servers
for different DNIS numbers). Additionally, using server groups you can specify the same server group for
AAA services or a separate server group for each AAA service.
Cisco IOS software provides the flexibility to implement authentication and accounting services in several
ways:
• Globally--AAA services are defined using global configuration access list commands and applied in
general to all interfaces on a specific network access server.
• Per interface--AAA services are defined using interface configuration commands and applied specifically
to the interface being configured on a specific network access server.
• DNIS mapping--You can use DNIS to specify an AAA server to supply AAA services.
Because AAA configuration methods can be configured simultaneously, Cisco has established an order of
precedence to determine which server or groups of servers provide AAA services. The order of precedence
is as follows:
• Per DNIS--If you configure the network access server to use DNIS to identify which server group
provides AAA services, then this method takes precedence over any additional AAA selection method.
• Per interface--If you configure the network access server per interface to use access lists to determine
how a server provides AAA services, this method takes precedence over any global configuration AAA
access lists.
• Globally--If you configure the network access server by using global AAA access lists to determine
how the security server provides AAA services, this method has the lowest precedence.
Note Prior to configuring AAA Server Group Selection Based on DNIS, you must configure the remote security
servers associated with each AAA server group. See Identifying the TACACS Server Host and Configuring
AAA Server Groups for more information.
To configure the device to select a particular AAA server group based on the DNIS of the server group,
configure DNIS mapping. To map a server group with a group name with DNIS number, use the following
commands in global configuration mode:
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
817
Information About TACACS+
Step 4 Router(config)# aaa dnis map dnis-number Maps a DNIS number to a defined AAA server
authentication ppp group group; the servers in this server group are being
server-group-name used for authentication.
Step 5 Router(config)# aaa dnis map dnis-number Maps a DNIS number to a defined AAA server
accounting network [none | start-stop | group; the servers in this server group are being
stop-only] group server-group-name used for accounting.
TACACS+ Authentication
After you have identified the TACACS+ daemon and defined an associated TACACS+ encryption key, you
must define method lists for TACACS+ authentication. Because TACACS+ authentication is operated via
AAA, you need to issue the aaa authentication command, specifying TACACS+ as the authentication method.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
818
How to Configure TACACS+
TACACS+ Authorization
AAA authorization enables you to set parameters that restrict a user’s access to the network. Authorization
via TACACS+ may be applied to commands, network connections, and EXEC sessions. Because TACACS+
authorization is facilitated through AAA, you must issue the aaa authorization command, specifying
TACACS+ as the authorization method.
TACACS+ Accounting
The AAA accounting feature tracks the services that users are accessing and the amount of network resources
that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+
security server in the form of accounting records. Each accounting record contains accounting attribute-value
(AV) pairs and is stored on the security server. This data can then be analyzed for network management, client
billing, or auditing.
Note Although TACACS+ configuration is performed through the CLI, the TACACS+ server authenticates
HTTP connections that have been configured with a privilege level of 15.
Identifying the TACACS+ Server Host and Setting the Authentication Key
Follow these steps to identify the TACACS+ server host and set the authentication key:
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
819
How to Configure TACACS+
Example:
Switch# configure terminal
Example:
Switch(config)# aaa new-model
Step 5 aaa group server tacacs+ group-name (Optional) Defines the AAA server-group with a
group name.
Example: This command puts the Switch in a server group
Switch(config)# aaa group server subconfiguration mode.
tacacs+ your_server_group
Switch(config)# server 10.1.2.3 Each server in the group must be previously defined
in Step 3.
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
820
How to Configure TACACS+
Note To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip
http authentication aaa global configuration command. Configuring AAA authentication does not secure
the switch for HTTP access by using AAA methods.
For more information about the ip http authentication command, see the Cisco IOS Security Command
Reference, Release 12.4.
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# aaa
new-model
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
821
How to Configure TACACS+
Step 5 line [console | tty | vty] Enters line configuration mode, and configures the lines to which
line-number [ending-line-number] you want to apply the authentication list.
Example:
Switch(config)# line 2 4
Step 6 login authentication {default | Applies the authentication list to a line or set of lines.
list-name}
• If you specify default, use the default list created with the
aaa authentication login command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
822
How to Configure TACACS+
Switch(config-line)# login
authentication default
Example:
Switch(config-line)# end
Example:
Switch# show running-config
Step 9 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services
You can use the aaa authorization global configuration command with the tacacs+ keyword to set parameters
that restrict a user’s network access to privileged EXEC mode.
Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has
been configured.
Follow these steps to specify TACACS+ authorization for privileged EXEC access and network services:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
823
How to Configure TACACS+
Procedure
Example:
Switch# configure terminal
Step 3 aaa authorization network tacacs+ Configures the switch for user TACACS+
authorization for all network-related service
Example: requests.
Step 4 aaa authorization exec tacacs+ Configures the switch for user TACACS+
authorization if the user has privileged EXEC
Example: access.
Switch(config)# aaa authorization exec The exec keyword might return user profile
tacacs+ information (such as autocommand
information).
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
824
How to Configure TACACS+
Procedure
Example:
Switch# configure terminal
Step 3 aaa accounting network start-stop tacacs+ Enables TACACS+ accounting for all
network-related service requests.
Example:
Switch(config)# aaa accounting network
start-stop tacacs+
Step 4 aaa accounting exec start-stop tacacs+ Enables TACACS+ accounting to send a
start-record accounting notice at the beginning
Example: of a privileged EXEC process and a
stop-record at the end.
Switch(config)# aaa accounting exec
start-stop tacacs+
Example:
Switch(config)# end
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
825
How to Configure TACACS+
What to Do Next
To establish a session with a router if the AAA server is unreachable, use the aaa accounting system
guarantee-first command. It guarantees system accounting as the first record, which is the default condition.
In some situations, users might be prevented from starting a session on the console or terminal connection
until after the system reloads, which can take more than 3 minutes.
To establish a console or Telnet session with the router if the AAA server is unreachable when the router
reloads, use the no aaa accounting system guarantee-first command.
Procedure
Example:
Device# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
826
How to Configure TACACS+
Example:
Device(config-vrf)# exit
Example:
Device(config-if)# ip vrf forwarding
cisco
Step 8 ip address ip-address mask [secondary] Sets a primary or secondary IP address for
an interface.
Example:
Device(config-if)# ip address 10.0.0.2
255.0.0.0
Example:
Device(config-if)# exit
Step 10 aaa group server tacacs+ group-name Groups different TACACS+ server hosts
into distinct lists and distinct methods and
Example: enters server-group configuration mode.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
827
How to Configure TACACS+
Example:
Device(config-sg-tacacs+)# server-private
10.1.1.1 port 19 key cisco
Example:
Device(config-sg-tacacs)# exit
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
828
Configuration Examples for TACACS+
Example:
Device# debug tacacs packets
Monitoring TACACS+
Table 88: Commands for Displaying TACACS+ Information
Command Purpose
show tacacs Displays TACACS+ server statistics.
aaa new-model
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization network default group tacacs+
tacacs-server host 10.1.2.3
tacacs-server key goaway
interface serial 0
ppp authentication chap default
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
829
Configuration Examples for TACACS+
aaa new-model
aaa authentication ppp default if-needed group tacacs+ local
aaa accounting network default stop-only group tacacs+
tacacs-server host 10.1.2.3
tacacs-server key goaway
interface serial 0
ppp authentication chap default
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
830
Configuration Examples for TACACS+
aaa new-model
aaa authentication ppp test group tacacs+ local
tacacs-server host 10.1.2.3
tacacs-server key goaway
interface serial 0
ppp authentication chap pap test
The following example shows how to configure TACACS+ as the security protocol for PPP authentication,
but instead of the “test” method list, the “default” method list is used.
aaa new-model
aaa authentication ppp default if-needed group tacacs+ local
tacacs-server host 10.1.2.3
tacacs-server key goaway
interface serial 0
ppp authentication chap default
The following example shows how to create the same authentication algorithm for PAP, but it calls the method
list “MIS-access” instead of “default”:
aaa new-model
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
831
Configuration Examples for TACACS+
The following example shows the configuration for a TACACS+ daemon with an IP address of 10.2.3.4 and
an encryption key of “apple”:
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.2.3.4
tacacs-server key apple
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
832
Additional References for TACACS+
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
833
Feature Information for TACACS+
Cisco IOS 12.2(54)SG The Per VRF for TACACS+ Servers feature allows
per virtual route forwarding (per VRF) to be
Cisco IOS 15.2(1)E
configured for authentication, authorization, and
accounting (AAA) on TACACS+ servers.
The following commands were introduced or
modified: ip tacacs source-interface, ip vrf
forwarding (server-group), server-private
(TACACS+).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
834
CHAPTER 36
Configuring RADIUS
The RADIUS security system is a distributed client/server system that secures networks against unauthorized
access. In the Cisco implementation, RADIUS clients run on Cisco devices and send authentication requests
to a central RADIUS server that contains all user authentication and network service access information.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
835
Restrictions for Configuring RADIUS
• RADIUS is facilitated through AAA and can be enabled only through AAA commands.
• Use the aaa new-model global configuration command to enable AAA.
• Use the aaa authentication global configuration command to define method lists for RADIUS
authentication.
• Use line and interface commands to enable the defined method lists to be used.
• At a minimum, you must identify the host or hosts that run the RADIUS server software and define the
method lists for RADIUS authentication. You can optionally define method lists for RADIUS
authorization and accounting.
• You should have access to and should configure a RADIUS server before configuring RADIUS features
on your Switch.
• The RADIUS host is normally a multiuser system running RADIUS server software from Cisco (Cisco
Secure Access Control Server Version 3.0), Livingston, Merit, Microsoft, or another software provider.
For more information, see the RADIUS server documentation.
• To use the Change-of-Authorization (CoA) interface, a session must already exist on the switch. CoA
can be used to identify a session and enforce a disconnect request. The update affects only the specified
session.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
836
Information about RADIUS
RADIUS Overview
RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS
clients run on supported Cisco routers and switches. Clients send authentication requests to a central RADIUS
server, which contains all user authentication and network service access information.
Use RADIUS in these network environments that require access security:
• Networks with multiple-vendor access servers, each supporting RADIUS. For example, access servers
from several vendors use a single RADIUS server-based security database. In an IP-based network with
multiple vendors’ access servers, dial-in users are authenticated through a RADIUS server that has been
customized to work with the Kerberos security system.
• Turnkey network security environments in which applications support the RADIUS protocol, such as
in an access environment that uses a smart card access control system. In one case, RADIUS has been
used with Enigma’s security cards to validates users and to grant access to network resources.
• Networks already using RADIUS. You can add a Cisco Switch containing a RADIUS client to the
network. This might be the first step when you make a transition to a TACACS+ server. See Figure 2:
Transitioning from RADIUS to TACACS+ Services below.
• Network in which the user must only access a single service. Using RADIUS, you can control user
access to a single host, to a single utility such as Telnet, or to the network through a protocol such as
IEEE 802.1x. For more information about this protocol, see Chapter 11, “Configuring IEEE 802.1x
Port-Based Authentication.”
• Networks that require resource accounting. You can use RADIUS accounting independently of RADIUS
authentication or authorization. The RADIUS accounting functions allow data to be sent at the start and
end of services, showing the amount of resources (such as time, packets, bytes, and so forth) used during
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
837
Information about RADIUS
the session. An Internet service provider might use a freeware-based version of RADIUS access control
and accounting software to meet special security and billing needs.
RADIUS Operation
When a user attempts to log in and authenticate to a Switch that is access controlled by a RADIUS server,
these events occur:
1 The user is prompted to enter a username and password.
2 The username and encrypted password are sent over the network to the RADIUS server.
3 The user receives one of the following responses from the RADIUS server:
• ACCEPT—The user is authenticated.
• REJECT—The user is either not authenticated and is prompted to re-enter the username and password,
or access is denied.
• CHALLENGE—A challenge requires additional data from the user.
• CHALLENGE PASSWORD—A response requests the user to select a new password.
The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or
network authorization. The additional data included with the ACCEPT or REJECT packets includes these
items:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
838
Information about RADIUS
You identify RADIUS security servers by their hostname or IP address, hostname and specific UDP port
numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP
port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts
providing a specific AAA service. This unique identifier enables RADIUS requests to be sent to multiple
UDP ports on a server at the same IP address.
If two different host entries on the same RADIUS server are configured for the same service—for example,
accounting—the second host entry configured acts as a fail-over backup to the first one. Using this example,
if the first host entry fails to provide accounting services, the %RADIUS-4-RADIUS_DEAD message appears,
and then the switch tries the second host entry configured on the same device for accounting services. (The
RADIUS host entries are tried in the order that they are configured.)
A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange responses.
To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS
server daemon and a secret text (key) string that it shares with the switch.
The timeout, retransmission, and encryption key values can be configured globally for all RADIUS servers,
on a per-server basis, or in some combination of global and per-server settings.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
839
Information about RADIUS
defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security
server or local username database responds by denying the user access—the authentication process stops, and
no other authentication methods are attempted.
AAA Authorization
AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch
uses information retrieved from the user’s profile, which is in the local user database or on the security server,
to configure the user’s session. The user is granted access to a requested service only if the information in the
user profile allows it.
RADIUS Accounting
The AAA accounting feature tracks the services that users are using and the amount of network resources that
they are consuming. When you enable AAA accounting, the switch reports user activity to the RADIUS
security server in the form of accounting records. Each accounting record contains accounting attribute-value
(AV) pairs and is stored on the security server. You can then analyze the data for network management, client
billing, or auditing.
Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value
are an appropriate attributevalue (AV) pair defined in the Cisco TACACS+ specification, and sep is = for
mandatory attributes and is * for optional attributes. The full set of features available for TACACS+
authorization can then be used for RADIUS.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
840
Information about RADIUS
For example, the following AV pair causes Cisco’s “multiple named IP address pools” feature to be activated
during IP authorization (during PPP’s Internet Protocol Control Protocol (IPCP) address assignment):
cisco-avpair= ”ip:addr-pool=first“
If you insert an “*”, the AV pair “ip:addr-pool=first” becomes optional. Note that any AV pair can be made
optional:
cisco-avpair= ”ip:addr-pool*first“
The following example shows how to cause a user logging in from a network access server to have immediate
access to EXEC commands:
cisco-avpair= ”shell:priv-lvl=15“
Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information about
vendor-IDs and VSAs, see RFC 2138, “Remote Authentication Dial-In User Service (RADIUS).”
Attribute 26 contains the following three elements:
• Type
• Length
• String (also known as data)
• Vendor-Id
• Vendor-Type
• Vendor-Length
• Vendor-Data
The figure below shows the packet format for a VSA encapsulated “behind” attribute 26.
Note It is up to the vendor to specify the format of their VSA. The Attribute-Specific field (also known as
Vendor-Data) is dependent on the vendor's definition of that attribute.
The table below describes significant fields listed in the Vendor-Specific RADIUS IETF Attributes table
(second table below), which lists supported vendor-specific RADIUS attributes (IETF attribute 26).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
841
Information about RADIUS
Field Description
Number All attributes listed in the following table are extensions of IETF
attribute 26.
Vendor-Specific Command Codes A defined code used to identify a particular vendor. Code 9
defines Cisco VSAs, 311 defines Microsoft VSAs, and 529
defines Ascend VSAs.
Sub-Type Number The attribute ID number. This number is much like the ID
numbers of IETF attributes, except it is a “second layer” ID
number encapsulated behind attribute 26.
VPDN Attributes
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
842
Information about RADIUS
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
843
Information about RADIUS
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
844
Information about RADIUS
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
845
Information about RADIUS
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
846
Information about RADIUS
H323 Attributes
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
847
Information about RADIUS
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
848
Information about RADIUS
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
849
Information about RADIUS
Miscellaneous Attributes
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
850
Information about RADIUS
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
851
Information about RADIUS
Note The Disconnect-Cause is incremented by 1000 when it is used in RADIUS AVPairs; for example, disc-cause
4 becomes 1004.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
852
Information about RADIUS
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
853
Information about RADIUS
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
854
Information about RADIUS
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
855
Information about RADIUS
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
856
Information about RADIUS
Note In accounting “start” records, attribute 196 does not have a value.
Code Description
10 Modem allocation and negotiation is complete; the
call is up.
Note Progress codes 33, 30, and 67 are generated and seen through debugs on the NAS; all other codes are
generated and seen through debugs and the accounting record on the RADIUS server.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
857
How to Configure RADIUS
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
858
How to Configure RADIUS
Example:
Switch# configure terminal
Step 3 radius server name Specifies the name of the RADIUS server configuration for
Protected Access Credential (PAC) provisioning and enters
Example: RADIUS server configuration mode.
Switch(config)# radius server The switch also supports RADIUS for IPv6.
ISE
Step 4 address {ipv4 | ipv6} ip address (Optional) Specifies the RADIUS server parameters.
{auth-port port number | acct-port For auth-port port-number, specify the UDP destination
port number} port for authentication requests. The default is 1645. The
range is 0 to 65536.
Example:
For acct-port port-number, specify the UDP destination
Switch(config-radius-server)# port for authentication requests. The default is 1646.
address ipv4 10.1.1.1 auth-port
1645 acct-port 1646
Step 5 key string (Optional) For key string, specify the authentication and
encryption key used between the Switch and the RADIUS
Example: daemon running on the RADIUS server.
Switch(config-radius-server)# Note The key is a text string that must match the
key cisco123 encryption key used on the RADIUS server.
Always configure the key as the last item in the
radius server command. Leading spaces are
ignored, but spaces within and at the end of the
key are used. If you use spaces in your key, do not
enclose the key in quotation marks unless the
quotation marks are part of the key.
Step 6 retransmit value (Optional) Specifies the number of times a RADIUS request
is resent when the server is not responding or responding
Example: slowly. The range is 1 to 100. This setting overrides the
radius-server retransmit global configuration command
Switch(config-radius-server)# setting.
retransmit 10
Step 7 timeout seconds (Optional) Specifies the time interval that the Switch waits
for the RADIUS server to reply before sending a request
Example: again. The range is 1 to 1000. This setting overrides the
radius-server timeout global configuration command
Switch(config-radius-server)# setting.
timeout 60
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
859
How to Configure RADIUS
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Procedure
Example:
Switch# configure terminal
Step 2 radius-server key string Specifies the shared secret text string used between the
switch and all RADIUS servers.
Example: Note The key is a text string that must match the
Switch(config)# radius-server key encryption key used on the RADIUS server.
your_server_key Leading spaces are ignored, but spaces within
and at the end of the key are used. If you use
Switch(config)# key spaces in your key, do not enclose the key in
your_server_key quotation marks unless the quotation marks are
part of the key.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
860
How to Configure RADIUS
Switch(config)# radius-server
retransmit 5
Step 4 radius-server timeout seconds Specifies the number of seconds a switch waits for a
reply to a RADIUS request before resending the request.
Example: The default is 5 seconds; the range is 1 to 1000.
Switch(config)# radius-server
timeout 3
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
861
How to Configure RADIUS
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# aaa
new-model
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
862
How to Configure RADIUS
Step 5 line [console | tty | vty] Enters line configuration mode, and configure the lines to which
line-number [ending-line-number] you want to apply the authentication list.
Example:
Switch(config)# line 1 4
Step 6 login authentication {default | Applies the authentication list to a line or set of lines.
list-name}
• If you specify default, use the default list created with the
aaa authentication login command.
Example:
• For list-name, specify the list created with the aaa
Switch(config)# login
authentication default authentication login command.
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 9 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
863
How to Configure RADIUS
Procedure
Example:
Switch# configure terminal
Step 3 radius server name Specifies the name of the RADIUS server
configuration for Protected Access Credential
Example: (PAC) provisioning and enters RADIUS server
configuration mode.
Switch(config)# radius server ISE
The switch also supports RADIUS for IPv6.
Step 4 address {ipv4 | ipv6} {ip-address | Configures the IPv4 address for the RADIUS
hostname} auth-port port-number acct-port server accounting and authentication parameters.
port-number
Example:
Switch(config-radius-server)# address
ipv4 10.1.1.1 auth-port 1645
acct-port 1646
Switch(config-radius-server)# key
cisco123
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
864
How to Configure RADIUS
Example:
Switch# show running-config
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Configuring RADIUS Authorization for User Privileged Access and Network Services
Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has
been configured.
Follow these steps to configure RADIUS authorization for user priviledged access and network services:
Procedure
Example:
Switch# configure terminal
Step 3 aaa authorization network radius Configures the switch for user RADIUS
authorization for all network-related service
Example: requests.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
865
How to Configure RADIUS
Switch(config)# aaa authorization exec The exec keyword might return user profile
radius information (such as autocommand
information).
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
What to Do Next
You can use the aaa authorization global configuration command with the radius keyword to set parameters
that restrict a user’s network access to privileged EXEC mode.
The aaa authorization exec radius local command sets these authorization parameters:
• Use RADIUS for privileged EXEC access authorization if authentication was performed by using
RADIUS.
• Use the local database if authentication was not performed by using RADIUS.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
866
How to Configure RADIUS
Procedure
Example:
Switch# configure terminal
Step 3 aaa accounting network start-stop radius Enables RADIUS accounting for all
network-related service requests.
Example:
Switch(config)# aaa accounting network
start-stop radius
Step 4 aaa accounting exec start-stop radius Enables RADIUS accounting to send a
start-record accounting notice at the beginning
Example: of a privileged EXEC process and a
Switch(config)# aaa accounting exec stop-record at the end.
start-stop radius
Example:
Switch(config)# end
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
867
How to Configure RADIUS
What to Do Next
To establishing a session with a router if the AAA server is unreachable, use the aaa accounting system
guarantee-first command. This command guarantees system accounting as the first record, which is the
default condition. In some situations, users might be prevented from starting a session on the console or
terminal connection until after the system reloads, which can take more than 3 minutes.
To establish a console or Telnet session with the router if the AAA server is unreachable when the router
reloads, use the no aaa accounting system guarantee-first command.
Procedure
Step 3 show radius statistics Displays the RADIUS statistics for accounting
and authentication packets.
Example:
Device# debug aaa authorization
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
868
How to Configure RADIUS
Procedure
Example:
Switch# configure terminal
Step 3 radius-server vsa send [accounting | Enables the switch to recognize and use VSAs as
authentication] defined by RADIUS IETF attribute 26.
• (Optional) Use the accounting keyword to limit
Example: the set of recognized vendor-specific attributes
Switch(config)# radius-server vsa to only accounting attributes.
send accounting
• (Optional) Use the authentication keyword to
limit the set of recognized vendor-specific
attributes to only authentication attributes.
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
869
How to Configure RADIUS
Procedure
Example:
Switch# configure terminal
Step 3 radius-server host {hostname | Specifies the IP address or hostname of the remote
ip-address} non-standard RADIUS server host and identifies that it is using a
vendor-proprietary implementation of RADIUS.
Example:
Switch(config)# radius-server
host 172.20.30.15 non-standard
Step 4 radius-server key string Specifies the shared secret text string used between the
switch and the vendor-proprietary RADIUS server. The
Example: switch and the RADIUS server use this text string to
encrypt passwords and exchange responses.
Switch(config)# radius-server key
rad124 Note The key is a text string that must match the
encryption key used on the RADIUS server.
Leading spaces are ignored, but spaces within
and at the end of the key are used. If you use
spaces in your key, do not enclose the key in
quotation marks unless the quotation marks are
part of the key.
Step 5 end Returns to privileged EXEC mode.
Example:
Switch(config)# end
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
870
How to Configure RADIUS
Example:
Switch# copy running-config
startup-config
Procedure
Example:
Device# configure terminal
Example:
Device(config)# aaa user profile
profilename1
Step 4 aaa attribute {dnis | clid} Adds DNIS or CLID attribute values to the user
profile and enters AAA-user configuration mode.
Example:
Device# configure terminal
Step 6 test aaa group {group-name | radius} Associates a DNIS or CLID named user profile
username password new-code [profile with the record sent to the RADIUS server.
profile-name] Note The profile-name must match the
profile-name specified in the aaa user
profile command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
871
Configuration Examples for RADIUS
Example:
Command Purpose
Displays information associated with RADIUS.
Device# debug radius
This example shows how to configure host1 as the RADIUS server and to use the default ports for both
authentication and accounting:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
872
Configuration Examples for RADIUS
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
873
Configuration Examples for RADIUS
cisco-avpair= ”ip:addr-pool=first“
This example shows how to provide a user logging in from a switch with immediate access to privileged
EXEC commands:
cisco-avpair= ”shell:priv-lvl=15“
This example shows how to specify an authorized VLAN in the RADIUS server database:
cisco-avpair= ”tunnel-type(#64)=VLAN(13)”
cisco-avpair= ”tunnel-medium-type(#65)=802 media(6)”
cisco-avpair= ”tunnel-private-group-id(#81)=vlanid”
This example shows how to apply an input ACL in ASCII format to an interface for the duration of this
connection:
This example shows how to apply an output ACL in ASCII format to an interface for the duration of this
connection:
Example: User Profile Associated With the test aaa group Command
The following example shows how to configure the dnis = dnisvalue user profile “prfl1” and associate it with
a test aaa group command. In this example, the debug radius command has been enabled and the output
follows the configuration.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
874
Additional References for RADIUS
Standard/RFC Title
RFC 5176 RADIUS Change of Authorization (CoA) extensions
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
875
Feature Information for RADIUS
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Cisco IOS 15.2(1)E The RADIUS Progress Codes feature adds additional
progress codes to RADIUS attribute 196
(Ascend-Connect-Progress), which indicates a
connection state before a call is disconnected through
progress codes.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
876
Feature Information for RADIUS
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
877
Feature Information for RADIUS
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
878
CHAPTER 37
RADIUS Server Load Balancing
The RADIUS Server Load Balancing feature distributes authentication, authorization, and accounting (AAA)
authentication and accounting transactions across RADIUS servers in a server group. These servers can
share the AAA transaction load and thereby respond faster to incoming requests.
This module describes the RADIUS Server Load Balancing feature.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
879
Restrictions for RADIUS Server Load Balancing
• RADIUS must be configured for functions such as authentication, accounting, or static route download.
The batch size is a user-configured parameter. Changes in the batch size may impact CPU load and network
throughput. As batch size increases, CPU load decreases and network throughput increases. However, if a
large batch size is used, all available server resources may not be fully utilized. As batch size decreases, CPU
load increases and network throughput decreases.
Note There is no set number for large or small batch sizes. A batch with more than 50 transactions is considered
large and a batch with fewer than 25 transactions is considered small.
Note If a server group contains ten or more servers, we recommend that you set a high batch size to reduce
CPU load.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
880
Information About RADIUS Server Load Balancing
same server for the start and stop record for a session regardless of the server cost. When using the preferred
server setting, ensure that the server that is used for the initial transaction (for example, authentication), the
preferred server, is part of any other server group that is used for a subsequent transaction (for example,
accounting).
The preferred server is not used if one of the following criteria is true:
• The load-balance method least-outstanding ignore-preferred-server command is used.
• The preferred server is dead.
• The preferred server is in quarantine.
• The want server flag has been set, overriding the preferred server setting.
The want server flag, an internal setting, is used when the same server must be used for all stages of a multistage
transaction regardless of the server cost. If the want server is not available, the transaction fails.
You can use the load-balance method least-outstanding ignore-preferred-server command if you have
either of the following configurations:
• Dedicated authentication server and a separate dedicated accounting server
• Network where you can track all call record statistics and call record details, including start and stop
records and records that are stored on separate servers
If you have a configuration where authentication servers are a superset of accounting servers, the preferred
server is not used.
Caution We recommend that you use a test user that is not defined on the RADIUS server for the RADIUS server
automated testing to protect against security issues that may arise if the test user is not correctly configured.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
881
How to Configure RADIUS Server Load Balancing
Note Use the test aaa group command to check load-balancing transactions.
Procedure
Example:
Device# configure terminal
Step 3 radius-server host {hostname | ip-address} [test Enables RADIUS automated testing.
username name] [auth-port number]
[ignore-auth-port] [acct-port number]
[ignore-acct-port] [idle-time seconds]
Example:
Device(config)# radius-server host 192.0.2.1
test username test1 idle-time 1
Step 4 aaa group server radius group-name Enters server group configuration mode.
Example:
Device(config)# aaa group server radius rad-sg
Example:
Device(config-sg)# load-balance method
least-outstanding batch-size 30
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
882
How to Configure RADIUS Server Load Balancing
Procedure
Example:
Device# configure terminal
Step 3 radius-server host {hostname | ip-address} [test Enables RADIUS automated testing.
username name] [auth-port number]
[ignore-auth-port] [acct-port number]
[ignore-acct-port] [idle-time seconds]
Example:
Device(config)# radius-server host 192.0.2.1
test username test1 idle-time 1
Example:
Device(config-sg)# load-balance method
least-outstanding batch-size 5
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
883
How to Configure RADIUS Server Load Balancing
Procedure
Step 1 Use the debug aaa test command to determine when an idle timer or dead timer has expired, when test packets
are sent, the status of the server, or to verify the server state.
The idle timer is used to check the server status and is updated with or without any incoming requests.
Monitoring the idle timer helps to determine if there are nonresponsive servers and to keep the RADIUS
server status updated to efficiently utilize available resources. For instance, an updated idle timer would help
ensure that incoming requests are sent to servers that are alive.
The dead timer is used either to determine that a server is dead or to update a dead server’s status appropriately.
Monitoring server selection helps to determine how often the server selection changes. Server selection is
effective in analyzing if there are any bottlenecks, a large number of queued requests, or if only specific servers
are processing incoming requests.
The following sample output from the debug aaa test command shows when the idle timer expired:
Example:
Device# debug aaa test
Step 2 Use the debug aaa sg-server selection command to determine the server that is selected for load balancing.
The following sample output from the debug aaa sg-server selection command shows five access requests
being sent to a server group with a batch size of three:
Example:
Device# debug aaa sg-server selection
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
884
Configuration Examples for RADIUS Server Load Balancing
Step 3 Use the test aaa group command to manually verify the RADIUS load-balanced server status.
The following sample output shows the response from a load-balanced RADIUS server that is alive when the
username “test” does not match a user profile. The server is verified alive when it issues an Access-Reject
response to an authentication, authorization, and accounting (AAA) packet generated using the test aaa group
command.
Example:
Device# test aaa group SG1 test lab new-code
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
885
Configuration Examples for RADIUS Server Load Balancing
• The aaa group server radius command shows the configuration of a server group with two member
servers.
• The load-balance command enables load balancing for global RADIUS server groups with the batch
size specified.
• The aaa authentication ppp command authenticates all PPP users using RADIUS.
• The aaa accounting command enables sending of all accounting requests to the AAA server when the
client is authenticated and then disconnected using the start-stop keyword.
The show debug sample output below shows the selection of the preferred server and the processing of requests
for the preceding configuration:
Device# show debug
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
886
Configuration Examples for RADIUS Server Load Balancing
The following sample output from the show aaa servers command shows the AAA server status for the
named RADIUS server group configuration:
The sample output shows the status of two RADIUS servers. Both servers are alive, and no requests have
been processed since the counters were cleared 0 minutes ago.
Device# show aaa servers
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
887
Configuration Examples for RADIUS Server Load Balancing
The show debug sample output below shows the selection of the preferred server and the processing of
requests for the configuration:
Device# show debug
General OS:
AAA server group server selection debugging is on
#
<sending 10 pppoe requests>
Device#
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000014):No preferred server available.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:No more transactions in batch. Obtaining a new
server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining a new least loaded server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Server[0] load:0
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Server[1] load:0
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Selected Server[0] with load 0
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[5] transactions remaining in batch.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000014):Server (192.0.2.238:2095,2096) now being
used as preferred server
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000015):No preferred server available.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[4] transactions remaining in batch. Reusing
server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000015):Server (192.0.2.238:2095,2096) now being
used as preferred server
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000016):No preferred server available.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[3] transactions remaining in batch. Reusing
server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000016):Server (192.0.2.238:2095,2096) now being
used as preferred server
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000017):No preferred server available.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[2] transactions remaining in batch. Reusing
server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000017):Server (192.0.2.238:2095,2096) now being
used as preferred server
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000018):No preferred server available.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[1] transactions remaining in batch. Reusing
server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000018):Server (192.0.2.238:2095,2096) now being
used as preferred server
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000019):No preferred server available.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:No more transactions in batch. Obtaining a new
server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining a new least loaded server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Server[1] load:0
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Server[0] load:5
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Selected Server[1] with load 0
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[5] transactions remaining in batch.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000019):Server (192.0.2.238:2015,2016) now being
used as preferred server.
The following sample output from the show aaa servers command shows the AAA server status for the global
RADIUS server group configuration:
The sample output shows the status of two RADIUS servers. Both servers are up and successfully processed
in the last 2 minutes:
• Five out of six authentication requests
• Five out of five accounting requests
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
888
Configuration Examples for RADIUS Server Load Balancing
The show debug sample output below shows test requests being sent to servers. The response to the test
request sent to the server is received, the server is removed from quarantine as appropriate, the server is marked
alive, and then the idle timer is reset.
Device# show debug
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
889
Configuration Examples for RADIUS Server Load Balancing
Example: Configuring the Preferred Server with the Same Authentication and Authorization
Server
The following example shows an authentication server group and an authorization server group that use the
same servers 209.165.200.225 and 209.165.200.226. Both server groups have the preferred server flag enabled.
aaa group server radius authentication-group
server 209.165.200.225 key radkey1
server 209.165.200.226 key radkey2
aaa group server radius accounting-group
server 209.165.200.225 key radkey1
server 209.165.200.226 key radkey2
When a preferred server is selected for a session, all transactions for that session will continue to use the
original preferred server. The servers 209.165.200.225 and 209.165.200.226 are load balanced based on
sessions rather than transactions.
Example: Configuring the Preferred Server with Different Authentication and Authorization
Servers
The following example shows an authentication server group that uses servers 209.165.200.225 and
209.165.200.226 and an authorization server group that uses servers 209.165.201.1 and 209.165.201.2. Both
server groups have the preferred server flag enabled.
aaa group server radius authentication-group
server 209.165.200.225 key radkey1
server 209.165.200.226 key radkey2
aaa group server radius accounting-group
server 209.165.201.1 key radkey3
server 209.165.201.2 key radkey4
The authentication server group and the accounting server group do not share any common servers. A preferred
server is never found for accounting transactions; therefore, authentication and accounting servers are
load-balanced based on transactions. Start and stop records are sent to the same server for a session.
Example: Configuring the Preferred Server with Overlapping Authentication and Authorization
Servers
The following example shows an authentication server group that uses servers 209.165.200.225,
209.165.200.226, and 209.165.201.1 and an accounting server group that uses servers 209.165.201.1 and
209.165.201.2. Both server groups have the preferred server flag enabled.
aaa group server radius authentication-group
server 209.165.200.225 key radkey1
server 209.165.200.226 key radkey2
server 209.165.201.1 key radkey3
aaa group server radius accounting-group
server 209.165.201.1 key radkey3
server 209.165.201.2 key radkey4
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
890
Configuration Examples for RADIUS Server Load Balancing
If all servers have equal transaction processing capability, one-third of all authentication transactions are
directed toward the server 209.165.201.1. Therefore, one-third of all accounting transactions are also directed
toward the server 209.165.201.1. The remaining two-third of accounting transactions are load balanced equally
between servers 209.165.201.1 and 209.165.201.2. The server 209.165.201.1 receives fewer authentication
transactions because the server 209.165.201.1 has outstanding accounting transactions.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
891
Additional References for RADIUS Server Load Balancing
Security commands
• Security Command Reference: Commands A to C
• Security Command Reference: Commands D to L
• Security Command Reference: Commands M to R
• Security Command Reference: Commands S to Z
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/techsupport
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
892
Feature Information for RADIUS Server Load Balancing
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
893
Feature Information for RADIUS Server Load Balancing
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
894
CHAPTER 38
RADIUS Change of Authorization Support
The RADIUS Change of Authorization (CoA) provides a mechanism to change the attributes of an
authentication, authorization, and accounting (AAA) session after it is authenticated
Identity-Based Networking Services supports RADIUS change of authorization (CoA) commands for session
query, reauthentication, and termination, port bounce and port shutdown, and service template activation
and deactivation.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
895
Information About RADIUS Change-of-Authorization
section provides an overview of the RADIUS interface including available primitives and how they are used
during a CoA.
• Change-of-Authorization Requests
• CoA Request Response Code
• CoA Request Commands
• Session Reauthentication
• Stacking Guidelines for Session Termination
A standard RADIUS interface is typically used in a pulled model where the request originates from a network
attached device and the response come from the queried servers. Catalyst switches support the RADIUS CoA
extensions defined in RFC 5176 that are typically used in a pushed model and allow for the dynamic
reconfiguring of sessions from external AAA or policy servers.
The switch supports these per-session CoA requests:
• Session reauthentication
• Session termination
• Session termination with port shutdown
• Session termination with port bounce
This feature is integrated with Cisco Secure Access Control Server (ACS) 5.1.
The RADIUS interface is enabled by default on Catalyst switches. However, some basic configuration is
required for the following attributes:
• Security and Password—refer to the “Preventing Unauthorized Access to Your Switch” section in this
guide.
• Accounting—refer to the “Starting RADIUS Accounting” section in the Configuring Switch-Based
Authentication chapter in this guide.
Cisco IOS software supports the RADIUS CoA extensions defined in RFC 5176 that are typically used in a
push model to allow the dynamic reconfiguring of sessions from external AAA or policy servers. Per-session
CoA requests are supported for session identification, session termination, host reauthentication, port shutdown,
and port bounce. This model comprises one request (CoA-Request) and two possible response codes:
• CoA acknowledgement (ACK) [CoA-ACK]
• CoA nonacknowledgement (NAK) [CoA-NAK]
The request is initiated from a CoA client (typically a AAA or policy server) and directed to the device that
acts as a listener.
The table below shows the RADIUS CoA commands and vendor-specific attributes (VSAs) supported by
Identity-Based Networking Services. All CoA commands must include the session identifier between the
device and the CoA client.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
896
Information About RADIUS Change-of-Authorization
Session terminate This is a standard disconnect request and does not require a VSA.
Change-of-Authorization Requests
Change of Authorization (CoA) requests, as described in RFC 5176, are used in a push model to allow for
session identification, host reauthentication, and session termination. The model is comprised of one request
(CoA-Request) and two possible response codes:
• CoA acknowledgment (ACK) [CoA-ACK]
• CoA non-acknowledgment (NAK) [CoA-NAK]
The request is initiated from a CoA client (typically a RADIUS or policy server) and directed to the switch
that acts as a listener.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
897
Information About RADIUS Change-of-Authorization
31 Calling-Station-ID
44 Acct-Session-ID
80 Message-Authenticator
101 Error-Cause
This table shows the possible values for the Error-Cause attribute.
Value Explanation
201 Residual Session Context Removed
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
898
Information About RADIUS Change-of-Authorization
Value Explanation
507 Request Initiated
Preconditions
To use the CoA interface, a session must already exist on the switch. CoA can be used to identify a session
and enforce a disconnect request. The update affects only the specified session.
Session Identification
For disconnect and CoA requests targeted at a particular session, the switch locates the session based on one
or more of the following attributes:
• Acct-Session-Id (IETF attribute #44)
• Audit-Session-Id (Cisco VSA)
• Calling-Station-Id (IETF attribute #31 which contains the host MAC address)
• IPv6 Attributes, which can be one of the following:
• Framed-IPv6-Prefix (IETF attribute #97) and Framed-Interface-Id (IETF attribute #96), which
together create a full IPv6 address per RFC 3162
• Framed-IPv6-Address
Unless all session identification attributes included in the CoA message match the session, the switch returns
a Disconnect-NAK or CoA-NAK with the “Invalid Attribute Value” error-code attribute.
If more than one session identification attribute is included in the message, all the attributes must match the
session or the switch returns a Disconnect- negative acknowledgment (NAK) or CoA-NAK with the error
code “Invalid Attribute Value.”
The packet format for a CoA Request code as defined in RFC 5176 consists of the fields: Code, Identifier,
Length, Authenticator, and Attributes in Type:Length:Value (TLV) format.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
899
Information About RADIUS Change-of-Authorization
Session Identification
For disconnect and CoA requests targeted at a particular session, the device locates the session based on one
or more of the following attributes:
• Acct-Session-Id (IETF attribute #44)
• Audit-Session-Id (Cisco VSA)
• Calling-Station-Id (IETF attribute #31, which contains the host MAC address)
• IPv6 Attributes, which can be one of the following:
• Framed-IPv6-Prefix (IETF attribute #97) and Framed-Interface-Id (IETF attribute #96), which
together create a full IPv6 address per RFC 3162
• Framed-IPv6-Address
If more than one session identification attribute is included in the message, all of the attributes must match
the session or the device returns a Disconnect-NAK or CoA-NAK with the error code “Invalid Attribute
Value.”
For CoA requests targeted at a particular enforcement policy, the device returns a CoA-NAK with the error
code “Invalid Attribute Value” if any of the above session identification attributes are included in the message.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
900
Information About RADIUS Change-of-Authorization
Session Reauthentication
The AAA server typically generates a session reauthentication request when a host with an unknown identity
or posture joins the network and is associated with a restricted access authorization profile (such as a guest
VLAN). A reauthentication request allows the host to be placed in the appropriate authorization group when
its credentials are known.
To initiate session authentication, the AAA server sends a standard CoA-Request message which contains a
Cisco VSA in this form: Cisco:Avpair=“subscriber:command=reauthenticate” and one or more session
identification attributes.
The current session state determines the switch response to the message. If the session is currently authenticated
by IEEE 802.1x, the switch responds by sending an EAPoL (Extensible Authentication Protocol over Lan)
-RequestId message to the server.
If the session is currently authenticated by MAC authentication bypass (MAB), the switch sends an
access-request to the server, passing the same identity attributes used for the initial successful authentication.
If session authentication is in progress when the switch receives the command, the switch terminates the
process, and restarts the authentication sequence, starting with the method configured to be attempted first.
If the session is not yet authorized, or is authorized via guest VLAN, or critical VLAN, or similar policies,
the reauthentication message restarts the access control methods, beginning with the method configured to
be attempted first. The current authorization of the session is maintained until the reauthentication leads to a
different authorization result.
Session Termination
There are three types of CoA requests that can trigger session termination. A CoA Disconnect-Request
terminates the session, without disabling the host port. This command causes re-initialization of the authenticator
state machine for the specified host, but does not restrict that host access to the network.
To restrict a host’s access to the network, use a CoA Request with the
Cisco:Avpair="subscriber:command=disable-host-port" VSA. This command is useful when a host is known
to be causing problems on the network, and you need to immediately block network access for the host. When
you want to restore network access on the port, re-enable it using a non-RADIUS mechanism.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
901
Information About RADIUS Change-of-Authorization
When a device with no supplicant, such as a printer, needs to acquire a new IP address (for example, after a
VLAN change), terminate the session on the host port with port-bounce (temporarily disable and then re-enable
the port).
Session Identification
For disconnect and CoA requests targeted at a particular session, the device locates the session based on one
or more of the following attributes:
• Acct-Session-Id (IETF attribute #44)
• Audit-Session-Id (Cisco VSA)
• Calling-Station-Id (IETF attribute #31, which contains the host MAC address)
• IPv6 Attributes, which can be one of the following:
• Framed-IPv6-Prefix (IETF attribute #97) and Framed-Interface-Id (IETF attribute #96), which
together create a full IPv6 address per RFC 3162
• Framed-IPv6-Address
If more than one session identification attribute is included in the message, all of the attributes must match
the session or the device returns a Disconnect-NAK or CoA-NAK with the error code “Invalid Attribute
Value.”
For CoA requests targeted at a particular enforcement policy, the device returns a CoA-NAK with the error
code “Invalid Attribute Value” if any of the above session identification attributes are included in the message.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
902
Information About RADIUS Change-of-Authorization
Session Identification
For disconnect and CoA requests targeted at a particular session, the device locates the session based on one
or more of the following attributes:
• Acct-Session-Id (IETF attribute #44)
• Audit-Session-Id (Cisco VSA)
• Calling-Station-Id (IETF attribute #31, which contains the host MAC address)
• IPv6 Attributes, which can be one of the following:
• Framed-IPv6-Prefix (IETF attribute #97) and Framed-Interface-Id (IETF attribute #96), which
together create a full IPv6 address per RFC 3162
• Framed-IPv6-Address
If more than one session identification attribute is included in the message, all of the attributes must match
the session or the device returns a Disconnect-NAK or CoA-NAK with the error code “Invalid Attribute
Value.”
For CoA requests targeted at a particular enforcement policy, the device returns a CoA-NAK with the error
code “Invalid Attribute Value” if any of the above session identification attributes are included in the message.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
903
Information About RADIUS Change-of-Authorization
Because this command is session-oriented, it must be accompanied by one or more of the session identification
attributes described in the “Session Identification” section. If the session cannot be located, the switch returns
a CoA-NAK message with the “Session Context Not Found” error-code attribute. If the session is located, the
switch disables the hosting port and returns a CoA-ACK message.
If the switch fails before returning a CoA-ACK to the client, the process is repeated on the new active switch
when the request is re-sent from the client. If the switch fails after returning a CoA-ACK message to the client
but before the operation has completed, the operation is restarted on the new active switch.
Note A Disconnect-Request failure following command re-sending could be the result of either a successful
session termination before change-over (if the Disconnect-ACK was not sent) or a session termination by
other means (for example, a link failure) that occurred after the original command was issued and before
the standby switch became active.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
904
Information About RADIUS Change-of-Authorization
Session Identification
For disconnect and CoA requests targeted at a particular session, the device locates the session based on one
or more of the following attributes:
• Acct-Session-Id (IETF attribute #44)
• Audit-Session-Id (Cisco VSA)
• Calling-Station-Id (IETF attribute #31, which contains the host MAC address)
• IPv6 Attributes, which can be one of the following:
• Framed-IPv6-Prefix (IETF attribute #97) and Framed-Interface-Id (IETF attribute #96), which
together create a full IPv6 address per RFC 3162
• Framed-IPv6-Address
If more than one session identification attribute is included in the message, all of the attributes must match
the session or the device returns a Disconnect-NAK or CoA-NAK with the error code “Invalid Attribute
Value.”
For CoA requests targeted at a particular enforcement policy, the device returns a CoA-NAK with the error
code “Invalid Attribute Value” if any of the above session identification attributes are included in the message.
If the device fails before returning a CoA-ACK to the client, the process is repeated on the new active device
when the request is resent from the client. If the device fails after returning a CoA-ACK message to the client
but before the operation is complete, the operation is restarted on the new active device.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
905
Information About RADIUS Change-of-Authorization
The switch initiates a port-bounce (disables the port for 10 seconds, then re-enables it).
If the port-bounce is successful, the signal that triggered the port-bounce is removed from the standby stack
master.
If the stack master fails before the port-bounce completes, a port-bounce is initiated after stack master
change-over based on the original command (which is subsequently removed).
If the stack master fails before sending a CoA-ACK message, the new stack master treats the re-sent command
as a new command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
906
How to Configure RADIUS Change-of-Authorization
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# aaa new-model
Step 5 client {ip-address | name} [vrf vrfname] Enters dynamic authorization local server configuration
[server-key string] mode and specifies a RADIUS client from which a
device will accept CoA and disconnect requests.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
907
How to Configure RADIUS Change-of-Authorization
Step 7 port port-number Specifies the port on which a device listens for
RADIUS requests from configured RADIUS clients.
Example:
Switch(config-sg-radius)# port 25
Step 8 auth-type {any | all | session-key} Specifies the type of authorization the switch uses for
RADIUS clients.
Example: The client must match all the configured attributes for
Switch(config-sg-radius)# authorization.
auth-type any
Step 11 authentication command bounce-port (Optional) Configures the switch to ignore a CoA
ignore request to temporarily disable the port hosting a
session. The purpose of temporarily disabling the port
Example: is to trigger a DHCP renegotiation from the host when
a VLAN change occurs and there is no supplicant on
Switch(config-sg-radius)# the endpoint to detect the change.
authentication command bounce-port
ignore
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
908
Additional References for RADIUS Change-of-Authorization
Example:
Switch(config-sg-radius)# end
Example:
Switch# show running-config
Step 15 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
909
Feature Information for RADIUS Change-of-Authorization Support
Standard/RFC Title
RFC 5176 Dynamic Authorization Extensions to RADIUS
Technical Assistance
Description Link
The Cisco Support and Documentation website http://www.cisco.com/cisco/web/support/index.html
provides online resources to download documentation,
software, and tools. Use these resources to install and
configure the software and to troubleshoot and resolve
technical issues with Cisco products and technologies.
Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID
and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
910
Feature Information for RADIUS Change-of-Authorization Support
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
911
Feature Information for RADIUS Change-of-Authorization Support
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
912
CHAPTER 39
Configuring Kerberos
Kerberos is a secret-key network authentication protocol, developed at the Massachusetts Institute of
Technology (MIT), that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption
and authentication. Kerberos was designed to authenticate requests for network resources. Kerberos, like
other secret-key systems, is based on the concept of a trusted third party that performs secure verification of
users and services. In the Kerberos protocol, this trusted third party is called the key distribution center
(KDC).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
913
Information About Kerberos
• So that remote users can authenticate to network services, you must configure the hosts and the KDC
in the Kerberos realm to communicate and mutually authenticate users and network services. To do this,
you must identify them to each other. You add entries for the hosts to the Kerberos database on the KDC
and add KEYTAB files generated by the KDC to all hosts in the Kerberos realm. You also create entries
for the users in the KDC database.
• A Kerberos server can be a switch that is configured as a network security server and that can authenticate
users by using the Kerberos protocol.
When you add or create entries for the hosts and users, follow these guidelines:
• The Kerberos principal name must be in all lowercase characters.
• The Kerberos instance name must be in all lowercase characters.
• The Kerberos realm name must be in all uppercase characters.
Note In the Kerberos configuration examples, the trusted third party can be any switch that supports Kerberos,
that is configured as a network security server, and that can authenticate users by using the Kerberos
protocol.
Kerberos Overview
Kerberos is a secret-key network authentication protocol, which was developed at the Massachusetts Institute
of Technology (MIT). It uses the Data Encryption Standard (DES) cryptographic algorithm for encryption
and authentication and authenticates requests for network resources. Kerberos uses the concept of a trusted
third party to perform secure verification of users and services. This trusted third party is called the key
distribution center (KDC).
Kerberos verifies that users are who they claim to be and the network services that they use are what the
services claim to be. To do this, a KDC or trusted Kerberos server issues tickets to users. These tickets, which
have a limited life span, are stored in user credential caches. The Kerberos server uses the tickets instead of
user names and passwords to authenticate users and network services.
Note A Kerberos server can be any switch that is configured as a network security server and that can authenticate
users by using the Kerberos protocol.
The Kerberos credential scheme uses a process called single logon. This process authenticates a user once
and then allows secure authentication (without encrypting another password) wherever that user credential is
accepted.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
914
Information About Kerberos
This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to
use the same Kerberos authentication database on the KDC that they are already using on their other network
hosts (such as UNIX servers and PCs).
Kerberos supports these network services:
• Telnet
• rlogin
• rsh
Term Definition
Authentication A process by which a user or service identifies itself
to another service. For example, a client can
authenticate to a switch or a switch can authenticate
to another switch.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
915
Information About Kerberos
Term Definition
KDC9 Key distribution center that consists of a Kerberos
server and database program that is running on a
network host.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
916
Information About Kerberos
Kerberos Operation
A Kerberos server can be a switch that is configured as a network security server and that can authenticate
remote users by using the Kerberos protocol. Although you can customize Kerberos in a number of ways,
remote users attempting to access network services must pass through three layers of security before they can
access network services.
Kerberos Operation
A Kerberos server can be a switch that is configured as a network security server and that can authenticate
remote users by using the Kerberos protocol. Although you can customize Kerberos in a number of ways,
remote users attempting to access network services must pass through three layers of security before they can
access network services.
To authenticate to network services by using a switch as a Kerberos server, remote users must follow these
steps:
A remote user who initiates a un-Kerberized Telnet session and authenticates to a boundary switch is inside
the firewall, but the user must still authenticate directly to the KDC before getting access to the network
services. The user must authenticate to the KDC because the TGT that the KDC issues is stored on the switch
and cannot be used for additional authentication until the user logs on to the switch.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
917
Information About Kerberos
At this point, the user has a TGT and can communicate securely with the KDC. In turn, the TGT allows the
user to authenticate to other network services.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
918
How to Configure Kerberos
8 Host A attempts to decrypt the service credential with the user’s TGT. If Host A can decrypt the service
credential, it is assured the credential came from the real KDC.
9 Host A sends the service credential to the desired network service. Note that the credential is still encrypted
with the SRVTAB shared by the KDC and the network service.
10 The network service attempts to decrypt the service credential using its SRVTAB.
11 If the network service can decrypt the credential, it is assured the credential was in fact issued from the
KDC. Note that the network service trusts anything it can decrypt from the KDC, even if it receives it
indirectly from a user. This is because the user first authenticated with the KDC.
At this point, the user is authenticated to the network service on Host B. This process is repeated each time a
user wants to access a network service in the Kerberos realm.
Note All Kerberos command examples are based on Kerberos 5 Beta 5 of the original MIT implementation.
Later versions use a slightly different interface.
Procedure
Step 1 Use the su command to become root on the host running the KDC.
Step 2 Use the kdb5_edit program to configure the commands in the next steps.
Note The Kerberos realm name in the following steps must be in uppercase characters.
Step 3 Use the ank (add new key) command in privileged EXEC mode to add a user to the KDC. This command
prompts for a password that the user must enter to authenticate the router. For example:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
919
How to Configure Kerberos
Example:
Device # ank username@REALM
Step 4 Use the ank command to add a privileged instance of a user. For example:
Example
The following example adds the user loki to the Kerberos realm COMPANY.COM:
ank loki@COMPANY.COM
Privileged instances can be created to allow network administrators to connect to the router at the enable level
so that a clear text password is not used to avoid compromising security and to enter enabled modes. See the
Enabling Kerberos Instance Mapping, on page 924 for more information on mapping Kerberos instances to
various Cisco IOS privilege levels.
Procedure
Step 1 Use the ark (add random key) command to add a network service supported by a host or device to the KDC.
For example:
Example:
Device# ark
SERVICE/HOSTNAME@REALM
Step 2 Use the kdb5_edit command xst to write an SRVTAB entry to a file. For example:
Example:
Device# xst
device-name host
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
920
How to Configure Kerberos
Example
The following example shows how to add a Kerberized authentication service for a device called device1 to
the Kerberos realm COMPANY.COM:
ark host/device1.company.com@COMPANY.COM
The following example shows how to write an entry for all network services on all Kerberized hosts that use
this KDC for authentication to a file:
Procedure
Step 3 Device(config)# kerberos realm (Optional) Maps a host name or DNS domain to
{dns-domain | host } kerberos-realm a Kerberos realm.
What to Do Next
Note Because the machine running the KDC and all Kerberized hosts must interact within a 5-minute window
or authentication fails, all Kerberized machines, and especially the KDC, should be running the Network
Time Protocol (NTP).
The kerberos local-realm, kerberos realm, and kerberos server commands are equivalent to the UNIX
krb.conf file. The table below identifies mappings from the Cisco IOS configuration commands to a Kerberos
5 configuration file (krb5.conf).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
921
How to Configure Kerberos
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
922
How to Configure Kerberos
You can optionally configure the device to forward users’ TGTs with them as they authenticate from the
device to Kerberized remote hosts on the network when using Kerberized Telnet, rcp, rsh, and rlogin (with
the appropriate flags).
To force all clients to forward users’ credentials as they connect to other hosts in the Kerberos realm, use the
following command in global configuration mode:
Command Purpose
Forces all clients to forward user credentials upon
Device(config)# kerberos credentials forward successful Kerberos authentication.
With credentials forwarding enabled, users’ TGTs are automatically forwarded to the next host they authenticate
to. In this way, users can connect to multiple hosts in the Kerberos realm without running the KINIT program
each time to get a new TGT.
Command Purpose
Sets login authentication to use the Kerberos 5 Telnet
Device(config)# aaa authentication login authentication protocol when using Telnet to connect
{default | list-name
to the device.
} krb5_telnet
Although Telnet sessions to the device are authenticated, users must still enter a clear text password if they
want to enter enable mode. The kerberos instance map command, discussed in a later section, allows them
to authenticate to the device at a predefined privilege level.
Note This feature is available only if you have the 56-bit encryption image. 56-bit DES encryption is subject
to U.S. Government export control regulations.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
923
How to Configure Kerberos
To establish an encrypted Kerberized Telnet session from a device to a remote host, use either of the following
commands in EXEC command mode:
Command Purpose
Establishes an encrypted Telnet session.
Device(config)# connect host
[port
] /encrypt kerberos
or
Device(config)# telnet host
[port
] /encrypt kerberos
When a user opens a Telnet session from a device to a remote host, the device and remote host negotiate to
authenticate the user using Kerberos credentials. If this authentication is successful, the device and remote
host then negotiate whether or not to use encryption. If this negotiation is successful, both inbound and
outbound traffic is encrypted using 56-bit DES encryption with 64-bit CFB.
When a user dials in from a remote host to a device configured for Kerberos authentication, the host and
device will attempt to negotiate whether or not to use encryption for the Telnet session. If this negotiation is
successful, the device will encrypt all outbound data during the Telnet session.
If encryption is not successfully negotiated, the session will be terminated and the user will receive a message
stating that the encrypted Telnet session was not successfully established.
Command Purpose
Sets Telnet, rlogin, rsh, and rcp to fail if they cannot
Device(config)# kerberos clients mandatory negotiate the Kerberos protocol with the remote
server.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
924
Configuration Examples for Kerberos
To map a Kerberos instance to a Cisco IOS privilege level, use the following command in global configuration
mode:
Command Purpose
Maps a Kerberos instance to a Cisco IOS privilege
Device(config)# kerberos instance map level.
instance
privilege-level
If there is a Kerberos instance for user loki in the KDC database (for example, loki/admin ), user loki can now
open a Telnet session to the device as loki/admin and authenticate automatically at privilege level 15, assuming
instance “admin” is mapped to privilege level 15.
Cisco IOS commands can be set to various privilege levels using the privilege levelcommand.
After you map a Kerberos instance to a Cisco IOS privilege level, you must configure the device to check for
Kerberos instances each time a user logs in. To run authorization to determine if a user is allowed to run an
EXEC shell based on a mapped Kerberos instance, use the aaa authorization command with the krb5-instance
keyword. For more information, refer to the chapter “Configuring Authorization.”
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
925
Configuration Examples for Kerberos
chet-ss20# sbin/kdb5_edit
kdb5_edit: ank chet
Enter password:
Re-enter password for verification:
kdb5_edit: ank chet/admin
Enter password:
Re-enter password for verification:
kdb5_edit: ank chet/restricted
Enter password:
Re-enter password for verification:
kdb5_edit: ark host/chet-ss20.cisco.com
kdb5_edit: ark host/chet-2500.cisco.com
kdb5_edit: xst chet-ss20.cisco.com host
'host/chet-ss20.cisco.com@CISCO.COM' added to keytab 'WRFILE:chet-ss20.cisco.com-new-srvtab'
kdb5_edit: xst chet-2500.cisco.com host
'host/chet-2500.cisco.com@CISCO.COM' added to keytab 'WRFILE:chet-2500.cisco.com-new-srvtab'
kdb5_edit: ldb
entry: host/chet-2500.cisco.com@CISCO.COM
entry: chet/restricted@CISCO.COM
entry: chet@CISCO.COM
entry: K/M@CISCO.COM
entry: host/chet-ss20.cisco.com@CISCO.COM
entry: krbtgt/CISCO.COM@CISCO.COM
entry: chet/admin@CISCO.COM
kdb5_edit: q
chet-ss20#
The following example shows output from a write term command, which displays the configuration of device
chet-2500. This is a typical configuration with no Kerberos authentication.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
926
Configuration Examples for Kerberos
!
version 11.2
service udp-small-servers
service tcp-small-servers
!
hostname chet-2500
!
clock timezone PST -8
clock summer-time PDT recurring
aaa new-model
aaa authentication login console none
aaa authentication ppp local local
enable password sMudgKin
!
username chet-2500 password 7 sMudgkin
username chet-3000 password 7 sMudgkin
username chetin password 7 sMudgkin
!
interface Ethernet0
ip address 172.16.0.0 255.255.255.0
!
interface Serial0
no ip address
shutdown
no fair-queue
!
interface Serial1
no ip address
shutdown
no fair-queue
!
interface Async2
ip unnumbered Ethernet0
encapsulation ppp
shutdown
async dynamic routing
async mode dedicated
no cdp enable
ppp authentication pap local
no tarp propagate
!
interface Async3
ip unnumbered Ethernet0
encapsulation ppp
shutdown
async dynamic address
async dynamic routing
async mode dedicated
no cdp enable
ppp authentication pap local
no tarp propagate
!
router eigrp 109
network 172.17.0.0
no auto-summary
!
ip default-gateway 172.30.55.64
ip domain-name cisco.com
ip name-server 192.168.0.0
ip classless
!
!
line con 0
exec-timeout 0 0
login authentication console
line 1 16
transport input all
line aux 0
transport input all
line vty 0 4
password sMudgKin
!
ntp clock-period 17179703
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
927
Configuration Examples for Kerberos
Building configuration...
Current configuration:
!
! Last configuration change at 14:05:54 PDT Mon May 13 1996
!
version 11.2
service udp-small-servers
service tcp-small-servers
!
hostname chet-2500
!
clock timezone PST -8
clock summer-time PDT recurring
aaa new-model
aaa authentication login default krb5
aaa authentication login console none
aaa authentication ppp local local
enable password sMudgKin
!
username chet-2500 password 7 sMudgkin
username chet-3000 password 7 sMudgkin
username chetin password 7 sMudgkin
kerberos local-realm CISCO.COM
kerberos server CISCO.COM 172.71.54.14
kerberos credentials forward
!
interface Ethernet0
ip address 172.16.0.0 255.255.255.0
!
interface Serial0
no ip address
shutdown
no fair-queue
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
928
Configuration Examples for Kerberos
!
interface Serial1
no ip address
shutdown
no fair-queue
!
interface Async2
ip unnumbered Ethernet0
encapsulation ppp
shutdown
async dynamic routing
async mode dedicated
no cdp enable
ppp authentication pap local
no tarp propagate
!
interface Async3
ip unnumbered Ethernet0
encapsulation ppp
shutdown
async dynamic address
async dynamic routing
async mode dedicated
no cdp enable
ppp authentication pap local
no tarp propagate
!
router eigrp 109
network 172.17.0.0
no auto-summary
!
ip default-gateway 172.30.55.64
ip domain-name cisco.com
ip name-server 192.168.0.0
ip classless
!
!
line con 0
exec-timeout 0 0
login authentication console
line 1 16
transport input all
line aux 0
transport input all
line vty 0 4
password sMudgKin
!
ntp clock-period 17179703
ntp peer 172.19.10.0
ntp peer 172.19.0.0
end
With the device configured thus far, user chet can log in to the device with a username and password and
automatically obtain a TGT, as illustrated in the next example. With possession of a credential, user chet
successfully authenticates to host chet-ss20 without entering a username/password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
929
Configuration Examples for Kerberos
Note that the new configuration contains a kerberos srvtab entry line. This line is created by the kerberos
srvtab remotecommand.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
930
Configuration Examples for Kerberos
!
interface Async2
ip unnumbered Ethernet0
encapsulation ppp
shutdown
async dynamic routing
async mode dedicated
no cdp enable
ppp authentication pap local
no tarp propagate
!
interface Async3
ip unnumbered Ethernet0
encapsulation ppp
shutdown
async dynamic address
async dynamic routing
async mode dedicated
no cdp enable
ppp authentication pap local
no tarp propagate
!
router eigrp 109
network 172.17.0.0
no auto-summary
!
ip default-gateway 172.30.55.64
ip domain-name cisco.com
ip name-server 192.168.0.0
ip classless
!
!
line con 0
exec-timeout 0 0
login authentication console
line 1 16
transport input all
line aux 0
transport input all
line vty 0 4
password sMudgKin
!
ntp clock-period 17179703
ntp peer 172.19.10.0
ntp peer 172.19.0.0
end
chet-2500#
With this configuration, the user can Telnet in to the device using Kerberos credentials, as illustrated in the
next example:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
931
Configuration Examples for Kerberos
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
932
Configuration Examples for Kerberos
!
interface Async3
ip unnumbered Ethernet0
encapsulation ppp
shutdown
async dynamic address
async dynamic routing
async mode dedicated
no cdp enable
ppp authentication pap local
no tarp propagate
!
router eigrp 109
network 172.17.0.0
no auto-summary
!
ip default-gateway 172.30.55.64
ip classless
!
!
line con 0
exec-timeout 0 0
login authentication console
line 1 16
transport input all
line aux 0
transport input all
line vty 0 4
password sMudgKin
!
ntp clock-period 17179703
ntp peer 172.19.10.0
ntp peer 172.19.0.0
end
chet-2500#
The following example shows output from the three types of sessions now possible for user chet with Kerberos
instances turned on:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
933
Additional References
Device>
telnet host1 /encrypt kerberos
Additional References
Related Documents
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
934
Feature Information for Kerberos
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
935
Feature Information for Kerberos
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
936
CHAPTER 40
Configuring Accounting
The AAA Accounting feature allows the services that users are accessing and the amount of network resources
that users are consuming to be tracked. When AAA Accounting is enabled, the network access server reports
user activity to the TACACS+ or RADIUS security server (depending on which security method is
implemented) in the form of accounting records. Each accounting record contains accounting attribute-value
(AV) pairs and is stored on the security server. This data can then be analyzed for network management,
client billing, and auditing.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
937
Restrictions for Configuring Accounting
• Enable AAA on the network access server by using the aaa new-modelcommand in global configuration
mode.
• Define the characteristics of the RADIUS or TACACS+ security server if RADIUS or TACACS+
authorization is issued. For more information about configuring the Cisco network access server to
communicate with the RADIUS security server, see the Configuring RADIUS module. For more
information about configuring the Cisco network access server to communicate with the TACACS+
security server, see the Configuring TACACS+ module.
Note The Cisco IOS software attempts accounting with the next listed accounting method only when there is
no response from the previous method. If accounting fails at any point in this cycle--meaning that the
security server responds by denying the user access--the accounting process stops and no other accounting
methods are attempted.
Accounting method lists are specific to the type of accounting being requested. AAA supports seven different
types of accounting:
• Network --Provides information for all PPP, SLIP, or ARAP sessions, including packet and byte counts.
• EXEC --Provides information about user EXEC terminal sessions of the network access server.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
938
Information About Configuring Accounting
• Commands --Provides information about the EXEC mode commands that a user issues. Command
accounting generates accounting records for all EXEC mode commands, including global configuration
commands, associated with a specific privilege level.
• Connection --Provides information about all outbound connections made from the network access
server, such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD), and
rlogin.
• System --Provides information about system-level events.
• Resource --Provides “start” and “stop” records for calls that have passed user authentication, and provides
“stop” records for calls that fail to authenticate.
• VRRS --Provides information about Virtual Router Redundancy Service (VRRS).
Note System accounting does not use named accounting lists; only the default list for system accounting can
be defined.
Once again, when a named method list is created, a particular list of accounting methods for the indicated
accounting type are defined.
Accounting method lists must be applied to specific lines or interfaces before any of the defined methods are
performed. The only exception is the default method list (which is named “default”). If the aaa accounting
command for a particular accounting type is issued without specifying a named method list, the default method
list is automatically applied to all interfaces or lines except those that have a named method list explicitly
defined (A defined method list overrides the default method list). If no default method list is defined, then no
accounting takes place.
This section includes the following subsections:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
939
Information About Configuring Accounting
Note With CSCuc32663, passwords and accounting logs are masked before being sent to the TACACS+ or
RADIUS security servers. Use the aaa accounting commands visible-keys command to send unmasked
information to the TACACS+ or RADIUS security servers.
Note With CSCuc32663, passwords and accounting logs are masked before being sent to the TACACS+ or
RADIUS security servers. Use the aaa accounting commands visible-keys command to send unmasked
information to the TACACS+ or RADIUS security servers.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
940
Information About Configuring Accounting
Network Accounting
Network accounting provides information for all PPP, SLIP, or ARAP sessions, including packet and byte
counts.
The following example shows the information contained in a RADIUS network accounting record for a PPP
user who comes in through an EXEC session:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
941
Information About Configuring Accounting
Caller-ID = “408”
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Exec-User
Acct-Session-Id = “0000000D”
Acct-Delay-Time = 0
User-Id = “username1”
NAS-Identifier = “172.16.25.15”
The following example shows the information contained in a TACACS+ network accounting record for a
PPP user who first started an EXEC session:
Note The precise format of accounting packets records may vary depending on the security server daemon.
The following example shows the information contained in a RADIUS network accounting record for a PPP
user who comes in through autoselect:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
942
Information About Configuring Accounting
The following example shows the information contained in a TACACS+ network accounting record for a
PPP user who comes in through autoselect:
EXEC Accounting
EXEC accounting provides information about user EXEC terminal sessions (user shells) on the network access
server, including username, date, start and stop times, the access server IP address, and (for dial-in users) the
telephone number the call originated from.
The following example shows the information contained in a RADIUS EXEC accounting record for a dial-in
user:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
943
Information About Configuring Accounting
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Exec-User
Acct-Session-Id = “00000010”
Acct-Delay-Time = 0
User-Id = “username1”
NAS-Identifier = “172.16.25.15”
Command Accounting
Command accounting provides information about the EXEC shell commands for a specified privilege level
that are being executed on a network access server. Each command accounting record includes a list of the
commands executed for that privilege level, as well as the date and time each command was executed, and
the user who executed it.
The following example shows the information contained in a TACACS+ command accounting record for
privilege level 1:
Note The Cisco implementation of RADIUS does not support command accounting.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
944
Information About Configuring Accounting
Connection Accounting
Connection accounting provides information about all outbound connections made from the network access
server such as Telnet, LAT, TN3270, PAD, and rlogin.
The following example shows the information contained in a RADIUS connection accounting record for an
outbound Telnet connection:
The following example shows the information contained in a RADIUS connection accounting record for an
outbound rlogin connection:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
945
Information About Configuring Accounting
Acct-Authentic = RADIUS
Service-Type = Login
Acct-Session-Id = “0000000A”
Login-Service = Rlogin
Login-IP-Host = “10.68.202.158”
Acct-Delay-Time = 0
User-Id = “username1”
NAS-Identifier = “172.16.25.15”
System Accounting
System accounting provides information about all system-level events (for example, when the system reboots
or when accounting is turned on or off).
The following accounting record shows a typical TACACS+ system accounting record server indicating that
AAA Accounting has been turned off:
Wed Jun 27 03:55:32 2001 172.16.25.15 unknown unknown unknown start task_id=25
service=system event=sys_acct reason=reconfigure
Note The precise format of accounting packets records may vary depending on the TACACS+ daemon.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
946
Information About Configuring Accounting
The following accounting record shows a TACACS+ system accounting record indicating that AAA Accounting
has been turned on:
Wed Jun 27 03:55:22 2001 172.16.25.15 unknown unknown unknown stop task_id=23
service=system event=sys_acct reason=reconfigure
Additional tasks for measuring system resources are covered in the Cisco IOS software configuration guides.
For example, IP accounting tasks are described in the Configuring IP Services chapter in the CiscoIOS
Application Services Configuration Guide .
Resource Accounting
The Cisco implementation of AAA accounting provides “start” and “stop” record support for calls that have
passed user authentication. The additional feature of generating “stop” records for calls that fail to authenticate
as part of user authentication is also supported. Such records are necessary for users employing accounting
records to manage and monitor their networks.
This section includes the following subsections:
Figure 69: Modem Dial-In Call Setup Sequence With Normal Flow and Without Resource Failure Stop Accounting Enabled
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
947
Information About Configuring Accounting
The figure below illustrates a call setup sequence with normal call flow (no disconnect) and with AAA resource
failure stop accounting enabled.
Figure 70: Modem Dial-In Call Setup Sequence With Normal Flow and WIth Resource Failure Stop Accounting Enabled
The figure below illustrates a call setup sequence with call disconnect occurring before user authentication
and with AAA resource failure stop accounting enabled.
Figure 71: Modem Dial-In Call Setup Sequence With Call Disconnect Occurring Before User Authentication and With
Resource Failure Stop Accounting Enabled
The figure below illustrates a call setup sequence with call disconnect occurring before user authentication
and without AAA resource failure stop accounting enabled.
Figure 72: Modem Dial-In Call Setup Sequence With Call Disconnect Occurring Before User Authentication and Without
Resource Failure Stop Accounting Enabled
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
948
Information About Configuring Accounting
With this feature, a call setup and call disconnect “start-stop” accounting record tracks the progress of the
resource connection to the device. A separate user authentication “start-stop” accounting record tracks the user
management progress. These two sets of accounting records are interlinked by using a unique session ID for
the call.
The figure below illustrates a call setup sequence with AAA resource start-stop accounting enabled.
Figure 73: Modem Dial-In Call Setup Sequence With Resource Start-Stop Accounting Enabled
VRRS Accounting
Virtual Router Redundancy Service (VRRS) provides a multiclient information abstraction and management
service between a First Hop Redundancy Protocol (FHRP) and a registered client. The VRRS multiclient
service provides a consistent interface with FHRP protocols by abstracting over several FHRPs and providing
an idealized view of their state. VRRS manages data updates, allowing interested clients to register in one
place and receive updates for named FHRP groups or all registered FHRP groups.
Virtual Router Redundancy Protocol (VRRP) is an FHRP that acts as a server that pushes FHRP status
information out to all registered VRRS clients. Clients obtain status on essential information provided by the
FHRP, including current and previous redundancy states, active and inactive L3 and L2 addresses, and, in
some cases, information about other redundant gateways in the network. Clients can use this information to
provide stateless and stateful redundancy information to clients and protocols.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
949
Information About Configuring Accounting
Accounting messages for a VRRS transitioning out of master state are sent after all PPPoE accounting stop
messages for sessions that are part of that VRRS.
Note This command is supported only on Cisco AS5300 and Cisco AS5800 universal access server platforms.
The table below shows the SNMP user-end data objects that can be used to monitor and terminate authenticated
client connections with the AAA session MIB feature.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
950
Information About Configuring Accounting
IdleTime The elapsed time in seconds that the session has been
idle.
The table below describes the AAA summary information provided by the AAA session MIB feature using
SNMP on a per-system basis.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
951
How to Configure Accounting
Note System accounting does not use named method lists. For system accounting, define only the default method
list.
Procedure
Example:
Device# configure terminal
Step 3 aaa accounting {system | network | exec | Creates an accounting method list and enables
connection | commands level} {default | accounting. The argument list-name is a
list-name} {start-stop | stop-only | none} character string used to name the created list.
[method1 [method2...]]
Example:
Device(config)# aaa accounting system
default start-stop
Step 4 Do one of the following: Enters the line configuration mode for the lines
to which the accounting method list is applied.
• line [aux | console | tty | vty] line-number
[ending-line-number] or
• interface interface-type interface-number Enters the interface configuration mode for the
interfaces to which the accounting method list
is applied.
Example:
Device(config)# line aux line1
Step 5 Do one of the following: Applies the accounting method list to a line or
set of lines.
• accounting {arap | commands level |
connection | exec} {default | list-name} or
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
952
How to Configure Accounting
Example:
Device(config-line)# accounting arap
default
Procedure
Example:
Device# configure terminal
Example:
Device(config)# aaa new-model
Step 4 radius-server accounting system Enables the device to send a system accounting record
host-config for the addition and deletion of a RADIUS server.
Example:
Device(config)# radius-server
accounting system host-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
953
How to Configure Accounting
Step 6 server-private {host-name | ip-address} Enters the hostname or IP address of the RADIUS
key {[0 server-key | 7 server-key] server and hidden server key.
server-key
• (Optional) 0 with the server-keyargument specifies
that an unencrypted (cleartext) hidden server key
Example: follows.
Device(config-sg-radius)#
server-private 172.16.1.11 key • (Optional) 7 with the server-key argument
cisco specifies that an encrypted hidden server key
follows.
• The server-key argument specifies the hidden
server key. If the server-keyargument is
configured without the 0 or 7 preceding it, it is
unencrypted.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
954
How to Configure Accounting
prevent accounting records from being generated for sessions that do not have usernames associated with
them, use the following command in global configuration mode:
Command Purpose
Prevents accounting records from being generated
Device(config)# aaa accounting suppress for users whose username string is NULL.
null-username
Command Purpose
Enables periodic interim accounting records to be
Device(config)# aaa accounting update sent to the accounting server.
[newinfo] [periodic] number
When the aaa accounting updatecommandis activated, the Cisco IOS software issues interim accounting
records for all users on the system. If the keyword newinfo is used, interim accounting records are sent to the
accounting server every time there is new accounting information to report. An example of this would be
when IPCP completes IP address negotiation with the remote peer. The interim accounting record includes
the negotiated IP address used by the remote peer.
When used with the keyword periodic, interim accounting records are sent periodically as defined by the
number argument. The interim accounting record contains all of the accounting information recorded for that
user up to the time the interim accounting record is sent.
Caution Using the aaa accounting update periodic command can cause heavy congestion when many users are
logged in to the network.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
955
How to Configure Accounting
To specify that accounting stop records be generated for users who fail to authenticate at login or during
session negotiation, use the following command in global configuration mode:
Command Purpose
Generates “stop” records for users who fail to
Device(config)# aaa accounting send authenticate at login or during session negotiation
stop-record authentication failure
using PPP.
Command Purpose
Nests network accounting records.
Device(config)# aaa accounting nested
Command Purpose
Generates a “stop” record for any calls that do not
Device(config)# aaa accounting resource reach user authentication.
method-list stop-failure group server-group
Note Before configuring this feature, the tasks
described in the Prerequisites for
Configuring Accounting, on page 937 section
must be performed, and SNMP must be
enabled on the network access server.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
956
How to Configure Accounting
Command Purpose
Supports the ability to send a “start” record at each
Device(config)# aaa accounting resource call setup. followed with a corresponding “stop”
method-list start-stop group server-group
record at the call disconnect.
Note Before configuring this feature, the tasks
described in the Prerequisites for
Configuring Accounting, on page 937 section
must be performed, and SNMP must be
enabled on the network access server.
Command Purpose
Enables sending accounting records to multiple AAA
Device(config)# aaa accounting {system |
servers. Simultaneously sends accounting records to
network | exec | connection | commands level} the first server in each group. If the first server is
{default | list-name} {start-stop | stop-only |
unavailable, failover occurs using the backup servers
none} [broadcast] method1 [method2...]
defined within that group.
Command Purpose
Allows per-DNIS accounting configuration. This
Device(config)# aaa dnis map dnis-number command has precedence over the global aaa
accounting network [start-stop | stop-only |
accounting command.
none] [broadcast] method1 [method2...]
Enables sending accounting records to multiple AAA
servers. Simultaneously sends accounting records to
the first server in each group. If the first server is
unavailable, failover occurs using the backup servers
defined within that group.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
957
How to Configure Accounting
Note Overusing SNMP can affect the overall system performance; therefore, normal network management
performance must be considered when this feature is used.
To configure AAA session MIB, use the following command in global configuration mode
Procedure
Procedure
Example:
Device# configure terminal
Step 3 aaa accounting vrrs {default | list-name} Enables AAA accounting for VRRS.
start-stop method1 [method2...]
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
958
How to Configure Accounting
Example:
Device(config)# aaa accounting vrrs
default start-stop
Step 4 aaa attribute list list-name Defines a AAA attribute list locally on a
device, and enters attribute list configuration
Example: mode.
Step 5 attribute type name value [service service] Defines an attribute type that is to be added to
[protocol protocol][mandatory][tag tag-value] an attribute list locally on a device.
Example:
Device(config-attr-list)# attribute type
example 1
Step 8 accounting delay seconds (Optional) Specifies the delay time for sending
accounting-off messages to the VRRS.
Example:
Device(config-vrrs)# accounting delay
10
Example:
Device(config-vrrs)# accounting method
default
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
959
How to Configure Accounting
Command Purpose
The aaa accounting system guarantee-first
Device(config)# no aaa accounting system command guarantees system accounting as the first
guarantee-first
record, which is the default condition.
In some situations, users may be prevented from
starting a session on the console or terminal
connection until after the system reloads, which can
take more than three minutes. To resolve this problem,
the no aaa accounting system guarantee-first
command can be used.
Note Entering the no aaa accounting system guarantee-first command is not the only condition by which the
console or telnet session can be started. For example, if the privileged EXEC session is being authenticated
by TACACS and the TACACS server is not reachable, then the session cannot start.
Monitoring Accounting
No specific show command exists for either RADIUS or TACACS+ accounting. To obtain accounting records
displaying information about users currently logged in, use the following command in privileged EXEC mode:
Command Purpose
Allows display of the active accountable events on
Device# show accounting the network and helps collect information in the event
of a data loss on the accounting server.
Troubleshooting Accounting
To troubleshoot accounting information, use the following command in privileged EXEC mode:
Command Purpose
Displays information on accountable events as they
Device# debug aaa accounting occur.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
960
Configuration Examples for Accounting
aaa new-model
aaa authentication login admins local
aaa authentication ppp dialins group radius local
aaa authorization network blue1 group radius local
aaa accounting network red1 start-stop group radius group tacacs+
username root password ALongPassword
tacacs-server host 172.31.255.0
tacacs-server key goaway
radius-server host 172.16.2.7
radius-server key myRaDiUSpassWoRd
interface group-async 1
group-range 1 16
encapsulation ppp
ppp authentication chap dialins
ppp authorization blue1
ppp accounting red1
line 1 16
autoselect ppp
autoselect during-login
login authentication admins
modem dialin
The lines in this sample RADIUS AAA configuration are defined as follows:
• The aaa new-model command enables AAA network security services.
• The aaa authentication login admins local command defines a method list “admins”, for login
authentication.
• The aaa authentication ppp dialins group radius local command defines the authentication method
list “dialins”, which specifies that first RADIUS authentication and then (if the RADIUS server does not
respond) local authentication is used on serial lines using PPP.
• The aaa authorization network blue1 group radius local command defines the network authorization
method list named “blue1”, which specifies that RADIUS authorization is used on serial lines using PPP.
If the RADIUS server fails to respond, then local network authorization is performed.
• The aaa accounting network red1 start-stop group radius group tacacs+command defines the
network accounting method list named red1, which specifies that RADIUS accounting services (in this
case, start and stop records for specific events) are used on serial lines using PPP. If the RADIUS server
fails to respond, accounting services are handled by a TACACS+ server.
• The username command defines the username and password to be used for the PPP Password
Authentication Protocol (PAP) caller identification.
• The tacacs-server host command defines the name of the TACACS+ server host.
• The tacacs-server key command defines the shared secret text string between the network access server
and the TACACS+ server host.
• The radius-server host command defines the name of the RADIUS server host.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
961
Configuration Examples for Accounting
• The radius-server key command defines the shared secret text string between the network access server
and the RADIUS server host.
• The interface group-async command selects and defines an asynchronous interface group.
• The group-range command defines the member asynchronous interfaces in the interface group.
• The encapsulation ppp command sets PPP as the encapsulation method used on the specified interfaces.
• The ppp authentication chap dialinscommand selects Challenge Handshake Authentication Protocol
(CHAP) as the method of PPP authentication and applies the “dialins” method list to the specified
interfaces.
• The ppp authorization blue1command applies the blue1 network authorization method list to the
specified interfaces.
• The ppp accounting red1command applies the red1 network accounting method list to the specified
interfaces.
• The line command switches the configuration mode from global configuration to line configuration and
identifies the specific lines being configured.
• The autoselect ppp command configures the Cisco IOS software to allow a PPP session to start up
automatically on these selected lines.
• The autoselect during-login command is used to display the username and password prompt without
pressing the Return key. After the user logs in, the autoselect function (in this case, PPP) begins.
• The login authentication admins command applies the admins method list for login authentication.
• The modem dialin command configures modems attached to the selected lines to only accept incoming
calls.
The show accountingcommand yields the following output for the preceding configuration:
Field Description
Active Accounted actions on Terminal line or interface name user with which the
user logged in.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
962
Configuration Examples for Accounting
Field Description
attribute=value AV pairs associated with this accounting session.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
963
Additional References for Configuring Accounting
server 10.0.0.1
server 10.0.0.2
aaa group server tacacs+ isp_customer
server 172.0.0.1
aaa dnis map enable
aaa dnis map 7777 accounting network start-stop broadcast group isp group isp_customer
radius-server host 10.0.0.1
radius-server host 10.0.0.2
radius-server key key_1
tacacs-server host 172.0.0.1 key key_2
The broadcast keyword causes “start” and “stop” accounting records for network connection calls having
DNIS number 7777 to be sent simultaneously to server 10.0.0.1 in the group isp and to server 172.0.0.1 in
the group isp_customer. If server 10.0.0.1 is unavailable, failover to server 10.0.0.2 occurs. If server 172.0.0.1
is unavailable, no failover occurs because backup servers are not configured for the group isp_customer.
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
aaa session-mib disconnect
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
964
Feature Information for Configuring Accounting
RFCs
RFC Title
RFC 2903 Generic AAA Architecture
Technical Assistance
Description Link
The Cisco Support and Documentation website http://www.cisco.com/cisco/web/support/index.html
provides online resources to download documentation,
software, and tools. Use these resources to install and
configure the software and to troubleshoot and resolve
technical issues with Cisco products and technologies.
Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID
and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
965
Feature Information for Configuring Accounting
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
AAA Resource Accounting for Cisco IOS 15.2(1)E AAA resource accounting for start-stop
Start-Stop Records records supports the ability to send a
“start” record at each call setup,
followed by a corresponding “stop”
record at the call disconnect. This
functionality can be used to manage and
monitor wholesale customers from one
source of data reporting, such as
accounting records.
AAA Session MIB Cisco IOS 15.2(1)E The AAA session MIB feature allows
customers to monitor and terminate their
authenticated client connections using
SNMP. The data of the client is
presented so that it correlates directly
to the AAA Accounting information
reported by either the RADIUS or the
TACACS+ server.
AAA: IPv6 Accounting Delay Cisco IOS 15.2(1)E VRRS provides a multiclient
Enhancements information abstraction and
management service between a First
Hop Redundancy Protocol (FHRP) and
a registered client.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
966
CHAPTER 41
Configuring Local Authentication and
Authorization
• Finding Feature Information, page 967
• How to Configure Local Authentication and Authorization, page 967
• Monitoring Local Authentication and Authorization, page 969
• Additional References, page 970
• Feature Information for Local Authentication and Authorization, page 970
Note To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip
http authentication aaa global configuration command. Configuring AAA authentication does not secure
the switch for HTTP access by using AAA methods.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
967
How to Configure Local Authentication and Authorization
Follow these steps to configure AAA to operate without a server by setting the switch to implement AAA in
local mode:
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# aaa new-model
Step 4 aaa authentication login default local Sets the login authentication to use the local username
database. The default keyword applies the local user
Example: database authentication to all ports.
Step 5 aaa authorization exec local Configures user AAA authorization, check the local
database, and allow the user to run an EXEC shell.
Example:
Switch(config)# aaa authorization
exec local
Step 6 aaa authorization network local Configures user AAA authorization for all
network-related service requests.
Example:
Switch(config)# aaa authorization
network local
Step 7 username name [privilege level] Enters the local database, and establishes a
{password encryption-type password} username-based authentication system.
Repeat this command for each user.
Example:
• For name, specify the user ID as one word. Spaces
Switch(config)# username and quotation marks are not allowed.
your_user_name privilege 1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
968
Monitoring Local Authentication and Authorization
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
969
Additional References
Additional References
Error Message Decoder
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
970
CHAPTER 42
MAC Authentication Bypass
The MAC Authentication Bypass feature is a MAC-address-based authentication mechanism that allows
clients in a network to integrate with the Cisco Identity Based Networking Services (IBNS) and Network
Admission Control (NAC) strategy using the client MAC address. The MAC Authentication Bypass feature
is applicable to the following network environments:
• Network environments in which a supplicant code is not available for a given client platform.
• Network environments in which the end client configuration is not under administrative control, that
is, the IEEE 802.1X requests are not supported on these networks.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
971
Prerequisites for Configuring MAC Authentication Bypass
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
972
Information About MAC Authentication Bypass
• To enable MAB for an existing large database that uses formatted username attributes, the username
format in the client MAC needs to be configured. Use the mab request format attribute 1 command
to configure the username format.
• Some databases do not accept authentication if the username and password values are the same. In such
instances, the password needs to be configured to ensure that the password is different from the username.
Use the mab request format attribute 2 command to configure the password.
The Configurable MAB Username and Password feature allows interoperability between the Cisco IOS
Authentication Manager and the existing MAC databases and RADIUS servers. The password is a global
password and hence is the same for all MAB authentications and interfaces. This password is also synchronized
across all supervisor devices to achieve high availability.
If the password is not provided or configured, the password uses the same value as the username. The table
below describes the formatting of the username and the password:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
973
How to Configure MAC Authentication Bypass
Procedure
Example:
Device# configure terminal
Example:
Device(config)# interface Gigabitethernet
1/2/1
Example:
Device(config-if)# mab
Example:
Device(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
974
How to Configure MAC Authentication Bypass
Example:
Device# show authentication session
interface Gigabitethernet 1/2/1 details
Procedure
Example:
Device# configure terminal
Example:
Device(config)# interface Gigabitethernet
1/2/1
Example:
Device(config-if)# switchport
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
975
How to Configure MAC Authentication Bypass
Example:
Device(config-if)# mab
Example:
Device(config-if)# authentication periodic
Step 9 authentication timer reauthenticate {seconds Configures the time, in seconds, between
| server} reauthentication attempts.
Example:
Device(config-if)# authentication timer
reauthenticate 900
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
976
How to Configure MAC Authentication Bypass
Example:
Device# configure terminal
Example:
Device(config)# interface
Gigabitethernet 1/2/1
Example:
Device(config-if)# switchport
Step 6 authentication port-control auto Configures the authorization state of the port.
Example:
Device(config-if)# authentication
port-control auto
Example:
Device(config-if)# mab
Step 8 authentication violation {restrict | shutdown} Configures the action to be taken when a
security violation occurs on the port.
Example:
Device(config-if)# authentication
violation shutdown
Step 9 authentication timer restart seconds Configures the period of time, in seconds,
after which an attempt is made to authenticate
Example: an unauthorized port.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
977
How to Configure MAC Authentication Bypass
Procedure
Example:
Device# configure terminal
Step 3 mab request format attribute 1 groupsize {1 | 2 | Configures the username format for MAB
4 | 12} separator {- | : | .} [lowercase | uppercase] requests.
Example:
Device(config)# mab request format attribute
1 groupsize 2 separator :
Step 4 mab request format attribute 2 [0 | 7] password Configures a global password for all
MAB requests.
Example:
Device(config)# mab request format attribute
2 password1
Example:
Device(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
978
Configuration Examples for MAC Authentication Bypass
Device> enable
Device# configure terminal
Device(config)# interface GigabitEthernet2/1
Device(config-if)# mab
Device(config-if)# end
Device# show authentication sessions interface GigabitEthernet2/1 details
Device> enable
Device# configure terminal
Device(config)# mab request format attribute 1 groupsize 2 separator :
Device(config)# mab request format attribute 2 password1
Device(config)# end
Authentication commands
• Cisco IOS Security Command Reference:
Commands A to C
• Cisco IOS Security Command Reference:
Commands D to L
• Cisco IOS Security Command Reference:
Commands M to R
• Cisco IOS Security Command Reference:
Commands S to Z
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
979
Feature Information for MAC Authentication Bypass
MIBs
• CISCO-PAE-MIB http://www.cisco.com/go/mibs
• IEEE8021-PAE-MIB
RFCs
RFC Title
RFC 3580 IEEE 802.1x Remote Authentication Dial In User
Service (RADIUS)
Technical Assistance
Description Link
The Cisco Support and Documentation website http://www.cisco.com/cisco/web/support/index.html
provides online resources to download documentation,
software, and tools. Use these resources to install and
configure the software and to troubleshoot and resolve
technical issues with Cisco products and technologies.
Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID
and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
980
Feature Information for MAC Authentication Bypass
Configurable MAB Cisco IOS 15.2(1)E The Configurable MAB Username and Password
Username and Password feature enables you to configure MAC
Authentication Bypass (MAB) username format
and password to allow interoperability between
the Cisco IOS Authentication Manager and
existing MAC databases and RADIUS servers.
The following commands were introduced or
modified: mab request format attribute 1, mab
request format attribute 2.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
981
Feature Information for MAC Authentication Bypass
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
982
CHAPTER 43
Password Strength and Management for Common
Criteria
The Password Strength and Management for Common Criteria feature is used to specify password policies
and security mechanisms for storing, retrieving, and providing rules to specify user passwords.
For local users, the user profile and the password information with the key parameters are stored on the Cisco
device, and this profile is used for local authentication of users. The user can be an administrator (terminal
access) or a network user (for example, PPP users being authenticated for network access).
For remote users, where the user profile information is stored in a remote server, a third-party authentication,
authorization, and accounting (AAA) server may be used for providing AAA services, both for administrative
and network access.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
983
Restrictions for Password Strength and Management for Common Criteria
If the password's lifetime is not configured for a user and the user has already logged on and if the security
administrator configures the lifetime for that user, then the lifetime will be set in the database. When the same
user is authenticated the next time, the system will check for password expiry. The password expiry is checked
only during the authentication phase.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
984
How to Configure Password Strength and Management for Common Criteria
If the user has been already authenticated and logged on to the system and if the password expires, then no
action will be taken. The user will be prompted to change the password only during the next authentication
for the same user.
When the security administrator changes the password security policy and the existing profile does not meet
the password security policy rules, no action will be taken if the user has already logged on to the system.
The user will be prompted to change the password only when the user tries to get authenticated using the
profile that does not meet the password security restriction.
When the user changes the password, the lifetime parameters set by the security administrator for the old
profile will be the lifetime parameters for the new password.
For noninteractive clients such as dot1x, when the password expires, appropriate error messages will be sent
to the clients, and the clients must contact the security administrator to renew the password.
Note Users can change their passwords only when they are logging on and after the expiry of the old password;
however, a security administrator can change the user's password at any time.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
985
How to Configure Password Strength and Management for Common Criteria
Procedure
Example:
Device# configure terminal
Example:
Device(config)# aaa new-model
Step 4 aaa common-criteria policy policy-name Creates the AAA security password policy
and enters common criteria configuration
Example: policy mode.
Device(config)# aaa common-criteria
policy policy1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
986
How to Configure Password Strength and Management for Common Criteria
Example:
Device(config)# username user1
common-criteria-policy policy1 password
password1
Example:
Device(config)# end
Procedure
Step 1 enable
Enables privileged EXEC mode.
Example:
Device> enable
Example:
Device# show aaa common-criteria policy name policy1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
987
Configuration Examples for Password Strength and Management for Common Criteria
Minimum length: 1
Maximum length: 64
Upper Count: 20
Lower Count: 20
Numeric Count: 5
Special Count: 2
Number of character changes 4
Valid forever. User tied to this policy will not expire.
Example:
Device# show aaa common-criteria policy all
====================================================================
Policy name: policy1
Minimum length: 1
Maximum length: 64
Upper Count: 20
Lower Count: 20
Numeric Count: 5
Special Count: 2
Number of character changes 4
Valid forever. User tied to this policy will not expire.
====================================================================
Policy name: policy2
Minimum length: 1
Maximum length: 34
Upper Count: 10
Lower Count: 5
Numeric Count: 4
Special Count: 2
Number of character changes 2
Valid forever. User tied to this policy will not expire.
=====================================================================
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
988
Additional References for Password Strength and Management for Common Criteria
Related Documents
RFCs
RFC Title
RFC 2865 Remote Authentication Dial-in User Service
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/techsupport
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
989
Feature Information for Password Strength and Management for Common Criteria
Table 105: Feature Information for Password Strength and Management for Common Criteria
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
990
CHAPTER 44
AAA-SERVER-MIB Set Operation
The AAA-SERVER-MIB Set Operation feature allows the authentication, authorization, and accounting
(AAA) server configuration to be extended or expanded by using the CISCO-AAA-SERVER-MIB to create
and add new AAA servers, modify the “KEY” under the CISCO-AAA-SERVER-MIB, and delete the AAA
server configuration.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
991
Restrictions for AAA-SERVER-MIB Set Operation
CISCO-AAA-SERVER-MIB
The CISCO-AAA-SERVER-MIB provides that statistics reflect both the state of the AAA server operation
with the server itself and of AAA communications with external servers. The CISCO-AAA-SERVER-MIB
provides the following information:
• Statistics for each AAA operation
• Status of servers that are providing AAA functions
• Identities of external AAA servers
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
992
Configuration Examples for AAA-SERVER-MIB Set Operation
Procedure
Step 2 show running-config | include Displays all the RADIUS servers that are configured
radius-server host in the global configuration mode.
Example:
Device# show running-config |
include radius-server host
Step 3 show aaa servers Displays information about the number of requests
sent to and received from authentication,
Example: authorization, and accounting (AAA) servers.
Server Statistics
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
993
Configuration Examples for AAA-SERVER-MIB Set Operation
SNMP Get Operation to Check the Configuration and Statistics of the RADIUS Servers
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
994
Additional References for AAA-SERVER-MIB Set Operation
Related Documents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
995
Feature Information for AAA-SERVER-MIB Set Operation
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/cisco/web/support/index.html
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
996
CHAPTER 45
Configuring Secure Shell
The Secure Shell (SSH) feature is an application and a protocol that provides a secure replacement to the
Berkeley r-tools. The protocol secures sessions using standard cryptographic mechanisms, and the application
can be used similarly to the Berkeley rexec and rsh tools. Two versions of SSH are available: SSH Version
1 and SSH Version 2.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
997
Restrictions for Configuring Secure Shell
• Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.
• Because SCP relies on SSH for its secure transport, the router must have an Rivest, Shamir, and Adelman
(RSA) key pair.
• SCP relies on SSH for security.
• SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so
the router can determine whether the user has the correct privilege level.
• A user must have appropriate authorization to use SCP.
• A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System
(IFS) to and from a switch by using the copy command. An authorized administrator can also do this
from a workstation.
• The Secure Shell (SSH) server requires an IPsec (Data Encryption Standard [DES] or 3DES) encryption
software image; the SSH client requires an IPsec (DES or 3DES) encryption software image.)
• Configure a hostname and host domain for your device by using the hostname and ip domain-name
commands in global configuration mode.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
998
Information about SSH
Note The SSH client functionality is available only when the SSH server is enabled.
User authentication is performed like that in the Telnet session to the device. SSH also supports the following
user authentication methods:
• TACACS+
• RADIUS
• Local authentication and authorization
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
999
Information about SSH
Note When using SCP, you cannot enter the password into the copy command. You must enter the password
when prompted.
Note Enable the SCP option while using the pscp.exe file with the Cisco software.
Reverse Telnet
Reverse telnet allows you to telnet to a certain port range and connect to terminal or auxiliary lines. Reverse
telnet has often been used to connect a Cisco device that has many terminal lines to the consoles of other
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1000
How to Configure Secure Shell
Cisco devices. Telnet makes it easy to reach the device console from anywhere simply by telnet to the terminal
server on a specific line. This telnet approach can be used to configure a device even if all network connectivity
to that device is disconnected. Reverse telnet also allows modems that are attached to Cisco devices to be
used for dial-out (usually with a rotary device).
Reverse SSH
Reverse telnet can be accomplished using SSH. Unlike reverse telnet, SSH provides for secure connections.
The Reverse SSH Enhancements feature provides you with a simplified method of configuring SSH. Using
this feature, you no longer have to configure a separate line for every terminal or auxiliary line on which you
want to enable SSH. The previous method of configuring reverse SSH limited the number of ports that can
be accessed to 100. The Reverse SSH Enhancements feature removes the port number limitation.
Procedure
Example:
Switch# configure terminal
Step 3 hostname hostname Configures a hostname and IP domain name for your
Switch.
Example: Note Follow this procedure only if you are
Switch(config)# hostname configuring the Switch as an SSH server.
your_hostname
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1001
How to Configure Secure Shell
Example:
Switch(config)# ip domain-name
your_domain
Step 5 crypto key generate rsa Enables the SSH server for local and remote
authentication on the Switch and generates an RSA key
Example: pair. Generating an RSA key pair for the Switch
automatically enables SSH.
Switch(config)# crypto key
generate rsa We recommend that a minimum modulus size of 1024
bits.
When you generate RSA keys, you are prompted to
enter a modulus length. A longer modulus length might
be more secure, but it takes longer to generate and to
use.
Note Follow this procedure only if you are
configuring the Switch as an SSH server.
Step 6 end Returns to privileged EXEC mode.
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Note This procedure is only required if you are configuring the Switch as an SSH server.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1002
How to Configure Secure Shell
Procedure
Example:
Switch# configure terminal
Step 3 ip ssh version [1 | 2] (Optional) Configures the Switch to run SSH Version 1
or SSH Version 2.
Example: • 1—Configure the Switch to run SSH Version 1.
Switch(config)# ip ssh version 1
• 2—Configure the Switch to run SSH Version 2.
Step 5 Use one or both of the following: (Optional) Configures the virtual terminal line settings.
• line • Enters line configuration mode to configure the
vtyline_number[ending_line_number] virtual terminal line settings. For line_number and
ending_line_number, specify a pair of lines. The
• transport input ssh range is 0 to 15.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1003
How to Configure Secure Shell
or
Switch(config-line)# transport
input ssh
Example:
Switch(config-line)# end
Example:
Switch# show running-config
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1004
How to Configure Secure Shell
Troubleshooting Tips
• If your Secure Shell (SSH) configuration commands are rejected as illegal commands, you have not
successfully generated an Rivest, Shamir, and Adleman (RSA) key pair for your device. Make sure that
you have specified a hostname and domain. Then use the crypto key generate rsa command to generate
an RSA key pair and enable the SSH server.
• When configuring the RSA key pair, you might encounter the following error messages:
• No hostname specified.
You must configure a hostname for the device using the hostname global configuration command.
• No domain specified.
You must configure a host domain for the device using the ip domain-name global configuration
command.
• The number of allowable SSH connections is limited to the maximum number of vtys configured for
the device. Each SSH connection uses a vty resource.
• SSH uses either local security or the security protocol that is configured through AAA on your device
for user authentication. When configuring Authentication, Authorization, and Accounting ( AAA), you
must ensure that AAA is disabled on the console for user authentication. AAA authorization is disabled
on the console by default. If AAA authorization is enabled on the console, disable it by configuring the
no aaa authorization console command during the AAA configuration stage.
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1005
How to Configure Secure Shell
Example:
Device# configure terminal
Step 3 line line-number Identifies a line for configuration and enters line
ending-line-number configuration mode.
Example:
Device# line 1 3
Example:
Device(config-line)# no exec
Step 5 login authentication listname Defines a login authentication mechanism for the lines.
Note The authentication method must use a username
Example: and password.
Device(config-line)# login
authentication default
Step 6 transport input ssh Defines which protocols to use to connect to a specific
line of the device.
Example: • The ssh keyword must be used for the Reverse
Device(config-line)# transport SSH Enhancements feature.
input ssh
Example:
Device(config-line)# exit
Example:
Device(config)# exit
Step 9 ssh -l userid : {number} Specifies the user ID to use when logging in on the
{ip-address} remote networking device that is running the SSH server.
• userid --User ID.
Example:
• : --Signifies that a port number and terminal IP
Device# ssh -l lab:1
router.example.com address will follow the userid argument.
• number --Terminal or auxiliary line number.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1006
How to Configure Secure Shell
Procedure
Example:
Device# configure terminal
Step 3 line line-number Identifies a line for configuration and enters line
ending-line-number configuration mode.
Example:
Device# line 1 200
Example:
Device(config-line)# no exec
Step 5 login authentication listname Defines a login authentication mechanism for the lines.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1007
How to Configure Secure Shell
Device(config-line)# login
authentication default
Step 7 transport input ssh Defines which protocols to use to connect to a specific
line of the device.
Example: • The ssh keyword must be used for the Reverse
Device(config-line)# transport SSH Enhancements feature.
input ssh
Example:
Device(config-line)# exit
Example:
Device(config)# exit
Step 10 ssh -l userid :rotary {number} Specifies the user ID to use when logging in on the
{ip-address} remote networking device that is running the SSH
server.
Example: • userid --User ID.
Device# ssh -l lab:rotary1
router.example.com • : --Signifies that a port number and terminal IP
address will follow the userid argument.
• number --Terminal or auxiliary line number.
• ip-address --Terminal server IP address.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1008
How to Configure Secure Shell
Procedure
Step 2 debug ip ssh client Displays debugging messages for the SSH client.
Example:
Device# debug ip ssh client
Procedure
Step 2 debug ip ssh Displays debugging messages for the SSH server.
Example:
Device# debug ip ssh
Step 3 show ssh Displays the status of the SSH server connections.
Example:
Device# show ssh
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1009
How to Configure Secure Shell
Example:
Device# show line
Table 107: Commands for Displaying the SSH Server Configuration and Status
Command Purpose
show ip ssh Shows the version and configuration information for
the SSH server.
Procedure
Example:
Device# configure terminal
Example:
Device(config)# aaa new-model
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1010
How to Configure Secure Shell
Example:
Device(config)# aaa authentication login
default group tacacs+
Step 5 aaa authorization {network | exec | Sets parameters that restrict user access to a
commands level | reverse-access | network.
configuration} {default | list-name} [method1 Note The exec keyword runs authorization
[ method2... ]] to determine if the user is allowed to
run an EXEC shell; therefore, you
Example: must use the exec keyword when you
Device(config)# aaa authorization exec configure SCP.
default group tacacs+
Example:
Device(config)# ip scp server enable
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1011
Configuration Examples for Secure Shell
! AAA authentication and authorization must be configured properly in order for SCP to work.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username user1 privilege 15 password 0 lab
! SSH must be configured and functioning properly.
ip scp server enable
! AAA authentication and authorization must be configured properly for SCP to work.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
! SSH must be configured and functioning properly.
ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable
line 1 3
no exec
login authentication default
transport input ssh
Client Configuration
The following commands configured on the SSH client will form the reverse SSH session with lines 1, 2, and
3, respectively:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1012
Additional References for Secure Shell
line 1 200
no exec
login authentication default
rotary 1
transport input ssh
exit
The following command shows that reverse SSH will connect to the first free line in the rotary group:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1013
Feature Information for SSH
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Cisco IOS 15.2(5)E Note Starting with Cisco IOS 15.2(5)E, Secure
Shell Version 1 (SSHv1) is deprecated.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1014
Feature Information for SSH
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1015
Feature Information for SSH
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1016
CHAPTER 46
Secure Shell Version 2 Support
The Secure Shell Version 2 Support feature allows you to configure Secure Shell (SSH) Version 2. (SSH
Version 1 support was implemented in an earlier Cisco software release.) SSH runs on top of a reliable
transport layer and provides strong authentication and encryption capabilities. The only reliable transport
that is defined for SSH is TCP. SSH provides a means to securely access and securely execute commands
on another computer over a network. The Secure Copy Protocol (SCP) feature that is provided with SSH
allows for the secure transfer of files.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1017
Information About Secure Shell Version 2 Support
The configuration for the SSH Version 2 server is similar to the configuration for SSH Version 1. The ip ssh
version command defines the SSH version to be configured. If you do not configure this command, SSH by
default runs in compatibility mode; that is, both SSH Version 1 and SSH Version 2 connections are honored.
Note SSH Version 1 is a protocol that has never been defined in a standard. If you do not want your device to
fall back to the undefined protocol (Version 1), you should use the ip ssh version command and specify
Version 2.
The ip ssh rsa keypair-name command enables an SSH connection using the Rivest, Shamir, and Adleman
(RSA) keys that you have configured. Previously, SSH was linked to the first RSA keys that were generated
(that is, SSH was enabled when the first RSA key pair was generated). This behavior still exists, but by using
the ip ssh rsa keypair-name command, you can overcome this behavior. If you configure the ip ssh rsa
keypair-name command with a key pair name, SSH is enabled if the key pair exists or SSH will be enabled
if the key pair is generated later. If you use this command to enable SSH, you are not forced to configure a
hostname and a domain name, which was required in SSH Version 1 of the Cisco software.
Note The login banner is supported in SSH Version 2, but it is not supported in Secure Shell Version 1.
The Cisco SSH implementation has traditionally used 768-bit modulus, but with an increasing need for higher
key sizes to accommodate DH Group 14 (2048 bits) and Group 16 (4096 bits) cryptographic applications, a
message exchange between the client and the server to establish the favored DH group becomes necessary.
The ip ssh dh min size command configures the modulus size on the SSH server. In addition to this, the ssh
command was extended to add VRF awareness to the SSH client-side functionality through which the VRF
instance name in the client is provided with the IP address to look up the correct routing table and establish
a connection.
Debugging was enhanced by modifying SSH debug commands. The debug ip ssh command was extended
to simplify the debugging process. Before the simplification of the debugging process, this command printed
all debug messages related to SSH regardless of what was specifically required. The behavior still exists, but
if you configure the debug ip ssh command with a keyword, messages are limited to information specified
by the keyword.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1018
Information About Secure Shell Version 2 Support
User authentication—RSA-based user authentication uses a private/public key pair associated with each user
for authentication. The user must generate a private/public key pair on the client and configure a public key
on the Cisco SSH server to complete the authentication.
An SSH user trying to establish credentials provides an encrypted signature using the private key. The signature
and the user’s public key are sent to the SSH server for authentication. The SSH server computes a hash over
the public key provided by the user. The hash is used to determine if the server has a matching entry. If a
match is found, an RSA-based message verification is performed using the public key. Hence, the user is
authenticated or denied access based on the encrypted signature.
Server authentication—While establishing an SSH session, the Cisco SSH client authenticates the SSH server
by using the server host keys available during the key exchange phase. SSH server keys are used to identify
the SSH server. These keys are created at the time of enabling SSH and must be configured on the client.
For server authentication, the Cisco SSH client must assign a host key for each server. When the client tries
to establish an SSH session with a server, the client receives the signature of the server as part of the key
exchange message. If the strict host key checking flag is enabled on the client, the client checks if it has the
host key entry corresponding to the server. If a match is found, the client tries to validate the signature by
using the server host key. If the server is successfully authenticated, the session establishment continues;
otherwise, it is terminated and displays a “Server Authentication Failed” message.
Note Storing public keys on a server uses memory; therefore, the number of public keys configurable on an
SSH server is restricted to ten users, with a maximum of two public keys per user.
Note RSA-based user authentication is supported by the Cisco server, but Cisco clients cannot propose public
key as an authentication method. If the Cisco server receives a request from an open SSH client for
RSA-based authentication, the server accepts the authentication request.
Note For server authentication, configure the RSA public key of the server manually and configure the ip ssh
stricthostkeycheck command on the Cisco SSH client.
Note When you configure the snmp-server host command, the IP address must be the address of the PC that
has the SSH (telnet) client and that has IP connectivity to the SSH server.
You must also enable SNMP debugging using the debug snmp packet command to display the traps. The
trap information includes information such as the number of bytes sent and the protocol that was used for the
SSH session.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1019
How to Configure Secure Shell Version 2 Support
The following example shows that an SNMP trap is set. The trap notification is generated automatically when
the SSH session terminates. In the example, a.b.c.d is the IP address of the SSH client.
snmp-server
snmp-server host a.b.c.d public tty
The following is sample output from the debug snmp packet command. The output provides SNMP trap
information for an SSH session.
Switch# exit
Switch#
Configuring a Device for SSH Version 2 Using a Hostname and Domain Name
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1020
How to Configure Secure Shell Version 2 Support
Example:
Device# configure terminal
Example:
Device(config)# hostname cisco7200
Example:
cisco7200(config)# ip domain-name
example.com
Step 5 crypto key generate rsa Enables the SSH server for local and remote
authentication.
Example:
cisco7200(config)# crypto key generate
rsa
Example:
cisco7200(config)# ip ssh time-out 120
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1021
How to Configure Secure Shell Version 2 Support
Procedure
Example:
Device# configure terminal
Step 3 ip ssh rsa keypair-name keypair-name Specifies the RSA key pair to be used for SSH.
Note A Cisco device can have many RSA key
Example: pairs.
Device(config)# ip ssh rsa
keypair-name sshkeys
Step 4 crypto key generate rsa usage-keys label Enables the SSH server for local and remote
key-label modulus modulus-size authentication on the device.
• For SSH Version 2, the modulus size must
Example: be at least 768 bits.
Device(config)# crypto key generate
rsa usage-keys label sshkeys modulus Note To delete the RSA key pair, use the
768
crypto key zeroize rsa command. When
you delete the RSA key pair, you
automatically disable the SSH server.
Step 5 ip ssh [time-out seconds | Configures SSH control variables on your device.
authentication-retries integer]
Example:
Device(config)# ip ssh time-out 12
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1022
How to Configure Secure Shell Version 2 Support
Procedure
Example:
Device# configure terminal
Example:
Device(config)# hostname host1
Step 4 ip domain-name name Defines a default domain name that the Cisco software uses
to complete unqualified hostnames.
Example:
host1(config)# ip domain-name
name1
Example:
host1(config)# crypto key
generate rsa
Step 6 ip ssh pubkey-chain Configures SSH-RSA keys for user and server
authentication on the SSH server and enters public-key
Example: configuration mode.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1023
How to Configure Secure Shell Version 2 Support
Step 8 key-string Specifies the RSA public key of the remote peer and enters
public-key data configuration mode.
Example: Note You can obtain the public key value from an open
host1(conf-ssh-pubkey-user)# SSH client; that is, from the .ssh/id_rsa.pub file.
key-string
Step 9 key-hash key-type key-name (Optional) Specifies the SSH key type and version.
• The key type must be ssh-rsa for the configuration of
Example: private public key pairs.
host1(conf-ssh-pubkey-data)#
key-hash ssh-rsa key1 • This step is optional only if the key-string command
is configured.
• You must configure either the key-string command
or the key-hash command.
Configuring the Cisco IOS SSH Client to Perform RSA-Based Server Authentication
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1024
How to Configure Secure Shell Version 2 Support
Example:
Device# configure terminal
Example:
Device(config)# hostname host1
Step 4 ip domain-name name Defines a default domain name that the Cisco software
uses to complete unqualified hostnames.
Example:
host1(config)# ip domain-name
name1
Example:
host1(config)# crypto key
generate rsa
Step 6 ip ssh pubkey-chain Configures SSH-RSA keys for user and server
authentication on the SSH server and enters public-key
Example: configuration mode.
host1(config)# ip ssh
pubkey-chain
Step 7 server server-name Enables the SSH server for public-key authentication on
the device and enters public-key server configuration
Example: mode.
host1(conf-ssh-pubkey)# server
server1
Step 8 key-string Specifies the RSA public-key of the remote peer and
enters public key data configuration mode.
Example: Note You can obtain the public key value from an
host1(conf-ssh-pubkey-server)# open SSH client; that is, from the
key-string .ssh/id_rsa.pub file.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1025
How to Configure Secure Shell Version 2 Support
Step 10 key-hash key-type key-name (Optional) Specifies the SSH key type and version.
• The key type must be ssh-rsa for the configuration
Example: of private/public key pairs.
host1(conf-ssh-pubkey-server)#
key-hash ssh-rsa key1 • This step is optional only if the key-string
command is configured.
• You must configure either the key-string command
or the key-hash command.
Example:
host1# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1026
How to Configure Secure Shell Version 2 Support
Note The device with which you want to connect must support a Secure Shell (SSH) server that has an encryption
algorithm that is supported in Cisco software. Also, you need not enable your device. SSH can be run in
disabled mode.
Procedure
Example:
Device# ssh -v 2 -c aes256-ctr -m hmac-sha1-96 -l user2
10.76.82.24
Note The following task configures the server-side functionality for SCP. This task shows a typical configuration
that allows the device to securely copy files from a remote workstation.
Procedure
Example:
Device# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1027
How to Configure Secure Shell Version 2 Support
Example:
Device(config)# aaa new-model
Step 4 aaa authentication login default local Sets AAA authentication at login to use the local
username database for authentication.
Example:
Device(config)# aaa authentication
login default local
Step 5 aaa authorization exec defaultlocal Sets the parameters that restrict user access to a
network, runs the authorization to determine if the
Example: user ID is allowed to run an EXEC shell, and
specifies that the system must use the local database
Device(config)# aaa authorization for authorization.
exec default local
Step 7 ip ssh time-outseconds Sets the time interval (in seconds) that the device
waits for the SSH client to respond.
Example:
Device(config)# ip ssh time-out 120
Step 8 ip ssh authentication-retries integer Sets the number of authentication attempts after
which the interface is reset.
Example:
Device(config)# ip ssh
authentication-retries 3
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1028
How to Configure Secure Shell Version 2 Support
Procedure
Example:
Device# show ssh
Examples
The following sample output from the show ssh command displays status of various SSH Version 1 and
Version 2 connections for Version 1 and Version 2 connections:
-----------------------------------------------------------------------
Device# show ssh
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1029
How to Configure Secure Shell Version 2 Support
The following sample output from the show ssh command displays status of various SSH Version 1 and
Version 2 connections for a Version 2 connection with no Version 1 connection:
-------------------------------------------------------------------------
Device# show ssh
-------------------------------------------------------------------------
Device# show ssh
Procedure
Step 2 show ip ssh Displays the version and configuration data for SSH.
Example:
Device# show ip ssh
Examples
The following sample output from the show ip ssh command displays the version of SSH that is enabled, the
authentication timeout values, and the number of authentication retries for Version 1 and Version 2 connections:
-----------------------------------------------------------------------
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1030
How to Configure Secure Shell Version 2 Support
------------------------------------------------------------------------
Device# show ip ssh
------------------------------------------------------------------------
Device# show ip ssh
Procedure
Example:
Device# debug ip ssh
Step 3 debug snmp packet Enables debugging of every SNMP packet sent
or received by the device.
Example:
Device# debug snmp packet
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1031
How to Configure Secure Shell Version 2 Support
Example
The following sample output from the debug ip ssh command shows the connection is an SSH Version 2
connection:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1032
How to Configure Secure Shell Version 2 Support
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1033
Configuration Examples for Secure Shell Version 2 Support
snmp-server
snmp-server host a.b.c.d public tty
The following is sample output from the debug snmp packet command. The output provides SNMP trap
information for an SSH session.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1034
Configuration Examples for Secure Shell Version 2 Support
Device2# exit
Device1#
Password:
Password:
Password:
Password:
Password:
Password: cisco123
Last login: Tue Dec 6 13:15:21 2005 from 10.76.248.213
user1@courier:~> exit
logout
[Connection to 10.76.248.200 closed by foreign host]
Device1# debug ip ssh client
Password:
*Nov 17 12:50:53.199: SSH0: sent protocol version id SSH-1.99-Cisco-1.25
*Nov 17 12:50:53.199: SSH CLIENT0: protocol version id is - SSH-1.99-Cisco-1.25
*Nov 17 12:50:53.199: SSH CLIENT0: sent protocol version id SSH-1.99-Cisco-1.25
*Nov 17 12:50:53.199: SSH CLIENT0: protocol version exchange successful
*Nov 17 12:50:53.203: SSH0: protocol version id is - SSH-1.99-Cisco-1.25
*Nov 17 12:50:53.335: SSH CLIENT0: key exchange successful and encryption on
*Nov 17 12:50:53.335: SSH2 CLIENT 0: using method keyboard-interactive
Password:
Password:
Password:
*Nov 17 12:51:01.887: SSH2 CLIENT 0: using method password authentication
Password:
Password: lab
Device2>
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1035
Configuration Examples for Secure Shell Version 2 Support
Password:
Old Password: cisco
New Password: cisco123
Re-enter New password: cisco123
Device2> exit
Password: cisco
Your password has expired.
Enter a new one now.
New Password: cisco123
Re-enter New password: cisco123
Device2> exit
Password:cisco1
Your password has expired.
Enter a new one now.
New Password: cisco
Re-enter New password: cisco12
The New and Re-entered passwords have to be the same.
Try again.
New Password: cisco
Re-enter New password: cisco
Device2>
Example: Enabling ChPass and Expiring the Password After Three Logins
In the following example, the ChPass feature is enabled and TACACS+ ACS is used as the back-end AAA
server. The password expires after three logins using the SSH keyboard interactive authentication method.
Password: cisco
Device2> exit
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1036
Configuration Examples for Secure Shell Version 2 Support
Password: cisco
Device2> exit
Password: cisco
Device2> exit
Password: cisco
Your password has expired.
Enter a new one now.
New Password: cisco123
Re-enter New password: cisco123
Device2>
Device2# exit
Device1#
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1037
Additional References for Secure Shell Version 2 Support
The following is sample output from the debug ip ssh packet command. The output provides debugging
information about the SSH packet.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1038
Feature Information for Secure Shell Version 2 Support
Standards
Standards Title
IETF Secure Shell Version 2 Draft Standards Internet Engineering Task Force website
Technical Assistance
Description Link
The Cisco Support and Documentation website http://www.cisco.com/cisco/web/support/index.html
provides online resources to download documentation,
software, and tools. Use these resources to install and
configure the software and to troubleshoot and resolve
technical issues with Cisco products and technologies.
Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID
and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1039
Feature Information for Secure Shell Version 2 Support
Secure Shell Version 2 Cisco IOS XE Release The Secure Shell Version 2 Enhancements
Enhancements 3.4SG feature includes a number of additional
capabilities such as support for VRF-Aware
SSH, SSH debug enhancements, and DH
Group 14 and Group 16 exchange support.
This feature was supported on CAT2960,
CAT3560E, CAT3560X, CAT3750,
CAT3750E, CAT3750X, CAT4500.
Note The VRF-Aware SSH feature is
supported depending on your
release.
The following commands were introduced
or modified: debug ip ssh, and ip ssh dh
min size.
Secure Shell Version 2 Cisco IOS XE Release The Secure Shell Version 2 Enhancements
Enhancements for RSA Keys 3.4SG for RSA Keys feature includes a number of
additional capabilities to support RSA
key-based user authentication for SSH and
SSH server host key storage and
verification.
This feature was supported on CAT2960,
CAT3560E, CAT3560X, CAT3750,
CAT3750E, CAT3750X, CAT4500.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1040
Feature Information for Secure Shell Version 2 Support
SSH Keyboard Interactive Cisco IOS XE Release The SSH Keyboard Interactive
Authentication 3.4SG Authentication feature, also known as
Generic Message Authentication for SSH,
is a method that can be used to implement
different types of authentication
mechanisms. Basically, any currently
supported authentication method that
requires only user input can be performed
with this feature.
This feature was supported on CAT2960,
CAT3560E, CAT3560X, CAT3750,
CAT3750E, CAT3750X, CAT4500.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1041
Feature Information for Secure Shell Version 2 Support
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1042
CHAPTER 47
X.509v3 Certificates for SSH Authentication
The X.509v3 Certificates for SSH Authentication feature uses public key algorithm (PKI) for server and
user authentication, and allows the Secure Shell (SSH) protocol to verify the identity of the owner of a key
pair via digital certificates, signed and issued by a Certificate Authority (CA).
This module describes how to configure server and user certificate profiles for a digital certificate.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1043
Restrictions for X.509v3 Certificates for SSH Authentication
authenticate user command to remove the ip ssh server authenticate user command from the configuration.
The IOS secure shell (SSH) server will start using the ip ssh server algorithm authentication command.
When you configure the ip ssh server authenticate user command, the following message is displayed:
Warning SSH command accepted; but this CLI will be deprecated soon. Please move to new CLI ip ssh server
algorithm authentication. Please configure the “default ip ssh server authenticate user” to make the
CLI ineffective.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1044
How to Configure X.509v3 Certificates for SSH Authentication
Procedure
Example:
Switch# configure terminal
Step 3 ip ssh server algorithm hostkey Defines the order of host key algorithms. Only the
{x509v3-ssh-rsa [ssh-rsa] | ssh-rsa configured algorithm is negotiated with the Secure
[x509v3-ssh-rsa]} Shell (SSH) client.
Note The IOS SSH server must have at least
Example: one configured host key algorithm:
Switch(config)# ip ssh server algorithm • x509v3-ssh-rsa—certificate-based
hostkey x509v3-ssh-rsa
authentication
• ssh-rsa—public key-based
authentication
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1045
How to Configure X.509v3 Certificates for SSH Authentication
Step 6 trustpoint sign PKI-trustpoint-name Attaches the public key infrastructure (PKI)
trustpoint to the server certificate profile.
Example: • The SSH server uses the certificate associated
Switch(ssh-server-cert-profile-server)# with this PKI trustpoint for server
trustpoint sign trust1 authentication.
Switch(ssh-server-cert-profile-server)#
end
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1046
How to Configure X.509v3 Certificates for SSH Authentication
Example:
Switch# configure terminal
Step 3 ip ssh server algorithm authentication Defines the order of user authentication algorithms.
{publickey | keyboard | password} Only the configured algorithm is negotiated with the
Secure Shell (SSH) client.
Example: Note • The IOS SSH server must have at least
Switch(config)# ip ssh server one configured user authentication
algorithm authentication publickey algorithm.
• To use the certificate method for user
authentication, the publickey keyword
must be configured.
Step 4 ip ssh server algorithm publickey Defines the order of public key algorithms. Only the
{x509v3-ssh-rsa [ssh-rsa] | ssh-rsa configured algorithm is accepted by the SSH client
[x509v3-ssh-rsa]} for user authentication.
Note The IOS SSH client must have at least one
Example: configured public key algorithm:
Switch(config)# ip ssh server • x509v3-ssh-rsa—Certificate-based
algorithm publickey x509v3-ssh-rsa
authentication
• ssh-rsa—Public-key-based
authentication
Step 5 ip ssh server certificate profile Configures server certificate profile and user
certificate profile and enters SSH certificate profile
Example: configuration mode.
Step 7 trustpoint verify PKI-trustpoint-name Configures the public key infrastructure (PKI)
trustpoint that is used to verify the incoming user
Example: certificate.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1047
Verifying the Server and User Authentication Using Digital Certificates
Step 1 enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable
Example:
Device# show ip ssh
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1048
Configuration Examples for X.509v3 Certificates for SSH Authentication
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1049
Feature Information for X.509v3 Certificates for SSH Authentication
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1050
Feature Information for X.509v3 Certificates for SSH Authentication
Table 109: Feature Information for X509v3 Certificates for SSH Authentication
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1051
Feature Information for X.509v3 Certificates for SSH Authentication
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1052
CHAPTER 48
Configuring Secure Socket Layer HTTP
This feature provides Secure Socket Layer (SSL) version 3.0 support for the HTTP 1.1 server and HTTP
1.1 client within Cisco IOS software. SSL provides server authentication, encryption, and message integrity
to allow secure HTTP communications. SSL also provides HTTP client authentication. HTTP over SSL is
abbreviated as HTTPS.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1053
Information About Secure Socket Layer HTTP
switch from a Web browser. Cisco's implementation of the secure HTTP server and secure HTTP client uses
an implementation of SSL Version 3.0 with application-layer encryption. HTTP over SSL is abbreviated as
HTTPS; the URL of a secure connection begins with https:// instead of http://.
Note SSL evolved into Transport Layer Security (TLS) in 1999, but is still used in this particular context.
The primary role of the HTTP secure server (the switch) is to listen for HTTPS requests on a designated port
(the default HTTPS port is 443) and pass the request to the HTTP 1.1 Web server. The HTTP 1.1 server
processes requests and passes responses (pages) back to the HTTP secure server, which, in turn, responds to
the original request.
The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests
for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response
back to the application.
Note The certificate authorities and trustpoints must be configured on each device individually. Copying them
from other devices makes them invalid on the switch.
When a new certificate is enrolled, the new configuration change is not applied to the HTTPS server until
the server is restarted. You can restart the server using either the CLI or by physical reboot. On restarting
the server, the switch starts using the new certificate.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1054
Information About Secure Socket Layer HTTP
If a self-signed certificate has been generated, this information is included in the output of the show
running-config privileged EXEC command. This is a partial sample output from that command displaying
a self-signed certificate.
<output truncated>
<output truncated>
You can remove this self-signed certificate by disabling the secure HTTP server and entering the no crypto
pki trustpoint TP-self-signed-30890755072 global configuration command. If you later re-enable a secure
HTTP server, a new self-signed certificate is generated.
Note The values that follow TP self-signed depend on the serial number of the device.
You can use an optional command (ip http secure-client-auth) to allow the HTTPS server to request an
X.509v3 certificate from the client. Authenticating the client provides more security than server authentication
by itself.
For additional information on Certificate Authorities, see the “Configuring Certification Authority
Interoperability” chapter in the Cisco IOS Security Configuration Guide, Release 12.4.
CipherSuites
A CipherSuite specifies the encryption algorithm and the digest algorithm to use on a SSL connection. When
connecting to the HTTPS server, the client Web browser offers a list of supported CipherSuites, and the client
and server negotiate the best encryption algorithm to use from those on the list that are supported by both.
For example, Netscape Communicator 4.76 supports U.S. security with RSA Public Key Cryptography, MD2,
MD5, RC2-CBC, RC4, DES-CBC, and DES-EDE3-CBC.
For the best possible encryption, you should use a client browser that supports 128-bit encryption, such as
Microsoft Internet Explorer Version 5.5 (or later) or Netscape Communicator Version 4.76 (or later). The
SSL_RSA_WITH_DES_CBC_SHA CipherSuite provides less security than the other CipherSuites, as it does
not offer 128-bit encryption.
The more secure and more complex CipherSuites require slightly more processing time. This list defines the
CipherSuites supported by the switch and ranks them from fastest to slowest in terms of router processing
load (speed):
1 SSL_RSA_WITH_DES_CBC_SHA—RSA key exchange (RSA Public Key Cryptography) with DES-CBC
for message encryption and SHA for message digest
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1055
Information About Secure Socket Layer HTTP
2 SSL_RSA_WITH_NULL_SHA key exchange with NULL for message encryption and SHA for message
digest (only for SSL 3.0).
3 SSL_RSA_WITH_NULL_MD5 key exchange with NULL for message encryption and MD5 for message
digest (only for SSL 3.0).
4 SSL_RSA_WITH_RC4_128_MD5—RSA key exchange with RC4 128-bit encryption and MD5 for
message digest
5 SSL_RSA_WITH_RC4_128_SHA—RSA key exchange with RC4 128-bit encryption and SHA for
message digest
6 SSL_RSA_WITH_3DES_EDE_CBC_SHA—RSA key exchange with 3DES and DES-EDE3-CBC for
message encryption and SHA for message digest
7 SSL_RSA_WITH_AES_128_CBC_SHA—RSA key exchange with AES 128-bit encryption and SHA
for message digest (only for SSL 3.0).
8 SSL_RSA_WITH_AES_256_CBC_SHA—RSA key exchange with AES 256-bit encryption and SHA
for message digest (only for SSL 3.0).
9 SSL_RSA_WITH_DHE_AES_128_CBC_SHA—RSA key exchange with AES 128-bit encryption and
SHA for message digest (only for SSL 3.0).
10 SSL_RSA_WITH_DHE_AES_256_CBC_SHA—RSA key exchange with AES 256-bit encryption and
SHA for message digest (only for SSL 3.0).
Note The latest versions of Chrome do not support the four original cipher suites, thus disallowing access to
both web GUI and guest portals.
RSA (in conjunction with the specified encryption and digest algorithm combinations) is used for both key
generation and authentication on SSL connections. This usage is independent of whether or not a CA trustpoint
is configured.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1056
Information About Secure Socket Layer HTTP
https://209.165.129:1026
or
https://host.domain.com:1026
Procedure
or
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1057
Information About Secure Socket Layer HTTP
Step 4 ip http secure-port port-number (Optional) Specifies the port number to be used for the
HTTPS server. The default port number is 443. Valid
Example: options are 443 or any number in the range 1025 to 65535.
Switch(config)# ip http
secure-port 443
Step 7 ip http secure-trustpoint name Specifies the CA trustpoint to use to get an X.509v3 security
certificate and to authenticate the client certificate
Example: connection.
Switch(config)# ip http Note Use of this command assumes you have already
secure-trustpoint configured a CA trustpoint according to the
your_trustpoint previous procedure.
Step 8 ip http path path-name (Optional) Sets a base HTTP path for HTML files. The path
specifies the location of the HTTP server files on the local
Example: system (usually located in system flash memory).
Step 9 ip http access-class (Optional) Specifies an access list to use to allow access to
access-list-number the HTTP server.
Example:
Switch(config)# ip http
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1058
Information About Secure Socket Layer HTTP
Step 10 ip http max-connections value (Optional) Sets the maximum number of concurrent
connections that are allowed to the HTTP server. We
Example: recommend that the value be at least 10 and not less. This
is required for the UI to function as expected.
Switch(config)# ip http
max-connections 4
Step 11 ip http timeout-policy idle seconds (Optional) Specifies how long a connection to the HTTP
life seconds requests value server can remain open under the defined circumstances:
• idle—the maximum time period when no data is
Example: received or response data cannot be sent. The range
Switch(config)# ip http is 1 to 600 seconds. The default is 180 seconds (3
timeout-policy idle 120 life 240 minutes).
requests 1
• life—the maximum time period from the time that the
connection is established. The range is 1 to 86400
seconds (24 hours). The default is 180 seconds.
• requests—the maximum number of requests
processed on a persistent connection. The maximum
value is 86400. The default is 1.
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1059
Information About Secure Socket Layer HTTP
Procedure
Example:
Switch# configure terminal
Step 2 ip http client secure-trustpoint name (Optional) Specifies the CA trustpoint to be used if the
remote HTTP server requests client authentication. Using
Example: this command assumes that you have already configured
a CA trustpoint by using the previous procedure. The
Switch(config)# ip http client command is optional if client authentication is not needed
secure-trustpoint your_trustpoint
or if a primary trustpoint has been configured.
Example:
Switch(config)# end
Configuring a CA Trustpoint
For secure HTTP connections, we recommend that you configure an official CA trustpoint. A CA trustpoint
is more secure than a self-signed certificate.
Beginning in privileged EXEC mode, follow these steps to configure a CA Trustpoint:
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1060
Information About Secure Socket Layer HTTP
Switch(config)# hostname
your_hostname
Step 3 ip domain-name domain-name Specifies the IP domain name of the switch (required
only if you have not previously configured an IP
Example: domain name). The domain name is required for
security keys and certificates.
Switch(config)# ip domain-name
your_domain
Step 4 crypto key generate rsa (Optional) Generates an RSA key pair. RSA key pairs
are required before you can obtain a certificate for the
Example: switch. RSA key pairs are generated automatically.
You can use this command to regenerate the keys, if
Switch(config)# crypto key needed.
generate rsa
Step 5 crypto ca trustpoint name Specifies a local configuration name for the CA
trustpoint and enter CA trustpoint configuration mode.
Example:
Switch(config)# crypto ca
trustpoint your_trustpoint
Step 6 enrollment url url Specifies the URL to which the switch should send
certificate requests.
Example:
Switch(ca-trustpoint)# enrollment
url http://your_server:80
Step 7 enrollment http-proxy host-name (Optional) Configures the switch to obtain certificates
port-number from the CA through an HTTP proxy server.
• For host-name , specify the proxy server used to
Example: get the CA.
Switch(ca-trustpoint)# enrollment
http-proxy your_host 49 • For port-number, specify the port number used
to access the CA.
Step 8 crl query url Configures the switch to request a certificate revocation
list (CRL) to ensure that the certificate of the peer has
Example: not been revoked.
Switch(ca-trustpoint)# crl query
ldap://your_host:49
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1061
Monitoring Secure HTTP Server and Client Status
Step 11 crypto ca authentication name Authenticates the CA by getting the public key of the
CA. Use the same name used in Step 5.
Example:
Switch(config)# crypto ca
authentication your_trustpoint
Step 12 crypto ca enroll name Obtains the certificate from the specified CA trustpoint.
This command requests a signed certificate for each
Example: RSA key pair.
Example:
Switch(config)# end
Table 110: Commands for Displaying the SSL Secure Server and Client Status
Command Purpose
show ip http client secure status Shows the HTTP secure client configuration.
show ip http server secure status Shows the HTTP secure server configuration.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1062
Configuration Examples for Secure Socket Layer HTTP
In the following example, the CA trustpoint CA-trust-local is specified, and the HTTPS client is configured
to use this trustpoint for client authentication requests:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1063
Additional References for Secure Socket Layer HTTP
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1064
Glossary
Glossary
RSA—RSA is a widely used Internet encryption and authentication system that uses public and private keys
for encryption and decryption. The RSA algorithm was invented in 1978 by Ron Rivest, Adi Shamir, and
Leonard Adleman. The abbreviation RSA comes from the first letter of the last names of the three original
developers. The RSA algorithm is included in many applications, such as the web browsers from Microsoft
and Netscape. The RSA encryption system is owned by RSA Security.
SHA —The Secure Hash Algorithm. SHA was developed by NIST and is specified in the Secure Hash Standard
(SHS, FIPS 180). Often used as an alternative to Digest 5 algorithm.
signatures, digital —In the context of SSL, “signing” means to encrypt with a private key. In digital signing,
one-way hash functions are used as input for a signing algorithm. In RSA signing, a 36-byte structure of two
hashes (one SHA and one MD5) is signed (encrypted with the private key).
SSL 3.0 —Secure Socket Layer version 3.0. SSL is a security protocol that provides communications privacy
over the Internet. The protocol allows client and server applications to communicate in a way that is designed
to prevent eavesdropping, tampering, or message forgery. SSL uses a program layer located between the
Internet’s HTTP and TCP layers. SSL is included as part of most web server products and as part of most
Internet browsers. The SSL 3.0 specification can be found at http://home.netscape.com/eng/ssl3/.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1065
Glossary
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1066
CHAPTER 49
Certification Authority Interoperability
This chapter describes how to configure certification authority (CA) interoperability, which is provided in
support of the IPSec protocol. CA interoperability permits Cisco IOS devices and CAs to communicate so
that your Cisco IOS device can obtain and use digital certificates from the CA. Although IPSec can be
implemented in your network without the use of a CA, using a CA provides manageability and scalability
for IPSec.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1067
Restrictions for Certification Authority
CA Supported Standards
Without certification authority (CA) interoperability, Cisco IOS devices could not use CAs when deploying
IPSec. CAs provide a manageable, scalable solution for IPSec networks.
Cisco supports the following standards with this feature:
• IPSec—IPSec is a framework of open standards that provides data confidentiality, data integrity, and
data authentication between participating peers. IPSec provides these security services at the IP layer;
it uses Internet Key Exchange to handle negotiation of protocols and algorithms based on local policy,
and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect
one or more data flows between a pair of hosts, between a pair of security gateways, or between a security
gateway and a host.
• Internet Key Exchange (IKE)—A hybrid protocol that implements Oakley and Skeme key exchanges
inside the Internet Security Association Key Management Protocol (ISAKMP) framework. Although
IKE can be used with other protocols, its initial implementation is with the IPSec protocol. IKE provides
authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations.
• Public-Key Cryptography Standard #7 (PKCS #7)—A standard from RSA Data Security, Inc., used to
encrypt and sign certificate enrollment messages.
• Public-Key Cryptography Standard #10 (PKCS #10)—A standard syntax from RSA Data Security, Inc.
for certificate requests.
• RSA Keys—RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and
Leonard Adleman. RSA keys come in pairs: one public key and one private key.
• X.509v3 certificates—Certificate support that allows the IPSec-protected network to scale by providing
the equivalent of a digital ID card to each device. When two devices wish to communicate, they exchange
digital certificates to prove their identity (thus removing the need to manually exchange public keys
with each peer or to manually specify a shared key at each peer). These certificates are obtained from a
CA. X.509 is part of the X.500 standard of the ITU.
Purpose of CAs
Certificate authorities (CAs) are responsible for managing certificate requests and issuing certificates to
participating IPSec network devices. These services provide centralized key management for the participating
devices.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1068
Information About Certification Authority
CAs simplify the administration of IPSec network devices. You can use a CA with a network containing
multiple IPSec-compliant devices such as routers.
Digital signatures, enabled by public key cryptography, provide a means of digitally authenticating devices
and individual users. In public key cryptography, such as the RSA encryption system, each user has a key
pair containing both a public and a private key. The keys act as complements, and anything encrypted with
one of the keys can be decrypted with the other. In simple terms, a signature is formed when data is encrypted
with a user's private key. The receiver verifies the signature by decrypting the message with the sender's public
key. The fact that the message could be decrypted using the sender's public key indicates that the holder of
the private key, the sender, must have created the message. This process relies on the receiver's having a copy
of the sender's public key and knowing with a high degree of certainty that it really does belong to the sender
and not to someone pretending to be the sender.
Digital certificates provide the link. A digital certificate contains information to identify a user or device, such
as the name, serial number, company, department, or IP address. It also contains a copy of the entity's public
key. The certificate is itself signed by a certification authority (CA), a third party that is explicitly trusted by
the receiver to validate identities and to create digital certificates.
In order to validate the signature of the CA, the receiver must first know the CA's public key. Normally this
process is handled out-of-band or through an operation done at installation. For instance, most web browsers
are configured with the public keys of several CAs by default. The Internet Key Exchange (IKE), an essential
component of IPSec, can use digital signatures to scalably authenticate peer devices before setting up security
associations.
Without digital signatures, one must manually exchange either public keys or secrets between each pair of
devices that use IPSec to protect communications between them. Without certificates, every new device added
to the network requires a configuration change on every other device with which it communicates securely.
With digital certificates, each device is enrolled with a certification authority. When two devices wish to
communicate, they exchange certificates and digitally sign data to authenticate each other. When a new device
is added to the network, one simply enrolls that device with a CA, and none of the other devices needs
modification. When the new device attempts an IPSec connection, certificates are automatically exchanged
and the device can be authenticated.
In the above illustration, each device uses the key of the other device to authenticate the identity of the other
device; this authentication always occurs when IPsec traffic is exchanged between the two devices.
If you have multiple Cisco devices in a mesh topology and wish to exchange IPsec traffic passing among all
of those devices, you must first configure shared keys or RSA public keys among all of those devices.
Every time a new device is added to the IPsec network, you must configure keys between the new device and
each of the existing devices. (In Figure 34, four additional two-part key configurations would be required to
add a single encrypting device to the network.)
Consequently, the more devices there are that require IPsec services, the more involved the key administration
becomes. This approach does not scale well for larger, more complex encrypting networks.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1069
Information About Certification Authority
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1070
How to Configure Certification Authority
CAs can also revoke certificates for devices that will no longer participate in IPsec. Revoked certificates are
not recognized as valid by other IPsec devices. Revoked certificates are listed in a certificate revocation list
(CRL), which each peer may check before accepting a certificate from another peer.
Registration Authorities
Some CAs have a registration authority (RA) as part of their implementation. An RA is essentially a server
that acts as a proxy for the CA so that CA functions can continue when the CA is offline.
Some of the configuration tasks described in this document differ slightly, depending on whether your CA
supports an RA.
CRLs are normally stored at your device according to the following conditions:
• If your CA does not support an RA, only one CRL gets stored in the device.
• If your CA supports an RA, multiple CRLs can be stored in the device.
In some cases, storing these certificates and CRLs locally will not present any difficulty. In other cases,
memory might become a problem—particularly if the CA supports an RA and a large number of CRLs have
to be stored on the device. If the NVRAM is too small to store root certificates, only the fingerprint of the
root certificate is saved.
To save NVRAM space, specify that certificates and CRLs should not be stored locally, but should be retrieved
from the CA when needed. This alternative will save NVRAM space but could result in a slight performance
impact. To specify that certificates and CRLs should not be stored locally on your device, but should be
retrieved when required, enable query mode.
If you do not enable query mode now, you can do it later even if certificates and CRLs have are already stored
on the device. In this case, when you enable query mode, the stored certificates and CRLs are deleted from
the device after you save the configuration. (If you copy the configuration to a TFTP site prior to enabling
query mode, you can save any stored certificates and CRLs at the TFTP site.)
Before disabling query mode, perform the copy system:running-config nvram:startup-config command
to save all current certificates and CRLs to NVRAM. Otherwise they could be lost during a reboot.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1071
How to Configure Certification Authority
To specify that certificates and CRLs should not be stored locally on your device, but should be retrieved
when required, enable query mode by using the following command in global configuration mode:
Procedure
Procedure
Example:
Device# configure terminal
Example:
Device(config)# hostname device1
Example:
Device(config)# ip domain-name
domain.com
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1072
How to Configure Certification Authority
Procedure
Example:
Device# configure terminal
Step 3 crypto key generate rsa [usage-keys] Generates an RSA key pair.
• Use the usage-keys keyword to specify
Example: special-usage keys instead of general-purpose
Device(config)# crypto key generate
rsa usage-keys keys.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1073
How to Configure Certification Authority
Procedure
Example:
Device# configure terminal
Step 3 crypto ca trustpoint name Declares the certification authority (CA) that
your device should use and enters the CA profile
Example: enroll configuration mode.
Device(config)# crypto ca trustpoint
ka
Step 4 enrollment url url Specifies the URL of the CA server to which
enrollment requests are sent.
Example:
Device(ca-profile-enroll)# enrollment
url http://entrust:81
Step 5 enrollment command Specifies the HTTP command that is sent to the
CA for enrollment.
Example:
Device(ca-profile-enroll)# enrollment
command
Step 7 crypto pki trustpoint name Declares the trustpoint that your device should
use and enters Ca-trustpoint configuration mode.
Example:
Device(config)# crypto pki trustpoint
ka
Step 8 crl query ldap://url:[port] Queries the certificate revocation list (CRL) to
ensure that the certificate of the peer is not
Example: revoked.
Device(ca-trustpoint)# crl query
ldap://bar.cisco.com:3899
Step 9 enrollment {mode ra | retry count number Specifies the enrollment wait period between
| retry period minutes | url url} certificate request retries.
Example:
Device(ca-trustpoint)# enrollment retry
period 2
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1074
How to Configure Certification Authority
Example:
Device(ca-trustpoint)# revocation-check
crl ocsp
Procedure
Example:
Device# configure terminal
Step 3 crypto ca trustpoint name Declares the trustpoint that your device should
use and enters CA trustpoint configuration
Example: mode.
Device(config)# crypto ca trustpoint ka
Step 4 revocation-check method1 [method2 method3] Checks the revocation status of a certificate.
Example:
Device(ca-trustpoint)# revocation-check
ocsp
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1075
How to Configure Certification Authority
Step 6 enrollment http-proxy hostname port-number Accesses the certification authority (CA) by
HTTP through the proxy server.
Example:
Device(ca-trustpoint)# enrollment
http-proxy host2 8080
Authenticating the CA
The device must authenticate the certification authority (CA). It does this by obtaining the self-signed certificate
of the CA, which contains the public key of the CA. Because the certificate of the CA is self-signed (the CA
signs its own certificate) the public key of the CA should be manually authenticated by contacting the CA
administrator to compare the fingerprint of the CA certificate when you perform this step.
Perform the following task to get the public key of the CA:
Procedure
Example:
Device# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1076
How to Configure Certification Authority
Note If your device reboots after you have issued the crypto pki enroll command, but before you have received
the certificates, you must reissue the command and notify the CA administrator.
Procedure
Example:
Device# configure terminal
Step 3 crypto pki enroll number Obtains certificates for your device from the
CA.
Example:
Device(config)# crypto pki enroll
myca
What to Do Next
Saving Your Configuration
Always remember to save your work when you make configuration changes.
Use the copy system:running-config nvram:startup-config command to save your configuration. This
command includes saving RSA keys to private NVRAM. RSA keys are not saved with your configuration
when you use a copy system:running-config rcp: or copy system:running-config tftp: command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1077
Monitoring and Maintaining Certification Authority
Procedure
Example:
Device# configure terminal
Step 3 crypto pki crl request name Requests that a new certificate revocation list
(CRL) be obtained immediately from the CA.
Example:
Device(config)# crypto pki crl
request myca
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1078
Monitoring and Maintaining Certification Authority
If you would like CRL of the root certificate to be queried when the device reboots, you must enter the crl
query command.
Perform the following task to query the CRL published by the configured root with the LDAP URL:
Procedure
Example:
Device# configure terminal
Step 3 crypto pki trustpoint name Declares the trustpoint that your device should
use and enters CA trustpoint configuration mode.
Example:
Device(ca-trustpoint)# crypto pki
trustpoint mytp
Step 4 crl query ldap ://url : [port] Queries the CRL to ensure that the certificate of
the peer has not been revoked.
Example:
Device(ca-trustpoint)# crl query
ldap://url:[port]
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1079
Monitoring and Maintaining Certification Authority
Example:
Device# configure terminal
Step 3 crypto key zeroize rsa [key-pair-label] Deletes all Rivest, Shamir, and Adelman (RSA)
keys from your device.
Example:
Device(config)# crypto key zeroize
rsa
What to Do Next
After you delete RSA keys from the device, you should also complete the following two additional tasks:
• Ask the CA administrator to revoke the device certificates at the CA; you must supply the challenge
password that you created when you originally obtained the device certificates with the crypto pki
enroll command.
• Manually remove the device certificates from the device configuration.
Procedure
Example:
Device# configure terminal
Step 3 crypto key pubkey-chain rsa Enters public key chain configuration mode, so
that you can manually specify other devices’ RSA
Example: public keys.
Device(config)# crypto key
pubkey-chain rsa
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1080
Monitoring and Maintaining Certification Authority
Example:
Device(config-pubkey-c)# no named-key
otherpeer.example.com
Procedure
Step 2 show crypto pki certificates Displays information about your device
certificate, the certification authority (CA)
Example: certificate, and any registration authority (RA)
Device# show crypto pki certificates certificates.
Example:
Device# configure terminal
Step 4 crypto pki certificate chain name Enters certificate chain configuration mode.
Example:
Device(config)# crypto pki certificate
chain myca
Example:
Device(config-cert-chain)# no
certificate
0123456789ABCDEF0123456789ABCDEF
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1081
Monitoring and Maintaining Certification Authority
Example:
Device(config)# no crypto pki import MS
certificate
Procedure
Step 2 show crypto key mypubkey rsa [keyname] Displays the RSA public keys configured on
a device.
Example:
Device# show crypto key mypubkey rsa
[keyname]
Step 3 show crypto key pubkey-chain rsa Displays the RSA public keys of the peer that
are stored on a device.
Example:
Device# show crypto key pubkey-chain rsa
Step 4 show crypto key pubkey-chain rsa [name Displays the address of a specific key.
key-name | address key-address]
Example:
Device# show crypto key pubkey-chain rsa
address 209.165.202.129
Step 5 show crypto pki certificates Displays information about the device
certificate, the certification authority (CA)
Example: certificate, and any registration authority (RA)
Device# show crypto pki certificates certificates
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1082
Monitoring and Maintaining Certification Authority
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1083
Monitoring and Maintaining Certification Authority
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1084
CHAPTER 50
Access Control List Overview
Access lists filter network traffic by controlling the forwarding or blocking of routed packets at the interface
of a device. A device examines each packet to determine whether to forward or drop that packet, based on
the criteria specified in access lists.
The criteria that can be specified in an access list include the source address of the traffic, the destination
address of the traffic, and the upper-layer protocol.
Note Some users might successfully evade basic access lists because these lists require no authentication.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1085
Information About Access Control Lists
An access list may be configured, but it does not take effect until the access list is either applied to an interface,
a virtual terminal line (vty), or referenced by some command that accepts an access list. Multiple commands
can reference the same access list.
The following configuration example shows how to create an IP access list named branchoffices. The ACL
is applied to serial interface 0 on incoming packets. No sources other than those on the networks specified by
each source address and mask pair can access this interface. The destinations for packets coming from sources
on network 172.20.7.0 are unrestricted. The destination for packets coming from sources on network 172.29.2.0
must be 172.25.5.4.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1086
Information About Access Control Lists
An access list with more than 13 entries is processed using a trie-based lookup algorithm. This process will
happen automatically; it does not need to be configured.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1087
Information About Access Control Lists
Note
• An access list can control traffic arriving at a device or leaving a device, but not traffic originating at a
device.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1088
Information About Access Control Lists
• Organize your access list so that more specific references in a network or subnet appear before more
general ones.
• Use the statement permit any any if you want to allow all other packets not already denied. Using the
statement permit any any in effect avoids denying all other packets with the implicit deny statement at
the end of an access list. Do not make your first access list entry permit any any because all traffic will
get through; no packets will reach the subsequent testing. In fact, once you specify permit any any, all
traffic not already denied will get through.
• Although all access lists end with an implicit deny statement, we recommend use of an explicit deny
statement (for example, deny ip any any). On most platforms, you can display the count of packets
denied by issuing the show access-listcommand, thus finding out more information about who your
access list is disallowing. Only packets denied by explicit deny statements are counted, which is why
the explicit deny statement will yield more complete data for you.
• While you are creating an access list or after it is created, you might want to delete an entry.
• You cannot delete an entry from a numbered access list; trying to do so will delete the entire access
list. If you need to delete an entry, you need to delete the entire access list and start over.
• You can delete an entry from a named access list. Use the no permitor no deny command to delete
the appropriate entry.
• In order to make the purpose of individual statements more scannable and easily understood at a glance,
you can write a helpful remark before or after any statement by using the remark command.
• If you want to deny access to a particular host or network and find out if someone from that network or
host is attempting to gain access, include the log keyword with the corresponding deny statement so
that the packets denied from that source are logged for you.
• This hint applies to the placement of your access list. When trying to save resources, remember that an
inbound access list applies the filter conditions before the routing table lookup. An outbound access list
applies the filter conditions after the routing table lookup.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1089
Information About Access Control Lists
• IP options--Specifies IP options; one reason to filter on IP options is to prevent routers from being
saturated with spurious packets containing them.
If you do not supply a wildcard mask with a source or destination address in an access list statement, the
software assumes an implicit wildcard mask of 0.0.0.0, meaning all values must match.
Unlike subnet masks, which require contiguous bits indicating network and subnet to be ones, wildcard masks
allow noncontiguous bits in the mask.
The table below shows examples of IP addresses and masks from an access list, along with the corresponding
addresses that are considered a match.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1090
Information About Access Control Lists
Supported ACLs
The switch supports three types of ACLs to filter traffic:
• Port ACLs access-control traffic entering a Layer 2 interface. You can apply only one IP access list and
one MAC access list to a Layer 2 interface.
• Router ACLs access-control routed traffic between VLANs and are applied to Layer 3 interfaces in a
specific direction (inbound or outbound).
• VLAN ACLs or VLAN maps access-control all packets (bridged and routed). You can use VLAN maps
to filter traffic between devices in the same VLAN. VLAN maps are configured to provide access control
based on Layer 3 addresses for IPv4. Unsupported protocols are access-controlled through MAC addresses
using Ethernet ACEs. After a VLAN map is applied to a VLAN, all packets (routed or bridged) entering
the VLAN are checked against the VLAN map. Packets can either enter the VLAN through a switch
port or through a routed port after being routed.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1091
Information About Access Control Lists
ACL Precedence
When VLAN maps, Port ACLs, and router ACLs are configured on the same switch, the filtering precedence,
from greatest to least for ingress traffic is port ACL, VLAN map, and then router ACL. For egress traffic, the
filtering precedence is router ACL, VLAN map, and then port ACL.
The following examples describe simple use cases:
• When both an input port ACL and a VLAN map are applied, incoming packets received on ports with
a port ACL applied are filtered by the port ACL. Other packets are filtered by the VLAN map
• When an input router ACL and input port ACL exist in a switch virtual interface (SVI), incoming packets
received on ports to which a port ACL is applied are filtered by the port ACL. Incoming routed IP packets
received on other ports are filtered by the router ACL. Other packets are not filtered.
• When an output router ACL and input port ACL exist in an SVI, incoming packets received on the ports
to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by
the router ACL. Other packets are not filtered.
• When a VLAN map, input router ACL, and input port ACL exist in an SVI, incoming packets received
on the ports to which a port ACL is applied are only filtered by the port ACL. Incoming routed IP packets
received on other ports are filtered by both the VLAN map and the router ACL. Other packets are filtered
only by the VLAN map.
• When a VLAN map, output router ACL, and input port ACL exist in an SVI, incoming packets received
on the ports to which a port ACL is applied are only filtered by the port ACL. Outgoing routed IP packets
are filtered by both the VLAN map and the router ACL. Other packets are filtered only by the VLAN
map.
Port ACLs
Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on
physical interfaces and not on EtherChannel interfaces. Port ACLs can be applied to the interface only in
inbound direction. The following access lists are supported:
• Standard IP access lists using source addresses
• Extended IP access lists using source and destination addresses and optional protocol type information
• MAC extended access lists using source and destination MAC addresses and optional protocol type
information
The switch examines ACLs on an interface and permits or denies packet forwarding based on how the packet
matches the entries in the ACL. In this way, ACLs control access to a network or to part of a network.
This is an example of using port ACLs to control access to a network when all workstations are in the same
VLAN. ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network, but
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1092
Information About Access Control Lists
prevent Host B from accessing the same network. Port ACLs can only be applied to Layer 2 interfaces in the
inbound direction.
Figure 75: Using ACLs to Control Traffic in a Network
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port.
When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.
With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses.
You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and
a MAC access list to the interface.
Note You cannot apply more than one IP access list and one MAC access list to a Layer 2 interface. If an IP
access list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access
list or MAC access list to the interface, the new ACL replaces the previously configured one.
Router ACLs
You can apply router ACLs on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs; on
physical Layer 3 interfaces; and on Layer 3 EtherChannel interfaces. You apply router ACLs on interfaces
for specific directions (inbound or outbound). You can apply one router ACL in each direction on an interface.
The switch supports these access lists for IPv4 traffic:
• Standard IP access lists use source addresses for matching operations.
• Extended IP access lists use source and destination addresses and optional protocol type information
for matching operations.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1093
Information About Access Control Lists
As with port ACLs, the switch examines ACLs associated with features configured on a given interface. As
packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface
are examined. After packets are routed and before they are forwarded to the next hop, all ACLs associated
with outbound features configured on the egress interface are examined.
ACLs permit or deny packet forwarding based on how the packet matches the entries in the ACL, and can be
used to control access to a network or to part of a network.
Note In the first and second ACEs in the examples, the eq keyword after the destination address means to test
for the TCP-destination-port well-known numbers equaling Simple Mail Transfer Protocol (SMTP) and
Telnet, respectively.
• Packet A is a TCP packet from host 10.2.2.2., port 65000, going to host 10.1.1.1 on the SMTP port. If
this packet is fragmented, the first fragment matches the first ACE (a permit) as if it were a complete
packet because all Layer 4 information is present. The remaining fragments also match the first ACE,
even though they do not contain the SMTP port information, because the first ACE only checks Layer
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1094
Information About Access Control Lists
3 information when applied to fragments. The information in this example is that the packet is TCP and
that the destination is 10.1.1.1.
• Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet is
fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4
information is present. The remaining fragments in the packet do not match the second ACE because
they are missing Layer 4 information. Instead, they match the third ACE (a permit).
Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet B
is effectively denied. However, the later fragments that are permitted will consume bandwidth on the
network and resources of host 10.1.1.2 as it tries to reassemble the packet.
• Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this packet is
fragmented, the first fragment matches the fourth ACE (a deny). All other fragments also match the
fourth ACE because that ACE does not check any Layer 4 information and because Layer 3 information
in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit ACEs were checking
different hosts.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1095
Information About Access Control Lists
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1096
CHAPTER 51
Configuring IPv4 Access Control Lists
Access control lists (ACLs) perform packet filtering to control which packets move through the network
and where. Such control provides security by helping to limit network traffic, restrict the access of users and
devices to the network, and prevent traffic from leaving a network. IP access lists can reduce the chance of
spoofing and denial-of-service attacks and allow dynamic, temporary user access through a firewall.
IP access lists can also be used for purposes other than security, such as bandwidth control, restricting the
content of routing updates, redistributing routes, triggering dial-on-demand (DDR) calls, limiting debug
output, and identifying or classifying traffic for quality of service (QoS) features. This module provides an
overview of IP access lists.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1097
Prerequisites for Configuring IPv4 Access Control Lists
Note By default, the router sends Internet Control Message Protocol (ICMP) unreachable messages when a
packet is denied by an access group on a Layer 3 interface. These access-group denied packets are not
dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable
message. They do not generate ICMP unreachable messages. ICMP unreachable messages can be disabled
on router ACLs with the no ip unreachables interface command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1098
Information About Configuring IPv4 Access Control Lists
• A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2
interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
Note The mac access-group interface configuration command is only valid when applied to a physical Layer 2
interface. You cannot use the command on EtherChannel port channels.
ACL Overview
Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs filter
traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or
VLANs. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet
is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify
that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists.
One by one, it tests packets against the conditions in an access list. The first match decides whether the switch
accepts or rejects the packets. Because the switch stops testing after the first match, the order of conditions
in the list is critical. If no conditions match, the switch rejects the packet. If there are no restrictions, the switch
forwards the packet; otherwise, the switch drops the packet. The switch can use ACLs on all packets it forwards,
including packets bridged within a VLAN.
You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do
not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network.
You can use ACLs to control which hosts can access different parts of a network or to decide which types of
traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail traffic to be forwarded
but not Telnet traffic. ACLs can be configured to block inbound traffic, outbound traffic, or both.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1099
Information About Configuring IPv4 Access Control Lists
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1100
Information About Configuring IPv4 Access Control Lists
In addition to numbered standard and extended ACLs, you can also create standard and extended named IP
ACLs by using the supported numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of
an extended IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that
you can delete individual entries from a named list.
Note ICMP echo-reply cannot be filtered. All other ICMP codes or types can be filtered.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1101
Information About Configuring IPv4 Access Control Lists
Note The name you give to a standard or extended ACL can also be a number in the supported range of access
list numbers. That is, the name of a standard IP ACL can be 1 to 99 and . The advantage of using named
ACLs instead of numbered lists is that you can delete individual entries from a named list.
Benefits of Using the Named ACL Support for Noncontiguous Ports on an Access Control Entry Feature
The Named ACL Support for Noncontiguous Ports on an Access Control Entry feature allows you to specify
noncontiguous ports in a single access control entry, which greatly reduces the number of entries required in
an access control list when several entries have the same source address, destination address, and protocol,
but differ only in the ports.
This feature greatly reduces the number of access control entries (ACEs) required in an access control list to
handle multiple entries for the same source address, destination address, and protocol. If you maintain large
numbers of ACEs, use this feature to consolidate existing groups of access list entries wherever it is possible
and when you create new access list entries. When you configure access list entries with noncontiguous ports,
you will have fewer access list entries to maintain.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1102
Information About Configuring IPv4 Access Control Lists
after the desired position had to be removed, then the new entry was added, and then all the removed entries
had to be reentered. This method was cumbersome and error prone.
This feature allows users to add sequence numbers to access list entries and resequence them. When a user
adds a new entry, the user chooses the sequence number so that it is in a desired position in the access list. If
necessary, entries currently in the access list can be resequenced to create room to insert the new entry.
• If the user enters an entry without a sequence number, it is assigned a sequence number that is 10 greater
than the last sequence number in that access list and is placed at the end of the list.
• If the user enters an entry that matches an already existing entry (except for the sequence number), then
no changes are made.
• If the user enters a sequence number that is already present, the following error message is generated:
• If a new access list is entered from global configuration mode, then sequence numbers for that access
list are generated automatically.
• Distributed support is provided so that the sequence numbers of entries in the Route Processor (RP) and
line card are in synchronization at all times.
• Sequence numbers are not nvgened. That is, the sequence numbers themselves are not saved. In the
event that the system is reloaded, the configured sequence numbers revert to the default sequence starting
number and increment. The function is provided for backward compatibility with software releases that
do not support sequence numbering.
• This feature works with named and numbered, standard and extended IP access lists.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1103
Information About Configuring IPv4 Access Control Lists
The following is an example of a remark that describes function of the subsequent deny statement:
ip access-list extended telnetting
remark Do not allow host1 subnet to telnet out
deny tcp host 172.16.2.88 any eq telnet
For router ACLs, other factors can cause packets to be sent to the CPU:
• Using the log keyword
• Generating ICMP unreachable messages
When traffic flows are both logged and forwarded, forwarding is done by hardware, but logging must be done
by software. Because of the difference in packet handling capacity between hardware and software, if the sum
of all flows being logged (both permitted flows and denied flows) is of great enough bandwidth, not all of the
packets that are forwarded can be logged.
When you enter the show ip access-lists privileged EXEC command, the match count displayed does not
account for packets that are access controlled in hardware. Use the show platform acl counters hardware
privileged EXEC command to obtain some basic hardware ACL statistics for switched and routed packets.
Router ACLs function as follows:
• The hardware controls permit and deny actions of standard and extended ACLs (input and output) for
security access control.
• If log has not been specified, the flows that match a deny statement in a security ACL are dropped by
the hardware if ip unreachables is disabled. The flows matching a permit statement are switched in
hardware.
• Adding the log keyword to an ACE in a router ACL causes a copy of the packet to be sent to the CPU
for logging only. If the ACE is a permit statement, the packet is still switched and routed in hardware.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1104
Information About Configuring IPv4 Access Control Lists
• You can control logging messages. ACL entries can be set to log traffic only at certain times of the day.
Therefore, you can simply deny access without needing to analyze many logs generated during peak
hours.
Time-based access lists trigger CPU activity because the new configuration of the access list must be merged
with other features and the combined configuration loaded into the hardware memory. For this reason, you
should be careful not to have several access lists configured to take affect in close succession (within a small
number of minutes of each other.)
Note The time range relies on the switch system clock; therefore, you need a reliable clock source. We
recommend that you use Network Time Protocol (NTP) to synchronize the switch clock.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1105
Information About Configuring IPv4 Access Control Lists
Note Access lists that are applied to interfaces on a device do not filter traffic that originates from that device.
The figure above shows that Device 2 is a bypass device that is connected to Device 1 and Device 3. An
outbound access list is applied to Gigabit Ethernet interface 0/0/0 on Device 1. When you ping Device 3 from
Device 1, the access list does not check for packets going outbound because the traffic is locally generated.
The access list check is bypassed for locally generated packets, which are always outbound.
By default, an access list that is applied to an outbound interface for matching locally generated traffic will
bypass the outbound access list check; but transit traffic is subjected to the outbound access list check.
Note The behavior described above applies to all single-CPU platforms that run Cisco software.
ACL Logging
The switch software can provide logging messages about packets permitted or denied by a standard IP access
list. That is, any packet that matches the ACL causes an informational logging message about the packet to
be sent to the console. The level of messages logged to the console is controlled by the logging console
commands controlling the syslog messages.
Note Because routing is done in hardware and logging is done in software, if a large number of packets match
a permit or deny ACE containing a log keyword, the software might not be able to match the hardware
processing rate, and not all packets will be logged.
The first packet that triggers the ACL causes a logging message right away, and subsequent packets are
collected over 5-minute intervals before they appear or logged. The logging message includes the access list
number, whether the packet was permitted or denied, the source IP address of the packet, and the number of
packets from that source permitted or denied in the prior 5-minute interval.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1106
How to Configure ACLs
Note The logging facility might drop some logging message packets if there are too many to be handled or if
there is more than one logging message to be handled in 1 second. This behavior prevents the router from
crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing
tool or an accurate source of the number of matches to an access list.
Procedure
Procedure
Example:
Switch# configure terminal
Step 3 access-list access-list-number Defines a standard IPv4 access list by using a source address
{deny | permit} source and wildcard.
source-wildcard [log]
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1107
How to Configure ACLs
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 6 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1108
How to Configure ACLs
Procedure
Example:
Switch# configure terminal
Step 2 access-list access-list-number {deny Defines an extended IPv4 access list and the access conditions.
| permit} protocol source The access-list-number is a decimal number from 100 to 199
source-wildcard destination or 2000 to 2699.
destination-wildcard [precedence
precedence] [tos tos] [fragments] Enter deny or permit to specify whether to deny or permit the
[log [log-input] [time-range packet if conditions are matched.
time-range-name] [dscp dscp] For protocol, enter the name or number of an P protocol: ahp,
eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pcp,
Example: pim, tcp, or udp, or an integer in the range 0 to 255 representing
an IP protocol number. To match any Internet protocol (including
Switch(config)# access-list 101
permit ip host 10.1.1.2 any ICMP, TCP, and UDP), use the keyword ip.
precedence 0 tos 0 log
Note This step includes options for most IP protocols. For
additional specific parameters for TCP, UDP, ICMP,
and IGMP, see the following steps.
The source is the number of the network or host from which the
packet is sent.
The source-wildcard applies wildcard bits to the source.
The destination is the network or host number to which the
packet is sent.
The destination-wildcard applies wildcard bits to the destination.
Source, source-wildcard, destination, and destination-wildcard
can be specified as:
• The 32-bit quantity in dotted-decimal format.
• The keyword any for 0.0.0.0 255.255.255.255 (any host).
• The keyword host for a single host 0.0.0.0.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1109
How to Configure ACLs
Step 4 access-list access-list-number {deny (Optional) Defines an extended UDP access list and the access
| permit} udp source conditions.
source-wildcard [operator port] The UDP parameters are the same as those described for TCP
destination destination-wildcard except that the [operator [port]] port number or name must be
[operator port] [precedence a UDP port number or name, and the flag and established
precedence] [tos tos] [fragments] keywords are not valid for UDP.
[log [log-input] [time-range
time-range-name] [dscp dscp]
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1110
How to Configure ACLs
Example:
Switch(config)# access-list 101
permit udp any any eq 100
Step 5 access-list access-list-number {deny Defines an extended ICMP access list and the access conditions.
| permit} icmp source The ICMP parameters are the same as those described for most
source-wildcard destination IP protocols in an extended IPv4 ACL, with the addition of the
destination-wildcard [icmp-type | ICMP message type and code parameters. These optional
[[icmp-type icmp-code] | keywords have these meanings:
[icmp-message]] [precedence
precedence] [tos tos] [fragments] • icmp-type—Enter to filter by ICMP message type, a
[time-range time-range-name] [dscp number from 0 to 255.
dscp]
• icmp-code—Enter to filter ICMP packets that are filtered
by the ICMP message code type, a number from 0 to 255.
Example:
• icmp-message—Enter to filter ICMP packets by the ICMP
Switch(config)# access-list 101
permit icmp any any 200
message type name or the ICMP message type and code
name.
Step 6 access-list access-list-number {deny (Optional) Defines an extended IGMP access list and the access
| permit} igmp source conditions.
source-wildcard destination The IGMP parameters are the same as those described for most
destination-wildcard [igmp-type] IP protocols in an extended IPv4 ACL, with this optional
[precedence precedence] [tos tos] parameter.
[fragments] [log [log-input]
[time-range time-range-name] [dscp igmp-type—To match IGMP message type, enter a number from
dscp] 0 to 15, or enter the message name: dvmrp, host-query,
host-report, pim, or trace.
Example:
Switch(config)# access-list 101
permit igmp any any 14
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1111
How to Configure ACLs
Procedure
Example:
Switch# configure terminal
Step 3 ip access-list standard name Defines a standard IPv4 access list using a
name, and enter access-list configuration mode.
Example: The name can be a number from 1 to 99.
Switch(config)# ip access-list standard
20
Step 4 Use one of the following: In access-list configuration mode, specify one
or more conditions denied or permitted to decide
• deny {source [source-wildcard] | host if the packet is forwarded or dropped.
source | any} [log]
• host source—A source and source
• permit {source [source-wildcard] | host
wildcard of source 0.0.0.0.
source | any} [log]
• any—A source and source wildcard of
0.0.0.0 255.255.255.255.
Example:
Switch(config-std-nacl)# deny
192.168.0.0 0.0.255.255 255.255.0.0
0.0.255.255
or
Switch(config-std-nacl)# permit
10.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0
Example:
Switch(config-std-nacl)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1112
How to Configure ACLs
Example:
Switch# show running-config
Procedure
Example:
Switch# configure terminal
Step 3 ip access-list extended name Defines an extended IPv4 access list using a name,
and enter access-list configuration mode.
Example: The name can be a number from 100 to 199.
Switch(config)# ip access-list
extended 150
Step 4 {deny | permit} protocol {source In access-list configuration mode, specify the
[source-wildcard] | host source | any} conditions allowed or denied. Use the log keyword
{destination [destination-wildcard] | host to get access list logging messages, including
destination | any} [precedence precedence] violations.
[tos tos] [established] [log] [time-range
time-range-name] • host source—A source and source wildcard
of source 0.0.0.0.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1113
How to Configure ACLs
Example:
Switch(config-ext-nacl)# end
Example:
Switch# show running-config
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
When you are creating extended ACLs, remember that, by default, the end of the ACL contains an implicit
deny statement for everything if it did not find a match before reaching the end. For standard ACLs, if you
omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask.
After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACL
entries to a specific ACL. However, you can use no permit and no deny access-list configuration mode
commands to remove entries from a named ACL.
Being able to selectively remove lines from a named ACL is one reason you might use named ACLs instead
of numbered ACLs.
What to Do Next
After creating a named ACL, you can apply it to interfaces or to VLANs .
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1114
How to Configure ACLs
Note The ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry feature can be
used only with named, extended ACLs.
Procedure
Example:
Device# configure terminal
Step 3 ip access-list extended access-list-name Specifies the IP access list by name and enters named
access list configuration mode.
Example:
Device(config)# ip access-list
extended acl-extd-1
Step 4 [sequence-number] permit tcp source Specifies a permit statement in named IP access list
source-wildcard [operator port [port]] configuration mode.
destination destination-wildcard [operator
[port]] [established {match-any | • Operators include lt (less than), gt (greater than),
eq (equal), neq (not equal), and range (inclusive
match-all} {+ | -} flag-name] [precedence
range).
precedence] [tos tos] [log] [time-range
time-range-name] [fragments] • If the operator is positioned after the source and
source-wildcard arguments, it must match the
Example: source port. If the operator is positioned after the
Device(config-ext-nacl)# permit tcp destination and destination-wildcard arguments,
any eq telnet ftp any eq 450 679
it must match the destination port.
• The range operator requires two port numbers.
You can configure up to 10 ports after the eq
and neqoperators. All other operators require
one port number.
• To filter UDP ports, use the UDP syntax of this
command.
Step 5 [sequence-number] deny tcp source (Optional) Specifies a deny statement in named access
source-wildcard [operator port [port]] list configuration mode.
destination destination-wildcard [operator
[port]] [established {match-any | • Operators include lt (less than), gt (greater than),
eq (equal), neq (not equal), and range (inclusive
match-all} {+ | -} flag-name] [precedence
range).
precedence] [tos tos] [log] [time-range
time-range-name] [fragments]
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1115
How to Configure ACLs
Step 6 Repeat Step 4 or Step 5 as necessary, adding Allows you to revise the access list.
statements by sequence number where you
planned. Use the no sequence-number
command to delete an entry.
Step 7 end (Optional) Exits named access list configuration mode
and returns to privileged EXEC mode.
Example:
Device(config-ext-nacl)# end
Step 8 show ip access-lists access-list-name (Optional) Displays the contents of the access list.
Example:
Device# show ip access-lists kmd1
Consolidating Access List Entries with Noncontiguous Ports into One Access List Entry
Perform this task to consolidate a group of access list entries with noncontiguous ports into one access list
entry.
Although this task uses TCP ports, you could use the UDP syntax of the permit and deny commands to filter
noncontiguous UDP ports.
Although this task uses a permit command first, use the permit and deny commands in the order that achieves
your filtering goals.
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1116
How to Configure ACLs
Example:
Device# configure terminal
Step 4 ip access-list extended access-list-name Specifies the IP access list by name and enters
named access list configuration mode.
Example:
Device(config)# ip access-list extended
mylist1
Step 5 no [sequence-number] permit protocol source Removes the redundant access list entry that can
source-wildcard destination be consolidated.
destination-wildcard[option option-name]
[precedence precedence][tos tos] [log] • Repeat this step to remove entries to be
consolidated because only the port numbers
[time-range time-range-name] [fragments]
differ.
Step 6 [sequence-number] permit protocol source Specifies a permit statement in named access list
source-wildcard[operator port[port]] destination configuration mode.
destination-wildcard[operator port[port]]
[option option-name] [precedence • In this instance, a group of access list entries
with noncontiguous ports was consolidated
precedence][tos tos] [log] [time-range
into one permit statement.
time-range-name] [fragments]
• You can configure up to 10 ports after the
Example: eq and neq operators.
Device(config-ext-nacl)# permit tcp any
neq 45 565 632 any eq 23 45 34 43
Step 7 Repeat Steps 5 and 6 as necessary, adding Allows you to revise the access list.
permit or deny statements to consolidate access
list entries where possible. Use the no
sequence-number command to delete an entry.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1117
How to Configure ACLs
Step 9 show ip access-lists access-list-name (Optional) Displays the contents of the access
list.
Example:
Device# show ip access-lists mylist1
Procedure
Example:
Device# configure terminal
Step 3 ip access-list resequence access-list-name Resequences the specified IP access list using the
starting-sequence-number increment starting sequence number and the increment of
sequence numbers.
Example:
Device(config)# ip access-list
resequence kmd1 100 15
Step 4 ip access-list {standard| extended} Specifies the IP access list by name and enters named
access-list-name access list configuration mode.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1118
How to Configure ACLs
Step 5 Do one of the following: Specifies a permit statement in named IP access list
mode.
• sequence-number permit source
source-wildcard • This access list happens to use a permit
statement first, but a deny statement could
• sequence-number permit protocol
appear first, depending on the order of
source source-wildcard destination
statements you need.
destination-wildcard [precedence
precedence][tos tos] [log] [time-range • As the prompt indicates, this access list was a
time-range-name] [fragments] standard access list. If you had specified
extended in Step 4, the prompt for this step
would be Device(config-ext-nacl) and you
Example: would use the extended permit command
syntax.
Device(config-std-nacl)# 105 permit
10.5.5.5 0.0.0 255
Step 7 Do one of the following: Specifies a permit statement in named IP access list
mode.
• sequence-number permit source
source-wildcard • This access list happens to use a
permitstatement first, but a deny statement
• sequence-number permit protocol
could appear first, depending on the order of
source source-wildcard destination
statements you need.
destination-wildcard [precedence
precedence][tos tos] [log] [time-range • See the permit (IP) command for additional
time-range-name] [fragments] command syntax to permit upper layer protocols
(ICMP, IGMP, TCP, and UDP).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1119
How to Configure ACLs
Step 9 Repeat Step 5 and/or Step 6 to add sequence Allows you to revise the access list.
number statements, as applicable.
Step 10 end (Optional) Exits the configuration mode and returns
to privileged EXEC mode.
Example:
Device(config-std-nacl)# end
Step 11 show ip access-lists access-list-name (Optional) Displays the contents of the IP access list.
Example:
Device# show ip access-lists kmd1
Examples
Review the output of the show ip access-lists command to see that the access list includes the new entries:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1120
How to Configure ACLs
Procedure
Example:
Device# configure terminal
Step 3 ip access-list {standard | extended} {name Identifies the access list by a name or number
| number} and enters extended named access list
configuration mode.
Example:
Device(config)# ip access-list extended
telnetting
Step 5 deny protocol host host-address any eq port Sets conditions in a named IP access list that
denies packets.
Example:
Device(config-ext-nacl)# deny tcp host
172.16.2.88 any eq telnet
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1121
How to Configure ACLs
Procedure
Example:
Switch# configure terminal
Step 4 Use one of the following: Specifies when the function it will be applied to is
operational.
• absolute [start time date] [end time
date] • You can use only one absolute statement in
the time range. If you configure more than
• periodic day-of-the-week hh:mm to one absolute statement, only the one
[day-of-the-week] hh:mm
configured last is executed.
• periodic {weekdays | weekend | daily}
• You can enter multiple periodic statements.
hh:mm to hh:mm
For example, you could configure different
hours for weekdays and weekends.
or
Switch(config-time-range)# periodic
weekdays 8:00 to 12:00
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1122
How to Configure ACLs
Example:
Switch# show running-config
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
What to Do Next
Repeat the steps if you have multiple items that you want in effect at different times.
Procedure
Example:
Switch# configure terminal
Step 3 line [console | vty] line-number Identifies a specific line to configure, and enter in-line
configuration mode.
Example: • console—Specifies the console terminal line.
Switch(config)# line console 0 The console port is DCE.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1123
How to Configure ACLs
Step 4 access-class access-list-number {in Restricts incoming and outgoing connections between
| out} a particular virtual terminal line (into a device) and
the addresses in an access list.
Example:
Switch(config-line)# access-class
10 in
Example:
Switch(config-line)# end
Example:
Switch# show running-config
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1124
Monitoring IPv4 ACLs
Procedure
Example:
Switch# configure terminal
Example:
Switch(config-if)# ip access-group 2 in
Example:
Switch(config-if)# end
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1125
Monitoring IPv4 ACLs
When you use the ip access-group interface configuration command to apply ACLs to a Layer 2 or 3 interface,
you can display the access groups on the interface. You can also display the MAC ACLs applied to a Layer
2 interface. You can use the privileged EXEC commands as described in this table to display this information.
Table 113: Commands for Displaying Access Lists and Access Groups
Command Purpose
show access-lists [number | name] Displays the contents of one or all current IP and MAC address
access lists or a specific access list (numbered or named).
show ip access-lists [number | name] Displays the contents of all current IP access lists or a specific
IP access list (numbered or named).
show running-config [interface Displays the contents of the configuration file for the switch or
interface-id] the specified interface, including all configured MAC and IP
access lists and which access groups are applied to an interface.
show mac access-group [interface Displays MAC access lists applied to all Layer 2 interfaces or
interface-id] the specified
Layer 2 interface.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1126
Configuration Examples for ACLs
This shows a small networked office environment with routed Port 2 connected to Server A, containing benefits
and other information that all employees can access, and routed Port 1 connected to Server B, containing
confidential payroll data. All users can access Server A, but Server B has restricted access.
Figure 77: Using Router ACLs to Control Traffic
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1127
Configuration Examples for ACLs
Switch(config-if)# ip access-group 2 in
In this example, suppose that you have a network connected to the Internet, and you want any host on the
network to be able to form TCP connections to any host on the Internet. However, you do not want IP hosts
to be able to form TCP connections to hosts on your network, except to the mail (SMTP) port of a dedicated
mail host.
SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same
port numbers are used throughout the life of the connection. Mail packets coming in from the Internet have
a destination port of 25. Outbound packets have the port numbers reversed. Because the secure system of the
network always accepts mail connections on port 25, the incoming and outgoing services are separately
controlled. The ACL must be configured as an input ACL on the outbound interface and an output ACL on
the inbound interface.
In this example, the network is a Class B network with the address 128.88.0.0, and the mail host address is
128.88.1.2. The established keyword is used only for the TCP to show an established connection. A match
occurs if the TCP datagram has the ACK or RST bits set, which show that the packet belongs to an existing
connection. Gigabit Ethernet interface 1 on stack member 1 is the interface that connects the router to the
Internet.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1128
Configuration Examples for ACLs
The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0
0.0.255.255 and denies any other TCP traffic. It permits ICMP traffic, denies UDP traffic from any source to
the destination address range 171.69.0.0 through 179.69.255.255 with a destination port less than 1024, denies
any other IP traffic, and provides a log of the result.
The Internet_filter ACL is applied to outgoing traffic and the marketing_group ACL is applied to incoming
traffic on a Layer 3 port.
Example: Consolidating Access List Entries with Noncontiguous Ports into One Access List Entry
The show access-lists command is used to display a group of access list entries for the access list named abc:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1129
Configuration Examples for ACLs
list entries and the creation of a new access list entry that consolidates the previously displayed group of access
list entries:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1130
Configuration Examples for ACLs
In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the web:
Switch(config)# access-list 100 remark Do not allow Winter to browse the web
Switch(config)# access-list 100 deny host 171.69.3.85 any eq www
Switch(config)# access-list 100 remark Do not allow Smith to browse the web
Switch(config)# access-list 100 deny host 171.69.3.13 any eq www
In this example of a named ACL, the Jones subnet is not allowed access:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1131
Configuration Examples for ACLs
In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet:
To apply a time range, enter the time-range name in an extended ACL that can implement time ranges. This
example shows how to create and verify extended access list 188 that denies TCP traffic from any source to
any destination during the defined holiday times and permits all TCP traffic during work hours.
This example uses named ACLs to permit and deny the same traffic.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1132
Configuration Examples for ACLs
<output truncated>
This example is a named extended access list ext1 that permits ICMP packets from any source to 10.1.1.0
0.0.0.255 and denies all UDP packets.
Note that all logging entries for IP ACLs start with %SEC-6-IPACCESSLOG with minor variations in format
depending on the kind of ACL and the access entry that has been matched.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1133
Examples: Troubleshooting ACLs
A log message for the same sort of packet using the log keyword does not include the input interface
information:
The switch has insufficient resources to create a hardware representation of the ACL. The resources include
hardware memory and label space but not CPU memory. A lack of available logical operation units or
specialized hardware resources causes this problem. Logical operation units are needed for a TCP flag match
or a test other than eq (ne, gt, lt, or range) on TCP, UDP, or SCTP port numbers.
Use one of these workarounds:
• Modify the ACL configuration to use fewer resources.
• Rename the ACL with a name or number that alphanumerically precedes the ACL names or numbers.
To determine the specialized hardware resources, enter the show platform layer4 acl map privileged EXEC
command. If the switch does not have available resources, the output shows that index 0 to index 15 are not
available.
For more information about configuring ACLs with insufficient resources, see CSCsq63926 in the Bug Toolkit.
For example, if you apply this ACL to an interface:
or
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1134
Additional References
• Rename the ACL with a name or number that alphanumerically precedes the other ACLs (for example,
rename ACL 79 to ACL 1).
You can now apply the first ACE in the ACL to the interface. The switch allocates the ACE to available
mapping bits in the Opselect index and then allocates flag-related operators to use the same bits in the hardware
memory.
Additional References
Related Documents
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1135
Feature Information for IPv4 Access Control Lists
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Cisco IOS 15.2(2)E The Named ACL Support for Noncontiguous Ports
on an Access Control Entry feature allows you to
specify noncontiguous ports in a single access control
entry, which greatly reduces the number of entries
required in an access control list when several entries
have the same source address, destination address,
and protocol, but differ only in the ports.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1136
Feature Information for IPv4 Access Control Lists
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1137
Feature Information for IPv4 Access Control Lists
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1138
CHAPTER 52
IPv6 Access Control Lists
Access lists determine what traffic is blocked and what traffic is forwarded at device interfaces and allow
filtering of traffic based on source and destination addresses, and inbound and outbound traffic to a specific
interface. Standard IPv6 ACL functionality was extended to support traffic filtering based on IPv6 option
headers and optional, upper-layer protocol type information for finer granularity of control. Standard IPv6
ACL functionality was extended to support traffic filtering based on IPv6 option headers and optional,
upper-layer protocol type information for finer granularity of control.
This module describes how to configure IPv6 traffic filtering and to control access to virtual terminal lines.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1139
Prerequisites for IPV6 ACLs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1140
Information About Configuring IPv6 ACLs
Note To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template
on the switch. You select the template by entering the sdm prefer {default | dual-ipv4-and-ipv6} global
configuration command.
ACL Overview
Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs filter
traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or
VLANs. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet
is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify
that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists.
One by one, it tests packets against the conditions in an access list. The first match decides whether the switch
accepts or rejects the packets. Because the switch stops testing after the first match, the order of conditions
in the list is critical. If no conditions match, the switch rejects the packet. If there are no restrictions, the switch
forwards the packet; otherwise, the switch drops the packet. The switch can use ACLs on all packets it forwards,
including packets bridged within a VLAN.
You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do
not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network.
You can use ACLs to control which hosts can access different parts of a network or to decide which types of
traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail traffic to be forwarded
but not Telnet traffic. ACLs can be configured to block inbound traffic, outbound traffic, or both.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1141
Information About Configuring IPv6 ACLs
are access-controlled through MAC addresses using Ethernet ACEs. After a VLAN map is applied to a
VLAN, all packets entering the VLAN are checked against the VLAN map.
The switch does not support VLAN ACLs (VLAN maps) for IPv6 traffic.
You can apply both IPv4 and IPv6 ACLs to an interface. As with IPv4 ACLs, IPv6 port ACLs take precedence
over router ACLs.
• IPv6 port ACLs - Supported on inbound traffic on Layer 2 interfaces only. Applied to all IPv6 packets
entering the interface.
Note If you configure unsupported IPv6 ACLs, an error message appears and the configuration does not take
affect.
The switch does not support VLAN ACLs (VLAN maps) for IPv6 traffic.
You can apply both IPv4 and IPv6 ACLs to an interface.
As with IPv4 ACLs, IPv6 port ACLs take precedence over router ACLs:
• When an input router ACL and input port ACL exist in an SVI, packets received on ports to which a
port ACL is applied are filtered by the port ACL. Routed IP packets received on other ports are filtered
by the router ACL. Other packets are not filtered.
• When an output router ACL and input port ACL exist in an SVI, packets received on the ports to which
a port ACL is applied are filtered by the port ACL. Outgoing routed IPv6 packets are filtered by the
router ACL. Other packets are not filtered.
Note If any port ACL (IPv4, IPv6, or MAC) is applied to an interface, that port ACL is used to filter packets,
and any router ACLs attached to the SVI of the port VLAN are ignored.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1142
Information About Configuring IPv6 ACLs
• You can create both IPv4 and IPv6 ACLs on a switch or switch stack, and you can apply both IPv4 and
IPv6 ACLs to the same interface. Each ACL must have a unique name; an error message appears if you
try to use a name that is already configured.
You use different commands to create IPv4 and IPv6 ACLs and to attach IPv4 or IPv6 ACLs to the same
Layer 2 or Layer 3 interface. If you use the wrong command to attach an ACL (for example, an IPv4
command to attach an IPv6 ACL), you receive an error message.
• You cannot use MAC ACLs to filter IPv6 frames. MAC ACLs can only filter non-IP frames.
• If the hardware memory is full, packets are dropped on the interface and an unload error message is
logged.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1143
How to Configure IPv6 ACLs
Procedure
Example:
Switch# configure terminal
Step 3 {ipv6 access-list list-name Defines an IPv6 ACL name, and enters IPv6 access list
configuration mode.
Example:
Switch(config)# ipv6 access-list
example_acl_list
Step 4 {deny | permit} protocol Enter deny or permit to specify whether to deny or permit the
{source-ipv6-prefix/|prefix-length|any| packet if conditions are matched. These are the conditions:
host source-ipv6-address} [ operator
[ port-number ]] { • For protocol, enter the name or number of an Internet
protocol: ahp, esp, icmp, ipv6, pcp, stcp, tcp, or udp,
destination-ipv6-prefix/ prefix-length
or an integer in the range 0 to 255 representing an IPv6
| any | host destination-ipv6-address}
protocol number.
[operator [port-number]][dscp value]
[fragments] [log] [log-input] • The source-ipv6-prefix/prefix-length or
destination-ipv6-prefix/ prefix-length is the source or
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1144
How to Configure IPv6 ACLs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1145
How to Configure IPv6 ACLs
Step 6 {deny | permit} udp (Optional) Define a UDP access list and the access conditions.
{source-ipv6-prefix/prefix-length | any Enter udp for the User Datagram Protocol. The UDP
| host source-ipv6-address} [operator parameters are the same as those described for TCP, except
[port-number]] that the [operator [port]] port number or name must be a UDP
{destination-ipv6-prefix/prefix-length port number or name, and the established parameter is not
| any | host destination-ipv6-address} valid for UDP.
[operator [port-number]] [dscp value]
[log] [log-input] [neq {port |
protocol}] [range {port | protocol}]
[routing] [sequence value]
[time-range name]]
Step 7 {deny | permit} icmp (Optional) Define an ICMP access list and the access
{source-ipv6-prefix/prefix-length | any conditions.
| host source-ipv6-address} [operator Enter icmp for Internet Control Message Protocol. The ICMP
[port-number]] parameters are the same as those described for most IP
{destination-ipv6-prefix/prefix-length protocols in Step 1, with the addition of the ICMP message
| any | host destination-ipv6-address} type and code parameters. These optional keywords have
[operator [port-number]] [icmp-type these meanings:
[icmp-code] | icmp-message] [dscp
value] [log] [log-input] [routing] • icmp-type—Enter to filter by ICMP message type, a
[sequence value] [time-range name] number from 0 to 255.
• icmp-code—Enter to filter ICMP packets that are filtered
by the ICMP message code type, a number from 0 to
255.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1146
How to Configure IPv6 ACLs
Example:
Switch# show running-config
Step 11 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
What to Do Next
Attach the IPv6 ACL to an Interface
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1147
How to Configure IPv6 ACLs
Example:
Switch# configure terminal
Step 3 interface interface-id Identify a Layer 2 interface (for port ACLs) or Layer
3 interface (for router ACLs) on which to apply an
access list, and enter interface configuration mode.
Step 5 ipv6 address ipv6-address Configure an IPv6 address on a Layer 3 interface (for
router ACLs).
Step 6 ipv6 traffic-filter access-list-name {in Apply the access list to incoming or outgoing traffic
| out} on the interface.
Note The out keyword is not supported for Layer
2 interfaces (port ACLs).
Step 7 end Returns to privileged EXEC mode.
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Command Purpose
show access-lists Displays all access lists configured on the switch.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1148
How to Configure IPv6 ACLs
Command Purpose
show ipv6 access-list [access-list-name] Displays all configured IPv6 access lists or the access
list specified by name.
show vlan filter[access-mapaccess-map| vlanvlan-id] Displays the mapping between VACLs and VLANs.
This is an example of the output from the show access-lists privileged EXEC command. The output shows
all access lists that are configured on the switch or switch stack.
Switch # show access-lists
Extended IP access list hello
10 permit ip any any
IPv6 access list ipv6
permit ipv6 any any sequence 10
This is an example of the output from the show ipv6 access-list privileged EXEC command. The output
shows only IPv6 access lists configured on the switch or switch stack
Switch# show ipv6 access-list
IPv6 access list inbound
permit tcp any any eq bgp (8 matches) sequence 10
permit tcp any any eq telnet (15 matches) sequence 20
permit udp any any sequence 30
IPv6 access list outbound
deny udp any any sequence 10
deny tcp any any eq telnet sequence 20
This is an example of the output from the show vlan access-map privileged EXEC command. The output
shows VLAN access map information.
Switch# show vlan access-map
Vlan access-map "m1" 10
Match clauses:
ipv6 address: ip2
Action: drop
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1149
How to Configure IPv6 ACLs
Example:
Device# configure terminal
Step 3 ipv6 access-list access-list-name Defines an IPv6 ACL and enters IPv6 access list
configuration mode.
Example:
Device(config)# ipv6 access-list
list1
Step 5 interface type number Specifies an interface type and number and enters
interface configuration mode.
Example:
Step 6 ipv6 traffic-filter access-list-name {in | Filters incoming and outgoing IPv6 traffic on an
out} interface.
Example:
Device(config-if)# ipv6
traffic-filter list1 in
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1150
How to Configure IPv6 ACLs
Step 4 permit protocol {source-ipv6-prefix/prefix-length | any | host Sets permit conditions for the
source-ipv6-address | auth} [operator [port-number]] IPv6 ACL.
{destination-ipv6-prefix/prefix-length | any | host
destination-ipv6-address | auth} [operator [port-number]]
[dest-option-type [header-number | header-type]] [dscp value]
[flow-label value] [fragments] [hbh] [log] [log-input] [mobility]
[mobility-type [mh-number | mh-type]] [reflect name [timeout
value]] [routing] [routing-type routing-number] [sequence
value] [time-range name]
Example:
Device(config-ipv6-acl)# permit icmp any any
dest-option-type
Step 5 deny protocol {source-ipv6-prefix/prefix-length | any | host Sets deny conditions for the
source-ipv6-address | auth} [operator [port-number]] IPv6 ACL.
{destination-ipv6-prefix/prefix-length | any | host
destination-ipv6-address | auth} [operator [port-number]]
[dest-option-type [header-number | header-type]] [dscp value]
[flow-label value] [fragments] [hbh] [log] [log-input] [mobility]
[mobility-type [mh-number | mh-type]] [routing] [routing-type
routing-number] [sequence value] [time-range name]
[undetermined-transport]
Example:
Device(config-ipv6-acl)# deny icmp any any
dest-option-type
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1151
Configuration Examples for IPv6 ACLs
Switch(config-if)# no switchport
Switch(config-if)# ipv6 address 2001::/64 eui-64
Switch(config-if)# ipv6 traffic-filter CISCO out
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1152
Additional References
Building configuration...
Additional References
Related Documents
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1153
Feature Information for IPv6 Access Control Lists
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1154
Feature Information for IPv6 Access Control Lists
IPv6 Services: Standard Access 12.2(25)SG Access lists determine what traffic
Control Lists is blocked and what traffic is
forwarded at router interfaces and
allow filtering based on source and
destination addresses, inbound and
outbound to a specific interface.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1155
Feature Information for IPv6 Access Control Lists
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1156
CHAPTER 53
ACL Support for Filtering IP Options
The ACL Support for Filtering IP Options feature describes how to use an IP access list to filter IP packets
that contain IP options to prevent devices from becoming saturated with spurious packets.
This module also describes the ACL TCP Flags Filtering feature and how to use an IP access list to filter IP
packets that contain TCP flags. The ACL TCP Flags Filtering feature allows you to select any combination
of flags on which to filter. The ability to match on a flag set and on a flag not set gives you a greater degree
of control for filtering on TCP flags, thus enhancing security.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1157
Information About ACL Support for Filtering IP Options
IP Options
IP uses four key mechanisms in providing its service: Type of Service, Time to Live, Options, and Header
Checksum.
The Options, commonly referred to as IP Options, provide for control functions that are required in some
situations but unnecessary for the most common communications. IP Options include provisions for time
stamps, security, and special routing.
IP Options may or may not appear in datagrams. They must be implemented by all IP modules (host and
gateways). What is optional is their transmission in any particular datagram, not their implementation. In
some environments the security option may be required in all datagrams.
The option field is variable in length. There may be zero or more options. IP Options can have one of two
formats:
• Format 1: A single octet of option-type.
• Format 2: An option-type octet, an option-length octet, and the actual option-data octets.
The option-length octet counts the option-type octet, the option-length octet, and the option-data octets.
The option-type octet is viewed as having three fields: a 1-bit copied flag, a 2-bit option class, and a 5-bit
option number. These fields form an 8-bit value for the option type field. IP Options are commonly referred
to by their 8-bit value.
For a complete list and description of IP Options, refer to RFC 791, Internet Protocol at the following URL:
http://www.faqs.org/rfcs/rfc791.html
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1158
How to Configure ACL Support for Filtering IP Options
The ACEs that make up an access list can be configured to detect and drop unauthorized TCP packets by
allowing only the packets that have a very specific group of TCP flags set or not set. The ACL TCP Flags
Filtering feature provides a greater degree of packet-filtering control in the following ways:
• You can select any desired combination of TCP flags on which to filter TCP packets.
• You can configure ACEs to allow matching on a flag that is set, as well as on a flag that is not set.
TCP Flags
The table below lists the TCP flags, which are further described in RFC 793, Transmission Control Protocol.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1159
How to Configure ACL Support for Filtering IP Options
Note • The ACL Support for Filtering IP Options feature can be used only with named, extended ACLs.
• Resource Reservation Protocol (RSVP) Multiprotocol Label Switching Traffic Engineering (MPLS
TE), Internet Group Management Protocol Version 2 (IGMPV2), and other protocols that use IP
options packets may not function in drop or ignore mode if this feature is configured.
• On most Cisco devices, a packet with IP options is not switched in hardware, but requires control
plane software processing (primarily because there is a need to process the options and rewrite the
IP header), so all IP packets with IP options will be filtered and switched in software.
Procedure
Example:
Device# configure terminal
Step 3 ip access-list extended access-list-name Specifies the IP access list by name and enters
named access list configuration mode.
Example:
Device(config)# ip access-list
extended mylist1
Step 4 [sequence-number] deny protocol source (Optional) Specifies a deny statement in named IP
source-wildcard destination access list mode.
destination-wildcard [option option-value]
[precedence precedence] [tos tos] [log] • This access list happens to use a
denystatement first, but a permit statement
[time-range time-range-name] [fragments]
could appear first, depending on the order of
statements you need.
Example:
Device(config-ext-nacl)# deny ip any • Use the option keyword and option-value
any option traceroute
argument to filter packets that contain a
particular IP Option.
• In this example, any packet that contains the
traceroute IP option will be filtered out.
• Use the no sequence-number form of this
command to delete an entry.
Step 5 [sequence-number] permit protocol source Specifies a permit statement in named IP access
source-wildcard destination list mode.
destination-wildcard [option option-value]
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1160
How to Configure ACL Support for Filtering IP Options
Step 6 Repeat Step 4 or Step 5 as necessary. Allows you to revise the access list.
Step 8 show ip access-lists access-list-name (Optional) Displays the contents of the IP access
list.
Example:
Device# show ip access-lists mylist1
Note • TCP flag filtering can be used only with named, extended ACLs.
• The ACL TCP Flags Filtering feature is supported only for Cisco ACLs.
• Previously, the following command-line interface (CLI) format could be used to configure a TCP
flag-checking mechanism:
permit tcp any any rst The following format that represents the same access control entry (ACE) can
now be used: permit tcp any any match-any +rst Both the CLI formats are accepted; however, if the
new keywords match-all or match-any are chosen, they must be followed by the new flags that are
prefixed with “+” or “-”. It is advisable to use only the old format or the new format in a single ACL. You
cannot mix and match the old and new CLI formats.
Caution If a device having ACEs with the new syntax format is reloaded with a previous version of the Cisco
software that does not support the ACL TCP Flags Filtering feature, the ACEs will not be applied, leading
to possible security loopholes.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1161
How to Configure ACL Support for Filtering IP Options
Procedure
Example:
Device# configure terminal
Step 3 ip access-list extended access-list-name Specifies the IP access list by name and enters
named access list configuration mode.
Example:
Device(config)# ip access-list extended
kmd1
Step 4 [sequence-number] permit tcp source Specifies a permit statement in named IP access list
source-wildcard [operator [port]] destination mode.
destination-wildcard [operator [port]]
[established|{match-any | match-all} {+ | -} • This access list happens to use a
permitstatement first, but a deny statement
flag-name] [precedence precedence] [tos tos]
could appear first, depending on the order of
[log] [time-range time-range-name]
statements you need.
[fragments]
• Use the TCP command syntax of the
Example: permitcommand.
Device(config-ext-nacl)# permit tcp any • Any packet with the RST TCP header flag set
any match-any +rst will be matched and allowed to pass the named
access list kmd1 in Step 3.
Step 5 [sequence-number] deny tcp source (Optional) Specifies a deny statement in named IP
source-wildcard [operator [port]] destination access list mode.
destination-wildcard [operator [port]]
[established|{match-any | match-all} {+ | -} • This access list happens to use a
permitstatement first, but a deny statement
flag-name] [precedence precedence] [tos tos]
could appear first, depending on the order of
[log] [time-range time-range-name]
statements you need.
[fragments]
• Use the TCP command syntax of the
Example: denycommand.
Device(config-ext-nacl)# deny tcp any • Any packet that does not have the ACK flag
any match-all -ack -fin set, and also does not have the FIN flag set,
will not be allowed to pass the named access
list kmd1 in Step 3.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1162
Configuration Examples for ACL Support for Filtering IP Options
Step 6 Repeat Step 4 or Step 5 as necessary, adding Allows you to revise the access list.
statements by sequence number where you
planned. Use the no
sequence-numbercommand to delete an entry.
Step 7 end (Optional) Exits the configuration mode and returns
to privileged EXEC mode.
Example:
Device(config-ext-nacl)# end
Step 8 show ip access-lists access-list-name (Optional) Displays the contents of the IP access
list.
Example: • Review the output to confirm that the access
Device# show ip access-lists kmd1 list includes the new entry.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1163
Additional References for ACL Support for Filtering IP Options
RFCs
RFC Title
RFC 791 Internet Protocol
http://www.faqs.org/rfcs/rfc791.html
http://www.faqs.org/rfcs/rfc791.html
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1164
Feature Information for Creating an IP Access List to Filter
Technical Assistance
Description Link
The Cisco Support and Documentation website http://www.cisco.com/cisco/web/support/index.html
provides online resources to download documentation,
software, and tools. Use these resources to install and
configure the software and to troubleshoot and resolve
technical issues with Cisco products and technologies.
Access to most tools on the Cisco Support and
Documentation website requires a Cisco.com user ID
and password.
ACL TCP Flags Filtering Cisco IOS 15.2(2)E This feature provides a flexible mechanism for
filtering on TCP flags. The ACL TCP Flags
Filtering feature allows you to select any
combination of flags on which to filter. The
ability to match on a flag set and on a flag not
set gives you a greater degree of control for
filtering on TCP flags, thus enhancing security.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1165
Feature Information for Creating an IP Access List to Filter
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1166
CHAPTER 54
VLAN Access Control Lists
VLAN access control lists (ACLs) or VLAN maps access-control all packets (bridged and routed). You can
use VLAN maps to filter traffic between devices in the same VLAN. VLAN maps are configured to provide
access control based on Layer 3 addresses for IPv4. Unsupported protocols are access-controlled through
MAC addresses using Ethernet access control entries (ACEs). After a VLAN map is applied to a VLAN, all
packets (routed or bridged) entering the VLAN are checked against the VLAN map. Packets can either enter
the VLAN through a switch port or through a routed port after being routed.
This module provides more information about VLAN ACLs and how to configure them.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1167
Information About VLAN Access Control Lists
VLAN Maps
VLAN ACLs or VLAN maps are used to control network traffic within a VLAN. You can apply VLAN maps
to all packets that are bridged within a VLAN in the switch or switch stack. VACLs are strictly for security
packet filtering and for redirecting traffic to specific physical interfaces. VACLs are not defined by direction
(ingress or egress).
All non-IP protocols are access-controlled through MAC addresses and Ethertype using MAC VLAN maps.
(IP traffic is not access controlled by MAC VLAN maps.) You can enforce VLAN maps only on packets
going through the switch; you cannot enforce VLAN maps on traffic between hosts on a hub or on another
switch connected to this switch.
With VLAN maps, forwarding of packets is permitted or denied, based on the action specified in the map.
This shows how a VLAN map is applied to prevent a specific type of traffic from Host A in VLAN 10 from
being forwarded. You can apply only one VLAN map to a VLAN.
Figure 78: Using VLAN Maps to Control Traffic
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1168
Information About VLAN Access Control Lists
Note When you use router ACLs with VLAN maps, packets that require logging on the router ACLs are not
logged if they are denied by a VLAN map.
If the VLAN map has a match clause for the type of packet (IP or MAC) and the packet does not match the
type, the default is to drop the packet. If there is no match clause in the VLAN map, and no action specified,
the packet is forwarded if it does not match any VLAN map entry.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1169
How to Configure VLAN Access Control Lists
If you need to specify the full-flow mode and the ACL contains both IP ACEs and TCP/UDP/ICMP
ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list. This gives priority to the
filtering of traffic based on IP addresses.
VACL Logging
When you configure VACL logging, syslog messages are generated for denied IP packets under these
circumstances:
• When the first matching packet is received.
• For any matching packets received within the last 5 minutes.
• If the threshold is reached before the 5-minute interval.
Log messages are generated on a per-flow basis. A flow is defined as packets with the same IP addresses and
Layer 4 (UDP or TCP) port numbers. If a flow does not receive any packets in the 5-minute interval, that flow
is removed from the cache. When a syslog message is generated, the timer and packet counter are reset.
VACL logging restrictions:
• Only denied IP packets are logged.
• Packets that require logging on the outbound port ACLs are not logged if they are denied by a VACL.
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1170
How to Configure VLAN Access Control Lists
Example:
Switch(config)# mac access-list
extended mac1
Step 4 {deny | permit} {any | host source MAC In extended MAC access-list configuration mode,
address | source MAC address mask} {any specifies to permit or deny any source MAC address,
| host destination MAC address | destination a source MAC address with a mask, or a specific host
MAC address mask} [type mask | lsap lsap source MAC address and any destination MAC
mask | aarp | amber | dec-spanning | address, destination MAC address with a mask, or a
decnet-iv | diagnostic | dsm | etype-6000 specific destination MAC address.
| etype-8042 | lat | lavc-sca | mop-console (Optional) You can also enter these options:
| mop-dump | msdos | mumps | netbios |
vines-echo | vines-ip | xns-idp | 0-65535] • type mask—An arbitrary EtherType number of
[cos cos] a packet with Ethernet II or SNAP encapsulation
in decimal, hexadecimal, or octal with optional
Example: mask of don’t care bits applied to the EtherType
before testing for a match.
Switch(config-ext-macl)# deny any
any decnet-iv • lsap lsap mask—An LSAP number of a packet
with IEEE 802.2 encapsulation in decimal,
or
hexadecimal, or octal with optional mask of don’t
Switch(config-ext-macl)# permit any
care bits.
any
• aarp | amber | dec-spanning | decnet-iv |
diagnostic | dsm | etype-6000 | etype-8042 | lat
| lavc-sca | mop-console | mop-dump | msdos |
mumps | netbios | vines-echo | vines-ip |
xns-idp—A non-IP protocol.
• cos cos—An IEEE 802.1Q cost of service
number from 0 to 7 used to set priority.
Example:
Switch(config-ext-macl)# end
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1171
How to Configure VLAN Access Control Lists
Example:
Switch# copy running-config
startup-config
Procedure
Example:
Switch# configure terminal
Switch(config)# interface
gigabitethernet1/0/2
Step 4 mac access-group {name} {in | out } Controls access to the specified interface by
using the MAC access list.
Example: Port ACLs are supported in the outbound and
Switch(config-if)# mac access-group inbound directions .
mac1 in
Example:
Switch(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1172
How to Configure VLAN Access Control Lists
Example:
Switch# show mac access-group interface
gigabitethernet1/0/2
Example:
Switch# show running-config
After receiving a packet, the switch checks it against the inbound ACL. If the ACL permits it, the switch
continues to process the packet. If the ACL rejects the packet, the switch discards it. When you apply an
undefined ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets.
Remember this behavior if you use undefined ACLs for network security.
Procedure
Switch(config)# vlan access-map When you create VLAN maps with the same name, numbers
map_1 20 are assigned sequentially in increments of 10. When modifying
or deleting maps, you can enter the number of the map entry
that you want to modify or delete.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1173
How to Configure VLAN Access Control Lists
Step 2 match {ip | mac} address {name | Match the packet (using either the IP or MAC address) against
number} [name | number] one or more standard or extended access lists. Note that packets
are only matched against access lists of the correct protocol
Example: type. IP packets are matched against standard or extended IP
access lists. Non-IP packets are only matched against named
Switch(config-access-map)# match MAC extended access lists.
ip address ip2
Note If the VLAN map is configured with a match clause
for a type of packet (IP or MAC) and the map action
is drop, all packets that match the type are dropped.
If the VLAN map has no match clause, and the
configured action is drop, all IP and Layer 2 packets
are dropped.
Step 3 Enter one of the following commands Sets the action for the map entry.
to specify an IP packet or a non-IP
packet (with only a known MAC
address) and to match the packet
against one or more ACLs (standard
or extended):
• action { forward}
Switch(config-access-map)#
action forward
• action { drop}
Switch(config-access-map)#
action drop
Step 4 vlan filter mapname vlan-list list Applies the VLAN map to one or more VLAN IDs.
The list can be a single VLAN ID (22), a consecutive list
Example: (10-22), or a string of VLAN IDs (12, 22, 30). Spaces around
Switch(config)# vlan filter map the comma and hyphen are optional.
1 vlan-list 20-22
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1174
How to Configure VLAN Access Control Lists
Procedure
Example:
Switch# configure terminal
Step 2 vlan access-map name [number] Creates a VLAN map, and give it a name and (optionally)
a number. The number is the sequence number of the entry
Example: within the map.
Switch(config)# vlan access-map When you create VLAN maps with the same name, numbers
map_1 20 are assigned sequentially in increments of 10. When
modifying or deleting maps, you can enter the number of
the map entry that you want to modify or delete.
VLAN maps do not use the specific permit or deny
keywords. To deny a packet by using VLAN maps, create
an ACL that would match the packet, and set the action to
drop. A permit in the ACL counts as a match. A deny in the
ACL means no match.
Entering this command changes to access-map configuration
mode.
Step 3 match {ip | mac} address {name | Match the packet (using either the IP or MAC address)
number} [name | number] against one or more standard or extended access lists. Note
that packets are only matched against access lists of the
Example: correct protocol type. IP packets are matched against
standard or extended IP access lists. Non-IP packets are
Switch(config-access-map)# only matched against named MAC extended access lists.
match ip address ip2
Step 4 action {drop | forward} (Optional) Sets the action for the map entry. The default is
to forward.
Example:
Switch(config-access-map)#
action forward
Example:
Switch(config-access-map)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1175
How to Configure VLAN Access Control Lists
Example:
Switch# show running-config
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Procedure
Example:
Switch# configure terminal
Step 3 vlan filter mapname vlan-list list Applies the VLAN map to one or more VLAN
IDs.
Example: The list can be a single VLAN ID (22), a
Switch(config)# vlan filter map 1 consecutive list (10-22), or a string of VLAN IDs
vlan-list 20-22 (12, 22, 30). Spaces around the comma and
hyphen are optional.
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1176
How to Configure VLAN Access Control Lists
Example:
Switch# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Procedure
Example:
Switch# configure terminal
Step 2 vlan access-map name [number] Creates a VLAN map. Give it a name and optionally a number.
The number is the sequence number of the entry within the
Example: map.
Step 3 action drop log Sets the VLAN access map to drop and log IP packets.
Example:
Switch(config-access-map)#
action drop log
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1177
Configuration Examples for ACLs and VLAN Maps
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1178
Configuration Examples for ACLs and VLAN Maps
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1179
Configuration Examples for Using VLAN Maps in Your Network
In a wiring closet configuration, routing might not be enabled on the switch. In this configuration, the switch
can still support a VLAN map and a QoS classification ACL. Assume that Host X and Host Y are in different
VLANs and are connected to wiring closet switches A and C. Traffic from Host X to Host Y is eventually
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1180
Configuration Examples for Using VLAN Maps in Your Network
being routed by Switch B, a Layer 3 switch with routing enabled. Traffic from Host X to Host Y can be
access-controlled at the traffic entry point, Switch A.
Figure 79: Wiring Closet Configuration
If you do not want HTTP traffic switched from Host X to Host Y, you can configure a VLAN map on Switch
A to drop all HTTP traffic from Host X (IP address 10.1.1.32) to Host Y (IP address 10.1.1.34) at Switch A
and not bridge it to Switch B.
First, define the IP access list http that permits (matches) any TCP traffic on the HTTP port.
Next, create VLAN access map map2 so that traffic that matches the http access list is dropped and all other
IP traffic is forwarded.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1181
Configuration Examples for Using VLAN Maps in Your Network
You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs to
have access denied to these hosts:
• Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access.
• Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.
Define a VLAN map using this ACL that will drop IP packets that match SERVER1_ACL and forward IP
packets that do not match the ACL.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1182
Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs
This example shows how an ACL is applied on packets that are switched within a VLAN. Packets switched
within the VLAN without being routed or forwarded by fallback bridging are only subject to the VLAN map
of the input VLAN.
Figure 81: Applying ACLs on Switched Packets
This example shows how an ACL is applied on fallback-bridged packets. For bridged packets, only Layer 2
ACLs are applied to the input VLAN. Only non-IP, non-ARP packets can be fallback-bridged.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1183
Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs
This example shows how ACLs are applied on routed packets. The ACLs are applied in this order:
1 VLAN map for input VLAN
2 Input router ACL
3 Output router ACL
4 VLAN map for output VLAN
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1184
Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs
This example shows how ACLs are applied on packets that are replicated for IP multicasting. A multicast
packet being routed has two different kinds of filters applied: one for destinations that are other ports in the
input VLAN and another for each of the destinations that are in other VLANs to which the packet has been
routed. The packet might be routed to more than one output VLAN, in which case a different router output
ACL and VLAN map would apply for each destination VLAN. The final result is that the packet might be
permitted in some of the output VLANs and not in others. A copy of the packet is forwarded to those
destinations where it is permitted. However, if the input VLAN map drops the packet, no destination receives
a copy of the packet.
Figure 84: Applying ACLs on Multicast Packets
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1185
Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1186
CHAPTER 55
Configuring DHCP
• Finding Feature Information, page 1187
• Information About DHCP, page 1187
• How to Configure DHCP Features, page 1194
• Configuring DHCP Server Port-Based Address Allocation, page 1203
DHCP Server
The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients
and manages them. If the DHCP server cannot give the DHCP client the requested configuration parameters
from its database, it forwards the request to one or more secondary DHCP servers defined by the network
administrator. The switch can act as a DHCP server.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1187
Information About DHCP
transparently between networks. Relay agents receive DHCP messages and generate new DHCP messages
to send on output interfaces.
DHCP Snooping
DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP
messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP
snooping binding table.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping to
differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the
DHCP server or another switch.
Note For DHCP snooping to function properly, all DHCP servers must be connected to the switch through
trusted interfaces.
An untrusted DHCP message is a message that is received through an untrusted interface. By default, the
switch considers all interfaces untrusted. So, the switch must be configured to trust some interfaces to use
DHCP Snooping. When you use DHCP snooping in a service-provider environment, an untrusted message
is sent from a device that is not in the service-provider network, such as a customer’s switch. Messages from
unknown devices are untrusted because they can be sources of traffic attacks.
The DHCP snooping binding database has the MAC address, the IP address, the lease time, the binding type,
the VLAN number, and the interface information that corresponds to the local untrusted interfaces of a switch.
It does not have information regarding hosts interconnected with a trusted interface.
In a service-provider network, an example of an interface you might configure as trusted is one connected to
a port on a device in the same network. An example of an untrusted interface is one that is connected to an
untrusted interface in the network or to an interface on a device that is not in the network.
When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which
DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware
address. If the addresses match (the default), the switch forwards the packet. If the addresses do not match,
the switch drops the packet.
The switch drops a DHCP packet when one of these situations occurs:
• A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or
DHCPLEASEQUERY packet, is received from outside the network or firewall.
• A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware
address do not match.
• The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address
in the DHCP snooping binding database, but the interface information in the binding database does not
match the interface on which the message was received.
• A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.0.0.0,
or the relay agent forwards a packet that includes option-82 information to an untrusted port.
If the switch is an aggregation switch supporting DHCP snooping and is connected to an edge switch that is
inserting DHCP option-82 information, the switch drops packets with option-82 information when packets
are received on an untrusted interface. If DHCP snooping is enabled and packets are received on a trusted
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1188
Information About DHCP
port, the aggregation switch does not learn the DHCP snooping bindings for connected devices and cannot
build a complete DHCP snooping binding database.
When an aggregation switch can be connected to an edge switch through an untrusted interface and you enter
the ip dhcp snooping information option allow-untrusted global configuration command, the aggregation
switch accepts packets with option-82 information from the edge switch. The aggregation switch learns the
bindings for hosts connected through an untrusted switch interface. The DHCP security features, such as
dynamic ARP inspection or IP source guard, can still be enabled on the aggregation switch while the switch
receives packets with option-82 information on untrusted input interfaces to which hosts are connected. The
port on the edge switch that connects to the aggregation switch must be configured as a trusted interface.
Normally, it is not desirable to broadcast packets to wireless clients. So, DHCP snooping replaces destination
broadcast MAC address (ffff.ffff.ffff) with unicast MAC address for DHCP packets that are going from server
to wireless clients. The unicast MAC address is retrieved from CHADDR field in the DHCP payload. This
processing is applied for server to client packets such as DHCP OFFER, DHCP ACK, and DHCP NACK
messages. The ip dhcp snooping wireless bootp-broadcast enable can be used to revert this behavior. When
the wireless BOOTP broadcast is enabled, the broadcast DHCP packets from server are forwarded to wireless
clients without changing the destination MAC address.
Related Topics
Prerequisites for Configuring DHCP Snooping and Option 82, on page 1198
Note The DHCP option-82 feature is supported only when DHCP snooping is globally enabled on the VLANs
to which subscriber devices using option-82 are assigned.
The following illustration shows a metropolitan Ethernet network in which a centralized DHCP server assigns
IP addresses to subscribers connected to the switch at the access layer. Because the DHCP clients and their
associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent (the Catalyst
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1189
Information About DHCP
switch) is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages
between the clients and the server.
When you enable the DHCP snooping information option 82 on the switch, the following sequence of
events occurs:
• The host (DHCP client) generates a DHCP request and broadcasts it on the network.
• When the switch receives the DHCP request, it adds the option-82 information in the packet. By default,
the remote-ID suboption is the switch MAC address, and the circuit-ID suboption is the port identifier,
vlan-mod-port, from which the packet is received.You can configure the remote ID and circuit ID.
• If the IP address of the relay agent is configured, the switch adds this IP address in the DHCP packet.
• The switch forwards the DHCP request that includes the option-82 field to the DHCP server.
• The DHCP server receives the packet. If the server is option-82-capable, it can use the remote ID, the
circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP
addresses that can be assigned to a single remote ID or circuit ID. Then the DHCP server echoes the
option-82 field in the DHCP reply.
• The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch.
The switch verifies that it originally inserted the option-82 data by inspecting the remote ID and possibly
the circuit ID fields. The switch removes the option-82 field and forwards the packet to the switch port
that connects to the DHCP client that sent the DHCP request.
In the default suboption configuration, when the described sequence of events occurs, the values in these
fields do not change (see the illustration,Suboption Packet Formats):
• Circuit-ID suboption fields
◦Suboption type
◦Length of the suboption type
◦Circuit-ID type
◦Length of the circuit-ID type
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1190
Information About DHCP
In the port field of the circuit ID suboption, the port numbers start at 3. For example, on a switch with 24
10/100/1000 ports and four small form-factor pluggable (SFP) module slots, port 3 is the Gigabit Ethernet
1/0/1 port, port 4 is the Gigabit Ethernet 1/0/2 port, and so forth. Port 27 is the SFP module slot Gigabit
Ethernet1/0/25, and so forth.
The illustration, Suboption Packet Formats. shows the packet formats for the remote-ID suboption and the
circuit-ID suboption when the default suboption configuration is used. For the circuit-ID suboption, the module
number corresponds to the switch number in the stack. The switch uses the packet formats when you globally
enable DHCP snooping and enter the ip dhcp snooping information option global configuration command.
The illustration, User-Configured Suboption Packet Formats, shows the packet formats for user-configured
remote-ID and circuit-ID suboptions The switch uses these packet formats when DHCP snooping is globally
enabled and when the ip dhcp snooping information option format remote-id global configuration command
and theip dhcp snooping vlan information option format-type circuit-id string interface configuration
command are entered.
The values for these fields in the packets change from the default values when you configure the remote-ID
and circuit-ID suboptions:
• Circuit-ID suboption fields
◦The circuit-ID type is 1.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1191
Information About DHCP
◦The length values are variable, depending on the length of the string that you configure.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1192
Information About DHCP
agent stores the bindings in a file at a configured location. At the end of each entry is a checksum that accounts
for all the bytes from the start of the file through all the bytes associated with the entry. Each entry is 72 bytes,
followed by a space and then the checksum value.
To keep the bindings when the switch reloads, you must use the DHCP snooping database agent. If the agent
is disabled, dynamic ARP inspection or IP source guard is enabled, and the DHCP snooping binding database
has dynamic bindings, the switch loses its connectivity. If the agent is disabled and only DHCP snooping is
enabled, the switch does not lose its connectivity, but DHCP snooping might not prevent DHCP spoofing
attacks.
When reloading, the switch reads the binding file to build the DHCP snooping binding database. The switch
updates the file when the database changes.
When a switch learns of new bindings or when it loses bindings, the switch immediately updates the entries
in the database. The switch also updates the entries in the binding file. The frequency at which the file is
updated is based on a configurable delay, and the updates are batched. If the file is not updated in a specified
time (set by the write-delay and abort-timeout values), the update stops.
This is the format of the file with bindings:
<initial-checksum>
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
<entry-1> <checksum-1>
<entry-2> <checksum-1-2>
...
...
<entry-n> <checksum-1-2-..-n>
END
Each entry in the file is tagged with a checksum value that the switch uses to verify the entries when it reads
the file. The initial-checksum entry on the first line distinguishes entries associated with the latest file update
from entries associated with a previous file update.
This is an example of a binding file:
2bb4c2a1
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
192.1.168.1 3 0003.47d8.c91f 2BB6488E Gi1/0/4 21ae5fbb
192.1.168.3 3 0003.44d6.c52f 2BB648EB Gi1/0/4 1bdb223f
192.1.168.2 3 0003.47d9.c8f1 2BB648AB Gi1/0/4 584a38f0
END
When the switch starts and the calculated checksum value equals the stored checksum value, the switch reads
entries from the binding file and adds the bindings to its DHCP snooping binding database. The switch ignores
an entry when one of these situations occurs:
• The switch reads the entry and the calculated checksum value does not equal the stored checksum value.
The entry and the ones following it are ignored.
• An entry has an expired lease time (the switch might not remove a binding entry when the lease time
expires).
• The interface in the entry no longer exists on the system.
• The interface is a routed interface or a DHCP snooping-trusted interface.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1193
How to Configure DHCP Features
Checking the relay agent information Enabled (invalid messages are dropped)
DHCP relay agent forwarding policy Replace the existing relay agent information
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1194
How to Configure DHCP Features
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1195
How to Configure DHCP Features
Procedure
Example:
Switch# configure terminal
Step 3 service dhcp Enables the DHCP server and relay agent on
your switch. By default, this feature is enabled.
Example:
Switch(config)# service dhcp
Example:
Switch(config)# end
Example:
Switch# show running-config
What to Do Next
See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP
Configuration Guide, Release 12.4 for these procedures:
• Checking (validating) the relay agent information
• Configuring the relay agent forwarding policy
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1196
How to Configure DHCP Features
Procedure
Example:
Switch# configure terminal
Step 4 ip address ip-address subnet-mask Configures the interface with an IP address and an
IP subnet.
Example:
Switch(config-if)# ip address
192.108.1.27 255.255.255.0
Example:
Switch(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1197
How to Configure DHCP Features
Step 8 switchport mode access Defines the VLAN membership mode for the port.
Example:
Switch(config-if)# switchport mode
access
Step 9 switchport access vlan vlan-id Assigns the ports to the same VLAN as configured
in Step 2.
Example:
Switch(config-if)# switchport access
vlan 1
Example:
Switch(config-if)# end
Example:
Switch# show running-config
Step 12 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1198
How to Configure DHCP Features
• Before globally enabling DHCP snooping on the switch, make sure that the devices acting as the DHCP
server and the DHCP relay agent are configured and enabled.
• If you want the switch to respond to DHCP requests, it must be configured as a DHCP server.
• Before configuring the DHCP snooping information option on your switch, be sure to configure the
device that is acting as the DHCP server. You must specify the IP addresses that the DHCP server can
assign or exclude, or you must configure DHCP options for these devices.
• For DHCP snooping to function properly, all DHCP servers must be connected to the switch through
trusted interfaces. In a service-provider network, a trusted interface is connected to a port on a device
in the same network.
• You must configure the switch to use the Cisco IOS DHCP server binding database to use it for DHCP
snooping.
• To use the DHCP snooping option of accepting packets on untrusted inputs, the switch must be an
aggregation switch that receives packets with option-82 information from an edge switch.
• The following prerequisites apply to DHCP snooping binding database configuration:
◦You must configure a destination on the DHCP snooping binding database to use the switch for
DHCP snooping.
◦Because both NVRAM and the flash memory have limited storage capacity, we recommend that
you store the binding file on a TFTP server.
◦For network-based URLs (such as TFTP and FTP), you must create an empty file at the configured
URL before the switch can write bindings to the binding file at that URL. See the documentation
for your TFTP server to determine whether you must first create an empty file on the server; some
TFTP servers cannot be configured this way.
◦To ensure that the lease time in the database is accurate, we recommend that you enable and
configure Network Time Protocol (NTP).
◦If NTP is configured, the switch writes binding changes to the binding file only when the switch
system clock is synchronized with NTP.
• Before configuring the DHCP relay agent on your switch, make sure to configure the device that is
acting as the DHCP server. You must specify the IP addresses that the DHCP server can assign or
exclude, configure DHCP options for devices, or set up the DHCP database agent.
• If you want the switch to relay DHCP packets, the IP address of the DHCP server must be configured
on the switch virtual interface (SVI) of the DHCP client.
• If a switch port is connected to a DHCP server, configure a port as trusted by entering the ip dhcp
snooping trust interface configuration command.
• If a switch port is connected to a DHCP client, configure a port as untrusted by entering the no ip dhcp
snooping trust interface configuration command.
Related Topics
DHCP Snooping, on page 1188
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1199
How to Configure DHCP Features
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# ip dhcp snooping
Step 4 ip dhcp snooping vlan vlan-range Enables DHCP snooping on a VLAN or range of VLANs.
The range is 1 to 4094. You can enter a single VLAN ID
Example: identified by VLAN ID number, a series of VLAN IDs
separated by commas, a range of VLAN IDs separated by
Switch(config)# ip dhcp snooping hyphens, or a range of VLAN IDs separated by entering
vlan 10
the starting and ending VLAN IDs separated by a space.
• You can enter a single VLAN ID identified by VLAN
ID number, a series of VLAN IDs separated by
commas, a range of VLAN IDs separated by hyphens,
or a range of VLAN IDs separated by entering the
starting and ending VLAN IDs separated by a space.
Step 5 ip dhcp snooping information option Enables the switch to insert and remove DHCP relay
information (option-82 field) in forwarded DHCP request
Example: messages to the DHCP server. This is the default setting.
Step 6 ip dhcp snooping information option (Optional) Configures the remote-ID suboption.
format remote-id [string You can configure the remote ID as:
ASCII-string | hostname]
• String of up to 63 ASCII characters (no spaces)
Example: • Configured hostname for the switch
Switch(config)# ip dhcp snooping
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1200
How to Configure DHCP Features
Step 7 ip dhcp snooping information option (Optional) If the switch is an aggregation switch connected
allow-untrusted to an edge switch, this command enables the switch to
accept incoming DHCP snooping packets with option-82
Example: information from the edge switch.
Step 9 ip dhcp snooping vlan vlan (Optional) Configures the circuit-ID suboption for the
information option format-type specified interface.
circuit-id [override] string Specify the VLAN and port identifier, using a VLAN ID
ASCII-string in the range of 1 to 4094. The default circuit ID is the port
identifier, in the format vlan-mod-port.
Example:
You can configure the circuit ID to be a string of 3 to 63
Switch(config-if)# ip dhcp ASCII characters (no spaces).
snooping vlan 1 information
option format-type curcuit-id (Optional) Use the override keyword when you do not
override string ovrride2 want the circuit-ID suboption inserted in TLV format to
define subscriber information.
Step 10 ip dhcp snooping trust (Optional) Configures the interface as trusted or untrusted.
Use the no keyword to configure an interface to receive
Example: messages from an untrusted client. The default setting is
untrusted.
Switch(config-if)# ip dhcp
snooping trust
Step 11 ip dhcp snooping limit rate rate (Optional) Configures the number of DHCP packets per
second that an interface can receive. The range is 1 to 2048.
Example: By default, no rate limit is configured.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1201
How to Configure DHCP Features
Example:
Switch(config-if)# exit
Step 13 ip dhcp snooping verify (Optional) Configures the switch to verify that the source
mac-address MAC address in a DHCP packet received on untrusted
ports matches the client hardware address in the packet.
Example: The default is to verify that the source MAC address
matches the client hardware address in the packet.
Switch(config)# ip dhcp snooping
verify mac-address
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 16 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
show ip dhcp snooping Displays the DHCP snooping configuration for a switch
show ip dhcp snooping binding Displays only the dynamically configured bindings in the DHCP snooping
binding database, also referred to as a binding table.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1202
Configuring DHCP Server Port-Based Address Allocation
show ip dhcp snooping Displays the DHCP snooping binding database status and statistics.
database
show ip dhcp snooping Displays the DHCP snooping statistics in summary or detail form.
statistics
show ip source binding Display the dynamically and statically configured bindings.
Note If DHCP snooping is enabled and an interface changes to the down state, the switch does not delete the
statically configured bindings.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1203
Configuring DHCP Server Port-Based Address Allocation
• To restrict assignments from the DHCP pool to preconfigured reservations (unreserved addresses are
not offered to the client and other clients are not served by the pool), you can enter the reserved-only
DHCP pool configuration command.
Procedure
Example:
Switch# configure terminal
Step 3 ip dhcp snooping database Specifies the URL for the database agent or the
{flash[number]:/filename | binding file by using one of these forms:
ftp://user:password@host/filename |
http://[[username:password]@]{hostname • flash[number]:/filename
| host-ip}[/directory] /image-name.tar | (Optional) Use the number parameter to specify
rcp://user@host/filename}| the stack member number of the stack master.
tftp://host/filename The range for number is 1 to 9.
• ftp://user:password@host/filename
Example:
• http://[[username:password]@]{hostname |
Switch(config)# ip dhcp snooping
database
host-ip}[/directory] /image-name.tar
tftp://10.90.90.90/snooping-rp2
• rcp://user@host/filename
• tftp://host/filename
Step 4 ip dhcp snooping database timeout seconds Specifies (in seconds) how long to wait for the
database transfer process to finish before stopping
Example: the process.
Switch(config)# ip dhcp snooping The default is 300 seconds. The range is 0 to 86400.
database timeout 300 Use 0 to define an infinite duration, which means to
continue trying the transfer indefinitely.
Step 5 ip dhcp snooping database write-delay Specifies the duration for which the transfer should
seconds be delayed after the binding database changes. The
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1204
Configuring DHCP Server Port-Based Address Allocation
Example:
Switch(config)# end
Step 7 ip dhcp snooping binding mac-address vlan (Optional) Adds binding entries to the DHCP
vlan-id ip-address interface interface-id snooping binding database. The vlan-id range is from
expiry seconds 1 to 4904. The seconds range is from 1 to
4294967295.
Example: Enter this command for each entry that you add.
Switch# ip dhcp snooping binding Use this command when you are testing or
0001.1234.1234 vlan 1 172.20.50.5
interface gi1/1 expiry 1000
debugging the switch.
Step 8 show ip dhcp snooping database [detail] Displays the status and statistics of the DHCP
snooping binding database agent.
Example:
Switch# show ip dhcp snooping database
detail
Example:
Switch# show running-config
Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1205
Configuring DHCP Server Port-Based Address Allocation
Procedure
Example:
Switch# configure terminal
Step 3 ip dhcp use subscriber-id client-id Configures the DHCP server to globally use the
subscriber identifier as the client identifier on all
Example: incoming DHCP messages.
Step 6 ip dhcp server use subscriber-id client-id Configures the DHCP server to use the subscriber
identifier as the client identifier on all incoming
Example: DHCP messages on the interface.
Example:
Switch(config)# end
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1206
Configuring DHCP Server Port-Based Address Allocation
What to Do Next
After enabling DHCP port-based address allocation on the switch, use the ip dhcp pool global configuration
command to preassign IP addresses and to associate them to clients.
Command Purpose
show interface interface id Displays the status and configuration of a specific interface.
show ip dhcp binding Displays address bindings on the Cisco IOS DHCP server.
Additional References
Related Documents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1207
Configuring DHCP Server Port-Based Address Allocation
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1208
Configuring DHCP Server Port-Based Address Allocation
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1209
Configuring DHCP Server Port-Based Address Allocation
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1210
CHAPTER 56
Configuring IP Source Guard
IP Source Guard (IPSG) is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by
filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings.
This chapter contains the following topics:
IP Source Guard
You can use IP source guard to prevent traffic attacks if a host tries to use the IP address of its neighbor and
you can enable IP source guard when DHCP snooping is enabled on an untrusted interface.
After IPSG is enabled on an interface, the switch blocks all IP traffic received on the interface except for
DHCP packets allowed by DHCP snooping.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1211
Information About IP Source Guard
The switch uses a source IP lookup table in hardware to bind IP addresses to ports. For IP and MAC filtering,
a combination of source IP and source MAC lookups are used. IP traffic with a source IP address is the binding
table is allowed, all other traffic is denied.
The IP source binding table has bindings that are learned by DHCP snooping or are manually configured
(static IP source bindings). An entry in this table has an IP address, its associated MAC address, and its
associated VLAN number. The switch uses the IP source binding table only when IP source guard is enabled.
IPSG is supported only on Layer 2 ports, including access and trunk ports. You can configure IPSG with
source IP address filtering or with source IP and MAC address filtering.
Note Do not use IPSG (IP source guard) for static hosts on uplink ports or trunk ports.
IPSG for static hosts extends the IPSG capability to non-DHCP and static environments. The previous IPSG
used the entries created by DHCP snooping to validate the hosts connected to a switch. Any traffic received
from a host without a valid DHCP binding entry is dropped. This security feature restricts IP traffic on
nonrouted Layer 2 interfaces. It filters traffic based on the DHCP snooping binding database and on manually
configured IP source bindings. The previous version of IPSG required a DHCP environment for IPSG to
work.
IPSG for static hosts allows IPSG to work without DHCP. IPSG for static hosts relies on IP device tracking-table
entries to install port ACLs. The switch creates static entries based on ARP requests or other IP packets to
maintain the list of valid hosts for a given port. You can also specify the number of hosts allowed to send
traffic to a given port. This is equivalent to port security at Layer 3.
IPSG for static hosts also supports dynamic hosts. If a dynamic host receives a DHCP-assigned IP address
that is available in the IP DHCP snooping table, the same entry is learned by the IP device tracking table. In
a stacked environment, when the master failover occurs, the IP source guard entries for static hosts attached
to member ports are retained. When you enter the show ip device tracking all EXEC command, the IP device
tracking table displays the entries as ACTIVE.
Note Some IP hosts with multiple network interfaces can inject some invalid packets into a network interface.
The invalid packets contain the IP or MAC address for another network interface of the host as the source
address. The invalid packets can cause IPSG for static hosts to connect to the host, to learn the invalid IP
or MAC address bindings, and to reject the valid bindings. Consult the vender of the corresponding
operating system and the network interface to prevent the host from injecting invalid packets.
IPSG for static hosts initially learns IP or MAC bindings dynamically through an ACL-based snooping
mechanism. IP or MAC bindings are learned from static hosts by ARP and IP packets. They are stored in the
device tracking database. When the number of IP addresses that have been dynamically learned or statically
configured on a given port reaches a maximum, the hardware drops any packet with a new IP address. To
resolve hosts that have moved or gone away for any reason, IPSG for static hosts leverages IP device tracking
to age out dynamically learned IP address bindings. This feature can be used with DHCP snooping. Multiple
bindings are established on a port that is connected to both DHCP and static hosts. For example, bindings are
stored in both the device tracking database as well as in the DHCP snooping binding database.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1212
How to Configure IP Source Guard
• When IP source guard with source IP filtering is enabled on an interface, DHCP snooping must be
enabled on the access VLAN for that interface.
• If you are enabling IP source guard on a trunk interface with multiple VLANs and DHCP snooping is
enabled on all the VLANs, the source IP address filter is applied on all the VLANs.
Note If IP source guard is enabled and you enable or disable DHCP snooping on a VLAN on
the trunk interface, the switch might not properly filter traffic.
• You can enable this feature when 802.1x port-based authentication is enabled.
• When you configure IP source guard smart logging, packets with a source address other than the specified
address or an address learned by DHCP are denied, and the packet contents are sent to a NetFlow
collector. If you configure this feature, make sure that smart logging is globally enabled.
• In a switch stack, if IP source guard is configured on a stack member interface and you remove the the
configuration of that switch by entering the no switch stack-member-number provision global
configuration command, the interface static bindings are removed from the binding table, but they are
not removed from the running configuration. If you again provision the switch by entering the switch
stack-member-number provision command, the binding is restored.
To remove the binding from the running configuration, you must disable IP source guard before entering
the no switch provision command. The configuration is also removed if the switch reloads while the
interface is removed from the binding table.
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1213
How to Configure IP Source Guard
Example:
Switch# configure terminal
Step 4 ip verify source [mac-check ] Enables IP source guard with source IP address
filtering.
Example: (Optional) mac-check—Enables IP Source
Switch(config-if)# ip verify source
Guard with source IP address and MAC
address filtering.
Example:
Switch(config-if)# exit
Step 6 ip source binding mac-address vlan vlan-id Adds a static IP source binding.
ip-address interface interface-id Enter this command for each static binding.
Example:
Switch(config)# ip source binding
0100.0230.0002 vlan 11 10.0.0.4
interface gigabitethernet1/0/1
Example:
Switch(config)# end
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1214
How to Configure IP Source Guard
Procedure
Example:
Switch# configure terminal
Step 3 ip device tracking Turns on the IP host table, and globally enables IP
device tracking.
Example:
Switch(config)# ip device tracking
Example:
Switch(config)# interface
gigabitethernet 1/0/1
Example:
Switch(config-if)# switchport mode
access
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1215
Monitoring IP Source Guard
Example:
Switch(config-if)# switchport access
vlan 10
Step 7 ip verify source[tracking] [mac-check ] Enables IP source guard with source IP address
filtering.
Example: (Optional) tracking—Enables IP source guard for
Switch(config-if)# ip verify source
tracking mac-check static hosts.
(Optional) mac-check—Enables MAC address
filtering.
The command ip verify source tracking
mac-checkenables IP source guard for static hosts
with MAC address filtering.
Step 8 ip device tracking maximum number Establishes a maximum limit for the number of static
IPs that the IP device tracking table allows on the
Example: port. The range is 1to 10. The maximum number is
10.
Switch(config-if)# ip device
tracking maximum 8 Note You must configure the ip device tracking
maximum limit-number interface
configuration command.
Step 9 end Returns to privileged EXEC mode.
Example:
Switch(config)# end
Command Purpose
show ip verify source [ interface interface-id ] Displays the IP source guard configuration on the
switch or on a specific interface.
show ip device tracking { all | interface interface-id Displays information about the entries in the IP device
| ip ip-address | mac imac-address} tracking table.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1216
Additional References
Command Purpose
ip verify source tracking Verifies the data source.
For detailed information about the fields in these displays, see the command reference for this release.
Additional References
Error Message Decoder
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1217
Additional References
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1218
CHAPTER 57
Configuring Dynamic ARP Inspection
• Finding Feature Information, page 1219
• Restrictions for Dynamic ARP Inspection, page 1219
• Understanding Dynamic ARP Inspection, page 1221
• Default Dynamic ARP Inspection Configuration, page 1224
• Relative Priority of ARP ACLs and DHCP Snooping Entries, page 1225
• Configuring ARP ACLs for Non-DHCP Environments , page 1225
• Configuring Dynamic ARP Inspection in DHCP Environments, page 1227
• Limiting the Rate of Incoming ARP Packets, page 1230
• Performing Dynamic ARP Inspection Validation Checks, page 1231
• Monitoring DAI, page 1233
• Verifying the DAI Configuration, page 1233
• Additional References, page 1234
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1219
Restrictions for Dynamic ARP Inspection
• Dynamic ARP inspection is not effective for hosts connected to switches that do not support dynamic
ARP inspection or that do not have this feature enabled. Because man-in-the-middle attacks are limited
to a single Layer 2 broadcast domain, separate the domain with dynamic ARP inspection checks from
the one with no checking. This action secures the ARP caches of hosts in the domain enabled for dynamic
ARP inspection.
• Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify
IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP
snooping to permit ARP packets that have dynamically assigned IP addresses.
When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny
packets.
• Dynamic ARP inspection is supported on access ports, trunk ports, and EtherChannel ports.
Note Do not enable Dynamic ARP inspection on RSPAN VLANs. If Dynamic ARP inspection
is enabled on RSPAN VLANs, Dynamic ARP inspection packets might not reach the
RSPAN destination port.
• A physical port can join an EtherChannel port channel only when the trust state of the physical port and
the channel port match. Otherwise, the physical port remains suspended in the port channel. A port
channel inherits its trust state from the first physical port that joins the channel. Consequently, the trust
state of the first physical port need not match the trust state of the channel.
Conversely, when you change the trust state on the port channel, the switch configures a new trust state
on all the physical ports that comprise the channel.
• The rate limit is calculated separately on each switch in a switch stack. For a cross-stack EtherChannel,
this means that the actual rate limit might be higher than the configured value. For example, if you set
the rate limit to 30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2, each
port can receive packets at 29 pps without causing the EtherChannel to become error-disabled.
• The operating rate for the port channel is cumulative across all the physical ports within the channel.
For example, if you configure the port channel with an ARP rate-limit of 400 pps, all the interfaces
combined on the channel receive an aggregate 400 pps. The rate of incoming ARP packets on
EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel members.
Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets
on the channel-port members.
The rate of incoming packets on a physical port is checked against the port-channel configuration rather
than the physical-ports configuration. The rate-limit configuration on a port channel is independent of
the configuration on its physical ports.
If the EtherChannel receives more ARP packets than the configured rate, the channel (including all
physical ports) is placed in the error-disabled state.
• Make sure to limit the rate of ARP packets on incoming trunk ports. Configure trunk ports with higher
rates to reflect their aggregation and to handle packets across multiple dynamic ARP inspection-enabled
VLANs. You also can use the ip arp inspection limit none interface configuration command to make
the rate unlimited. A high rate-limit on one VLAN can cause a denial-of-service attack to other VLANs
when the software places the port in the error-disabled state.
• When you enable dynamic ARP inspection on the switch, policers that were configured to police ARP
traffic are no longer effective. The result is that all ARP traffic is sent to the CPU.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1220
Understanding Dynamic ARP Inspection
• In the presence of vlan-bridging & IP device tracking, the cross-stack ARP packet forwarding will not
work.
Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet.
Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC
address MA. When Host A needs to communicate to Host B at the IP layer, it broadcasts an ARP request for
the MAC address associated with IP address IB. When the switch and Host B receive the ARP request, they
populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA;
for example, IP address IA is bound to MAC address MA. When Host B responds, the switch and Host A
populate their ARP caches with a binding for a host with the IP address IB and the MAC address MB.
Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged ARP responses
with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned
ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB. This
means that Host C intercepts that traffic. Because Host C knows the true MAC addresses associated with IA
and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination.
Host C has inserted itself into the traffic stream from Host A to Host B, the classic man-in-the middleattack.
Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs,and
discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from
certain man-in-the-middle attacks.
Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The switch performs
these activities:
• Intercepts all ARP requests and responses on untrusted ports
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1221
Understanding Dynamic ARP Inspection
• Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating
the local ARP cache or before forwarding the packet to the appropriate destination
• Drops invalid ARP packets
Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings
stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping
if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted
interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards
the packet only if it is valid.
You enable dynamic ARP inspection on a per-VLAN basis by using the ip arp inspection vlan vlan-range
global configuration command.
In non-DHCP environments, dynamic ARP inspection can validate ARP packets against user-configured ARP
access control lists (ACLs) for hosts with statically configured IP addresses. You define an ARP ACL by
using the arp access-list acl-name global configuration command.
You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are
invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in
the Ethernet header. Use the ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration
command.
Caution Use the trust state configuration carefully. Configuring interfaces as untrusted when they should betrusted
can result in a loss of connectivity.
In the following figure, assume that both Switch A and Switch B are running dynamic ARP inspection on the
VLAN that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server
connected to Switch A, only Switch A binds the IP-to-MAC address of Host 1. Therefore, if the interface
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1222
Understanding Dynamic ARP Inspection
between Switch A and Switch B is untrusted, the ARP packets from Host 1 are dropped by Switch B.
Connectivity between Host 1 and Host 2 is lost.
Figure 89: ARP Packet Validation on a VLAN Enabled for Dynamic ARP Inspection
Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the network. If
Switch A is not running dynamic ARP inspection, Host 1 can easily poison the ARP cache of Switch B (and
Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch
B is running dynamic ARP inspection.
Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic
ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection
does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected
to a switch running dynamic ARP inspection.
In cases in which some switches in a VLAN run dynamic ARP inspection and other switches do not, configure
the interfaces connecting such switches as untrusted. However, to validate the bindings of packets from
nondynamic ARP inspection switches, configure the switch running dynamic ARP inspection with ARP
ACLs. When you cannot determine such bindings, at Layer 3, isolate switches running dynamic ARP inspection
from switches not running dynamic ARP inspection switches.
Note Depending on the setup of the DHCP server and the network, it might not be possible to validate a given
ARP packet on all switches in the VLAN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1223
Default Dynamic ARP Inspection Configuration
Note The rate limit for an EtherChannel is applied separately to each switch in a stack. For example, if a limit
of 20 pps is configured on the EtherChannel, each switch with ports in the EtherChannel can carry up to
20 pps. If any switch exceeds the limit, the entire EtherChannel is placed into the error-disabled state.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1224
Relative Priority of ARP ACLs and DHCP Snooping Entries
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1225
Configuring ARP ACLs for Non-DHCP Environments
Example:
Switch# configure terminal
Step 3 arp access-list acl-name Defines an ARP ACL, and enters ARP access-list configuration
mode. By default, no ARP access lists are defined.
Note At the end of the ARP access list, there is an implicit
deny ip any mac any command.
Step 4 permit ip host sender-ip mac Permits ARP packets from the specified host (Host 2).
host sender-mac
• Forsender-ip, enter the IP address of Host 2.
• For sender-mac, enter the MAC address of Host 2.
Step 6 ip arp inspection filter Applies ARP ACL to the VLAN. By default, no defined ARP
arp-acl-name vlan vlan-range ACLs are applied to any VLAN.
[static]
• For arp-acl-name, specify the name of the ACL created in
Step 2.
• For vlan-range, specify the VLAN that the switches and
hosts are in. You can specify a single VLAN identified by
VLAN ID number, a range of VLANs separated by a
hyphen, or a series of VLANs separated by a comma. The
range is 1 to 4094.
• (Optional) Specify static to treat implicit denies in the ARP
ACL as explicit denies and to drop packets that do not
match any previous clauses in the ACL. DHCP bindings
are not used.
If you do not specify this keyword, it means that there is
no explicit deny in the ACL that denies the packet, and
DHCP bindings determine whether a packet is permitted
or denied if the packet does not match any clauses in the
ACL.
Step 7 interface interface-id Specifies Switch A interface that is connected to Switch B, and
enters the interface configuration mode.
Step 8 no ip arp inspection trust Configures Switch A interface that is connected to Switch B as
untrusted.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1226
Configuring Dynamic ARP Inspection in DHCP Environments
Example:
Switch# show running-config
Step 12 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1227
Configuring Dynamic ARP Inspection in DHCP Environments
Note Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify
IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP
snooping to permit ARP packets that have dynamically assigned IP addresses.
Follow these steps to configure dynamic ARP inspection. You must perform this procedure on both switches.
This procedure is required.
Procedure
Step 2 show cdp neighbors Verify the connection between the switches.
Example:
Switch(config-if)#show cdp
neighbors
Example:
Switch# configure terminal
Step 4 ip arp inspection vlan vlan-range Enable dynamic ARP inspection on a per-VLAN basis.
By default, dynamic ARP inspection is disabled on all
Example: VLANs. For vlan-range, specify a single VLAN
Switch(config)# ip arp inspection identified by VLAN ID number, a range of VLANs
vlan 1 separated by a hyphen, or a series of VLANs separated
by a comma. The range is 1 to 4094. Specify the same
VLAN ID for both switches.
Step 6 ip arp inspection trust Configures the connection between the switches as
trusted. By default, all interfaces are untrusted.
Example: The switch does not check ARP packets that it receives
Switch(config-if)#ip arp
inspection trust
from the other switch on the trusted interface. It simply
forwards the packets.
For untrusted interfaces, the switch intercepts all ARP
requests and responses. It verifies that the intercepted
packets have valid IP-to-MAC address bindings before
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1228
Configuring Dynamic ARP Inspection in DHCP Environments
Example:
Switch(config-if)#end
Step 8 show ip arp inspection interfaces Verifies the dynamic ARP inspection configuration on
interfaces.
Example:
Step 9 show ip arp inspection vlan vlan-range Verifies the dynamic ARP inspection configuration on
VLAN.
Example:
Switch(config-if)#show ip arp
inspection vlan 1
Example:
Switch(config-if)#show ip dhcp
snooping binding
Step 11 show ip arp inspection statistics vlan Checks the dynamic ARP inspection statistics on
vlan-range VLAN.
Example:
Switch(config-if)#show ip arp
inspection statistics vlan 1
Example:
Switch# configure terminal
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1229
Limiting the Rate of Incoming ARP Packets
Note Unless you configure a rate limit on an interface, changing the trust state of the interface also changes its
rate limit to the default value for that trust state. After you configure the rate limit, the interface retains
the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface
configuration command, the interface reverts to its default rate limit.
Follow these steps to limit the rate of incoming ARP packets. This procedure is optional.
Procedure
Example:
Switch# configure terminal
Step 4 ip arp inspection limit {rate pps Limits the rate of incoming ARP requests and responses
[burst interval seconds] | none} on the interface. The default rate is 15 pps on untrusted
interfaces and unlimited on trusted interfaces. The burst
interval is 1 second.
The keywords have these meanings:
• For ratepps, specify an upper limit for the number
of incoming packets processed per second. The range
is 0 to 2048 pps.
• (Optional) For burst intervalseconds, specify the
consecutive interval in seconds, over which the
interface is monitored for a high rate of ARP
packets. The range is 1 to 15.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1230
Performing Dynamic ARP Inspection Validation Checks
Step 6 Use the following commands: (Optional) Enables error recovery from the dynamic ARP
inspection error-disabled state, and configure the dynamic
• errdisable detect cause ARP inspection recover mechanism variables.
arp-inspection
By default, recovery is disabled, and the recovery interval
• errdisable recovery cause is 300 seconds.
arp-inspection
For interval interval, specify the time in seconds to
• errdisable recovery interval recover from the error-disabled state. The range is 30 to
interval 86400.
Example:
Switch# show running-config
Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1231
Performing Dynamic ARP Inspection Validation Checks
Procedure
Example:
Switch> enable
Example:
Switch# configure terminal
Step 3 ip arp inspection validate Performs a specific check on incoming ARP packets. By default,
{[src-mac] [dst-mac] [ip]} no checks are performed.
The keywords have these meanings:
• For src-mac, check the source MAC address in the Ethernet
header against the sender MAC address in the ARP body.
This check is performed on both ARP requests and responses.
When enabled, packets with different MAC addresses are
classified as invalid and are dropped.
• For dst-mac, check the destination MAC address in the
Ethernet header against the target MAC address in ARP
body. This check is performed for ARP responses. When
enabled, packets with different MAC addresses are classified
as invalid and are dropped.
• For ip, check the ARP body for invalid and unexpected IP
addresses. Addresses include 0.0.0.0, 255.255.255.255, and
all IP multicast addresses. Sender IP addresses are checked
in all ARP requests and responses, and target IP addresses
are checked only in ARP responses.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1232
Monitoring DAI
Example:
Switch# show
running-config
Step 7 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy
running-config
startup-config
Monitoring DAI
To monitor DAI, use the following commands:
Command Description
clear ip arp inspection statistics Clears dynamic ARP inspection statistics.
show ip arp inspection statistics [vlan vlan-range] Displays statistics for forwarded, dropped, MAC
validation failure, IP validation failure, ACL permitted
and denied, and DHCP permitted and denied packets
for the specified VLAN. If no VLANs are specified
or if a range is specified, displays information only
for VLANs with dynamic ARP inspection enabled
(active).
clear ip arp inspection log Clears the dynamic ARP inspection log buffer.
show ip arp inspection log Displays the configuration and contents of the
dynamic ARP inspection log buffer.
For the show ip arp inspection statistics command, the switch increments the number of forwarded packets
for each ARP request and response packet on a trusted dynamic ARP inspection port. The switch increments
the number of ACL or DHCP permitted packets for each packet that is denied by source MAC, destination
MAC, or IP validation checks, and the switch increments the appropriate.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1233
Additional References
Command Description
show arp access-list [acl-name] Displays detailed information about ARP ACLs.
show ip arp inspection interfaces [interface-id] Displays the trust state and the rate limit of ARP
packets for the specified interface or all interfaces.
show ip arp inspection vlan vlan-range Displays the configuration and the operating state of
dynamic ARP inspection for the specified VLAN. If
no VLANs are specified or if a range is specified,
displays information only for VLANs with dynamic
ARP inspection enabled (active).
Additional References
Error Message Decoder
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1234
Additional References
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1235
Additional References
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1236
CHAPTER 58
Configuring IEEE 802.1x Port-Based
Authentication
This chapter describes how to configure IEEE 802.1x port-based authentication. IEEE 802.1x authentication
prevents unauthorized devices (clients) from gaining access to the network. Unless otherwise noted, the term
switch refers to a standalone switch or a switch stack.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1237
Information About 802.1x Port-Based Authentication
Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over
LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port
to which the client is connected. After authentication is successful, normal traffic can pass through the port.
Note For complete syntax and usage information for the commands used in this chapter, see the “RADIUS
Commands” section in the Cisco IOS Security Command Reference, Release 3SE
If Multi Domain Authentication (MDA) is enabled on a port, this flow can be used with some exceptions that
are applicable to voice authorization.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1238
Information About 802.1x Port-Based Authentication
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1239
Information About 802.1x Port-Based Authentication
• You manually re-authenticate the client by entering the dot1x re-authenticate interface interface-id
privileged EXEC command.
Note If 802.1x authentication is not enabled or supported on the network access device, any EAPOL frames
from the client are dropped. If the client does not receive an EAP-request/identity frame after three attempts
to start authentication, the client sends frames as if the port is in the authorized state. A port in the authorized
state effectively means that the client has been successfully authenticated.
When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames between
the client and the authentication server until authentication succeeds or fails. If the authentication succeeds,
the switch port becomes authorized. If the authentication fails, authentication can be retried, the port might
be assigned to a VLAN that provides limited services, or network access is not granted.
The specific exchange of EAP frames depends on the authentication method being used.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1240
Information About 802.1x Port-Based Authentication
This figure shows a message exchange initiated by the client when the client uses the One-Time-Password
(OTP) authentication method with a RADIUS server.
Figure 91: Message Exchange
If 802.1x authentication times out while waiting for an EAPOL message exchange and MAC authentication
bypass is enabled, the switch can authorize the client when the switch detects an Ethernet packet from the
client. The switch uses the MAC address of the client as its identity and includes this information in the
RADIUS-access/request frame that is sent to the RADIUS server. After the server sends the switch the
RADIUS-access/accept frame (authorization is successful), the port becomes authorized. If authorization fails
and a guest VLAN is specified, the switch assigns the port to the guest VLAN. If the switch detects an EAPOL
packet while waiting for an Ethernet packet, the switch stops the MAC authentication bypass process and
starts 802.1x authentication.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1241
Information About 802.1x Port-Based Authentication
This figure shows the message exchange during MAC authentication bypass.
Figure 92: Message Exchange During MAC Authentication Bypass
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1242
Information About 802.1x Port-Based Authentication
NAC Layer 2 IP validation Filter-Id attribute Filter-Id attribute Filter-Id attribute Filter-Id attribute
Downloadable Downloadable Downloadable Downloadable
ACL ACL ACL ACL
Redirect URL Redirect URL Redirect URL Redirect URL
Web authentication as fallback Proxy ACL Proxy ACL Proxy ACL Proxy ACL
method16 Filter-Id attribute Filter-Id attribute Filter-Id attribute Filter-Id attribute
Downloadable Downloadable Downloadable Downloadable
ACL ACL ACL ACL
Note You can only set any as the source in the ACL.
Note For any ACL configured for multiple-host mode, the source portion of statement must be any. (For example,
permit icmp any host 10.10.1.1.)
You must specify any in the source ports of any defined ACL. Otherwise, the ACL cannot be applied and
authorization fails. Single host is the only exception to support backward compatibility.
More than one host can be authenticated on MDA-enabled and multiauth ports. The ACL policy applied for
one host does not effect the traffic of another host. If only one host is authenticated on a multi-host port, and
the other hosts gain network access without authentication, the ACL policy for the first host can be applied
to the other connected hosts by specifying any in the source address.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1243
Information About 802.1x Port-Based Authentication
Note If 802.1x authentication is globally disabled, other authentication methods are still enabled on that port,
such as web authentication.
The authentication manager commands provide the same functionality as earlier 802.1x commands.
When filtering out verbose system messages generated by the authentication manager, the filtered content
typically relates to authentication success. You can also filter verbose messages for 802.1x authentication and
MAB authentication. There is a separate command for each authentication method:
• The no authentication logging verbose global configuration command filters verbose messages from
the authentication manager.
• The no dot1x logging verbose global configuration command filters 802.1x authentication verbose
messages.
• The no mab logging verbose global configuration command filters MAC authentication bypass (MAB)
verbose messages
authentication event dot1x auth-fail vlan Enable the restricted VLAN on a port.
dot1x critical (interface Enable the
configuration) inaccessible-authentication-bypass feature.
dot1x guest-vlan6 Specify an active VLAN as an 802.1x guest
VLAN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1244
Information About 802.1x Port-Based Authentication
authentication host-mode dot1x host-mode {single-host Allow a single host (client) or multiple hosts
[multi-auth | multi-domain | | multi-host | multi-domain} on an 802.1x-authorized port.
multi-host | single-host]
authentication port-control dot1x port-control {auto | Enable manual control of the authorization
{auto | force-authorized | force-authorized | state of the port.
force-un authorized} force-unauthorized}
authentication violation dot1x violation-mode Configure the violation modes that occur
{protect | restrict | shutdown} {shutdown | restrict | when a new device connects to a port or
protect} when a new device connects to a port after
the maximum number of devices are
connected to that port.
Note CDP bypass is not supported and may cause a port to go into err-disabled state.
If a client that does not support 802.1x authentication connects to an unauthorized 802.1x port, the switch
requests the client’s identity. In this situation, the client does not respond to the request, the port remains in
the unauthorized state, and the client is not granted access to the network.
In contrast, when an 802.1x-enabled client connects to a port that is not running the 802.1x standard, the client
initiates the authentication process by sending the EAPOL-start frame. When no response is received, the
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1245
Information About 802.1x Port-Based Authentication
client sends the request for a fixed number of times. Because no response is received, the client begins sending
frames as if the port is in the authorized state.
You control the port authorization state by using the authentication port-control interface configuration
command and these keywords:
• force-authorized—disables 802.1x authentication and causes the port to change to the authorized state
without any authentication exchange required. The port sends and receives normal traffic without
802.1x-based authentication of the client. This is the default setting.
• force-unauthorized—causes the port to remain in the unauthorized state, ignoring all attempts by the
client to authenticate. The switch cannot provide authentication services to the client through the port.
• auto—enables 802.1x authentication and causes the port to begin in the unauthorized state, allowing
only EAPOL frames to be sent and received through the port. The authentication process begins when
the link state of the port changes from down to up or when an EAPOL-start frame is received. The switch
requests the identity of the client and begins relaying authentication messages between the client and
the authentication server. Each client attempting to access the network is uniquely identified by the
switch by using the client MAC address.
If the client is successfully authenticated (receives an Accept frame from the authentication server), the port
state changes to authorized, and all frames from the authenticated client are allowed through the port. If the
authentication fails, the port remains in the unauthorized state, but authentication can be retried. If the
authentication server cannot be reached, the switch can resend the request. If no response is received from
the server after the specified number of attempts, authentication fails, and network access is not granted.
When a client logs off, it sends an EAPOL-logoff message, causing the switch port to change to the unauthorized
state.
If the link state of a port changes from up to down, or if an EAPOL-logoff frame is received, the port returns
to the unauthorized state.
If the switch that failed comes up and rejoins the switch stack, the authentications might or might not fail
depending on the boot-up time and whether the connectivity to the RADIUS server is re-established by the
time the authentication is attempted.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1246
Information About 802.1x Port-Based Authentication
To avoid loss of connectivity to the RADIUS server, you should ensure that there is a redundant connection
to it. For example, you can have a redundant connection to the stack master and another to a stack member,
and if the stack master fails, the switch stack still has connectivity to the RADIUS server.
Note For all host modes, the line protocol stays up before authorization when port-based authentication is
configured.
The switch supports multidomain authentication (MDA), which allows both a data device and a voice device,
such as an IP Phone (Cisco or non-Cisco), to connect to the same switch port.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1247
Information About 802.1x Port-Based Authentication
Note When a port is in multiple-authentication mode, the guest VLAN and the authentication-failed VLAN
features do not activate.
You can assign a RADIUS-server-supplied VLAN in multi-auth mode, under the following conditions:
• The host is the first host authorized on the port, and the RADIUS server supplies VLAN information
• Subsequent hosts are authorized with a VLAN that matches the operational VLAN.
• A host is authorized on the port with no VLAN assignment, and subsequent hosts either have no VLAN
assignment, or their VLAN information matches the operational VLAN.
• The first host authorized on the port has a group VLAN assignment, and subsequent hosts either have
no VLAN assignment, or their group VLAN matches the group VLAN on the port. Subsequent hosts
must use the same VLAN from the VLAN group as the first host. If a VLAN list is used, all hosts are
subject to the conditions specified in the VLAN list.
• Only one voice VLAN assignment is supported on a multi-auth port.
• After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information
or be denied access to the port.
• You cannot configure a guest VLAN or an auth-fail VLAN in multi-auth mode.
• The behavior of the critical-auth VLAN is not changed for multi-auth mode. When a host tries to
authenticate and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN.
Note This feature is supported only on Catalyst 2960X switches running the LAN base image
The Multi-auth Per User VLAN assignment feature allows you to create multiple operational access VLANs
based on VLANs assigned to the clients on the port that has a single configured access VLAN. The port
configured as an access port where the traffic for all the VLANs associated with data domain is not dot1q
tagged, and these VLANs are treated as native VLANs.
The number of hosts per multi-auth port is 8, however there can be more hosts.
Note The Multi-auth Per User VLAN assignment feature is not supported for Voice domain. All clients in Voice
domain on a port must use the same VLAN.
The following scenarios are associated with the multi-auth Per User VLAN assignments:
Scenario one
When a hub is connected to an access port, and the port is configured with an access VLAN (V0).
The host (H1) is assigned to VLAN (V1) through the hub. The operational VLAN of the port is changed to
V1. This behaviour is similar on a single-host or multi-domain-auth port.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1248
Information About 802.1x Port-Based Authentication
When a second host (H2) is connected and gets assigned to VLAN ( V2), the port will have two operational
VLANs (V1 and V2). If H1 and H2 sends untagged ingress traffic, H1 traffic is mapped to VLAN (V1) and
H2 traffic to VLAN (V2), all egress traffic going out of the port on VLAN (V1) and VLAN (V2) are untagged.
If both the hosts, H1 and H2 are logged out or the sessions are removed due to some reason then VLAN (V1)
and VLAN (V2) are removed from the port, and the configured VLAN (V0) is restored on the port.
Scenario two
When a hub is connected to an access port, and the port is configured with an access VLAN (V0). The host
(H1) is assigned to VLAN (V1) through the hub. The operational VLAN of the port is changed to V1.
When a second host (H2) is connected and gets authorized without explicit vlan policy, H2 is expected to use
the configured VLAN (V0) that is restored on the port. A ll egress traffic going out of two operational VLANs,
VLAN (V0) and VLAN (V1) are untagged.
If host (H2 ) is logged out or the session is removed due to some reason then the configured VLAN (V0) is
removed from the port, and VLAN (V1) becomes the only operational VLAN on the port.
Scenario three
When a hub is connected to an access port in open mode, and the port is configured with an access VLAN
(V0) .
The host (H1) is assigned to VLAN (V1) through the hub. The operational VLAN of the port is changed to
V1. When a second host (H2) is connected and remains unauthorized, it still has access to operational VLAN
(V1) due to open mode.
If host H1 is logged out or the session is removed due to some reason, VLAN (V1) is removed from the port
and host (H2) gets assigned to VLAN (V0).
Note The combination of Open mode and VLAN assignment has an adverse affect on host (H2) because it has
an IP address in the subnet that corresponds to VLAN (V1).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1249
Information About 802.1x Port-Based Authentication
MAC Move
When a MAC address is authenticated on one switch port, that address is not allowed on another authentication
manager-enabled port of the switch. If the switch detects that same MAC address on another authentication
manager-enabled port, the address is not allowed.
There are situations where a MAC address might need to move from one port to another on the same switch.
For example, when there is another device (for example a hub or an IP phone) between an authenticated host
and a switch port, you might want to disconnect the host from the device and connect it directly to another
port on the same switch.
You can globally enable MAC move so the device is reauthenticated on the new port. When a host moves to
a second port, the session on the first port is deleted, and the host is reauthenticated on the new port. MAC
move is supported on all host modes. (The authenticated host can move to any port on the switch, no matter
which host mode is enabled on the that port.) When a MAC address moves from one port to another, the
switch terminates the authenticated session on the original port and initiates a new authentication sequence
on the new port. The MAC move feature applies to both voice and data hosts.
Note In open authentication mode, a MAC address is immediately moved from the original port to the new
port, with no requirement for authorization on the new port.
MAC Replace
The MAC replace feature can be configured to address the violation that occurs when a host attempts to
connect to a port where another host was previously authenticated.
Note This feature does not apply to ports in multi-auth mode, because violations are not triggered in that mode.
It does not apply to ports in multiple host mode, because in that mode, only the first host requires
authentication.
If you configure the authentication violation interface configuration command with the replace keyword,
the authentication process on a port in multi-domain mode is:
• A new MAC address is received on a port with an existing authenticated MAC address.
• The authentication manager replaces the MAC address of the current data host on the port with the new
MAC address.
• The authentication manager initiates the authentication process for the new MAC address.
• If the authentication manager determines that the new host is a voice host, the original voice host is
removed.
If a port is in open authentication mode, any new MAC address is immediately added to the MAC address
table.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1250
Information About 802.1x Port-Based Authentication
802.1x Accounting
The 802.1x standard defines how users are authorized and authenticated for network access but does not keep
track of network usage. 802.1x accounting is disabled by default. You can enable 802.1x accounting to monitor
this activity on 802.1x-enabled ports:
• User successfully authenticates.
• User logs off.
• Link-down occurs.
• Re-authentication successfully occurs.
• Re-authentication fails.
The switch does not log 802.1x accounting information. Instead, it sends this information to the RADIUS
server, which must be configured to log accounting messages.
You can view the AV pairs that are being sent by the switch by entering the debug radius accounting
privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command
Reference, Release 12.4.
This table lists the AV pairs and when they are sent are sent by the switch.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1251
Information About 802.1x Port-Based Authentication
17 The Framed-IP-Address AV pair is sent when a valid static IP address is configured or w when a Dynamic Host Control Protocol (DHCP) binding exists for
the host in the DHCP snooping bindings table.
Related Topics
Configuring 802.1x Readiness Check, on page 1275
Switch-to-RADIUS-Server Communication
RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port
numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port
number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1252
Information About 802.1x Port-Based Authentication
server at the same IP address. If two different host entries on the same RADIUS server are configured for the
same service—for example, authentication—the second host entry configured acts as the fail-over backup to
the first one. The RADIUS host entries are tried in the order that they were configured.
Related Topics
Configuring the Switch-to-RADIUS-Server Communication, on page 1282
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1253
Information About 802.1x Port-Based Authentication
◦If a voice device is authorized and is using a downloaded voice VLAN, the removal of the voice
VLAN configuration, or modifying the configuration value to dot1p or untagged results in voice
device un-authorization and the disablement of multi-domain host mode.
When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put into
the configured access VLAN.
If an 802.1x port is authenticated and put in the RADIUS server-assigned VLAN, any change to the port
access VLAN configuration does not take effect. In the case of a multidomain host, the same applies to voice
devices when the port is fully authorized with these exceptions:
• If the VLAN configuration change of one device results in matching the other device configured or
assigned VLAN, authorization of all devices on the port is terminated and multidomain host mode is
disabled until a valid configuration is restored where data and voice device configured VLANs no longer
match.
• If a voice device is authorized and is using a downloaded voice VLAN, the removal of the voice VLAN
configuration, or modifying the configuration value to dot1p or untagged results in voice device
un-authorization and the disablement of multi-domain host mode.
When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put into
the configured access VLAN.
The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or
with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).
To configure VLAN assignment you need to perform these tasks:
• Enable AAA authorization by using the network keyword to allow interface configuration from the
RADIUS server.
• Enable 802.1x authentication. (The VLAN assignment feature is automatically enabled when you
configure 802.1x authentication on an access port).
• Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these
attributes to the switch:
◦[64] Tunnel-Type = VLAN
◦[65] Tunnel-Medium-Type = 802
◦[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
◦[83] Tunnel-Preference
Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type
6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the IEEE 802.1x-authenticated user.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1254
Information About 802.1x Port-Based Authentication
does not save RADIUS-specified ACLs in the running configuration. When the port is unauthorized, the
switch removes the ACL from the port.
You can configure router ACLs and input port ACLs on the same switch. However, a port ACL takes precedence
over a router ACL. If you apply input port ACL to an interface that belongs to a VLAN, the port ACL takes
precedence over an input router ACL applied to the VLAN interface. Incoming packets received on the port
to which a port ACL is applied are filtered by the port ACL. Incoming routed packets received on other ports
are filtered by the router ACL. Outgoing routed packets are filtered by the router ACL. To avoid configuration
conflicts, you should carefully plan the user profiles stored on the RADIUS server.
RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific attributes
(VSAs) are in octet-string format and are passed to the switch during the authentication process. The VSAs
used for per-user ACLs are inacl#<n> for the ingress direction and outacl#<n> for the egress direction. MAC
ACLs are supported only in the ingress direction. The switch supports VSAs only in the ingress direction. It
does not support port ACLs in the egress direction on Layer 2 ports.
Use only the extended ACL syntax style to define the per-user configuration stored on the RADIUS server.
When the definitions are passed from the RADIUS server, they are created by using the extended naming
convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.
You can use the Filter-Id attribute to specify an inbound or outbound ACL that is already configured on the
switch. The attribute contains the ACL number followed by .in for ingress filtering or .out for egress filtering.
If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by
default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported
only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of
RADIUS-server per-user ACLs.
To configure per-user ACLs:
• Enable AAA authentication.
• Enable AAA authorization by using the network keyword to allow interface configuration from the
RADIUS server.
• Enable 802.1x authentication.
• Configure the user profile and VSAs on the RADIUS server.
• Configure the 802.1x port for single-host mode.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1255
Information About 802.1x Port-Based Authentication
If more than one host is authenticated and the host is in single-host, MDA, or multiple-authentication mode,
the switch changes the source address of the ACL to the host IP address.
You can apply the ACLs and redirect URLs to all the devices connected to the 802.1x-enabled port.
If no ACLs are downloaded during 802.1x authentication, the switch applies the static default ACL on the
port to the host. On a voice VLAN port configured in multi-auth or MDA mode, the switch applies the ACL
only to the phone as part of the authorization policies.
Beginning with Cisco IOS Release 12.2(55)SE, if there is no static ACL on a port, a dynamic auth-default
ACL is created, and policies are enforced before dACLs are downloaded and applied.
The auth-default ACL is created when at least one host with an authorization policy is detected on the port.
The auth-default ACL is removed from the port when the last authenticated session ends. You can configure
the auth-default ACL by using the ip access-list extended auth-default-acl global configuration command.
Note The auth-default-ACL does not support Cisco Discovery Protocol (CDP) bypass in the single host mode.
You must configure a static ACL on the interface to support CDP bypass.
The 802.1x and MAB authentication methods support two authentication modes, open and closed. If there is
no static ACL on a port in closed authentication mode:
• An auth-default-ACL is created.
• The auth-default-ACL allows only DHCP traffic until policies are enforced.
• When the first host authenticates, the authorization policy is applied without IP address insertion.
• When a second host is detected, the policies for the first host are refreshed, and policies for the first and
subsequent sessions are enforced with IP address insertion.
To control access for hosts with no authorization policy, you can configure a directive. The supported values
for the directive are open and default. When you configure the open directive, all traffic is allowed. The default
directive subjects traffic to the access provided by the port. You can configure the directive either in the user
profile on the AAA server or on the switch. To configure the directive on the AAA server, use the
authz-directive =<open/default> global command. To configure the directive on the switch, use the epm
access-control open global configuration command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1256
Information About 802.1x Port-Based Authentication
The access control entries (ACEs) in the fallback ACL are converted to per-user entries. If the configured
fallback profile does not include a fallback ACL, the host is subject to the auth-default-ACL associated with
the port.
Note If you use a custom logo with web authentication and it is stored on an external server, the port ACL must
allow access to the external server before authentication. You must either configure a static port ACL or
change the auth-default-ACL to provide appropriate access to the external server.
Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL
The switch uses these cisco-av-pair VSAs:
• url-redirect is the HTTP or HTTPS URL.
• url-redirect-acl is the switch ACL name or number.
The switch uses the CiscoSecure-defined-ACL attribute value pair to intercept an HTTP or HTTPS request
from the end point. The switch then forwards the client web browser to the specified redirect address. The
url-redirect AV pair on the Cisco Secure ACS contains the URL to which the web browser is redirected. The
url-redirect-acl attribute value pair contains the name or number of an ACL that specifies the HTTP or HTTPS
traffic to redirect.
If a redirect URL is configured for a client on the authentication server, a default port ACL on the connected
client switch port must also be configured.
If a downloadable ACL is configured for a client on the authentication server, a default port ACL on the
connected client switch port must also be configured.
If the default ACL is configured on the switch and the Cisco Secure ACS sends a host-access-policy to the
switch, it applies the policy to traffic from the host connected to a switch port. If the policy does not apply,
the switch applies the default ACL. If the Cisco Secure ACS sends the switch a downloadable ACL, this ACL
takes precedence over the default ACL that is configured on the switch port. However, if the switch receives
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1257
Information About 802.1x Port-Based Authentication
an host access policy from the Cisco Secure ACS but the default ACL is not configured, the authorization
failure is declared.
Note This feature is not supported on Cisco ACS Server. (The ACS server ignores the sent VLAN-IDs for new
hosts and only authenticates based on the MAC address.)
If devices send EAPOL packets to the switch during the lifetime of the link, the switch no longer allows clients
that fail authentication access to the guest VLAN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1258
Information About 802.1x Port-Based Authentication
Note If an EAPOL packet is detected after the interface has changed to the guest VLAN, the interface reverts
to an unauthorized state, and 802.1x authentication restarts.
Any number of 802.1x-incapable clients are allowed access when the switch port is moved to the guest VLAN.
If an 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into
the unauthorized state in the user-configured access VLAN, and authentication is restarted.
Guest VLANs are supported on 802.1x ports in single host, multiple host, multi-auth and multi-domain modes.
You can configure any active VLAN except an RSPAN VLAN, a private VLAN, or a voice VLAN as an
802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk
ports; it is supported only on access ports.
The switch supports MAC authentication bypass. When MAC authentication bypass is enabled on an 802.1x
port, the switch can authorize clients based on the client MAC address when IEEE 802.1x authentication times
out while waiting for an EAPOL message exchange. After detecting a client on an 802.1x port, the switch
waits for an Ethernet packet from the client. The switch sends the authentication server a
RADIUS-access/request frame with a username and password based on the MAC address. If authorization
succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port
to the guest VLAN if one is specified.
Note You can configure a VLAN to be both the guest VLAN and the restricted VLAN if you want to provide
the same services to both types of users.
Without this feature, the client attempts and fails authentication indefinitely, and the switch port remains in
the spanning-tree blocking state. With this feature, you can configure the switch port to be in the restricted
VLAN after a specified number of authentication attempts (the default value is 3 attempts).
The authenticator counts the failed authentication attempts for the client. When this count exceeds the configured
maximum number of authentication attempts, the port moves to the restricted VLAN. The failed attempt count
increments when the RADIUS server replies with either an EAP failure or an empty response without an EAP
packet. When the port moves into the restricted VLAN, the failed attempt counter resets.
Users who fail authentication remain in the restricted VLAN until the next re-authentication attempt. A port
in the restricted VLAN tries to re-authenticate at configured intervals (the default is 60 seconds). If
re-authentication fails, the port remains in the restricted VLAN. If re-authentication is successful, the port
moves either to the configured VLAN or to a VLAN sent by the RADIUS server. You can disable
re-authentication. If you do this, the only way to restart the authentication process is for the port to receive a
link down or EAP logoff event. We recommend that you keep re-authentication enabled if a client might
connect through a hub. When a client disconnects from the hub, the port might not receive the link down or
EAP logoff event.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1259
Information About 802.1x Port-Based Authentication
After a port moves to the restricted VLAN, a simulated EAP success message is sent to the client. This prevents
clients from indefinitely attempting authentication. Some clients (for example, devices running Windows XP)
cannot implement DHCP without EAP success.
Restricted VLANs are supported on 802.1x ports in all host modes and on Layer 2 ports.
You can configure any active VLAN except an RSPAN VLAN, a primary private VLAN, or a voice VLAN
as an 802.1x restricted VLAN. The restricted VLAN feature is not supported on internal VLANs (routed
ports) or trunk ports; it is supported only on access ports.
Other security port features such as dynamic ARP Inspection, DHCP snooping, and IP source guard can be
configured independently on a restricted VLAN.
Note If critical authentication is configured on interface, then vlan used for critical authorization (critical vlan)
should be active on the switch. If the critical vlan is inactive (or) down, critical authentication session
will keep trying to enable inactive vlan and fail repeatedly. This can lead to large amount of memory
holding.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1260
Information About 802.1x Port-Based Authentication
• If the port is already authorized and reauthentication occurs, the switch puts the critical port in the
critical-authentication state in the current VLAN, which might be the one previously assigned by the
RADIUS server.
• If the RADIUS server becomes unavailable during an authentication exchange, the current exchange
times out, and the switch puts the critical port in the critical-authentication state during the next
authentication attempt.
You can configure the critical port to reinitialize hosts and move them out of the critical VLAN when the
RADIUS server is again available. When this is configured, all critical ports in the critical-authentication state
are automatically re-authenticated.
• Restricted VLAN—If the port is already authorized in a restricted VLAN and the RADIUS servers are
unavailable, the switch puts the critical port in the critical-authentication state in the restricted VLAN.
• 802.1x accounting—Accounting is not affected if the RADIUS servers are unavailable.
• Private VLAN—You can configure inaccessible authentication bypass on a private VLAN host port.
The access VLAN must be a secondary private VLAN.
• Voice VLAN—Inaccessible authentication bypass is compatible with voice VLAN, but the
RADIUS-configured or user-specified access VLAN and the voice VLAN must be different.
• Remote Switched Port Analyzer (RSPAN)—Do not configure an RSPAN VLAN as the
RADIUS-configured or user-specified access VLAN for inaccessible authentication bypass.
In a switch stack:
• The stack master checks the status of the RADIUS servers by sending keepalive packets. When the
status of a RADIUS server changes, the stack master sends the information to the stack members. The
stack members can then check the status of RADIUS servers when re-authenticating critical ports.
• If the new stack master is elected, the link between the switch stack and RADIUS server might change,
and the new stack immediately sends keepalive packets to update the status of the RADIUS servers. If
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1261
Information About 802.1x Port-Based Authentication
the server status changes from dead to alive, the switch re-authenticates all switch ports in the
critical-authentication state.
When a member is added to the stack, the stack master sends the member the server status.
Note Switch stacks are supported only on Catalyst 2960-S switches running the LAN base image.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1262
Information About 802.1x Port-Based Authentication
Note The RADIUS server can send the VLAN information in any combination of VLAN-IDs,
VLAN names, or VLAN groups.
The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This allows
the phone to work independently of IEEE 802.1x authentication.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional
clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts
mode is enabled, the supplicant authentication affects both the PVID and the VVID.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first
CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result,
if several IP phones are connected in series, the switch recognizes only the one directly connected to it. When
IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized
IP phones more than one hop away.
When IEEE 802.1x authentication is enabled on a switch port, you can configure an access port VLAN that
is also a voice VLAN.
When IP phones are connected to an 802.1x-enabled switch port that is in single host mode, the switch grants
the phones network access without authenticating them. We recommend that you use multidomain authentication
(MDA) on the port to authenticate both a data device and a voice device, such as an IP phone
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1263
Information About 802.1x Port-Based Authentication
Note If you enable IEEE 802.1x authentication on an access port on which a voice VLAN is configured and to
which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30
seconds.
Note If PortFast is not enabled on the port, the port is forced to the bidirectional state.
When you configure a port as unidirectional by using the authentication control-direction in interface
configuration command, the port changes to the spanning-tree forwarding state. The port can send packets to
the host but cannot receive packets from the host.
When you configure a port as bidirectional by using the authentication control-direction both interface
configuration command, the port is access-controlled in both directions. The port does not receive packets
from or send packets to the host.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1264
Information About 802.1x Port-Based Authentication
password based on the MAC address. If authorization succeeds, the switch grants the client access to the
network. If authorization fails, the switch assigns the port to the guest VLAN if one is configured. This process
works for most client devices; however, it does not work for clients that use an alternate MAC address format.
You can configure how MAB authentication is performed for clients with MAC addresses that deviate from
the standard format or where the RADIUS configuration requires the user name and password to differ.
If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the
device connected to that interface is an 802.1x-capable supplicant and uses 802.1x authentication (not MAC
authentication bypass) to authorize the interface. EAPOL history is cleared if the interface link status goes
down.
If the switch already authorized a port by using MAC authentication bypass and detects an IEEE 802.1x
supplicant, the switch does not unauthorize the client connected to the port. When re-authentication occurs,
the switch uses the authentication or re-authentication methods configured on the port, if the previous session
ended because the Termination-Action RADIUS attribute value is DEFAULT.
Clients that were authorized with MAC authentication bypass can be re-authenticated. The re-authentication
process is the same as that for clients that were authenticated with IEEE 802.1x. During re-authentication, the
port remains in the previously assigned VLAN. If re-authentication is successful, the switch keeps the port
in the same VLAN. If re-authentication fails, the switch assigns the port to the guest VLAN, if one is configured.
If re-authentication is based on the Session-Timeout RADIUS attribute (Attribute[27]) and the
Termination-Action RADIUS attribute (Attribute [29]) and if the Termination-Action RADIUS attribute
(Attribute [29]) action is Initialize (the attribute value is DEFAULT), the MAC authentication bypass session
ends, and connectivity is lost during re-authentication. If MAC authentication bypass is enabled and the IEEE
802.1x authentication times out, the switch uses the MAC authentication bypass feature to initiate
re-authorization. For more information about these AV pairs, see RFC 3580, “IEEE 802.1X Remote
Authentication Dial In User Service (RADIUS) Usage Guidelines.”
MAC authentication bypass interacts with the features:
• IEEE 802.1x authentication—You can enable MAC authentication bypass only if 802.1x authentication
is enabled on the port .
• Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a guest
VLAN if one is configured.
• Restricted VLAN—This feature is not supported when the client connected to an IEEE 802.lx port is
authenticated with MAC authentication bypass.
• Port security
• Voice VLAN
• Private VLAN—You can assign a client to a private VLAN.
• Network Edge Access Topology (NEAT)—MAB and NEAT are mutually exclusive. You cannot enable
MAB when NEAT is enabled on an interface, and you should not enable NEAT when MAB is enabled
on an interface.
Cisco IOS Release 12.2(55)SE and later supports filtering of verbose MAB system messages
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1265
Information About 802.1x Port-Based Authentication
• Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS
attribute (Attribute[29]) from the authentication server.
• Set the number of seconds between re-authentication attempts as the value of the Session-Timeout
RADIUS attribute (Attribute[27]) and get an access policy against the client from the RADIUS server.
• Set the action to be taken when the switch tries to re-authenticate the client by using the
Termination-Action RADIUS attribute (Attribute[29]). If the value is the DEFAULT or is not set, the
session ends. If the value is RADIUS-Request, the re-authentication process starts.
• Set the list of VLAN number or name or VLAN group name as the value of the Tunnel Group Private
ID (Attribute[81]) and the preference for the VLAN number or name or VLAN group name as the value
of the Tunnel Preference (Attribute[83]). If you do not configure the Tunnel Preference, the first Tunnel
Group Private ID (Attribute[81]) attribute is picked up from the list.
• View the NAC posture token, which shows the posture of the client, by using the show authentication
privileged EXEC command.
• Configure secondary private VLANs as guest VLANs.
Configuring NAC Layer 2 IEEE 802.1x validation is similar to configuring IEEE 802.1x port-based
authentication except that you must configure a posture token on the RADIUS server.
Using this feature, you can control which ports use which authentication methods, and you can control the
failover sequencing of methods on those ports. For example, MAC authentication bypass and 802.1x can be
the primary or secondary authentication methods, and web authentication can be the fallback method if either
or both of those authentication attempts fail.
The IEEE 802.1X Flexible Authentication feature supports the following host modes:
• multi-auth—Multiauthentication allows one authentication on a voice VLAN and multiple authentications
on the data VLAN.
• multi-domain—Multidomain authentication allows two authentications: one on the voice VLAN and
one on the data VLAN.
Related Topics
Configuring Flexible Authentication Ordering, on page 1317
Open1x Authentication
Open1x authentication allows a device access to a port before that device is authenticated. When open
authentication is configured, a new host can pass traffic according to the access control list (ACL) defined on
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1266
Information About 802.1x Port-Based Authentication
the port. After the host is authenticated, the policies configured on the RADIUS server are applied to that
host.
You can configure open authentication with these scenarios:
• Single-host mode with open authentication–Only one user is allowed network access before and after
authentication.
• MDA mode with open authentication–Only one user in the voice domain and one user in the data domain
are allowed.
• Multiple-hosts mode with open authentication–Any host can access the network.
• Multiple-authentication mode with open authentication–Similar to MDA, except multiple hosts can be
authenticated.
Related Topics
Configuring Open1x, on page 1319
Multidomain Authentication
The switch supports multidomain authentication (MDA), which allows both a data device and voice device,
such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a
data domain and a voice domain.
Note For all host modes, the line protocol stays up before authorization when port-based authentication is
configured.
MDA does not enforce the order of device authentication. However, for best results, we recommend that a
voice device is authenticated before a data device on an MDA-enabled port.
Follow these guidelines for configuring MDA:
• You must configure a switch port for MDA.
• You must configure the voice VLAN for the IP phone when the host mode is set to multidomain.
• Voice VLAN assignment on an MDA-enabled port is supported Cisco IOS Release 12.2(40)SE and
later.
• To authorize a voice device, the AAA server must be configured to send a Cisco Attribute-Value (AV)
pair attribute with a value of device-traffic-class=voice. Without this value, the switch treats the voice
device as a data device.
• The guest VLAN and restricted VLAN features only apply to the data devices on an MDA-enabled port.
The switch treats a voice device that fails authorization as a data device.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1267
Information About 802.1x Port-Based Authentication
• If more than one device attempts authorization on either the voice or the data domain of a port, it is error
disabled.
• Until a device is authorized, the port drops its traffic. Non-Cisco IP phones or voice devices are allowed
into both the data and voice VLANs. The data VLAN allows the voice device to contact a DHCP server
to obtain an IP address and acquire the voice VLAN information. After the voice device starts sending
on the voice VLAN, its access to the data VLAN is blocked.
• A voice device MAC address that is binding on the data VLAN is not counted towards the port security
MAC address limit.
• MDA can use MAC authentication bypass as a fallback mechanism to allow the switch port to connect
to devices that do not support IEEE 802.1x authentication.
• When a data or a voice device is detected on a port, its MAC address is blocked until authorization
succeeds. If the authorization fails, the MAC address remains blocked for 5 minutes.
• If more than five devices are detected on the data VLAN or more than one voice device is detected on
the voice VLAN while a port is unauthorized, the port is error disabled.
• When a port host mode is changed from single- or multihost to multidomain mode, an authorized data
device remains authorized on the port. However, a Cisco IP phone that has been allowed on the port
voice VLAN is automatically removed and must be reauthenticated on that port.
• Active fallback mechanisms such as guest VLAN and restricted VLAN remain configured after a port
changes from single- or multihost mode to multidomain mode.
• Switching a port host mode from multidomain to single- or multihost mode removes all authorized
devices from the port.
• If a data domain is authorized first and placed in the guest VLAN, non-IEEE 802.1x-capable voice
devices need to tag their packets on the voice VLAN to trigger authentication.
• We do not recommend per-user ACLs with an MDA-enabled port. An authorized device with a per-user
ACL policy might impact traffic on both the voice and data VLANs of the port. If used, only one device
on the port should enforce per-user ACLs.
802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT)
The Network Edge Access Topology (NEAT) feature extends identity to areas outside the wiring closet (such
as conference rooms). This allows any type of device to authenticate on the port.
• 802.1x switch supplicant: You can configure a switch to act as a supplicant to another switch by using
the 802.1x supplicant feature. This configuration is helpful in a scenario, where, for example, a switch
is outside a wiring closet and is connected to an upstream switch through a trunk port. A switch configured
with the 802.1x switch supplicant feature authenticates with the upstream switch for secure connectivity.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1268
Information About 802.1x Port-Based Authentication
Once the supplicant switch authenticates successfully the port mode changes from access to trunk in an
authenticator switch. In a supplicant switch you must manually configure trunk when enabling CISP.
Note NEAT configuration is the only supported and qualified method to authenticate switches
using 802.1x. Any other method to authenticate a network switch can result in an
undefined behavior.
• If the access VLAN is configured on the authenticator switch, it becomes the native VLAN for the trunk
port after successful authentication.
In the default state, when you connect a supplicant switch to an authenticator switch that has BPDU guard
enabled, the authenticator port could be error-disabled if it receives a Spanning Tree Protocol (STP) bridge
protocol data unit (BPDU) packets before the supplicant switch has authenticated. Beginning with Cisco IOS
Release 15.0(1)SE, you can control traffic exiting the supplicant port during the authentication period. Entering
the dot1x supplicant controlled transient global configuration command temporarily blocks the supplicant
port during authentication to ensure that the authenticator port does not shut down before authentication
completes. If authentication fails, the supplicant port opens. Entering the no dot1x supplicant controlled
transient global configuration command opens the supplicant port during the authentication period. This is
the default behavior.
We strongly recommend using the dot1x supplicant controlled transientcommand on a supplicant switch
when BPDU guard is enabled on the authenticator switch port with the spanning-tree bpduguard enable
interface configuration command.
Note If you globally enable BPDU guard on the authenticator switch by using the spanning-tree portfast
bpduguard default global configuration command, entering the dot1x supplicant controlled transient
command does not prevent the BPDU violation.
You can enable MDA or multiauth mode on the authenticator switch interface that connects to one more
supplicant switches. Multihost mode is not supported on the authenticator switch interface.
When you reboot an authenticator switch with single-host mode enabled on the interface, the interface may
move to err-disabled state before authentication. To recover from err-disabled state, flap the authenticator
port to activate the interface again and initiate authentication.
Use the dot1x supplicant force-multicast global configuration command on the supplicant switch for Network
Edge Access Topology (NEAT) to work in all host modes.
• Host Authorization: Ensures that only traffic from authorized hosts (connecting to the switch with
supplicant) is allowed on the network. The switches use Client Information Signalling Protocol (CISP)
to send the MAC addresses connecting to the supplicant switch to the authenticator switch.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1269
Information About 802.1x Port-Based Authentication
• Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing user
traffic from multiple VLANs coming from supplicant switches. Configure the cisco-av-pair as
device-traffic-class=switch at the ACS. (You can configure this under the group or the user settings.)
5 Trunk port
Note The switchport nonegotiate command is not supported on supplicant and authenticator switches with
NEAT. This command should not be configured at the supplicant side of the topology. If configured on
the authenticator side, the internal macros will automatically remove this command from the port.
Note To use voice aware IEEE 802.1x authentication, the switch must be running the LAN base image.
You use the voice aware 802.1x security feature to configure the switch to disable only the VLAN on which
a security violation occurs, whether it is a data or voice VLAN. In previous releases, when an attempt to
authenticate the data client caused a security violation, the entire port shut down, resulting in a complete loss
of connectivity.
You can use this feature in IP phone deployments where a PC is connected to the IP phone. A security violation
found on the data VLAN results in the shutdown of only the data VLAN. The traffic on the voice VLAN
flows through the switch without interruption.
Related Topics
Configuring Voice Aware 802.1x Security, on page 1277
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1270
How to Configure 802.1x Port-Based Authentication
Common Session ID
Authentication manager uses a single session ID (referred to as a common session ID) for a client no matter
which authentication method is used. This ID is used for all reporting purposes, such as the show commands
and MIBs. The session ID appears with all per-session syslog messages.
The session ID includes:
• The IP address of the Network Access Device (NAD)
• A monotonically increasing unique 32 bit integer
• The session start time stamp (a 32 bit integer)
This example shows how the session ID appears in the output of the show authentication command. The
session ID in this example is 160000050000000B288508E5:
This is an example of how the session ID appears in the syslog output. The session ID in this example is
also160000050000000B288508E5:
The session ID is used by the NAD, the AAA server, and other report-analyzing applications to identify the
client. The ID appears automatically. No configuration is required.
AAA Disabled.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1271
How to Configure 802.1x Port-Based Authentication
Re-authentication number 2 times (number of times that the switch restarts the
authentication process before the port changes to the
unauthorized state).
Quiet period 60 seconds (number of seconds that the switch remains in the
quiet state following a failed authentication exchange with the
client).
Retransmission time 30 seconds (number of seconds that the switch should wait for
a response to an EAP request/identity frame from the client
before resending the request).
Maximum retransmission number 2 times (number of times that the switch will send an
EAP-request/identity frame before restarting the authentication
process).
Client timeout period 30 seconds (when relaying a request from the authentication
server to the client, the amount of time the switch waits for a
response before resending the request to the client.)
Authentication server timeout period 30 seconds (when relaying a response from the client to the
authentication server, the amount of time the switch waits for
a reply before resending the response to the server.)
You can change this timeout period by using the dot1x timeout
server-timeout interface configuration command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1272
How to Configure 802.1x Port-Based Authentication
802.1x Authentication
These are the 802.1x authentication configuration guidelines:
• When 802.1x authentication is enabled, ports are authenticated before any other Layer 2 or Layer 3
features are enabled.
• If the VLAN to which an 802.1x-enabled port is assigned changes, this change is transparent and does
not affect the switch. For example, this change occurs if a port is assigned to a RADIUS server-assigned
VLAN and is then assigned to a different VLAN after re-authentication.
If the VLAN to which an 802.1x port is assigned to shut down, disabled, or removed, the port becomes
unauthorized. For example, the port is unauthorized after the access VLAN to which a port is assigned
shuts down or is removed.
• The 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed
ports, but it is not supported on these port types:
◦Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port.
If you try to enable 802.1x authentication on a dynamic port, an error message appears, and 802.1x
authentication is not enabled. If you try to change the mode of an 802.1x-enabled port to dynamic,
an error message appears, and the port mode is not changed.
◦EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an
EtherChannel as an 802.1x port. If you try to enable 802.1x authentication on an EtherChannel
port, an error message appears, and 802.1x authentication is not enabled.
◦Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable
802.1x authentication on a port that is a SPAN or RSPAN destination port. However, 802.1x
authentication is disabled until the port is removed as a SPAN or RSPAN destination port. You
can enable 802.1x authentication on a SPAN or RSPAN source port.
• Before globally enabling 802.1x authentication on a switch by entering the dot1x system-auth-control
global configuration command, remove the EtherChannel configuration from the interfaces on which
802.1x authentication and EtherChannel are configured.
• Cisco IOS Release 12.2(55)SE and later supports filtering of system messages related to 802.1x
authentication.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1273
How to Configure 802.1x Port-Based Authentication
VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass
These are the configuration guidelines for VLAN assignment, guest VLAN, restricted VLAN, and inaccessible
authentication bypass:
• When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a
voice VLAN.
• The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic
ports, or with dynamic-access port assignment through a VMPS.
• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x guest VLAN.
The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported
only on access ports.
• After you configure a guest VLAN for an 802.1x port to which a DHCP client is connected, you might
need to get a host IP address from a DHCP server. You can change the settings for restarting the 802.1x
authentication process on the switch before the DHCP process on the client times out and tries to get a
host IP address from the DHCP server. Decrease the settings for the 802.1x authentication process
(authentication timer inactivity and authentication timer reauthentication interface configuration
commands). The amount to decrease the settings depends on the connected 802.1x client type.
• When configuring the inaccessible authentication bypass feature, follow these guidelines:
◦The feature is supported on 802.1x port in single-host mode and multihosts mode.
◦If the client is running Windows XP and the port to which the client is connected is in the
critical-authentication state, Windows XP might report that the interface is not authenticated.
◦If the Windows XP client is configured for DHCP and has an IP address from the DHCP server,
receiving an EAP-Success message on a critical port might not re-initiate the DHCP configuration
process.
◦You can configure the inaccessible authentication bypass feature and the restricted VLAN on an
802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN and all the
RADIUS servers are unavailable, switch changes the port state to the critical authentication state
and remains in the restricted VLAN.
◦If the CTS links are in Critical Authentication mode and the master reloads, the policy where SGT
was configured on a device will not be available on the new master. This is because the internal
bindings will not be synced to the standby switch in a 3750-X switch stack.
• You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x restricted VLAN.
The restricted VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is
supported only on access ports.
• When wireless guest clients obtains IP from foreign client VLAN instead of anchor client VLAN, you
should use the ip dhcp required command under the WLAN configuration to force clients to issue a
new DHCP request. This prevents the clients from getting an incorrect IP at anchor.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1274
How to Configure 802.1x Port-Based Authentication
• Unless otherwise stated, the MAC authentication bypass guidelines are the same as the 802.1x
authentication guidelines.
• If you disable MAC authentication bypass from a port after the port has been authorized with its MAC
address, the port state is not affected.
• If the port is in the unauthorized state and the client MAC address is not the authentication-server
database, the port remains in the unauthorized state. However, if the client MAC address is added to the
database, the switch can use MAC authentication bypass to re-authorize the port.
• If the port is in the authorized state, the port remains in this state until re-authorization occurs.
• You can configure a timeout period for hosts that are connected by MAC authentication bypass but are
inactive. The range is 1to 65535 seconds.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1275
How to Configure 802.1x Port-Based Authentication
• When you configure the dot1x test eapol-capable command on an 802.1x-enabled port, and the link
comes up, the port queries the connected client about its 802.1x capability. When the client responds
with a notification packet, it is 802.1x-capable. A syslog message is generated if the client responds
within the timeout period. If the client does not respond to the query, the client is not 802.1x-capable.
No syslog message is generated
• The readiness check can be sent on a port that handles multiple hosts (for example, a PC that is connected
to an IP phone). A syslog message is generated for each of the clients that respond to the readiness check
within the timer period.
Procedure
Example:
Switch# configure terminal
Step 3 dot1x test eapol-capable [interface Enables the 802.1x readiness check on the switch.
interface-id] (Optional) For interface-id specify the port on
which to check for IEEE 802.1x readiness.
Example:
Switch# dot1x test eapol-capable Note If you omit the optional interface
interface gigabitethernet1/0/13 keyword, all interfaces on the switch are
DOT1X_PORT_EAPOL_CAPABLE:DOT1X: MAC
00-01-02-4b-f1-a3 on
tested.
gigabitethernet1/0/13 is EAPOL
capable
Step 4 dot1x test timeout timeout (Optional) Configures the timeout used to wait
for EAPOL response. The range is from 1 to
65535 seconds. The default is 10 seconds.
Example:
Switch(config)# end
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1276
How to Configure 802.1x Port-Based Authentication
Related Topics
802.1x Readiness Check, on page 1252
Note To use voice aware IEEE 802.1x authentication, the switch must be running the LAN base image.
You use the voice aware 802.1x security feature on the switch to disable only the VLAN on which a security
violation occurs, whether it is a data or voice VLAN. You can use this feature in IP phone deployments where
a PC is connected to the IP phone. A security violation found on the data VLAN results in the shutdown of
only the data VLAN. The traffic on the voice VLAN flows through the switch without interruption.
Follow these guidelines to configure voice aware 802.1x voice security on the switch:
• You enable voice aware 802.1x security by entering the errdisable detect cause security-violation
shutdown vlan global configuration command. You disable voice aware 802.1x security by entering
the no version of this command. This command applies to all 802.1x-configured ports in the switch.
Note If you do not include the shutdown vlan keywords, the entire port is shut down when
it enters the error-disabled state.
• If you use the errdisable recovery cause security-violation global configuration command to configure
error-disabled recovery, the port is automatically re-enabled. If error-disabled recovery is not configured
for the port, you re-enable it by using the shutdown and no shutdown interface configuration commands.
• You can re-enable individual VLANs by using the clear errdisable interface interface-id vlan [vlan-list]
privileged EXEC command. If you do not specify a range, all VLANs on the port are enabled.
Beginning in privileged EXEC mode, follow these steps to enable voice aware 802.1x security:
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1277
How to Configure 802.1x Port-Based Authentication
Step 5 Enter the following: (Optional) Re-enable an error-disabled VLAN, and clear
all error-disable indications.
• shutdown
• no shutdown
This example shows how to configure the switch to shut down any VLAN on which a security violation error
occurs:
Switch(config)# errdisable detect cause security-violation shutdown vlan
This example shows how to re-enable all VLANs that were error disabled on port Gigabit Ethernet 40/2.
Switch# clear errdisable interface gigabitethernet4/0/2
vlan
You can verify your settings by entering the show errdisable detect privileged EXEC command.
Related Topics
Voice Aware 802.1x Security, on page 1270
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1278
How to Configure 802.1x Port-Based Authentication
Beginning in privileged EXEC mode, follow these steps to configure the security violation actions on the
switch:
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# aaa new-model
Step 3 aaa authentication dot1x {default} Creates an 802.1x authentication method list.
method1 To create a default list that is used when a named list
is not specified in the authentication command, use
Example: the default keyword followed by the method that is to
Switch(config)# aaa authentication be used in default situations. The default method list is
dot1x default group radius automatically applied to all ports.
For method1, enter the group radius keywords to use
the list of all RADIUS servers for authentication.
Step 4 interface interface-id Specifies the port connected to the client that is to be
enabled for IEEE 802.1x authentication, and enter
Example: interface configuration mode.
Switch(config)# interface
gigabitethernet1/0/4
Example:
Switch(config-if)# switchport mode
access
Step 6 authentication violation {shutdown | Configures the violation mode. The keywords have
restrict | protect | replace} these meanings:
• shutdown–Error disable the port.
Example:
• restrict–Generate a syslog error.
Switch(config-if)# authentication
violation restrict • protect–Drop packets from any new device that
sends traffic to the port.
• replace–Removes the current session and
authenticates with the new host.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1279
How to Configure 802.1x Port-Based Authentication
Example:
Switch(config-if)# end
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1280
How to Configure 802.1x Port-Based Authentication
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# aaa new-model
Step 3 aaa authentication dot1x {default} Creates an 802.1x authentication method list.
method1 To create a default list that is used when a named list
is not specified in the authentication command, use
Example: the default keyword followed by the method that is
Switch(config)# aaa authentication to be used in default situations. The default method
dot1x default group radius list is automatically applied to all ports.
For method1, enter the group radius keywords to
use the list of all RADIUS servers for authentication.
Note Though other keywords are visible in the
command-line help string, only the group
radius keywords are supported.
Step 4 dot1x system-auth-control Enables 802.1x authentication globally on the switch.
Example:
Switch(config)# dot1x
system-auth-control
Step 5 aaa authorization network {default} (Optional) Configures the switch to use user-RADIUS
group radius authorization for all network-related service requests,
such as per-user ACLs or VLAN assignment.
Example:
Switch(config)# aaa authorization
network default group radius
Step 6 radius-server host ip-address (Optional) Specifies the IP address of the RADIUS
server.
Example:
Switch(config)# radius-server host
124.2.2.12
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1281
How to Configure 802.1x Port-Based Authentication
Step 8 interface interface-id Specifies the port connected to the client that is to be
enabled for IEEE 802.1x authentication, and enter
Example: interface configuration mode.
Switch(config)# interface
gigabitethernet1/0/2
Step 9 switchport mode access (Optional) Sets the port to access mode only if you
configured the RADIUS server in Step 6 and Step 7.
Example:
Switch(config-if)# switchport mode
access
Example:
Switch(config-if)# authentication
port-control auto
Step 11 dot1x pae authenticator Sets the interface Port Access Entity to act only as an
authenticator and ignore messages meant for a
Example: supplicant.
Example:
Switch(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1282
How to Configure 802.1x Port-Based Authentication
You also need to configure some settings on the RADIUS server. These settings include the IP address of the
switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS
server documentation.
Follow these steps to configure the RADIUS server parameters on the switch. This procedure is required.
Procedure
Example:
Switch> enable
Example:
Switch# configure terminal
Example:
For auth-port port-number, specify the UDP destination port for
authentication requests. The default is 1645. The range is 0 to
Switch(config)# 65536.
radius-server host
125.5.5.43 auth-port 1645 For key string, specify the authentication and encryption key used
key rad123
between the switch and the RADIUS daemon running on the
RADIUS server. The key is a text string that must match the
encryption key used on the RADIUS server.
Note Always configure the key as the last item in the
radius-server host command syntax because leading
spaces are ignored, but spaces within and at the end of
the key are used. If you use spaces in the key, do not
enclose the key in quotation marks unless the quotation
marks are part of the key. This key must match the
encryption used on the RADIUS daemon.
If you want to use multiple RADIUS servers, re-enter this
command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1283
How to Configure 802.1x Port-Based Authentication
Example:
Switch(config)# end
Related Topics
Switch-to-RADIUS-Server Communication, on page 1252
Procedure
Example:
Switch# configure terminal
Step 2 interface interface-id Specifies the port to which multiple hosts are indirectly
attached, and enter interface configuration mode.
Example:
Switch(config)# interface
gigabitethernet2/0/1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1284
How to Configure 802.1x Port-Based Authentication
Example:
Switch(config-if)# end
Procedure
Example:
Switch# configure terminal
Step 2 interface interface-id Specifies the port to be configured, and enter interface
configuration mode.
Example:
Switch(config)# interface
gigabitethernet2/0/1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1285
How to Configure 802.1x Port-Based Authentication
Example:
Switch(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1286
How to Configure 802.1x Port-Based Authentication
Procedure
Example:
Switch# configure terminal
Step 3 authentication timer inactivity seconds Sets the number of seconds that the switch
remains in the quiet state following a failed
Example: authentication exchange with the client.
Example:
Switch(config-if)# end
Example:
Switch# show authentication sessions
interface gigabitethernet2/0/1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1287
How to Configure 802.1x Port-Based Authentication
Note You should change the default value of this command only to adjust for unusual circumstances such as
unreliable links or specific behavioral problems with certain clients and authentication servers.
Beginning in privileged EXEC mode, follow these steps to change the amount of time that the switch waits
for client notification. This procedure is optional.
Procedure
Example:
Switch# configure terminal
Step 3 authentication timer reauthenticate seconds Sets the number of seconds that the switch
waits for a response to an
Example: EAP-request/identity frame from the client
before resending the request.
Switch(config-if)# authentication timer
reauthenticate 60 The range is 1 to 65535 seconds; the default
is 5.
Example:
Switch(config-if)# end
Example:
Switch# show authentication sessions
interface gigabitethernet2/0/1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1288
How to Configure 802.1x Port-Based Authentication
Note You should change the default value of this command only to adjust for unusual circumstances such as
unreliable links or specific behavioral problems with certain clients and authentication servers.
Beginning in privileged EXEC mode, follow these steps to set the switch-to-client frame-retransmission
number. This procedure is optional.
Procedure
Example:
Switch# configure terminal
Step 3 dot1x max-reauth-req count Sets the number of times that the switch sends an
EAP-request/identity frame to the client before
Example: restarting the authentication process. The range is
1 to 10; the default is 2.
Switch(config-if)# dot1x
max-reauth-req 5
Example:
Switch(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1289
How to Configure 802.1x Port-Based Authentication
Note You should change the default value of this command only to adjust for unusual circumstances such as
unreliable links or specific behavioral problems with certain clients and authentication servers.
Beginning in privileged EXEC mode, follow these steps to set the re-authentication number. This procedure
is optional.
Procedure
Example:
Switch# configure terminal
Step 3 switchport mode access Sets the port to access mode only if you previously
configured the RADIUS server.
Example:
Switch(config-if)# switchport mode
access
Step 4 dot1x max-req count Sets the number of times that the switch restarts
the authentication process before the port changes
Example: to the unauthorized state. The range is 0 to 10; the
default is 2.
Switch(config-if)# dot1x max-req 4
Example:
Switch(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1290
How to Configure 802.1x Port-Based Authentication
Procedure
Example:
Switch# configure terminal
Step 2 authentication mac-move permit Enables MAC move on the switch. Default is deny.
In Session Aware Networking mode, the default
Example: CLI is access-session mac-move deny. To enable
Switch(config)# authentication Mac Move in Session Aware Networking, use the
mac-move permit no access-session mac-move global configuration
command.
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1291
How to Configure 802.1x Port-Based Authentication
Procedure
Example:
Switch# configure terminal
Step 2 interface interface-id Specifies the port to be configured, and enter interface
configuration mode.
Example:
Switch(config)# interface
gigabitethernet2/0/2
Step 3 authentication violation {protect | Use the replace keyword to enable MAC replace on
replace | restrict | shutdown} the interface. The port removes the current session
and initiates authentication with the new host.
Example: The other keywords have these effects:
Switch(config-if)# authentication • protect: the port drops packets with unexpected
violation replace
MAC addresses without generating a system
message.
• restrict: violating packets are dropped by the
CPU and a system message is generated.
• shutdown: the port is error disabled when it
receives an unexpected MAC address.
Example:
Switch(config-if)# end
Example:
Switch# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1292
How to Configure 802.1x Port-Based Authentication
When the stop message is not sent successfully, this message appears:
Note You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and
interim-update messages and time stamps. To turn on these functions, enable logging of “Update/Watchdog
packets from this AAA client” in your RADIUS server Network Configuration tab. Next, enable “CVS
RADIUS Accounting” in your RADIUS server System Configuration tab.
Beginning in privileged EXEC mode, follow these steps to configure 802.1x accounting after AAA is enabled
on your switch. This procedure is optional.
Procedure
Example:
Switch# configure terminal
Step 3 aaa accounting dot1x default start-stop group Enables 802.1x accounting using the list of
radius all RADIUS servers.
Example:
Switch(config-if)# aaa accounting dot1x
default start-stop group radius
Step 4 aaa accounting system default start-stop group (Optional) Enables system accounting (using
radius the list of all RADIUS servers) and generates
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1293
How to Configure 802.1x Port-Based Authentication
Example:
Switch(config-if)# end
Example:
Switch# show running-config
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1294
How to Configure 802.1x Port-Based Authentication
Step 3 Use one of the following: • Sets the port to access mode.
• switchport mode access • Configures the Layer 2 port as a
private-VLAN host port.
• switchport mode private-vlan host
Example:
Switch(config-if)# switchport mode
private-vlan host
Step 4 authentication event no-response action Specifies an active VLAN as an 802.1x guest
authorize vlan vlan-id VLAN. The range is 1 to 4094.
You can configure any active VLAN except an
Example: internal VLAN (routed port), an RSPAN VLAN
Switch(config-if)# authentication event or a voice VLAN as an 802.1x guest VLAN.
no-response action authorize vlan 2
Example:
Switch(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1295
How to Configure 802.1x Port-Based Authentication
Procedure
Example:
Switch# configure terminal
Step 3 Use one of the following: • Sets the port to access mode.
• switchport mode access • Configures the Layer 2 port as a
private-VLAN host port.
• switchport mode private-vlan host
Example:
Switch(config-if)# switchport mode
access
Example:
Switch(config-if)# authentication
port-control auto
Step 5 authentication event fail action authorize Specifies an active VLAN as an 802.1x
vlan vlan-id restricted VLAN. The range is 1 to 4094.
You can configure any active VLAN except an
Example: internal VLAN (routed port), an RSPAN VLAN
Switch(config-if)# authentication event or a voice VLAN as an 802.1x restricted VLAN.
fail action authorize vlan 2
Example:
Switch(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1296
How to Configure 802.1x Port-Based Authentication
Procedure
Example:
Switch# configure terminal
Step 3 Use one of the following: • Sets the port to access mode.
• switchport mode access • Configures the Layer 2 port as a
private-VLAN host port.
• switchport mode private-vlan host
Example:
or
Switch(config-if)# switchport mode
access
Example:
Switch(config-if)# authentication
port-control auto
Step 5 authentication event fail action authorize Specifies an active VLAN as an 802.1x restricted
vlan vlan-id VLAN. The range is 1 to 4094.
You can configure any active VLAN except an
Example: internal VLAN (routed port), an RSPAN VLAN
Switch(config-if)# authentication event or a voice VLAN as an 802.1x restricted VLAN.
fail action authorize vlan 8
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1297
How to Configure 802.1x Port-Based Authentication
Example:
Switch(config-if)# end
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# aaa new-model
Step 3 radius-server dead-criteria{time Sets the conditions that determine when a RADIUS server
seconds } [tries number] is considered un-available or down (dead).
• time— 1 to 120 seconds. The switch dynamically
Example: determines a default seconds value between 10 and 60.
Switch(config)# radius-server
dead-criteria time 20 tries 10 • number—1 to 100 tries. The switch dynamically
determines a default triesnumber between 10 and 100.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1298
How to Configure 802.1x Port-Based Authentication
Switch(config)# radius-server
deadtime 60
Step 5 radius-server host ip-address (Optional) Configure the RADIUS server parameters by using
address[acct-port these keywords:
udp-port][auth-port udp-port]
[testusername name[idle-time time] • acct-portudp-port—Specify the UDP port for the
[ignore-acct-port][ignore RADIUS accounting server. The range for the UDP
port number is from 0 to 65536. The default is 1646.
auth-port]] [key string]
• auth-portudp-port—Specify the UDP port for the
Example: RADIUS authentication server. The range for the UDP
port number is from 0 to 65536. The default is 1645.
Switch(config)# radius-server
host 1.1.1.2 acct-port 1550 Note You should configure the UDP port for the
auth-port
1560 test username user1
RADIUS accounting server and the UDP port
idle-time 30 key abc1234 for the RADIUS authentication server to
nondefault values.
• test usernamename—Enable automated testing of the
RADIUS server status, and specify the username to be
used.
• idle-time time—Set the interval of time in minutes after
which the switch sends test packets to the server. The
range is from 1 to 35791 minutes. The default is 60
minutes (1 hour).
• ignore-acct-port—Disable testing on the
RADIUS-server accounting port.
• ignore-auth-port—Disable testing on the
RADIUS-server authentication port.
• For keystring, specify the authentication and encryption
key used between the switch and the RADIUS daemon
running on the RADIUS server. The key is a text string
that must match the encryption key used on the
RADIUS server.
Note Always configure the key as the last item in
the radius-server host command syntax
because leading spaces are ignored, but spaces
within and at the end of the key are used. If
you use spaces in the key, do not enclose the
key in quotation marks unless the quotation
marks are part of the key. This key must match
the encryption used on the RADIUS daemon.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1299
How to Configure 802.1x Port-Based Authentication
Step 6 dot1x critical {eapol | recovery (Optional) Configure the parameters for inaccessible
delay milliseconds} authentication bypass:
• eapol—Specify that the switch sends an
Example: EAPOL-Success message when the switch successfully
Switch(config)# dot1x critical authenticates the critical port.
eapol
(config)# dot1x critical • recovery delaymilliseconds—Set the recovery delay
recovery delay 2000 period during which the switch waits to re-initialize a
critical port when a RADIUS server that was
unavailable becomes available. The range is from 1 to
10000 milliseconds. The default is 1000 milliseconds
(a port can be re-initialized every second).
Step 7 interface interface-id Specify the port to be configured, and enter interface
configuration mode.
Example:
Switch(config)# interface
gigabitethernet 1/0/1
Step 8 authentication event server dead Use these keywords to move hosts on the port if the RADIUS
action {authorize | reinitialize} vlan server is unreachable:
vlan-id]
• authorize—Move any new hosts trying to authenticate
to the user-specified critical VLAN.
Example:
• reinitialize—Move all authorized hosts on the port to
Switch(config-if)#
authentication event server dead the user-specified critical VLAN.
action
reinitialicze vlan 20
Step 9 switchport voice vlan vlan-id Specifies the voice VLAN for the port. The voice VLAN
cannot be the same as the critical data VLAN configured in
Example: Step 6.
Switch(config-if)# switchport
voice vlan
Step 10 authentication event server dead Configures critical voice VLAN to move data traffic on the
action authorize voice port to the voice VLAN if the RADIUS server is unreachable.
Example:
Switch(config-if)#
authentication event server dead
action
authorize voice
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1300
How to Configure 802.1x Port-Based Authentication
Example:
Switch(config-if)# do show
authentication interface gigabit
1/0/1
Example:
Switch(config-if)# do copy
running-config startup-config
To return to the RADIUS server default settings, use the no radius-server dead-criteria, the no radius-server
deadtime, and the no radius-server host global configuration commands. To disable inaccessible authentication
bypass, use the no authentication event server dead action interface configuration command. To disable
critical voice VLAN, use the no authentication event server dead action authorize voice interface
configuration command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1301
How to Configure 802.1x Port-Based Authentication
Procedure
Example:
Switch# configure terminal
Step 3 authentication control-direction {both | Enables 802.1x authentication with WoL on the
in} port, and use these keywords to configure the port
as bidirectional or unidirectional.
Example: • both—Sets the port as bidirectional. The port
Switch(config-if)# authentication cannot receive packets from or send packets
control-direction both to the host. By default, the port is
bidirectional.
• in—Sets the port as unidirectional. The port
can send packets to the host but cannot
receive packets from the host.
Example:
Switch(config-if)# end
Example:
Switch# show authentication sessions
interface gigabitethernet2/0/3
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1302
How to Configure 802.1x Port-Based Authentication
Procedure
Example:
Switch# configure terminal
Example:
Switch(config-if)# authentication
port-control auto
Example:
Switch(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1303
How to Configure 802.1x Port-Based Authentication
Procedure
Example:
Switch# configure terminal
Step 2 mab request format attribute 1 Specifies the format of the MAC address in the User-Name
groupsize {1 | 2 | 4 |12} [separator attribute of MAB-generated Access-Request packets.
{- | : | .} {lowercase | uppercase}]
1—Sets the username format of the 12 hex digits of the MAC
address.
Example:
group size—The number of hex nibbles to concatenate before
Switch(config)# mab request insertion of a separator. A valid groupsize must be either 1, 2,
format attribute 1 groupsize
12 4, or 12.
separator—The character that separates the hex nibbles
according to group size. A valid separator must be either a
hyphen, colon, or period. No separator is used for a group size
of 12.
{lowercase | uppercase}—Specifies if nonnumeric hex nibbles
should be in lowercase or uppercase.
Step 3 mab request format attribute2 {0 2—Specifies a custom (nondefault) value for the User-Password
| 7} text attribute in MAB-generated Access-Request packets.
0—Specifies a cleartext password to follow.
Example:
7—Specifies an encrypted password to follow.
Switch(config)# mab request
format attribute 2 7 text—Specifies the password to be used in the User-Password
A02f44E18B12 attribute.
Note When you send configuration information in e-mail,
remove type 7 password information. The show
tech-support command removes this information from
its output by default.
Step 4 end Returns to privileged EXEC mode.
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1304
How to Configure 802.1x Port-Based Authentication
Procedure
Example:
Switch# configure terminal
Step 2 vlan group vlan-group-name vlan-list vlan-list Configures a VLAN group, and maps a
single VLAN or a range of VLANs to it.
Example:
Switch(config)# vlan group eng-dept
vlan-list 10
Example:
Switch(config)# end
Step 4 no vlan group vlan-group-name vlan-list Clears the VLAN group configuration or
vlan-list elements of the VLAN group configuration.
Example:
Switch(config)# no vlan group eng-dept
vlan-list 10
This example shows how to add a VLAN to an existing VLAN group and to verify that the VLAN was added:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1305
How to Configure 802.1x Port-Based Authentication
This example shows that when all the VLANs are cleared from a VLAN group, the VLAN group is cleared:
For more information about these commands, see the Cisco IOS Security Command Reference.
Procedure
Example:
Switch# configure terminal
Step 3 switchport mode access Sets the port to access mode only if you
configured the RADIUS server.
Example:
Switch(config-if)# switchport mode
access
Step 4 authentication event no-response action Specifies an active VLAN as an 802.1x guest
authorize vlan vlan-id VLAN. The range is 1 to 4094.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1306
How to Configure 802.1x Port-Based Authentication
Step 6 authentication timer reauthenticate Sets re-authentication attempt for the client (set
to one hour).
Example: This command affects the behavior of the switch
Switch(config-if)# authentication timer only if periodic re-authentication is enabled.
reauthenticate
Example:
Switch(config-if)# end
Example:
Switch# show authentication sessions
interface gigabitethernet2/0/3
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1307
How to Configure 802.1x Port-Based Authentication
Procedure
Example:
Device# configure terminal
Step 4 aaa authentication login default local Sets the authentication, authorization, and accounting
(AAA) authentication by using the default
Example: authentication methods.
Device(config)# aaa authentication
login default local
Step 5 aaa authentication rejected n in m ban Configures the time period for which an user is
x blocked, if the user fails to successfully login within
the specified time and login attempts.
Example: • n—Specifies the number of times a user can try
Device(config)# aaa authentication
rejected 3 in 20 ban 300 to login.
• m—Specifies the number of seconds within
which an user can try to login.
• x—Specifies the time period an user is banned
if the user fails to successfully login.
Step 7 show aaa local user blocked Displays the list of local users who were blocked.
Example:
Device# show aaa local user blocked
Step 8 clear aaa local user blocked username Clears the information about the blocked local user.
username
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1308
How to Configure 802.1x Port-Based Authentication
Example:
Device# clear aaa local user
blocked username user1
The following is sample output from the show aaa local user blocked command:
Device# show aaa local user blocked
Local-user State
Note The cisco-av-pairs must be configured as device-traffic-class=switch on the ACS, which sets the interface
as a trunk after the supplicant is successfully authenticated.
Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator:
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# cisp enable
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1309
How to Configure 802.1x Port-Based Authentication
Example:
Switch(config-if)# switchport mode access
Example:
Switch(config-if)# authentication
port-control auto
Example:
Switch(config-if)# end
Example:
Switch# show running-config interface
gigabitethernet2/0/1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1310
How to Configure 802.1x Port-Based Authentication
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# cisp enable
Step 3 dot1x credentials profile Creates 802.1x credentials profile. This must
be attached to the port that is configured as
Example: supplicant.
Example:
Switch(config)# username suppswitch
Example:
Switch(config)# password myswitch
Step 6 dot1x supplicant force-multicast Forces the switch to send only multicast
EAPOL packets when it receives either unicast
Example: or multicast packets.
Step 8 switchport trunk encapsulation dot1q Sets the port to trunk mode.
Example:
Switch(config-if)# switchport trunk
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1311
How to Configure 802.1x Port-Based Authentication
Step 9 switchport mode trunk Configures the interface as a VLAN trunk port.
Example:
Switch(config-if)# switchport mode
trunk
Step 10 dot1x pae supplicant Configures the interface as a port access entity
(PAE) supplicant.
Example:
Switch(config-if)# dot1x pae supplicant
Step 11 dot1x credentials profile-name Attaches the 802.1x credentials profile to the
interface.
Example:
Switch(config-if)# dot1x credentials
test
Example:
Switch(config-if)# end
Example:
Switch# show running-config interface
gigabitethernet1/0/1
Step 15 Configuring NEAT with Auto Smartports You can also use an Auto Smartports
Macros user-defined macro instead of the switch VSA
to configure the authenticator switch. For more
information, see the Auto Smartports
Configuration Guide for this release.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1312
How to Configure 802.1x Port-Based Authentication
Note You must configure a downloadable ACL on the ACS before downloading it to the switch.
After authentication on the port, you can use the show ip access-list privileged EXEC command to display
the downloaded ACLs on the port.
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# ip device tracking
Example:
Switch(config)# aaa new-model
Step 4 aaa authorization network default local group Sets the authorization method to local. To
radius remove the authorization method, use the
no aaa authorization network default
Example: local group radius command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1313
How to Configure 802.1x Port-Based Authentication
Example:
Switch(config-if)# show running-config
interface gigabitethernet2/0/4
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1314
How to Configure 802.1x Port-Based Authentication
Example:
Enter deny or permit to specify whether to deny or permit
Switch(config)# access-list 1 access if conditions are matched.
deny any log
The source is the source address of the network or host that
sends a packet, such as this:
• hostname: The 32-bit quantity in dotted-decimal
format.
• any: The keyword any as an abbreviation for source
and source-wildcard value of 0.0.0.0
255.255.255.255. You do not need to enter a
source-wildcard value.
• host: The keyword host as an abbreviation for source
and source-wildcard of source 0.0.0.0.
Example:
Switch(config)# interface
gigabitethernet2/0/2
Step 4 ip access-group acl-id in Configures the default ACL on the port in the input
direction.
Example: Note The acl-id is an access list name or
Switch(config-if)# ip number.
access-group default_acl in
Example:
Switch(config-if)# exit
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1315
How to Configure 802.1x Port-Based Authentication
Example:
Switch(config)# aaa new-model
Step 7 aaa authorization network default Sets the authorization method to local. To remove the
group radius authorization method, use the no aaa authorization
network default group radius command.
Example:
Switch(config)# aaa
authorization network default
group radius
Step 9 ip device tracking probe [count | (Optional) Configures the IP device tracking table:
interval | use-svi]
• count count—Sets the number of times that the
switch sends the ARP probe. The range is from 1 to
Example: 5. The default is 3.
Switch(config)# ip device
tracking probe count • interval interval—Sets the number of seconds that
the switch waits for a response before resending the
ARP probe. The range is from 30 to 300 seconds.
The default is 30 seconds.
• use-svi—Uses the switch virtual interface (SVI) IP
address as source of ARP probes.
Step 10 radius-server vsa send Configures the network access server to recognize and use
authentication vendor-specific attributes.
Note The downloadable ACL must be
Example: operational.
Switch(config)# radius-server
vsa send authentication
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1316
How to Configure 802.1x Port-Based Authentication
Procedure
Example:
Switch# configure terminal
Step 2 mab request format attribute 32 vlan access-vlan Enables VLAN ID-based MAC
authentication.
Example:
Switch(config)# mab request format attribute
32 vlan access-vlan
Note Before changing the default order and priority of these authentication methods, however, you should
understand the potential consequences of those changes. See http://www.cisco.com/en/US/prod/collateral/
iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287_ps6638_Products_White_Paper.html for
details.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1317
How to Configure 802.1x Port-Based Authentication
Procedure
Example:
Switch# configure terminal
Step 3 switchport mode access Sets the port to access mode only if you
previously configured the RADIUS server.
Example:
Switch(config-if)# switchport mode access
Step 4 authentication order [ dot1x | mab ] | (Optional) Sets the order of authentication
{webauth} methods used on a port.
Example:
Switch(config-if)# authentication order
mab dot1x
Example:
Switch(config-if)# authentication
priority mab dot1x
Example:
Switch(config-if)# end
Related Topics
Flexible Authentication Ordering, on page 1266
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1318
How to Configure 802.1x Port-Based Authentication
Configuring Open1x
Beginning in privileged EXEC mode, follow these steps to enable manual control of the port authorization
state:
Procedure
Example:
Switch# configure terminal
Step 3 switchport mode access Sets the port to access mode only if you
configured the RADIUS server.
Example:
Switch(config-if)# switchport mode access
Step 4 authentication control-direction {both | in} (Optional) Configures the port control as
unidirectional or bidirectional.
Example:
Switch(config-if)# authentication
control-direction both
Example:
Switch(config-if)# authentication
host-mode multi-auth
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1319
How to Configure 802.1x Port-Based Authentication
Step 8 authentication order [ dot1x | mab ] | (Optional) Sets the order of authentication
{webauth} methods used on a port.
Example:
Switch(config-if)# authentication order
dot1x webauth
Example:
Switch(config-if)# authentication
port-control auto
Example:
Switch(config-if)# end
Related Topics
Open1x Authentication, on page 1266
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1320
How to Configure 802.1x Port-Based Authentication
Procedure
Example:
Switch# configure terminal
Step 3 switchport mode access (Optional) Sets the port to access mode only
if you configured the RADIUS server.
Example:
Switch(config-if)# switchport mode
access
Example:
Switch(config-if)# no dot1x pae
authenticator
Example:
Switch(config-if)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1321
Monitoring 802.1x Statistics and Status
Procedure
Example:
Switch# configure terminal
Example:
Switch(config-if)# end
Command Purpose
show dot1x all statistics Displays 802.1x statistics for all ports
show dot1x interface interface-id statistics Displays 802.1x statistics for a specific port
show dot1x all [count | details | statistics | Displays the 802.1x administrative and operational
summary] status for a switch
show dot1x interface interface-id Displays the 802.1x administrative and operational
status for a specific port
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1322
Additional References
Command Purpose
no dot1x logging verbose Filters verbose 802.1x authentication messages
(beginning with Cisco IOS Release 12.2(55)SE)
For detailed information about the fields in these displays, see the command reference for this release.
Additional References
Related Documents
Configuring RADIUS, TACACS+, Secure Shell, Securing User Services Configuration Guide Library,
802.1X and AAA. Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
http://www.cisco.com/en/US/docs/ios-xml/ios/
security/config_library/xe-3se/3850/
secuser-xe-3se-3850-library.html
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1323
Feature Information for 802.1x Port-Based Authentication
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1324
CHAPTER 59
Configuring Web-Based Authentication
The Web-Based Authentication feature, also known as web authentication proxy, authenticates end users on
host systems that do not run the IEEE 802.1x supplicant.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1325
Information About Web-Based Authentication
Note You can configure web-based authentication on Layer 2 and Layer 3 interfaces.
When you initiate an HTTP session, web-based authentication intercepts ingress HTTP packets from the host
and sends an HTML login page to the users. The users enter their credentials, which the web-based
authentication feature sends to the authentication, authorization, and accounting (AAA) server for authentication.
If authentication succeeds, web-based authentication sends a Login-Successful HTML page to the host and
applies the access policies returned by the AAA server.
If authentication fails, web-based authentication forwards a Login-Fail HTML page to the user, prompting
the user to retry the login. If the user exceeds the maximum number of attempts, web-based authentication
forwards a Login-Expired HTML page to the host, and the user is placed on a watch list for a waiting period.
Note HTTPS traffic interception for central web authentication redirect is not supported.
Note You should use global parameter-map (for method-type, custom, and redirect) only for using the same
web authentication methods like consent, web consent, and webauth, for all the clients and SSIDs. This
ensures that all the clients have the same web-authentication method.
If the requirement is to use Consent for one SSID and Web-authentication for another SSID, then you
should use two named parameter-maps. You should configure Consent in first parameter-map and configure
webauth in second parameter-map.
Note The traceback that you receive when webauth client tries to do authentication does not have any performance
or behavioral impact. It happens rarely when the context for which FFM replied back to EPM for ACL
application is already dequeued (possibly due to timer expiry) and the session becomes ‘unauthorized’.
Device Roles
With web-based authentication, the devices in the network have these specific roles:
• Client—The device (workstation) that requests access to the LAN and the services and responds to
requests from the switch. The workstation must be running an HTML browser with Java Script enabled.
• Authentication server—Authenticates the client. The authentication server validates the identity of the
client and notifies the switch that the client is authorized to access the LAN and the switch services or
that the client is denied.
• Switch—Controls the physical access to the network based on the authentication status of the client. The
switch acts as an intermediary (proxy) between the client and the authentication server, requesting
identity information from the client, verifying that information with the authentication server, and relaying
a response to the client.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1326
Information About Web-Based Authentication
Host Detection
The switch maintains an IP device tracking table to store information about detected hosts.
Note By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking
feature to use web-based authentication.
For Layer 2 interfaces, web-based authentication detects IP hosts by using these mechanisms:
• ARP based trigger—ARP redirect ACL allows web-based authentication to detect hosts with a static IP
address or a dynamic IP address.
• Dynamic ARP inspection
• DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding entry
for the host.
Session Creation
When web-based authentication detects a new host, it creates a session as follows:
• Reviews the exception list.
If the host IP is included in the exception list, the policy from the exception list entry is applied, and the
session is established.
• Reviews for authorization bypass
If the host IP is not on the exception list, web-based authentication sends a nonresponsive-host (NRH)
request to the server.
If the server response is access accepted, authorization is bypassed for this host. The session is established.
• Sets up the HTTP intercept ACL
If the server response to the NRH request is access rejected, the HTTP intercept ACL is activated, and
the session waits for HTTP traffic from the host.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1327
Information About Web-Based Authentication
Authentication Process
When you enable web-based authentication, these events occur:
• The user initiates an HTTP session.
• The HTTP traffic is intercepted, and authorization is initiated. The switch sends the login page to the
user. The user enters a username and password, and the switch sends the entries to the authentication
server.
• If the authentication succeeds, the switch downloads and activates the user’s access policy from the
authentication server. The login success page is sent to the user.
• If the authentication fails, the switch sends the login fail page. The user retries the login. If the maximum
number of attempts fails, the switch sends the login expired page, and the host is placed in a watch list.
After the watch list times out, the user can retry the authentication process.
• If the authentication server does not respond to the switch, and if an AAA fail policy is configured, the
switch applies the failure access policy to the host. The login success page is sent to the user.
• The switch reauthenticates a client when the host does not respond to an ARP probe on a Layer 2 interface,
or when the host does not send any traffic within the idle timeout on a Layer 3 interface.
• The feature applies the downloaded timeout or the locally configured session timeout.
Note Beginning with Cisco IOS XE Denali 16.1.1 and later, the default session timeout value
for web-based authentication on WLC is 1800 seconds. The default session timeout
value was infinite seconds, prior to Cisco IOS XE Denali 16.1.1.
• If the terminate action is RADIUS, the feature sends a nonresponsive host (NRH) request to the server.
The terminate action is included in the response from the server.
• If the terminate action is default, the session is dismantled, and the applied policy is removed.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1328
Information About Web-Based Authentication
Authenticating the user at the client Following the login attempt, the authentication proxy
action can vary depending on whether JavaScript is
enabled in the browser. If JavaScript is enabled, and
authentication is successful, the authentication proxy
displays a message indicating the status of the
authentication as shown in the Authentication Proxy
Login Status Message figure, in the How the
Authentication Proxy Works module. After the
authentication status is displayed, the proxy
automatically completes the HTTP connection.
If JavaScript is disabled, and authentication is
successful, the authentication proxy generates a popup
window with additional instructions for completing
the connection. See the Authentication Proxy Login
Status Message with JavaScript Disabled figure, in
the Secure Authentication module.
If authentication is unsuccessful in any case, the user
must log in again from the login page.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1329
Information About Web-Based Authentication
• You want to use the authentication proxy in conjunction with AAA accounting to generate “start” and
“stop” accounting records that can be used for billing, security, or resource allocation purposes, thereby
allowing users to track traffic from the authenticated hosts.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1330
Information About Web-Based Authentication
The figure below shows the authentication proxy applied at the dial-in interface with all network traffic blocked
at each interface.
The Local Web Authentication Banner can be configured in legacy and new-style (Session-aware) CLIs as
follows:
• Legacy mode—Use the ip admission auth-proxy-banner http global configuration command.
• New-style mode—Use the parameter-map type webauth global bannerglobal configuration command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1331
Information About Web-Based Authentication
The default banner Cisco Systems and Switch host-name Authentication appear on the Login Page. Cisco
Systems appears on the authentication result pop-up page.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1332
Information About Web-Based Authentication
• New-style mode—Use the parameter-map type webauth global banner global configuration
command
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1333
Information About Web-Based Authentication
If you do not enable a banner, only the username and password dialog boxes appear in the web authentication
login screen, and no banner appears when you log into the switch.
For more information, see the Session Aware Networking Configuration Guide, Cisco IOS XE Release 3SE
(Catalyst 3850 Switches) Session Aware Networking Configuration Guide, Cisco IOS XE Release 3SE (Catalyst
3850 Switches) and the Web Authentication Enhancements - Customizing Authentication Proxy Web Pages.
Guidelines
• You can substitute your own HTML pages for the default internal HTML pages.
• You can use a logo or specify text in the login, success, failure, and expire web pages.
• On the banner page, you can specify text in the login page.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1334
Information About Web-Based Authentication
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1335
Information About Web-Based Authentication
You can substitute your HTML pages for the default internal HTML pages. You can also specify a URL to
which users are redirected after authentication occurs, which replaces the internal Success page.
Because the custom login page is a public web form, consider these guidelines for the page:
• The login form must accept user entries for the username and password and must show them as uname
and pwd.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1336
Information About Web-Based Authentication
• The custom login page should follow best practices for a web form, such as page timeout, hidden
password, and prevention of redundant submissions.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1337
Information About Web-Based Authentication
This illustration displays the packet flow that redirects a user to the originally requested URL:
1 A user accesses a network for the first time and sends an HTTP request to access www.google.com. When
the user first accesses the network, a MAC authentication bypass (MAB) is triggered and the MAC address
is sent to the Cisco ISE.
2 The Cisco ISE returns a RADIUS access-accept message (even if the MAC address is not received) along
with the redirect access control list (ACL), the ACL-WEBAUTH-REDIRECT message, and the guest
web portal URL to the device.
The RADIUS message instructs the device to open a port that is restricted based on the configured port
and the redirect ACLs, for regular network traffic.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1338
Information About Web-Based Authentication
3 When the user launches a web browser, the device intercepts the HTTP traffic and redirects the browser
to the Cisco ISE central web authentication (CWA) guest web portal URL; the user-requested URL is
extracted and appended to the Cisco ISE guest URL.
4 When the user is authenticated, the Cisco ISE sends the Device Registration page to the user. The user
enters the required information, and the page is returned to the Cisco ISE. The Cisco ISE downloads user
profiles and redirects the user to the originally requested URL: www.google.com.
802.1x Authentication
These are the 802.1x authentication configuration guidelines:
• When 802.1x authentication is enabled, ports are authenticated before any other Layer 2 or Layer 3
features are enabled.
• If the VLAN to which an 802.1x-enabled port is assigned changes, this change is transparent and does
not affect the switch. For example, this change occurs if a port is assigned to a RADIUS server-assigned
VLAN and is then assigned to a different VLAN after re-authentication.
If the VLAN to which an 802.1x port is assigned to shut down, disabled, or removed, the port becomes
unauthorized. For example, the port is unauthorized after the access VLAN to which a port is assigned
shuts down or is removed.
• The 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed
ports, but it is not supported on these port types:
◦Dynamic ports—A port in dynamic mode can negotiate with its neighbor to become a trunk port.
If you try to enable 802.1x authentication on a dynamic port, an error message appears, and 802.1x
authentication is not enabled. If you try to change the mode of an 802.1x-enabled port to dynamic,
an error message appears, and the port mode is not changed.
◦EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an
EtherChannel as an 802.1x port. If you try to enable 802.1x authentication on an EtherChannel
port, an error message appears, and 802.1x authentication is not enabled.
◦Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports—You can enable
802.1x authentication on a port that is a SPAN or RSPAN destination port. However, 802.1x
authentication is disabled until the port is removed as a SPAN or RSPAN destination port. You
can enable 802.1x authentication on a SPAN or RSPAN source port.
• Before globally enabling 802.1x authentication on a switch by entering the dot1x system-auth-control
global configuration command, remove the EtherChannel configuration from the interfaces on which
802.1x authentication and EtherChannel are configured.
• Cisco IOS Release 12.2(55)SE and later supports filtering of system messages related to 802.1x
authentication.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1339
Information About Web-Based Authentication
When an authentication proxy cache and associated dynamic access control lists (ACLs) are created, the
authentication proxy will start to track the traffic from the authenticated host. Accounting saves data about
this event in a data structure stored with the data of other users. If the accounting start option is enabled, you
can generate an accounting record (a “start” record) at this time. Subsequent traffic from the authenticated
host will be recorded when the dynamic ACL created by the authentication proxy receives the packets.
When an authentication proxy cache expires and is deleted, additional data, such as elapsed time, is added to
the accounting information and a “stop” record is sent to the server. At this point, the information is deleted
from the data structure.
The accounting records for the authentication proxy user session are related to the cache and the dynamic
ACL usage.
ACLs
If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic
only after the web-based authentication host policy is applied.
For Layer 2 web-based authentication, it is more secure, though not required, to configure a port ACL (PACL)
as the default access policy for ingress traffic from hosts connected to the port. After authentication, the
web-based authentication host policy overrides the PACL. The Policy ACL is applied to the session even if
there is no ACL configured on the port.
You cannot configure a MAC ACL and web-based authentication on the same interface.
You cannot configure web-based authentication on a port whose access VLAN is configured for VACL
capture.
EtherChannel
You can configure web-based authentication on a Layer 2 EtherChannel interface. The web-based authentication
configuration applies to all member channels.
Gateway IP
You cannot configure Gateway IP (GWIP) on a Layer 3 VLAN interface if web-based authentication is
configured on any of the switch ports in the VLAN.
You can configure web-based authentication on the same Layer 3 interface as Gateway IP. The host policies
for both features are applied in software. The GWIP policy overrides the web-based authentication host policy.
LAN Port IP
You can configure LAN port IP (LPIP) and Layer 2 web-based authentication on the same port. The host is
authenticated by using web-based authentication first, followed by LPIP posture validation. The LPIP host
policy overrides the web-based authentication host policy.
If the web-based authentication idle timer expires, the NAC policy is removed. The host is authenticated, and
posture is validated again.
Port Security
You can configure web-based authentication and port security on the same port. Web-based authentication
authenticates the port, and port security manages network access for all MAC addresses, including that of the
client. You can then limit the number or group of clients that can access the network through the port.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1340
Information About Web-Based Authentication
RADIUS server
• None specified
• IP address
• 1645
• UDP authentication port
• None specified
• Key
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1341
Information About Web-Based Authentication
• Web-based authentication and Network Edge Access Topology (NEAT) are mutually exclusive. You
cannot use web-based authentication when NEAT is enabled on an interface, and you cannot use NEAT
when web-based authentication is running on an interface.
• Web-based authentication NRH (Non-Responsive Host) is not supported for voice devices.
• Only the Password Authentication Protocol (PAP) is supported for web-based RADIUS authentication
on controllers. The Challenge Handshake Authentication Protocol (CHAP) is not supported for web-based
RADIUS authentication on controllers.
• Identify the following RADIUS security server settings that will be used while configuring
switch-to-RADIUS-server communication:
◦Host name
◦Host IP address
◦Host name and specific UDP port numbers
◦IP address and specific UDP port numbers
The combination of the IP address and UDP port number creates a unique identifier, that enables RADIUS
requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries
on the same RADIUS server are configured for the same service (for example, authentication) the second
host entry that is configured functions as the failover backup to the first one. The RADIUS host entries
are chosen in the order that they were configured.
• When you configure the RADIUS server parameters:
◦Specify the key string on a separate command line.
◦For key string, specify the authentication and encryption key used between the switch and the
RADIUS daemon running on the RADIUS server. The key is a text string that must match the
encryption key used on the RADIUS server.
◦When you specify the key string, use spaces within and at the end of the key. If you use spaces in
the key, do not enclose the key in quotation marks unless the quotation marks are part of the key.
This key must match the encryption used on the RADIUS daemon.
◦You can globally configure the timeout, retransmission, and encryption key values for all RADIUS
servers by using with the radius-server host global configuration command. If you want to
configure these options on a per-server basis, use the radius-server timeout, radius-server transmit,
and the radius-server key global configuration commands. For more information, see the Cisco
IOS Security Configuration Guide, Release 12.4 and the Cisco IOS Security Command Reference,
Release 12.4.
Note You need to configure some settings on the RADIUS server, including: the switch IP
address, the key string to be shared by both the server and the switch, and the
downloadable ACL (DACL). For more information, see the RADIUS server
documentation.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1342
How to Configure Web-Based Authentication
Procedure
Example:
Switch# configure terminal
Step 3 ip admission name name proxy http Configures an authentication rule for
web-based authorization.
Example:
Switch(config)# ip admission name
webauth1 proxy http
Example:
Switch(config-if)# ip access-group
webauthag
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1343
How to Configure Web-Based Authentication
Example:
Switch(config-if)# exit
Example:
Switch(config)# ip device tracking
Example:
Switch(config)# end
Example:
Switch# show ip admission status
Note Use default list for AAA authorization, if you are planning to use features such as dACL.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1344
How to Configure Web-Based Authentication
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# aaa new-model
Step 4 aaa authentication login default group {tacacs+ Defines the list of authentication methods
| radius} at login.
Example:
Switch(config)# aaa authentication login
default group tacacs+
Step 5 aaa authorization auth-proxy default group Creates an authorization method list for
{tacacs+ | radius} web-based authorization.
Example:
Switch(config)# aaa authorization
auth-proxy default group tacacs+
Example:
Switch(config)# tacacs-server host 10.1.1.1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1345
How to Configure Web-Based Authentication
Example:
Switch(config)# end
Example:
Switch# show running-config
Procedure
Example:
Switch# configure terminal
Step 3 ip radius source-interface vlan vlan Specifies that the RADIUS packets have the IP address
interface number of the indicated interface.
Example:
Switch(config)# ip radius
source-interface vlan 80
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1346
How to Configure Web-Based Authentication
Step 5 radius-server key string Configures the authorization and encryption key used
between the switch and the RADIUS daemon running
Example: on the RADIUS server.
Step 6 radius-server dead-criteria tries Specifies the number of unanswered sent messages to
num-tries a RADIUS server before considering the server to be
inactive. The range of num-tries is 1 to 100.
Example:
Switch(config)# radius-server
dead-criteria tries 30
Example:
Switch(config)# end
Note The Apple psuedo-browser will not open if you configure only the ip http secure-server command. You
should also configure the ip http server command.
Follow these steps to enable the server for either HTTP or HTTPS:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1347
How to Configure Web-Based Authentication
Procedure
Example:
Switch# configure terminal
Step 3 ip http server Enables the HTTP server. The web-based authentication
feature uses the HTTP server to communicate with the
Example: hosts for user authentication.
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1348
How to Configure Web-Based Authentication
Procedure
Example:
Switch# configure terminal
Step 3 ip admission proxy http login page file Specifies the location in the Switch memory
device:login-filename file system of the custom HTML file to use in
place of the default login page. The device: is
Example: flash memory.
Step 4 ip admission proxy http success page file Specifies the location of the custom HTML
device:success-filename file to use in place of the default login success
page.
Example:
Switch(config)# ip admission proxy http
success page file disk1:success.htm
Step 5 ip admission proxy http failure page file Specifies the location of the custom HTML
device:fail-filename file to use in place of the default login failure
page.
Example:
Switch(config)# ip admission proxy http
fail page file disk1:fail.htm
Step 6 ip admission proxy http login expired page file Specifies the location of the custom HTML
device:expired-filename file to use in place of the default login expired
page.
Example:
Switch(config)# ip admission proxy http
login expired page file disk1:expired.htm
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1349
How to Configure Web-Based Authentication
Example:
Switch(config)# end
Procedure
Example:
Switch# configure terminal
Step 3 ip admission proxy http success redirect Specifies a URL for redirection of the user in
url-string place of the default login success page.
Example:
Switch(config)# ip admission proxy http
success redirect www.example.com
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1350
How to Configure Web-Based Authentication
Procedure
Example:
Switch# configure terminal
Step 3 ip admission max-login-attempts number Sets the maximum number of failed login
attempts. The range is 1 to 2147483647
Example: attempts. The default is 5.
Switch(config)# ip admission
max-login-attempts 10
Example:
Switch(config)# end
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1351
How to Configure Web-Based Authentication
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# end
Step 4 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch(config)# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1352
How to Configure Web-Based Authentication
Procedure
Example:
Switch# configure terminal
Step 3 parameter-map type webauth global Creates a parameter map and enters parameter-map
webauth configuration mode. The specific
Example: configuration commands supported for a global
Switch (config)# parameter-map type parameter map defined with the global keyword
webauth global differ from the commands supported for a named
parameter map defined with the
parameter-map-name argument.
Step 4 l2-webauth-enabled Enables the web-based authentication without SVI
feature
Example:
Switch (config-params-parameter-map)#
l2-webauth-enabled
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1353
How to Configure Web-Based Authentication
Procedure
Example:
Switch# configure terminal
Step 3 parameter-map type webauth global Creates a parameter map and enters parameter-map
webauth configuration mode. The specific
Example: configuration commands supported for a global
Switch (config)# parameter-map type parameter map defined with the global keyword
webauth global differ from the commands supported for a named
parameter map defined with the
parameter-map-name argument.
Step 4 webauth-vrf-aware Enables the web-based authentication VRF aware
feature on SVI.
Example:
Switch
(config-params-parameter-map)#
webauth-vrf-aware
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1354
How to Configure Web-Based Authentication
Procedure
Step 2 clear ip auth-proxy cache {* | host ip Delete authentication proxy entries. Use an asterisk
address} to delete all cache entries. Enter a specific IP address
to delete the entry for a single host.
Example:
Switch# clear ip auth-proxy cache
192.168.4.5
Step 3 clear ip admission cache {* | host ip Delete authentication proxy entries. Use an asterisk
address} to delete all cache entries. Enter a specific IP address
to delete the entry for a single host.
Example:
Switch# clear ip admission cache
192.168.4.5
Command Purpose
show authentication sessions method webauth Displays the web-based authentication settings for all
interfaces for fastethernet, gigabitethernet, or
tengigabitethernet
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1355
How to Configure Web-Based Authentication
Command Purpose
show authentication sessions interface Displays the web-based authentication settings for
type slot/port[details] the specified interface for fastethernet, gigabitethernet,
or tengigabitethernet.
In Session Aware Networking mode, use the show
access-session interface command.
Procedure
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1356
How to Configure Web-Based Authentication
Procedure
Step 3 show ip auth-proxy cache Displays the list of user authentication entries.
The authentication proxy cache lists the host IP
Example: address, the source port number, the timeout value for
Device# show ip auth-proxy cache the authentication proxy, and the state of the
connection. If the authentication proxy state is
HTTP_ESTAB, the user authentication was
successful.
Example:
Device# show ip http server secure
status
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1357
Configuration Examples for Web-Based Authentication
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1358
Configuration Examples for Web-Based Authentication
This example shows how to verify the configuration of a custom authentication proxy web pages:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1359
Additional References for Web-Based Authentication
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1360
CHAPTER 60
Auto Identity
• Auto Identity, page 1361
Auto Identity
The Auto Identity feature provides a set of built-in policies at global configuration and interface configuration
modes. This feature is available only in Class-Based Policy Language (CPL) control policy-equivalent new-style
mode. To convert all the relevant authentication commands to their CPL control policy-equivalents, use the
authentication convert-to new-style command.
This module describes the feature and explains how to configure it.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1361
Auto Identity
The Auto Identity feature uses the Cisco Common Classification Policy Language-based configuration that
significantly reduces the number of commands used to configure both authentication methods and interface-level
commands. The Auto Identity feature provides a set of built-in policies that are based on policy maps, class
maps, parameter maps, and interface templates.
In global configuration mode, the source template AI_GLOBAL_CONFIG_TEMPLATE command
enables the Auto Identity feature. In interface configuration mode, configure the AI_MONITOR_MODE,
AI_LOW_IMPACT_MODE, or AI_CLOSED_MODE interface templates to enable the feature on interfaces.
You can configure multiple templates; however, you must bind multiple templates together using the merge
command. If you do not bind the templates, the last configured template is used. While binding templates, if
the same command is repeated in two templates with different arguments, the last configured command is
used.
Note You can also enable user-defined templates that are configured using the template name command in
global configuration mode .
Use the show template interface or show template global commands to display information about built-in
templates. Built-in templates can be edited. Built-in template information is displayed in the output of the
show running-config command, if the template is edited. If you delete an edited built-in template, the built-in
template reverts to the default and is not deleted from the configuration. However; if you delete a user-defined
template, it is deleted from the configuration.
Note Before you delete a template, ensure that it is not attached to a device.
Note You must configure the RADIUS server commands, because these are not automatically configured when
the global template is enabled.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1362
Auto Identity
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1363
Auto Identity
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1364
Auto Identity
Procedure
Example:
Switch# configure terminal
Step 5 radius server name Specifies the name for the RADIUS server
configuration for Protected Access Credential (PAC)
Example: provisioning and enters RADIUS server configuration
Switch(config)# radius server ISE mode.
Step 6 address ipv4 {hostname | ipv4-address} Configures the IPv4 address for the RADIUS server
accounting and authentication parameters.
Example: Note This command is not a part of the global
Switch(config-radius-server)#
address ipv4 10.1.1.1 template, and you must configure it.
Step 7 key ipv4 {0 string | 7 string} string Specifies the authentication and encryption key for
all RADIUS communications between the device and
Example: the RADIUS server.
Switch(config-radius-server)# key
ipv4 cisco Note This command is not a part of the global
template, and you must configure it.
Step 8 end Exits RADIUS server configuration mode and returns
to privileged EXEC mode.
Example:
Switch(config-radius-server)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1365
Auto Identity
Procedure
Example:
Switch# configure terminal
Example:
Switch(config-if)# source template
AI_CLOSED_MODE
Step 6 switchport access vlan vlan-id Sets the VLAN when the interface is in
access mode.
Example:
Switch(config-if)# switchport access vlan
100
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1366
Auto Identity
Procedure
Step 1 enable
Example:
Switch> enable
Enables Privileged EXEC mode.
• Enter your password if prompted.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1367
Auto Identity
Example:
Switch# show template interface source built-in all
Example:
Switch# show template global source built-in all
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1368
Auto Identity
Example:
Switch# show derived-config | inc aaa| radius-server
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting identity default start-stop group radius
aaa accounting system default start-stop group radius
aaa session-id common
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 6 voice 1
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server host 10.25.18.42 key cisco
Example:
Switch# show derived-config | interface gigabitethernet2/0/6
Building configuration...
Example:
Switch# show access-session interface gigabitethernet2/0/6 details
Interface: GigabitEthernet2/0/6
MAC Address: c025.5c43.be00
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: CP-9971-SEPC0255C43BE00
Device-type: Cisco-IP-Phone-9971
Status: Authorized
Domain: VOICE
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 091A1C5B00000017002003EE
Acct Session ID: 0x00000005
Handle: 0xBB00000B
Current Policy: AI_DOT1X_MAB_POLICIES
Local Policies:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1369
Auto Identity
Server Policies:
Vlan Group: Vlan: 100
Security Policy: Must Not Secure
Security Status: Link Unsecure
Example:
Switch# show running-config interface gigabitethernet2/0/6
Building configuration...
Example:
Switch# show lldp neighbor
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
(W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1370
Auto Identity
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1371
Auto Identity
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1372
CHAPTER 61
Configuring Port-Based Traffic Control
• Overview of Port-Based Traffic Control , page 1374
• Finding Feature Information, page 1374
• Information About Storm Control, page 1374
• How to Configure Storm Control, page 1376
• Finding Feature Information, page 1380
• Information About Protected Ports, page 1380
• How to Configure Protected Ports, page 1381
• Monitoring Protected Ports, page 1383
• Where to Go Next, page 1383
• Additional References, page 1383
• Feature Information, page 1384
• Finding Feature Information, page 1384
• Information About Port Blocking, page 1384
• How to Configure Port Blocking, page 1385
• Monitoring Port Blocking, page 1386
• Where to Go Next, page 1386
• Additional References, page 1387
• Feature Information, page 1388
• Prerequisites for Port Security, page 1388
• Restrictions for Port Security, page 1388
• Information About Port Security, page 1389
• How to Configure Port Security, page 1394
• Configuration Examples for Port Security, page 1414
• Additional References, page 1414
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1373
Overview of Port-Based Traffic Control
Storm Control
Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on
one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic
and degrading network performance. Errors in the protocol-stack implementation, mistakes in network
configurations, or users issuing a denial-of-service attack can cause a storm.
Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and
determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a
specified type received within the 1-second time interval and compares the measurement with a predefined
suppression-level threshold.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1374
Information About Storm Control
With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until
the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If
the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the
rising suppression level. In general, the higher the level, the less effective the protection against broadcast
storms.
Note When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic,
such as bridge protocol data unit (BDPU) and Cisco Discovery Protocol (CDP) frames, are blocked.
However, the switch does not differentiate between routing updates, such as OSPF, and regular multicast
data traffic, so both types of traffic are blocked.
Traffic Patterns
This example shows broadcast traffic patterns on an interface over a given period of time.
Figure 103: Broadcast Storm Control Example
Broadcast traffic being forwarded exceeded the configured threshold between time intervals T1 and T2 and
between T4 and T5. When the amount of specified traffic exceeds the threshold, all traffic of that kind is
dropped for the next time period. Therefore, broadcast traffic is blocked during the intervals following T2
and T5. At the next time interval (for example, T3), if broadcast traffic does not exceed the threshold, it is
again forwarded.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1375
How to Configure Storm Control
The combination of the storm-control suppression level and the 1-second time interval controls the way the
storm control algorithm works. A higher threshold allows more packets to pass through. A threshold value
of 100 percent means that no limit is placed on the traffic. A value of 0.0 means that all broadcast, multicast,
or unicast traffic on that port is blocked.
Note Because packets do not arrive at uniform intervals, the 1-second time interval during which traffic activity
is measured can affect the behavior of storm control.
You use the storm-control interface configuration commands to set the threshold value for each traffic type.
Note Storm control is supported on physical interfaces. You can also configure storm control on an EtherChannel.
When storm control is configured on an EtherChannel, the storm control settings propagate to the
EtherChannel physical interfaces.
Follow these steps to storm control and threshold levels:
Procedure
Example:
Switch> enable
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1376
How to Configure Storm Control
For BPS and PPS settings, you can use metric suffixes such as k,
m, and g for large number thresholds.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1377
How to Configure Storm Control
Example:
Switch(config-if)# end
Step 7 show storm-control Verifies the storm control suppression levels set on the interface
[interface-id] [broadcast | for the specified traffic type. If you do not enter a traffic type,
multicast | unicast] details for all traffic types (broadcast, multicast and unicast) are
displayed.
Example:
Switch# show storm-control
gigabitethernet1/0/1
unicast
Step 8 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1378
How to Configure Storm Control
Procedure
Example:
Switch# configure terminal
Step 3 errdisable detect cause small-frame Enables the small-frame rate-arrival feature on the
switch.
Example:
Switch(config)# errdisable detect
cause small-frame
Step 4 errdisable recovery interval interval (Optional) Specifies the time to recover from the
specified error-disabled state.
Example:
Switch(config)# errdisable recovery
interval 60
Step 5 errdisable recovery cause small-frame (Optional) Configures the recovery time for
error-disabled ports to be automatically re-enabled
Example: after they are error disabled by the arrival of small
frames
Switch(config)# errdisable recovery
cause small-frame Storm control is supported on physical interfaces.
You can also configure storm control on an
EtherChannel. When storm control is configured
on an EtherChannel, the storm control settings
propagate to the EtherChannel physical interfaces.
Step 7 small-frame violation-rate pps Configures the threshold rate for the interface to
drop incoming packets and error disable the port.
Example: The range is 1 to 10,000 packets per second (pps)
Switch(config-if)# small-frame
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1379
Finding Feature Information
Example:
Switch(config)# end
Example:
Switch# show interfaces
gigabitethernet1/0/2
Example:
Switch# show running-config
Step 11 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Protected Ports
Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that
one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1380
How to Configure Protected Ports
protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports
on the switch.
Protected ports have these features:
• A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is
also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control
traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded
in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
• Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
Because a switch stack represents a single logical switch, Layer 2 traffic is not forwarded between any protected
ports in the switch stack, whether they are on the same or different switches in the stack.
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1381
How to Configure Protected Ports
Example:
Switch(config)# end
Example:
Switch# show interfaces
gigabitethernet1/0/1 switchport
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1382
Monitoring Protected Ports
Command Purpose
show interfaces [interface-id] switchport Displays the administrative and operational status of all
switching (nonrouting) ports or the specified port, including
port blocking and port protection settings.
Where to Go Next
•
Additional References
Error Message Decoder
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1383
Feature Information
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Feature Information
Release Feature Information
Cisco IOS 15.0(2)EX This feature was introduced.
Port Blocking
By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown
unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown
unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or
nonprotected) from flooding unknown unicast or multicast packets to other ports.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1384
How to Configure Port Blocking
Note With multicast traffic, the port blocking feature blocks only pure Layer 2 packets. Multicast packets that
contain IPv4 or IPv6 information in the header are not blocked.
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1385
Monitoring Port Blocking
Example:
Switch(config)# end
Example:
Switch# show interfaces
gigabitethernet1/0/1 switchport
Example:
Switch# show running-config
Command Purpose
show interfaces [interface-id] switchport Displays the administrative and operational status of all
switching (nonrouting) ports or the specified port, including
port blocking and port protection settings.
Where to Go Next
•
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1386
Additional References
Additional References
Related Documents
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
Standard/RFC Title
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1387
Feature Information
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Feature Information
Release Feature Information
Cisco IOS 15.0(2)EX This feature was introduced.
Note If you try to set the maximum value to a number less than the number of secure addresses already configured
on an interface, the command is rejected.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1388
Information About Port Security
Port Security
You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses
of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port
does not forward packets with source addresses outside the group of defined addresses. If you limit the number
of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that
port is assured the full bandwidth of the port.
If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when
the MAC address of a station attempting to access the port is different from any of the identified secure MAC
addresses, a security violation occurs. Also, if a station with a secure MAC address configured or learned on
one secure port attempts to access another secure port, a violation is flagged.
Related Topics
Enabling and Configuring Port Security, on page 1394
Configuration Examples for Port Security, on page 1414
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1389
Information About Port Security
Security Violations
It is a security violation when one of these situations occurs:
• The maximum number of secure MAC addresses have been added to the address table, and a station
whose MAC address is not in the address table attempts to access the interface.
• An address learned or configured on one secure interface is seen on another secure interface in the same
VLAN.
You can configure the interface for one of three violation modes, based on the action to be taken if a violation
occurs:
• protect—when the number of secure MAC addresses reaches the maximum limit allowed on the port,
packets with unknown source addresses are dropped until you remove a sufficient number of secure
MAC addresses to drop below the maximum value or increase the number of maximum allowable
addresses. You are not notified that a security violation has occurred.
Note We do not recommend configuring the protect violation mode on a trunk port. The
protect mode disables learning when any VLAN reaches its maximum limit, even if the
port has not reached its maximum limit.
• restrict—when the number of secure MAC addresses reaches the maximum limit allowed on the port,
packets with unknown source addresses are dropped until you remove a sufficient number of secure
MAC addresses to drop below the maximum value or increase the number of maximum allowable
addresses. In this mode, you are notified that a security violation has occurred. An SNMP trap is sent,
a syslog message is logged, and the violation counter increments.
• shutdown—a port security violation causes the interface to become error-disabled and to shut down
immediately, and the port LED turns off. When a secure port is in the error-disabled state, you can bring
it out of this state by entering the errdisable recovery cause psecure-violation global configuration
command, or you can manually re-enable it by entering the shutdown and no shut down interface
configuration commands. This is the default mode.
• shutdown vlan—Use to set the security violation mode per-VLAN. In this mode, the VLAN is error
disabled instead of the entire port when a violation occurs
This table shows the violation mode and the actions taken when you configure an interface for port security.
Violation Traffic is Sends SNMP Sends syslog Displays Violation Shuts down
Mode forwarded trap message error counter port
18
message increments
19
protect No No No No No No
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1390
Information About Port Security
Violation Traffic is Sends SNMP Sends syslog Displays Violation Shuts down
Mode forwarded trap message error counter port
18
message increments
19
18 Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
19 The switch returns an error message if you manually configure an address that would cause a security violation.
20 Shuts down only the VLAN on which the violation occurred.
Related Topics
Enabling and Configuring Port Security Aging, on page 1398
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1391
Information About Port Security
Note Voice VLAN is only supported on access ports and not on trunk ports, even though the
configuration is allowed.
• When you enable port security on an interface that is also configured with a voice VLAN, set the
maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone,
the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN,
but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional
MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure
enough secure addresses to allow one for each PC and one for the phone.
• When a trunk port configured with port security and assigned to an access VLAN for data traffic and to
a voice VLAN for voice traffic, entering the switchport voice and switchport priority extend interface
configuration commands has no effect.
When a connected device uses the same MAC address to request an IP address for the access VLAN
and then an IP address for the voice VLAN, only the access VLAN is assigned an IP address.
• When you enter a maximum secure address value for an interface, and the new value is greater than the
previous value, the new value overwrites the previously configured value. If the new value is less than
the previous value and the number of configured secure addresses on the interface exceeds the new
value, the command is rejected.
• The switch does not support port security aging of sticky secure MAC addresses.
This table summarizes port security compatibility with other port-based features.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1392
Information About Port Security
Dynamic-access port 23 No
Routed port No
EtherChannel Yes
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1393
How to Configure Port Security
Procedure
Example:
Switch> enable
Example:
Switch# configure terminal
Step 3 port-security mac-address Specifies a MAC address that should be forbidden by port-security
forbidden mac address on all the interfaces.
Example:
Switch(config)#
port-security mac-address
forbidden 2.2.2
Step 4 interface interface-id Specifies the interface to be configured, and enter interface
configuration mode.
Example:
Switch(config)# interface
gigabitethernet1/0/1
Step 5 switchport mode {access | Sets the interface switchport mode as access or trunk; an interface
trunk} in the default mode (dynamic auto) cannot be configured as a
secure port.
Example:
Switch(config-if)#
switchport mode access
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1394
How to Configure Port Security
Step 8 switchport port-security (Optional) Sets the maximum number of secure MAC addresses
[maximum value [vlan {vlan-list for the interface. The maximum number of secure MAC addresses
| {access | voice}}]] that you can configure on a switch or switch stack is set by the
maximum number of available MAC addresses allowed in the
Example: system. This number is set by the active Switch Database
Management (SDM) template. This number is the total of available
Switch(config-if)# MAC addresses, including those used for other Layer 2 functions
switchport port-security
maximum 20 and any other secure MAC addresses configured on interfaces.
(Optional) vlan—sets a per-VLAN maximum value
Enter one of these options after you enter the vlan keyword:
• vlan-list—On a trunk port, you can set a per-VLAN
maximum value on a range of VLANs separated by a hyphen
or a series of VLANs separated by commas. For nonspecified
VLANs, the per-VLAN maximum value is used.
• access—On an access port, specifies the VLAN as an access
VLAN.
• voice—On an access port, specifies the VLAN as a voice
VLAN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1395
How to Configure Port Security
Step 10 switchport port-security (Optional) Enters a secure MAC address for the interface. You
[mac-address mac-address [vlan can use this command to enter the maximum number of secure
{vlan-id | {access | voice}}] MAC addresses. If you configure fewer secure MAC addresses
than the maximum, the remaining MAC addresses are dynamically
Example: learned.
Switch(config-if)# Note If you enable sticky learning after you enter this
switchport port-security command, the secure addresses that were dynamically
mac-address learned are converted to sticky secure MAC addresses
00:A0:C7:12:C9:25 vlan 3
voice and are added to the running configuration.
(Optional) vlan—sets a per-VLAN maximum value.
Enter one of these options after you enter the vlan keyword:
• vlan-id—On a trunk port, you can specify the VLAN ID and
the MAC address. If you do not specify a VLAN ID, the
native VLAN is used.
• access—On an access port, specifies the VLAN as an access
VLAN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1396
How to Configure Port Security
Example:
Switch(config-if)#
switchport port-security
mac-address sticky
Step 12 switchport port-security (Optional) Enters a sticky secure MAC address, repeating the
mac-address sticky command as many times as necessary. If you configure fewer
[mac-address | vlan {vlan-id | secure MAC addresses than the maximum, the remaining MAC
{access | voice}}] addresses are dynamically learned, are converted to sticky secure
MAC addresses, and are added to the running configuration.
Example: Note If you do not enable sticky learning before this command
Switch(config-if)# is entered, an error message appears, and you cannot
switchport port-security enter a sticky secure MAC address.
mac-address sticky (Optional) vlan—sets a per-VLAN maximum value.
00:A0:C7:12:C9:25 vlan voice
Enter one of these options after you enter the vlan keyword:
• vlan-id—On a trunk port, you can specify the VLAN ID and
the MAC address. If you do not specify a VLAN ID, the
native VLAN is used.
• access—On an access port, specifies the VLAN as an access
VLAN.
• voice—On an access port, specifies the VLAN as a voice
VLAN.
Example:
Switch(config-if)#
switchport port-security
mac-address forbidden 2.2.2
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1397
How to Configure Port Security
Example:
Switch(config)# end
Example:
Switch# show port-security
Example:
Switch# show running-config
Step 17 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Related Topics
Port Security, on page 1389
Configuration Examples for Port Security, on page 1414
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1398
How to Configure Port Security
Example:
Switch# configure terminal
Step 4 switchport port-security aging {static Enables or disable static aging for the secure port, or
| time time | type {absolute | set the aging time or type.
inactivity}} Note The switch does not support port security aging
of sticky secure addresses.
Example: Enter static to enable aging for statically configured
Switch(config-if)# switchport secure addresses on this port.
port-security aging time 120
For time, specifies the aging time for this port. The valid
range is from 0 to 1440 minutes.
For type, select one of these keywords:
• absolute—Sets the aging type as absolute aging.
All the secure addresses on this port age out
exactly after the time (minutes) specified lapses
and are removed from the secure address list.
• inactivity—Sets the aging type as inactivity aging.
The secure addresses on this port age out only if
there is no data traffic from the secure source
addresses for the specified time period.
Example:
Switch(config)# end
Example:
Switch# show port-security
interface gigabitethernet1/0/1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1399
How to Configure Port Security
Example:
Switch# show running-config
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Related Topics
Port Security Aging, on page 1391
Storm Control
Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on
one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic
and degrading network performance. Errors in the protocol-stack implementation, mistakes in network
configurations, or users issuing a denial-of-service attack can cause a storm.
Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and
determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a
specified type received within the 1-second time interval and compares the measurement with a predefined
suppression-level threshold.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1400
How to Configure Port Security
• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast,
multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in packets per second and for small frames. This feature is enabled globally. The threshold
for small frames is configured for each interface.
With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until
the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If
the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the
rising suppression level. In general, the higher the level, the less effective the protection against broadcast
storms.
Note When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic,
such as bridge protocol data unit (BDPU) and Cisco Discovery Protocol (CDP) frames, are blocked.
However, the switch does not differentiate between routing updates, such as OSPF, and regular multicast
data traffic, so both types of traffic are blocked.
Traffic Patterns
This example shows broadcast traffic patterns on an interface over a given period of time.
Figure 104: Broadcast Storm Control Example
Broadcast traffic being forwarded exceeded the configured threshold between time intervals T1 and T2 and
between T4 and T5. When the amount of specified traffic exceeds the threshold, all traffic of that kind is
dropped for the next time period. Therefore, broadcast traffic is blocked during the intervals following T2
and T5. At the next time interval (for example, T3), if broadcast traffic does not exceed the threshold, it is
again forwarded.
The combination of the storm-control suppression level and the 1-second time interval controls the way the
storm control algorithm works. A higher threshold allows more packets to pass through. A threshold value
of 100 percent means that no limit is placed on the traffic. A value of 0.0 means that all broadcast, multicast,
or unicast traffic on that port is blocked.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1401
How to Configure Port Security
Note Because packets do not arrive at uniform intervals, the 1-second time interval during which traffic activity
is measured can affect the behavior of storm control.
You use the storm-control interface configuration commands to set the threshold value for each traffic type.
Note Storm control is supported on physical interfaces. You can also configure storm control on an EtherChannel.
When storm control is configured on an EtherChannel, the storm control settings propagate to the
EtherChannel physical interfaces.
Follow these steps to storm control and threshold levels:
Procedure
Example:
Switch> enable
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1402
How to Configure Port Security
For BPS and PPS settings, you can use metric suffixes such as k,
m, and g for large number thresholds.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1403
How to Configure Port Security
Example:
Switch(config-if)# end
Step 7 show storm-control Verifies the storm control suppression levels set on the interface
[interface-id] [broadcast | for the specified traffic type. If you do not enter a traffic type,
multicast | unicast] details for all traffic types (broadcast, multicast and unicast) are
displayed.
Example:
Switch# show storm-control
gigabitethernet1/0/1
unicast
Step 8 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1404
How to Configure Port Security
Procedure
Example:
Switch# configure terminal
Step 3 errdisable detect cause small-frame Enables the small-frame rate-arrival feature on the
switch.
Example:
Switch(config)# errdisable detect
cause small-frame
Step 4 errdisable recovery interval interval (Optional) Specifies the time to recover from the
specified error-disabled state.
Example:
Switch(config)# errdisable recovery
interval 60
Step 5 errdisable recovery cause small-frame (Optional) Configures the recovery time for
error-disabled ports to be automatically re-enabled
Example: after they are error disabled by the arrival of small
frames
Switch(config)# errdisable recovery
cause small-frame Storm control is supported on physical interfaces.
You can also configure storm control on an
EtherChannel. When storm control is configured
on an EtherChannel, the storm control settings
propagate to the EtherChannel physical interfaces.
Step 7 small-frame violation-rate pps Configures the threshold rate for the interface to
drop incoming packets and error disable the port.
Example: The range is 1 to 10,000 packets per second (pps)
Switch(config-if)# small-frame
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1405
How to Configure Port Security
Example:
Switch(config)# end
Example:
Switch# show interfaces
gigabitethernet1/0/2
Example:
Switch# show running-config
Step 11 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Protected Ports
Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that
one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1406
How to Configure Port Security
protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports
on the switch.
Protected ports have these features:
• A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is
also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control
traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded
in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
• Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
Because a switch stack represents a single logical switch, Layer 2 traffic is not forwarded between any protected
ports in the switch stack, whether they are on the same or different switches in the stack.
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1407
How to Configure Port Security
Example:
Switch(config)# end
Example:
Switch# show interfaces
gigabitethernet1/0/1 switchport
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1408
How to Configure Port Security
Command Purpose
show interfaces [interface-id] switchport Displays the administrative and operational status of all
switching (nonrouting) ports or the specified port, including
port blocking and port protection settings.
Where to Go Next
Additional References
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1409
How to Configure Port Security
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Feature Information
Release Feature Information
Cisco IOS 15.0(2)EX This feature was introduced.
Port Blocking
By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown
unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown
unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or
nonprotected) from flooding unknown unicast or multicast packets to other ports.
Note With multicast traffic, the port blocking feature blocks only pure Layer 2 packets. Multicast packets that
contain IPv4 or IPv6 information in the header are not blocked.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1410
How to Configure Port Security
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1411
How to Configure Port Security
Example:
Switch# show interfaces
gigabitethernet1/0/1 switchport
Example:
Switch# show running-config
Command Purpose
show interfaces [interface-id] switchport Displays the administrative and operational status of all
switching (nonrouting) ports or the specified port, including
port blocking and port protection settings.
Where to Go Next
Additional References
Related Documents
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1412
How to Configure Port Security
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
Standard/RFC Title
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Feature Information
Release Feature Information
Cisco IOS 15.0(2)EX This feature was introduced.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1413
Configuration Examples for Port Security
This example shows how to configure a static secure MAC address on VLAN 3 on a port:
This example shows how to enable sticky port security on a port, to manually configure MAC addresses for
data VLAN and voice VLAN, and to set the total maximum number of secure addresses to 20 (10 for data
VLAN and 10 for voice VLAN).
Related Topics
Port Security, on page 1389
Enabling and Configuring Port Security, on page 1394
Additional References
Error Message Decoder
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1414
Finding Feature Information
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1415
How to Configure Protocol Storm Protection
• Spanning Tree Protocol (STP) reconverges because the STP bridge protocol data unit (BPDU) cannot
be sent or received.
• CLI is slow or unresponsive.
Using protocol storm protection, you can control the rate at which control packets are sent to the switch by
specifying the upper threshold for the packet flow rate. The supported protocols are ARP, ARP snooping,
Dynamic Host Configuration Protocol (DHCP) v4, DHCP snooping, Internet Group Management Protocol
(IGMP), and IGMP snooping.
When the packet rate exceeds the defined threshold, the switch drops all traffic arriving on the specified virtual
port for 30 seconds. The packet rate is measured again, and protocol storm protection is again applied if
necessary.
For further protection, you can manually error disable the virtual port, blocking all incoming traffic on the
virtual port. You can manually enable the virtual port or set a time interval for automatic re-enabling of the
virtual port.
Note Excess packets are dropped on no more than two virtual ports.
Virtual port error disabling is not supported for EtherChannel and Flexlink interfaces
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1416
Monitoring Protocol Storm Protection
Step 4 errdisable detect cause psp (Optional) Enables error-disable detection for protocol
storm protection. If this feature is enabled, the virtual
Example: port is error disabled. If this feature is disabled, the port
drops excess packets without error disabling the port.
Switch(config)# errdisable
detect cause psp
Step 5 errdisable recovery interval time (Optional) Configures an auto-recovery time (in seconds)
for error-disabled virtual ports. When a virtual port is
Example: error-disabled, the switch auto-recovers after this time.
The range is from 30 to 86400 seconds.
Switch
Example:
Switch(config)# end
Step 7 show psp config {arp | dhcp | igmp} Verifies your entries.
Example:
Switch# show psp config dhcp
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1417
Additional References
Additional References
Error Message Decoder
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1418
CHAPTER 62
Configuring FIPS
• Information About FIPS and Common Criteria, page 1419
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1419
Information About FIPS and Common Criteria
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1420
CHAPTER 63
Configuring Control Plane Policing
• Finding Feature Information, page 1421
• Restrictions for Control Plane Policing, page 1421
• Control Plane Policing, page 1421
• Configuring Control Plane Policing, page 1422
• Examples: Configuring CoPP, page 1423
• For ospf, eigrp and ripv2 protocols, control packets which are destined to multicast Mac of the router
are policed along with the "reserve-multicast-group" option.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1421
Configuring Control Plane Policing
the packets from being routed to the CPU at an undesired rate that might impact the performance of a switch
and the network. In addition, the CoPP protects the CPU from denial of service (DoS) attacks and ensures
routing stability, reachability, and packet delivery. You can use Multi-Layer Switching QoS CLI to set the
rate limit and policing parameters on a specific protocol.
Note CoPP is supported only on LAN BASE, IP Lite, and IP Service licenses.
Related Topics
Configuring Control Plane Policing, on page 1422
Examples: Configuring CoPP, on page 1423
Procedure
Example:
Switch# configure terminal
Step 3 mls qos copp protocol { autorp-announce | Configures a packet policer for the
autorp-discovery | bgp | cdp | cgmp | dai | specified protocol.
dhcp-snoop-client-to-server | For more details about the various
dhcp-snoop-server-to-client | dhcpv6-client-to-server parameters, please refer Consolidated
| dhcpv6-server-to-client | eigrp | eigrp-v6 | Platform Command Reference, Cisco
energy-wise | igmp-gs-query | igmp-leave | igmp-query IOS Release 15.2(4)E .
| igmp-report | igrp | ipv6-pimv2 | lldp | mld-gs-query
| mld-leave | mld-query | mld-report | ndp-redirect |
ndp-router-advertisement | ndp-router-solicitation |
ospf | ospf-v6 | pimv1 | pxe | rep-hfl |
reserve-multicast-group | rip | rip-v6 | rsvp-snoop |
stp } police {pps | bps} police rate
Example:
Switch (config)# mls qos copp protocol cdp
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1422
Examples: Configuring CoPP
Example:
Switch(config)# end
Step 5 show mls qos copp protocols Displays the CoPP parameters and
counters for all the configured protocol.
Example:
Switch# show mls qos copp protocols
What to Do Next
To clear the CoPP statistics, use the clear copp counters command.
Related Topics
Control Plane Policing, on page 1421
Examples: Configuring CoPP, on page 1423
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1423
Examples: Configuring CoPP
Related Topics
Control Plane Policing, on page 1421
Configuring Control Plane Policing, on page 1422
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1424
PART XI
Configuring Cisco IOS IP SLAs
• Configuring Cisco IP SLAs, page 1427
CHAPTER 64
Configuring Cisco IP SLAs
• Finding Feature Information, page 1427
• Restrictions on SLAs, page 1427
• Information About SLAs, page 1428
• How to Configure IP SLAs Operations, page 1431
• Monitoring IP SLA Operations, page 1433
• Additional References, page 1434
• Feature History and Information for Service Level Agreements, page 1435
Restrictions on SLAs
This section lists the restrictions on SLAs.
The following are restrictions on IP SLAs network performance measurement:
• The switch does not support VoIP service levels using the gatekeeper registration delay operations
measurements.
• Only a Cisco IOS device can be a source for a destination IP SLAs responder.
• You cannot configure the IP SLAs responder on non-Cisco devices and Cisco IOS IP SLAs can send
operational packets only to services native to those devices.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1427
Information About SLAs
Related Topics
Configuring the IP SLA Responder, on page 1432
IP SLA Responder and IP SLA Control Protocol, on page 1429
Response Time Computation for IP SLAs, on page 1430
Because Cisco IOS IP SLAs is SNMP-accessible, it can also be used by performance-monitoring applications
like Cisco Prime Internetwork Performance Monitor (IPM) and other third-party Cisco partner performance
management products.
Using IP SLAs can provide the following benefits:
• Service-level agreement monitoring, measurement, and verification.
• Network performance monitoring
◦Measurement of jitter, latency, or packet loss in the network.
◦Continuous, reliable, and predictable measurements.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1428
Information About SLAs
• IP service network health assessment to verify that the existing QoS is sufficient for new IP services.
• Edge-to-edge network availability monitoring for proactive verification and connectivity testing of
network resources (for example, shows the network availability of an NFS server used to store business
critical data from a remote site).
• Network operation troubleshooting by providing consistent, reliable measurement that immediately
identifies problems and saves troubleshooting time.
• Multiprotocol Label Switching (MPLS) performance monitoring and network verification (if the switch
supports MPLS).
The following figure shows how IP SLAs begin when the source device sends a generated packet to the
destination device. After the destination device receives the packet, depending on the type of IP SLAs operation,
it responds with time-stamp information for the source to make the calculation on performance metrics. An
IP SLAs operation performs a network measurement from the source device to a destination in the network
using a specific protocol such as UDP.
Figure 105: Cisco IOS IP SLAs Operation
Related Topics
Monitoring IP SLA Operations, on page 1433
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1429
Information About SLAs
the need for dedicated probes. The responder uses the Cisco IOS IP SLA Control Protocol to provide a
mechanism through which it can be notified on which port it should listen and respond.
Note The IP SLA responder can be a Cisco IOS Layer 2, responder-configurable switch. The responder does
not need to support full IP SLA functionality.
The following figure shows where the Cisco IOS IP SLA responder fits in the IP network. The responder
listens on a specific port for control protocol messages sent by an IP SLA operation. Upon receipt of the
control message, it enables the specified UDP or TCP port for the specified duration. During this time, the
responder accepts the requests and responds to them. It disables the port after it responds to the IP SLA packet,
or when the specified time expires. MD5 authentication for control messages is available for added security.
You do not need to enable the responder on the destination device for all IP SLA operations. For example, a
responder is not required for services that are already provided by the destination router (such as Telnet or
HTTP).
Related Topics
Configuring the IP SLA Responder, on page 1432
Restrictions on SLAs, on page 1427
Monitoring IP SLA Operations, on page 1433
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1430
How to Configure IP SLAs Operations
When the IP SLA responder is enabled, it allows the target device to take time stamps when the packet arrives
on the interface at interrupt level and again just as it is leaving, eliminating the processing time. This time
stamping is made with a granularity of sub-milliseconds (ms).
The following figure demonstrates how the responder works. Four time stamps are taken to make the calculation
for round-trip time. At the target router, with the responder functionality enabled, time stamp 2 (TS2) is
subtracted from time stamp 3 (TS3) to produce the time spent processing the test packet as represented by
delta. This delta value is then subtracted from the overall round-trip time. Notice that the same principle is
applied by IP SLAs on the source router where the incoming time stamp 4 (TS4) is also taken at the interrupt
level to allow for greater accuracy.
Figure 107: Cisco IOS IP SLA Responder Time Stamping
An additional benefit of the two time stamps at the target device is the ability to track one-way delay, jitter,
and directional packet loss. Because much network behavior is asynchronous, it is critical to have these
statistics. However, to capture one-way delay measurements, you must configure both the source router and
target router with Network Time Protocol (NTP) so that the source and target are synchronized to the same
clock source. One-way jitter measurements do not require clock synchronization.
Related Topics
Configuring the IP SLA Responder, on page 1432
Restrictions on SLAs, on page 1427
Monitoring IP SLA Operations, on page 1433
Default Configuration
No IP SLAs operations are configured.
Related Topics
Configuration Guidelines, on page 1432
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1431
How to Configure IP SLAs Operations
Configuration Guidelines
For information on the IP SLA commands, see the Cisco IOS IP SLAs Command Reference, Release 12.4T
command reference.
For detailed descriptions and configuration procedures, see the Cisco IOS IP SLAs Configuration Guide,
Release 12.4TL.
Related Topics
Default Configuration, on page 1431
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1432
Monitoring IP SLA Operations
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Related Topics
IP SLA Responder and IP SLA Control Protocol, on page 1429
Response Time Computation for IP SLAs, on page 1430
Restrictions on SLAs, on page 1427
Monitoring IP SLA Operations, on page 1433
Related Topics
Configuring the IP SLA Responder, on page 1432
IP SLA Responder and IP SLA Control Protocol, on page 1429
Response Time Computation for IP SLAs, on page 1430
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1433
Additional References
Additional References
Related Documents
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
Standard/RFC Title
None -
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1434
Feature History and Information for Service Level Agreements
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1435
Feature History and Information for Service Level Agreements
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1436
PART XII
Stacking
• Managing Switch Stacks, page 1439
CHAPTER 65
Managing Switch Stacks
• Finding Feature Information, page 1439
• Prerequisites for Switch Stacks, page 1439
• Restrictions for Switch Stacks, page 1440
• Information About Switch Stacks, page 1440
• How to Configure a Switch Stack, page 1455
• Troubleshooting the Switch Stack, page 1462
• Monitoring the Switch Stack, page 1463
• Configuration Examples for Switch Stacks, page 1464
• Additional References for Switch Stacks, page 1467
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1439
Restrictions for Switch Stacks
The stack master controls the operation of the switch stack, and is the single point of stack-wide management.
From the stack master, you configure:
• System-level (global) features that apply to all stack members
• Interface-level features for each stack member
The stack master contains the saved and running configuration files for the switch stack. The configuration
files include the system-level settings for the switch stack and the interface-level settings for each stack
member. Each stack member has a current copy of these files for back-up purposes.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1440
Information About Switch Stacks
Encryption Features
If the active switchstack master is running the cryptographic universal software image (supports encryption),
the encryption features are available on the switch stack.
FlexStack-Plus
The stack members use the Cisco FlexStack-Plus technology to work together as a unified system. Layer 2
protocols support the entire switch stack as a single entity in the network.
Note Switch stacks running the LAN Base image do not support Layer 3 features.
The FlexStack-Plus bandwidth for a single stack port is 20 Gbps. With FlexStack-Plus technology, up to eight
members can be joined into a single stack. In a mixed stack of Catalyst 2960-X and Catalyst 2960-S switches,
FlexStack-Plus reverts to FlexStack capabilities of 10 Gbps stack port bandwidth and a maximum of four
members per stack.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1441
Information About Switch Stacks
members, with one of them as the active switchstack master. You can connect standalone switches to an
existing switch stack to increase the stack membership.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1442
Information About Switch Stacks
• Adding powered-on switches (merging) causes all switches to reload and elect a new active switch from
among themselves. The newly elected active switch retains its role and configuration. All other switches
retain their stack member numbers and use the stack configuration of the newly elected active switch.
Adding powered-on switches (merging) causes the stack masters of the merging switch stacks to elect
a stack master from among themselves. The reelected stack master retains its role and configuration as
do its stack members. All remaining switches, including the former stack masters, reload and join the
switch stack as stack members. They change their stack member numbers to the lowest available numbers
and use the stack configuration of the reelected stack master.
• Removing powered-on stack members causes the switch stack to divide (partition) into two or more
switch stacks, each with the same configuration. This can cause:
• An IP address conflict in your network. If you want the switch stacks to remain separate, change
the IP address or addresses of the newly created switch stacks.
• A MAC address conflict between two members in the stack. You can use the stack-mac update
force command to resolve the conflict.
If a newly created switch stack does not have an active switch or standby switch, the switch stack will reload
and elect a new active switch.
Note Make sure that you power off the switches that you add to or remove from the switch stack.
After adding or removing stack members, make sure that the switch stack is operating at full bandwidth
. Press the Mode button on a stack member until the Stack mode LED is on. The last two right port LEDs
on all switches in the stack should be green. Depending on the switch model, the last two right ports are
10-Gigabit Ethernet ports or small form-factor pluggable (SFP) module ports (10/100/1000 ports). If one
or both of these LEDs are not green on any of the switches, the stack is not operating at full bandwidth.
It may take upto 4 seconds for stack convergence when a new stack member is added to the existing switch
stack.
If you remove powered-on members but do not want to partition the stack:
• Power off the switches in the newly created switch stacks.
• Reconnect them to the original switch stack through their stack ports.
• Power on the switches.
For cabling and power considerations that affect switch stacks, see the Catalyst 2960-X Switch Hardware
Installation Guide.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1443
Information About Switch Stacks
Stack members in the same Switch stack cannot have the same stack member number. Every stack member,
including a standalone Switch, retains its member number until you manually change the number or unless
the number is already being used by another member in the stack.
• If you manually change the stack member number by using the switch current-stack-member-number
renumber new-stack-member-number global configuration command, the new number goes into effect
after that stack member resets (or after you use the reload slot stack-member-number privileged EXEC
command) and only if that number is not already assigned to any other members in the stack. Another
way to change the stack member number is by changing the Switch_NUMBER environment variable.
If the number is being used by another member in the stack, the Switch selects the lowest available
number in the stack.
If you manually change the number of a stack member and no interface-level configuration is associated
with that new member number, that stack member resets to its default configuration.
You cannot use the switch current-stack-member-number renumber new-stack-member-number global
configuration command on a provisioned Switch. If you do, the command is rejected.
• If you move a stack member to a different Switch stack, the stack member retains its number only if the
number is not being used by another member in the stack. If it is being used, the Switch selects the
lowest available number in the stack.
• If you merge Switch stacks, the Switch that join the Switch stack of a new active switchstack master
select the lowest available numbers in the stack.
As described in the hardware installation guide, you can use the Switch port LEDs in Stack mode to visually
determine the stack member number of each stack member.
In the default mode Stack LED will blink in green color only on the stack master. However, when we scroll
the Mode button to Stack option - Stack LED will glow green on all the stack members.
When mode button is scrolled to Stack option, the switch number of each stack member will be displayed as
LEDs on the first five ports of that switch. The switch number is displayed in binary format for all stack
members. On the switch, the amber LED indicates value 0 and green LED indicates value 1.
Example for switch number 5 (Binary - 00101):
First five LEDs will glow in below color combination on stack member with switch number 5.
• Port-1 : Amber
• Port-2 : Amber
• Port-3 : Green
• Port-4 : Amber
• Port-5 : Green
Similarly first five LEDs will glow in amber or green, depending on the switch number on all stack members.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1444
Information About Switch Stacks
Note • Stack port will not go down but only transmission/reception will be disabled. The log message shown
below will be displayed on the console. Once the peer end network port is converted to stack port,
transmission/reception on this stack port will be enabled.
Note We recommend assigning the highest priority value to the switch that you prefer to be the active switchstack
master. This ensures that the switch is reelected as the active switchstack master if a reelection occurs.
To change the priority value for a stack member, use the switch stack-member-number priority new
priority-value global configuration command. For more information, see the “Setting the Stack Member
Priority Value” section.
The new priority value takes effect immediately but does not affect the current active switchstack master. The
new priority value helps determine which stack member is elected as the new active switchstack master when
the current active switchstack master or the switch stack resets.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1445
Information About Switch Stacks
master. If the previous stack master does not rejoin the stack during this period, the switch stack takes the
MAC address of the new stack master as the stack MAC address.
You can also configure stack MAC persistency so that the stack MAC address never changes to the new active
switchstack master MAC address.
All stack members are eligible stack masters. If the stack master becomes unavailable, the remaining members
elect a new stack master from among themselves.
The active switchstack master is elected or reelected based on one of these factors and in the order listed:
1 The switch that is currently the active switchstack master.
2 The switch with the highest stack member priority value.
Note We recommend assigning the highest priority value to the switch that you prefer to be the active switchstack
master. This ensures that the switch is reelected as active switchstack master if a reelection occurs.
Note The factors for electing or reelecting a new standby switch are same as those for the active switch election
or reelection, and are applied to all participating switches except the active switch.
After election, the new active switch becomes available after a few seconds. In the meantime, the switch stack
uses the forwarding tables in memory to minimize network disruption. The physical interfaces on the other
available stack members are not affected during a new active switch election and reset.
When the previous active switch becomes available, it does not resume its role as the active switch.
If you power on or reset an entire switch stack, some stack members might not participate in the active switch
election. Stack members that are powered on within the same 2-minute timeframe participate in the active
switch election and have a chance to become the active switch. Stack members that are powered on after the
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1446
Information About Switch Stacks
120-second timeframe do not participate in this initial election and become stack members. For powering
considerations that affect active-switch elections, see the switch hardware installation guide.
As described in the hardware installation guide, you can use the ACTV LED on the switch to see if the switch
is the active switch.
A stack master retains its role unless one of these events occurs:
• The switch stack is reset.*
• The stack master is removed from the switch stack.
• The stack master is reset or powered off.
• The stack master fails.
• The switch stack membership is increased by adding powered-on standalone switches or switch stacks.*
In the events marked by an asterisk (*), the current stack master might be reelected based on the listed factors.
When you power on or reset an entire switch stack, some stack members might not participate in the stack
master election. Stack members that are powered on within the same 20-second time frame participate in the
stack master election and have a chance to become the stack master. Stack members that are powered on after
the 20-second time frame do not participate in this initial election and become stack members. All stack
members participate in reelections. For all powering considerations that affect stack-master elections, see the
“Switch Installation” chapter in the hardware installation guide.
The new stack master becomes available after a few seconds. In the meantime, the switch stack uses the
forwarding tables in memory to minimize network disruption. The physical interfaces on the other available
stack members are not affected during a new stack master election and reset.
After a new stack master is elected and the previous stack master becomes available, the previous stack master
does not resume its role as stack master.
For all powering considerations that affect stack-master elections, see the Catalyst 2960-X Switch Hardware
Installation Guide.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1447
Information About Switch Stacks
Note The interface-specific settings of the active switchstack master are saved if the active switchstack master
is replaced without saving the running configuration to the startup configuration.
A new, out-of-box switch joining a switch stack uses the system-level settings of that switch stack. If a switch
is moved to a different switch stack before it is powered on, that switch loses its saved configuration file and
uses the system-level configuration of the new switch stack. If the switch is powered on as a standalone switch
before it joins the new switch stack, the stack will reload. When the stack reloads, the new switch may become
the active switchstack master, retain its configuration and overwrite the configuration files of the other stack
members.
The interface-specific configuration of each stack member is associated with the stack member number. Stack
members retain their numbers unless they are manually changed or they are already used by another member
in the same switch stack. If the stack member number changes, the new number goes into effect after that
stack member resets.
• If an interface-specific configuration does not exist for that member number, the stack member uses its
default interface-specific configuration.
• If an interface-specific configuration exists for that member number, the stack member uses the
interface-specific configuration associated with that member number.
If you replace a failed member with an identical model, the replacement member automatically uses the same
interface-specific configuration as the failed switch. You do not need to reconfigure the interface settings.
The replacement switch (referred to as the provisioned switch) must have the same stack member number as
the failed switch.
You back up and restore the stack configuration in the same way as you would for a standalone switch
configuration.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1448
Information About Switch Stacks
file ensures that the switch stack can reload and can use the saved information whether or not the provisioned
switch is part of the switch stack.
Table 140: Results of Comparing the Provisioned Configuration with the Provisioned Switch
Scenario Result
The stack member numbers and the The switch stack applies the
1 If the stack member number of
Switch types match. provisioned configuration to the
the provisioned switch matches provisioned switch and adds it to
the stack member number in the
the stack.
provisioned configuration on
the stack, and
2 If the Switch type of the
provisioned switch matches the
Switch type in the provisioned
configuration on the stack.
The stack member numbers match The switch stack applies the default
1 If the stack member number of
but the Switch types do not match. configuration to the provisioned
the provisioned switch matches switch and adds it to the stack.
the stack member number in the
provisioned configuration on The provisioned configuration is
the stack, but changed to reflect the new
information.
2 The Switch type of the
provisioned switch does not
match the Switch type in the
provisioned configuration on
the stack.
The stack member number is not The switch stack applies the default
found in the provisioned configuration to the provisioned
configuration. switch and adds it to the stack.
The provisioned configuration is
changed to reflect the new
information.
The stack member number of the The switch stack applies the default
provisioned switch is not found in configuration to the provisioned
the provisioned configuration. switch and adds it to the stack.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1449
Information About Switch Stacks
If you add a provisioned switch that is a different type than specified in the provisioned configuration to a
powered-down switch stack and then apply power, the switch stack rejects the (now incorrect) switch
stack-member-number provision type global configuration command in the startup configuration file. However,
during stack initialization, the nondefault interface configuration information in the startup configuration file
for the provisioned interfaces (potentially of the wrong type) is executed. Depending on the differences between
the actual Switch type and the previously provisioned switch type, some commands are rejected, and some
commands are accepted.
Note If the switch stack does not contain a provisioned configuration for a new Switch, the Switch joins the
stack with the default interface configuration. The switch stack then adds to its running configuration with
a switch stack-member-number provision type global configuration command that matches the new
Switch. For configuration information, see the Provisioning a New Member for a Switch Stack section.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1450
Information About Switch Stacks
Auto-Upgrade
The purpose of the auto-upgrade feature is to allow a switch to be upgraded to a compatible software image,
so that the switch can join the switch stack.
When a new switch attempts to join a switch stack, each stack member performs compatibility checks with
itself and the new switch. Each stack member sends the results of the compatibility checks to the active
switchstack master, which uses the results to determine whether the switch can join the switch stack. If the
software on the new switch is incompatible with the switch stack, the new switch enters version-mismatch
(VM) mode.
If the auto-upgrade feature is enabled on the existing switch stack, the active switchstack master automatically
upgrades the new switch with the same software image running on a compatible stack member. Auto-upgrade
starts a few minutes after the mismatched software is detected before starting.
By default, auto-upgrade is enabled (the boot auto-copy-sw global configuration command is enabled). You
can disable auto-upgrade by using the no boot auto-copy-sw global configuration command on the stack
master. You can check the status of auto-upgrade by using the show boot privileged EXEC command and by
checking the Auto upgrade line in the display.
Auto-upgrade includes an auto-copy process and an auto-extract process.
• Auto-copy automatically copies the software image running on any stack member to the new switch to
automatically upgrade it. Auto-copy occurs if auto-upgrade is enabled, if there is enough flash memory
in the new switch, and if the software image running on the switch stack is suitable for the new switch.
Note A switch in VM mode might not run all released software. For example, new switch
hardware is not recognized in earlier versions of software.
• Automatic extraction (auto-extract) occurs when the auto-upgrade process cannot find the appropriate
software in the stack to copy to the new switch. In that case, the auto-extract process searches all switches
in the stack for the tar file needed to upgrade the switch stack or the new switch. The tar file can be in
any flash file system in the switch stack or in the new switch. If a tar file suitable for the new switch is
found on a stack member, the process extracts the file and automatically upgrades the new switch.
The auto-upgrade (auto-copy and auto-extract) processes start a few minutes after the mismatched software
is detected.
When the auto-upgrade process is complete, the new switch reloads and joins the stack as a fully functioning
member. If you have both stack cables connected during the reload, network downtime does not occur because
the switch stack operates on two rings.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1451
Information About Switch Stacks
Auto-Advise
The auto-advise feature is triggered when:
• The auto-upgrade feature is disabled.
• The new switch is in bundle mode and the stack is in installed mode. Auto-advise displays syslog
messages about using the software auto-upgrade privileged EXEC command to change the new switch
to installed mode.
• The stack is in bundle mode. Auto-advise displays syslog messages about booting the new switch in
bundle mode so that it can join the stack.
• An auto-upgrade attempt fails because the new switch is running incompatible software. After the switch
stack performs compatibility checks with the new switch, auto-advise displays syslog messages about
whether the new switch can be auto-upgraded.
Auto-advise cannot be disabled. It does not give suggestions when the switch stack software and the software
of the switch in version-mismatch (VM) mode do not contain the same license level.
Automatic advise (auto-advise) occurs when the auto-upgrade process cannot find appropriate stack member
software to copy to the new switch. This process tells you the command (archive copy-sw or archive
download-sw privileged EXEC command) and the image name (tar filename) needed to manually upgrade
the switch stack or the new switch. The recommended image can be the running switch stack image or a tar
file in any flash file system in the switch stack (including the new switch). If an appropriate image is not found
in the stack flash file systems, the auto-advise process tells you to install new software on the switch stack.
Auto-advise cannot be disabled, and there is no command to check its status.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1452
Information About Switch Stacks
This example shows that the switch stack detected a new switch that is running a different minor version
number than the switch stack. Auto-copy starts but cannot find software in the switch stack to copy to the
VM-mode switch to make it compatible with the switch stack. The auto-advise process starts and recommends
that you download a tar file from the network to the switch in VM mode:
*Mar 1 00:01:11.319:%STACKMGR-6-STACK_LINK_CHANGE:Stack Port 2 Switch 2 has changed to state
UP
*Mar 1 00:01:15.547:%STACKMGR-6-SWITCH_ADDED_VM:Switch 1 has been ADDED to the stack
(VERSION_MISMATCH)
stack_2#
*Mar 1 00:03:15.554:%IMAGEMGR-6-AUTO_COPY_SW_INITIATED:Auto-copy-software process initiated
for switch number(s) 1
*Mar 1 00:03:15.554:%IMAGEMGR-6-AUTO_COPY_SW:
*Mar 1 00:03:15.554:%IMAGEMGR-6-AUTO_COPY_SW:Searching for stack member to act
*Mar 1 00:03:15.554:%IMAGEMGR-6-AUTO_COPY_SW:as software donor...
*Mar 1 00:03:15.554:%IMAGEMGR-6-AUTO_COPY_SW:Software was not copied
*Mar 1 00:03:15.562:%IMAGEMGR-6-AUTO_ADVISE_SW_INITIATED:Auto-advise-software process
initiated for switch number(s) 1
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:Systems with incompatible software
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:have been added to the stack. The
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:storage devices on all of the stack
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:members have been scanned, and it has
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:been determined that the stack can be
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:repaired by issuing the following
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:command(s):
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW: archive download-sw /force-reload /overwrite
/dest 1 flash1:c2960x-universalk9-mz.150-2.EX.tar
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1453
Information About Switch Stacks
Note Auto-advise and auto-copy identify which images are running by examining the info file and by searching
the directory structure on the switch stack. If you download your image by using the copy tftp: boot loader
command instead of the archive download-sw privileged EXEC command, the proper directory structure
is not created. For more information about the info file, see the Catalyst 2960-X Switch Managing Cisco
IOS Image Files Configuration Guide.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1454
How to Configure a Switch Stack
Note Stack members retain their IP addresses when you remove them from a switch stack. To avoid a conflict
by having two devices with the same IP address in your network, change the IP addresses of any Switch
that you remove from the switch stack.
For related information about switch stack configurations, see the Switch Stack Configuration Files section.
Connectivity to the Switch Stack Through Console Ports or Ethernet Management Ports
You can connect to the active switchstack master by using one of these methods:
• You can connect a terminal or a PC to the active switchstack master through the console port of one or
more stack members.
• You can connect a PC to the active switchstack master through the Ethernet management ports of one
or more stack members. For more information about connecting to the switch stack through Ethernet
management ports, see the Using the Ethernet Management Port section.
You can connect to the active switchstack master by connecting a terminal or a PC to the stack master through
the console port of one or more stack members.
Be careful when using multiple CLI sessions to the active switchstack master. Commands that you enter in
one session are not displayed in the other sessions. Therefore, it is possible that you might not be able to
identify the session from which you entered a command.
We recommend using only one CLI session when managing the switch stack.
Note When you enter the command to configure this feature, a warning message appears with the consequences
of your configuration. You should use this feature cautiously. Using the old active switchstack master
MAC address elsewhere in the same domain could result in lost traffic.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1455
How to Configure a Switch Stack
Procedure
Example:
Switch> enable
Example:
Switch# configure
terminal
Step 3 stack-mac persistent timer Enables a time delay after a stack-master change before the stack
[0 | time-value] MAC address changes to that of the new active switchstack master.
If the previous active switchstack master rejoins the stack during this
Example: period, the stack uses that MAC address as the stack MAC address.
Switch(config)#
stack-mac persistent You can configure the time period as 0 to 60 minutes.
timer 7
• Enter the command with no value to set the default delay of
approximately 4 minutes. We recommend that you always enter
a value.
If the command is entered without a value, the time delay
appears in the running-config file with an explicit timer value
of 4 minutes.
• Enter 0 to continue using the MAC address of the current active
switchstack master indefinitely.
The stack MAC address of the previous active switchstack
master is used until you enter the no stack-mac persistent timer
command, which immediately changes the stack MAC address
to that of the current active switchstack master.
• Enter a time-value from 1 to 60 minutes to configure the time
period before the stack MAC address changes to the new active
switchstack master.
The stack MAC address of the previous active switchstack
master is used until the configured time period expires or until
you enter the no stack-mac persistent timer command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1456
How to Configure a Switch Stack
Example:
Switch(config)# end
Step 5 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy
running-config
startup-config
What to Do Next
Use the no stack-mac persistent timer global configuration command to disable the persistent MAC address
feature.
Procedure
Example:
Switch# configure terminal
Step 3 switch current-stack-member-number Specifies the current stack member number and
renumber new-stack-member-number the new stack member number for the stack
member. The range is 1 to 8.
Example: You can display the current stack member
Switch(config)# switch 3 renumber 4
number by using the show switch user EXEC
command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1457
How to Configure a Switch Stack
Example:
Switch(config)# end
Example:
Switch# reload slot 4
Example:
showSwitch
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Procedure
Step 2 switch stack-member-number Specifies the stack member number and the new priority
priority new-priority-number for the stack member. The stack member number range is
1 to 8. The priority value range is 1 to 15.
Example: You can display the current priority value by using the show
Switch# switch 3 priority 2
switch user EXEC command.
The new priority value takes effect immediately but does
not affect the current active switchstack master. The new
priority value helps determine which stack member is
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1458
How to Configure a Switch Stack
Step 3 show switch stack-member-number Verify the stack member priority value.
Example:
Switch# show switch
Step 4 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Procedure
Example:
Switch# configure terminal
Step 2 switch stack port-speed 10 Sets the stack port speed to 10 Gbps.
Example:
Switch(config)# switch stack port-speed
10
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1459
How to Configure a Switch Stack
Example:
Switch# reload
Procedure
Example:
Switch# show switch
Example:
Switch# configure terminal
Step 3 switch stack-member-number provision Specifies the stack member number for the
type preconfigured switch. By default, no switches are
provisioned.
Example: For stack-member-number, the range is 1 to 8. Specify
Switch(config)# switch 3 provision
WS-xxxx
a stack member number that is not already used in the
switch stack. See Step 1.
For type, enter the model number of a supported
switch that is listed in the command-line help strings.
Example:
Switch(config)# end
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1460
How to Configure a Switch Stack
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# end
and want to remove the provisioned information and to avoid receiving an error message, you can remove
power from stack member 3, disconnect the StackWise-480stack cables between the stack member 3 and
switches to which it is connected, reconnect the cables between the remaining stack members, and enter the
no switch stack-member-number provision global configuration command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1461
Troubleshooting the Switch Stack
Note Be careful when using the switch stack-member-number stack port port-number disable command. When
you disable the stack port, the stack operates at half bandwidth.
A stack is in the full-ring state when all members are connected through the stack ports and are in the ready
state.
The stack is in the partial-ring state when the following occurs:
• All members are connected through their stack ports but some are not in the ready state.
• Some members are not connected through the stack ports.
Procedure
Example:
Switch# switch 2 stack port 1 disable
Step 2 switch stack-member-number stack port port-number Reenables the stack port.
enable
Example:
Switch# switch 2 stack port 1 enable
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1462
Monitoring the Switch Stack
When you disable a stack port and the stack is in the full-ring state, you can disable only one stack port. This
message appears:
Enabling/disabling a stack port may cause undesired stack changes. Continue?[confirm]
When you disable a stack port and the stack is in the partial-ring state, you cannot disable the port. This
message appears:
Disabling stack port not allowed with current stack configuration.
Procedure
Step 1 Disconnect the stack cable between Port 1 on Switch 1 and Port 2 on Switch 4.
Step 2 Remove Switch 4 from the stack.
Step 3 Add a switch to replace Switch 4 and assign it switch-number 4.
Step 4 Reconnect the cable between Port 1 on Switch 1 and Port 2 on Switch 4 (the replacement switch).
Step 5 Reenable the link between the switches. Enter the switch 1 stack port 1 enable privileged EXEC command
to enable Port 1 on Switch 1.
Step 6 Power on Switch 4.
Caution Powering on Switch 4 before enabling the Port 1 on Switch 1 might cause one of the switches to reload.
If Switch 4 is powered on first, you might need to enter the switch 1 stack port 1 enable and the switch
4 stack port 2 enable privileged EXEC commands to bring up the link.
Command Description
show controller ethernet-controller stack port {1 Displays stack port counters (or per-interface and
| 2} per-stack port send and receive statistics read from
the hardware).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1463
Configuration Examples for Switch Stacks
Command Description
show controller ethernet-controller fastethernet0 Displays information about the Ethernet management
port, including the port status and the per-interface
send and receive statistics read from the hardware.
show platform stack manager all Displays all stack manager information, such as the
stack protocol version.
show platform stack passive-links Displays information about stack passive links.
Scenario Result
Stack masterActive switch election Connect two powered-on switch Only one of the two stack
specifically determined by existing stacks through the mastersactive switches becomes
stack mastersactive switches StackWise-480stack ports. the new active switchstack master.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1464
Configuration Examples for Switch Stacks
Scenario Result
Stack masterActive switch election The stack member with the higher
1 Connect two switches through
specifically determined by the priority value is elected active
their stack ports.
stack member priority value switchstack master.
2 Use the switch
stack-member-number priority
new-priority-number global
configuration command to set
one stack member with a higher
member priority value.
3 Restart both stack members at
the same time.
Stack masterActive switch election Assuming that both stack members The stack member with the saved
specifically determined by the have the same priority value: configuration file is elected active
configuration file switchstack master.
1 Make sure that one stack
member has a default
configuration and that the other
stack member has a saved
(nondefault) configuration file.
2 Restart both stack members at
the same time.
Stack masterActive switch election Assuming that both stack members The stack member with the lower
specifically determined by the have the same priority value, MAC address is elected active
MAC address configuration file, and feature set, switchstack master.
restart both stack members at the
same time.
Stack member number conflict Assuming that one stack member The stack member with the higher
has a higher priority value than the priority value retains its stack
other stack member: member number. The other stack
member has a new stack member
1 Ensure that both stack members
number.
have the same stack member
number. If necessary, use the
switch
current-stack-member-number
renumber
new-stack-member-number
global configuration command.
2 Restart both stack members at
the same time.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1465
Configuration Examples for Switch Stacks
Scenario Result
Add a stack member The active switchstack master is
1 Power off the new switch.
retained. The new switch is added
2 Through their stack ports, to the switch stack.
connect the new switch to a
powered-on switch stack.
3 Power on the new switch.
Stack masterActive switch failure Remove (or power off) the active The standby switch becomes the
switchstack master. new active switch. All other stack
members in the stack remain as
stack members and do not reboot.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1466
Additional References for Switch Stacks
Description Link
To help you research and resolve system error https://www.cisco.com/cgi-bin/Support/Errordecoder/
messages in this release, use the Error Message index.cgi
Decoder tool.
Standard/RFC Title
None —
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1467
Additional References for Switch Stacks
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1468
PART XIII
System Management
• Administering the System, page 1471
• Performing Switch Setup Configuration, page 1505
• Configuring SDM Templates, page 1533
• Configuring System Message Logs, page 1541
• Configuring Online Diagnostics, page 1555
• Troubleshooting the Software Configuration, page 1567
CHAPTER 66
Administering the System
• Information About Administering the Switch, page 1471
• How to Administer the Switch, page 1479
• Monitoring and Maintaining Administration of the Switch, page 1498
• Configuration Examples for Switch Administration, page 1499
• Additional References for Switch Administration , page 1502
• Feature History and Information for Switch Administration, page 1503
Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS
Configuration Fundamentals Command Referenceon Cisco.com.
System Clock
The basis of the time service is the system clock. This clock runs from the moment the system starts up and
keeps track of the date and time.
The system clock can then be set from these sources:
• RTC
• NTP
• Manual configuration
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1471
Information About Administering the Switch
The system clock keeps track of time internally based on Coordinated Universal Time (UTC), also known as
Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time
(daylight saving time) so that the time appears correctly for the local time zone.
The system clock keeps track of whether the time is authoritative or not (that is, whether it has been set by a
time source considered to be authoritative). If it is not authoritative, the time is available only for display
purposes and is not redistributed.
The RTC and NTP clocks are integrated on the switch. When NTP is enabled, the RTC time is periodically
synchronized to the NTP clock to maintain accuracy.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1472
Information About Administering the Switch
The time kept on a device is a critical resource; you should use the security features of NTP to avoid the
accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based
restriction scheme and an encrypted authentication mechanism.
Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or
atomic clock. We recommend that the time service for your network be derived from the public NTP servers
available on the IP Internet.
The Figure shows a typical network example using NTP. Switch A is the NTP master, with the Switch B, C,
and D configured in NTP server mode, in server association with Switch A. Switch E is configured as an NTP
peer to the upstream and downstream Switch, Switch B and Switch F, respectively.
If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as if it is
synchronized through NTP, when in fact it has learned the time by using other means. Other devices then
synchronize to that device through NTP.
When multiple sources of time are available, NTP is always considered to be more authoritative. NTP time
overrides the time set by any other method.
Several manufacturers include NTP software for their host systems, and a publicly available version for
systems running UNIX and its various derivatives is also available. This software allows host systems to be
time-synchronized as well.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1473
Information About Administering the Switch
NTP Stratum
NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative
time source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time server
receives its time through NTP from a stratum 1 time server, and so on. A device running NTP automatically
chooses as its time source the device with the lowest stratum number with which it communicates through
NTP. This strategy effectively builds a self-organizing tree of NTP speakers.
NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device
that is not synchronized. NTP also compares the time reported by several devices and does not synchronize
to a device whose time is significantly different than the others, even if its stratum is lower.
NTP Associations
The communications between devices running NTP (known as associations) are usually statically configured;
each device is given the IP address of all devices with which it should form associations. Accurate timekeeping
is possible by exchanging NTP messages between each pair of devices with an association. However, in a
LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces
configuration complexity because each device can simply be configured to send or receive broadcast messages.
However, in that case, information flow is one-way only.
NTP Security
The time kept on a device is a critical resource; you should use the security features of NTP to avoid the
accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based
restriction scheme and an encrypted authentication mechanism.
NTP Implementation
Implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic
clock. We recommend that the time service for your network be derived from the public NTP servers available
on the IP Internet.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1474
Information About Administering the Switch
The following figure shows a typical network example using NTP. Switch A is the NTP master, with the
Switch B, C, and D configured in NTP server mode, in server association with Switch A. Switch E is configured
as an NTP peer to the upstream and downstream switches, Switch B and Switch F, respectively.
Figure 111: Typical NTP Network Configuration
If the network is isolated from the Internet, NTP allows a device to act as if it is synchronized through NTP,
when in fact it has learned the time by using other means. Other devices then synchronize to that device
through NTP.
When multiple sources of time are available, NTP is always considered to be more authoritative. NTP time
overrides the time set by any other method.
Several manufacturers include NTP software for their host systems, and a publicly available version for
systems running UNIX and its various derivatives is also available. This software allows host systems to be
time-synchronized as well.
NTP Version 4
NTP version 4 is implemented on the switch. NTPv4 is an extension of NTP version 3. NTPv4 supports both
IPv4 and IPv6 and is backward-compatible with NTPv3.
NTPv4 provides these capabilities:
• Support for IPv6.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1475
Information About Administering the Switch
• Improved security compared to NTPv3. The NTPv4 protocol provides a security framework based on
public key cryptography and standard X509 certificates.
• Automatic calculation of the time-distribution hierarchy for a network. Using specific multicast groups,
NTPv4 automatically configures the hierarchy of the servers to achieve the best time accuracy for the
lowest bandwidth cost. This feature leverages site-local IPv6 multicast addresses.
For details about configuring NTPv4, see the Implementing NTPv4 in IPv6 chapter of the Cisco IOS IPv6
Configuration Guide, Release 12.4T.
DNS
The DNS protocol controls the Domain Name System (DNS), a distributed database with which you can map
hostnames to IP addresses. When you configure DNS on your switch, you can substitute the hostname for the
IP address with all IP commands, such as ping, telnet, connect, and related Telnet support operations.
IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domain
names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a
commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific
device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache
(or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify
the hostnames, specify the name server that is present on your network, and enable the DNS.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1476
Information About Administering the Switch
Login Banners
You can configure a message-of-the-day (MOTD) and a login banner. The MOTD banner is displayed on all
connected terminals at login and is useful for sending messages that affect all network users (such as impending
system shutdowns).
The login banner is also displayed on all connected terminals. It appears after the MOTD banner and before
the login prompts.
Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS
Configuration Fundamentals Command Reference, Release 12.4.
The address table lists the destination MAC address, the associated VLAN ID, and port number associated
with the address and the type (static or dynamic).
Note For complete syntax and usage information for the commands used in this section, see the command
reference for this release.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1477
Information About Administering the Switch
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1478
How to Administer the Switch
Protocol (SNAP). By default, standard Ethernet-style ARP encapsulation (represented by the arpa keyword)
is enabled on the IP interface.
ARP entries added manually to the table do not age and must be manually removed.
For CLI procedures, see the Cisco IOS Release 12.4 documentation on Cisco.com.
Note You must reconfigure this setting if you have manually configured the system clock before the active
switchstack master fails and a different stack member assumes the role of active switchstack master.
Procedure
Step 2 Use one of the following: Manually set the system clock using one of these formats:
• clock set hh:mm:ss day month • hh:mm:ss—Specifies the time in hours (24-hour
year format), minutes, and seconds. The time specified is
relative to the configured time zone.
• clock set hh:mm:ss month day
year • day—Specifies the day by date in the month.
• month—Specifies the month by name.
Example: • year—Specifies the year (no abbreviation).
Switch# clock set 13:32:00 23
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1479
How to Administer the Switch
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1480
How to Administer the Switch
Example:
Switch# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Procedure
Example:
Switch# configure terminal
Step 3 clock summer-time zone date date Configures summer time to start and end on specified
month year hh:mm date month year days every year.
hh:mm [offset]]
Example:
Switch(config)# clock summer-time
PDT date
10 March 2013 2:00 3 November
2013 2:00
Step 4 clock summer-time zone recurring Configures summer time to start and end on the specified
[week day month hh:mm week day days every year. All times are relative to the local time
month hh:mm [offset]] zone. The start time is relative to standard time.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1481
How to Administer the Switch
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date
and time of the next summer time events):
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1482
How to Administer the Switch
Procedure
Example:
Switch# configure terminal
Step 3 clock summer-time zone date[ month Configures summer time to start on the first date and
date year hh:mm month date year end on the second date.
hh:mm [offset]]orclock summer-time Summer time is disabled by default.
zone date [date month year hh:mm date
month year hh:mm [offset]] • For zone, specify the name of the time zone (for
example, PDT) to be displayed when summer time
is in effect.
• (Optional) For week, specify the week of the month
(1 to 5 or last).
• (Optional) For day, specify the day of the week
(Sunday, Monday...).
• (Optional) For month, specify the month (January,
February...).
• (Optional) For hh:mm, specify the time (24-hour
format) in hours and minutes.
• (Optional) For offset, specify the number of
minutes to add during summer time. The default
is 60.
Example:
Switch(config)# end
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1483
How to Administer the Switch
Example:
Switch# copy running-config
startup-config
Procedure
Example:
Switch# configure terminal
Step 3 hostname name Configures a system name. When you set the system
name, it is also used as the system prompt.
Example: The default setting is Switch.
Switch(config)# hostname The name must follow the rules for ARPANET
remote-users
hostnames. They must start with a letter, end with a
letter or digit, and have as interior characters only
letters, digits, and hyphens. Names can be up to 63
characters.
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1484
How to Administer the Switch
Example:
Switch# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Setting Up DNS
If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you
configure a hostname that contains no periods (.), a period followed by the default domain name is appended
to the hostname before the DNS query is made to map the name to an IP address. The default domain name
is the value set by the ip domain-name global configuration command. If there is a period (.) in the hostname,
the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
Follow these steps to set up your switch to use the DNS:
Procedure
Example:
Switch# configure terminal
Step 3 ip domain-name name Defines a default domain name that the software uses to
complete unqualified hostnames (names without a
Example: dotted-decimal domain name).
Switch(config)# ip domain-name Do not include the initial period that separates an unqualified
Cisco.com name from the domain name.
At boot time, no domain name is configured; however, if
the switch configuration comes from a BOOTP or Dynamic
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1485
How to Administer the Switch
Step 4 ip name-server server-address1 Specifies the address of one or more name servers to use
[server-address2 ... server-address6] for name and address resolution.
You can specify up to six name servers. Separate each server
Example: address with a space. The first server specified is the primary
Switch(config)# ip server. The switch sends DNS queries to the primary server
name-server 192.168.1.100 first. If that query fails, the backup servers are queried.
192.168.1.200 192.168.1.300
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
What to Do Next
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1486
How to Administer the Switch
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1487
How to Administer the Switch
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1488
How to Administer the Switch
Procedure
Example:
Switch# configure terminal
Step 3 mac address-table aging-time [0 | Sets the length of time that a dynamic entry remains
10-1000000] [routed-mac | vlan vlan-id] in the MAC address table after the entry is used or
updated.
Example: The range is 10 to 1000000 seconds. The default
Switch(config)# mac address-table is 300. You can also enter 0, which disables aging.
aging-time 500 vlan 2 Static address entries are never aged or removed
from the table.
vlan-id—Valid IDs are 1 to 4094.
Example:
Switch(config)# end
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1489
How to Administer the Switch
Procedure
Example:
Switch# configure terminal
Step 3 snmp-server host host-addr Specifies the recipient of the trap message.
community-string notification-type {
informs | traps } {version {1 | 2c | 3}} • host-addr—Specifies the name or address of the
{vrf vrf instance name} NMS.
• traps (the default)—Sends SNMP traps to the
Example: host.
Switch(config)# snmp-server host • informs—Sends SNMP informs to the host.
172.20.10.10 traps private
mac-notification • version—Specifies the SNMP version to support.
Version 1, the default, is not available with
informs.
• community-string—Specifies the string to send
with the notification operation. Though you can
set this string by using the snmp-server host
command, we recommend that you define this
string by using the snmp-server community
command before using the snmp-server host
command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1490
How to Administer the Switch
Step 4 snmp-server enable traps Enables the switch to send MAC address change
mac-notification change notification traps to the NMS.
Example:
Switch(config)# snmp-server enable
traps
mac-notification change
Step 5 mac address-table notification change Enables the MAC address change notification feature.
Example:
Switch(config)# mac address-table
notification change
Step 6 mac address-table notification change Enters the trap interval time and the history table size.
[interval value] [history-size value]
• (Optional) interval value—Specifies the
notification trap interval in seconds between each
Example: set of traps that are generated to the NMS. The
Switch(config)# mac address-table range is 0 to 2147483647 seconds; the default is
notification change interval 123 1 second.
Switch(config)#mac address-table
notification change history-size • (Optional) history-size value—Specifies the
100
maximum number of entries in the MAC
notification history table. The range is 0 to 500;
the default is 1.
Step 7 interface interface-id Enters interface configuration mode, and specifies the
Layer 2 interface on which to enable the SNMP MAC
Example: address notification trap.
Switch(config)# interface
gigabitethernet1/0/2
Step 8 snmp trap mac-notification change Enables the MAC address change notification trap on
{added | removed} the interface.
• Enables the trap when a MAC address is added
Example: on this interface.
Switch(config-if)# snmp trap
mac-notification change added • Enables the trap when a MAC address is removed
from this interface.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1491
How to Administer the Switch
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 11 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Procedure
Example:
Switch# configure terminal
Step 3 snmp-server host host-addr {traps | Specifies the recipient of the trap message.
informs} {version {1 | 2c | 3}}
community-string notification-type • host-addr—Specifies the name or address of
the NMS.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1492
How to Administer the Switch
Step 4 snmp-server enable traps Enables the switch to send MAC address move
mac-notification move notification traps to the NMS.
Example:
Switch(config)# snmp-server enable
traps
mac-notification move
Step 5 mac address-table notification Enables the MAC address move notification feature.
mac-move
Example:
Switch(config)# mac address-table
notification mac-move
Example:
Switch(config)# end
Example:
Switch# show running-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1493
How to Administer the Switch
What to Do Next
To disable MAC address-move notification traps, use the no snmp-server enable traps mac-notification
move global configuration command. To disable the MAC address-move notification feature, use the no mac
address-table notification mac-move global configuration command.
You can verify your settings by entering the show mac address-table notification mac-move privileged
EXEC commands.
Procedure
Example:
Switch# configure terminal
Step 3 snmp-server host host-addr {traps | Specifies the recipient of the trap message.
informs} {version {1 | 2c | 3}}
community-string notification-type • host-addr—Specifies the name or address of the
NMS.
Example: • traps (the default)—Sends SNMP traps to the
host.
Switch(config)# snmp-server host
172.20.10.10 traps private • informs—Sends SNMP informs to the host.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1494
How to Administer the Switch
Step 4 snmp-server enable traps Enables MAC threshold notification traps to the NMS.
mac-notification threshold
Example:
Switch(config)# snmp-server enable
traps
mac-notification threshold
Step 5 mac address-table notification threshold Enables the MAC address threshold notification
feature.
Example:
Switch(config)# mac address-table
notification threshold
Step 6 mac address-table notification threshold Enters the threshold value for the MAC address
[limit percentage] | [interval time] threshold usage monitoring.
• (Optional) limit percentage—Specifies the
Example: percentage of the MAC address table use; valid
Switch(config)# mac address-table values are from 1 to 100 percent. The default is
notification threshold interval 123 50 percent.
Switch(config)# mac address-table
notification threshold limit 78 • (Optional) interval time—Specifies the time
between notifications; valid values are greater
than or equal to 120 seconds. The default is 120
seconds.
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1495
How to Administer the Switch
Example:
Switch# show running-config
Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
What to Do Next
Procedure
Example:
Switch# configure terminal
Step 3 mac address-table static mac-addr Adds a static address to the MAC address table.
vlan vlan-id interface interface-id
• mac-addr—Specifies the destination MAC unicast
address to add to the address table. Packets with this
Example: destination address received in the specified VLAN
Switch(config)# mac are forwarded to the specified interface.
address-table
static c2f3.220a.12f4 vlan 4 • vlan-id—Specifies the VLAN for which the packet
interface gigabitethernet 1/0/1 with the specified MAC address is received. Valid
VLAN IDs are 1 to 4094.
• interface-id—Specifies the interface to which the
received packet is forwarded. Valid interfaces include
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1496
How to Administer the Switch
Example:
Switch# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1497
Monitoring and Maintaining Administration of the Switch
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
clear mac address-table dynamic interface Removes all addresses on the specified physical port
interface-id or port channel.
clear mac address-table dynamic vlan vlan-id Removes all addresses on a specified VLAN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1498
Configuration Examples for Switch Administration
Command Purpose
show ip igmp snooping groups Displays the Layer 2 multicast entries for all VLANs
or the specified VLAN.
show mac address-table address mac-address Displays MAC address table information for the
specified MAC address.
show mac address-table aging-time Displays the aging time in all VLANs or the specified
VLAN.
show mac address-table count Displays the number of addresses present in all
VLANs or the specified VLAN.
show mac address-table dynamic Displays only dynamic MAC address table entries.
show mac address-table interface interface-name Displays the MAC address table information for the
specified interface.
show mac address-table move update Displays the MAC address table move update
information.
show mac address-table notification {change | Displays the MAC notification parameters and history
mac-move | threshold} table.
show mac address-table static Displays only static MAC address table entries.
show mac address-table vlan vlan-id Displays the MAC address table information for the
specified VLAN.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1499
Configuration Examples for Switch Administration
This example shows how to set summer time start and end dates:
This example shows how to configure a MOTD banner by using the pound sign (#) symbol as the beginning
and ending delimiter:
Switch(config)#
This example shows the banner that appears from the previous configuration:
Trying 192.0.2.15...
Connected to 192.0.2.15.
Password:
Access for authorized users only. Please enter your username and password.
Switch(config)#
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1500
Configuration Examples for Switch Administration
This example shows how to specify 172.20.10.10 as the NMS, enable the MAC address threshold notification
feature, set the interval time to 123 seconds, and set the limit to 78 per cent:
This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet
is received in VLAN 4 with this MAC address as its destination address, the packet is forwarded to the specified
port:
Note You cannot associate the same static MAC address to multiple interfaces. If the command is executed
again with a different interface, the static MAC address is overwritten on the new interface.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1501
Additional References for Switch Administration
Standard/RFC Title
None —
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1502
Feature History and Information for Switch Administration
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1503
Feature History and Information for Switch Administration
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1504
CHAPTER 67
Performing Switch Setup Configuration
• Information About Performing Switch Setup Configuration, page 1505
• How to Perform Switch Setup Configuration, page 1516
• Monitoring Switch Setup Configuration, page 1527
• Configuration Examples for Performing Switch Setup, page 1528
• Additional References for Performing Switch Setup, page 1530
• Feature History and Information For Performing Switch Setup Configuration, page 1531
Boot Process
To start your switch, you need to follow the procedures in the getting started guide or the hardware installation
guide for installing and powering on the switch and setting up the initial switch configuration (IP address,
subnet mask, default gateway, secret and Telnet passwords, and so forth).
The boot loader software performs the normal boot process and includes these activities:
• Locates the bootable (base) package in the bundle or installed package set.
• Performs low-level CPU initialization. It initializes the CPU registers, which control where physical
memory is mapped, its quantity, its speed, and so forth.
• Performs power-on self-test (POST) for the CPU subsystem and tests the system DRAM.
• Initializes the file systems on the system board.
• Loads a default operating system software image into memory and boots up the switch.
The boot loader provides access to the flash file systems before the operating system is loaded. Normally, the
boot loader is used only to load, decompress, and start the operating system. After the boot loader gives the
operating system control of the CPU, the boot loader is not active until the next system reset or power-on.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1505
Information About Performing Switch Setup Configuration
The boot loader also provides trap-door access into the system if the operating system has problems serious
enough that it cannot be used. The trap-door operation provides enough access to the system so that if it is
necessary, you can format the flash file system, reinstall the operating system software image by using the
Xmodem Protocol, recover from a lost or forgotten password, and finally restart the operating system.
Before you can assign switch information, make sure that you have connected a PC or terminal to the console
port or a PC to the Ethernet management port, and make sure you have configured the PC or terminal-emulation
software baud rate and character format to match that of the switch console port settings:
• Baud rate default is 9600.
• Data bits default is 8.
Note If the data bits option is set to 8, set the parity option to none.
Note If you are using DHCP, do not respond to any of the questions in the setup program until the switch
receives the dynamically assigned IP address and reads the configuration file.
If you are an experienced user familiar with the switch configuration steps, manually configure the switch.
Otherwise, use the setup program described in the Boot Process section.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1506
Information About Performing Switch Setup Configuration
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1507
Information About Performing Switch Setup Configuration
The client, Switch A, broadcasts a DHCPDISCOVER message to locate a DHCP server. The DHCP server
offers configuration parameters (such as an IP address, subnet mask, gateway IP address, DNS IP address, a
lease for the IP address, and so forth) to the client in a DHCPOFFER unicast message.
In a DHCPREQUEST broadcast message, the client returns a formal request for the offered configuration
information to the DHCP server. The formal request is broadcast so that all other DHCP servers that received
the DHCPDISCOVER broadcast message from the client can reclaim the IP addresses that they offered to
the client.
The DHCP server confirms that the IP address has been allocated to the client by returning a DHCPACK
unicast message to the client. With this message, the client and server are bound, and the client uses
configuration information received from the server. The amount of information the switch receives depends
on how you configure the DHCP server.
If the configuration parameters sent to the client in the DHCPOFFER unicast message are invalid (a
configuration error exists), the client returns a DHCPDECLINE broadcast message to the DHCP server.
The DHCP server sends the client a DHCPNAK denial broadcast message, which means that the offered
configuration parameters have not been assigned, that an error has occurred during the negotiation of the
parameters, or that the client has been slow in responding to the DHCPOFFER message (the DHCP server
assigned the parameters to another client).
A DHCP client might receive offers from multiple DHCP or BOOTP servers and can accept any of the offers;
however, the client usually accepts the first offer it receives. The offer from the DHCP server is not a guarantee
that the IP address is allocated to the client; however, the server usually reserves the address until the client
has had a chance to formally request the address. If the switch accepts replies from a BOOTP server and
configures itself, the switch broadcasts, instead of unicasts, TFTP requests to obtain the switch configuration
file.
The DHCP hostname option allows a group of switches to obtain hostnames and a standard configuration
from the central management DHCP server. A client (switch) includes in its DCHPDISCOVER message an
option 12 field used to request a hostname and other configuration parameters from the DHCP server. The
configuration files on all clients are identical except for their DHCP-obtained hostnames.
If a client has a default hostname (the hostname name global configuration command is not configured or
the no hostname global configuration command is entered to remove the hostname), the DHCP hostname
option is not included in the packet when you enter the ip address dhcp interface configuration command.
In this case, if the client receives the DCHP hostname option from the DHCP interaction while acquiring an
IP address for an interface, the client accepts the DHCP hostname option and sets the flag to show that the
system now has a hostname configured.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1508
Information About Performing Switch Setup Configuration
• Unless you configure a timeout, the DHCP-based autoconfiguration with a saved configuration feature
tries indefinitely to download an IP address.
• The auto-install process stops if a configuration file cannot be downloaded or if the configuration file
is corrupted.
• The configuration file that is downloaded from TFTP is merged with the existing configuration in the
running configuration but is not saved in the NVRAM unless you enter the write memory or
copy running-configuration startup-configuration privileged EXEC command. If the downloaded
configuration is saved to the startup configuration, the feature is not triggered during subsequent system
restarts.
DHCP Autoconfiguration
DHCP autoconfiguration downloads a configuration file to one or more switches in your network from a
DHCP server. The downloaded configuration file becomes the running configuration of the switch. It does
not over write the bootup configuration saved in the flash, until you reload the switch.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1509
Information About Performing Switch Setup Configuration
• If you want the switch to receive the configuration file from a TFTP server, you must configure the
DHCP server with these lease options:
◦TFTP server name (required)
◦Boot filename (the name of the configuration file that the client needs) (recommended)
◦Hostname (optional)
• Depending on the settings of the DHCP server, the switch can receive IP address information, the
configuration file, or both.
• If you do not configure the DHCP server with the lease options described previously, it replies to client
requests with only those parameters that are configured. If the IP address and the subnet mask are not
in the reply, the switch is not configured. If the router IP address or the TFTP server name are not found,
the switch might send broadcast, instead of unicast, TFTP requests. Unavailability of other lease options
does not affect autoconfiguration.
• The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features
are enabled on your switch but are not configured. (These features are not operational.)
If you specify the TFTP server name in the DHCP server-lease database, you must also configure the TFTP
server name-to-IP-address mapping in the DNS-server database.
If the TFTP server to be used is on a different LAN from the switch, or if it is to be accessed by the switch
through the broadcast address (which occurs if the DHCP server response does not contain all the required
information described previously), a relay must be configured to forward the TFTP packets to the TFTP server.
The preferred solution is to configure the DHCP server with all the required information.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1510
Information About Performing Switch Setup Configuration
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1511
Information About Performing Switch Setup Configuration
Note The switch broadcasts TFTP server requests if the TFTP server is not obtained from the DHCP replies,
if all attempts to read the configuration file through unicast transmissions fail, or if the TFTP server name
cannot be resolved to an IP address.
You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS
commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1512
Information About Performing Switch Setup Configuration
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1513
Information About Performing Switch Setup Configuration
When the switch is connected to a PC through the Ethernet management port, you can download or upload a
configuration file to the boot loader by using TFTP. Make sure the environment variables in this table are
configured.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1514
Information About Performing Switch Setup Configuration
Variable Description
MAC_ADDR Specifies the MAC address of the switch.
Note We recommend that you do not modify this
variable.
However, if you modify this variable after the boot
loader is up or the value is different from the saved
value, enter this command before using TFTP.
IP_ADDR Specifies the IP address and the subnet mask for the
associated IP subnet of the switch.
The reload command halts the system. If the system is not set to manually boot up, it reboots itself.
If your switch is configured for manual booting, do not reload it from a virtual terminal. This restriction
prevents the switch from entering the boot loader mode and then taking it from the remote user’s control.
If you modify your configuration file, the switch prompts you to save the configuration before reloading.
During the save operation, the system requests whether you want to proceed with the save if the CONFIG_FILE
environment variable points to a startup configuration file that no longer exists. If you proceed in this situation,
the system enters setup mode upon reload.
To cancel a previously scheduled reload, use the reload cancel privileged EXEC command.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1515
How to Perform Switch Setup Configuration
Procedure
Example:
Switch# configure terminal
Step 2 ip dhcp pool poolname Creates a name for the DHCP server address
pool, and enters DHCP pool configuration mode.
Example:
Switch(config)# ip dhcp pool pool
Step 3 boot filename Specifies the name of the configuration file that
is used as a boot image.
Example:
Switch(dhcp-config)# boot
config-boot.text
Step 4 network network-number mask prefix-length Specifies the subnet network number and mask
of the DHCP address pool.
Example: Note The prefix length specifies the number
Switch(dhcp-config)# network of bits that comprise the address prefix.
10.10.10.0 255.255.255.0 The prefix is an alternative way of
specifying the network mask of the
client. The prefix length must be
preceded by a forward slash (/).
Step 5 default-router address Specifies the IP address of the default router for
a DHCP client.
Example:
Switch(dhcp-config)# default-router
10.10.10.1
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1516
How to Perform Switch Setup Configuration
Example:
Switch(dhcp-config)# option 150
10.10.10.1
Example:
Switch(dhcp-config)# exit
Step 9 interface interface-id Specifies the address of the client that will
receive the configuration file.
Example:
Switch(config)# interface
gigabitethernet1/0/4
Example:
Switch(config-if)# no switchport
Step 11 ip address address mask Specifies the IP address and mask for the
interface.
Example:
Switch(config-if)# ip address
10.10.10.1 255.255.255.0
Example:
Switch(config-if)# end
Related Topics
Example: Configuring a Switch as a DHCP Server, on page 1528
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1517
How to Perform Switch Setup Configuration
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1518
How to Perform Switch Setup Configuration
Step 8 copy tftp flash filename.txt Uploads the text file to the
switch.
Example:
Switch(config)# copy tftp flash image.bin
Step 9 copy tftp flash imagename.bin Uploads the tar file for the
new image to the switch.
Example:
Switch(config)# copy tftp flash image.bin
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1519
How to Perform Switch Setup Configuration
Related Topics
Example: Configuring DHCP Auto-Image Update, on page 1528
Note You should only configure and enable the Layer 3 interface. Do not assign an IP address or DHCP-based
autoconfiguration with a saved configuration.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1520
How to Perform Switch Setup Configuration
Procedure
Example:
Switch# configure terminal
Step 3 boot host retry timeout timeout-value (Optional) Sets the amount of time the system
tries to download a configuration file.
Example: Note If you do not set a timeout, the system
Switch(conf)# boot host retry timeout will try indefinitely to obtain an IP
300 address from the DHCP server.
Example:
Switch(config-if)# end
Example:
Switch# show boot
Related Topics
Example: Configuring a Switch to Download Configurations from a DHCP Server, on page 1529
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1521
How to Perform Switch Setup Configuration
Procedure
Example:
Switch# configure terminal
Step 2 interface vlan vlan-id Enters interface configuration mode, and enter the
VLAN to which the IP information is assigned. The
Example: range is 1 to 4094.
Step 3 ip address ip-address subnet-mask Enters the IP address and subnet mask.
Example:
Switch(config-vlan)# ip address
10.10.10.2 255.255.255.0
Example:
Switch(config-vlan)# exit
Step 5 ip default-gateway ip-address Enters the IP address of the next-hop router interface
that is directly connected to the switch where a default
Example: gateway is being configured. The default gateway
receives IP packets with unresolved destination IP
Switch(config)# ip default-gateway addresses from the switch.
10.10.10.1
Once the default gateway is configured, the switch
has connectivity to the remote networks with which
a host needs to communicate.
Note When your switch is configured to route with
IP, it does not need to have a default gateway
set.
Step 6 end Returns to privileged EXEC mode.
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1522
How to Perform Switch Setup Configuration
Example:
Switch# show interfaces vlan 99
Example:
Switch# show ip redirects
Note After you configure the NVRAM buffer size, reload the switch or switch stack.
When you add a switch to a stack and the NVRAM size differs, the new switch syncs with the stack and
reloads automatically.
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1523
How to Perform Switch Setup Configuration
Example:
Switch(config)# end
Example:
Switch# show boot
Related Topics
Example: Configuring NVRAM Buffer Size, on page 1529
Procedure
Example:
Switch# configure terminal
Step 2 boot flash:/file-url Specifies the configuration file to load during the
next boot cycle.
Example: file-url—The path (directory) and the configuration
Switch(config)# boot filename.
flash:config.text
Filenames and directory names are case-sensitive.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1524
How to Perform Switch Setup Configuration
Example:
Switch(config)# end
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration
file.
Example:
Switch# copy running-config
startup-config
Procedure
Example:
Switch# configure terminal
Step 2 boot manual Enables the switch to manually boot up during the next boot
cycle.
Example:
Switch(config)# boot manual
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1525
How to Perform Switch Setup Configuration
Step 5 copy running-config (Optional) Saves your entries in the configuration file.
startup-config
Example:
Switch# copy running-config
startup-config
Procedure
Example:
Switch# configure terminal
Step 2 copy running-config startup-config Saves your switch configuration information to the startup
configuration before you use the reload command.
Example:
copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1526
Monitoring Switch Setup Configuration
Step 4 reload at hh: mm [month day | day Specifies the time in hours and minutes for the reload to
month] [text] occur.
Note Use the at keyword only if the switch system
Example: clock has been set (through Network Time
Switch(config)# reload at 14:00 Protocol (NTP), the hardware calendar, or
manually). The time is relative to the configured
time zone on the switch. To schedule reloads
across several switches to occur simultaneously,
the time on each switch must be synchronized
with NTP.
Step 5 reload cancel Cancels a previously scheduled reload.
Example:
Switch(config)# reload cancel
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1527
Configuration Examples for Performing Switch Setup
.
<output truncated>
.
interface gigabitethernet6/0/2
mvr type source
<output truncated>
...!
interface VLAN1
ip address 172.20.137.50 255.255.255.0
no ip directed-broadcast
!
ip default-gateway 172.20.137.1 !
!
snmp-server community private RW
snmp-server community public RO
snmp-server community private@es0 RW
snmp-server community public@es0 RO
snmp-server chassis-id 0x12
!
end
Related Topics
Configuring DHCP Autoconfiguration (Only Configuration File), on page 1516
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1528
Configuration Examples for Performing Switch Setup
Switch(dhcp-config)# exit
Switch(config)# tftp-server flash:config-boot.text
Switch(config)# tftp-server flash:image_name
Switch(config)# tftp-server flash:boot-config.text
Switch(config)# tftp-server flash: autoinstall_dhcp
Switch(config)# interface gigabitethernet1/0/4
Switch(config-if)# ip address 10.10.10.1 255.255.255.0
Switch(config-if)# end
Related Topics
Configuring DHCP Auto-Image Update (Configuration File and Image), on page 1518
Related Topics
Configuring the Client to Download Files from DHCP Server, on page 1520
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1529
Additional References for Performing Switch Setup
Manual Boot : no
HELPER path-list :
Auto upgrade : yes
Auto upgrade path :
NVRAM/Config file
buffer size: 600000
Timeout for Config
Download: 300 seconds
Config Download
via DHCP: enabled (next boot: enabled)
Switch#
Related Topics
Configuring the NVRAM Buffer Size, on page 1523
Standard/RFC Title
None —
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1530
Feature History and Information For Performing Switch Setup Configuration
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1531
Feature History and Information For Performing Switch Setup Configuration
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1532
CHAPTER 68
Configuring SDM Templates
• Finding Feature Information, page 1533
• Information About Configuring SDM Templates, page 1533
• How to Configure SDM Templates, page 1536
• Configuration Examples for SDM Templates, page 1538
• Additional References for SDM Templates, page 1539
• Feature History and Information for Configuring SDM Templates, page 1540
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1533
Information About Configuring SDM Templates
• The switch supports homogeneous stacking and mixed stacking. Mixed stacking is supported only with
the Catalyst 2960-S switches. A homogenous stack can have up to eight stack members, while a mixed
stack can have up to four stack members. All switches in a switch stack must be running the LAN Base
image.
• The default template is the only template supported on switches running the LAN Base image.
SDM Templates
You can use Switch Database Management (SDM) templates to configure system resources to optimize support
for specific features, depending on how your device is used in the network. You can select a template to
provide maximum system usage for some functions.
To allocate ternary content addressable memory (TCAM) resources for different usages, the switch SDM
templates prioritize system resources to optimize support for certain features. The templates supported on
your device:
• Default—The default template gives balance to all functions.
• LAN Base default—The LAN Base default template is to be used with switches in a homogeneous stack.
• LAN Base routing—The LAN Base routing template supports IPv4 unicast routes for static routing SVI
configuration.
The LAN Base routing template prevents other features from using the memory allocated to unicast routing.
Routing must be enabled on your switch before you can use the routing template.
For more information about homogeneous and mixed stacks, see the Catalyst 2960-X Switch Stacking
Configuration Guide.
After you change the template and the system reboots, you can use the show sdm prefer privileged EXEC
command to verify the new template configuration. If you enter the show sdm prefer command before you
enter the reload privileged EXEC command, the show sdm prefer command shows the template currently
in use and the template that becomes active after a reload.
Note • The SDM templates contain only those commands that are defined as part of the templates. If a
template enables another related command that is not defined in the template, then this other command
will be visible when the show running config command is entered. For example, if the SDM template
enables the switchport voice vlan command, then the spanning-tree portfast edge command may
also be enabled (although it is not defined on the SDM template).
If the SDM template is removed, then other such related commands are also removed and have to
be reconfigured explicitly.
• SDM templates do not create VLANs. You must create the VLANs before adding commands to the
SDM templates.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1534
Information About Configuring SDM Templates
• LAN Base default—Optimizes the resources in the switch to support feature level for no routed interfaces
and 1024 VLANs.
Resource Default LAN Base Default LAN Base Routing LAN Lite
Unicast MAC 8K 16 k 4K 16 k
addresses
NetFlow Entries 16 K — — —
0 2K .875 K 0
• Directly
connected
hosts
0 1K 80 0
• Indirect
routes
.25 K 2K .75 K 0
• Directly
connected
IPv6
addresses
32 1K 32 0
• Indirect IPv6
unicast
routes
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1535
How to Configure SDM Templates
Resource Default LAN Base Default LAN Base Routing LAN Lite
Ipv4 MAC QoS .375 K .5 K .375 K .256 K
ACEs
Related Topics
Examples: Displaying SDM Templates, on page 1538
Setting the SDM Template, on page 1536
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1536
How to Configure SDM Templates
Example:
Switch# configure terminal
Step 3 sdm prefer { default | Specifies the SDM template to be used on the switch. The
lanbase-default | lanbase-routing keywords have these meanings:
}
• default —The default template provides balance for all
Layer 2, IPv4 and IPv6 functionality.
Example:
• lanbase-routing —The LAN Base routing templates
Switch(config)# sdm prefer
lanbase-routing provides both IPv4 and IPv6 static routing functionality.
Step 4 sdm prefer { default | Specifies the SDM template to be used on the switch. The
dual-ipv4-and-ipv6 {default} | keywords have these meanings:
lanbase-routing }
• default —The default template provides balance for all
Layer 2, IPv4 and IPv6 functionality.
Example:
Switch(config)# sdm prefer • dual-ipv4-and-ipv6 —The dual IP template supports
dual-ipv4-and-ipv6
both IPv4 and IPv6 routing. The default option balances
IPv4 and IPv6 Layer 2 functionality.
• lanbase-routing —This template maximizes IPv4
routing on the switch..
Example:
Switch(config)# end
Example:
Switch# reload
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1537
Configuration Examples for SDM Templates
"default" template:
The selected template optimizes the resources in
the switch to support this level of features for
0 routed interfaces and 255 VLANs.
Switch#
This is an example output showing the LAN Base default template information.
Switch# show sdm prefer lanbase-default
"lanbase-default" template:
The selected template optimizes the resources in
the switch to support this level of features for
0 routed interfaces and 1024 VLANs.
Switch#
This is an example output showing the LAN Base routing template information.
Switch# show sdm prefer lanbase-routing
"lanbase-routing" template:
The selected template optimizes the resources in
the switch to support this level of features for
0 routed interfaces and 255 VLANs.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1538
Additional References for SDM Templates
Switch#
Standard/RFC Title
None —
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1539
Feature History and Information for Configuring SDM Templates
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1540
CHAPTER 69
Configuring System Message Logs
• Restrictions for Configuring System Message Logs, page 1541
• Information About Configuring System Message Logs, page 1541
• How to Configure System Message Logs, page 1544
• Monitoring and Maintaining System Message Logs, page 1552
• Configuration Examples for System Message Logs, page 1552
• Additional References for System Message Logs, page 1553
• Feature History and Information For System Message Logs, page 1554
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1541
Information About Configuring System Message Logs
You can set the severity level of the messages to control the type of messages displayed on the consoles and
each of the destinations. You can time-stamp log messages or set the syslog source address to enhance real-time
debugging and management. For information on possible messages, see the system message guide for this
release.
You can access logged system messages by using the switch command-line interface (CLI) or by saving them
to a properly configured syslog server. The switch software saves syslog messages in an internal buffer on a
standalone switch, and in the case of a switch stack, on the active switchstack master. If a standalone switch
or the stack master fails, the log is lost unless you had saved it to flash memory.
You can remotely monitor system messages by viewing the logs on a syslog server or by accessing the switch
through Telnet, through the console port, or through the Ethernet management port. In a switch stack, all stack
member consoles provide the same console output.
The part of the message preceding the percent sign depends on the setting of these global configuration
commands:
• service sequence-numbers
• service timestamps log datetime
• service timestamps log datetime [localtime] [msec] [show-timezone]
• service timestamps log uptime
Element Description
seq no: Stamps log messages with a sequence number only
if the service sequence-numbers global configuration
command is configured.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1542
Information About Configuring System Message Logs
Element Description
timestamp formats: Date and time of the message or event. This
information appears only if the service timestamps
mm/dd h h:mm:ss
log [datetime | log] global configuration command
or is configured.
hh:mm:ss (short uptime)
or
d h (long uptime)
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1543
How to Configure System Message Logs
Procedure
Example:
Switch# configure terminal
Step 2 logging buffered [size] Logs messages to an internal buffer on the switch or on a standalone
switch or, in the case of a switch stack, on the active switchstack
Example: master. The range is 4096 to 2147483647 bytes. The default buffer
size is 4096 bytes.
Switch(config)# logging
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1544
How to Configure System Message Logs
Step 4 logging file flash: filename Stores log messages in a file in flash memory on a standalone
[max-file-size [min-file-size]] switch or, in the case of a switch stack, on the active switchstack
[severity-level-number | type] master.
• filename—Enters the log message filename.
Example:
• (Optional) max-file-size —Specifies the maximum logging
Switch(config)# logging
file flash:log_msg.txt file size. The range is 4096 to 2147483647. The default is
40960 4096 3 4096 bytes.
• (Optional) min-file-size—Specifies the minimum logging file
size. The range is 1024 to 2147483647. The default is 2048
bytes.
• (Optional) severity-level-number | type—Specifies either the
logging severity level or the logging type. The severity range
is 0 to 7.
Example:
Switch(config)# end
Step 6 terminal monitor Logs messages to a nonconsole terminal during the current session.
Terminal parameter-setting commands are set locally and do not
Example: remain in effect after the session has ended. You must perform this
Switch# terminal monitor step for each session to see the debugging messages.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1545
How to Configure System Message Logs
Procedure
Example:
Switch# configure terminal
Step 2 line [console | vty] line-number Specifies the line to be configured for synchronous logging of
[ending-line-number] messages.
• console —Specifies configurations that occur through the
Example: switch console port or the Ethernet management port.
Switch(config)# line
console • line vty line-number—Specifies which vty lines are to have
synchronous logging enabled. You use a vty connection for
configurations that occur through a Telnet session. The range
of line numbers is from 0 to 15.
You can change the setting of all 16 vty lines at once by entering:
line vty 0 15
You can also change the setting of the single vty line being used
for your current connection. For example, to change the setting for
vty line 2, enter:
line vty 2
When you enter this command, the mode changes to line
configuration.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1546
How to Configure System Message Logs
Example:
Switch(config)# end
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1547
How to Configure System Message Logs
Example:
Switch(config)# no logging console
Example:
Switch(config)# end
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1548
How to Configure System Message Logs
Example:
Switch(config)# end
Procedure
Example:
Switch# configure terminal
Example:
Switch(config)# service sequence-numbers
Example:
Switch(config)# end
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1549
How to Configure System Message Logs
Procedure
Example:
Switch# configure terminal
Step 3 logging monitor level Limits messages logged to the terminal lines.
By default, the terminal receives debugging messages
Example: and numerically lower levels.
Switch(config)# logging monitor 3
Step 4 logging trap level Limits messages logged to the syslog servers.
By default, syslog servers receive informational
Example: messages and numerically lower levels.
Switch(config)# logging trap 3
Example:
Switch(config)# end
Procedure
Example:
Switch# configure terminal
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1550
How to Configure System Message Logs
Step 3 logging history size number Specifies the number of syslog messages that can be
stored in the history table.
Example: The default is to store one message. The range is 0 to
Switch(config)# logging history 500 messages.
size 200
Example:
Switch(config)# end
Note Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the
network. If this is the case with your system, use the UNIX man syslogd command to decide what options
must be added to or removed from the syslog command line to enable logging of remote syslog messages.
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1551
Monitoring and Maintaining System Message Logs
$ touch /var/log/cisco.log
$ chmod 666 /var/log/cisco.log
Step 3 Make sure the syslog daemon reads the new For more information, see the man syslog.conf and
changes. man syslogd commands on your UNIX system.
Example:
$ kill -HUP `cat /etc/syslog.pid`
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1552
Additional References for System Message Logs
This example shows part of a logging display with the service timestamps log datetime global configuration
command enabled:
This example shows part of a logging display with the service timestamps log uptime global configuration
command enabled:
This example shows part of a logging display with the sequence numbers enabled.
Standard/RFC Title
None —
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1553
Feature History and Information For System Message Logs
MIBs
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1554
CHAPTER 70
Configuring Online Diagnostics
• Information About Configuring Online Diagnostics, page 1555
• How to Configure Online Diagnostics, page 1556
• Monitoring and Maintaining Online Diagnostics, page 1560
• Configuration Examples for Online Diagnostic Tests, page 1561
• Additional References for Online Diagnostics, page 1564
• Feature History and Information for Configuring Online Diagnostics, page 1565
Online Diagnostics
With online diagnostics, you can test and verify the hardware functionality of the Switch while the Switch is
connected to a live network.
The online diagnostics contain packet switching tests that check different hardware components and verify
the data path and the control signals.
The online diagnostics detect problems in these areas:
• Hardware components
• Interfaces (Ethernet ports and so forth)
• Solder joints
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1555
How to Configure Online Diagnostics
Procedure
Example:
You can specify the tests by using one of these options:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1556
How to Configure Online Diagnostics
Procedure
Example:
Switch# configure terminal
Step 2 diagnostic schedule switch number Schedules on-demand diagnostic tests for a specific day and
test {name | test-id | test-id-range | time.
all | basic | non-disruptive |} {daily The switch number keyword is supported only on stacking
| on mm dd yyyy hh:mm | weekly switches. The range is from 1 to 8.
day-of-week hh:mm}
When specifying the tests to be scheduled, use these options:
Example: • name—Name of the test that appears in the show
Switch(config)# diagnostic diagnostic content command output.
schedule switch 1 test 1-5 on
July 3 2013 23:10 • test-id—ID number of the test that appears in the show
diagnostic content command output.
• test-id-range—ID numbers of the tests that appear in the
show diagnostic content command output.
• all—All test IDs.
• basic—Starts the basic on-demand diagnostic tests.
• non-disruptive—Starts the non-disruptive test suite.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1557
How to Configure Online Diagnostics
Procedure
Example:
Switch# configure terminal
Step 3 diagnostic monitor interval switch Configures the health-monitoring interval of the specified
number test {name | test-id | tests.
test-id-range | all} hh:mm:ss The switch number keyword is supported only on stacking
milliseconds day switches.
Example:
When specifying the tests, use one of these parameters:
Step 4 diagnostic monitor syslog (Optional) Configures the switch to generate a syslog message
when a health-monitoring test fails.
Example:
Switch(config)# diagnostic
monitor syslog
Step 5 diagnostic monitor threshold (Optional) Sets the failure threshold for the health-monitoring
switch number number test {name | tests.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1558
How to Configure Online Diagnostics
Step 6 diagnostic monitor switch number Enables the specified health-monitoring tests.
test {name | test-id | test-id-range | The switch number keyword is supported only on stacking
all} switches. The range is from 1 to 9.
Example:
When specifying the tests, use one of these parameters:
Example:
Switch(config)# end
Example:
Switch# show running-config
Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1559
Monitoring and Maintaining Online Diagnostics
What to Do Next
Use the no diagnostic monitor interval testtest-id | test-id-range } global configuration command to change
the interval to the default value or to zero. Use the no diagnostic monitor syslog command to disable generation
of syslog messages when a health-monitoring test fails. Use the diagnostic monitor threshold testtest-id |
test-id-range }failure countcommand to remove the failure threshold.
Command Purpose
show diagnostic content switch [number | all] Displays the online diagnostics configured for a
switch.
The switch [number | all] parameter is supported only
on stacking switches.
show diagnostic result switch [number | all] [detail Displays the online diagnostics test results.
| test {name | test-id | test-id-range | all} [detail]] The switch [number | all] parameter is supported only
on stacking switches.
show diagnostic switch [number | all] [detail] Displays the online diagnostics test results.
The switch [number | all] parameter is supported only
on stacking switches.
show diagnostic schedule switch [number | all] Displays the online diagnostics test schedule.
The switch [number | all] parameter is supported only
on stacking switches.
show diagnostic post Displays the POST results. (The output is the same
as the show post command output.)
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1560
Configuration Examples for Online Diagnostic Tests
Procedure
Example:
You can specify the tests by using one of these options:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1561
Configuration Examples for Online Diagnostic Tests
This example shows how to schedule diagnostic testing to occur weekly at a certain time on a specific switch:
Switch 1: SerialNo :
___________________________________________________________________________
1) TestPortAsicStackPortLoopback ---> U
2) TestPortAsicLoopback ------------> U
3) TestPortAsicCam -----------------> U
4) TestPortAsicMem -----------------> U
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1562
Configuration Examples for Online Diagnostic Tests
5) TestInlinePwrCtlr ---------------> U
This example shows how to display the online diagnostics that are configured on a specific switch:
Switch# show diagnostic content switch 3
Switch 1:
Diagnostics test suite attributes:
B/* - Basic ondemand test / NA
P/V/* - Per port test / Per device test / NA
D/N/* - Disruptive test / Non-disruptive test / NA
S/* - Only applicable to standby unit / NA
X/* - Not a health monitoring test / NA
F/* - Fixed monitoring interval test / NA
E/* - Always enabled monitoring test / NA
A/I - Monitoring is active / Monitoring is inactive
R/* - Switch will reload after test list completion / NA
P/* - will partition stack / NA
This example shows how to display the online diagnostic results for a switch:
Switch# show diagnostic result
Switch 1: SerialNo :
Overall diagnostic result: PASS
Test results: (. = Pass, F = Fail, U = Untested)
1) TestPortAsicStackPortLoopback ---> .
2) TestPortAsicLoopback ------------> .
3) TestPortAsicCam -----------------> .
4) TestPortAsicRingLoopback --------> .
5) TestMicRingLoopback -------------> .
6) TestPortAsicMem -----------------> .
This example shows how to display the online diagnostic test status:
Switch# show diagnostic status
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1563
Additional References for Online Diagnostics
TestPortAsicRingLoopback <OD>
TestMicRingLoopback <OD>
TestPortAsicMem <OD>
3 N/A N/A
4 N/A N/A
====== ================================= =============================== ======
Switch#
This example shows how to display the online diagnostic test schedule for a switch:
Switch# show diagnostic schedule switch 1
Standard/RFC Title
None —
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1564
Feature History and Information for Configuring Online Diagnostics
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1565
Feature History and Information for Configuring Online Diagnostics
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1566
CHAPTER 71
Troubleshooting the Software Configuration
This chapter describes how to identify and resolve software problems related to the Cisco IOS software on
the switch. Depending on the nature of the problem, you can use the command-line interface (CLI), Device
Manager, or Network Assistant to identify and solve problems.
Additional troubleshooting information, such as LED descriptions, is provided in the hardware installation
guide.
Related Topics
Recovering from a Software Failure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1567
Information About Troubleshooting the Software Configuration
Note On these switches, a system administrator can disable some of the functionality of this feature by allowing
an end user to reset a password only by agreeing to return to the default configuration. If you are an end
user trying to reset a password when password recovery has been disabled, a status message reminds you
to return to the default configuration during the recovery process.
Note You cannot recover encryption password key, when Cisco WLC configuration is copied from one Cisco
WLC to another (in case of an RMA).
Related Topics
Recovering from a Lost or Forgotten Password
A powered device can receive redundant power when it is connected to a PoE switch port and to an AC power
source. The device does not receive redundant power when it is only connected to the PoE port.
After the switch detects a powered device, the switch determines the device power requirements and then
grants or denies power to the device. The switch can also detect the real-time power consumption of the device
by monitoring and policing the power usage.
For more information, see the "Configuring PoE" chapter in the Catalyst 2960-X Switch Interface and Hardware
Component Configuration Guide.
Related Topics
Scenarios to Troubleshoot Power over Ethernet (PoE), on page 1592
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1568
Information About Troubleshooting the Software Configuration
the no shutdown interface command. You can also configure automatic recovery on the Switch to recover
from the error-disabled state.
On a Switch, the errdisable recovery cause loopback and the errdisable recovery interval seconds global
configuration commands automatically take the interface out of the error-disabled state after the specified
period of time.
Ping
The Switch supports IP ping, which you can use to test connectivity to remote hosts. Ping sends an echo
request packet to an address and waits for a reply. Ping returns one of these responses:
• Normal response—The normal response (hostname is alive) occurs in 1 to 10 seconds, depending on
network traffic.
• Destination does not respond—If the host does not respond, a no-answer message is returned.
• Unknown host—If the host does not exist, an unknown host message is returned.
• Destination unreachable—If the default gateway cannot reach the specified network, a
destination-unreachable message is returned.
• Network or host unreachable—If there is no entry in the route table for the host or network, a network
or host unreachable message is returned.
Related Topics
Executing Ping, on page 1585
Example: Pinging an IP Host, on page 1594
Layer 2 Traceroute
The Layer 2 traceroute feature allows the switch to identify the physical path that a packet takes from a source
device to a destination device. Layer 2 traceroute supports only unicast source and destination MAC addresses.
Traceroute finds the path by using the MAC address tables of the Switch in the path. When the Switch detects
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1569
Information About Troubleshooting the Software Configuration
a device in the path that does not support Layer 2 traceroute, the Switch continues to send Layer 2 trace queries
and lets them time out.
The Switch can only identify the path from the source device to the destination device. It cannot identify the
path that a packet takes from source host to the source device or from the destination device to the destination
host.
• When multiple devices are attached to one port through hubs (for example, multiple CDP neighbors are
detected on a port), the Layer 2 traceroute feature is not supported. When more than one CDP neighbor
is detected on a port, the Layer 2 path is not identified, and an error message appears.
• This feature is not supported in Token Ring VLANs.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1570
Information About Troubleshooting the Software Configuration
IP Traceroute
You can use IP traceroute to identify the path that packets take through the network on a hop-by-hop basis.
The command output displays all network layer (Layer 3) devices, such as routers, that the traffic passes
through on the way to the destination.
Your Switch can participate as the source or destination of the traceroute privileged EXEC command and
might or might not appear as a hop in the traceroute command output. If the Switch is the destination of the
traceroute, it is displayed as the final destination in the traceroute output. Intermediate Switch do not show
up in the traceroute output if they are only bridging the packet from one port to another within the same VLAN.
However, if the intermediate Switch is a multilayer Switch that is routing a particular packet, this Switch
shows up as a hop in the traceroute output.
The traceroute privileged EXEC command uses the Time To Live (TTL) field in the IP header to cause
routers and servers to generate specific return messages. Traceroute starts by sending a User Datagram Protocol
(UDP) datagram to the destination host with the TTL field set to 1. If a router finds a TTL value of 1 or 0, it
drops the datagram and sends an Internet Control Message Protocol (ICMP) time-to-live-exceeded message
to the sender. Traceroute finds the address of the first hop by examining the source address field of the ICMP
time-to-live-exceeded message.
To identify the next hop, traceroute sends a UDP packet with a TTL value of 2. The first router decrements
the TTL field by 1 and sends the datagram to the next router. The second router sees a TTL value of 1, discards
the datagram, and returns the time-to-live-exceeded message to the source. This process continues until the
TTL is incremented to a value large enough for the datagram to reach the destination host (or until the maximum
TTL is reached).
To learn when a datagram reaches its destination, traceroute sets the UDP destination port number in the
datagram to a very large value that the destination host is unlikely to be using. When a host receives a datagram
destined to itself containing a destination port number that is unused locally, it sends an ICMP port-unreachable
error to the source. Because all errors except port-unreachable errors come from intermediate hops, the receipt
of a port-unreachable error means that this message was sent by the destination port.
Related Topics
Executing IP Traceroute, on page 1587
Example: Performing a Traceroute to an IP Host, on page 1595
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1571
Information About Troubleshooting the Software Configuration
When you run TDR, the Switch reports accurate information in these situations:
• The cable for the gigabit link is a solid-core cable.
• The open-ended cable is not terminated.
When you run TDR, the Switch does not report accurate information in these situations:
• The cable for the gigabit link is a twisted-pair cable or is in series with a solid-core cable.
• The link is a 10-megabit or a 100-megabit link.
• The cable is a stranded cable.
• The link partner is a Cisco IP Phone.
• The link partner is not IEEE 802.3 compliant.
Debug Commands
Caution Because debugging output is assigned high priority in the CPU process, it can render the system unusable.
For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting
sessions with Cisco technical support staff. It is best to use debug commands during periods of lower
network traffic and fewer users. Debugging during these periods decreases the likelihood that increased
debug command processing overhead will affect system use.
All debug commands are entered in privileged EXEC mode, and most debug commands take no arguments.
Related Topics
Redirecting Debug and Error Message Output, on page 1587
Example: Enabling All System Diagnostics, on page 1596
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1572
Information About Troubleshooting the Software Configuration
• Environment data—Unique device identifier (UDI) information for a standalone Switch or a switch
stack member and for all the connected FRU devices: the product identification (PID), the version
identification (VID), and the serial number.
• Message—Record of the hardware-related system messages generated by a standalone Switch or a
switch stack member.
• Power over Ethernet (PoE)—Record of the power consumption of PoE ports on a standalone Switch
or a switch stack member.
• Temperature—Temperature of a standalone Switch or a switch stack member.
• Uptime data—Time when a standalone Switch or a switch stack member starts, the reason the Switch
restarts, and the length of time the Switch has been running since it last restarted.
• Voltage—System voltages of a standalone Switch or a switch stack member.
You should manually set the system clock or configure it by using Network Time Protocol (NTP).
When the Switch is running, you can retrieve the OBFL data by using the show logging onboard privileged
EXEC commands. If the Switch fails, contact your Cisco technical support representative to find out how to
retrieve the data.
When an OBFL-enabled Switch is restarted, there is a 10-minute delay before logging of new data begins.
Related Topics
Configuring OBFL, on page 1588
Displaying OBFL Information
Note You may see increased system memory usage when Cisco Catalyst 4500E Supervisor Engine 8-E is used
in wireless mode.
Layer 3 switches:
• Dropped packets or increased latency for packets routed in software
• BGP or OSPF routing topology changes
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1573
How to Troubleshoot the Software Configuration
• HSRP flapping
Note
Procedure
Step 1 From your PC, download the software image tar file (image_filename.tar) from Cisco.com. The Cisco IOS
image is stored as a bin file in a directory in the tar file. For information about locating the software image
files on Cisco.com, see the release notes.
Step 2 Extract the bin file from the tar file. If you are using Windows, use a zip program that can read a tar file. Use
the zip program to navigate. If you are using Windows, use a zip program that can read a tar file. Use the zip
program to navigate. If you are using UNIX, follow these steps:
a) Display the contents of the tar file by using the tar -tvf <image_filename.tar> UNIX command.
Example:
unix-1% tar -tvf image_filename.tar
b) Locate the bin file, and extract it by using the tar -xvf <image_filename.tar> <image_filename.bin>
UNIX command.
Example:
unix-1% tar -xvf image_filename.tar image_filename.bin
x c2960x-universalk9-mz-150-2.EX1/c2960x-universalk9-mz-150-2.EX1.bin, 2928176 bytes,
5720
tape blocks
c) Verify that the bin file was extracted by using the ls -l <image_filename.bin> UNIX command.
Example:
unix-1% ls -l image_filename.bin
-rw-r--r-- 1 boba 2928176 Apr 21 12:01
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1574
How to Troubleshoot the Software Configuration
c2960x-universalk9-mz.150-2.0.66.UCP/c2960x-universalk9-mz.150-2.0.66.UCP.bin
Step 3 Connect your PC with terminal-emulation software supporting the Xmodem Protocol to the switch console
port.
Step 4 Set the line speed on the emulation software to 9600 baud.
Step 5 Unplug the switch power cord.
Step 6 Press the Mode button, and at the same time reconnect the power cord to the switch. You can release the
Mode button a second or two after the LED above port 1 goes off. Several lines of information about the
software appear along with instructions.
Example:
The system has been interrupted prior to initializing the flash file system. The following
commands will initialize the flash file system, and finish loading the operating system
software#
flash_init
load_helper
boot
Example:
switch: flash_init
Step 8 If you had set the console port speed to any speed other than 9600, it has been reset to that particular speed.
Change the emulation software line speed to match that of the switch console port.
Step 9 Load any helper files.
Example:
switch: load_helper
Example:
switch: copy xmodem: flash:image_filename.bin
Step 11 After the Xmodem request appears, use the appropriate command on the terminal-emulation software to start
the transfer and to copy the software image into flash memory.
Step 12 Boot the newly downloaded Cisco IOS image.
Example:
switch: boot flash:image_filename.bin
Step 13 Use the archive download-sw privileged EXEC command to download the software image to the switch or
to the switch stack.
Step 14 Use the reload privileged EXEC command to restart the switch and to verify that the new software image is
operating properly.
Step 15 Delete the flash:image_filename.bin file from the switch.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1575
How to Troubleshoot the Software Configuration
Note On these switches, a system administrator can disable some of the functionality of this feature by allowing
an end user to reset a password only by agreeing to return to the default configuration. If you are an end
user trying to reset a password when password recovery has been disabled, a status message shows this
during the recovery process.
You enable or disable password recovery by using the service password-recovery global configuration
command.
The switch supports homogeneous stacking and mixed stacking. Mixed stacking is supported only with the
Catalyst 2960-S switches. A homogenous stack can have up to eight stack members, while a mixed stack can
have up to four stack members. All switches in a switch stack must be running the LAN Base image.
Procedure
Step 2 Set the line speed on the emulation software to 9600 baud.
Step 3 On a switch, power off the switch.
Step 4 Reconnect the power cord to the switch. Within 15 seconds, press the Mode button while the System LED is
still flashing green. Continue pressing the Mode button until all the system LEDs turn on and remain solid,
then release the Mode button.
Several lines of information about the software appear with instructions, informing you if the password
recovery procedure has been disabled or not.
• If you see a message that begins with this statement:
The system has been interrupted prior to initializing the flash file system. The
following commands will initialize the flash file system
proceed to the "Procedure with Password Recovery Enabled" section, and follow the steps.
• If you see a message that begins with this statement:
The password-recovery mechanism has been triggered, but is currently disabled.
proceed to the "Procedure with Password Recovery Disabled" section, and follow the steps.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1576
How to Troubleshoot the Software Configuration
On a switch:
Switch> reload
Proceed with reload? [confirm] y
The system has been interrupted prior to initializing the flash file system. The following
commands will initialize the flash file system, and finish loading the operating system
software:
flash_init
load_helper
boot
Procedure
Step 2 If you had set the console port speed to any number other than 9600, it has been reset to that particular speed.
Change the emulation software line speed to match that of the switch console port.
Step 3 Load any helper files.
Switch: load_helper
You are prompted to start the setup program. Enter N at the prompt.
Continue with the configuration dialog?? [yes/no]: No
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1577
How to Troubleshoot the Software Configuration
Note Before continuing to Step 9, power on any connected stack members and wait until they have
completely initialized. Failure to follow this step can result in a lost configuration depending on how
your switch is set up.
Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can
change the pasword.
The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive,
and allows spaces but ignores leading spaces.
Step 14 Boot the switch with the packages.conf file from flash.
Switch: boot flash:packages.conf
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1578
How to Troubleshoot the Software Configuration
Would you like to reset the system back to the default configuration (y/n)?
Caution Returning the Switch to the default configuration results in the loss of all existing configurations. We
recommend that you contact your system administrator to verify if there are backup Switch and VLAN
configuration files.
• If you enter n (no), the normal boot process continues as if the Mode button had not been pressed; you
cannot access the boot loader prompt, and you cannot enter a new password. You see the message:
• If you enter y (yes), the configuration file in flash memory and the VLAN database file are deleted.
When the default configuration loads, you can reset the password.
Procedure
Step 1 Choose to continue with password recovery and delete the existing configuration:
Would you like to reset the system back to the default configuration (y/n)? Y
Directory of flash:
13 drwx 192 Mar 01 2013 22:30:48 c2960x-universalk9-mz.150-2.0.63.UCP.bin
16128000 bytes total (10003456 bytes free)
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1579
How to Troubleshoot the Software Configuration
You are prompted to start the setup program. To continue with password recovery, enter N at the prompt:
The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive,
and allows spaces but ignores leading spaces.
Note Before continuing to Step 9, power on any connected stack members and wait until they have
completely initialized. The stacking feature is supported on Switch running the LAN Base image.
Step 8 Write the running configuration to the startup configuration file:
Step 9 You must now reconfigure the Switch. If the system administrator has the backup Switch and VLAN
configuration files available, you should use those.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1580
How to Troubleshoot the Software Configuration
These recovery procedures require that you have physical access to the switch. For information on
command-capable switches, see the release notes.
Procedure
Step 1 Disconnect the command switch from the member switches, and physically remove it from the cluster.
Step 2 Insert the member switch in place of the failed command switch, and duplicate its connections to the cluster
members.
Step 3 Start a CLI session on the new command switch.
You can access the CLI by using the console port or, if an IP address has been assigned to the switch, by using
Telnet. For details about using the console port, see Catalyst 2960-X Switch Hardware Installation Guide.
Example:
Switch> enable
Switch#
Example:
Switch# configure terminal
Example:
Switch(config)# no cluster commander-address
Step 8 Return to privileged EXEC mode.
Example:
Switch(config)# end
Switch#
Step 9 Use the setup program to configure the switch IP information. This program prompts you for IP address
information and passwords. From privileged EXEC mode, enter EXEC mode, enter setup, and press Return.
Example:
Switch# setup
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1581
How to Troubleshoot the Software Configuration
Example:
The prompts in the setup program vary depending on the member switch that you selected to
be the command switch:
Continue with configuration dialog? [yes/no]: y
or
If this prompt does not appear, enter enable, and press Return. Enter setup, and press Return to start the
setup program.
Step 11 Respond to the questions in the setup program.
When prompted for the hostname, it is limited to 28 characters and 31 characters on a member switch. Do
not use -n, where n is a number, as the last characters in a hostname for any switch. When prompted for the
Telnet (virtual terminal) password, it is 1 to 25 alphanumeric characters, is case sensitive, allows spaces, but
ignores leading spaces.
Step 12 When prompted for the enable secret and enable passwords, enter the passwords of the failed command
switch again.
Step 13 When prompted, make sure to enable the switch as the cluster command switch, and press Return.
Step 14 When prompted, assign a name to the cluster, and press Return.
The cluster name can be 1 to 31 alphanumeric characters, dashes, or underscores.
Step 15 After the initial configuration displays, verify that the addresses are correct.
Step 16 If the displayed information is correct, enter Y, and press Return.
If this information is not correct, enter N, press Return, and begin again at Step 9.
Step 17 Start your browser, and enter the IP address of the new command switch.
Step 18 From the Cluster menu, select Add to Cluster to display a list of candidate switches to add to the cluster.
Procedure
Step 1 Insert the new switch in place of the failed command switch, and duplicate its connections to the cluster
members.
Step 2 You can access the CLI by using the console port or, if an IP address has been assigned to the switch, by using
Telnet. For details about using the console port, see the switch hardware installation guide.
Step 3 At the switch prompt, enter privileged EXEC mode.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1582
How to Troubleshoot the Software Configuration
Example:
Switch> enable
Switch#
Step 4 Enter the password of the failed command switch.
Step 5 Use the setup program to configure the switch IP information. This program prompts you for IP address
information and passwords. From privileged EXEC mode, enter EXEC mode, enter setup, and press Return.
Example:
Switch# setup
Example:
The prompts in the setup program vary depending on the member switch that you selected to
be the command switch:
Continue with configuration dialog? [yes/no]: y
or
If this prompt does not appear, enter enable, and press Return. Enter setup, and press Return to start the
setup program.
Step 7 Respond to the questions in the setup program.
When prompted for the hostname, it is limited to 28 characters and 31 characters on a member switch. Do
not use -n, where n is a number, as the last characters in a hostname for any switch. When prompted for the
Telnet (virtual terminal) password, it is 1 to 25 alphanumeric characters, is case sensitive, allows spaces, but
ignores leading spaces.
Step 8 When prompted for the enable secret and enable passwords, enter the passwords of the failed command
switch again.
Step 9 When prompted, make sure to enable the switch as the cluster command switch, and press Return.
Step 10 When prompted, assign a name to the cluster, and press Return.
The cluster name can be 1 to 31 alphanumeric characters, dashes, or underscores.
Step 11 After the initial configuration displays, verify that the addresses are correct.
Step 12 If the displayed information is correct, enter Y, and press Return.
If this information is not correct, enter N, press Return, and begin again at Step 9.
Step 13 Start your browser, and enter the IP address of the new command switch.
Step 14 From the Cluster menu, select Add to Cluster to display a list of candidate switches to add to the cluster.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1583
How to Troubleshoot the Software Configuration
If you replace a stack member with an identical model, the new Switch functions with the exact same
configuration as the replaced Switch. This is also assuming the new Switch is using the same member number
as the replaced Switch.
Removing powered-on stack members causes the switch stack to divide (partition) into two or more switch
stacks, each with the same configuration. If you want the switch stacks to remain separate, change the IP
address or addresses of the newly created switch stacks. To recover from a partitioned switch stack, follow
these steps:
1 Power off the newly created switch stacks.
2 Reconnect them to the original switch stack through their StackWise Plus ports.
3 Power on the Switch.
For the commands that you can use to monitor the switch stack and its members, see the Displaying Switch
Stack Information section.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1584
How to Troubleshoot the Software Configuration
To maximize Switch performance and ensure a link, follow one of these guidelines when changing the settings
for duplex and speed:
• Let both ports autonegotiate both speed and duplex.
• Manually set the speed and duplex parameters for the ports on both ends of the connection.
Note If a remote device does not autonegotiate, configure the duplex settings on the two ports to match. The
speed parameter can adjust itself even if the connected port does not autonegotiate.
Note The security error message references the GBIC_SECURITY facility. The Switch supports SFP modules
and does not support GBIC modules. Although the error message text refers to GBIC interfaces and
modules, the security messages actually refer to the SFP modules and module interfaces.
If you are using a non-Cisco SFP module, remove the SFP module from the Switch, and replace it with a
Cisco module. After inserting a Cisco SFP module, use the errdisable recovery cause gbic-invalid global
configuration command to verify the port status, and enter a time interval for recovering from the error-disabled
state. After the elapsed interval, the Switch brings the interface out of the error-disabled state and retries the
operation. For more information about the errdisable recovery command, see the command reference for
this release.
If the module is identified as a Cisco SFP module, but the system is unable to read vendor-data information
to verify its accuracy, an SFP module error message is generated. In this case, you should remove and reinsert
the SFP module. If it continues to fail, the SFP module might be defective.
Executing Ping
If you attempt to ping a host in a different IP subnetwork, you must define a static route to the network or
have IP routing configured to route between those subnets.
IP routing is disabled by default on all Switch.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1585
How to Troubleshoot the Software Configuration
Note Though other protocol keywords are available with the ping command, they are not supported in this
release.
Use this command to ping another device on the network from the Switch:
Command Purpose
ping ip host | address Pings a remote host through IP or by supplying the
hostname or network address.
Switch# ping 172.20.52.3
Related Topics
Ping, on page 1569
Example: Pinging an IP Host, on page 1594
Monitoring Temperature
The Switch monitors the temperature conditions and uses the temperature information to control the fans.
Use the show env temperature status privileged EXEC command to display the temperature value, state,
and thresholds. The temperature value is the temperature in the Switch (not the external temperature).You
can configure only the yellow threshold level (in Celsius) by using the system env temperature threshold
yellow value global configuration command to set the difference between the yellow and red thresholds. You
cannot configure the green or red thresholds. For more information, see the command reference for this release.
Command Purpose
tracetroute mac [interface interface-id] Displays the Layer 2 path taken by the packets from
{source-mac-address} [interface interface-id] the specified source MAC address to the specified
{destination-mac-address} [vlan vlan-id] [detail] destination MAC address.
tracetroute mac ip {source-ip-address | Displays the Layer 2 path taken by the packets from
source-hostname}{destination-ip-address | the specified source IP address or hostname to the
destination-hostname} [detail] specified destination IP address or hostname.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1586
How to Troubleshoot the Software Configuration
Executing IP Traceroute
Note Though other protocol keywords are available with the traceroute privileged EXEC command, they are
not supported in this release.
Command Purpose
traceroute ip host Traces the path that
Switch# traceroute ip 192.51.100.1 packets take through
the network.
Related Topics
IP Traceroute , on page 1571
Example: Performing a Traceroute to an IP Host, on page 1595
By default, the network server sends the output from debug commands and system error messages to the
console. If you use this default, you can use a virtual terminal connection to monitor debug output instead of
connecting to the console port or the Ethernet management port.
Possible destinations include the console, virtual terminals, internal buffer, and UNIX hosts running a syslog
server. The syslog format is compatible with 4.3 Berkeley Standard Distribution (BSD) UNIX and its
derivatives.
Note Be aware that the debugging destination you use affects system overhead. When you log messages to the
console, very high overhead occurs. When you log messages to a virtual terminal, less overhead occurs.
Logging messages to a syslog server produces even less, and logging to an internal buffer produces the
least overhead of any method.
For more information about system message logging, see Configuring System Message Logging.
Related Topics
Debug Commands, on page 1572
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1587
How to Troubleshoot the Software Configuration
Configuring OBFL
Caution We recommend that you do not disable OBFL and that you do not remove the data stored in the flash
memory.
• To enable OBFL, use the hw-switch switch [switch-number] logging onboard [message level level]
global configuration command. On switches, the range for switch-number is from 1 to 9. Use the message
level level parameter to specify the severity of the hardware-related messages that the switch generates
and stores in the flash memory.
• To copy the OBFL data to the local network or a specific file system, use the copy onboard switch
switch-number url url-destination privileged EXEC command.
• To disable OBFL, use the no hw-switch switch [switch-number] logging onboard [message level]
global configuration command.
• To clear all the OBFL data in the flash memory except for the uptime and CLI command information,
use the clear onboard switch switch-number privileged EXEC command.
• In a switch stack, you can enable OBFL on a standalone switch or on all stack members by using the
hw-switch switch [switch-number] logging onboard [message level level] global configuration command.
• You can enable or disable OBFL on a member switch from the active switchstack master.
For more information about the commands in this section, see the command reference for this release.
Related Topics
Onboard Failure Logging on the Switch, on page 1572
Displaying OBFL Information
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1588
Verifying Troubleshooting of the Software Configuration
Command Purpose
show logging onboard [module[switch-number ]]clilog Displays the OBFL CLI
Switch# show logging onboard 1 clilog commands that were entered
on a standalone switch or the
specified stack members.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1589
Verifying Troubleshooting of the Software Configuration
Command Purpose
show logging onboard [module[switch-number ]] continuous Displays the data in the
Switch# show logging onboard 1 continuous continuous file.
show logging onboard [module[switch-number ]] endhh:mm:ss Displays end time and date on
Switch# show logging onboard 1 a standalone switch or the
end 13:00:15 jul 2013 specified stack members.
show logging onboard [module[switch-number ]] start Displays the start time and date
Switch# show logging on a standalone switch or the
onboard 1 start 13:00:10 jul 2013 specified stack members.
show logging onboard [module[switch-number ]] summary Displays both the data in the
Switch# show logging onboard 1 summary summary file
For more information, see the Catalyst 2960-X Switch System Management Command Reference.
Example: Verifying the Problem and Cause for High CPU Utilization
To determine if high CPU utilization is a problem, enter the show processes cpu sorted privileged EXEC
command. Note the underlined information in the first line of the output example.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1590
Verifying Troubleshooting of the Software Configuration
This example shows normal CPU utilization. The output shows that utilization for the last 5 seconds is 8%/0%,
which has this meaning:
• The total CPU utilization is 8 percent, including both time running Cisco IOS processes and time spent
handling interrupts.
• The time spent handling interrupts is zero percent.
Total CPU utilization is greater One or more Cisco IOS process is Identify the unusual event, and
than 50% with minimal time spent consuming too much CPU time. troubleshoot the root cause. See the
on interrupts. This is usually triggered by an section on “Debugging Active
event that activated the process. Processes.”
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1591
Scenarios for Troubleshooting the Software Configuration
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1592
Scenarios for Troubleshooting the Software Configuration
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1593
Configuration Examples for Troubleshooting Software
Non-Cisco powered device does not Use the show power inline command to verify that the switch power
work on Cisco PoE switch. budget (available PoE) is not depleted before or after the powered
A non-Cisco powered device is device is connected. Verify that sufficient power is available for the
connected to a Cisco PoE switch, but powered device type before you connect it.
never powers on or powers on and then Use the show interface status command to verify that the switch
quickly powers off. Non-PoE devices detects the connected powered device.
work normally.
Use the show log command to review system messages that reported
an overcurrent condition on the port. Identify the symptom precisely:
Does the powered device initially power on, but then disconnect?
If so, the problem might be an initial surge-in (or inrush) current
that exceeds a current-limit threshold for the port.
Related Topics
Power over Ethernet Ports, on page 1568
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1594
Configuration Examples for Troubleshooting Software
Character Description
! Each exclamation point means receipt of a reply.
To end a ping session, enter the escape sequence (Ctrl-^ X by default). Simultaneously press and release the
Ctrl, Shift, and 6 keys and then press the X key.
Related Topics
Ping, on page 1569
Executing Ping, on page 1585
The display shows the hop count, the IP address of the router, and the round-trip time in milliseconds for each
of the three probes that are sent.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1595
Configuration Examples for Troubleshooting Software
Character Description
* The probe timed out.
H Host unreachable.
N Network unreachable.
P Protocol unreachable.
Q Source quench.
U Port unreachable.
To end a trace in progress, enter the escape sequence (Ctrl-^ X by default). Simultaneously press and release
the Ctrl, Shift, and 6 keys and then press the X key.
Related Topics
IP Traceroute , on page 1571
Executing IP Traceroute, on page 1587
Caution Because debugging output takes priority over other network traffic, and because the debug all privileged
EXEC command generates more output than any other debug command, it can severely diminish switch
performance or even render it unusable. In virtually all cases, it is best to use more specific debug
commands.
The no debug all privileged EXEC command disables all diagnostic output. Using the no debug all command
is a convenient way to ensure that you have not accidentally left any debug commands enabled.
Related Topics
Debug Commands, on page 1572
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1596
Additional References for Troubleshooting Software Configuration
Standard/RFC Title
None —
MIBs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1597
Feature History and Information for Troubleshooting Software Configuration
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/support
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1598
PART XIV
Working with the Cisco IOS File System,
Configuration Files, and Software Images
• Working with the Cisco IOS File System, Configuration Files, and Software Images, page 1601
CHAPTER 72
Working with the Cisco IOS File System,
Configuration Files, and Software Images
• Working with the Flash File System, page 1601
• Working with Configuration Files, page 1611
• Replacing and Rolling Back Configurations, page 1622
• Working with Software Images , page 1625
• Copying Image Files Using TFTP, page 1628
• Copying Image Files Using FTP, page 1631
• Copying Image Files Using RCP, page 1637
• Copying an Image File from One Stack Member to Another, page 1642
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1601
Working with the Flash File System
This example shows a switch stack. In this example, the active switch is stack member 1; the file system on
stack member 2 is displayed as flash-2:, the file system on stack member 3 is displayed as flash-3: and so on
up to stack member 9, displayed as flash-9: for a 9-member stack. The example also shows the crashinfo
directories and a USB flash drive plugged into the active switch:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1602
Working with the Flash File System
- - network rw scp:
- - network rw https:
- - opaque ro cns:
- - opaque rw revrcsf:
Field Value
Size(b) Amount of memory in the file system in bytes.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1603
Working with the Flash File System
Field Value
Prefixes Alias for file system.
crashinfo:—Crashinfo file.
flash:—Flash file system.
ftp:—FTP server.
http:—HTTP server.
https:—Secure HTTP server.
nvram:—NVRAM.
null:—Null destination for copies. You can copy a remote file to null
to find its size.
rcp:—Remote Copy Protocol (RCP) server.
scp:—Session Control Protocol (SCP) server.
system:—Contains the system memory, including the running
configuration.
tftp:—TFTP network server.
usbflash0:—USB flash memory.
xmodem:—Obtain the file from a network machine by using the
Xmodem protocol.
ymodem:—Obtain the file from a network machine by using the
Ymodem protocol.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1604
Working with the Flash File System
Command Description
dir [/all] Displays a list of files on a file system.
[filesystem:filename]
show file systems Displays more information about each of the files on a file system.
show file descriptors Displays a list of open file descriptors. File descriptors are the internal
representations of open files. You can use this command to see if another user
has a file open.
Procedure
Step 2 dir filesystem: Displays the directories on the specified file system.
For filesystem:, use flash: for the system board flash
Example: device.
Switch# dir flash: To access flash partitions of switch members in a stack,
use flash-n where n is the stack member number. For
example, flash-4.
Example:
Switch# pwd
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1605
Working with the Flash File System
Example:
Switch# cd
Creating Directories
Beginning in privileged EXEC mode, follow these steps to create a directory:
Procedure
Step 2 mkdir directory_name Creates a new directory. Directory names are case
sensitive and are limited to 45 characters between the
Example: slashes (/); the name cannot contain control characters,
spaces, slashes, quotes, semicolons, or colons.
Switch# mkdir new_configs
Example:
Switch# dir flash:
Removing Directories
To remove a directory with all its files and subdirectories, use the delete /force /recursive filesystem:/file-url
privileged EXEC command.
Use the /recursive keyword to delete the named directory and all subdirectories and the files contained in it.
Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You
are prompted only once at the beginning of this deletion process.
For filesystem, use flash: for the system board flash device. For file-url, enter the name of the directory to be
deleted. All of the files in the directory and the directory are removed.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1606
Working with the Flash File System
Copying Files
To copy a file from a source to a destination, use the copy source-url destination-url privileged EXEC
command. For the source and destination URLs, you can use running-config and startup-config keyword
shortcuts. For example, the copy running-config startup-config command saves the currently running
configuration file to the NVRAM section of flash memory to be used as the configuration during system
initialization.
You can also copy from special file systems (xmodem:, ymodem:) as the source for the file from a network
machine that uses the Xmodem or Ymodem protocol.
Network file system URLs include ftp:, rcp:, and tftp: and have these syntaxes:
• FTP—ftp:[[//username [:password]@location]/directory]/filename
• RCP—rcp:[[//username@location]/directory]/filename
• TFTP—tftp:[[//location]/directory]/filename
Copying Files from One Switch in a Stack to Another Switch in the Same Stack
To copy a file from one switch in a stack to another switch in the same stack, use the flash-X: notation, where
X is the switch number.
To view all switches in a stack, use the show switch command in privileged EXEC mode, as in the following
example of a 9-member switch stack:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1607
Working with the Flash File System
To view all file systems available to copy on a specific switch, use the copy command as in the following
example of a 5-member stack:
Switch#
This example shows how to copy a config file stored in the flash partition of switch 2 to the flash partition of
switch 4. It assumes that switch 2 and switch 4 are in the same stack.
Deleting Files
When you no longer need a file on a flash memory device, you can permanently delete it. To delete a file or
directory from a specified flash device, use the delete [/force] [/recursive] [filesystem:]/file-url privileged
EXEC command.
Use the /recursive keyword for deleting a directory and all subdirectories and the files contained in it. Use
the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are
prompted only once at the beginning of this deletion process. Use the /force and /recursive keywords for
deleting old software images that were installed by using the archive download-sw command but are no
longer needed.
If you omit the filesystem: option, the switch uses the default device specified by the cd command. For file-url,
you specify the path (directory) and the name of the file to be deleted.
When you attempt to delete any files, the system prompts you to confirm the deletion.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1608
Working with the Flash File System
This example shows how to delete the file myconfig from the default flash memory device:
Switch# delete myconfig
Procedure
For flash:/file-url, specify the location on the local flash file system
in which the new file is created. You can also specify an optional list
of files or directories within the source directory to add to the new
file. If none are specified, all files and directories at this level are
written to the newly created file.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1609
Working with the Flash File System
You can also limit the file displays by specifying a list of files or
directories after the file. Only those files appear. If none are specified,
all files and directories appear.
Step 3 archive tar /xtract source-url Extracts a file into a directory on the flash file system.
flash:/file-url [dir/file...] For source-url, specify the source URL alias for the local file system.
The -filename. is the file from which to extract files. These options
Example: are supported:
switch# archive tar • Local flash file system syntax:
/xtract
tftp:/172.20.10.30/saved. flash:
flash:/new-configs
• FTP syntax:
ftp:[[//username[:password]@location]/directory]/-filename.
• RCP syntax:
rcp:[[//username@location]/directory]/-filename.
• TFTP syntax:
tftp:[[//location]/directory]/-filename.
Step 4 more [ /ascii | /binary | Displays the contents of any readable file, including a file on a remote
/ebcdic] /file-url file system.
Example:
switch# more
flash:/new-configs
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1610
Working with Configuration Files
You can copy (upload) configuration files from the switch to a file server by using TFTP, FTP, or RCP. You
might perform this task to back up a current configuration file to a server before changing its contents so that
you can later restore the original configuration file from the server.
The protocol you use depends on which type of server you are using. The FTP and RCP transport mechanisms
provide faster performance and more reliable delivery of data than TFTP. These improvements are possible
because FTP and RCP are built on and use the TCP/IP stack, which is connection-oriented.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1611
Working with Configuration Files
Note The copy {ftp: | rcp: | tftp:} system:running-config privileged EXEC command loads the configuration
files on the switch as if you were entering the commands at the command line. The switch does not erase
the existing running configuration before adding the commands. If a command in the copied configuration
file replaces a command in the existing configuration file, the existing command is erased. For example,
if the copied configuration file contains a different IP address in a particular command than the existing
configuration, the IP address in the copied configuration is used. However, some commands in the existing
configuration might not be replaced or negated. In this case, the resulting configuration file is a mixture
of the existing configuration file and the copied configuration file, with the copied configuration file
having precedence.
To restore a configuration file to an exact copy of a file stored on a server, copy the configuration file
directly to the startup configuration (by using the copy {ftp: | rcp: | tftp:} nvram:startup-config privileged
EXEC command), and reload the switch.
Procedure
Command or Purpose
Action
Step 1 Copy an existing configuration from a switch to a server.
Step 2 Open the configuration file in a text editor, such as vi or emacs on UNIX
or Notepad on a PC.
Step 3 Extract the portion of the configuration file with the desired commands,
and save it in a new file.
Step 4 Copy the configuration file to the appropriate server location. For example,
copy the file to the TFTP directory on the workstation (usually /tftpboot
on a UNIX workstation).
Step 5 Make sure the permissions on the file are set to world-read.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1612
Working with Configuration Files
Note You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services
files. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot
command (on the SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x). For
more information on the TFTP daemon, see the documentation for your workstation.
• Ensure that the switch has a route to the TFTP server. The switch and the TFTP server must be in the
same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the
TFTP server by using the ping command.
• Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually
/tftpboot on a UNIX workstation).
• For download operations, ensure that the permissions on the file are set correctly. The permissionon the
file should be world-read.
• Before uploading the configuration file, you might need to create an empty file on the TFTP server. To
create an empty file, enter the touch filename command, where filename is the name of the file you will
use when uploading it to the server.
• During upload operations, if you are overwriting an existing file (including an empty file, if you had to
create one) on the server, ensure that the permissions on the file are set correctly. Permissions on the
file should be world-write.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1613
Working with Configuration Files
Procedure
Command Purpose
or Action
Step 1 Copy the configuration file to the appropriate TFTP directory on the workstation.
This example shows how to configure the software from the file tokyo-confg at IP address 172.16.2.155:
Switch# copy tftp://172.16.2.155/tokyo-confg system:running-config
Configure using tokyo-confg from 172.16.2.155? [confirm] y
Booting tokyo-confg from 172.16.2.155:!!! [OK - 874/16000 bytes]
Procedure
Command or Purpose
Action
Step 1 Verify that the TFTP server is properly configured.
Step 2 Log into the switch through the console port, the Ethernet management port, or
a Telnet session
.
Step 3 Upload the switch configuration to the TFTP server. Specify the IP address or
hostname of the TFTP server and the destination filename.
Use one of these privileged EXEC commands:
• copy system:running-config tftp:[[[//location]/directory]/filename]
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1614
Working with Configuration Files
Command or Purpose
Action
• copy nvram:startup-config tftp:[[[//location]/directory]/filename]
• copy flash[n]:/directory/startup-config
tftp:[[[//location]/directory]/filename]
Note You can only enter the flashn parameter (for example, flash3) on
Catalyst 3750-E switches.
The file is uploaded to the TFTP server.
This example shows how to upload a configuration file from a switch to a TFTP server:
Switch# copy system:running-config tftp://172.16.2.155/tokyo-confg
Write file tokyo-confg on host 172.16.2.155? [confirm] y
#
Writing tokyo-confg!!! [OK]
The switch sends the first valid password it encounters in the following sequence:
1 The password specified in the copy command, if a password is specified.
2 The password set by the ip ftp password command, if the command is configured.
3 The switch forms a password username @switchname.domain . The variable username is the username
associated with the current session, switchname is the configured host name, and domain is the domain
of the switch.
The username and password must be associated with an account on the FTP server. If you are writing to the
server, the FTP server must be properly configured to accept the FTP write request from the user on the switch.
If the server has a directory structure, the configuration file or image is written to or copied from the directory
associated with the username on the server. For example, if the system image resides in the home directory
of a user on the server, specify that user name as the remote username.
Refer to the documentation for your FTP server for more information.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1615
Working with Configuration Files
Use the ip ftp username and ip ftp password global configuration commands to specify a username and
password for all copies. Include the username in the copy EXEC command if you want to specify a username
for that copy operation only.
For more information, see the documentation for your FTP server.
Procedure
Step 2 ip ftp username username (Optional) Change the default remote username.
Step 3 ip ftp password password (Optional) Change the default password.
Step 4 end Return to privileged EXEC mode.
Step 5 Do one of the following: Using FTP, copy the configuration file from a
network server to the running configuration or to
• copy system:running-config ftp: the startup configuration file.
[[[//[username [:password
]@]location]/directory ]/filename ]
• copy nvram:startup-config ftp:
[[[//[username [:password
]@]location]/directory ]/filename]
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1616
Working with Configuration Files
This example shows how to copy a configuration file named host1-confg from the netadmin1 directory on
the remote server with an IP address of 172.16.101.101 and to load and run those commands on the switch:
Switch# copy ftp://netadmin1:mypass@172.16.101.101/host1-confg system:running-config
Configure using host1-confg from 172.16.101.101? [confirm]
Connected to 172.16.101.101
Loading 1112 byte file host1-confg:![OK]
Switch#
%SYS-5-CONFIG: Configured from host1-config by ftp from 172.16.101.101
This example shows how to specify a remote username of netadmin1. The software copies the configuration
file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 to
the switch startup configuration.
Switch# configure terminal
Switch(config)# ip ftp username netadmin1
Switch(config)# ip ftp password mypass
Switch(config)# end
Switch# copy ftp: nvram:startup-config
Address of remote host [255.255.255.255]? 172.16.101.101
Name of configuration file[rtr2-confg]? host2-confg
Configure using host2-confg from 172.16.101.101?[confirm]
Connected to 172.16.101.101
Loading 1112 byte file host2-confg:![OK]
[OK]
Switch#
%SYS-5-CONFIG_NV:Non-volatile store configured from host2-config by ftp from 172.16.101.101
Procedure
Step 2 ip ftp username username (Optional) Change the default remote username.
Step 3 ip ftp password password (Optional) Change the default password.
Step 4 end Return to privileged EXEC mode.
Step 5 Do one of the following: Using FTP, store the switch running or startup
configuration file to the specified location.
• copy system:running-config ftp:
[[[//[username [:password
]@]location]/directory ]/filename ] or
• copy nvram:startup-config ftp:
[[[//[username [:password
]@]location]/directory ]/filename ]
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1617
Working with Configuration Files
This example shows how to copy the running configuration file named switch2-confg to the netadmin1
directory on the remote host with an IP address of 172.16.101.101:
Switch# copy system:running-config ftp://netadmin1:mypass@172.16.101.101/switch2-confg
Write file switch2-confg on host 172.16.101.101?[confirm]
Building configuration...[OK]
Connected to 172.16.101.101
Switch#
This example shows how to store a startup configuration file on a server by using FTP to copy the file:
Switch# configure terminal
Switch(config)# ip ftp username netadmin2
Switch(config)# ip ftp password mypass
Switch(config)# end
Switch# copy nvram:startup-config ftp:
Remote host[]? 172.16.101.101
Name of configuration file to write [switch2-confg]?
Write file switch2-confg on host 172.16.101.101?[confirm]
![OK]
For a successful RCP copy request, you must define an account on the network server for the remote username.
If the server has a directory structure, the configuration file is written to or copied from the directory associated
with the remote username on the server. For example, if the configuration file is in the home directory of a
user on the server, specify that user's name as the remote username.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1618
Working with Configuration Files
If the switch IP address translates to Switch1.company.com, the .rhosts file for User0 on the RCPserver should
contain this line:
Switch1.company.com Switch1
For more information, see the documentation for your RCP server.
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1619
Working with Configuration Files
This example shows how to copy a configuration file named host1-confg from the netadmin1 directory on
the remote server with an IP address of 172.16.101.101 and load and run those commands on the switch:
Switch# copy rcp://netadmin1@172.16.101.101/host1-confg system:running-config
Configure using host1-confg from 172.16.101.101? [confirm]
Connected to 172.16.101.101
Loading 1112 byte file host1-confg:![OK]
Switch#
%SYS-5-CONFIG: Configured from host1-config by rcp from 172.16.101.101
This example shows how to specify a remote username of netadmin1. Then it copies the configuration file
host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101to the
startup configuration:
Switch# configure terminal
Switch(config)# ip rcmd remote-username netadmin1
Switch(config)# end
Switch# copy rcp: nvram:startup-config
Address of remote host [255.255.255.255]? 172.16.101.101
Name of configuration file[rtr2-confg]? host2-confg
Configure using host2-confg from 172.16.101.101?[confirm]
Connected to 172.16.101.101
Loading 1112 byte file host2-confg:![OK]
[OK]
Switch#
%SYS-5-CONFIG_NV:Non-volatile store configured from host2-config by rcp from 172.16.101.101
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1620
Working with Configuration Files
This example shows how to copy the running configuration file named switch2-confg to the netadmin1
directory on the remote host with an IP address of 172.16.101.101:
Switch# copy system:running-config rcp://netadmin1@172.16.101.101/switch2-confg
Write file switch-confg on host 172.16.101.101?[confirm]
Building configuration...[OK]
Connected to 172.16.101.101
Switch#
This example shows how to store a startup configuration file on a server:
Switch# configure terminal
Switch(config)# ip rcmd remote-username netadmin2
Switch(config)# end
Switch# copy nvram:startup-config rcp:
Remote host[]? 172.16.101.101
Name of configuration file to write [switch2-confg]?
Write file switch2-confg on host 172.16.101.101?[confirm]
![OK]
Note You cannot restore the startup configuration file after it has been deleted.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1621
Replacing and Rolling Back Configurations
Configuration Archive
The Cisco IOS configuration archive is intended to provide a mechanism to store, organize, and manage an
archive of Cisco IOS configuration files to enhance the configuration rollback capability provided by the
configure replace command. Before this feature was introduced, you could save copies of the running
configuration using the copy running-config destination-url command, storing the replacement file either
locally or remotely. However, this method lacked any automated file management. On the other hand, the
Configuration Replace and Configuration Rollback feature provides the capability to automatically save copies
of the running configuration to the Cisco IOS configuration archive. These archived files serve as checkpoint
configuration references and can be used by the configure replace command to revert to previous configuration
states.
The archive config command allows you to save Cisco IOS configurations in the configuration archive using
a standard location and filename prefix that is automatically appended with an incremental version number
(and optional timestamp) as each consecutive file is saved. This functionality provides a means for consistent
identification of saved Cisco IOS configuration files. You can specify how many versions of the running
configuration are kept in the archive. After the maximum number of files are saved in the archive, the oldest
file is automatically deleted when the next, most recent file is saved. The show archive command displays
information for all configuration files saved in the Cisco IOS configuration archive.
The Cisco IOS configuration archive, in which the configuration files are stored and available for use with
the configure replace command, can be located on the following file systems: FTP, HTTP, RCP, TFTP.
Configuration Replace
The configure replace privileged EXEC command replaces the running configuration with any saved
configuration file. When you enter the configure replace command, the running configuration is compared
with the specified replacement configuration, and a set of configuration differences is generated. The resulting
differences are used to replace the configuration. The configuration replacement operation is usually completed
in no more than three passes. To prevent looping behavior no more than five passes are performed.
You can use the copy source-url running-config privileged EXEC command to copy a stored configuration
file to the running configuration. When using this command as an alternative to the configure replace target-url
privileged EXEC command, note these major differences:
• The copysource-urlrunning-config command is a merge operation and preserves all the commands
from both the source file and the running configuration. This command does not remove commands
from the running configuration that are not present in the source file. In contrast, the configure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1622
Replacing and Rolling Back Configurations
replacetarget-url command removes commands from the running configuration that are not present in
the replacement file and adds commands to the running configuration that are not present.
• You can use a partial configuration file as the source file for the copysource-urlrunning-config command.
You must use a complete configuration file as the replacement file for the configure replacetarget-url
command.
Configuration Rollback
You can also use the configure replace command to roll back changes that were made since the previous
configuration was saved. Instead of basing the rollback operation on a specific set of changes that were applied,
the configuration rollback capability reverts to a specific configuration based on a saved configuration file.
If you want the configuration rollback capability, you must first save the running configuration before making
any configuration changes. Then, after entering configuration changes, you can use that saved configuration
file to roll back the changes by using the configure replacetarget-url command.
You can specify any saved configuration file as the rollback configuration. You are not limited to a fixed
number of rollbacks, as is the case in some rollback models.
Configuration Guidelines
Follow these guidelines when configuring and performing configuration replacement and rollback:
• Make sure that the switch has free memory larger than the combined size of the two configuration files
(the running configuration and the saved replacement configuration). Otherwise, the configuration
replacement operation fails.
• Make sure that the switch also has sufficient free memory to execute the configuration replacement or
rollback configuration commands.
• Certain configuration commands, such as those pertaining to physical components of a networking
device (for example, physical interfaces), cannot be added or removed from the running configuration.
◦A configuration replacement operation cannot remove the interfaceinterface-id command line
from the running configuration if that interface is physically present on the device.
◦The interfaceinterface-id command line cannot be added to the running configuration if no such
interface is physically present on the device.
• When using the configure replace command, you must specify a saved configuration as the replacement
configuration file for the running configuration. The replacement file must be a complete configuration
generated by a Cisco IOS device (for example, a configuration generated by the copy
running-configdestination-url command).
Note If you generate the replacement configuration file externally, it must comply with the format of files
generated by Cisco IOS devices.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1623
Replacing and Rolling Back Configurations
Procedure
Step 4 maximumnumber (Optional) Set the maximum number of archive files of the running
configuration to be saved in the configuration archive .
number-Maximum files of the running configuration file in the
configuration archive. Valid values are from 1 to 14. The default
is 10.
Note Before using this command, you must first enter the path
archive configuration command to specify the location
and filename prefix for the files in the configuration
archive.
Step 5 time-period minutes (Optional) Set the time increment for automatically saving an
archive file of the running configuration in the configuration
archive.
minutes-Specify how often, in minutes, to automatically save an
archive file of the running configuration in the configuration
archive
Step 8 copy running-config (Optional) Save your entries in the configuration file.
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1624
Working with Software Images
Procedure
Step 5 configure replace Replace the running configuration file with a saved configuration file.
target-url [list] [force] target-url—URL (accessible by the file system) of the saved configuration
[time seconds] file that is to replace the running configuration, such as the configuration
[nolock] file created in Step 2 by using the archive config privileged EXEC
command
list —Display a list of the command entries applied by the software parser
during each pass of the configuration replacement operation. The total
number of passes also appears.
force —Replace the running configuration file with the specified saved
configuration file without prompting you for confirmation.
timeseconds—Specify the time (in seconds) within which you must enter
the configure confirm command to confirm replacement of the running
configuration file. If you do not enter the configure confirm command
within the specified time limit, the configuration replacement operation
is automatically stopped. (In other words, the running configuration file
is restored to the configuration that existed before you entered the
configure replace command).
Note You must first enable the configuration archive before you can
use the time seconds command line option.
nolock— Disable the locking of the running configuration file
that prevents other users from changing the running configuration
during a configuration replacement operation.
Step 6 configure confirm (Optional) Confirm replacement of the running configuration with a saved
configuration file.
Note Use this command only if the time seconds keyword and argument
of the configure replace command are specified.
Step 7 copy running-config (Optional) Save your entries in the configuration file.
startup-config
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1625
Working with Software Images
Note Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command, we
recommend using the archive download-sw and archive upload-sw privileged EXEC commands to
download and upload software image files. For switch stacks, the archive download-sw and archive
upload-sw privileged EXEC commands can only be used through the stack master. Software images
downloaded to the stack master are automatically downloaded to the rest of the stack members.
To upgrade a switch in the stack that has an incompatible software image, use the archive copy-sw
privileged EXEC command to copy the software image from an existing stack member to the incompatible
switch. That switch automatically reloads and joins the stack as a fully functioning member.
You can download a switch image file from a TFTP, FTP, or RCP server to upgrade the switch software. If
you do not have access to a TFTP server, you can download a software image file directly to your PC or
workstation by using a web browser (HTTP) and then by using the device manager or Cisco Network Assistant
to upgrade your switch. For information about upgrading your switch by using a TFTP server or a web browser
(HTTP), see the release notes.
You can replace the current image with the new one or keep the current image in flash memory after a
download.
You upload a switch image file to a TFTP, FTP, or RCP server for backup purposes. You can use this uploaded
image for future downloads to the same switch or to another of the same type.
The protocol that you use depends on which type of server you are using. The FTP and RCP transport
mechanisms provide faster performance and more reliable delivery of data than TFTP. These improvements
are possible because FTP and RCP are built on and use the TCP/IP stack, which is connection-oriented.
Note For a list of software images and the supported upgrade paths, see the release notes.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1626
Working with Software Images
• An info file, which serves as a table of contents for the tar file
• One or more subdirectories containing other images and files, such as Cisco IOS images and web
management files
This example shows some of the information contained in the info file. The table provides additional details
about this information:
system_type:0x00000000:image-name
image_family:xxxx
stacking_number:x
info_end:
version_suffix:xxxx
version_directory:image-name
image_system_type_id:0x00000000
image_name:image-nameB.bin
ios_image_file_size:6398464
total_image_file_size:8133632
image_feature:IP|LAYER_3|PLUS|MIN_DRAM_MEG=128
image_family:xxxx
stacking_number:x
board_ids:0x401100c4 0x00000000 0x00000001 0x00000003 0x00000002 0x00008000 0x00008002
0x40110000
info_end
Field Description
version_suffix Specifies the Cisco IOS image version string suffix
image_name Specifies the name of the Cisco IOS image within the
tar file
ios_image_file_size Specifies the Cisco IOS image size in the tar file,
which is an approximate measure of how much flash
memory is required to hold just the Cisco IOS image
total_image_file_size Specifies the size of all the images (the Cisco IOS
image and the web management files) in the tar file,
which is an approximate measure of how much flash
memory is required to hold them
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1627
Copying Image Files Using TFTP
Note Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command, we
recommend using the archive download-sw and archive upload-sw privileged EXEC commands to
download and upload software image files. For switch stacks, the archive download-sw and archive
upload-sw privileged EXEC commands can only be used through the stack master. Software images
downloaded to the stack master are automatically downloaded to the rest of the stack members.
To upgrade a switch with an incompatible software image, use the archive copy-sw privileged EXEC
command to copy the software image from an existing stack member to the incompatible switch. That
switch automatically reloads and joins the stack as a fully functioning member.
Note You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services
files. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot
command (on the SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x). For
more information on the TFTP daemon, see the documentation for your workstation.
• Ensure that the switch has a route to the TFTP server. The switch and the TFTP server must be in the
same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the
TFTP server by using the ping command.
• Ensure that the image to be downloaded is in the correct directory on the TFTP server (usually /tftpboot
on a UNIX workstation).
• For download operations, ensure that the permissions on the file are set correctly. The permission on
the file should be world-read.
• Before uploading the image file, you might need to create an empty file on the TFTP server. To create
an empty file, enter the touch filename command, where filename is the name of the file you will use
when uploading the image to the server.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1628
Copying Image Files Using TFTP
• During upload operations, if you are overwriting an existing file (including an empty file, if you had to
create one) on the server, ensure that the permissions on the file are set correctly. Permissions on the
file should be world-write.
Procedure
Step 2 Log into the switch through the console port or a Telnet
session.
Step 3 archive download-sw/overwrite/reload Download the image file from the TFTP server to the
tftp:[[//location]/directory]/image-name.tar switch, and overwrite the current image.
• The /overwrite option overwrites the software
image in flash memory with the downloaded image.
• The /reload option reloads the system after
downloading the image unless the configuration has
been changed and not been saved.
• For // location , specify the IP address of the TFTP
server.
• For /directory/image-name.tar specify the directory
(optional) and the image to download. Directory
and image names are case sensitive.
Step 4 archive download-sw/leave-old-sw/reload Download the image file from the TFTP server to the
tftp:[[//location]/directory]/image-name.tar switch, and keep the current image.
• The /leave-old-sw option keeps the old software
version after a download.
• The /reload option reloads the system after
downloading the image unless the configuration has
been changed and not been saved.
• For //location, specify the IP address of the TFTP
server.
• For /directory/image-name.tar specify the directory
(optional) and the image to download. Directory
and image names are case sensitive.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1629
Copying Image Files Using TFTP
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1630
Copying Image Files Using FTP
Procedure
Step 2 Log into the switch through the console port or a Telnet session.
Step 3 archive upload-sw Upload the currently running switch image to the TFTP server.
tftp:[[// location
]/directory • For // location , specify the IP address of the TFTP server.
]/image-name .tar • For /directory/image-name.tar specify the directory (optional) and
the name of the software image to be uploaded. Directory and image
names are case sensitive. The image-name.tar is the name of the
software image to be stored on the server.
The archive upload-sw privileged EXEC command builds an image
file on the server by uploading these files in order: info, the Cisco
IOS image, and the web management files. After these files are
uploaded, the upload algorithm creates the tar file format.
Note Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command, we
recommend using the archive download-sw and archive upload-sw privileged EXEC commands to
download and upload software image files. For switch stacks, the archive download-sw and archive
upload-sw privileged EXEC commands can only be used through the stack master. Software images
downloaded to the stack master are automatically downloaded to the rest of the stack members.
To upgrade a switch with an incompatible software image, use the archive copy-sw privileged EXEC command
to copy the software image from an existing stack member to the incompatible switch. That switch automatically
reloads and joins the stack as a fully functioning member.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1631
Copying Image Files Using FTP
The FTP protocol requires a client to send a remote username and password on each FTP request to a server.
When you copy an image file from the switch to a server by using FTP, the Cisco IOS software sends the first
valid username in this list:
• The username specified in the archive download-sw or archive upload-sw privileged EXEC command
if a username is specified.
• The username set by the ip ftp username username global configuration command if the command is
configured.
• Anonymous.
The username and password must be associated with an account on the FTP server. If you are writing to the
server, the FTP server must be properly configured to accept the FTP write request from you.
Use the ip ftp username and ip ftp password commands to specify a username and password for all copies.
Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you
want to specify a username only for that operation.
If the server has a directory structure, the image file is written to or copied from the directory associated with
the username on the server. For example, if the image file resides in the home directory of a user on the server,
specify that user's name as the remote username.
Before you begin downloading or uploading an image file by using FTP, do these tasks:
• Ensure that the switch has a route to the FTP server. The switch and the FTP server must be in the same
subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the FTP
server by using the ping command.
• If you are accessing the switch through the console or a Telnet session and you do not have a valid
username, make sure that the current FTP username is the one that you want to use for the FTP download.
You can enter the show users privileged EXEC command to view the valid username. If you do not
want to use this username, create a new FTP username by using the ip ftp username username global
configuration command. This new name will be used during all archive operations. The new username
is stored in NVRAM. If you are accessing the switch through a Telnet session and you have a valid
username, this username is used, and you do not need to set the FTP username. Include the username
in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify
a username for that operation only.
• When you upload an image file to the FTP server, it must be properly configured to accept the write
request from the user on the switch.
For more information, see the documentation for your FTP server.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1632
Copying Image Files Using FTP
Procedure
Step 7 archive download-sw /overwrite/reload Download the image file from the
ftp:[[//username[:password]@location]/directory]/image-name.tar FTP server to the switch, and
overwrite the current image.
• The /overwrite option
overwrites the software
image in flash memory with
the downloaded image.
• The /reload option reloads
the system after
downloading the image
unless the configuration has
been changed and not been
saved.
• For //username
[:password]specify the
username and password;
these must be associated
with an account on the FTP
server.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1633
Copying Image Files Using FTP
Step 8 archive download-sw /leave-old-sw/reload Download the image file from the
ftp:[[//username[:password]@location]/directory]/image-name.tar FTP server to the switch, and
keep the current image.
• The /leave-old-sw option
keeps the old software
version after a download.
• The /reload option reloads
the system after
downloading the image
unless the configuration has
been changed and not been
saved.
• For //username
[:password]specify the
username and password;
these must be associated
with an account on the FTP
server.
• For @ location, specify the
IP address of the FTP
server.
• For
directory/image-name.tar,
specify the directory
(optional) and the image to
download. Directory and
image names are case
sensitive.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1634
Copying Image Files Using FTP
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1635
Copying Image Files Using FTP
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1636
Copying Image Files Using RCP
Note Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command, we
recommend using the archive download-sw and archive upload-sw privileged EXEC commands to
download and upload software image files. For switch stacks, the archive download-sw and archive
upload-sw privileged EXEC commands can only be used through the stack master. Software images
downloaded to the stack master are automatically downloaded to the rest of the stack members. To upgrade
a switch with an incompatible software image, use the archive copy-sw privileged EXEC command to
copy the software image from an existing stack member to the incompatible switch. That switch
automatically reloads and joins the stack as a fully functioning member.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1637
Copying Image Files Using RCP
For the RCP copy request to execute successfully, an account must be defined on the network server for the
remote username. If the server has a directory structure, the image file is written to or copied from the directory
associated with the remote username on the server. For example, if the image file resides in the home directory
of a user on the server, specify that user's name as the remote username.
Before you begin downloading or uploading an image file by using RCP, do these tasks:
• Ensure that the workstation acting as the RCP server supports the remote shell (rsh).
• Ensure that the switch has a route to the RCP server. The switch and the server must be in the same
subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the RCP
server by using the ping command.
• If you are accessing the switch through the console or a Telnet session and you do not have a valid
username, make sure that the current RCP username is the one that you want to use for the RCP download.
You can enter the show users privileged EXEC command to view the valid username. If you do not
want to use this username, create a new RCP username by using the ip rcmd remote-usernameusername
global configuration command to be used during all archive operations. The new username is stored in
NVRAM. If you are accessing the switch through a Telnet session and you have a valid username, this
username is used, and there is no need to set the RCP username. Include the username in the archive
download-sw or archive upload-sw privileged EXEC command if you want to specify a username only
for that operation.
• When you upload an image to the RCP to the server, it must be properly configured to accept the RCP
write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file
for the remote user on the RCP server.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1638
Copying Image Files Using RCP
Procedure
Step 6 archive download-sw /overwrite/reload Download the image file from the RCP
rcp:[[[//username@]/location]/directory]/image-name.tar server to the switch, and overwrite the
current image.
• The /overwrite option overwrites the
software image in flash memory with
the downloaded image.
• The /reload option reloads the
system after downloading the image
unless the configuration has been
changed and not been saved.
• For //username specify the username.
For the RCP copy request to execute
successfully, an account must be
defined on the network server for the
remote username.
• For @ location, specify the IP
address of theRCP server.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1639
Copying Image Files Using RCP
Step 7 archive download-sw /leave-old-sw/reload Download the image file from the FTP
rcp:[[[//[username@]location]/directory]/image-name.tar server to the switch, and keep the current
image.
• The /leave-old-sw option keeps the
old software version after a
download.
• The /reload option reloads the
system after downloading the image
unless the configuration has been
changed and not been saved.
• For //usernamespecify the username.
For the RCP copy request to execute,
an account must be defined on the
network server for the remote
username.
• For @ location, specify the IP
address of the RCP server.
• For /directory]/image-name.tar,
specify the directory (optional) and
the image to download. Directory and
image names are case sensitive.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1640
Copying Image Files Using RCP
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1641
Copying an Image File from One Stack Member to Another
Note To successfully use the archive copy-sw privileged EXEC command, you must have downloaded from
a TFTP server the images for both the stack member switch being added and the stack master. You use
the archive download-sw privileged EXEC command to perform the download.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1642
Copying an Image File from One Stack Member to Another
Beginning in privileged EXEC mode from the stack member that you want to upgrade, follow these steps to
copy the running image file from the flash memory of a different stack member:
Procedure
Step 2 reload slotstack-member-number Reset the updated stack member, and put this configuration
change into effect.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1643
Copying an Image File from One Stack Member to Another
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1644
PART XV
Embedded Event Manager
• Embedded Event Manager Overview, page 1647
• Information About Writing EEM Policies Using the Cisco IOS CLI, page 1671
• Writing Embedded Event Manager Policies Using Tcl, page 1743
• Signed Tcl Scripts, page 1801
• EEM CLI Library Command Extensions, page 1825
• EEM Context Library Command Extensions, page 1837
• EEM Event Registration Tcl Command Extensions, page 1845
• EEM Event Tcl Command Extensions, page 1953
• EEM Library Debug Command Extensions, page 1961
• EEM Multiple Event Support Tcl Command Extensions, page 1963
• EEM SMTP Library Command Extensions, page 1967
• EEM System Information Tcl Command Extensions, page 1971
• EEM Utility Tcl Command Extensions, page 1985
CHAPTER 73
Embedded Event Manager Overview
Embedded Event Manager (EEM) is a distributed and customized approach to event detection and recovery
offered directly in a Cisco IOS device. EEM offers the ability to monitor events and take informational,
corrective, or any desired EEM action when the monitored events occur or when a threshold is reached. An
EEM policy is an entity that defines an event and the actions to be taken when that event occurs.
This module contains a technical overview of EEM. EEM can be used alone, or with other network
management technologies to help monitor and maintain your network. Before you begin to implement EEM,
it is important that you understand the information presented in this module.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1647
Information About Embedded Event Manager
management can be done off device because some problems compromise communication between the device
and the external network management device. Capturing the state of the device during such situations can be
invaluable in taking immediate recovery actions and gathering information to perform root-cause analysis.
Network availability is also improved if automatic recovery actions are performed without the need to fully
reboot the routing device.
EEM is a flexible, policy-driven framework that supports in-box monitoring of different components of the
system with the help of software agents known as event detectors. The figure below shows the relationship
between the EEM server, core event publishers (event detectors), and the event subscribers (policies). Basically,
event publishers screen events and publish them when there is a match on an event specification that is provided
by the event subscriber. Event detectors notify the EEM server when an event of interest occurs. The EEM
policies that are configured using the Cisco command-line interface (CLI) then implement recovery on the
basis of the current state of the system and the actions specified in the policy for the given event.
EEM offers the ability to monitor events and take informational or corrective action when the monitored
events occur or when a threshold is reached. An EEM policy is an entity that defines an event and the actions
to be taken when that event occurs. There are two types of EEM policies: an applet or a script. An applet is
a simple form of policy that is defined within the CLI configuration. A script is a form of policy that is written
in Tool Command Language (Tcl).
Note If your network has a higher version of EEM, that version would include the previous releases of EEM
version as well.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1648
Information About Embedded Event Manager
The ability to run a Cisco defined sample policy written using Tool Command Language (Tcl) was introduced.
A sample policy was provided that could be stored in the system policy directory.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1649
Information About Embedded Event Manager
• CLI—The CLI event detector screens command-line interface (CLI) commands for a regular expression
match.
• None—The none event detector publishes an event when the Cisco IOS event manager run command
executes an EEM policy.
• OIR—The online insertion and removal (OIR) event detector publishes an event when a particular
hardware insertion or removal event occurs.
EEM 2.1 also permits multiple concurrent policies to be run using the new event manager scheduler script
command. Support for SNMP event detector rate-based events is provided as is the ability to create policies
using Tool Command Language (Tcl).
EEM 2.1 for Software Modularity introduced the ability to display EEM reliability metric data for processes.
Note EEM 2.1 for Software Modularity images also supports the resource and RF event detectors introduced
in EEM 2.2, but it does not support the enhanced object tracking event detector or the actions to read and
set tracked objects.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1650
Information About Embedded Event Manager
• Resource—The resource event detector publishes an event when the Embedded Resource Manager
(ERM) reports an event for the specified policy.
• RF—The redundancy framework (RF) event detector publishes an event when one or more RF events
occur during synchronization in a dual Route Processor (RP) system. The RF event detector can also
detect an event when a dual RP system continuously switches from one RP to another RP (referred to
as a ping-pong situation).
• The following test-specific GOLD Event Detector information can be accessed through new read-only
EEM built-in environment variables (available to EEM applets only):
• Test name, attribute, total run count
• Test result per test, port, or device
• Total failure count, last fail time
• Error code
• Occurrence of consecutive failures
These enhancements result in reduced mean time to recovery (MTTR) and higher availability through improved
automation and fault detection.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1651
Information About Embedded Event Manager
• SNMP Notification—The SNMP notification event detector provides the ability to intercept SNMP trap
and inform messages coming into the device. An SNMP notification event is generated when an incoming
SNMP trap or inform message matches specified values or crosses specified thresholds.
• RPC—The remote procedure call (RPC) event detector provides the ability to invoke EEM policies from
outside the device over an encrypted connection using Secure Shell (SSH). The RPC event detector uses
Simple Object Access Protocol (SOAP) data encoding for exchanging XML-based messages. This event
detector can be used to run EEM policies and then receive output in a SOAP XML-formatted reply.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1652
Information About Embedded Event Manager
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1653
Information About Embedded Event Manager
show event manager policy available command and the show event manager policy registered
command have been enhanced to add the description keyword to display the description of the registered
applet.
• Enables EEM policies to bypass AAA authorization--The event manager application command has
been enhanced to provide authorization and bypass keywords to disable AAA.
• Introduces CLI Library enhancements--Provides two new commands in the CLI library: cli_run and
cli_run_interactive.
• Identity--Identity event detector generates an event when AAA authorization and authentication is
successful, when failure occurs, or after normal user traffic on the port is allowed to flow.
• Mac-Address-Table--Mac-Address-Table event detector generates an event when a MAC address is
learned in the MAC address table.
Note The Mac-Address-Table event detector is supported only on switch platforms and can be used only on
Layer 2 interfaces where MAC addresses are learned. Layer 3 interfaces do not learn addresses and devices
do not usually support the mac-address-table infrastructure needed to notify EEM of a learned MAC
address.
EEM 3.2 also introduces new CLI commands to support the applets to work with the new event detectors.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1654
Information About Embedded Event Manager
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1655
Information About Embedded Event Manager
event detector is available. The event detectors shown in the table are supported in later releases of the same
Cisco IOS release train. For more details on each event detector, see the Event Detectors concept in the
“Embedded Event Manager Overview” module.
Event 12.2(25)S 12.3(14)T 12.4(2)T 12.2(18)SXF4 12.2(33)SXH 12.4(20)T 12.4(22)T 15.0(1)M 15.1(2)SY 15 E
Detector 12.2(18)SXF5 12.2(31)SB3 Cisco 12.2(33)SXI 12.2(33)SRE 15.1(3)T XE 3E
12.2(28)SB 12.2(33)SRB IOS
12.2(33)SRA Software
Modularity
Application-Specific Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Counter Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Environmental -- -- -- -- -- -- -- -- -- Yes
Interface Yes Yes Yes Yes Yes Yes Yes Yes -- Yes
Counter
NF -- -- -- -- -- -- Yes Yes -- --
None -- Yes Yes Yes Yes Yes Yes Yes Yes Yes
OIR -- Yes Yes Yes Yes Yes Yes Yes Yes Yes
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1656
Information About Embedded Event Manager
Event 12.2(25)S 12.3(14)T 12.4(2)T 12.2(18)SXF4 12.2(33)SXH 12.4(20)T 12.4(22)T 15.0(1)M 15.1(2)SY 15 E
Detector 12.2(18)SXF5 12.2(31)SB3 Cisco 12.2(33)SXI 12.2(33)SRE 15.1(3)T XE 3E
12.2(28)SB 12.2(33)SRB IOS
12.2(33)SRA Software
Modularity
Routing -- -- -- -- -- -- Yes Yes -- Yes
SNMP Yes Yes Yes Yes Yes Yes Yes Yes -- Yes
SNMP -- -- -- -- -- -- -- -- Yes --
Proxy
Syslog Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Timer Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
IOSWDSysMon Yes Yes Yes Yes Yes Yes Yes Yes -- Yes
(Cisco
IOS
watchdog)
WDSysMon -- -- -- Yes -- -- -- -- --
(Cisco
IOS
Software
Modularity
watchdog)
Event Detectors
Embedded Event Manager (EEM) uses software programs known as event detectors to determine when an
EEM event occurs. Event detectors are separate systems that provide an interface between the agent being
monitored, for example Simple Network Management Protocol (SNMP), and the EEM policies where an
action can be implemented. Some event detectors are available on every Cisco IOS release, but most event
detectors have been introduced in a specific release. For details of which event detector is supported in each
Cisco IOS release, see the EEM Event Detectors Available by Cisco IOS Release concept in the “Writing
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1657
Information About Embedded Event Manager
Embedded Event Manager Policies Using the Cisco IOS CLI” or the “Writing Embedded Event Manager
Policies Using Tcl” modules. EEM contains the following event detectors.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1658
Information About Embedded Event Manager
Object tracking was enhanced to provide complete separation between the objects to be tracked and the action
to be taken by a client when a tracked object changes. Thus, several clients such as HSRP, VRRP, or GLBP
can register their interest with the tracking process, track the same object, and each take different action when
the object changes. Each tracked object is identified by a unique number that is specified on the tracking
command-line interface (CLI). Client processes use this number to track a specific object. The tracking process
periodically polls the tracked objects and notes any change of value. The changes in the tracked object are
communicated to interested client processes, either immediately or after a specified delay. The object values
are reported as either up or down.
Enhanced object tracking is now integrated with EEM to allow EEM to report on a status change of a tracked
object and to allow enhanced object tracking to track EEM objects. A new type of tracking object--a stub
object--is created. The stub object can be manipulated using the existing CLI commands that already allow
tracked objects to be manipulated.
Route Processors (RPs), line cards, or feature cards can be monitored for OIR events.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1659
Information About Embedded Event Manager
RF Event Detector
The redundancy framework (RF) event detector publishes an event when one or more RF events occur during
synchronization in a dual Route Processor (RP) system. The RF event detector can also detect an event when
a dual RP system continuously switches from one RP to another RP (referred to as a ping-pong situation).
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1660
Information About Embedded Event Manager
Note Cisco IOS processes are now referred to as tasks to distinguish them from Cisco IOS Software Modularity
processes.
Two events may be monitored at the same time, and the event publishing criteria can be specified to require
one event or both events to cross their specified thresholds.
Watchdog System Monitor (WDSysMon) Event Detector for Cisco IOS Software Modularity
The Cisco IOS Software Modularity watchdog system monitor event detector detects infinite loops, deadlocks,
and memory leaks in Cisco IOS Software Modularity processes.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1661
Information About Embedded Event Manager
Action 12.2(25)S 12.3(14)T 12.4(2)T 12.2(18)SXF4 12.2(33)SXH 12.4(20)T 12.4(22)T 15.0(1)M 15E
12.2(18)SXF5 12.2(31)SB3 Cisco IOS XE 3E
12.2(28)SB 12.2(33)SRB Software
12.2(33)SRA Modularity
Execute a -- Yes Yes Yes Yes Yes Yes Yes Yes
CLI
command
Generate a Yes Yes Yes Yes Yes Yes Yes Yes Yes
CNS event
Generate a Yes Yes Yes Yes Yes Yes Yes Yes Yes
prioritized
syslog
message
Generate Yes Yes Yes Yes Yes Yes Yes Yes Yes
an SNMP
trap
Publish an Yes Yes Yes Yes Yes Yes Yes Yes Yes
application-specific
event
Reload the Yes Yes Yes Yes Yes Yes Yes Yes Yes
Cisco
software
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1662
Information About Embedded Event Manager
Action 12.2(25)S 12.3(14)T 12.4(2)T 12.2(18)SXF4 12.2(33)SXH 12.4(20)T 12.4(22)T 15.0(1)M 15E
12.2(18)SXF5 12.2(31)SB3 Cisco IOS XE 3E
12.2(28)SB 12.2(33)SRB Software
12.2(33)SRA Modularity
Set or Yes Yes Yes Yes Yes Yes Yes Yes Yes
modify a
named
counter
Switch to a Yes Yes Yes Yes Yes Yes Yes Yes Yes
secondary
RP
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1663
Information About Embedded Event Manager
EEM action CLI commands contain an EEM action label that is a unique identifier that can be any string
value. Actions are sorted and run in ascending alphanumeric (lexicographical) key sequence using the label
as the sort key. If you are using numbers as labels be aware that alphanumerical sorting will sort 10.0 after
1.0, but before 2.0, and in this situation we recommend that you use numbers such as 01.0, 02.0, and so on,
or use an initial letter followed by numbers.
Cisco-defined environment variables (see the table below) and Cisco system-defined environment variables
may apply to one specific event detector or to all event detectors. Environment variables that are user-defined
or defined by Cisco in a sample policy are set using the event manager environment command. Variables
that are used in the EEM policy must be defined before you register the policy. A Tcl policy contains a section
called “Environment Must Define” that can be defined to check that any required environment variables are
defined before the policy runs.
Cisco built-in environment variables are a subset of the Cisco-defined environment variables and the built-in
variables are available to EEM applets only. The built-in variables can be read-only or can be read and write,
and these variables may apply to one specific event detector or to all event detectors. For more details and a
table listing the Cisco system-defined variables, see the ““Writing Embedded Event Manager Policies Using
the Cisco IOS CLI” module.
Note Cisco-defined environment variables begin with an underscore character (_). We strongly recommend
that customers avoid the same naming convention to prevent naming conflicts.
The table below describes the Cisco-defined variables used in the sample EEM policies. Some of the
environment variables do not have to be specified for the corresponding sample policy to run and these are
marked as optional.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1664
Information About Embedded Event Manager
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1665
Information About Embedded Event Manager
There are two ways to create an EEM policy. The first method is to write applets using CLI commands, and
the second method is to write Tcl scripts. Cisco provides enhancements to Tcl in the form of Tcl command
extensions that facilitate the development of EEM policies. Scripts are defined off the networking device
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1666
Where to Go Next
using an ASCII editor. The script is then copied to the networking device and registered with EEM. When a
policy is registered with the Embedded Event Manager, the software examines the policy and registers it to
be run when the specified event occurs. Policies can be unregistered or suspended. Both types of policies can
be used to implement EEM in your network.
For details on writing EEM policies using the Cisco IOS CLI, go to “Writing Embedded Event Manager
Policies Using the Cisco IOS CLI” module.
For details on writing EEM policies using Tcl, go to “Writing Embedded Event Manager Policies Using Tcl”
module.
Where to Go Next
• If you want to write EEM policies using the Cisco IOS CLI, see the “Writing Embedded Event Manager
Policies Using the Cisco IOS CLI” module.
• If you want to write EEM policies using Tcl, see the “Writing Embedded Event Manager Policies Using
Tcl” module.
Table 164: Feature Information for Embedded Event Manager 4.0 Overview
Additional References
The following sections provide references related to EEM.
Related Documents
EEM commands: complete command syntax, defaults, Cisco IOS Embedded Event Manager Command
command mode, command history, usage guidelines, Reference
and examples
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1667
Additional References
Embedded Event Manager policy writing using Tcl Writing Embedded Event Manager Policies Using
Tcl module
Standards
Standard Title
No new or modified standards are supported, and --
support for existing standards has not been modified.
MIBs
RFCs
RFC Title
No new or modified RFCs are supported, and support --
for existing RFCs has not been modified.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1668
Additional References
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/cisco/web/support/index.html
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1669
Additional References
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1670
CHAPTER 74
Information About Writing EEM Policies Using
the Cisco IOS CLI
• Finding Feature Information, page 1671
• Prerequisites for Writing EEM Policies Using the Cisco IOS CLI, page 1671
• Information About Writing EEM Policies Using the Cisco IOS CLI, page 1672
• How to Write EEM Policies Using the Cisco IOS CLI, page 1684
• Configuration Examples for Writing Embedded Event Manager Policies Using Tcl, page 1725
• Additional References, page 1740
• Feature Information for Writing EEM 4.0 Policies Using the Cisco IOS CLI, page 1741
Prerequisites for Writing EEM Policies Using the Cisco IOS CLI
• Before writing EEM policies, you should be familiar with the concepts explained in the “Embedded
Event Manager Overview” module.
• If the action cns-event command is used, access to a Cisco Networking Services (CNS) Event gateway
must be configured.
• If the action force-switchover command is used, a secondary processor must be configured on the
device.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1671
Information About Writing EEM Policies Using the Cisco IOS CLI
• If the action snmp-trap command is used, the snmp-server enable traps event-manager command
must be enabled to permit SNMP traps to be sent from the Cisco IOS device to the SNMP server. Other
relevant snmp-server commands must also be configured; for details see the action snmp-trap command
page.
Information About Writing EEM Policies Using the Cisco IOS CLI
EEM Applet
An EEM applet is a concise method for defining event screening criteria and the actions to be taken when
that event occurs. In applet configuration mode, three types of configuration statements are supported. The
event commands are used to specify the event criteria to trigger the applet to run, the action commands are
used to specify an action to perform when the EEM applet is triggered, and the set command is used to set
the value of an EEM applet variable. Currently only the _exit_status variable is supported for the set command.
Only one event configuration command is allowed within an applet configuration. When applet configuration
mode is exited and no event command is present, a warning is displayed stating that no event is associated
with this applet. If no event is specified, this applet is not considered registered. When no action is associated
with this applet, events are still triggered but no actions are performed. Multiple action configuration commands
are allowed within an applet configuration. Use the show event manager policy registered command to
display a list of registered applets.
Before modifying an EEM applet, be aware that the existing applet is not replaced until you exit applet
configuration mode. While you are in applet configuration mode modifying the applet, the existing applet
may be executing. It is safe to modify the applet without unregistering it. When you exit applet configuration
mode, the old applet is unregistered and the new version is registered.
The action configuration commands are uniquely identified using the label argument, which can be any string
value. Actions are sorted in ascending alphanumeric key sequence using the label argument as the sort key,
and they are run using this sequence.
The Embedded Event Manager schedules and runs policies on the basis of an event specification that is
contained within the policy itself. When applet configuration mode is exited, EEM examines the event and
action commands that are entered and registers the applet to be run when a specified event occurs.
EEM Script
Scripts are defined off the networking device using an ASCII editor. The script is then copied to the networking
device and registered with EEM. Tcl scripts are supported by EEM.
EEM allows you to write and implement your own policies using Tcl. Writing an EEM policy involves:
• Selecting the event for which the policy is run.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1672
Information About Writing EEM Policies Using the Cisco IOS CLI
• Defining the event detector options associated with logging and responding to the event.
• Choosing the actions to be followed when the event occurs.
Cisco provides enhancements to Tcl in the form of keyword extensions that facilitate the development of
EEM policies. The main categories of keywords identify the detected event, the subsequent action, utility
information, counter values, and system information. For more details about writing EEM policies using Tcl,
see the “Writing Embedded Event Manager Policies Using Tcl” module.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1673
Information About Writing EEM Policies Using the Cisco IOS CLI
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1674
Information About Writing EEM Policies Using the Cisco IOS CLI
_gold_ec testnum Test error code, where testnum is the test number. For
example, _gold_ec3 is the EEM built-in environment
variable for the error code of test 3.
_gold_lf testnum Last fail time, where testnum is the test number. For
example, _gold_lf3 is the EEM built-in variable for
the last fail time of test 3.
The time-stamp format is mmm dd yyyy hh:mm:ss.
For example, Mar 11 2005 08:47:00.
_gold_rc testnum Test total run count, where testnum is the test number.
For example, _gold_rc3 is the EEM built-in variable
for the total run count of test 3.
_gold_ta testnum Test attribute, where testnum is the test number. For
example, _gold_ta3 is the EEM built-in variable for
the test attribute of test 3.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1675
Information About Writing EEM Policies Using the Cisco IOS CLI
_gold_tn testnum Test name, where testnum is the test number. For
example, _gold_tn3 is the EEM built-in variable for
the name of test 3.
_gold_tr testnum Test result, where testnum is the test number. For
example, _gold_tr6 is the EEM built-in variable for
test 6, where test 6 is not a per-port test and not a
per-device test.
The test result is one of the following values:
• P: diagnostic result Pass
• F: diagnostic result Fail
• U: diagnostic result Unknown
_gold_tr testnum d devnum Per-device test result, where testnum is the test
number and devnum is the device number. For
example, _gold_tr3d20 is the EEM built-in variable
for the test result for test 3, device 20.
The test result is one of the following values:
• P: diagnostic result Pass
• F: diagnostic result Fail
• U: diagnostic result Unknown
_gold_tr testnum p portnum Per-port test result, where testnum is the test number
and portnum is the port number. For example,
_gold_tr5p20 is the EEM built-in variable for the
test result for test 5, port 20.
The test result is one of the following values:
• P: diagnostic result Pass
• F: diagnostic result Fail
• U: diagnostic result Unknown
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1676
Information About Writing EEM Policies Using the Cisco IOS CLI
_none_argc The parameters that are passed from the XML SOAP
command to the script.
_none_arg1
_none_arg2
_none_arg3
_none_arg4
_none_arg5
_none_arg6
_none_arg7
_none_arg8
_none_arg9
_none_arg10
_none_arg11
_none_arg12
_none_arg13
_none_arg14
_none_arg15
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1677
Information About Writing EEM Policies Using the Cisco IOS CLI
_resource_level The ERM event level. The four event levels are
normal, minor, major, and critical.
RF Event Detector
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1678
Information About Writing EEM Policies Using the Cisco IOS CLI
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1679
Information About Writing EEM Policies Using the Cisco IOS CLI
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1680
Information About Writing EEM Policies Using the Cisco IOS CLI
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1681
Information About Writing EEM Policies Using the Cisco IOS CLI
_wd_sub1_node _wd_sub2_node The slot number for the subevent RP reporting node.
_wd_sub1_node _wd_sub2_node The slot number for the subevent RP reporting node.
_wd_sub1_entry_ [1-N]_b_node The slot number for the subevent RP reporting node.
_wd_sub2_entry_[1-N]_b_node
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1682
Information About Writing EEM Policies Using the Cisco IOS CLI
_wd_sub1_entry_ [1-N]_node The slot number for the subevent RP reporting node.
_wd_sub2_entry_[1-N]_node
_wd_sub1_node _wd_sub2_node The slot number for the subevent RP reporting node.
_wd_sub1_node _wd_sub2_node The slot number for the subevent RP reporting node.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1683
How to Write EEM Policies Using the Cisco IOS CLI
_wd_sub1_node _wd_sub2_node The slot number for the subevent RP reporting node.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1684
How to Write EEM Policies Using the Cisco IOS CLI
The SNMP event detector and the syslog action commands used in this task are just representing any event
detector and action commands. For examples using other event detectors and action commands, see the
Embedded Event Manager Applet Configuration Examples, on page 1725.
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1685
How to Write EEM Policies Using the Cisco IOS CLI
Step 2 show event manager environment [all| (Optional) Displays the name and value of EEM
variable-name] environment variables.
• The optional all keyword displays all the EEM
Example: environment variables.
Device# show event manager
environment all • The optional variable-nameargument displays
information about the specified environment
variable.
Example:
Device# configure terminal
Step 4 event manager environment Configures the value of the specified EEM environment
variable-name string variable.
• In this example, the environment variable that holds
Example: the e-mail address to which e-mail is sent is set to
Device(config)# event manager engineering@example.com.
environment _email_to
engineering@example.com
Step 5 Repeat Alphabetical Order of EEM Action Repeat Alphabetical Order of EEM Action Labels to
Labels for all the required environment configure all the environment variables required by the
variables. policy to be registered in Alphabetical Order of EEM
Action Labels.
Step 6 event manager applet applet-name Registers the applet with the Embedded Event Manager
(EEM) and enters applet configuration mode.
Example:
Device(config)# event manager applet
memory-fail
Step 7 Do one of the following: Specifies the event criteria that cause the EEM applet to
run.
• event snmp oid oid-value get-type
{exact| next} entry-op operator • In this example, an EEM event is triggered when
entry-val entry-value[exit-comb| free memory falls below the value of 5120000.
and}] [exit-op operator] [exit-val
• Exit criteria are optional, and if not specified, event
exit-value] [exit-time
monitoring is reenabled immediately.
exit-time-value] poll-interval
poll-int-value
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1686
How to Write EEM Policies Using the Cisco IOS CLI
Example:
Device(config-applet)# event snmp
oid 1.3.6.1.4.1.9.9.48.1.1.1.6.1
get-type exact entry-op lt entry-val
5120000 poll-interval 90
Step 8 action label cli command cli-string Specifies the action of executing a Cisco IOS CLI
[pattern pattern-string] command when an EEM applet is triggered.
The pattern keyword is optional and is used only when
Example: the command string solicits input. The action
Device(config-applet)# action 1.0 clicommand ends when the solicited prompt as specified
cli command "enable" in the optional pattern keyword is received. You are
required to specify a regular expression pattern that will
match the next solicited prompt. Specification of an
Example:
incorrect pattern will cause the action cli command to
Device(config-applet)# action 2.0 wait forever until the applet execution times out due to
cli command "clear counters the maxrun timer expiration.
Ethernet0/1" pattern "confirm"
• The action taken is to specify an EEM applet to
Example: run when the pattern keyword specifies the
confirm argument for the clear counters
Device(config-applet)# action 3.0 Ethernet0/1 command. In this case the command
cli command "y"
string solicits input, such as “confirm,” which has
to be completed with a “yes” or a “no” input.
Step 9 action label syslog [priority Specifies the action to be taken when an EEM applet is
priority-level] msg msg-text facility string triggered.
In this example, the action taken is to write a message
Example: to syslog.
Device(config-applet)# action 1.0 • The optional priority keyword specifies the
syslog priority critical msg
"Memory exhausted; current available priority level of the syslog messages. If selected,
memory is $_snmp_oid_val bytes" the priority-level argument must be defined.
• The msg-text argument can be character text, an
Example: environment variable, or a combination of the two.
Device(config-applet)# action 1.0 • The facility keyword specifies the location of
syslog priority errors facility
EEM-FAC message “TEST MSG” generated message
• The string argument can be character text, an
environment variable, or a combination of the two.
Step 10 action label mail server Specifies the action of sending a short e-mail when an
server-address to to-address from EEM applet is triggered.
from-address [cc cc-address] subject
subject body body-text • The server-address argument specifies the fully
qualified domain name of the e-mail server to be
used to forward the e-mail.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1687
How to Write EEM Policies Using the Cisco IOS CLI
Troubleshooting Tips
Use the debug event manager command in privileged EXEC mode to troubleshoot EEM command operations.
Use any debugging command with caution as the volume of generated output can slow or stop the device
operations. We recommend that this command be used only under the supervision of a Cisco engineer.
Procedure
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1688
How to Write EEM Policies Using the Cisco IOS CLI
Example:
Device# configure terminal
Step 4 event manager environment Configures the value of the specified EEM
variable-name string environment variable.
• In this example, the software assigns a CRON
Example: timer environment variable to be set to the
Device(config)# event manager second minute of every hour of every day.
environment _cron_entry 0-59/2
0-23/1 * * 0-6
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1689
How to Write EEM Policies Using the Cisco IOS CLI
Examples
In the following example, the show event manager environment privileged EXEC command is used to
display the name and value of all EEM environment variables.
Procedure
Step 2 show event manager policy registered (Optional) Displays the EEM policies that are
[description [policy-name] | detailed currently registered.
policy-filename [system | user] | [event-type
event-name] [system | user] [time-ordered | • The optional systemand user keywords
display the registered system and user
name-ordered]]
policies.
Example:
Device# configure terminal
Step 4 no event manager policy policy-filename Removes the EEM policy from the
configuration, causing the policy to be
Example: unregistered.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1690
How to Write EEM Policies Using the Cisco IOS CLI
Example:
Device# show event manager policy
registered
Examples
In the following example, the show event manager policy registered privileged EXEC command is used to
display the two EEM applets that are currently registered:
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(5)E (Catalyst 2960-X Switches)
1691
How to Write EEM Policies Using the Cisco IOS CLI
Procedure
Step 2 show event manager policy registered (Optional) Displays the EEM policies that are
[description [policy-name] | detailed currently registered.
policy-filename [system | user] | [event-type
event-name] [system | user] [time-ordered | • The optional systemand user keywords
display the registered system and user
name-ordered]]
policies.
Example: