Guide
Release 12.4
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work,
Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP,
CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital,
the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink,
Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo,
Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet,
The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the
United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0601R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Audience xix
Contents 7
Contents 77
Contents 83
Prerequisites for Installing Two Ethernet Switch Network Modules in a Single Chassis 84
Feature Information for the Cisco HWIC-4ESW and the Cisco HWIC-D-9ESW EtherSwitch Cards 198
Contents 199
Glossary 353
Terminology 360
Prerequisites 385
Restrictions 386
Router Configuration Restrictions 386
External Router Guidelines 387
Access List Restrictions and Guidelines 387
Prerequisites 397
Restrictions 398
General Configuration Guidelines 398
External Router Guidelines 398
Access List Restrictions 398
Restrictions on Interaction of IPX MLS with Other Features 399
Restriction on Maximum Transmission Unit Size 399
IPX MLS Configuration Task List 399
Adding an IPX MLS Interface to a VTP Domain 400
Enabling Multilayer Switching Protocol (MLSP) on the Router 400
Assigning a VLAN ID to a Router Interface 400
Enabling IPX MLS on a Router Interface 401
Specifying a Router Interface As a Management Interface 401
Verifying IPX MLS on the Router 401
Troubleshooting Tips 401
This chapter describes the objectives, audience, organization, and conventions of Cisco IOS software
documentation. It also provides sources for obtaining documentation, technical assistance, and
additional publications and information from Cisco Systems. It contains the following sections:
• Documentation Objectives, page xix
• Audience, page xix
• Documentation Organization for Cisco IOS Release 12.4, page xx
• Document Conventions, page xxvi
• Obtaining Documentation, page xxvii
• Documentation Feedback, page xxviii
• Cisco Product Security Overview, page xxix
• Obtaining Technical Assistance, page xxx
• Obtaining Additional Publications and Information, page xxxi
Documentation Objectives
Cisco IOS software documentation describes the tasks and commands available to configure and
maintain Cisco networking devices.
Audience
The Cisco IOS software documentation set is intended primarily for users who configure and maintain
Cisco networking devices (such as routers and switches) but who may not be familiar with the
configuration and maintenance tasks, the relationship among tasks, or the Cisco IOS software commands
necessary to perform particular tasks. The Cisco IOS software documentation set is also intended for
those users experienced with Cisco IOS software who need to know about new features, new
configuration options, and new software characteristics in the current Cisco IOS software release.
Note In some cases, information contained in Release 12.2T and 12.3T feature documents augments or
supersedes content in the accompanying documentation. Therefore it is important to review all
feature documents for a particular technology.
Table 1 lists the Cisco IOS Release 12.4 configuration guides and command references.
Table 1 Cisco IOS Release 12.4 Configuration Guides and Command References
Table 2 lists the documents and resources that support the Cisco IOS Release 12.4 software
configuration guides and command references.
Table 2 Cisco IOS Release 12.4 Supporting Documents and Resources
Document Conventions
Within Cisco IOS software documentation, the term router is generally used to refer to a variety of Cisco
products (for example, routers, access servers, and switches). Routers, access servers, and other
networking devices that support Cisco IOS software are shown interchangeably within examples. These
products are used only for illustrative purposes; that is, an example that shows one product does not
necessarily indicate that other products are not supported.
The Cisco IOS documentation set uses the following conventions:
Convention Description
^ or Ctrl The ^ and Ctrl symbols represent the Control key. For example, the key combination ^D or Ctrl-D means hold down the Control key while you press the D key. Keys are indicated in capital letters but are not case sensitive.
string A string is a nonquoted set of characters shown in italics. For example, when setting an SNMP community string to public, do not use quotation marks around the string or the string will include the quotation marks.
bold Bold text indicates commands and keywords that you enter literally as shown.
italics Italic text indicates arguments for which you supply values.
[x] Square brackets enclose an optional element (keyword or argument).
| A vertical line indicates a choice within an optional or required set of keywords or arguments.
[x | y] Square brackets enclosing keywords or arguments separated by a vertical line indicate an optional choice.
{x | y} Braces enclosing keywords or arguments separated by a vertical line indicate a required choice.
Nested sets of square brackets or braces indicate optional or required choices within optional or required elements. For example:
Convention Description
[x {y | z}] Braces and a vertical line within square brackets indicate a required choice within an optional element.
Convention Description
screen Examples of information displayed on the screen are set in Courier font.
bold screen Examples of text that you must enter are set in Courier bold font.
< > Angle brackets enclose text that is not printed to the screen, such as passwords, and are used in contexts in which the italic document convention is not available, such as ASCII text.
! An exclamation point at the beginning of a line indicates a comment line. (Exclamation points are also displayed by the Cisco IOS software for certain processes.)
[ ] Square brackets enclose default responses to system prompts.
The following conventions are used to attract the attention of the reader:
Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Note Means reader take note. Notes contain suggestions or references to material not covered in the
manual.
Timesaver Means the described action saves time. You can save time by performing the action described in the
paragraph.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several
ways to obtain technical assistance and other technical resources. These sections explain how to obtain
technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation and technical support at this URL:
http://www.cisco.com/techsupport
Ordering Documentation
Beginning June 30, 2005, registered Cisco.com users may order Cisco documentation at the Product
Documentation Store in the Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m.
(0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by
calling 011 408 519-5055. You can also order documentation by e-mail at
tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada,
or elsewhere at 011 408 519-5001.
Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online feedback
form that appears with the technical documents on Cisco.com.
You can send comments about Cisco documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your
document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive
information that you send to Cisco. PSIRT can work from encrypted information that is compatible with
PGP versions 2.x through 8.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence
with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page
at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The link on this page has the current PGP key ID in use.
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting
a web or phone request for service. You can access the CPI tool from the Cisco Technical Support &
Documentation website by clicking the Tools & Resources link. Choose Cisco Product Identification
Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link
under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree
view; or for certain products, by copying and pasting show command output. Search results show an
illustration of your product with the serial number label location highlighted. Locate the serial number
label on your product and record the information before placing a service call.
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering
professionals involved in designing, developing, and operating public and private internets and
intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
• Networking products offered by Cisco Systems, as well as customer support services, can be
obtained at this URL:
http://www.cisco.com/en/US/products/index.html
• Networking Professionals Connection is an interactive website for networking professionals to share
questions, suggestions, and information about networking products and technologies with Cisco
experts and other networking professionals. Join a discussion at this URL:
http://www.cisco.com/discuss/networking
• World-class networking training is available from Cisco. You can view current offerings at
this URL:
http://www.cisco.com/en/US/learning/index.html
This chapter provides tips for understanding and configuring Cisco IOS software using the
command-line interface (CLI). It contains the following sections:
• Understanding Command Modes, page xxxiii
• Getting Help, page xxxiv
• Using the no and default Forms of Commands, page xxxviii
• Saving Configuration Changes, page xxxviii
• Filtering Output from the show and more Commands, page xxxix
• Finding Additional Feature Support Information, page xxxix
For an overview of Cisco IOS software configuration, see the Cisco IOS Configuration Fundamentals
Configuration Guide.
For information on the conventions used in the Cisco IOS software documentation set, see the “About
Cisco IOS Software Documentation for Release 12.4” chapter.
ROM monitor mode is a separate mode used when the Cisco IOS software cannot load properly. If a valid
software image is not found when the software boots or if the configuration file is corrupted at startup,
the software might enter ROM monitor mode.
Table 1 describes how to access and exit various common command modes of the Cisco IOS software.
It also shows examples of the prompts displayed for each mode.
For more information on command modes, see the “Using the Cisco IOS Command-Line Interface”
chapter in the Cisco IOS Configuration Fundamentals Configuration Guide.
Getting Help
Entering a question mark (?) at the CLI prompt displays a list of commands available for each command
mode. You can also get a list of keywords and arguments associated with any command by using the
context-sensitive help feature.
To get help specific to a command mode, a command, a keyword, or an argument, use one of the
following commands:
Command Purpose
help Provides a brief description of the help system in any command mode.
abbreviated-command-entry? Provides a list of commands that begin with a particular character string. (No space between command and question mark.)
abbreviated-command-entry<Tab> Completes a partial command name.
? Lists all commands available for a particular command mode.
command ? Lists the keywords or arguments that you must enter next on the command line. (Space between command and question mark.)
Command:
Router> enable
Password: <password>
Router#
Comment: Enter the enable command and password to access privileged EXEC commands. You are in privileged EXEC mode when the prompt changes to Router#.
Command:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
Comment: Enter the configure terminal privileged EXEC command to enter global configuration mode. You are in global configuration mode when the prompt changes to Router(config)#.
Command:
Router(config)# interface serial ?
<0-6> Serial interface number
Router(config)# interface serial 4 ?
/
Router(config)# interface serial 4/ ?
<0-3> Serial interface number
Router(config)# interface serial 4/0 ?
<cr>
Router(config)# interface serial 4/0
Router(config-if)#
Comment: Enter interface configuration mode by specifying the serial interface that you want to configure using the interface serial global configuration command. Enter ? to display what you must enter next on the command line. In this example, you must enter the serial interface slot number and port number, separated by a forward slash. When the <cr> symbol is displayed, you can press Enter to complete the command. You are in interface configuration mode when the prompt changes to Router(config-if)#.
Command:
Router(config-if)# ?
Interface configuration commands:
.
.
.
ip Interface Internet Protocol config commands
keepalive Enable keepalive
lan-name LAN Name command
llc2 LLC2 Interface Subcommands
load-interval Specify interval for load calculation for an interface
locaddr-priority Assign a priority group
logging Configure logging for interface
loopback Configure internal loopback on an interface
mac-address Manually set interface MAC address
mls mls router sub/interface commands
mpoa MPOA interface configuration commands
mtu Set the interface Maximum Transmission Unit (MTU)
netbios Use a defined NETBIOS access list or enable name-caching
no Negate a command or set its defaults
nrzi-encoding Enable use of NRZI encoding
ntp Configure NTP
.
.
.
Router(config-if)#
Comment: Enter ? to display a list of all the interface configuration commands available for the serial interface. This example shows only some of the available interface configuration commands.
Command:
Router(config-if)# ip ?
Interface IP configuration subcommands:
access-group Specify access control for packets
accounting Enable IP accounting on this interface
address Set the IP address of an interface
authentication authentication subcommands
bandwidth-percent Set EIGRP bandwidth limit
broadcast-address Set the broadcast address of an interface
cgmp Enable/disable CGMP
directed-broadcast Enable forwarding of directed broadcasts
dvmrp DVMRP interface commands
hello-interval Configures IP-EIGRP hello interval
helper-address Specify a destination address for UDP broadcasts
hold-time Configures IP-EIGRP hold time
.
.
.
Router(config-if)# ip
Comment: Enter the command that you want to configure for the interface. This example uses the ip command. Enter ? to display what you must enter next on the command line. This example shows only some of the available interface IP configuration commands.
Command:
Router(config-if)# ip address ?
A.B.C.D IP address
negotiated IP Address negotiated over PPP
Router(config-if)# ip address
Comment: Enter the command that you want to configure for the interface. This example uses the ip address command. Enter ? to display what you must enter next on the command line. In this example, you must enter an IP address or the negotiated keyword. A carriage return (<cr>) is not displayed; therefore, you must enter additional keywords or arguments to complete the command.
Command:
Router(config-if)# ip address 172.16.0.1 ?
A.B.C.D IP subnet mask
Router(config-if)# ip address 172.16.0.1
Comment: Enter the keyword or argument that you want to use. This example uses the 172.16.0.1 IP address. Enter ? to display what you must enter next on the command line. In this example, you must enter an IP subnet mask. A <cr> is not displayed; therefore, you must enter additional keywords or arguments to complete the command.
Command:
Router(config-if)# ip address 172.16.0.1 255.255.255.0 ?
secondary Make this IP address a secondary address
<cr>
Router(config-if)# ip address 172.16.0.1 255.255.255.0
Comment: Enter the IP subnet mask. This example uses the 255.255.255.0 IP subnet mask. Enter ? to display what you must enter next on the command line. In this example, you can enter the secondary keyword, or you can press Enter. A <cr> is displayed; you can press Enter to complete the command, or you can enter another keyword.
Command:
Router(config-if)# ip address 172.16.0.1 255.255.255.0
Router(config-if)#
Comment: In this example, Enter is pressed to complete the command.
It might take a minute or two to save the configuration. After the configuration has been saved, the
following output appears:
[OK]
Router#
On most platforms, this task saves the configuration to NVRAM. On the Class A flash file system
platforms, this task saves the configuration to the location specified by the CONFIG_FILE environment
variable. The CONFIG_FILE variable defaults to NVRAM.
For more information on the search and filter functionality, see the “Using the Cisco IOS Command-Line
Interface” chapter in the Cisco IOS Configuration Fundamentals Configuration Guide.
This roadmap lists the features documented in the Virtual LANs modules in which they appear.
Roadmap History
This roadmap was first published April 20, 2006 and last updated on April 20, 2006.
Note Table 3 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
12.2(13)T
Feature: Configuring Routing Between VLANs with IEEE 802.1Q Encapsulation
Description: The IEEE 802.1Q protocol is used to interconnect multiple switches and routers, and for defining VLAN topologies. The IEEE 802.1Q standard is extremely restrictive to untagged frames. The standard provides only a per-port VLANs solution for untagged frames. For example, assigning untagged frames to VLANs takes into consideration only the port from which they have been received. Each port has a parameter called a permanent virtual identification (Native VLAN) that specifies the VLAN assigned to receive untagged frames.
Where documented: Configuring Routing Between VLANs
• Configuring Routing Between VLANs with IEEE 802.1Q Encapsulation
Feature: Configuring Routing Between VLANs with Inter-Switch Link Encapsulation
Description: ISL is a Cisco protocol for interconnecting multiple switches and maintaining VLAN information as traffic goes between switches. ISL provides VLAN capabilities while maintaining full wire speed performance on Fast Ethernet links in full- or half-duplex mode. ISL operates in a point-to-point environment and will support up to 1000 VLANs. You can define virtually as many logical networks as are necessary for your environment.
Where documented: Configuring Routing Between VLANs
• Configuring Routing Between VLANs with Inter-Switch Link Encapsulation
Feature: Configuring Routing Between VLANs with IEEE 802.10 Encapsulation
Description: AppleTalk can be routed over VLAN subinterfaces using the ISL or IEEE 802.10 VLANs feature that provides full-feature Cisco IOS software AppleTalk support on a per-VLAN basis, allowing standard AppleTalk capabilities to be configured on VLANs.
Where documented: Configuring Routing Between VLANs
• Configuring Routing Between VLANs with IEEE 802.10 Encapsulation
This module provides an overview of VLANs. It describes the encapsulation protocols used for routing
between VLANs and provides some basic information about designing VLANs. This module contains
tasks for configuring routing between VLANs.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Contents
• Information About Routing Between VLANs, page 7
• How to Configure Routing Between VLANS, page 18
• Configuration Examples for Configuring Routing Between VLANs, page 56
• Additional References, page 74
• Feature Information for Routing Between VLANs, page 76
LAN Segmentation
VLANs allow logical network topologies to overlay the physical switched infrastructure such that any
arbitrary collection of LAN ports can be combined into an autonomous user group or community of
interest. The technology logically segments the network into separate Layer 2 broadcast domains
whereby packets are switched between ports designated to be within the same VLAN. By containing
traffic originating on a particular LAN only to other LANs in the same VLAN, switched virtual networks
avoid wasting bandwidth, a drawback inherent to traditional bridged and switched networks in which
packets are often forwarded to LANs with no need for them. Implementation of VLANs also improves
scalability, particularly in LAN environments that support broadcast- or multicast-intensive protocols
and applications that flood packets throughout the network.
Figure 1 illustrates the difference between traditional physical LAN segmentation and logical VLAN
segmentation.
[Figure 1: LAN 1, LAN 2, and LAN 3 segmented by Catalyst VLAN switches and a router]
Security
VLANs improve security by isolating groups. High-security users can be grouped into a VLAN, possibly
on the same physical segment, and no users outside that VLAN can communicate with them.
Broadcast Control
Just as switches isolate collision domains for attached hosts and only forward appropriate traffic out a
particular port, VLANs provide complete isolation between VLANs. A VLAN is a bridging domain, and
all broadcast and multicast traffic is contained within it.
VLAN Performance
The logical grouping of users allows an accounting group to make intensive use of a networked
accounting system assigned to a VLAN that contains just that accounting group and its servers.
That group’s work will not affect other users. The VLAN configuration improves general network
performance by not slowing down other users sharing the network.
Network Management
The logical grouping of users allows easier network management. It is not necessary to pull cables to
move a user from one network to another. Adds, moves, and changes are achieved by configuring a port
into the appropriate VLAN.
Relaying Function
The relaying function level, as displayed in Figure 2, is the lowest level in the architectural model
described in the IEEE 802.1Q standard and presents three types of rules:
• Ingress rules—Rules relevant to the classification of received frames belonging to a VLAN.
• Forwarding rules between ports—Rules decide whether to filter or forward the frame.
• Egress rules (output of frames from the switch)—Rules decide if the frame must be sent tagged or
untagged.
[Figure 2: relaying function, from frame reception to frame transmission]
The Tagging Scheme
Figure 3 shows the tagging scheme proposed by the 802.3ac standard, that is, the addition of four
octets after the source MAC address. Their presence is indicated by a particular value of the EtherType
field (called TPID), which has been fixed to 0x8100. When a frame has the EtherType equal
to 0x8100, this frame carries the IEEE 802.1Q/802.1p tag. The tag is stored in the following two octets
and it contains 3 bits of user priority, 1 bit of Canonical Format Identifier (CFI), and 12 bits of VLAN
ID (VID). The 3 bits of user priority are used by the 802.1p standard; the CFI is used for compatibility
between Ethernet-type networks and Token Ring-type networks. The VID identifies the VLAN and is
the field used by the 802.1Q standard; being 12 bits wide, it allows the identification of 4096 VLANs.
After the two octets of TPID and the two octets of the Tag Control Information field there are two octets
that originally would have been located after the Source Address field, where the TPID now sits. They
contain either the MAC length in the case of IEEE 802.3 or the EtherType in the case of Ethernet
version 2.
[Figure 3: 802.1Q tagged frame layout: Destination address (6 octets), Source address (6 octets), EtherType = 0x8100 (2 octets), Tag Control Information (2 octets: user priority, CFI, VLAN ID), MAC length/type (2 octets), Data (variable) plus PAD, FCS (4 octets)]
The EtherType and VLAN ID are inserted after the MAC source address, but before the original
Ethertype/Length or Logical Link Control (LLC). The 1-bit CFI included a T-R Encapsulation bit so that
Token Ring frames can be carried across Ethernet backbones without using 802.1H translation.
Figure 4 shows how adding a tag in a frame recomputes the Frame Control Sequence. 802.1p and 802.1Q
share the same tag.
[Figure 4: original frame: Dest, Src, Len/Etype, Data, FCS; tagged frame: Dest, Src, Etype, Tag (PRI, VLAN ID), Len/Etype, Data, FCS. The VLAN ID and TR encapsulation are 802.1Q, not 802.1p]
Native VLAN
Each physical port has a parameter called PVID. Every 802.1Q port is assigned a PVID value that is
its native VLAN ID (the default is VLAN 1). All untagged frames are assigned to the VLAN specified in the
PVID parameter. When a tagged frame is received by a port, the tag is respected. If the frame is untagged,
the value contained in the PVID is treated as its tag. Because the frame is untagged and the PVID
supplies the tag, VLAN-aware bridges and stations can coexist with VLAN-unaware bridges and stations
on the same pieces of cable, as shown in Figure 5. Consider, for example, the two stations
connected to the central trunk link in the lower part of Figure 5. They are VLAN-unaware and they are
associated with VLAN C, because the PVIDs of the VLAN-aware bridges are equal to VLAN C.
Because the VLAN-unaware stations send only untagged frames, the VLAN-aware bridge
devices assign these untagged frames to VLAN C when they receive them.
[Figure 5: VLAN A, VLAN B, and VLAN C with VLAN-aware and VLAN-unaware end stations; the VLAN-aware bridges on the central trunk have PVID = C]
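The tagging scheme and the PVID ingress rule above, worked through in code (an added example, not from the Cisco guide): it builds an untagged Ethernet II frame, inserts the four-octet 802.1Q tag after the source MAC, recomputes the FCS as Figure 4 describes, parses the priority/CFI/VID fields back out, and assigns untagged frames to the port's native VLAN. The MAC addresses, payload and the function names are constructed for the example; the FCS is computed with the standard CRC-32 that Ethernet uses.

```python
"""802.1Q tag handling over raw Ethernet frames (added example, not Cisco code)."""
import struct
import zlib

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q/802.1p tag
FCS_LEN = 4
MIN_FRAME_LEN = 64       # Ethernet minimum frame size, including the FCS


def ethernet_fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: IEEE CRC-32 (same polynomial as zlib), sent LSB first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, data: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) src(6) type(2) data+pad FCS(4)."""
    body = dst + src + struct.pack("!H", ethertype) + data
    body = body.ljust(MIN_FRAME_LEN - FCS_LEN, b"\x00")   # pad to minimum size
    return body + ethernet_fcs(body)


def parse_frame(frame: bytes) -> dict:
    """Return header fields; 'vid' is None when no 802.1Q tag is present.
    The FCS is verified first so a corrupted tag is never acted on."""
    if len(frame) < 14 + FCS_LEN:
        raise ValueError("frame too short")
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    if ethernet_fcs(body) != fcs:
        raise ValueError("FCS mismatch")
    (etype,) = struct.unpack("!H", body[12:14])
    info = {"dst": body[:6], "src": body[6:12],
            "priority": None, "cfi": None, "vid": None}
    offset = 14
    if etype == TPID_8021Q:
        # Tag Control Information: 3 bits priority, 1 bit CFI, 12 bits VID
        (tci,) = struct.unpack("!H", body[14:16])
        info.update(priority=tci >> 13, cfi=(tci >> 12) & 1, vid=tci & 0xFFF)
        # The two octets after the TCI are what originally followed the source
        # MAC: a MAC length (IEEE 802.3) or an EtherType (Ethernet version 2).
        (etype,) = struct.unpack("!H", body[16:18])
        offset = 18
    info["length_or_type"] = etype
    info["is_8023_length"] = etype <= 1500
    info["data"] = body[offset:]          # includes any padding
    return info


def tag_frame(frame: bytes, vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    """Insert a 4-octet 802.1Q tag after the source MAC and recompute the FCS.
    Refuses to stack a second tag on an already tagged frame."""
    if not (0 <= vid <= 0xFFF and 0 <= priority <= 7 and cfi in (0, 1)):
        raise ValueError("TCI field out of range")
    if parse_frame(frame)["vid"] is not None:
        raise ValueError("frame already carries an 802.1Q tag")
    tci = (priority << 13) | (cfi << 12) | vid
    body = frame[:-FCS_LEN]
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged + ethernet_fcs(tagged)       # FCS covers the new octets too


def ingress_vlan(frame: bytes, pvid: int) -> int:
    """802.1Q ingress rule: a tagged frame keeps its VID; an untagged frame is
    assigned to the receiving port's PVID (its native VLAN, default 1)."""
    vid = parse_frame(frame)["vid"]
    return pvid if vid is None else vid


if __name__ == "__main__":
    # Constructed sample frame: broadcast destination, made-up source MAC.
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("00000c000001")
    plain = build_frame(dst, src, 0x0800, b"\x45" + b"\x00" * 19)
    tagged = tag_frame(plain, vid=100, priority=5)
    print("untagged frame -> VLAN", ingress_vlan(plain, pvid=1))    # 1
    print("tagged frame   -> VLAN", ingress_vlan(tagged, pvid=1))   # 100
    print("tag octets:", tagged[12:16].hex())                        # 8100a064
```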
PVST+
PVST+ provides support for 802.1Q trunks and the mapping of multiple spanning trees to the single
spanning tree of 802.1Q switches.
The PVST+ architecture distinguishes three types of regions:
• A PVST region
• A PVST+ region
• An MST region
Each region consists of a homogenous type of switch. A PVST region can be connected to a PVST+
region by connecting two ISL ports. Similarly, a PVST+ region can be connected to an MST region by
connecting two 802.1Q ports.
At the boundary between a PVST region and a PVST+ region the mapping of spanning trees is
one-to-one. At the boundary between an MST region and a PVST+ region, the ST in the MST region maps
to one PVST in the PVST+ region. The one it maps to is called the common spanning tree (CST). The
default CST is the PVST of VLAN 1 (Native VLAN).
All PVSTs, except for the CST, are tunneled through the MST region. Tunneling means that bridge
protocol data units (BPDUs) are flooded through the MST region along the single spanning tree present
in the MST region.
VLAN Colors
VLAN switching is accomplished through frame tagging where traffic originating and contained within
a particular virtual topology carries a unique VLAN ID as it traverses a common backbone or trunk link.
The VLAN ID enables VLAN switching devices to make intelligent forwarding decisions based on the
embedded VLAN ID. Each VLAN is differentiated by a color, or VLAN identifier. The unique VLAN
ID determines the frame coloring for the VLAN. Packets originating and contained within a particular
VLAN carry the identifier that uniquely defines that VLAN (by the VLAN ID).
The VLAN ID allows VLAN switches and routers to selectively forward packets to ports with the same
VLAN ID. The switch that receives the frame from the source station inserts the VLAN ID and the
packet is switched onto the shared backbone network. When the frame exits the switched LAN, a switch
strips the header and forwards the frame to interfaces that match the VLAN color. If you are using a
Cisco network management product such as VlanDirector, you can color code the VLANs and
monitor them graphically.
Implementing VLANS
Network managers can logically group networks that span all major topologies, including high-speed
technologies such as ATM, FDDI, and Fast Ethernet. By creating virtual LANs, system and network
administrators can control traffic patterns, react quickly to relocations, and keep up with constant
changes in the network due to moving requirements and node relocation just by changing the VLAN
member list in the router configuration. They can add, remove, or move devices or make other changes
to the network configuration in software.
Issues regarding creating VLANs should have been addressed when you developed your network design.
Issues to consider include the following:
• Scalability
• Performance improvements
• Security
• Network additions, moves, and changes
Note Cisco does not support IEEE 802.1Q encapsulation for Ethernet interfaces.
Procedures for configuring routing between VLANs with IEEE 802.1Q encapsulation are provided in
the “Configuring Routing Between VLANs with IEEE 802.1Q Encapsulation” section on page 39.
The FSSRP feature improves upon SSRP so that LANE server and BUS switchover for LANE clients
is immediate. With SSRP, when a LANE server went down it could take considerable time, depending on
the network load, for the LANE client to come back up joined to the correct LANE server and BUS. In
addition, when its LANE server went down under SSRP, the LANE client would do the following:
• Clear out its data direct VCs
• Clear out its LE ARP entries
• Cause substantial signalling activity and data loss
FSSRP was designed to alleviate these problems with the LANE client. With FSSRP, each LANE client
is simultaneously joined to up to four LANE servers and BUSs. The concept of the master LANE server
and BUS is maintained; the LANE client uses the master LANE server when it needs LANE server BUS
services. However, the difference between SSRP and FSSRP is that if and when the master LANE server
goes down, the LANE client is already connected to multiple backup LANE servers and BUSs. The
LANE client simply uses the next backup LANE server and BUS as the master LANE server and BUS.
VLAN Interoperability
Cisco IOS features bring added benefits to the VLAN technology. Enhancements to ISL, IEEE 802.10,
and ATM LANE implementations enable routing of all major protocols between VLANs. These
enhancements allow users to create more robust networks incorporating VLAN configurations by
providing communications capabilities between VLANs.
Inter-VLAN Communications
The Cisco IOS supports full routing of several protocols over ISL and ATM LANE VLANs. IP, Novell
IPX, and AppleTalk routing are supported over IEEE 802.10 VLANs. Standard routing attributes such
as network advertisements, secondaries, and help addresses are applicable, and VLAN routing is fast
switched. Table 4 shows protocols supported for each VLAN encapsulation format and corresponding
Cisco IOS software releases.
VLAN Translation
VLAN translation refers to the ability of the Cisco IOS software to translate between different VLANs
or between VLAN and non-VLAN encapsulating interfaces at Layer 2. Translation is typically used for
selective inter-VLAN switching of nonroutable protocols and to extend a single VLAN topology across
hybrid switching environments. It is also possible to bridge VLANs on the main interface; the VLAN
encapsulating header is preserved. Topology changes in one VLAN domain do not affect a different
VLAN.
Restrictions
• Each command you enter while you are in interface configuration mode with the interface range
command is executed as it is entered. The commands are not batched together for execution after
you exit interface configuration mode. If you exit interface configuration mode while the commands
are being executed, some commands might not be executed on some interfaces in the range. Wait
until the command prompt reappears before exiting interface configuration mode.
• The no interface range command is not supported. You must delete individual subinterfaces to
delete a range.
Supported Platforms
For Cisco IOS Release 12.2(13)T, the following platforms are supported:
• Cisco 6400 series
• Cisco 7200 series
• Cisco 7401 ASR router
Benefits
The VLAN Range feature provides the following benefits:
Simultaneous Configurations
Identical commands can be entered once for a range of subinterfaces, rather than being entered
separately for each subinterface.
Customized Subinterfaces
Individual subinterfaces within a range can be customized or deleted.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface range {ethernet | fastethernet | gigabitethernet | atm} slot/interface.subinterface - {ethernet | fastethernet | gigabitethernet | atm} slot/interface.subinterface
4. encapsulation dot1Q vlan-id
5. no shutdown
6. exit
7. show running-config
8. show interfaces
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface range {ethernet | fastethernet | gigabitethernet | atm} slot/interface.subinterface - {ethernet | fastethernet | gigabitethernet | atm} slot/interface.subinterface Selects the range of subinterfaces to be configured.
Note The spaces around the dash are required. For example, the command interface range fastethernet 1 - 5 is valid; the command interface range fastethernet 1-5 is not valid.
Example:
Router(config)# interface range fastethernet5/1.1 - fastethernet5/1.4
Step 4 encapsulation dot1Q vlan-id Applies a unique VLAN ID to each subinterface within the range.
• vlan-id—Virtual LAN identifier. The allowed range is from 1 to 4095.
• The VLAN ID specified by the vlan-id argument is applied to the first subinterface in the range. Each subsequent subinterface is assigned a VLAN ID equal to the specified vlan-id plus its subinterface number minus the first subinterface number (VLAN ID + subinterface number – first subinterface number).
Example:
Router(config-if)# encapsulation dot1Q 301
Step 5 no shutdown Activates the interface.
• This command is required only if you shut down the interface.
Example:
Router(config-if)# no shutdown
Step 6 exit Returns to privileged EXEC mode.
Example:
Router(config-if)# exit
Step 7 show running-config Verifies subinterface configuration.
Example:
Router# show running-config
Step 8 show interfaces Verifies that subinterfaces have been created.
Example:
Router# show interfaces
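The spacing rule in Step 3 and the VLAN ID arithmetic in Step 4 are easy to get wrong when a range is wide, so the following added example (Python written for this page, not Cisco IOS code and not part of this guide) parses an interface range command under the syntax above and computes the VLAN ID that encapsulation dot1Q vlan-id would give each subinterface, rejecting a missing space around the dash, a vlan-id outside 1 to 4095, and a range whose last member would exceed 4095. The regular expression, the function names, and the check that both endpoints belong to the same physical interface are assumptions of this example.

```python
import re

# Added example (not Cisco IOS code): models how the VLAN Range feature hands out
# VLAN IDs when `encapsulation dot1Q vlan-id` is applied to an `interface range`.
# The grammar below and the function names are assumptions of this example.

INTERFACE_TYPES = ("ethernet", "fastethernet", "gigabitethernet", "atm")
MAX_VLAN_ID = 4095   # allowed vlan-id range is documented as 1 to 4095

# `interface range <type><slot>/<if>.<sub> - <type><slot>/<if>.<sub>`; the dash
# must be surrounded by spaces (the guide rejects `fastethernet 1-5`).
_RANGE_RE = re.compile(
    r"^interface range\s+"
    r"(?P<ta>[a-z]+)\s*(?P<sa>\d+)/(?P<ia>\d+)\.(?P<na>\d+)"
    r"\s+-\s+"
    r"(?P<tb>[a-z]+)\s*(?P<sb>\d+)/(?P<ib>\d+)\.(?P<nb>\d+)$"
)


def parse_interface_range(cmd):
    """Return (type, slot, interface, first_sub, last_sub); raise ValueError on bad syntax."""
    m = _RANGE_RE.match(cmd.strip().lower())
    if not m:
        raise ValueError("invalid syntax: expected '<a> - <b>' with spaces around the dash")
    if m["ta"] not in INTERFACE_TYPES:
        raise ValueError("unsupported interface type " + m["ta"])
    if (m["ta"], m["sa"], m["ia"]) != (m["tb"], m["sb"], m["ib"]):
        # assumption of this example: both endpoints are subinterfaces of one physical interface
        raise ValueError("range endpoints must belong to the same physical interface")
    first, last = int(m["na"]), int(m["nb"])
    if first > last:
        raise ValueError("range start is after range end")
    return m["ta"], int(m["sa"]), int(m["ia"]), first, last


def assign_dot1q_range(cmd, vlan_id):
    """Map each subinterface in the range to its VLAN ID.

    The first subinterface gets vlan_id; each later one gets
    vlan_id + (its subinterface number - the first subinterface number).
    """
    itype, slot, iface, first, last = parse_interface_range(cmd)
    if not 1 <= vlan_id <= MAX_VLAN_ID:
        raise ValueError("vlan-id must be between 1 and %d" % MAX_VLAN_ID)
    if vlan_id + (last - first) > MAX_VLAN_ID:
        raise ValueError("range too wide: the last subinterface would exceed VLAN %d" % MAX_VLAN_ID)
    return {
        "%s%d/%d.%d" % (itype, slot, iface, n): vlan_id + (n - first)
        for n in range(first, last + 1)
    }


def check_range_command(cmd, vlan_id):
    """Return None when the command pair is acceptable, otherwise the diagnostic text."""
    try:
        assign_dot1q_range(cmd, vlan_id)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for name, vid in assign_dot1q_range(
            "interface range fastethernet5/1.1 - fastethernet5/1.4", 301).items():
        print(name, "-> VLAN", vid)
    print(check_range_command("interface range fastethernet 1-5", 10))
```

Running the block with the example values from Steps 3 and 4 yields fastethernet5/1.1 through fastethernet5/1.4 on VLANs 301 through 304; the overflow check matters because a wide range started near the top of the VLAN space would silently walk past 4095.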
[Figure: VLANs identified by color (Green, Blue, Red) spanning Fast Ethernet and Token Ring segments]
You can configure routing between any number of VLANs in your network. This section documents the
configuration tasks for each protocol supported with ISL encapsulation. The basic process is the same,
regardless of the protocol being routed. It involves the following tasks:
• Enabling the protocol on the router
• Enabling the protocol on the interface
• Defining the encapsulation format as ISL or TRISL
• Customizing the protocol according to the requirements for your environment
SUMMARY STEPS
1. enable
2. configure terminal
3. appletalk routing [eigrp router-number]
4. interface type slot/port.subinterface-number
5. encapsulation isl vlan-identifier
or
encapsulation sde said
6. appletalk cable-range cable-range [network.node]
7. appletalk zone zone-name
DETAILED STEPS
Example:
Router# configure terminal
Step 3 appletalk routing [eigrp router-number] Enables AppleTalk routing globally on either ISL or 802.10 interfaces.
Example:
Router(config)# appletalk routing
Step 4 interface type slot/port.subinterface-number Specifies the subinterface the VLAN will use.
Example:
Router(config)# interface Fddi 1/0.100
Step 5 encapsulation isl vlan-identifier or encapsulation sde said Defines the encapsulation format as either ISL (isl) or IEEE 802.10 (sde), and specifies the VLAN identifier or security association identifier, respectively.
Example:
Router(config-if)# encapsulation sde 100
Step 6 appletalk cable-range cable-range [network.node] Assigns the AppleTalk cable range and zone for the subinterface.
Example:
Router(config-if)# appletalk cable-range 100-100 100.2
Step 7 appletalk zone zone-name Assigns the AppleTalk zone for the subinterface.
Example:
Router(config-if)# appletalk zone 100
SUMMARY STEPS
1. enable
2. configure terminal
3. vines routing [address]
4. interface type slot/port.subinterface-number
5. encapsulation isl vlan-identifier
6. vines metric [whole [fraction]]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 vines routing [address] Enables Banyan VINES routing globally.
Example:
Router(config)# vines routing
Step 4 interface type slot/port.subinterface-number Specifies the subinterface on which ISL will be used.
Example:
Router(config)# interface fastethernet 1/0.1
Step 5 encapsulation isl vlan-identifier Defines the encapsulation format as ISL (isl), and specifies
the VLAN identifier.
Example:
Router(config-if)# encapsulation isl 200
Step 6 vines metric [whole [fraction]] Enables VINES routing metric on an interface.
Example:
Router(config-if)# vines metric 2
SUMMARY STEPS
1. enable
2. configure terminal
3. decnet [network-number] routing [decnet-address]
4. interface type slot/port.subinterface-number
5. encapsulation isl vlan-identifier
6. decnet cost [cost-value]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 decnet [network-number] routing [decnet-address] Enables DECnet on the router.
Example:
Router(config)# decnet routing 2.1
Step 4 interface type slot/port.subinterface-number Specifies the subinterface on which ISL will be used.
Example:
Router(config)# interface fastethernet 1/0.1
Step 5 encapsulation isl vlan-identifier Defines the encapsulation format as ISL (isl), and specifies
the VLAN identifier.
Example:
Router(config-if)# encapsulation isl 200
Step 6 decnet cost [cost-value] Enables DECnet cost metric on an interface.
Example:
Router(config-if)# decnet cost 4
A separate HSRP group is configured for each VLAN subnet so that Cisco IOS router A can be the
primary and forwarding router for VLANs 10 and 20. At the same time, it acts as backup for VLANs 30
and 40. Conversely, Router B acts as the primary and forwarding router for ISL VLANs 30 and 40, as
well as the secondary and backup router for distributed VLAN subnets 10 and 20.
Running HSRP over ISL allows users to configure redundancy between multiple routers that are
configured as front ends for VLAN IP subnets. By configuring HSRP over ISLs, users can eliminate
situations in which a single point of failure causes traffic interruptions. This feature inherently provides
some improvement in overall networking resilience by providing load balancing and redundancy
capabilities between subnets and VLANs.
To configure HSRP over ISLs between VLANs, you need to create the environment in which it will be
used. Perform the tasks described in the following sections in the order in which they appear.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type slot/port.subinterface-number
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type slot/port.subinterface-number Specifies the subinterface on which ISL will be used.
Example:
Router(config)# interface FastEthernet 1/1.110
Step 4 encapsulation isl vlan-identifier Defines the encapsulation format, and specifies the VLAN
identifier.
Example:
Router(config-if)# encapsulation isl 110
Step 5 ip address ip-address mask [secondary] Specifies the IP address for the subnet on which ISL will be used.
Example:
Router(config-if)# ip address 10.1.1.2 255.255.255.0
Step 6 standby [group-number] ip [ip-address [secondary]] Enables HSRP.
Example:
Router(config-if)# standby 1 ip 10.1.1.101
Step 7 standby [group-number] timers hellotime holdtime Configures the time between hello packets and the hold time before other routers declare the active router to be down.
Example:
Router(config-if)# standby 1 timers 10 10
Step 8 standby [group-number] priority priority Sets the Hot Standby priority of the local router, which is used in choosing the active router.
Example:
Router(config-if)# standby 1 priority 105
Step 9 standby [group-number] preempt Specifies that if the local router has priority over the current active router, the local router should attempt to take its place as the active router.
Example:
Router(config-if)# standby 1 preempt
Step 10 standby [group-number] track type-number [interface-priority] Configures the interface to track other interfaces, so that if one of the other interfaces goes down, the Hot Standby priority for the device is lowered.
Example:
Router(config-if)# standby 1 track 4 5
Step 11 standby [group-number] authentication string Selects an authentication string to be carried in all HSRP messages.
Example:
Router(config-if)# standby 1 authentication hsrpword7
Note For more information on HSRP, see the “Configuring IP Services” chapter in the Cisco IOS IP
Configuration Guide.
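To make the interaction of priority, preemption, interface tracking, timers, and authentication in Steps 6 through 11 concrete, here is an added example (Python written for this page, not Cisco IOS code and not from this guide) that models those HSRP decisions for one group. The dataclass defaults follow the HSRP defaults (priority 100, hello 3 seconds, hold 10 seconds, authentication string "cisco", track decrement 10); the tracked interface name "uplink", the function names, and the tie-breaking simplification (a router only preempts with a strictly higher effective priority; the address-based tie-break is left out) are assumptions of this example.

```python
from dataclasses import dataclass, field

# Added example (not Cisco IOS code): a small model of the HSRP decisions the
# standby commands in Steps 6 to 11 configure. Defaults follow HSRP defaults;
# interface names and all other values are constructed for illustration.

DEFAULT_TRACK_DECREMENT = 10


@dataclass
class HsrpGroup:
    group: int
    virtual_ip: str                       # standby <group> ip <address>
    priority: int = 100                   # standby <group> priority <priority>
    preempt: bool = False                 # standby <group> preempt
    hellotime: int = 3                    # standby <group> timers <hello> <hold>
    holdtime: int = 10
    authentication: str = "cisco"         # standby <group> authentication <string>
    tracked: dict = field(default_factory=dict)       # interface -> decrement (standby track)
    interface_up: dict = field(default_factory=dict)  # interface -> current link state

    def track(self, ifname, decrement=DEFAULT_TRACK_DECREMENT):
        """standby <group> track <interface> [interface-priority]."""
        self.tracked[ifname] = decrement
        self.interface_up.setdefault(ifname, True)

    def effective_priority(self):
        """Configured priority minus the decrement of every tracked interface that is down."""
        penalty = sum(dec for ifname, dec in self.tracked.items()
                      if not self.interface_up.get(ifname, True))
        return max(0, self.priority - penalty)

    def accepts_hello(self, auth_string):
        """A hello whose authentication string differs from ours is ignored."""
        return auth_string == self.authentication

    def should_become_active(self, active_priority=None):
        """Claim the active role when no active router is heard, or when preempt is set
        and our effective priority beats the current active router's (ties ignored here)."""
        if active_priority is None:
            return True
        return self.preempt and self.effective_priority() > active_priority

    def active_is_down(self, seconds_since_last_hello):
        """Other routers declare the active router down once holdtime passes without a hello."""
        return seconds_since_last_hello > self.holdtime


def router_a_vlan110():
    """Constructed configuration mirroring the example values in the steps above."""
    g = HsrpGroup(group=1, virtual_ip="10.1.1.101", priority=105, preempt=True,
                  hellotime=10, holdtime=10, authentication="hsrpword7")
    g.track("uplink", decrement=5)   # constructed interface name; decrement 5 as in Step 10
    return g


if __name__ == "__main__":
    g = router_a_vlan110()
    print("effective priority:", g.effective_priority())
    g.interface_up["uplink"] = False
    print("after uplink failure:", g.effective_priority(),
          "take over from a priority-100 peer?", g.should_become_active(100))
```

With the example values, router A holds priority 105 and preempts a priority-100 peer; once the tracked uplink fails, its effective priority drops to 100 and it no longer preempts, which is exactly how tracking keeps the active router on the box that still has a working path. The authentication string check shows why a mismatched string on one router leaves both sides ignoring each other's hellos.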
SUMMARY STEPS
1. enable
2. configure terminal
3. ip routing
4. interface type slot/port.subinterface-number
5. encapsulation tr-isl trbrf-vlan vlanid bridge-num bridge-number
6. ip address ip-address mask
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip routing Enables IP routing on the router.
Example:
Router(config)# ip routing
Step 4 interface type slot/port.subinterface-number Specifies the subinterface on which TRISL will be used.
Example:
Router(config)# interface FastEthernet4/0.1
Step 5 encapsulation tr-isl trbrf-vlan vlanid bridge-num bridge-number Defines the encapsulation for TRISL.
• The DRiP database is automatically enabled when TRISL encapsulation is configured, at least one TrBRF is defined, and the interface is configured for SRB or for routing with RIF.
Example:
Router(config-if)# encapsulation tr-isl trbrf-vlan 999 bridge-num 14
Step 6 ip address ip-address mask Sets a primary IP address for an interface.
• A mask identifies the bits that denote the network number in an IP address. When you use the mask to subnet a network, the mask is then referred to as a subnet mask.
Example:
Router(config-if)# ip address 10.5.5.1 255.255.255.0
Note Only one type of IPX encapsulation can be configured per VLAN (subinterface). The IPX encapsulation
used must be the same within any particular subnet; a single encapsulation must be used by all NetWare
systems that belong to the same VLAN.
To configure Cisco IOS software on a router with connected VLANs to exchange different IPX framing
protocols, perform the steps described in the following task in the order in which they appear.
SUMMARY STEPS
1. enable
2. configure terminal
3. ipx routing [node]
4. interface fddi slot/port.subinterface-number
5. encapsulation sde vlan-identifier
6. ipx network network encapsulation encapsulation-type
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ipx routing [node] Enables IPX routing globally.
Example:
Router(config)# ipx routing
Step 4 interface fddi slot/port.subinterface-number Specifies the subinterface the VLAN will use.
Example:
Router(config)# interface fddi 2/0.1
Step 5 encapsulation sde vlan-identifier Defines the encapsulation format and specifies the VLAN identifier.
Example:
Router(config-if)# encapsulation sde 20
Step 6 ipx network network encapsulation encapsulation-type Specifies the IPX encapsulation among Novell-FDDI, SAP, or SNAP.
Example:
Router(config-if)# ipx network 20 encapsulation sap
Note Only one type of IPX encapsulation can be configured per VLAN (subinterface). The IPX encapsulation
used must be the same within any particular subnet: a single encapsulation must be used by all NetWare
systems that belong to the same VLAN.
To configure Cisco IOS software to exchange different IPX framing protocols on a router with connected
VLANs, perform the steps in the following task in the order in which they appear.
SUMMARY STEPS
1. enable
2. configure terminal
3. ipx routing [node]
4. interface type slot/port.subinterface-number
5. encapsulation tr-isl trbrf-vlan trbrf-vlan bridge-num bridge-num
6. ipx network network encapsulation encapsulation-type
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ipx routing [node] Enables IPX routing globally.
Example:
Router(config)# ipx routing
Step 4 interface type slot/port.subinterface-number Specifies the subinterface on which TRISL will be used.
Example:
Router(config)# interface TokenRing 3/1
Step 5 encapsulation tr-isl trbrf-vlan trbrf-vlan bridge-num bridge-num Defines the encapsulation for TRISL.
Example:
Router(config-if)# encapsulation tr-isl trbrf-vlan 999 bridge-num 14
Step 6 ipx network network encapsulation encapsulation-type Specifies the IPX encapsulation on the subinterface by specifying the NetWare network number (if necessary) and the encapsulation type.
Example:
Router(config-if)# ipx network 100 encapsulation sap
Note The default IPX encapsulation format for Cisco IOS routers is “novell-ether” (Novell Ethernet_802.3).
If you are running Novell Netware 3.12 or 4.0, the new Novell default encapsulation format is Novell
Ethernet_802.2 and you should configure the Cisco router with the IPX encapsulation format “sap.”
[Figure: VIP distributed switching architecture, showing the IP routing table, the IP forwarding table, the CyBus, and the Ethernet interfaces]
This distributed architecture allows incremental capacity increases by installation of additional VIP
cards. Using VIP cards for switching the majority of IP VLAN traffic in multiprotocol environments
substantially increases routing performance for the other protocols because the RSP offloads IP and can
then be dedicated to switching the non-IP protocols.
VIP distributed switching offloads switching of ISL VLAN IP traffic to the VIP card, removing
involvement from the main CPU. Offloading ISL traffic to the VIP card substantially improves
networking performance. Because you can install multiple VIP cards in a router, VLAN routing capacity
is increased linearly according to the number of VIP cards installed in the router.
To configure distributed switching on the VIP, you must first configure the router for IP routing.
Perform the tasks described in the following task in the order in which they appear.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip routing
4. interface type slot/port-adapter/port
5. ip route-cache distributed
6. encapsulation isl vlan-identifier
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip routing Enables IP routing on the router.
• Refer to the IP configuration chapters in the Cisco IOS IP Routing Configuration Guide for guidelines on configuring IP.
Example:
Router(config)# ip routing
Step 4 interface type slot/port-adapter/port Specifies the interface and interface configuration mode.
Example:
Router(config)# interface FastEthernet1/0/0
Step 5 ip route-cache distributed Enables VIP distributed switching of IP packets on the
interface.
Example:
Router(config-if)# ip route-cache distributed
Step 6 encapsulation isl vlan-identifier Defines the encapsulation format as ISL, and specifies the
VLAN identifier.
Example:
Router(config-if)# encapsulation isl 1
SUMMARY STEPS
1. enable
2. configure terminal
3. xns routing [address]
4. interface type slot/port.subinterface-number
5. encapsulation isl vlan-identifier
6. xns network [number]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 xns routing [address] Enables XNS routing globally.
Example:
Router(config)# xns routing 0123.4567.adcb
Step 4 interface type slot/port.subinterface-number Specifies the subinterface on which ISL will be used.
Example:
Router(config)# interface fastethernet 1/0.1
Step 5 encapsulation isl vlan-identifier Defines the encapsulation format as ISL (isl), and specifies
the VLAN identifier.
Example:
Router(config-if)# encapsulation isl 100
Step 6 xns network [number] Enables XNS routing on the subinterface.
Example:
Router(config-if)# xns network 20
SUMMARY STEPS
1. enable
2. configure terminal
3. clns routing
4. interface type slot/port.subinterface-number
5. encapsulation isl vlan-identifier
6. clns enable
DETAILED STEPS
Example:
Router# configure terminal
Step 3 clns routing Enables CLNS routing globally.
Example:
Router(config)# clns routing
Step 4 interface type slot/port.subinterface-number Specifies the subinterface on which ISL will be used.
Example:
Router(config)# interface fastethernet 1/0.1
Step 5 encapsulation isl vlan-identifier Defines the encapsulation format as ISL (isl), and specifies
the VLAN identifier.
Example:
Router(config-if)# encapsulation isl 100
Step 6 clns enable Enables CLNS routing on the subinterface.
Example:
Router(config-if)# clns enable
SUMMARY STEPS
1. enable
2. configure terminal
3. router isis [tag]
4. net network-entity-title
5. interface type slot/port.subinterface-number
6. encapsulation isl vlan-identifier
7. clns router isis network [tag]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 router isis [tag] Enables IS-IS routing, and enters router configuration mode.
Example:
Router(config)# router isis test-proc2
Step 4 net network-entity-title Configures the NET for the routing process.
Example:
Router(config-router)# net 49.0001.0002.aaaa.aaaa.aaaa.00
Step 5 interface type slot/port.subinterface-number Specifies the subinterface on which ISL will be used.
Example:
Router(config-router)# interface fastethernet 2.
Step 6 encapsulation isl vlan-identifier Defines the encapsulation format as ISL (isl), and specifies the VLAN identifier.
Example:
Router(config-if)# encapsulation isl 101
Step 7 clns router isis network [tag] Specifies the interfaces that should be actively routing IS-IS.
Example:
Router(config-if)# clns router isis network test-proc2
entire physical interface would stop routing any AppleTalk packets. With this feature enabled, AppleTalk
routing on subinterfaces will be unaffected by changes in the main interface with the main interface in
the “no-shut” state.
To route AppleTalk over IEEE 802.10 between VLANs, create the environment in which it will be used
by customizing the subinterface and perform the tasks described in the following steps in the order in
which they appear.
SUMMARY STEPS
1. enable
2. configure terminal
3. appletalk routing [eigrp router-number]
4. interface fastethernet slot/port.subinterface-number
5. appletalk cable-range cable-range [network.node]
6. appletalk zone zone-name
7. encapsulation sde said
DETAILED STEPS
Example:
Router# configure terminal
Step 3 appletalk routing [eigrp router-number] Enables AppleTalk routing globally.
Example:
Router(config)# appletalk routing
Step 4 interface fastethernet slot/port.subinterface-number Specifies the subinterface the VLAN will use.
Example:
Router(config)# interface fastethernet 4/1.00
Step 5 appletalk cable-range cable-range [network.node] Assigns the AppleTalk cable range and zone for the subinterface.
Example:
Router(config-if)# appletalk cable-range 100-100 100.1
Step 6 appletalk zone zone-name Assigns the AppleTalk zone for the subinterface.
Example:
Router(config-if)# appletalk zone eng
Step 7 encapsulation sde said Defines the encapsulation format as IEEE 802.10 (sde) and specifies the security association identifier (said), which identifies the VLAN.
Example:
Router(config-if)# encapsulation sde 100
Note For more information on configuring AppleTalk, see the “Configuring AppleTalk” chapter in the Cisco
IOS AppleTalk and Novell IPX Configuration Guide.
Prerequisites
Configuring routing between VLANs with IEEE 802.1Q encapsulation assumes the presence of a single
spanning tree and of an explicit tagging scheme with one-level tagging.
You can configure routing between any number of VLANs in your network.
Restrictions
The IEEE 802.1Q standard is extremely restrictive toward untagged frames. The standard provides only a
per-port VLAN solution for untagged frames: an untagged frame is assigned to a VLAN based solely on
the port on which it was received. Each port has a parameter called the permanent virtual identification
(the Native VLAN) that specifies the VLAN assigned to receive untagged frames.
The main characteristics of IEEE 802.1Q are that it assigns frames to VLANs by filtering and that the
standard assumes the presence of a single spanning tree and of an explicit tagging scheme with
one-level tagging.
This section contains the configuration tasks for each protocol supported with IEEE 802.1Q
encapsulation. The basic process is the same, regardless of the protocol being routed. It involves the
following tasks:
• Enabling the protocol on the router
• Enabling the protocol on the interface
• Defining the encapsulation format as IEEE 802.1Q
• Customizing the protocol according to the requirements for your environment
To configure IEEE 802.1Q on your network, perform the following tasks. One of the following tasks is
required depending on the protocol being used.
• Configuring AppleTalk Routing over IEEE 802.1Q (required)
• Configuring IP Routing over IEEE 802.1Q (required)
• Configuring IPX Routing over IEEE 802.1Q (required)
The following tasks are optional. Perform the following tasks to connect a network of hosts over a simple
bridging-access device to a remote access concentrator bridge between IEEE 802.1Q VLANs. The
following sections contain configuration tasks for the Integrated Routing and Bridging, Transparent
Bridging, and PVST+ Between VLANs with IEEE 802.1Q Encapsulation:
• Configuring a VLAN for a Bridge Group with Default VLAN1 (optional)
• Configuring a VLAN for a Bridge Group as a Native VLAN (optional)
SUMMARY STEPS
1. enable
2. configure terminal
3. appletalk routing [eigrp router-number]
4. interface fastethernet slot/port.subinterface-number
5. encapsulation dot1q vlan-identifier
6. appletalk cable-range cable-range [network.node]
7. appletalk zone zone-name
DETAILED STEPS
Example:
Router# configure terminal
Step 3 appletalk routing [eigrp router-number] Enables AppleTalk routing globally.
Example:
Router(config)# appletalk routing
Step 4 interface fastethernet slot/port.subinterface-number Specifies the subinterface the VLAN will use.
Example:
Router(config)# interface fastethernet 4/1.00
Step 5 encapsulation dot1q vlan-identifier Defines the encapsulation format as IEEE 802.1Q (dot1q), and specifies the VLAN identifier.
Example:
Router(config-if)# encapsulation dot1q 100
Step 6 appletalk cable-range cable-range [network.node] Assigns the AppleTalk cable range and zone for the subinterface.
Example:
Router(config-if)# appletalk cable-range 100-100 100.1
Step 7 appletalk zone zone-name Assigns the AppleTalk zone for the subinterface.
Example:
Router(config-if)# appletalk zone eng
Note For more information on configuring AppleTalk, see the “Configuring AppleTalk” chapter in the
Cisco IOS AppleTalk and Novell IPX Configuration Guide.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip routing
4. interface fastethernet slot/port.subinterface-number
5. encapsulation dot1q vlanid
6. ip address ip-address mask
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip routing Enables IP routing on the router.
Example:
Router(config)# ip routing
Step 4 interface fastethernet slot/port.subinterface-number Specifies the subinterface on which IEEE 802.1Q will be used.
Example:
Router(config)# interface fastethernet 4/1.101
Step 5 encapsulation dot1q vlanid Defines the encapsulation format as IEEE 802.1Q (dot1q) and specifies the VLAN identifier.
Example:
Router(config-if)# encapsulation dot1q 101
Step 6 ip address ip-address mask Sets a primary IP address and mask for the interface.
Example:
Router(config-if)# ip address 10.0.0.11 255.0.0.0
Once you have IP routing enabled on the router, you can customize the characteristics to suit your
environment. If necessary, refer to the IP configuration chapters in the Cisco IOS IP Routing
Configuration Guide for guidelines on configuring IP.
SUMMARY STEPS
1. enable
2. configure terminal
3. ipx routing [node]
4. interface fastethernet slot/port.subinterface-number
5. encapsulation dot1q vlanid
6. ipx network network
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ipx routing [node] Enables IPX routing globally.
Example:
Router(config)# ipx routing
Step 4 interface fastethernet slot/port.subinterface-number Specifies the subinterface on which IEEE 802.1Q will be used.
Example:
Router(config)# interface fastethernet 4/1.102
Step 5 encapsulation dot1q vlanid Defines the encapsulation format as IEEE 802.1Q (dot1q) and specifies the VLAN identifier.
Example:
Router(config-if)# encapsulation dot1q 102
Step 6 ipx network network Specifies the IPX network number.
Example:
Router(config-if)# ipx network 100
SUMMARY STEPS
1. enable
2. configure terminal
3. interface fastethernet slot/port.subinterface-number
4. encapsulation dot1q vlanid
5. bridge-group bridge-group
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface fastethernet slot/port.subinterface-number Selects a particular interface to configure.
Example:
Router(config)# interface fastethernet 4/1.100
Step 4 encapsulation dot1q vlanid Defines the encapsulation format as IEEE 802.1Q (dot1q) and specifies the VLAN identifier.
• The specified VLAN is by default the native VLAN.
Example:
Router(config-subif)# encapsulation dot1q 1
Step 5 bridge-group bridge-group Assigns the bridge group to the interface.
Example:
Router(config-subif)# bridge-group 1
SUMMARY STEPS
1. enable
2. configure terminal
3. interface fastethernet slot/port
4. encapsulation dot1q vlanid native
5. bridge-group bridge-group
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface fastethernet slot/port.subinterface-number Selects a particular interface to configure.
Example:
Router(config)# interface fastethernet 4/1.100
Step 4 encapsulation dot1q vlanid native Defines the encapsulation format as IEEE 802.1Q (dot1q) and specifies the VLAN identifier. VLAN 20 is specified as the native VLAN.
Note If there is no explicitly defined native VLAN, the default VLAN1 becomes the native VLAN.
Example:
Router(config-subif)# encapsulation dot1q 20 native
Step 5 bridge-group bridge-group Assigns the bridge group to the interface.
Example:
Router(config-subif)# bridge-group 1
Note If there is an explicitly defined native VLAN, VLAN1 will only be used to process CST.
Prerequisites
You must have checked Feature Navigator to verify that your Cisco device and software image support
this feature.
You must be connected to an Ethernet device that supports double VLAN tag imposition/disposition or
switching.
Restrictions
The following restrictions apply to the Cisco 10000 series Internet router:
• Supported on Ethernet, FastEthernet, or Gigabit Ethernet interfaces.
• Supports only Point-to-Point Protocol over Ethernet (PPPoE) packets that are double-tagged for
Q-in-Q VLAN tag termination.
• IP and Multiprotocol Label Switching (MPLS) packets are not supported.
• Modular QoS can be applied to unambiguous subinterfaces only.
• Limited ACL support.
Note The Cisco 10000 series Internet router only supports PPPoE over Q-in-Q (PPPoEQinQ).
The primary benefit for the service provider is that fewer VLANs are needed to support the same
number of customers. Other benefits of this feature include:
• PPPoE scalability. By expanding the available VLAN space from 4096 to approximately 16.8
million (4096 times 4096), the number of PPPoE sessions that can be terminated on a given interface
is multiplied.
• When deploying a Gigabit Ethernet DSL Access Multiplexer (DSLAM) in a wholesale model, you can
assign the inner VLAN ID to represent the end-customer virtual circuit (VC) and the outer
VLAN ID to represent the service provider ID.
The Q-in-Q VLAN tag termination feature is simpler than the IEEE 802.1Q tunneling feature deployed
for the Catalyst 6500 series switches or the Catalyst 3550 and Catalyst 3750 switches. Whereas switches
require IEEE 802.1Q tunnels on interfaces to carry double-tagged traffic, routers need only encapsulate
Q-in-Q VLAN tags within another level of 802.1Q tags in order for the packets to arrive at the correct
destination as shown in Figure 9.
[Figure 9: Double-tagged (Q-in-Q) frame (Destination address, Source address, outer and inner VLAN tags, Length/EtherType, Frame Check Sequence) and the DSLAM-to-BRAS topology: DSLAM VLANs (10, 20, 30) tagged with outer VLANs (1, 2, 3) across L2/L3 switches over FE/GE and GigE links to the BRAS]
VLAN aggregation on a DSLAM will result in a lot of aggregate VLANs that at some point need to be
terminated on the broadband remote access servers (BRAS). Although the model could connect the
DSLAMs directly to the BRAS, a more common model uses the existing Ethernet-switched network
where each DSLAM VLAN ID is tagged with a second tag (Q-in-Q) as it connects into the
Ethernet-switched network.
The only model that is supported is PPPoE over Q-in-Q (PPPoEoQinQ). This can be either a PPP
terminated session or an L2TP LAC session. IP over Q-in-Q is not supported.
The Cisco 10000 series Internet router already supports plain PPPoE and PPP over 802.1Q
encapsulation. Supporting PPP over Q-in-Q encapsulation is new. PPP over Q-in-Q encapsulation
processing is an extension to 802.1q encapsulation processing. A Q-in-Q frame looks like a VLAN
802.1Q frame, only it has two 802.1Q tags instead of one. See Figure 9.
PPP over Q-in-Q encapsulation supports configurable outer tag Ethertype. The configurable Ethertype
field values are 0x8100 (default), 0x9100, and 0x9200. See Figure 11.
[Figure 11, not reproduced in text: frame layout DA, SA, outer tag with Ethertype 0x8100, 0x9100, or
0x9200, inner tag with Ethertype 0x8100, Len/Etype, Data, FCS.]
A subinterface that is configured with multiple Inner VLAN IDs is called an ambiguous Q-in-Q
subinterface. By allowing multiple Inner VLAN IDs to be grouped together, ambiguous Q-in-Q
subinterfaces allow for a smaller configuration, improved memory usage and better scalability.
In the following example, Q-in-Q traffic with an outer VLAN ID of 101 and an inner VLAN ID anywhere
in the 2001-2100 or 3001-3100 range is mapped to the Gigabit Ethernet 1/0.101 subinterface:
Router(config)# interface gigabitethernet1/0.101
Router(config-subif)# encapsulation dot1q 101 second-dot1q 2001-2100,3001-3100
Ambiguous subinterfaces can also use the any keyword to specify the inner VLAN ID.
See the “Monitoring and Maintaining VLAN Subinterfaces” section on page 55 for an example of how
VLAN IDs are assigned to subinterfaces, and for a detailed example of how the any keyword is used on
ambiguous subinterfaces.
Only PPPoE is supported on ambiguous subinterfaces. Standard IP routing is not supported on
ambiguous subinterfaces.
Note On the Cisco 10000 series Internet router, Modular QoS services are only supported on unambiguous
subinterfaces.
Perform these tasks to configure the main interface used for the Q-in-Q double tagging and to configure
the subinterfaces.
• Configuring EtherType Field for Outer VLAN Tag Termination, page 50 (Optional)
• Configuring the Q-in-Q Subinterface, page 50 (Required)
• Verifying the IEEE 802.1Q-in-Q VLAN Tag Termination, page 52 (Optional)
Prerequisites
For the Cisco 10000 series Internet router:
• PPPoE is already configured.
• Virtual private dial-up network (VPDN) is enabled.
The first task is optional. A step in this task shows you how to configure the EtherType field to be 0x9100
for the outer VLAN tag, if that is required.
After the subinterface is defined, the 802.1Q encapsulation is configured to use the double tagging.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. dot1q tunneling ethertype ethertype
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number Configures an interface and enters interface configuration
mode.
Example:
Router(config)# interface gigabitethernet 1/0/0
Step 4 dot1q tunneling ethertype ethertype (Optional) Defines the Ethertype field type used by peer
devices when implementing Q-in-Q VLAN tagging.
• Use this command if the Ethertype of peer devices is 0x9100 or 0x9200 (0x9200 is only supported on
the Cisco 10000 series Internet router).
• Cisco 10000 series Internet router supports both the 0x9100 and 0x9200 Ethertype field types.
Example:
Router(config-if)# dot1q tunneling ethertype 0x9100
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number.subinterface-number
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number.subinterface-number Configures a subinterface and enters subinterface
configuration mode.
Example:
Router(config-if)# interface gigabitethernet 1/0/0.1
Step 4 encapsulation dot1q vlan-id second-dot1q {any | vlan-id | vlan-id-vlan-id[,vlan-id-vlan-id]}
(Required) Enables the 802.1Q encapsulation of traffic on a specified subinterface in a VLAN.
• Use the second-dot1q keyword and the vlan-id argument to specify the VLAN tags to be terminated on
the subinterface.
• In this example, an unambiguous Q-in-Q subinterface is configured because only one inner VLAN ID is
specified.
• Q-in-Q frames with an outer VLAN ID of 100 and an inner VLAN ID of 200 will be terminated.
Example:
Router(config-subif)# encapsulation dot1q 100 second-dot1q 200
Step 5 pppoe enable [group group-name] Enables PPPoE sessions on a subinterface.
• The example specifies that the PPPoE profile, vpn1, will be used by PPPoE sessions on the
subinterface.
Example:
Router(config-subif)# pppoe enable group vpn1
Step 6 exit Exits subinterface configuration mode and returns to interface configuration mode.
• Repeat this step one more time to exit interface configuration mode.
Example:
Router(config-subif)# exit
SUMMARY STEPS
1. enable
2. show running-config
3. show vlans dot1q [internal | interface-type interface-number.subinterface-number [detail] |
outer-id [interface-type interface-number | second-dot1q [inner-id | any]] [detail]]
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted.
Router> enable
.
.
.
interface FastEthernet0/0.201
encapsulation dot1Q 201
ip address 10.7.7.5 255.255.255.252
!
interface FastEthernet0/0.401
encapsulation dot1Q 401
ip address 10.7.7.13 255.255.255.252
!
interface FastEthernet0/0.201999
encapsulation dot1Q 201 second-dot1q any
pppoe enable
!
interface FastEthernet0/0.2012001
encapsulation dot1Q 201 second-dot1q 2001
ip address 10.8.8.9 255.255.255.252
!
interface FastEthernet0/0.2012002
encapsulation dot1Q 201 second-dot1q 2002
ip address 10.8.8.13 255.255.255.252
!
interface FastEthernet0/0.4019999
encapsulation dot1Q 401 second-dot1q 100-900,1001-2000
pppoe enable
!
interface GigabitEthernet5/0.101
encapsulation dot1Q 101
ip address 10.7.7.1 255.255.255.252
!
interface GigabitEthernet5/0.301
encapsulation dot1Q 301
ip address 10.7.7.9 255.255.255.252
!
interface GigabitEthernet5/0.301999
encapsulation dot1Q 301 second-dot1q any
pppoe enable
!
interface GigabitEthernet5/0.1011001
encapsulation dot1Q 101 second-dot1q 1001
ip address 10.8.8.1 255.255.255.252
!
interface GigabitEthernet5/0.1011002
encapsulation dot1Q 101 second-dot1q 1002
ip address 10.8.8.5 255.255.255.252
!
interface GigabitEthernet5/0.1019999
encapsulation dot1Q 101 second-dot1q 1-1000,1003-2000
pppoe enable
.
.
The following shows the currently running configuration on a Cisco 10000 series Internet router:
Router# show running-config
.
.
.
interface FastEthernet1/0/0.201
encapsulation dot1Q 201
ip address 10.7.7.5 255.255.255.252
!
interface FastEthernet1/0/0.401
encapsulation dot1Q 401
ip address 10.7.7.13 255.255.255.252
!
interface FastEthernet1/0/0.201999
encapsulation dot1Q 201 second-dot1q any
pppoe enable
!
interface FastEthernet1/0/0.4019999
encapsulation dot1Q 401 second-dot1q 100-900,1001-2000
pppoe enable
!
interface GigabitEthernet5/0/0.101
encapsulation dot1Q 101
ip address 10.7.7.1 255.255.255.252
!
interface GigabitEthernet5/0/0.301
encapsulation dot1Q 301
ip address 10.7.7.9 255.255.255.252
!
interface GigabitEthernet5/0/0.301999
encapsulation dot1Q 301 second-dot1q any
pppoe enable
!
interface GigabitEthernet5/0/0.1019999
encapsulation dot1Q 101 second-dot1q 1-1000,1003-2000
pppoe enable
.
.
.
Note The show vlans dot1q command is not supported on the Cisco 10000 series Internet router.
SUMMARY STEPS
1. enable
2. configure terminal
3. show vlans
DETAILED STEPS
Example:
Router# configure terminal
Step 3 show vlans Displays VLAN subinterfaces.
Example:
Router# show vlans
Example
The following is sample output from the show vlans command indicating a native VLAN and a bridged
group:
Router# show vlans
FastEthernet1/0/2
The following is sample output from the show vlans command that shows the traffic count on
Fast Ethernet subinterfaces:
Router# show vlans
[Figure 12, not reproduced in text: Fast Ethernet 2/0 100BASE-T ISL trunk to switched VLAN 3
(AppleTalk 3.1) and VLAN 4 (AppleTalk 4.1).]
As shown in Figure 12, AppleTalk traffic is routed to and from switched VLAN domains 3, 4, 100, and
200 to any other AppleTalk routing interface. This example shows a sample configuration file for the
Cisco 7500 series router with the commands entered to configure the network shown in Figure 12.
[Figure 13, not reproduced in text: Host 1 and Host 2 behind a Catalyst VLAN switch connected to
two HSRP routers and the enterprise network.]
The topology shown in Figure 13 shows a Catalyst VLAN switch supporting Fast Ethernet connections
to two routers running HSRP. Both routers are configured to route HSRP over ISLs.
The standby conditions are determined by the standby commands used in the configuration. Traffic from
Host 1 is forwarded through Router A. Because the priority for the group is higher, Router A is the active
router for Host 1. Because the priority for the group serviced by Host 2 is higher in Router B, traffic from
Host 2 is forwarded through Router B, making Router B its active router.
In the configuration shown in Figure 13, if the active router becomes unavailable, the standby router
assumes active status for the additional traffic and automatically routes the traffic normally handled by
the router that has become unavailable.
Host 1 Configuration
interface Ethernet 1/2
ip address 10.1.1.25 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.101
Host 2 Configuration
interface Ethernet 1/2
ip address 10.1.1.27 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.102
!
Router A Configuration
interface FastEthernet 1/1.110
encapsulation isl 110
ip address 10.1.1.2 255.255.255.0
standby 1 ip 10.1.1.101
standby 1 preempt
standby 1 priority 105
standby 2 ip 10.1.1.102
standby 2 preempt
!
end
Router B Configuration
interface FastEthernet 1/1.110
encapsulation isl 110
ip address 10.1.1.3 255.255.255.0
standby 1 ip 10.1.1.101
standby 1 preempt
standby 2 ip 10.1.1.102
standby 2 preempt
standby 2 priority 105
router igrp 1
!
network 10.1.0.0
network 10.2.0.0
!
[Figure, not reproduced in text: a Cisco 7500 router with Fast Ethernet 4/0.1 (TrBRF 999 / Bridge 14,
TrCRF 200, ring 100, address 5.5.5.1) and Fast Ethernet 4/0.2 (TrBRF 998 / Bridge 13, TrCRF 300,
ring 101, address 4.4.4.1) connected to a Catalyst 5000 switch whose Token Ring switch module in
slot 5 serves port 1 (ring 102, TrCRF VLAN 40) and port 2 (ring 103, TrCRF VLAN 50), each with an
end station.]
The following is the configuration for the router:
interface FastEthernet4/0.1
ip address 10.5.5.1 255.255.255.0
encapsulation tr-isl trbrf-vlan 999 bridge-num 14
multiring trcrf-vlan 200 ring 100
multiring all
!
interface FastEthernet4/0.2
ip address 10.4.4.1 255.255.255.0
encapsulation tr-isl trbrf-vlan 998 bridge-num 13
multiring trcrf-vlan 300 ring 101
multiring all
The following is the configuration for the Catalyst 5000 switch with the Token Ring switch module in
slot 5. In this configuration, Token Ring port 102 is assigned to TrCRF VLAN 40 and Token Ring
port 103 is assigned to TrCRF VLAN 50:
#vtp
set vtp domain trisl
set vtp mode server
set vtp v2 enable
#drip
set tokenring reduction enable
set tokenring distrib-crf disable
#vlans
set vlan 999 name trbrf type trbrf bridge 0xe stp ieee
set vlan 200 name trcrf200 type trcrf parent 999 ring 0x64 mode srb
set vlan 40 name trcrf40 type trcrf parent 999 ring 0x66 mode srb
set vlan 998 name trbrf type trbrf bridge 0xd stp ieee
set vlan 300 name trcrf300 type trcrf parent 998 ring 0x65 mode srb
set vlan 50 name trcrf50 type trcrf parent 998 ring 0x67 mode srb
#add token port to trcrf 40
set vlan 40 5/1
#add token port to trcrf 50
set vlan 50 5/2
set trunk 1/2 on
[Figure, not reproduced in text: Router A with Fast Ethernet 4/0.1 (TrBRF 999 / Bridge 14, TrCRF 200,
ring 100, address 5.5.5.1) to the Token Ring switch module in slot 5 of a Catalyst 5000 switch (port 1,
TrCRF 100, end station) and Fast Ethernet 4/0.2 (address 4.4.4.1, ISL VLAN 12) to the Ethernet module
in slot 2 (end station).]
The following is the configuration for the router:
interface FastEthernet4/0.1
ip address 10.5.5.1 255.255.255.0
encapsulation tr-isl trbrf-vlan 999 bridge-num 14
multiring trcrf-vlan 20 ring 100
multiring all
!
interface FastEthernet4/0.2
ip address 10.4.4.1 255.255.255.0
encapsulation isl 12
[Figure, not reproduced in text: a wide-area link carrying VLAN traffic between a Catalyst 5000 switch
(VLAN 20: Workstation A on an IPX LAN with sap encapsulation; VLAN 30: Workstation B on an IPX
LAN with arpa encapsulation) and a Catalyst 2900 switch (VLAN 70: Workstation C running NetWare 4.0
on an IPX LAN with novell-ether encapsulation).]
VLAN 20 Configuration
ipx routing
interface FastEthernet 2/0
no shutdown
interface FastEthernet 2/0.20
encapsulation isl 20
ipx network 20 encapsulation sap
VLAN 30 Configuration
ipx routing
interface FastEthernet 2/0
no shutdown
interface FastEthernet 2/0.30
encapsulation isl 30
ipx network 30 encapsulation arpa
VLAN 70 Configuration
ipx routing
interface FastEthernet 3/0
no shutdown
interface FastEthernet 3/0.70
encapsulation isl 70
ipx network 70 encapsulation novell-ether
Routing with RIF Between a TRISL VLAN and a Token Ring Interface: Example
Figure 17 shows routing with RIF between a TRISL VLAN and a Token Ring interface.
Figure 17 Routing with RIF Between a TRISL VLAN and a Token Ring Interface
[Figure 17 contents, not reproduced in text: Fast Ethernet 4/0.1 (TrBRF 999 / Bridge 14, TrCRF 200,
ring 100, addresses 4.4.4.1 and 5.5.5.1) to a Catalyst 5500 Token Ring switch module in slot 5, port 1
in TrCRF VLAN 40, with Token Ring 1 and Token Ring 2 each serving end stations.]
The following is the configuration for the Catalyst 5000 switch with the Token Ring switch module in
slot 5. In this configuration, the Token Ring port 1 is assigned to the TrCRF VLAN 40:
#vtp
set vtp domain trisl
set vtp mode server
set vtp v2 enable
#drip
[Figure 18, not reproduced in text: a Cisco 7500 series router (RSP and CyBus, VIP2 or later cards with
Fast Ethernet port adapters, and a WAN link) routing traffic between ISL VLANs 1 through 7, which are
forwarded by Catalyst VLAN switches.]
In Figure 18, the VIP cards forward the traffic between ISL VLANs or any other routing interface.
Traffic from any VLAN can be routed to any of the other VLANs, regardless of which VIP card receives
the traffic.
These commands show the configuration for each of the VLANs shown in Figure 18:
interface FastEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
ip route-cache distributed
full-duplex
interface FastEthernet1/0/0.1
ip address 10.1.1.1 255.255.255.0
encapsulation isl 1
interface FastEthernet1/0/0.2
ip address 10.1.2.1 255.255.255.0
encapsulation isl 2
interface FastEthernet1/0/0.3
ip address 10.1.3.1 255.255.255.0
encapsulation isl 3
interface FastEthernet1/1/0
ip route-cache distributed
full-duplex
interface FastEthernet1/1/0.1
ip address 172.16.1.1 255.255.255.0
encapsulation isl 4
interface FastEthernet2/0/0.5
ip address 10.2.1.1 255.255.255.0
encapsulation isl 5
interface FastEthernet2/1/0
ip address 10.3.1.1 255.255.255.0
ip route-cache distributed
full-duplex
interface FastEthernet2/1/0.6
ip address 10.4.6.1 255.255.255.0
encapsulation isl 6
interface FastEthernet2/1/0.7
ip address 10.4.7.1 255.255.255.0
encapsulation isl 7
[Figure 19, not reproduced in text: Fast Ethernet 2/0 100BASE-T ISL trunk to switched VLAN 3
(AppleTalk 3.1) and VLAN 4 (AppleTalk 4.1).]
As shown in Figure 19, AppleTalk traffic is routed to and from switched VLAN domains 3, 4, 100, and
200 to any other AppleTalk routing interface. This example shows a sample configuration file for the
Cisco 7500 series router with the commands entered to configure the network shown in Figure 19.
ipx routing
appletalk routing
!
interface FastEthernet 1/1.110
ipx routing
appletalk routing
!
interface Ethernet 1
ip address 10.2.1.3 255.255.255.0
appletalk cable-range 2-2 2.3
appletalk zone 2
ipx network 120 encapsulation snap
!
router igrp 1
network 10.2.0.0
!
end
half-duplex
!
interface FastEthernet10/0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 1
!
interface Ethernet11/3
no ip address
no ip route-cache
bridge-group 2
!
interface Ethernet11/4
no ip address
no ip route-cache
bridge-group 3
!
bridge 1 protocol ieee
bridge 2 protocol ieee
bridge 3 protocol ieee
Note The any keyword can be configured on only one subinterface of a specified physical interface and outer
VLAN ID.
interface GigabitEthernet1/0/0.1
encapsulation dot1q 100 second-dot1q 100
interface GigabitEthernet1/0/0.2
encapsulation dot1q 100 second-dot1q 200
interface GigabitEthernet1/0/0.3
encapsulation dot1q 100 second-dot1q 300-400,500-600
interface GigabitEthernet1/0/0.4
encapsulation dot1q 100 second-dot1q any
interface GigabitEthernet1/0/0.5
encapsulation dot1q 200 second-dot1q 50
interface GigabitEthernet1/0/0.6
encapsulation dot1q 200 second-dot1q 1000-2000,3000-4000
interface GigabitEthernet1/0/0.7
encapsulation dot1q 200 second-dot1q any
Table 5 shows which subinterfaces are mapped to different values of the outer and inner VLAN ID on
Q-in-Q frames that come in on Gigabit Ethernet interface 1/0/0.
Table 5 Subinterfaces Mapped to Outer and Inner VLAN IDs for GE Interface 1/0/0
Table 5 Subinterfaces Mapped to Outer and Inner VLAN IDs for GE Interface 1/0/0 (continued)
Table 6 shows the changes made to the table for the outer VLAN ID of 200. Notice that subinterface
1/0/0.7 configured with the any keyword now has new inner VLAN ID mappings.
Table 6 Subinterfaces Mapped to Outer and Inner VLAN IDs for GE Interface 1/0/0—Changes
Resulting from Configuring GE Subinterface 1/0/0.8
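To make the frame layout of Figure 11 and the inner-VLAN mapping behind Tables 5 and 6 concrete, here is an added example in Python (not Cisco code and not part of this document): a parser for a double-tagged frame with a configurable outer Ethertype, a reader for the Gigabit Ethernet 1/0/0 subinterface definitions above, the lookup that maps an (outer, inner) VLAN pair to a subinterface, and a check for the one-any-per-outer-VLAN rule from the Note. It assumes that the most specific match wins (exact inner ID, then a range, then any); the frame bytes and config text are constructed for the example.

```python
"""Added example (not Cisco's code): parse a Q-in-Q frame and resolve the
802.1Q-in-Q subinterface that terminates it. Assumption: the most specific
match wins (exact inner ID, then a range, then 'any')."""
import re
import struct

# Outer-tag Ethertypes the document lists for 'dot1q tunneling ethertype'.
VALID_OUTER_TPIDS = {0x8100, 0x9100, 0x9200}
INNER_TPID = 0x8100  # the inner tag is always a plain 802.1Q tag


def parse_qinq_frame(frame, outer_tpid=0x8100):
    """Return (outer_vlan, inner_vlan, len_or_ethertype) from a double-tagged frame."""
    if outer_tpid not in VALID_OUTER_TPIDS:
        raise ValueError(f"unsupported outer Ethertype 0x{outer_tpid:04x}")
    if len(frame) < 22:  # DA(6) + SA(6) + outer tag(4) + inner tag(4) + Len/Etype(2)
        raise ValueError("frame too short to carry two 802.1Q tags")
    tpid1, tci1, tpid2, tci2, etype = struct.unpack("!HHHHH", frame[12:22])
    if tpid1 != outer_tpid:  # peer uses a different outer Ethertype than configured
        raise ValueError(f"outer Ethertype 0x{tpid1:04x} != 0x{outer_tpid:04x}")
    if tpid2 != INNER_TPID:  # single-tagged or malformed frame
        raise ValueError(f"inner tag Ethertype 0x{tpid2:04x} is not 0x8100")
    # The VLAN ID is the low 12 bits of each TCI; the top 4 bits are PCP/DEI.
    return tci1 & 0x0FFF, tci2 & 0x0FFF, etype


_ENCAP = re.compile(r"encapsulation dot1q (\d+) second-dot1q (any|[\d,\-]+)$", re.I)


def parse_subinterfaces(config):
    """Collect (name, outer, inner_ranges) tuples; inner_ranges None means 'any'."""
    subifs, name = [], None
    for line in (l.strip() for l in config.splitlines()):
        if line.lower().startswith("interface "):
            name = line.split(None, 1)[1]
        elif (m := _ENCAP.match(line)) and name:
            outer, spec = int(m.group(1)), m.group(2).lower()
            ranges = None if spec == "any" else [        # "200" or "300-400,500-600"
                (int(lo), int(hi or lo))
                for lo, _, hi in (p.partition("-") for p in spec.split(","))]
            subifs.append((name, outer, ranges))
    return subifs


def resolve_subinterface(subifs, outer, inner):
    """Pick the terminating subinterface: exact inner ID beats a range beats 'any'."""
    best = None
    for name, sub_outer, ranges in subifs:
        if sub_outer != outer:
            continue
        if ranges is None:
            rank = 2                                   # 'any' is the catch-all
        else:
            hits = [hi - lo for lo, hi in ranges if lo <= inner <= hi]
            if not hits:
                continue
            rank = 0 if hits[0] == 0 else 1            # exact ID vs. range
        if best is None or rank < best[0]:
            best = (rank, name)
    return best[1] if best else None


def duplicate_any(subifs):
    """Config check: 'any' may appear on only one subinterface per physical interface
    and outer VLAN ID (the Note above). Returns the offending (interface, outer) pairs."""
    counts = {}
    for name, outer, ranges in subifs:
        if ranges is None:
            key = (name.split(".")[0], outer)
            counts[key] = counts.get(key, 0) + 1
    return [key for key, n in counts.items() if n > 1]


# Constructed config text, copied from the Gigabit Ethernet 1/0/0 example above.
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/0.1
 encapsulation dot1q 100 second-dot1q 100
interface GigabitEthernet1/0/0.2
 encapsulation dot1q 100 second-dot1q 200
interface GigabitEthernet1/0/0.3
 encapsulation dot1q 100 second-dot1q 300-400,500-600
interface GigabitEthernet1/0/0.4
 encapsulation dot1q 100 second-dot1q any
interface GigabitEthernet1/0/0.5
 encapsulation dot1q 200 second-dot1q 50
interface GigabitEthernet1/0/0.6
 encapsulation dot1q 200 second-dot1q 1000-2000,3000-4000
interface GigabitEthernet1/0/0.7
 encapsulation dot1q 200 second-dot1q any
"""


def build_frame(outer, inner, outer_tpid=0x8100, etype=0x8864):
    """Constructed test frame: DA, SA, two tags and a PPPoE session Ethertype, no payload."""
    return bytes.fromhex("0011223344550066778899aa") + struct.pack(
        "!HHHHH", outer_tpid, outer, INNER_TPID, inner, etype)


def terminate(frame, config=SAMPLE_CONFIG, outer_tpid=0x8100):
    """End to end: which subinterface of the sample config terminates this frame?"""
    outer, inner, _ = parse_qinq_frame(frame, outer_tpid)
    return resolve_subinterface(parse_subinterfaces(config), outer, inner)


if __name__ == "__main__":
    for o, i in ((100, 100), (100, 350), (100, 999), (200, 2500), (300, 5)):
        print(f"outer {o} inner {i} -> {terminate(build_frame(o, i))}")
```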
Additional References
The following sections provide references related to configuring a VLAN range.
Related Documents
Related Topic | Document Title
Configuring wide-area networking | Cisco IOS Wide-Area Networking Configuration Guide, Release 12.2
Commands used in configuring wide-area networking | Cisco IOS Wide-Area Networking Command Reference, Release 12.2
Configuring interface ranges | Interface Range Specification, new feature document for Cisco IOS Release 12.1(5)T
Commands used in Configuring Routing Between VLANs with IEEE 802.10 Encapsulation | Cisco IOS Release 12.4, Cisco IOS Switching Services Command Reference
Configuring AppleTalk | Cisco IOS AppleTalk and Novell IPX Configuration Guide
Commands used in Configuring Routing Between VLANs with IEEE 802.1Q Encapsulation | Cisco IOS Release 12.4, Cisco IOS Switching Services Command Reference
IP routing configuration | Cisco IOS IP Routing Configuration Guide
Interface commands: complete command syntax, command mode, defaults, usage guidelines, and examples | Cisco IOS Interface and Hardware Component Command Reference, Release 12.3T
Interface configuration examples | Cisco IOS Interface and Hardware Component Configuration Guide
Standards
Standard | Title
IEEE 802.10 standard | 802.10 Virtual LANs
IEEE 802.1Q standard | 802.1Q Virtual LANs
MIBs
MIB | MIBs Link
None | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC | Title
None | —
Technical Assistance
Description | Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. | http://www.cisco.com/techsupport
Note Table 7 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
The Managed LAN Switch feature enables the control of the four switch ports in Cisco 831, 836, and
837 routers. Each switch port is associated with a Fast Ethernet interface. The output of the command
show controllers fastEthernet <1-4> displays the status of the selected switch port.
The Managed LAN Switch feature allows setting and display of the following parameters for each of the
switch ports:
• Speed
• Duplex
It also allows display of the link state of a switch port—that is, whether a device is connected to that port
or not.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Contents
• Information About Managed LAN Switch, page 78
• How to Enable Managed LAN Switch, page 78
• Configuration Examples for Managed LAN Switch, page 80
• Additional References, page 80
• Command Reference, page 81
LAN Switching
A LAN is a high-speed, fault-tolerant data network that supplies connectivity to a group of computers,
printers, and other devices that are in close proximity to each other, as in an office building, a school or
a home. LANs offer computer users many advantages, including shared access to devices and
applications, file exchange between connected users, and communication between users via electronic
mail and other applications.
For more information about LAN switching, refer to the following URL:
http://www.cisco.com/en/US/tech/tk389/tech_topology_and_network_serv_and_protocol_suite_home.html
SUMMARY STEPS
1. enable
2. interface fastEthernet
3. duplex auto
4. speed auto
5. end
DETAILED STEPS
Additional References
The following sections provide references related to the Managed LAN Switch feature.
Related Documents
Related Topic | Document Title
Cisco IOS Release 12.3 Configuration Guides and Command References | Cisco IOS Release 12.3 Configuration Guides and Command References
Standards
Standards | Title
None | —
MIBs
MIBs | MIBs Link
None | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFCs | Title
None | —
Technical Assistance
Description | Link
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. | http://www.cisco.com/public/support/tac/home.shtml
Command Reference
The following modified commands are pertinent to this feature. To see the command pages for these
commands and other commands used with this feature, go to the Cisco IOS Master Commands List,
Release 12.4, at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124mindx/124index.htm.
• show controllers fastEthernet
This document provides configuration tasks for the 4-port Cisco HWIC-4ESW and the 9-port
Cisco HWIC-D-9ESW EtherSwitch high-speed WAN interface cards (HWICs) hardware feature
supported on Cisco 1800 (modular), Cisco 2800, and Cisco 3800 series integrated services routers.
Cisco EtherSwitch HWICs are 10/100BASE-T Layer 2 Ethernet switches with Layer 3 routing
capability. (Layer 3 routing is forwarded to the host and is not actually performed at the switch.) Traffic
between different VLANs on a switch is routed through the router platform. Any one port on a
Cisco EtherSwitch HWIC may be configured as a stacking port to link to another Cisco EtherSwitch
HWIC or EtherSwitch network module in the same system. An optional power module can also be added
to provide inline power for IP telephones. The HWIC-D-9ESW HWIC requires a double-wide card slot.
This hardware feature does not introduce any new or modified Cisco IOS commands.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Contents
The following sections provide information about the Cisco EtherSwitch HWICs.
• Prerequisites for EtherSwitch HWICs, page 84
• Restrictions for EtherSwitch HWICs, page 84
• Information About EtherSwitch HWICs, page 85
• How to Configure EtherSwitch HWICs, page 87
• Intrachassis stacking for the optional Gigabit Ethernet expansion board ports must be configured.
For information about intrachassis stacking configuration, see the 16- and 36-Port Ethernet Switch
Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 series feature document.
Note Without this configuration and connection, duplications will occur in the VLAN databases, and
unexpected packet handling may occur.
VLANs
For information on the concept of VLANs, refer to the material at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt1636nm.htm#1047027
802.1x Authentication
For information on the concept of 802.1x authentication, refer to the material at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt1636nm.htm#1051006
IGMP Snooping
For information on the concept of IGMP snooping, refer to the material at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt1636nm.htm#1053727
Storm Control
For information on the concept of storm control, refer to the material at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt1636nm.htm#1051018
Intrachassis Stacking
For information on the concept of intrachassis stacking, refer to the material at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt1636nm.htm#1051061
Fallback Bridging
For information on the concept of fallback bridging, refer to the material at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt1636nm.htm#1054833
Configuring VLANs
This section describes how to configure VLANs on the switch and contains the following sections:
• Adding a VLAN Instance, page 87
• Deleting a VLAN Instance from the Database, page 90
SUMMARY STEPS
1. enable
2. vlan database
3. vlan vlan_id
4. exit
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 vlan database Enters VLAN configuration mode.
Example:
Router# vlan database
Step 3 vlan vlan_id Adds an Ethernet VLAN.
Example:
Router(vlan)# vlan 1
Step 4 exit Updates the VLAN database, propagates it throughout the
administrative domain, and returns to privileged EXEC mode.
Example:
Router(vlan)# exit
Router(vlan)# exit
APPLY completed.
Exiting....
Router#
Router#
Enter the show vlan-switch command in EXEC mode using the Cisco IOS CLI to verify the VLAN
configuration, as shown below.
Router# show vlan-switch
Router#
SUMMARY STEPS
1. enable
2. vlan database
3. no vlan vlan_id
4. exit
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 vlan database Enters VLAN configuration mode.
Example:
Router# vlan database
Step 3 no vlan vlan_id Deletes an Ethernet VLAN.
Example:
Router(vlan)# no vlan 1
Step 4 exit Updates the VLAN database, propagates it throughout the
administrative domain, and returns to privileged EXEC mode.
Example:
Router(vlan)# exit
You can verify that a VLAN has been deleted from the switch in VLAN database mode.
Use the show command in VLAN database mode to verify that a VLAN has been deleted from the
switch, as shown in the following output example:
Router(vlan)# show
Router(vlan)#
Enter the show vlan-switch brief command in EXEC mode, using the Cisco IOS CLI to verify that a
VLAN has been deleted from the switch, as shown in the following output example:
Router# show vlan-switch brief
SUMMARY STEPS
1. enable
2. vlan database
3. vtp server
4. vtp domain domain_name
5. vtp password password_value
6. exit
DETAILED STEPS
Example:
Router# vlan database
Step 3 vtp server Configures the switch as a VTP server.
Example:
Router(vlan)# vtp server
Step 4 vtp domain domain_name Defines the VTP domain name, which can be up to 32 characters
long.
Example:
Router(vlan)# vtp domain distantusers
Step 5 vtp password password_value (Optional) Sets a password, which can be from 8 to 64 characters
long, for the VTP domain.
Example:
Router(vlan)# vtp password philadelphis
Step 6 exit Updates the VLAN database, propagates it throughout the
administrative domain, exits VLAN configuration mode, and
returns to privileged EXEC mode.
Example:
Router(vlan)# exit
SUMMARY STEPS
1. enable
2. vlan database
3. vtp client
4. exit
DETAILED STEPS
Example:
Router# vlan database
Step 3 vtp client Configures the switch as a VTP client.
Example:
Router(vlan)# vtp client
Step 4 exit Updates the VLAN database, propagates it throughout the
administrative domain, exits VLAN configuration mode and
returns to privileged EXEC mode.
Example:
Router(vlan)# exit
SUMMARY STEPS
1. enable
2. vlan database
3. vtp transparent
4. exit
DETAILED STEPS
Example:
Router# vlan database
Step 3 vtp transparent Configures VTP transparent mode.
Example:
Router(vlan)# vtp transparent
Step 4 exit Updates the VLAN database, propagates it throughout the
administrative domain, exits VLAN configuration mode, and
returns to privileged EXEC mode.
Example:
Router(vlan)# exit
Verifying VTP
Use the show vtp status command to verify VTP status:
Router# show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 256
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xBF 0x86 0x94 0x45 0xFC 0xDF 0xB5 0x70
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 1.3.214.25 on interface Fa0/0 (first interface found)
Router#
SUMMARY STEPS
1. enable
2. configure terminal
3. interface range {macro macro_name | FastEthernet interface-id [ - interface-id] | vlan vlan_ID}
[, FastEthernet interface-id [ - interface-id] | vlan vlan-ID]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface range {macro macro_name | FastEthernet interface-id [ - interface-id] | vlan vlan-ID}
[, FastEthernet interface-id [ - interface-id] | vlan vlan-ID] Select the range of interfaces to be configured.
• The space before the dash is required. For example, the command interface range fastethernet
0/<slot>/0 - 0/<slot>/3 is valid; the command interface range fastethernet 0/<slot>/0-0/<slot>/3 is
not valid.
• You can enter one macro or up to five comma-separated ranges.
• Comma-separated ranges can include both VLANs and physical interfaces.
• You are not required to enter spaces before or after the comma.
• The interface range command only supports VLAN interfaces that are configured with the interface vlan
command.
Example:
Router(config)# interface range FastEthernet 0/1/0 - 0/1/3
SUMMARY STEPS
1. enable
2. configure terminal
3. define interface-range macro_name {FastEthernet interface-id [ - interface-id] | {vlan vlan_ID -
vlan_ID} | [, FastEthernet interface-id [ - interface-id]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 define interface-range macro_name {FastEthernet interface-id [ - interface-id] | {vlan vlan_ID
- vlan-ID} | [, FastEthernet interface-id [ - interface-id] Defines a range of macros.
Example:
Router(config)# define interface-range first_three FastEthernet0/1/0 - 2
Use the show running-configuration command to show the defined interface-range macro
configuration, as shown below:
Router# show running-configuration | include define
When configuring an interface speed and duplex mode, note these guidelines:
• If both ends of the line support autonegotiation, Cisco highly recommends the default
autonegotiation settings.
• If one interface supports autonegotiation and the other end does not, configure duplex and speed on
both interfaces; do not use the auto setting on the side that supports it.
• Both ends of the line need to be configured to the same setting; for example, both hard-set or both
autonegotiating. Mismatched settings are not supported.
Caution Changing the interface speed and duplex mode configuration might shut down and reenable the interface
during the reconfiguration.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface fastethernet interface-id
4. speed [10 | 100 | auto]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface fastethernet interface-id Selects the interface to be configured.
Example:
Router(config)# interface fastethernet 0/1/0
Step 4 speed [10 | 100 | auto] Sets the speed of the interface.
Example:
Router(config-if)# speed 100
Note If you set the interface speed to auto on a 10/100-Mbps Ethernet interface, both speed and duplex are
automatically negotiated.
Follow the steps below to set the duplex mode of a Fast Ethernet interface.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface fastethernet interface-id
4. duplex [auto | full | half]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface fastethernet interface-id Selects the interface to be configured.
Example:
Router(config)# interface fastethernet 0/1/0
Step 4 duplex [auto | full | half] Sets the duplex mode of the interface.
Example:
Router(config-if)# duplex auto
Note If you set the port speed to auto on a 10/100-Mbps Ethernet interface, both speed and duplex are
automatically negotiated. You cannot change the duplex mode of auto negotiation interfaces.
The following example shows how to set the interface duplex mode to auto on Fast Ethernet interface 0/1/0:
Router(config)# interface fastethernet 0/1/0
Router(config-if)# speed 100
Router(config-if)# duplex auto
Router(config-if)# end
Use the show interfaces command to verify the interface speed and duplex mode configuration for an
interface, as shown in the following output example.
Router# show interfaces fastethernet 0/1/0
Auto-duplex, Auto-speed
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:11, output never, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
4 packets input, 1073 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
6 packets output, 664 bytes, 0 underruns(0/0/0)
0 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Router#
You can add a description of an interface to help you remember its function. The description appears in
the output of the following commands: show configuration, show running-config, and show
interfaces.
Use the description command to add a description for an interface.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface fastethernet interface-id
4. description string
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface fastethernet interface-id Selects the interface to be configured.
Example:
Router(config)# interface fastethernet 0/1/0
Step 4 description string Adds a description for an interface.
Example:
Router(config-if)# description newinterface
SUMMARY STEPS
1. enable
2. configure terminal
3. interface fastethernet interface-id
4. shutdown
5. switchport mode trunk
6. switchport trunk native vlan vlan-num
7. switchport trunk allowed vlan {add | except | none | remove} vlan1[,vlan[,vlan[,...]]
8. no shutdown
9. end
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface fastethernet interface-id Selects the interface to be configured.
Example:
Router(config)# interface fastethernet 0/1/0
Step 4 shutdown (Optional) Shuts down the interface to prevent traffic flow
until configuration is complete.
Example:
Router(config-if)# shutdown
Step 5 switchport mode trunk Configures the interface as a Layer 2 trunk.
Note Encapsulation is always dot1q.
Example:
Router(config-if)# switchport mode trunk
Step 6 switchport trunk native vlan vlan-num (Optional) For 802.1Q trunks, specifies the native VLAN. Untagged frames on the trunk belong to this VLAN; choose a VLAN that carries no user traffic rather than leaving it at VLAN 1, so that a host on the native VLAN cannot reach other VLANs by double-tagging its frames.
Example:
Router(config-if)# switchport trunk native vlan 1
Step 7 switchport trunk allowed vlan {add | except | none | remove} vlan1[,vlan[,vlan[,...]] (Optional) Configures the list of VLANs allowed on the trunk. All VLANs are allowed by default. You cannot remove any of the default VLANs from a trunk. The VLAN list takes numeric VLAN IDs with no spaces after the commas.
Example:
Router(config-if)# switchport trunk allowed vlan add 10,20,30
Step 8 no shutdown Activates the interface. (Required only if you shut down the
interface.)
Example:
Router(config-if)# no shutdown
Step 9 end Exits configuration mode.
Example:
Router(config-if)# end
Note Ports do not support Dynamic Trunking Protocol (DTP). Ensure that the neighboring switch is set to a mode
that does not send DTP (for example, a statically configured trunk with switchport nonegotiate on a Catalyst switch).
Building configuration...
Current configuration: 71 bytes
!
interface FastEthernet0/3/1
switchport mode trunk
no ip address
end
Router#
Follow the steps below to configure a Fast Ethernet interface as a Layer 2 access port.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface fastethernet interface-id
4. shutdown
5. switchport mode access
6. switchport access vlan vlan-num
7. no shutdown
8. end
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface fastethernet interface-id Selects the interface to be configured.
Example:
Router(config)# interface fastethernet 0/1/0
Step 4 shutdown (Optional) Shuts down the interface to prevent traffic flow
until configuration is complete.
Example:
Router(config-if)# shutdown
Step 5 switchport mode access Configures the interface as a Layer 2 access port.
Example:
Router(config-if)# switchport mode access
Step 6 switchport access vlan vlan-num For access ports, specifies the access VLAN.
Example:
Router(config-if)# switchport access vlan 1
Step 7 no shutdown Activates the interface.
• Required only if you shut down the interface.
Example:
Router(config-if)# no shutdown
Step 8 end Exits configuration mode.
Example:
Router(config-if)# end
Building configuration...
Current configuration: 76 bytes
!
interface FastEthernet0/1/2
Use the show interfaces command to verify the switchport configuration of the interface, as shown
below.
Router# show interfaces f0/1/0 switchport
Name: Fa0/1/0
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Disabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1
Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none
Router#
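The show interfaces switchport output above is the natural input for an automated check of Layer 2 port posture. The following Python script is an added example, not part of this guide and not Cisco code; it parses the field: value format shown above (both sample outputs are constructed, the second being a hardened trunk that the guide does not show) and reports the settings a reviewer cares about: trunk negotiation not disabled, a trunk whose native VLAN is 1 or also carries user traffic, a trunk that allows every VLAN, and an access port left in VLAN 1.

```python
"""Audit `show interfaces <if> switchport` output (added example, not Cisco code)."""
import re

# Constructed sample in the format the guide shows: an access port.
ACCESS_PORT = """\
Name: Fa0/1/0
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Disabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1
Voice VLAN: none
"""

# Constructed sample: a hardened trunk (unused native VLAN, pruned VLAN list).
TRUNK_PORT = """\
Name: Fa0/3/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999
Trunking VLANs Enabled: 10,20-22,999
Trunking VLANs Active: 10,20-22
"""


def parse_switchport(text):
    """Map each 'Field: value' line to a dict, dropping notes such as '(default)'."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = re.sub(r"\s*\([^)]*\)", "", value).strip()
    return fields


def expand_vlans(spec):
    """Expand a VLAN list such as '10,20-22' to a set; 'ALL' returns None."""
    spec = spec.strip()
    if spec.upper() == "ALL":
        return None
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def audit_switchport(text):
    """Return a list of findings for one port; an empty list means no concerns."""
    f = parse_switchport(text)
    name = f.get("Name", "?")
    findings = []
    # The HWIC does not run DTP; the neighbour must not negotiate either.
    if f.get("Negotiation of Trunking", "").lower() != "disabled":
        findings.append(f"{name}: trunk negotiation (DTP) is not disabled")
    mode = f.get("Operational Mode", "").lower()
    if mode == "trunk":
        native = int(f.get("Trunking Native Mode VLAN", "1"))
        allowed = expand_vlans(f.get("Trunking VLANs Enabled", "ALL"))
        active = expand_vlans(f.get("Trunking VLANs Active", "")) or set()
        if native == 1:
            findings.append(f"{name}: native VLAN is the default VLAN 1")
        if native in active:
            findings.append(f"{name}: native VLAN {native} also carries user traffic")
        if allowed is None:
            findings.append(f"{name}: trunk allows ALL VLANs; prune the allowed list")
    elif mode.endswith("access"):
        if f.get("Access Mode VLAN") == "1":
            findings.append(f"{name}: access port left in VLAN 1")
    return findings
```

Feed the script the output of show interfaces interface-id switchport for each port; a trunk only passes when its native VLAN is neither 1 nor one of the active data VLANs and the allowed list has been pruned.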
– Switch Port Analyzer (SPAN) destination port—You can enable 802.1x on a port that is a SPAN
destination port; however, 802.1x is disabled until the port is removed as a SPAN destination.
You can enable 802.1x on a SPAN source port.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa authentication dot1x {default | listname} method1 [method2...]
4. interface interface-id
5. dot1x port-control auto
6. end
7. show dot1x
8. copy running-config startup-config
DETAILED STEPS
Example:
Router# configure terminal
Example:
Router(config-if)# end
Step 7 show dot1x Verifies your entries.
Example:
Router# show dot1x
Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Router# copy running-config startup-config
To disable AAA, use the no aaa new-model global configuration command. To disable 802.1x AAA
authentication, use the no aaa authentication dot1x {default | list-name} method1 [method2...] global
configuration command. To disable 802.1x, use the dot1x port-control force-authorized or the no
dot1x port-control interface configuration command.
configured for the same service—for example, authentication—the second host entry configured acts as
the fail-over backup to the first one. The RADIUS host entries are tried in the order that they were
configured.
Follow these steps to configure the RADIUS server parameters on the switch. This procedure is required.
SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server host {hostname | ip-address} auth-port port-number key string
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Example:
Router# configure terminal
Step 3 radius-server host {hostname | ip-address} auth-port port-number key string Configures the RADIUS server parameters on the switch.
• For hostname | ip-address, specify the host name or IP address of the remote RADIUS server.
• For auth-port port-number, specify the UDP destination port for authentication requests. The default is 1645.
• For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.
Note Always configure the key as the last item in the radius-server host command syntax because leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. This key must match the encryption key used on the RADIUS daemon.
Note The key is stored in the running configuration; service password-encryption only obscures it with a reversible encoding, so protect configuration backups and console access accordingly.
Example:
Router(config)# radius-server host hostseven auth-port 75 key newauthority75
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show running-config Verifies your entries.
Example:
Router# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Router# copy running-config startup-config
To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global
configuration command.
You can globally configure the timeout, retransmission, and encryption key values for all RADIUS
servers by using the radius-server timeout, radius-server retransmit, and radius-server key global
configuration commands. If you want to configure these options on a per-server basis, use the
radius-server host global configuration command with its timeout, retransmit, and key options.
You also need to configure some settings on the RADIUS server. These settings include the IP address
of the switch and the key string to be shared by both the server and the switch. For more information,
refer to the RADIUS server documentation.
SUMMARY STEPS
1. enable
2. configure terminal
3. dot1x re-authentication
4. dot1x timeout re-authperiod seconds
5. end
6. show dot1x
7. copy running-config startup-config
DETAILED STEPS
Example:
Router# configure terminal
Step 3 dot1x re-authentication Enables periodic reauthentication of the client.
• Periodic reauthentication is disabled by default.
Example:
Router(config)# dot1x re-authentication
Step 4 dot1x timeout re-authperiod seconds Sets the number of seconds between reauthentication attempts.
• The range is 1 to 4294967295; the default is 3600 seconds.
• This command affects the behavior of the switch only if periodic reauthentication is enabled.
Example:
Router(config)# dot1x timeout re-authperiod 120
Step 5 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 6 show dot1x Verifies your entries.
Example:
Router# show dot1x
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Router# copy running-config startup-config
SUMMARY STEPS
1. enable
2. configure terminal
3. dot1x timeout quiet-period seconds
4. end
5. show dot1x
6. copy running-config startup-config
DETAILED STEPS
Example:
Router# configure terminal
Step 3 dot1x timeout quiet-period seconds Sets the number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client.
• The range is 0 to 65535 seconds; the default is 60.
Example:
Router(config)# dot1x timeout quiet-period 120
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show dot1x Verifies your entries.
Example:
Router# show dot1x
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Router# copy running-config startup-config
To return to the default quiet time, use the no dot1x timeout quiet-period global configuration
command.
Note You should change the default value of this command only to adjust for unusual circumstances such
as unreliable links or specific behavioral problems with certain clients and authentication servers.
Follow the steps below to change the amount of time that the switch waits for client notification.
SUMMARY STEPS
1. enable
2. configure terminal
3. dot1x timeout tx-period seconds
4. end
5. show dot1x
6. copy running-config startup-config
DETAILED STEPS
Example:
Router# configure terminal
Step 3 dot1x timeout tx-period seconds Sets the number of seconds that the switch waits for a response to an EAP-request/identity frame from the client before retransmitting the request.
• The range is 1 to 65535 seconds; the default is 30.
Example:
Router(config)# dot1x timeout tx-period 60
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show dot1x Verifies your entries.
Example:
Router# show dot1x
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Router# copy running-config startup-config
To return to the default retransmission time, use the no dot1x timeout tx-period global configuration
command.
Note You should change the default value of this command only to adjust for unusual circumstances such
as unreliable links or specific behavioral problems with certain clients and authentication servers.
SUMMARY STEPS
1. enable
2. configure terminal
3. dot1x max-req count
4. end
5. show dot1x
6. copy running-config startup-config
DETAILED STEPS
Example:
Router# configure terminal
Step 3 dot1x max-req count Sets the number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process.
• The range is 1 to 10; the default is 2.
Example:
Router(config)# dot1x max-req 5
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show dot1x Verifies your entries.
Example:
Router# show dot1x
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Router# copy running-config startup-config
To return to the default retransmission number, use the no dot1x max-req global configuration
command.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. dot1x multiple-hosts
5. end
6. show dot1x interface interface-id
7. copy running-config startup-config
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface interface-id Selects the interface to be configured.
Example:
Router(config)# interface fastethernet 0/1/2
Step 4 dot1x multiple-hosts Allows multiple hosts (clients) on an 802.1x-authorized port.
• Make sure that the dot1x port-control interface configuration command is set to auto for the specified interface.
Example:
Router(config-if)# dot1x multiple-hosts
Step 5 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 6 show dot1x interface interface-id Verifies your entries.
Example:
Router# show dot1x interface fastethernet 0/1/2
Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Router# copy running-config startup-config
To disable multiple hosts on the port, use the no dot1x multiple-hosts interface configuration command.
SUMMARY STEPS
1. enable
2. configure terminal
3. dot1x default
4. end
5. show dot1x
6. copy running-config startup-config
DETAILED STEPS
Example:
Router# configure terminal
Step 3 dot1x default Resets the configurable 802.1x parameters to the default
values.
Example:
Router(config)# dot1x default
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show dot1x Verifies your entries.
Example:
Router# show dot1x
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Router# copy running-config startup-config
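The 802.1x and RADIUS procedures above each touch one setting; what a reviewer wants is a single check that they were all applied consistently. The following Python script is an added example, not code from this guide or from Cisco. It splits a constructed running-config (the addresses, the type-7 key string and the interface names are invented) into global and per-interface lines and reports gaps against the procedures: no aaa new-model or dot1x method list, a radius-server host with no shared secret, dot1x timers and max-req outside the documented ranges or changed from their defaults, access ports without dot1x port-control auto, and ports in multiple-hosts mode.

```python
"""Audit a running-config for the 802.1x/RADIUS settings the guide describes.

Added example, not code from the guide or from Cisco. The configuration below
is constructed: addresses, the type-7 key string and interface names are invented.
"""

RUNNING_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 key 7 0822455D0A16
radius-server host 192.0.2.11 auth-port 1812
dot1x re-authentication
dot1x timeout re-authperiod 120
dot1x timeout quiet-period 120
dot1x timeout tx-period 60
dot1x max-req 5
!
interface FastEthernet0/1/0
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
!
interface FastEthernet0/1/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control force-authorized
!
interface FastEthernet0/1/2
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x multiple-hosts
!
interface FastEthernet0/3/1
 switchport mode trunk
!
"""

# Global 802.1x parameters: (lowest, highest, default) as documented in the guide.
DOT1X_LIMITS = {
    "dot1x timeout re-authperiod": (1, 4294967295, 3600),
    "dot1x timeout quiet-period": (0, 65535, 60),
    "dot1x timeout tx-period": (1, 65535, 30),
    "dot1x max-req": (1, 10, 2),
}


def split_config(text):
    """Split a running-config into global lines and {interface: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit_dot1x(text):
    """Return findings (strings) for the config; an empty list means no concerns."""
    glob, interfaces = split_config(text)
    findings = []
    if "aaa new-model" not in glob:
        findings.append("global: 'aaa new-model' missing, so 802.1x cannot use RADIUS")
    if not any(l.startswith("aaa authentication dot1x ") for l in glob):
        findings.append("global: no 'aaa authentication dot1x' method list")
    # A per-host key is required unless a global radius-server key exists.
    global_key = any(l.startswith("radius-server key ") for l in glob)
    for line in glob:
        if line.startswith("radius-server host ") and "key" not in line.split() and not global_key:
            findings.append(f"global: '{line}' has no shared secret")
        for prefix, (low, high, default) in DOT1X_LIMITS.items():
            if line.startswith(prefix + " "):
                value = int(line[len(prefix):].strip())
                if not low <= value <= high:
                    findings.append(f"global: {prefix} {value} outside {low}-{high}")
                elif value != default:
                    findings.append(f"global: {prefix} {value} differs from default {default}; confirm it is intended")
    if "dot1x re-authentication" not in glob:
        findings.append("global: periodic reauthentication is off (default)")
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines:
            continue  # trunks are not authenticated by these procedures
        if "dot1x port-control auto" not in lines:
            findings.append(f"{name}: access port without 'dot1x port-control auto'")
        if "dot1x multiple-hosts" in lines:
            findings.append(f"{name}: multiple hosts admitted behind one authentication")
    return findings
```

Run audit_dot1x over the output of show running-config; the constructed config above yields seven findings, including the second RADIUS host that has no key and the port left in force-authorized mode.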
SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree vlan vlan-ID
4. end
5. show spanning-tree vlan vlan-id
DETAILED STEPS
Example:
Router# configure terminal
Step 3 spanning-tree vlan vlan-ID Enables spanning tree on a per-VLAN basis.
Example:
Router(config)# spanning-tree vlan 200
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show spanning-tree vlan vlan-id Verifies the spanning tree configuration.
Example:
Router# show spanning-tree vlan 200
Example
Use the show spanning-tree vlan command to verify the spanning tree configuration, as illustrated below:
Router# show spanning-tree vlan 200
Router#
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {ethernet | fastethernet} interface-id
4. spanning-tree port-priority port-priority
5. spanning-tree vlan vlan-ID port-priority port-priority
6. end
7. show spanning-tree interface
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface {ethernet | fastethernet} interface-id Selects an interface to configure.
Example:
Router(config)# interface fastethernet 0/1/6
Step 4 spanning-tree port-priority port-priority Configures the port priority for an interface.
• The port-priority value can be from 4 to 252 in increments of 4.
• Use the no form of this command to restore the defaults.
Example:
Router(config-if)# spanning-tree port-priority 8
Step 5 spanning-tree vlan vlan-ID port-priority port-priority Configures the port priority of the interface for one VLAN.
Example:
Router(config-if)# spanning-tree vlan 200 port-priority 12
Step 6 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 7 show spanning-tree interface fastethernet interface-id Verifies the spanning-tree configuration of the interface.
Example:
Router# show spanning-tree interface fastethernet 0/1/6
Example
Use the show spanning-tree interface command to verify the spanning-tree port priority configuration of the
interface, as illustrated below:
Router# show spanning-tree interface fastethernet 0/1/6
Port cost value calculations are based on the bandwidth of the port. There are two classes of values. Short
(16-bit) values are specified by the IEEE 802.1D specification and range in value from 1 to 65535. Long
(32-bit) values are specified by the IEEE 802.1t specification and range in value from 1 to 200,000,000.
Follow the steps below to configure the spanning tree port cost of an interface.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {ethernet | fastethernet} interface-id
4. spanning-tree cost port-cost
5. spanning-tree vlan vlan-ID cost port-cost
6. end
7. show spanning-tree interface
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface {ethernet | fastethernet} Selects an interface to configure.
interface-id
Example:
Router(config)# interface fastethernet 0/1/6
Step 4 spanning-tree cost port-cost Configures the port cost for an interface.
• The value of port-cost can be from 1 to 200,000,000 (1 to 65,535 in Cisco IOS Releases 12.1(2)E and earlier).
• Use the no form of this command to restore the defaults.
Example:
Router(config-if)# spanning-tree cost 2000
Step 5 spanning-tree vlan vlan-ID cost port-cost Configures the port cost of the interface for one VLAN.
• The value of port-cost can be from 1 to 65,535.
• Use the no form of this command to restore the defaults.
Example:
Router(config-if)# spanning-tree vlan 200 cost 2000
Step 6 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 7 show spanning-tree interface fastethernet interface-id Verifies the spanning-tree configuration of the interface.
Example:
Router# show spanning-tree interface fastethernet 0/1/6
Example
Use the show spanning-tree vlan command to verify the spanning-tree port cost configuration.
Router# show spanning-tree vlan 200
Router#
SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree vlan vlan-ID priority bridge-priority
4. show spanning-tree vlan vlan-ID bridge [brief]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 spanning-tree vlan vlan-ID priority bridge-priority Configures the bridge priority of a VLAN. The bridge-priority value can be from 1 to 65535.
• Use the no form of this command to restore the defaults.
Caution Exercise care when using this command. For most situations, spanning-tree vlan vlan-ID root primary and spanning-tree vlan vlan-ID root secondary are the preferred commands to modify the bridge priority.
Example:
Router(config)# spanning-tree vlan 200 priority 2
Step 4 show spanning-tree vlan vlan-ID bridge [brief] Verifies the bridge priority.
Example:
Router# show spanning-tree vlan 200 bridge brief
Example
Use the show spanning-tree vlan bridge command to verify the bridge priority, as shown below.
Router# show spanning-tree vlan 200 bridge brief
SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree vlan vlan-ID hello-time hello-time
DETAILED STEPS
Example:
Router# configure terminal
Step 3 spanning-tree vlan vlan-ID hello-time hello-time Configures the hello time of a VLAN.
• The hello-time value can be from 1 to 10 seconds.
• Use the no form of this command to restore the defaults.
Example:
Router(config)# spanning-tree vlan 200 hello-time 5
SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree vlan vlan-ID forward-time forward-time
DETAILED STEPS
Example:
Router# configure terminal
Step 3 spanning-tree vlan vlan-ID forward-time forward-time Configures the forward time of a VLAN.
• The value of forward-time can be from 4 to 30 seconds.
• Use the no form of this command to restore the defaults.
Example:
Router(config)# spanning-tree vlan 20 forward-time 5
SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree vlan vlan-ID max-age max-age
DETAILED STEPS
Example:
Router# configure terminal
Step 3 spanning-tree vlan vlan-ID max-age max-age Configures the maximum aging time of a VLAN.
• The value of max-age can be from 6 to 40 seconds.
• Use the no form of this command to restore the defaults.
Example:
Router(config)# spanning-tree vlan 200 max-age 30
Note The root switch for each instance of spanning tree should be a backbone or distribution switch. Do not
configure an access switch as the spanning tree primary root.
Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of
bridge hops between any two end stations in the Layer 2 network). When you specify the network
diameter, the switch automatically picks an optimal hello time, forward delay time, and maximum age
time for a network of that diameter, which can significantly reduce the spanning tree convergence time.
You can use the hello keyword to override the automatically calculated hello time.
Note We recommend that you avoid configuring the hello time, forward delay time, and maximum age time
manually after configuring the switch as the root bridge.
SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree vlan vlan-ID root primary [diameter hops [hello-time seconds]]
4. end
5. no spanning-tree vlan vlan-ID
6. show spanning-tree vlan vlan-ID
DETAILED STEPS
Example:
Router# configure terminal
Step 3 spanning-tree vlan vlan-ID root primary [diameter hops [hello-time seconds]] Configures the switch as the root switch for the VLAN.
• Use the no form of this command to restore the defaults.
Example:
Router(config)# spanning-tree vlan 200 root primary
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 no spanning-tree vlan vlan-ID Disables spanning tree on a per-VLAN basis.
Example:
Router(config)# no spanning-tree vlan 200
Step 6 show spanning-tree vlan vlan-ID Verifies spanning tree on a per-VLAN basis.
Example:
Router# show spanning-tree vlan 200
Example
Use the show spanning-tree vlan command to verify that spanning tree is disabled, as illustrated
below:
Router# show spanning-tree vlan 200
<output truncated>
Spanning tree instance for VLAN 200 does not exist.
Router#
SUMMARY STEPS
1. enable
2. configure terminal
3. mac-address-table secure mac-address fastethernet interface-id [vlan vlan-id]
4. end
5. show mac-address-table secure
DETAILED STEPS
Example:
Router# configure terminal
Step 3 mac-address-table secure mac-address fastethernet interface-id [vlan vlan-id] Secures the MAC address traffic on the port.
Example:
Router(config)# mac-address-table secure 0000.0002.0001 fastethernet 0/1/1 vlan 2
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show mac-address-table secure Verifies the configuration.
Example:
Router# show mac-address-table secure
Example
Use the show mac-address-table secure to verify the configuration, as illustrated below:
Router# show mac-address-table secure
SUMMARY STEPS
1. enable
2. configure terminal
3. mac-address-table static mac-address fastethernet interface-id [vlan vlan-id]
4. end
5. show mac-address-table
DETAILED STEPS
Example:
Router# configure terminal
Step 3 mac-address-table static mac-address fastethernet interface-id [vlan vlan-id] Creates a static entry in the MAC address table.
• When the vlan-id is not specified, VLAN 1 is taken by default.
Example:
Router(config)# mac-address-table static 00ff.ff0d.2dc0 fastethernet 0/1/1
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show mac-address-table Verifies the MAC address table.
Example:
Router# show mac-address-table
Example
Use the show mac-address-table command to verify the MAC address table, as illustrated below:
Router# show mac-address-table
SUMMARY STEPS
1. enable
2. configure terminal
3. mac-address-table aging-time time
4. end
5. show mac-address-table aging-time
DETAILED STEPS
Example:
Router# configure terminal
Step 3 mac-address-table aging-time time Configures the MAC address aging timer, in seconds.
• The range is 0 to 10000 seconds.
Example:
Router(config)# mac-address-table aging-time 4080
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show mac-address-table aging-time Verifies the MAC address table.
Example:
Router# show mac-address-table aging-time
Example
Use the show mac-address-table aging-time command to verify the MAC address table aging timer, as
illustrated below:
Router# show mac-address-table aging-time
Mac address aging time 320
SUMMARY STEPS
1. enable
2. configure terminal
3. cdp run
4. end
5. show cdp
DETAILED STEPS
Example:
Router# configure terminal
Step 3 cdp run Enables CDP globally.
Example:
Router(config)# cdp run
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show cdp Verifies the CDP configuration.
Example:
Router# show cdp
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {ethernet | fastethernet} interface-id
4. cdp enable
5. end
6. show cdp interface interface-id
7. show cdp neighbors
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface {ethernet | fastethernet} Selects an interface to configure.
interface-id
Example:
Router(config)# interface fastethernet 0/1/1
Step 4 cdp enable Enables CDP on the interface. CDP advertises the device name, platform, software version, addresses, and native VLAN to the neighbor, so enable it only on interfaces that face equipment you manage, not on user-facing access ports.
Example:
Router(config-if)# cdp enable
Step 5 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 6 show cdp interface interface-id Verifies the CDP configuration on the interface.
Example:
Router# show cdp interface fastethernet 0/1/1
Step 7 show cdp neighbors Verifies the information about the neighboring equipment.
Example:
Router# show cdp neighbors
Example
Use the show cdp interface command to verify the CDP configuration for an interface.
Router# show cdp interface fastethernet 0/1/1
SUMMARY STEPS
1. enable
2. clear cdp counters
3. clear cdp table
4. show cdp
5. show cdp entry entry-name [protocol | version]
6. show cdp interface interface-id
7. show cdp neighbors interface-id [detail]
8. show cdp traffic
DETAILED STEPS
Command or Action Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 clear cdp counters (Optional) Resets the traffic counters to zero.
Example:
Router# clear cdp counters
Step 3 clear cdp table (Optional) Deletes the CDP table of information about
neighbors.
Example:
Router# clear cdp table
Step 4 show cdp (Optional) Verifies global information such as frequency of
transmissions and the holdtime for packets being transmitted.
Example:
Router# show cdp
Step 5 show cdp entry entry-name [protocol | version] (Optional) Verifies information about a specific neighbor.
• The display can be limited to protocol or version information.
Example:
Router# show cdp entry newentry
Step 6 show cdp interface interface-id (Optional) Verifies information about interfaces on which
CDP is enabled.
Example:
Router# show cdp interface fastethernet 0/1/1
Note An EtherSwitch HWIC supports only one SPAN session. Either Tx or both Tx and Rx monitoring is
supported.
SUMMARY STEPS
1. enable
2. configure terminal
3. monitor session 1 {source {interface interface-id} | {vlan vlan-ID}} [, | - | rx | tx | both]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 monitor session 1 {source {interface interface-id} | {vlan vlan-ID}} [, | - | rx | tx | both] Specifies the SPAN session (number 1), the source interfaces or VLANs, and the traffic direction to be monitored.
• The example shows how to configure the SPAN session to monitor bidirectional traffic from source interface Fast Ethernet 0/3/1.
Example:
Router(config)# monitor session 1 source interface fastethernet 0/3/1
SUMMARY STEPS
1. enable
2. configure terminal
3. monitor session session-id {destination {interface type interface-id} [, | -] | {vlan vlan-ID}}
4. show monitor session
5. no monitor session session-id
DETAILED STEPS
Example:
Router# configure terminal
Step 3 monitor session session-id {destination {interface type interface-id} [, | -] | {vlan vlan-ID}} Specifies the SPAN session and the destination interface or VLAN that receives the mirrored traffic. Connect the destination port only to the analyzer that is meant to see the copied traffic.
Example:
Router(config)# monitor session 1 destination interface fastethernet 0/1/1
Step 4 show monitor session Verifies the sources and destinations of the SPAN session.
Example:
Router# show monitor session 1
Step 5 no monitor session session-id Removes the SPAN session.
Example:
Router(config)# no monitor session 1
Example
Use the show monitor session command to verify the sources and destinations configured for the SPAN
session.
Router# show monitor session 1
Session 1
---------
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/1/0
Source VLANs:
RX Only: None
TX Only: None
Both: None
Destination Ports: Fa0/1/1
Filter VLANs: None
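The following Python script is an added example, not part of this guide and not Cisco code; it parses the show monitor session output format shown above (the sample is constructed to match it) and checks the session against the constraints the guide states for the EtherSwitch HWIC: a single session, no RX-only sources, and a destination port that exists and is not also a source.

```python
"""Parse `show monitor session` output and check it against the HWIC SPAN limits.

Added example, not code from the guide or from Cisco; the sample output is
constructed in the format the guide shows.
"""
import re

SHOW_MONITOR = """\
Session 1
---------
Source Ports:
    RX Only: None
    TX Only: None
    Both: Fa0/1/0
Source VLANs:
    RX Only: None
    TX Only: None
    Both: None
Destination Ports: Fa0/1/1
Filter VLANs: None
"""

_DIRECTIONS = {"RX Only": "rx", "TX Only": "tx", "Both": "both"}


def _items(value):
    """'Fa0/1/0,Fa0/1/2' -> list of names; 'None' or empty -> []."""
    value = value.strip()
    if not value or value.lower() == "none":
        return []
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_monitor_session(text):
    """Return a dict with session number, sources by direction, destination, filter."""
    session = {"session": None, "source_ports": {}, "source_vlans": {},
               "destination": [], "filter_vlans": []}
    block = None  # which 'Source ...' block the RX/TX/Both lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Session (\d+)$", line)
        if m:
            session["session"] = int(m.group(1))
        elif line == "Source Ports:":
            block = "source_ports"
        elif line == "Source VLANs:":
            block = "source_vlans"
        elif line.startswith("Destination Ports:"):
            session["destination"] = _items(line.partition(":")[2])
            block = None
        elif line.startswith("Filter VLANs:"):
            session["filter_vlans"] = _items(line.partition(":")[2])
            block = None
        else:
            m = re.match(r"(RX Only|TX Only|Both):(.*)$", line)
            if m and block:
                session[block][_DIRECTIONS[m.group(1)]] = _items(m.group(2))
    return session


def check_span(session):
    """Return findings against the constraints the guide states for the HWIC."""
    findings = []
    if session["session"] != 1:
        findings.append("the HWIC supports only SPAN session 1")
    # The HWIC mirrors Tx or both directions, never Rx alone.
    if session["source_ports"].get("rx") or session["source_vlans"].get("rx"):
        findings.append("RX-only sources are not supported; monitor tx or both")
    if not session["destination"]:
        findings.append("no destination port; mirrored traffic is dropped")
    sources = {p for ports in session["source_ports"].values() for p in ports}
    overlap = sources & set(session["destination"])
    if overlap:
        findings.append(f"destination {sorted(overlap)} is also a source")
    return findings
```

Paste the output of show monitor session 1 into parse_monitor_session and run check_span on the result; the sample above passes cleanly, while an RX-only source or a destination that is also a source is reported.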
SUMMARY STEPS
1. enable
2. configure terminal
3. interface fastethernet interface-id
4. power inline {auto | never}
5. end
6. show power inline
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface fastethernet interface-id Selects a particular Fast Ethernet interface for
configuration.
Example:
Router(config)# interface fastethernet 0/3/1
Step 4 power inline {auto | never} Configures the port to supply inline power automatically to a Cisco IP phone.
• Use never to permanently disable inline power on the port.
Example:
Router(config-if)# power inline auto
Step 5 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 6 show power inline Displays power configuration on the ports.
Example:
Router# show power inline
Example
Use the show power inline command to verify the power configuration on the ports, as illustrated below.
Router# show power inline
SUMMARY STEPS
1. enable
2. configure terminal
3. ip multicast-routing
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 ip multicast-routing Enables IP multicast routing globally.
Example:
Router(config)# ip multicast-routing
SUMMARY STEPS
1. enable
2. configure terminal
3. interface vlan vlan-id
4. ip pim {dense-mode | sparse-mode | sparse-dense-mode}
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Command Purpose
Step 3 interface vlan vlan-id Selects the interface to be configured.
Router(config)# interface vlan 1
Step 4 ip pim {dense-mode | sparse-mode | Enables IP PIM on a Layer 3 interface.
sparse-dense-mode}
Example:
Router(config-if)# ip pim sparse-dense-mode
Examples
The following example shows how to enable PIM on an interface using the default mode
(sparse-dense-mode):
Router(config-if)# ip pim sparse-dense-mode
Router(config-if)#
The following example shows how to enable PIM sparse mode on an interface:
Router(config-if)# ip pim sparse-mode
Router(config-if)#
Note The show interface statistics command does not verify hardware-switched packets, only packets
switched by software.
The show ip pim interface count command verifies the IP multicast Layer 3 switching enable state on
IP PIM interfaces and verifies the number of packets received and sent on the interface.
Use the following show commands to verify IP multicast Layer 3 switching information for an IP PIM
Layer 3 interface. The output below is from the show ip mroute count command:
Router# show ip mroute count
IP Multicast Statistics
5 routes using 2728 bytes of memory
4 groups, 0.25 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)
Router#
Note A negative counter means that the outgoing interface list of the corresponding entry is NULL, and this
indicates that this flow is still active.
Note In show ip mroute output, the RPF-MFD flag indicates that the flow is completely hardware switched. The
H flag indicates that the flow is hardware-switched on the outgoing interface.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp snooping
4. end
5. show ip igmp snooping
6. copy running-config startup-config
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 ip igmp snooping Globally enables IGMP snooping in all existing VLAN
interfaces.
Example:
Router(config)# ip igmp snooping
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show ip igmp snooping Displays snooping configuration.
Example:
Router# show ip igmp snooping
Step 6 copy running-config startup-config (Optional) Saves your configuration to the startup
configuration.
Example:
Router# copy running-config startup-config
To globally disable IGMP snooping on all VLAN interfaces, use the no ip igmp snooping global
command.
Use the following steps to enable IGMP snooping on a VLAN interface.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp snooping vlan vlan-id
4. end
5. show ip igmp snooping
6. copy running-config startup-config
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 ip igmp snooping vlan vlan-id Enables IGMP snooping on the VLAN interface.
Example:
Router(config)# ip igmp snooping vlan 1
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show ip igmp snooping [vlan vlan-id] Displays snooping configuration.
• (Optional) vlan-id is the number of the VLAN.
Example:
Router# show ip igmp snooping vlan 1
Step 6 copy running-config startup-config (Optional) Saves your configuration to the startup
configuration.
Example:
Router# copy running-config startup-config
To disable IGMP snooping on a VLAN interface, use the no ip igmp snooping vlan vlan-id global
configuration command for the specified VLAN number (for example, no ip igmp snooping vlan 1).
SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp snooping vlan vlan-id immediate-leave
4. end
5. show ip igmp snooping
6. copy running-config startup-config
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 ip igmp snooping vlan vlan-id immediate-leave Enables IGMP Immediate-Leave processing on the VLAN
interface.
Example:
Router(config)# ip igmp snooping vlan 1
immediate-leave
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show ip igmp snooping Displays snooping configuration.
Example:
Router# show ip igmp snooping
Step 6 copy running-config startup-config (Optional) Saves your configuration to the startup
configuration.
Example:
Router# copy running-config startup-config
To disable Immediate-Leave processing, follow Steps 1 and 2 to enter global configuration mode, and
use the no ip igmp snooping vlan vlan-id immediate-leave global configuration command.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp snooping vlan vlan-id static mac-address interface interface-id
4. end
5. show mac-address-table multicast [vlan vlan-id] [user | igmp-snooping] [count]
6. show ip igmp snooping
7. copy running-config startup-config
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 ip igmp snooping vlan vlan-id static mac-address interface interface-id Adds a static entry for the multicast group MAC address
mac-address to the VLAN and makes the specified Layer 2 port a member of that
group. Traffic for the group is always forwarded out that port, whether or not
a host on it sends IGMP reports.
Example:
Router(config)# ip igmp snooping vlan 1 static
0100.5e05.0505 interface Fa0/1/1
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show mac-address-table multicast [vlan vlan-id] [user | igmp-snooping] [count] Displays MAC address table entries for a VLAN.
• vlan-id is the multicast group VLAN ID.
• user displays only the user-configured multicast
entries.
• igmp-snooping displays entries learned via IGMP
snooping.
• count displays only the total number of entries for the
selected criteria, not the actual entries.
Example:
Router# show mac-address-table multicast vlan 1 igmp-snooping
Command Purpose
Step 6 show ip igmp snooping Displays snooping configuration.
Example:
Router# show ip igmp snooping
Step 7 copy running-config startup-config (Optional) Saves your configuration to the startup
configuration.
Example:
Router# copy running-config startup-config
SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp snooping vlan vlan-id mrouter {interface interface-id | learn pim-dvmrp}
4. end
5. show ip igmp snooping
6. show ip igmp snooping mrouter [vlan vlan-id]
7. copy running-config startup-config
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 ip igmp snooping vlan vlan-id mrouter Configures a multicast router port for the VLAN. Use interface
{interface interface-id | learn pim-dvmrp} interface-id to configure the router port statically, or
learn pim-dvmrp to have the switch learn router ports dynamically from the
PIM and DVMRP packets it receives.
Example:
Router(config)# ip igmp snooping vlan 1 mrouter interface Fa0/1/1
Router(config)# ip igmp snooping vlan 1 mrouter learn pim-dvmrp
Command Purpose
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show ip igmp snooping Displays snooping configuration.
Example:
Router# show ip igmp snooping
Step 6 show ip igmp snooping mrouter [vlan vlan-id] Displays the multicast router ports that were configured or
discovered for the VLAN.
Example:
Router# show ip igmp snooping mrouter vlan 1
Step 7 copy running-config startup-config (Optional) Saves your configuration to the startup
configuration.
Example:
Router# copy running-config startup-config
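The procedures above (enabling multicast routing, PIM on the SVIs, IGMP snooping, Immediate-Leave, a static group entry and the multicast router port) combine into one configuration. The following is an added example, not taken from this guide or from a Cisco sample configuration. The VLAN IDs, the SVI addresses, the choice of Fa0/1/1 as the port facing an upstream multicast router and Fa0/3/1 as a receiver port are assumptions; VLAN 20 is assumed to exist already in the VLAN database.

```cisco
! Added example (not from the original guide). Assumed: VLAN 1 holds the
! upstream multicast router behind FastEthernet 0/1/1, VLAN 20 is a user
! VLAN with exactly one host per port, and VLAN 20 already exists.
configure terminal
 ip multicast-routing
 !
 interface vlan 1
  ip address 192.0.2.1 255.255.255.0
  ip pim sparse-dense-mode
 !
 interface vlan 20
  ip address 198.51.100.1 255.255.255.0
  ip pim sparse-dense-mode
 !
 interface fastethernet 0/3/1
  switchport access vlan 20
 !
 ! IGMP snooping limits multicast flooding to the ports that joined the
 ! group; enable it globally, then on each VLAN that carries receivers.
 ip igmp snooping
 ip igmp snooping vlan 1
 ip igmp snooping vlan 20
 !
 ! Immediate-Leave only where one host sits behind each port: the first
 ! IGMP leave prunes the port for every host connected to it.
 ip igmp snooping vlan 20 immediate-leave
 !
 ! Pin the router port statically where an external router exists. With
 ! "learn pim-dvmrp", any port that receives a PIM hello becomes a router
 ! port and is sent every group's traffic, which a host on a user VLAN
 ! could provoke by forging PIM hellos; keep dynamic learning off there.
 ip igmp snooping vlan 1 mrouter interface Fa0/1/1
 !
 ! A static group entry for a receiver that never sends IGMP reports.
 ip igmp snooping vlan 20 static 0100.5e05.0505 interface Fa0/3/1
end
!
! Verification: PIM state on the SVIs, router ports per VLAN, group
! membership per port, and whether flows are switched in hardware.
show ip pim interface count
show ip igmp snooping vlan 20
show ip igmp snooping mrouter vlan 1
show mac-address-table multicast vlan 20 igmp-snooping
show ip mroute count
```

After the configuration is applied, show ip igmp snooping mrouter vlan 1 should list Fa0/1/1, and show mac-address-table multicast vlan 20 igmp-snooping should show 0100.5e05.0505 on Fa0/3/1 before any receiver on VLAN 20 has sent an IGMP report.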
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. storm-control {broadcast | multicast | unicast} level level-high [level-low]
5. storm-control action shutdown
6. end
7. show storm-control [interface] [broadcast | multicast | unicast | history]
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface interface-id Enters interface configuration mode and specifies the port to
configure.
Example:
Router(config)# interface fastethernet 0/3/1
Step 4 storm-control {broadcast | multicast | unicast} level level-high [level-low] Configures broadcast, multicast, or unicast per-port storm control.
• Specify the rising threshold level for either broadcast, multicast,
or unicast traffic. The storm control action occurs when traffic
utilization reaches this level.
• (Optional) Specify the falling threshold level. Normal
transmission restarts (if the action is filtering) when traffic drops
below this level.
Example:
Router(config-if)# storm-control broadcast level 7
Step 5 storm-control action shutdown Selects the shutdown keyword to disable the port during a storm.
• The default is to filter out the traffic.
Example:
Router(config-if)# storm-control action shutdown
Step 6 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 7 show storm-control [interface] Verifies your entries.
[broadcast | multicast | unicast |
history]
Example:
Router# show storm-control
Note If any one type of traffic exceeds its upper threshold limit, all of the other types of traffic on that port are stopped as well.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. no storm-control {broadcast | multicast | unicast} level level-high [level-low]
5. no storm-control action shutdown
6. end
7. show storm-control {broadcast | multicast | unicast}
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface interface-id Enters interface configuration mode and specifies the port to
configure.
Example:
Router(config)# interface fastethernet 0/3/1
Step 4 no storm-control {broadcast | multicast Disables per-port storm control.
| unicast} level level-high [level-low]
Example:
Router(config-if)# no storm-control broadcast level 7
Step 5 no storm-control action shutdown Disables the specified storm control action.
Example:
Router(config-if)# no storm-control action shutdown
Command Purpose
Step 6 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 7 show storm-control [interface] Verifies your entries.
[{broadcast | multicast | unicast |
history}]
Example:
Router# show storm-control
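Storm control is the one control in this chapter that bounds what a single attached host can do to the rest of a VLAN: a looping or malicious host flooding broadcasts would otherwise saturate the uplink and the CPU of every station on the segment. The following added example, not from this guide, configures all three traffic classes with rising and falling thresholds on a user-facing port and selects the shutdown action. The port name and the percentage values are assumptions.

```cisco
! Added example (not from the original guide). Thresholds are percentages
! of port bandwidth and are assumptions; read the "history" output on a
! quiet network before choosing values to enforce.
configure terminal
 interface fastethernet 0/3/1
  ! Act when broadcast traffic reaches 7% of port bandwidth; with the
  ! default filter action, forwarding resumes once it drops under 5%.
  storm-control broadcast level 7 5
  storm-control multicast level 10 8
  storm-control unicast level 30 25
  ! On user ports, shutting the port down beats filtering: a storm that
  ! hovers around the threshold would otherwise leave the port flapping
  ! between filtering and forwarding, and the cause stays connected.
  ! A port disabled by storm control is re-enabled by an operator with
  ! shutdown followed by no shutdown on the interface.
  storm-control action shutdown
 end
!
! Verification: state and thresholds per traffic class, then the record
! of past storm events on the port.
show storm-control fastethernet 0/3/1 broadcast
show storm-control fastethernet 0/3/1 multicast
show storm-control fastethernet 0/3/1 unicast
show storm-control fastethernet 0/3/1 history
```

Keep the Note above in mind when reading the history output: with the filter action, one class crossing its upper threshold stops every class on the port, so a broadcast storm also cuts the host's ordinary unicast traffic until the broadcast rate falls below the falling threshold.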
Configuring Stacking
Stacking is the connection of two switch modules resident in the same chassis so that they behave as a
single switch. When a chassis is populated with two switch modules, the user must configure both of
them to operate in stacked mode. This is done by selecting one port from each switch module and
configuring it to be a stacking partner. The user must then use a cable to connect the stacking partners
from each switch module to physically stack the switch modules. Any one port in a switch module can
be designated as the stacking partner for that switch module.
Follow the steps below to configure a pair of ports on two different switch modules as stacking partners.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface fastethernet interface-id
4. no shutdown
5. switchport stacking-partner interface FastEthernet partner-interface-id
6. exit
7. interface fastethernet partner-interface-id
8. no shutdown
9. end
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface fastethernet interface-id Enters interface configuration mode and specifies the port to
configure.
Example:
Router(config)# interface fastethernet 0/1/1
Step 4 no shutdown Activates the interface.
• This step is required only if you shut down the interface.
Example:
Router(config-if)# no shutdown
Step 5 switchport stacking-partner interface Selects and configures the stacking partner port, which must be on
fastethernet partner-interface-id the other switch module.
• To restore the defaults, use the no form of this command.
Example:
Router(config-if)# switchport stacking-partner interface FastEthernet 0/3/1
Step 6 exit Returns to global configuration mode.
Example:
Router(config-if)# exit
Step 7 interface fastethernet Enters interface configuration mode and specifies the
partner-interface-id partner interface.
Example:
Router(config)# interface fastethernet 0/3/1
Step 8 no shutdown Activates the stacking partner interface.
Example:
Router(config-if)# no shutdown
Step 9 end Exits configuration mode.
Example:
Router(config-if)# end
Note Both stacking partner ports must have their speed and duplex parameters set to auto.
Caution If stacking is removed, stacked interfaces will go to shutdown state. Other nonstacked ports will be left
unchanged.
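The following added example, not from this guide, shows the whole stacking procedure for a chassis with switch modules in slots 1 and 3, using FastEthernet 0/1/1 and FastEthernet 0/3/1 as the stacking pair. The choice of those two ports is an assumption; any one port on each module can be the stacking partner. Both ports are explicitly set to auto speed and duplex, as the Note above requires.

```cisco
! Added example (not from the original guide): stack the module in slot 1
! with the module in slot 3. The port choice is an assumption.
configure terminal
 interface fastethernet 0/1/1
  no shutdown
  speed auto
  duplex auto
  switchport stacking-partner interface FastEthernet 0/3/1
 exit
 interface fastethernet 0/3/1
  no shutdown
  speed auto
  duplex auto
 end
!
! Check both ports, then connect them to each other with a cable.
show running-config interface fastethernet 0/1/1
show running-config interface fastethernet 0/3/1
```

Once the cable is in place the two modules behave as one switch. Remember the Caution above: removing the stacking-partner configuration later shuts down the two stacked interfaces while leaving every other port as it was.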
SUMMARY STEPS
1. enable
2. configure terminal
3. no ip routing
4. bridge bridge-group protocol vlan-bridge
5. interface interface-id
6. bridge-group bridge-group
7. end
8. show vlan-bridge
9. show running-config
10. copy running-config startup-config
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 no ip routing Disables IP routing.
Example:
Router(config)# no ip routing
Step 4 bridge bridge-group protocol vlan-bridge Assigns a bridge group number and specifies the VLAN-bridge
spanning-tree protocol to run in the bridge group.
• The ibm and dec keywords are not supported.
• For bridge-group, specify the bridge group number. The range is 1
to 255.
• Frames are bridged only among interfaces in the same group.
Example:
Router(config)# bridge 100 protocol vlan-bridge
Command Purpose
Step 5 interface interface-id Enters interface configuration mode and specifies the interface on
which you want to assign the bridge group.
• The specified interface must be an SVI: a VLAN interface that you
created by using the interface vlan vlan-id global configuration
command.
• These interfaces must have IP addresses assigned to them.
Example:
Router(config)# interface vlan 1
Step 6 bridge-group bridge-group Assigns the interface to the bridge group created in Step 4.
• By default, the interface is not assigned to any bridge group. An
interface can be assigned to only one bridge group.
Example:
Router(config-if)# bridge-group 100
Step 7 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 8 show vlan-bridge (Optional) Verifies forwarding mode.
Example:
Router# show vlan-bridge
Step 9 show running-config (Optional) Verifies your entries.
Example:
Router# show running-config
Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration file.
Example:
Router# copy running-config
startup-config
To remove a bridge group, use the no bridge bridge-group protocol vlan-bridge global configuration
command. To remove an interface from a bridge group, use the no bridge-group bridge-group interface
configuration command.
SUMMARY STEPS
1. enable
2. configure terminal
3. no bridge bridge-group acquire
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 no bridge bridge-group acquire Stops the switch from forwarding frames for stations that it has
dynamically learned through the discovery process and limits frame
forwarding to statically configured stations.
• The switch filters all frames except those whose destination
addresses have been statically configured into the forwarding
cache. To configure a static address, use the bridge bridge-group
address mac-address {forward | discard} global configuration
command.
• For bridge-group, specify the bridge group number. The range is 1
to 255.
Example:
Router(config)# no bridge 100 acquire
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show running-config Verifies your entry.
Example:
Router# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entry in the configuration file.
Example:
Router# copy running-config
startup-config
To cause the switch to forward frames to stations that it has dynamically learned, use the bridge
bridge-group acquire global configuration command.
SUMMARY STEPS
1. enable
2. configure terminal
3. bridge bridge-group aging-time seconds
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 bridge bridge-group aging-time seconds Specifies the length of time that a dynamic entry remains in the bridge
table from the time the entry was created or last updated.
• For bridge-group, specify the bridge group number. The range is 1
to 255.
• For seconds, enter a number from 0 to 1000000. The default is 300
seconds.
Example:
Router(config)# bridge 100 aging-time 10000
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Command Purpose
Step 5 show running-config Verifies your entry.
Example:
Router# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entry in the configuration file.
Example:
Router# copy running-config
startup-config
To return to the default aging-time interval, use the no bridge bridge-group aging-time global
configuration command.
SUMMARY STEPS
1. enable
2. configure terminal
3. bridge bridge-group address mac-address {forward | discard} [interface-id]
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Command Purpose
Step 3 bridge bridge-group address mac-address {forward | discard} [interface-id] Adds a static entry for a station to the bridge forwarding table.
• forward forwards frames destined to mac-address (out interface-id,
if specified); discard drops them.
• For bridge-group, specify the bridge group number. The range is 1
to 255.
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show running-config Verifies your entry.
Example:
Router# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entry in the configuration file.
Example:
Router# copy running-config
startup-config
To disable the frame forwarding ability, use the no bridge bridge-group address mac-address global
configuration command.
Note Only network administrators with a good understanding of how switches and STP function should
make adjustments to spanning-tree parameters. Poorly planned adjustments can have a negative
impact on performance. A good source on switching is the IEEE 802.1d specification; for more
information, refer to the “References and Recommended Reading” appendix in the Cisco IOS
Configuration Fundamentals Command Reference, Release 12.2.
You can globally configure the priority of an individual switch when two switches tie for position as the
root switch, or you can configure the likelihood that a switch will be selected as the root switch. This
priority is determined by default; however, you can change it.
Follow the steps below to change the switch priority.
SUMMARY STEPS
1. enable
2. configure terminal
3. bridge bridge-group priority number
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 bridge bridge-group priority number Changes the priority of the switch.
• For bridge-group, specify the bridge group number. The range is 1
to 255.
• For number, enter a number from 0 to 65535. The default is 32768.
The lower the number, the more likely the switch will be chosen as
the root.
Example:
Router(config)# bridge 100 priority 5
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show running-config Verifies your entry.
Example:
Router# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entry in the configuration file.
Example:
Router# copy running-config
startup-config
This command does not have a no form. To return to the default setting, use the bridge bridge-group
priority number global configuration command, and set the priority to the default value. To change the
priority on an interface, use the bridge-group priority interface configuration command (described in
the next section).
You can change the priority for an interface. When two switches tie for position as the root switch, you
configure an interface priority to break the tie. The switch with the lower interface value is elected.
Follow the steps below to change the interface priority.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. bridge-group bridge-group priority number
5. end
6. show running-config
7. copy running-config startup-config
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface interface-id Enters interface configuration mode and specifies the interface to set
the priority.
Example:
Router(config)# interface vlan 1
Step 4 bridge-group bridge-group priority number Changes the priority of the interface in the bridge group.
Example:
Router(config-if)# bridge-group 100 priority 4
Step 5 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Command Purpose
Step 6 show running-config Verifies your entry.
Example:
Router# show running-config
Step 7 copy running-config startup-config (Optional) Saves your entry in the configuration file.
Example:
Router# copy running-config
startup-config
To return to the default setting, use the bridge-group bridge-group priority number interface
configuration command.
Each interface has a path cost associated with it. By convention, the path cost is 1000/data rate of the
attached LAN, in Mbps.
Follow the steps below to assign a path cost.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. bridge-group bridge-group path-cost cost
5. end
6. show running-config
7. copy running-config startup-config
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface interface-id Enters interface configuration mode and specifies the interface to set
the path cost.
Example:
Router(config)# interface vlan 1
Command Purpose
Step 4 bridge-group bridge-group path-cost cost Changes the path cost of the interface in the bridge group.
Example:
Router(config-if)# bridge-group 100 path-cost 4
Step 5 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 6 show running-config Verifies your entry.
Example:
Router# show running-config
Step 7 copy running-config startup-config (Optional) Saves your entry in the configuration file.
Example:
Router# copy running-config
startup-config
To return to the default path cost, use the no bridge-group bridge-group path-cost cost interface
configuration command.
Note Each switch in a spanning tree adopts the interval between hello BPDUs, the forward delay interval,
and the maximum idle interval parameters of the root switch, regardless of what its individual
configuration might be.
Follow the steps below to adjust the interval between hello BPDUs.
SUMMARY STEPS
1. enable
2. configure terminal
3. bridge bridge-group hello-time seconds
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 bridge bridge-group hello-time seconds Specifies the interval between hello BPDUs.
• For bridge-group, specify the bridge group number. The range is 1
to 255.
• For seconds, enter a number from 1 to 10. The default is 2 seconds.
Example:
Router(config)# bridge 100 hello-time 5
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show running-config Verifies your entry.
Example:
Router# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entry in the configuration file.
Example:
Router# copy running-config
startup-config
To return to the default setting, use the no bridge bridge-group hello-time global configuration
command.
The forward-delay interval is the amount of time spent listening for topology change information after
an interface has been activated for switching and before forwarding actually begins.
Follow the steps below to change the forward-delay interval.
SUMMARY STEPS
1. enable
2. configure terminal
3. bridge bridge-group forward-time seconds
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 bridge bridge-group forward-time seconds Specifies the forward-delay interval.
• For bridge-group, specify the bridge group number. The range is 1
to 255.
• For seconds, enter a number from 10 to 200. The default is 20
seconds.
Example:
Router(config)# bridge 100 forward-time 25
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show running-config Verifies your entry.
Example:
Router# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entry in the configuration file.
Example:
Router# copy running-config
startup-config
To return to the default setting, use the no bridge bridge-group forward-time seconds global
configuration command.
If a switch does not hear BPDUs from the root switch within a specified interval, it recomputes the
spanning-tree topology.
Follow the steps below to change the maximum-idle interval (maximum aging time).
SUMMARY STEPS
1. enable
2. configure terminal
3. bridge bridge-group max-age seconds
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 bridge bridge-group max-age seconds Specifies the interval the switch waits to hear BPDUs from the root
switch before it recomputes the spanning-tree topology.
• For bridge-group, specify the bridge group number. The range is 1
to 255.
• For seconds, enter a number from 10 to 200. The default is 30
seconds.
Example:
Router(config)# bridge 100 max-age 25
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Step 5 show running-config Verifies your entry.
Example:
Router# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entry in the configuration file.
Example:
Router# copy running-config
startup-config
To return to the default setting, use the no bridge bridge-group max-age global configuration command.
When a loop-free path exists between any two switched subnetworks, you can prevent BPDUs generated
in one switching subnetwork from impacting devices in the other switching subnetwork, yet still permit
switching throughout the network as a whole. For example, when switched LAN subnetworks are
separated by a WAN, BPDUs can be prevented from traveling across the WAN link.
Follow the steps below to disable spanning tree on an interface.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. bridge-group bridge-group spanning-disabled
5. end
6. show running-config
7. copy running-config startup-config
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface interface-id Enters interface configuration mode and specifies the interface on
which to disable spanning tree.
Example:
Router(config)# interface vlan 1
Step 4 bridge-group bridge-group spanning-disabled Disables spanning tree on the interface.
• For bridge-group, specify the bridge group number. The range is 1
to 255.
Example:
Router(config-if)# bridge-group 100 spanning-disabled
Step 5 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Command Purpose
Step 6 show running-config Verifies your entry.
Example:
Router# show running-config
Step 7 copy running-config startup-config (Optional) Saves your entry in the configuration file.
Example:
Router# copy running-config
startup-config
To reenable spanning tree on the interface, use the no bridge-group bridge-group spanning-disabled
interface configuration command.
Use the following privileged EXEC commands to monitor and maintain a bridge group.
Command Purpose
clear bridge bridge-group Removes any learned entries from the forwarding database and
clears the transmit and receive counts for any statically
configured entries.
show bridge [bridge-group] Displays details about the bridge group.
show bridge [bridge-group] [interface-id] [address] [group] [verbose] Displays classes of entries in the bridge forwarding database.
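The bridging procedures above (creating the VLAN-bridge group, aging, static addresses, switch and interface priority, path cost, the three spanning-tree timers and disabling spanning tree toward another switching subnetwork) combine into one configuration. The following is an added example and is not from this guide. The bridge-group number, the three SVIs and their addresses, the two MAC addresses (constructed) and the timer values are assumptions chosen to stay within the ranges the procedures give.

```cisco
! Added example (not from the original guide). Bridge group, VLANs, IP
! addresses, MAC addresses and timer values are assumptions.
configure terminal
 no ip routing
 bridge 100 protocol vlan-bridge
 !
 ! Make this switch the root: the lowest priority wins the election.
 bridge 100 priority 4096
 !
 ! Timers. Non-root switches adopt the root's values, so set them here.
 ! 802.1D requires 2*(forward-time - 1) >= max-age >= 2*(hello-time + 1);
 ! 1 / 10 / 10 satisfies that (18 >= 10 >= 4).
 bridge 100 hello-time 1
 bridge 100 forward-time 10
 bridge 100 max-age 10
 !
 ! Dynamic entries age out after 300 seconds (the default).
 bridge 100 aging-time 300
 !
 ! Static entries: always forward to the server behind VLAN 1, and drop
 ! every frame addressed to a station that must not be reachable.
 bridge 100 address 0000.0c12.3456 forward vlan 1
 bridge 100 address 0000.0c12.3457 discard
 !
 interface vlan 1
  ip address 192.0.2.1 255.255.255.0
  bridge-group 100
 !
 ! Prefer VLAN 2 as the designated path: low interface priority, low cost.
 interface vlan 2
  ip address 198.51.100.1 255.255.255.0
  bridge-group 100
  bridge-group 100 priority 4
  bridge-group 100 path-cost 10
 !
 ! VLAN 3 carries the link toward the remote switching subnetwork across
 ! the WAN: bridge it, but keep this side's BPDUs off the WAN link.
 interface vlan 3
  ip address 203.0.113.1 255.255.255.0
  bridge-group 100
  bridge-group 100 spanning-disabled
 end
!
! Verification and maintenance
show vlan-bridge
show bridge 100
show bridge 100 verbose
clear bridge 100
```

Two points to keep in mind when using this. First, spanning-disabled on VLAN 3 means a loop through the WAN side will not be detected, so use it only where the path between the two subnetworks is known to be loop-free, as the text above states. Second, adding no bridge 100 acquire turns the group into a static-only forwarder: with the configuration shown, only frames for 0000.0c12.3456 would then be forwarded and every dynamically learned station would be cut off, which is the intended lockdown behaviour but must be planned for.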
Note Refer to the Cisco AVVID QoS Design Guide for more information on how to implement end-to-end QoS
as you deploy Cisco AVVID solutions.
Follow these steps to automatically configure Cisco IP phones to send voice traffic on the voice VLAN
ID (VVID) on a per-port basis (see the “Voice Traffic and VVID” section on page 170).
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport mode trunk
5. switchport voice vlan vlan-id
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface interface-id Enters interface configuration mode and specifies the port to be
configured (for example, interface fastethernet 0/2/1).
Example:
Router(config)# interface fastethernet 0/2/1
Step 4 switchport mode trunk Configures the port to trunk mode.
Example:
Router(config-if)# switchport mode trunk
Step 5 switchport voice vlan vlan-id Configures the voice port with a VVID that will be used
exclusively for voice traffic.
Example:
Router(config-if)# switchport voice vlan
100
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. switchport access vlan vlan-id
5. end
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface interface-id Enters interface configuration mode and specifies the port to be
configured (for example, interface fastethernet 0/2/1).
Example:
Router(config)# interface fastethernet 0/2/1
Command Purpose
Step 4 switchport access vlan vlan-id Sets the native VLAN for untagged traffic.
• The value of vlan-id represents the ID of the VLAN that is
sending and receiving untagged traffic on the port. Valid
IDs are from 1 to 1001. Leading zeroes are not permitted.
Example:
Router(config-if)# switchport access vlan 100
Step 5 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Use the show run interface command to verify the switchport configuration.
Router# show run interface interface-id
Use the write memory command to save the current configuration in flash memory.
Router# write memory
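The two procedures above put the phone's tagged traffic on the voice VLAN and the PC behind the phone on the access (native) VLAN. The guide's examples use 100 for both values; the purpose of a separate VVID is to keep the two apart, so the following added example, not from this guide, uses VLAN 10 for data. VLAN 10, the port name and the switchport trunk allowed vlan line (a command this page does not cover) are assumptions.

```cisco
! Added example (not from the original guide). VLAN 10, the port and the
! "switchport trunk allowed vlan" line are assumptions.
configure terminal
 interface fastethernet 0/2/1
  switchport mode trunk
  ! Tagged voice traffic from the phone
  switchport voice vlan 100
  ! Untagged traffic from the PC behind the phone
  switchport access vlan 10
  ! A trunk carries every VLAN unless told otherwise; a host on a phone
  ! port should not be able to tag its way into any other VLAN.
  switchport trunk allowed vlan 10,100
 end
show run interface fastethernet 0/2/1
write memory
```

The show run interface output should list all three switchport lines; if the allowed-VLAN line is missing, the port accepts frames tagged for any VLAN from whatever is plugged into it.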
SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server host ip-address traps community-string snmp vlan-membership
4. end
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 snmp-server host ip-address traps community-string snmp vlan-membership Specifies the trap receiver (SNMP manager) IP address, the community
string sent with the traps, and the notification types to generate
(snmp and vlan-membership).
• The community string is a credential. SNMPv1 and SNMPv2c send it in
cleartext, so use a string that is not also used for read or write
access to the router.
Example:
Router(config)# snmp-server host 172.16.128.26 traps vlancommunity1 snmp vlan-membership
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Use the show running-config command to verify that the information was entered correctly by
displaying the running configuration:
Router# show running-config
Configuring IP Information
This section describes how to assign IP information on the HWICs. The following topics are included:
• Assigning IP Information to the Switch, page 173
• Specifying a Domain Name and Configuring the DNS, page 176
You can use a BOOTP server to automatically assign IP information to the switch; however, the BOOTP
server must be set up in advance with a database of physical MAC addresses and corresponding IP
addresses, subnet masks, and default gateway addresses. In addition, the switch must be able to reach
the BOOTP server through one of its ports. At startup, a switch without an IP address requests the
information from the BOOTP server; the information it receives is stored only in the running
configuration. To ensure that the IP information survives a restart, save the configuration by entering
the write memory command in privileged EXEC mode.
You can change the information in these fields. The mask identifies the bits that denote the network
number in the IP address. When you use the mask to subnet a network, the mask is then referred to as a
subnet mask. The broadcast address is reserved for sending messages to all hosts. The CPU sends traffic
to an unknown IP address through the default gateway.
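The mask, network number, broadcast address and default gateway described above, worked through in code. This is an added Python example, not part of the Cisco guide; it uses only the standard ipaddress module. The gateway check encodes a consequence of the text: the CPU can only hand traffic to a default gateway that sits inside the subnet the mask defines.

```python
import ipaddress


def subnet_info(ip: str, mask: str) -> dict:
    """Split an address/mask pair into the pieces the text describes.

    The mask marks the bits that form the network number; the remaining bits
    address hosts, and the all-ones host part is the broadcast address."""
    net = ipaddress.IPv4Interface(f"{ip}/{mask}").network
    if net.prefixlen >= 31:
        usable = net.num_addresses          # /31 and /32 reserve no addresses
    else:
        usable = net.num_addresses - 2      # network number and broadcast are reserved
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix_length": net.prefixlen,
        "usable_hosts": usable,
    }


def gateway_on_link(ip: str, mask: str, gateway: str) -> bool:
    """Traffic for unknown destinations goes to the default gateway, so the
    gateway itself must be directly reachable: inside the subnet defined by
    the interface address and mask."""
    net = ipaddress.IPv4Interface(f"{ip}/{mask}").network
    return ipaddress.IPv4Address(gateway) in net


def check_ip_config(ip: str, mask: str, gateway: str) -> dict:
    """Combine both checks into one report for a VLAN interface configuration."""
    report = subnet_info(ip, mask)
    report["gateway_on_link"] = gateway_on_link(ip, mask, gateway)
    return report


if __name__ == "__main__":
    # Values from Step 4 and Step 6 below, then the same host with a /24 mask.
    print(check_ip_config("192.0.2.10", "255.255.255.255", "192.0.2.20"))
    print(check_ip_config("192.0.2.10", "255.255.255.0", "192.0.2.20"))
```

Run against the Step 4 and Step 6 values that follow (192.0.2.10 with mask 255.255.255.255 and gateway 192.0.2.20), the check reports the gateway as off-link, because a /32 mask leaves no other address in the subnet; with a 255.255.255.0 mask the same gateway is on-link.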
Follow these steps to enter the IP information.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface vlan_id
4. ip address ip-address subnet-mask
5. exit
6. ip default-gateway ip-address
7. end
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface vlan_id Enters interface configuration mode and specifies the VLAN to which the IP information is assigned.
• VLAN 1 is the management VLAN, but you can configure any VLAN from IDs 1 to 1001.
Example:
Router(config)# interface vlan 1
Step 4 ip address ip-address subnet-mask Enters the IP address and subnet mask.
Example:
Router(config-if)# ip address 192.0.2.10 255.255.255.255
Step 5 exit Returns to global configuration mode.
Example:
Router(config-if)# exit
Step 6 ip default-gateway ip-address Enters the IP address of the default router.
Example:
Router(config)# ip default-gateway 192.0.2.20
Step 7 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Note Using the no ip address command in configuration mode disables the IP protocol stack and
removes the IP information. Cluster members without IP addresses rely on the IP protocol
stack being enabled.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface vlan_id
4. no ip address
5. end
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface vlan_id Enters interface configuration mode, and enters the VLAN to which the IP information is assigned.
• VLAN 1 is the management VLAN, but you can configure any VLAN from IDs 1 to 1001.
Example:
Router(config)# interface vlan 1
Step 4 no ip address Removes the IP address and subnet mask.
Example:
Router(config-if)# no ip address
Step 5 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Caution If you are removing the IP address through a telnet session, your connection to the switch
will be lost.
Each unique IP address can have a host name associated with it. The Cisco IOS software maintains a
cache of host name-to-address mappings for use by EXEC mode and related Telnet support operations.
This cache speeds the process of converting names to addresses.
IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain.
Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco
Systems is a commercial organization that IP identifies by a com domain name, so its domain name is
cisco.com. A specific device in this domain, the FTP system, for example, is identified as ftp.cisco.com.
To track domain names, IP has defined the concept of a domain name server (DNS), the purpose of which
is to hold a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses,
you must first identify the host names and then specify a name server and enable the DNS, the Internet’s
global naming scheme that uniquely identifies network devices.
SUMMARY STEPS
1. enable
2. configure terminal
3. monitor session session-id {destination | source} {interface interface-id | vlan vlan-id} [, | - | both | tx | rx]
4. end
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 monitor session session-id {destination | source} {interface interface-id | vlan vlan-id} [, | - | both | tx | rx] Enables port monitoring for a specific session (session-id).
• Optionally, supply a SPAN destination interface and a source interface.
Example:
Router(config)# monitor session session-id {destination | source} {interface interface-id | vlan vlan-id} [, | - | both | tx | rx]
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
Disabling SPAN
SUMMARY STEPS
1. enable
2. configure terminal
3. no monitor session session-id
4. end
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 no monitor session session-id Disables port monitoring for a specific session.
Example:
Router(config)# no monitor session 37
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
All addresses are associated with a VLAN. An address can exist in more than one VLAN and have
different destinations in each. Multicast addresses, for example, could be forwarded to port 1 in VLAN
1 and ports 9, 10, and 11 in VLAN 5.
Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in
another until it is learned or statically associated with a port in the other VLAN. An address can be secure
in one VLAN and dynamic in another. Addresses that are statically entered in one VLAN must be static
addresses in all other VLANs.
Dynamic addresses are source MAC addresses that the switch learns and then drops when they are not
in use. Use the Aging Time field to define how long the switch retains unseen addresses in the table. This
parameter applies to all VLANs.
Setting too short an aging time can cause addresses to be prematurely removed from the table. Then
when the switch receives a packet for an unknown destination, it floods the packet to all ports in the same
VLAN as the receiving port. This unnecessary flooding can impact performance. Setting too long an
aging time can cause the address table to be filled with unused addresses; it can cause delays in
establishing connectivity when a workstation is moved to a new port.
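To make the aging trade-off above concrete, here is an added Python model of per-VLAN address tables with one shared aging time. It is not code from the guide: the switch ports, host MAC addresses and traffic pattern are constructed, and the rule that secure and static entries are never overwritten by learning is a modelling assumption. Running the same traffic under a long and a short aging time shows the extra flooding the text warns about; the second function shows one address with a different destination in each VLAN, and that fixed entries survive aging.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass
class Entry:
    port: str
    kind: str          # "dynamic", "secure" or "static"
    last_seen: float   # seconds; only consulted for dynamic entries


class MacTables:
    """One logical address table per VLAN, with a single aging time shared by
    all VLANs. Dynamic entries are learned from source addresses and dropped
    when unseen for longer than the aging time; secure and static entries
    never age (assumption: they are also never overwritten by learning)."""

    def __init__(self, aging_time: float) -> None:
        self.aging_time = aging_time
        self.tables: Dict[int, Dict[str, Entry]] = {}
        self.floods = 0    # how often an unknown destination forced a flood

    def _vlan(self, vlan_id: int) -> Dict[str, Entry]:
        return self.tables.setdefault(vlan_id, {})

    def add_fixed(self, vlan_id: int, mac: str, port: str, kind: str = "static") -> None:
        """Install a secure or static entry for one VLAN."""
        self._vlan(vlan_id)[mac] = Entry(port, kind, 0.0)

    def age(self, now: float) -> int:
        """Drop dynamic entries not seen within the aging time; return how many."""
        dropped = 0
        for table in self.tables.values():
            stale = [m for m, e in table.items()
                     if e.kind == "dynamic" and now - e.last_seen > self.aging_time]
            for m in stale:
                del table[m]
            dropped += len(stale)
        return dropped

    def forward(self, vlan_id: int, src: str, dst: str, in_port: str,
                now: float, vlan_ports: Set[str]) -> Set[str]:
        """Learn src on in_port, then choose egress ports for dst in the VLAN.
        An unknown destination is flooded to every other port in the VLAN."""
        self.age(now)
        table = self._vlan(vlan_id)
        current = table.get(src)
        if current is None or current.kind == "dynamic":
            table[src] = Entry(in_port, "dynamic", now)
        hit = table.get(dst)
        if hit is None:
            self.floods += 1
            return {p for p in vlan_ports if p != in_port}
        return {hit.port}


def flood_count(aging_time: float) -> int:
    """Constructed traffic: host A on Fa0/1/1 and host B on Fa0/1/2 exchange one
    frame each every 60 s for five minutes in VLAN 1. Returns how many frames
    had to be flooded under the given aging time."""
    ports = {"Fa0/1/1", "Fa0/1/2", "Fa0/1/3"}
    mac_a, mac_b = "0000.1111.aaaa", "0000.1111.bbbb"   # constructed addresses
    t = MacTables(aging_time)
    for i in range(5):
        now = 60.0 * i
        t.forward(1, mac_a, mac_b, "Fa0/1/1", now, ports)
        t.forward(1, mac_b, mac_a, "Fa0/1/2", now + 1.0, ports)
    return t.floods


def per_vlan_destinations() -> Tuple[Set[str], Set[str], int]:
    """The same address can live in several VLANs with a different port in
    each, and secure/static entries survive any amount of aging."""
    t = MacTables(aging_time=10.0)
    mac = "0100.5e05.0505"   # address used in the configuration examples below
    t.add_fixed(1, mac, "Fa0/1/1")
    t.add_fixed(5, mac, "Fa0/3/4", kind="secure")
    t.age(now=1_000_000.0)   # far beyond the aging time; fixed entries remain
    ports = {"Fa0/1/1", "Fa0/3/4", "Fa0/3/0"}
    in_vlan1 = t.forward(1, "0000.1111.cccc", mac, "Fa0/3/0", 0.0, ports)
    in_vlan5 = t.forward(5, "0000.1111.cccc", mac, "Fa0/3/0", 0.0, ports)
    return in_vlan1, in_vlan5, t.floods


if __name__ == "__main__":
    print("floods with 300 s aging:", flood_count(300.0))
    print("floods with 10 s aging: ", flood_count(10.0))
    print(per_vlan_destinations())
```

With a 300 s aging time only the very first frame is flooded; with the 10 s minimum the text allows, every 60 s exchange starts with a flood because both entries have already been dropped.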
Follow these steps to configure the dynamic address table aging time.
SUMMARY STEPS
1. enable
2. configure terminal
3. mac-address-table aging-time seconds
4. end
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 mac-address-table aging-time seconds Enters the number of seconds that dynamic addresses are to be retained in the address table.
• Valid entries are from 10 to 1000000.
Example:
Router(config)# mac-address-table aging-time 30000
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
SUMMARY STEPS
1. enable
2. configure terminal
3. no mac-address-table dynamic hw-addr
4. end
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 no mac-address-table dynamic hw-addr Enters the MAC address to be removed from the dynamic MAC address table.
Example:
Router(config)# no mac-address-table dynamic 0100.5e05.0505
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
You can remove all dynamic entries by using the clear mac-address-table dynamic command in
privileged EXEC mode.
SUMMARY STEPS
1. enable
2. configure terminal
3. mac-address-table secure address hw-addr interface interface-id vlan vlan-id
4. end
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 mac-address-table secure address hw-addr interface interface-id vlan vlan-id Enters the MAC address, its associated port, and the VLAN ID.
Example:
Router(config)# mac-address-table secure address 0100.5e05.0505 interface 0/3/1 vlan 1
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
SUMMARY STEPS
1. enable
2. configure terminal
3. no mac-address-table secure hw-addr vlan vlan-id
4. end
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 no mac-address-table secure hw-addr vlan vlan-id Enters the secure MAC address and the VLAN ID of the entry to be removed.
Example:
Router(config)# no mac-address-table secure 0100.5e05.0505 vlan 1
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
You can remove all secure addresses by using the clear mac-address-table secure command in
privileged EXEC mode.
SUMMARY STEPS
1. enable
2. configure terminal
3. mac-address-table static hw-addr [interface] interface-id [vlan] vlan-id
4. end
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 mac-address-table static hw-addr [interface] interface-id [vlan] vlan-id Enters the static MAC address, the interface, and the VLAN ID of those ports.
Example:
Router(config)# mac-address-table static 0100.5e05.0505 interface 0/3/1 vlan 1
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
SUMMARY STEPS
1. enable
2. configure terminal
3. no mac-address-table static hw-addr [interface] interface-id [vlan] vlan-id
4. end
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 no mac-address-table static hw-addr [interface] interface-id [vlan] vlan-id Enters the static MAC address, the interface, and the VLAN ID of the port to be removed.
Example:
Router(config)# no mac-address-table static 0100.5e05.0505 interface 0/3/1 vlan 1
Step 4 end Returns to privileged EXEC mode.
Example:
Router(config)# end
You can remove all static addresses by using the clear mac-address-table static command in
privileged EXEC mode.
Command Purpose
Router# clear mac-address-table Clears all MAC address tables.
The following example shows how to change to the interface-range configuration mode using the
interface-range macro enet_list:
Router(config)# interface range macro enet_list
Stacking: Example
The following example shows how to stack two HWICs.
Router(config)# interface FastEthernet 0/1/8
Router(config-if)# no shutdown
Router(config-if)# switchport stacking-partner interface FastEthernet 0/3/8
Router(config-if)# interface FastEthernet 0/3/8
Router(config-if)# no shutdown
The following example shows how to configure the switch as a VTP client:
Router# vlan database
Router(vlan)# vtp client
Setting device to VTP CLIENT mode.
Router(vlan)# exit
The following example shows how to configure the switch as VTP transparent:
Router# vlan database
Router(vlan)# vtp transparent
Setting device to VTP TRANSPARENT mode.
Router(vlan)# exit
APPLY completed.
Exiting....
Router#
The following example shows how to verify the configuration of VLAN 200 on the interface when it is
configured as a trunk port:
The following example shows how to verify the configuration of the interface when it is configured as
an access port:
Router# show spanning-tree interface fastethernet 0/3/2
Port 33 (FastEthernet0/3/2) of VLAN20 is forwarding
Port path cost 18, Port priority 64, Port Identifier 64.33
Designated root has priority 32768, address 00ff.ff10.37b7
Designated bridge has priority 32768, address 00ff.ff10.37b7
Designated port id is 128.13, designated path cost 0
Timers: message age 2, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 1, received 175
Router#
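The show spanning-tree interface output above can be checked mechanically rather than read off the screen. This is an added Python parser, not part of the guide; SAMPLE is the output quoted above, and the field names are my own. The assessment derives two facts a reviewer wants: whether the designated bridge on the segment is the root itself (designated path cost 0 with matching addresses), and how many BPDUs the port has received, which on a port meant to face a single end station is the sign that another bridge is present on the segment.

```python
import re

# Output quoted from the show spanning-tree interface example above.
SAMPLE = """\
Port 33 (FastEthernet0/3/2) of VLAN20 is forwarding
Port path cost 18, Port priority 64, Port Identifier 64.33
Designated root has priority 32768, address 00ff.ff10.37b7
Designated bridge has priority 32768, address 00ff.ff10.37b7
Designated port id is 128.13, designated path cost 0
Timers: message age 2, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 1, received 175
"""

# (regex, field names, converters) for each line of interest
FIELDS = [
    (r"Port (\d+) \((\S+)\) of VLAN(\d+) is (\w+)",
     ("port", "interface", "vlan", "state"), (int, str, int, str)),
    (r"Port path cost (\d+), Port priority (\d+), Port Identifier (\S+)",
     ("path_cost", "port_priority", "port_id"), (int, int, str)),
    (r"Designated root has priority (\d+), address (\S+)",
     ("root_priority", "root_address"), (int, str)),
    (r"Designated bridge has priority (\d+), address (\S+)",
     ("designated_priority", "designated_address"), (int, str)),
    (r"Designated port id is (\S+), designated path cost (\d+)",
     ("designated_port_id", "designated_path_cost"), (str, int)),
    (r"Number of transitions to forwarding state: (\d+)",
     ("transitions",), (int,)),
    (r"BPDU: sent (\d+), received (\d+)",
     ("bpdu_sent", "bpdu_received"), (int, int)),
]


def parse_stp_interface(text: str) -> dict:
    """Turn one interface's show spanning-tree output into typed fields."""
    info = {}
    for pattern, names, convs in FIELDS:
        m = re.search(pattern, text, re.MULTILINE)
        if m:
            for name, conv, value in zip(names, convs, m.groups()):
                info[name] = conv(value)
    return info


def assess(info: dict) -> dict:
    """Derive the facts a reviewer would check from the parsed fields."""
    return {
        # designated path cost 0 means the designated bridge on this segment is the root
        "designated_bridge_is_root": (
            info.get("designated_path_cost") == 0
            and info.get("root_address") == info.get("designated_address")
        ),
        "is_forwarding": info.get("state") == "forwarding",
        # BPDUs received on a port expected to face one end station mean a bridge is there
        "bpdus_received": info.get("bpdu_received", 0),
        # more than one transition to forwarding means the port has flapped
        "flapped": info.get("transitions", 0) > 1,
    }


if __name__ == "__main__":
    parsed = parse_stp_interface(SAMPLE)
    print(parsed)
    print(assess(parsed))
```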
Note Because spanning tree is enabled by default, issuing a show running command to view the resulting
configuration will not display the command you entered to enable spanning tree.
The following example shows spanning tree being disabled on VLAN 20:
Router# configure terminal
Router(config)# no spanning-tree vlan 20
Router(config)# end
Router#
The following example shows port security being configured in the MAC address table.
Router(config)# mac-address-table secure 0000.1111.2222 fa0/1/2 vlan 3
Router(config)# end
HWIC Slot: 1
--------------
MACADDR         VLANID  INTERFACES
0100.5e05.0505  1       Fa0/1/1
0100.5e06.0606  2
HWIC Slot: 3
--------------
MACADDR         VLANID  INTERFACES
0100.5e05.0505  1       Fa0/3/4
0100.5e06.0606  2       Fa0/3/0
Router#
The following is an example of output from the show running interface privileged EXEC command
for VLAN 1:
Router# show running interface vlan 1
Building configuration...
Router#
Router# show ip igmp group
Router#
Storm-Control: Example
The following example shows bandwidth-based multicast suppression being enabled at 70 percent on
Fast Ethernet interface 2:
Router# configure terminal
Router(config)# interface FastEthernet0/3/3
Router(config-if)# storm-control multicast threshold 70.0 30.0
Router(config-if)# end
interface FastEthernet0/1/1
description DOT1Q port to IP Phone
switchport native vlan 50
switchport mode trunk
switchport voice vlan 150
interface Vlan 50
description data vlan
ip address 209.165.200.220 255.255.255.0
This configuration instructs the IP phone to generate a packet with an 802.1Q VLAN ID of 150 with an
802.1p value of 5 (default for voice bearer traffic).
Note In a centralized CallManager deployment model, the DHCP server might be located across the WAN
link. If so, an ip helper-address command pointing to the DHCP server should be included on the voice
VLAN interface for the IP phone. This is done to obtain its IP address as well as the address of the TFTP
server required for its configuration.
Be aware that IOS supports a DHCP server function. If this function is used, the EtherSwitch HWIC
serves as a local DHCP server and a helper address would not be required.
interface Vlan 60
description data vlan
ip address 10.60.1.1 255.255.255.0
interface Serial0/3/0
ip address 172.3.1.2 255.255.255.0
Note Standard IGP routing protocols such as RIP, IGRP, EIGRP, and OSPF are supported on the EtherSwitch
HWIC. Multicast routing is also supported for PIM dense mode, sparse mode and sparse-dense mode.
The EtherSwitch HWIC instructs the IP phone to generate an 802.1Q frame with a null VLAN ID value
but with an 802.1p value (default is COS of 5 for bearer traffic). The voice and data VLANs are both 40
in this example.
Note Using a separate subnet, and possibly a separate IP address space, may not be an option for
some small branch offices due to the IP routing configuration. If the IP routing can handle
an additional subnet at the remote branch, you can use Cisco Network Registrar and
secondary addressing.
Additional References
The following sections provide references related to EtherSwitch HWICs.
Related Documents
Standards
Standards Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. —
MIBs
RFCs
RFCs Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. —
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. http://www.cisco.com/public/support/tac/home.shtml
Command Reference
This feature uses no new or modified commands. To see the command pages for the commands used with
this feature, go to the Cisco IOS Master Commands List, Release 12.4, at http://www.cisco.com/
univercd/cc/td/doc/product/software/ios124/124mindx/124index.htm.
Note Table 10 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
Table 10 Feature Information for the 4-Port Cisco HWIC-4ESW and the 9-Port Cisco HWIC-D-9ESW EtherSwitch High
Speed WAN Interface Cards
This document explains how to configure the EtherSwitch network module. This network module is
supported on Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers. The EtherSwitch
network module is a modular, high-density voice network module that provides Layer 2 switching across
Ethernet ports. The EtherSwitch network module has sixteen 10/100 switched Ethernet ports with
integrated inline power and QoS features that are designed to extend Cisco AVVID-based voice-over-IP
(VoIP) networks to small branch offices.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Contents
• Prerequisites for the EtherSwitch Network Module, page 200
• Restrictions for the EtherSwitch Network Module, page 200
• Information About the EtherSwitch Network Module, page 201
• How to Configure the EtherSwitch Network Module, page 241
VLANs
Virtual local-area networks (VLANs) are a group of end stations with a common set of requirements,
independent of physical location. VLANs have the same attributes as a physical LAN but allow you to
group end stations even if they are not located physically on the same LAN segment.
VTP Domain
A VTP domain (also called a VLAN management domain) is made up of one or more interconnected
switches that share the same VTP domain name. A switch can be configured to be in only one VTP
domain. You make global VLAN configuration changes for the domain using either the command-line
interface (CLI) or Simple Network Management Protocol (SNMP).
By default, the switch is in VTP server mode and is in an un-named domain state until the switch receives
an advertisement for a domain over a trunk link or until you configure a management domain. You cannot
create or modify VLANs on a VTP server until the management domain name is specified or learned.
If the switch receives a VTP advertisement over a trunk link, it inherits the management domain name
and the VTP configuration revision number. The switch ignores advertisements with a different
management domain name or an earlier configuration revision number.
If you configure the switch as VTP transparent, you can create and modify VLANs, but the changes
affect only the individual switch.
When you make a change to the VLAN configuration on a VTP server, the change is propagated to all
switches in the VTP domain. VTP advertisements are transmitted out all trunk connections using IEEE
802.1Q encapsulation.
VTP maps VLANs dynamically across multiple LAN types with unique names and internal index
associations. Mapping eliminates excessive device administration required from network administrators.
VTP Modes
You can configure a switch to operate in any one of these VTP modes:
• Server—In VTP server mode, you can create, modify, and delete VLANs and specify other
configuration parameters (such as VTP version) for the entire VTP domain. VTP servers advertise
their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN
configuration with other switches based on advertisements received over trunk links. VTP server is
the default mode.
• Client—VTP clients behave the same way as VTP servers, but you cannot create, change, or delete
VLANs on a VTP client.
• Transparent—VTP transparent switches do not participate in VTP. A VTP transparent switch does
not advertise its VLAN configuration and does not synchronize its VLAN configuration based on
received advertisements. However, in VTP version 2, transparent switches do forward VTP
advertisements that they receive out their trunk interfaces.
VTP Advertisements
Each switch in the VTP domain sends periodic advertisements out each trunk interface to a reserved
multicast address. VTP advertisements are received by neighboring switches, which update their VTP
and VLAN configurations as necessary.
The following global configuration information is distributed in VTP advertisements:
• VLAN IDs (802.1Q)
• VTP domain name
• VTP configuration revision number
• VLAN configuration, including maximum transmission unit (MTU) size for each VLAN
• Frame format
VTP Version 2
If you use VTP in your network, you must decide whether to use VTP version 1 or version 2. VTP
version 2 supports the following features not supported in version 1:
Unrecognized Type-Length-Value (TLV) Support—A VTP server or client propagates configuration
changes to its other trunks, even for TLVs it is not able to parse. The unrecognized TLV is saved in
NVRAM.
Version-Dependent Transparent Mode—In VTP version 1, a VTP transparent switch inspects VTP
messages for the domain name and version, and forwards a message only if the version and domain name
match. Since only one domain is supported in the NM-16ESW software, VTP version 2 forwards VTP
messages in transparent mode, without checking the version.
Consistency Checks—In VTP version 2, VLAN consistency checks (such as VLAN names and values)
are performed only when you enter new information through the CLI or SNMP. Consistency checks are
not performed when new information is obtained from a VTP message, or when information is read from
NVRAM. If the digest on a received VTP message is correct, its information is accepted without
consistency checks.
Using the Spanning Tree Protocol with the EtherSwitch network module
Spanning Tree Protocol (STP) is a Layer 2 link management protocol that provides path redundancy
while preventing undesirable loops in the network. For a Layer 2 Ethernet network to function properly,
only one active path can exist between any two stations. Spanning tree operation is transparent to end
stations, which cannot detect whether they are connected to a single LAN segment or to a switched LAN
of multiple segments.
The EtherSwitch network module uses STP (the IEEE 802.1D bridge protocol) on all VLANs. By
default, a single instance of STP runs on each configured VLAN (provided that you do not manually
disable STP). You can enable and disable STP on a per-VLAN basis.
When you create fault-tolerant internetworks, you must have a loop-free path between all nodes in a
network. The spanning tree algorithm calculates the best loop-free path throughout a switched Layer 2
network. Switches send and receive spanning tree frames at regular intervals. The switches do not
forward these frames but use the frames to construct a loop-free path.
Multiple active paths between end stations cause loops in the network. If a loop exists in the network, end
stations might receive duplicate messages and switches might learn end station MAC addresses on multiple
Layer 2 interfaces. These conditions result in an unstable network.
Spanning Tree Protocol (STP) defines a tree with a root switch and a loop-free path from the root to all
switches in the Layer 2 network. STP forces redundant data paths into a standby (blocked) state. If a
network segment in the spanning tree fails and a redundant path exists, the spanning tree algorithm
recalculates the spanning tree topology and activates the standby path.
When two ports on a switch are part of a loop, the spanning tree port priority and port path cost setting
determine which port is put in the forwarding state and which port is put in the blocking state. The
spanning tree port priority value represents the location of an interface in the network topology and how
well located it is to pass traffic. The spanning tree port path cost value represents media speed.
For each VLAN, the switch with the highest bridge priority (the lowest numerical priority value) is
elected as the root switch. If all switches are configured with the default priority (32768), the switch with
the lowest MAC address in the VLAN becomes the root switch.
The spanning tree root switch is the logical center of the spanning tree topology in a switched network.
All paths that are not needed to reach the root switch from anywhere in the switched network are placed
in spanning tree blocking mode.
BPDUs contain information about the transmitting bridge and its ports, including bridge and MAC
addresses, bridge priority, port priority, and path cost. Spanning tree uses this information to elect the
root bridge and root port for the switched network, as well as the root port and designated port for each
switched segment.
STP Timers
Table 11 describes the STP timers that affect the entire spanning tree performance.
Timer Purpose
Hello timer Determines how often the switch broadcasts hello messages to other switches.
Forward delay timer Determines how long each of the listening and learning states will last before the port begins forwarding.
Maximum age timer Determines the amount of time protocol information received on a port is stored by the switch.
[Figure: Spanning tree port states (S5691). States shown: Boot-up initialization, Blocking state, Listening state, Learning state, Forwarding state, Disabled state.]
Boot-up Initialization
When you enable spanning tree, every port in the switch, VLAN, or network goes through the blocking
state and the transitory states of listening and learning at power up. If properly configured, each Layer 2
interface stabilizes to the forwarding or blocking state.
When the spanning tree algorithm places a Layer 2 interface in the forwarding state, the following
process occurs:
1. The Layer 2 interface is put into the listening state while it waits for protocol information that
suggests that it should go to the blocking state.
2. The Layer 2 interface waits for the forward delay timer to expire, moves the Layer 2 interface to the
learning state, and resets the forward delay timer.
3. In the learning state, the Layer 2 interface continues to block frame forwarding as it learns end
station location information for the forwarding database.
4. The Layer 2 interface waits for the forward delay timer to expire and then moves the Layer 2
interface to the forwarding state, where both learning and frame forwarding are enabled.
Blocking State
A Layer 2 interface in the blocking state does not participate in frame forwarding, as shown in Figure 21.
After initialization, a BPDU is sent out to each Layer 2 interface in the switch. A switch initially assumes
it is the root until it exchanges BPDUs with other switches. This exchange establishes which switch in
the network is the root or root bridge. If only one switch is in the network, no exchange occurs, the
forward delay timer expires, and the ports move to the listening state. A port always enters the blocking
state following switch initialization.
[Figure 21: Layer 2 interface in the blocking state (S5692). Labels: Port 1 (forwarding) and Port 2 (blocking) on a segment; Station addresses; BPDUs and data frames; Network management frames; Data frames; BPDUs.]
Listening State
The listening state is the first transitional state a Layer 2 interface enters after the blocking state. The
Layer 2 interface enters this state when STP determines that the Layer 2 interface should participate in
frame forwarding. Figure 22 shows a Layer 2 interface in the listening state.
[Figure 22: Layer 2 interface in the listening state (S5693). Labels: Port 1, Port 2; Station addresses; BPDUs and data frames; Network management frames; Data frames; BPDUs.]
Learning State
A Layer 2 interface in the learning state prepares to participate in frame forwarding. The Layer 2
interface enters the learning state from the listening state. Figure 23 shows a Layer 2 interface in the
learning state.
[Figure 23: Layer 2 interface in the learning state (S5694). Labels: Port 1, Port 2; Station addresses; BPDUs and data frames; Network management frames; Data frames; BPDUs.]
Forwarding State
A Layer 2 interface in the forwarding state forwards frames, as shown in Figure 24. The Layer 2 interface
enters the forwarding state from the learning state.
[Figure 24: Layer 2 interface in the forwarding state (S5695). Labels: Port 1, Port 2; Station addresses; BPDUs and data frames.]
Disabled State
A Layer 2 interface in the disabled state does not participate in frame forwarding or spanning tree, as
shown in Figure 25. A Layer 2 interface in the disabled state is virtually nonoperational.
[Figure 25: Layer 2 interface in the disabled state (S5696). Labels: Port 1, Port 2; Station addresses; BPDUs and data frames; Network management frames; Data frames.]
MAC addresses are allocated sequentially, with the first MAC address in the range assigned to VLAN 1,
the second MAC address in the range assigned to VLAN 2, and so forth.
For example, if the MAC address range is 00-e0-1e-9b-2e-00 to 00-e0-1e-9b-31-ff, the VLAN 1 bridge
ID is 00-e0-1e-9b-2e-00, the VLAN 2 bridge ID is 00-e0-1e-9b-2e-01, the VLAN 3 bridge ID is
00-e0-1e-9b-2e-02, and so forth.
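The sequential allocation of bridge MAC addresses to VLANs, together with the root election rule stated earlier (highest bridge priority, i.e. the lowest numerical value, then the lowest MAC address), as an added Python example that is not part of the guide. The MAC range is the one quoted above; the switch names, the other two ranges and the non-default priority in the election demo are constructed.

```python
import re
from typing import Dict, Tuple


def mac_to_int(mac: str) -> int:
    """Accept 00-e0-1e-9b-2e-00, 00e0.1e9b.2e00 or 00:e0:1e:9b:2e:00 notation."""
    return int(re.sub(r"[-.:]", "", mac), 16)


def int_to_mac(value: int) -> str:
    digits = f"{value:012x}"
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def vlan_bridge_mac(range_start: str, vlan_id: int) -> str:
    """VLAN 1 takes the first address of the switch's range, VLAN 2 the second,
    and so forth, exactly as the text describes."""
    return int_to_mac(mac_to_int(range_start) + vlan_id - 1)


def addresses_in_range(range_start: str, range_end: str) -> int:
    """How many per-VLAN bridge addresses a range provides (inclusive)."""
    return mac_to_int(range_end) - mac_to_int(range_start) + 1


def bridge_id(priority: int, range_start: str, vlan_id: int) -> Tuple[int, int]:
    """Bridge ID ordering for one VLAN: priority first, then that VLAN's
    bridge MAC. The lowest tuple wins the election."""
    return (priority, mac_to_int(vlan_bridge_mac(range_start, vlan_id)))


def elect_root(switches: Dict[str, Tuple[int, str]], vlan_id: int) -> str:
    """switches maps a name to (priority, first MAC of that switch's range).
    Returns the name of the root switch for the given VLAN."""
    return min(switches, key=lambda name: bridge_id(*switches[name], vlan_id))


def election_demo() -> Tuple[str, str]:
    """Constructed switches: all at the default priority 32768 first, then
    SwitchC lowered to 4096, which outranks any MAC address comparison."""
    switches = {
        "SwitchA": (32768, "00-e0-1e-9b-2e-00"),   # range quoted in the text
        "SwitchB": (32768, "00-e0-1e-9b-32-00"),   # constructed
        "SwitchC": (32768, "00-e0-1e-9b-36-00"),   # constructed
    }
    default_root = elect_root(switches, 1)
    switches["SwitchC"] = (4096, "00-e0-1e-9b-36-00")
    return default_root, elect_root(switches, 1)


if __name__ == "__main__":
    for vlan in (1, 2, 3):
        print(f"VLAN {vlan} bridge ID: {vlan_bridge_mac('00-e0-1e-9b-2e-00', vlan)}")
    print("addresses in range:", addresses_in_range("00-e0-1e-9b-2e-00", "00-e0-1e-9b-31-ff"))
    print("root (default priorities), root (SwitchC at 4096):", election_demo())
```

The quoted range 00-e0-1e-9b-2e-00 to 00-e0-1e-9b-31-ff holds 1024 addresses, enough for the 1001 VLAN IDs the configuration steps allow.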
cost values to interfaces that you want spanning tree to select last. If all interfaces have the same cost
value, spanning tree puts the interface with the lowest interface number in the forwarding state and
blocks other interfaces.
The possible cost range is 0 to 65535 (the default is media-specific).
Spanning tree uses the port cost value when the interface is configured as an access port and uses VLAN
port cost values when the interface is configured as a trunk port.
BackboneFast
BackboneFast is initiated when a root port or blocked port on a switch receives inferior BPDUs from its
designated bridge. An inferior BPDU identifies one switch as both the root bridge and the designated
bridge. When a switch receives an inferior BPDU, it means that a link to which the switch is not directly
connected (an indirect link) has failed (that is, the designated bridge has lost its connection to the root
switch). Under STP rules, the switch ignores inferior BPDUs for the configured maximum aging time
specified by the spanning-tree max-age global configuration command.
The switch tries to determine if it has an alternate path to the root switch. If the inferior BPDU arrives
on a blocked port, the root port and other blocked ports on the switch become alternate paths to the root
switch. (Self-looped ports are not considered alternate paths to the root switch.) If the inferior BPDU
arrives on the root port, all blocked ports become alternate paths to the root switch. If the inferior BPDU
arrives on the root port and there are no blocked ports, the switch assumes that it has lost connectivity
to the root switch, causes the maximum aging time on the root to expire, and becomes the root switch
according to normal STP rules.
If the switch has alternate paths to the root switch, it uses these alternate paths to transmit a new kind of
Protocol Data Unit (PDU) called the Root Link Query PDU. The switch sends the Root Link Query PDU
on all alternate paths to the root switch. If the switch determines that it still has an alternate path to the
root, it causes the maximum aging time on the ports on which it received the inferior BPDU to expire.
If all the alternate paths to the root switch indicate that the switch has lost connectivity to the root switch,
the switch causes the maximum aging times on the ports on which it received an inferior BPDU to expire.
If one or more alternate paths can still connect to the root switch, the switch makes all ports on which it
received an inferior BPDU its designated ports and moves them out of the blocking state (if they were
in the blocking state), through the listening and learning states, and into the forwarding state.
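The decision logic described above, as an added illustration that is not part of the original guide or of IOS: one switch's port roles and the answers to its Root Link Query are supplied as plain Python values, and the function returns the action the text prescribes for each case. The port names, roles and RLQ answers are constructed; the STP timer defaults used for the timing comparison are the IEEE defaults (max-age 20 s, forward delay 15 s).

```python
# BackboneFast decision logic for one switch. Constructed model, not IOS
# code: port roles and Root Link Query (RLQ) answers are supplied as values.

ALTERNATE_ROLES = {"root", "blocked"}   # self-looped ports are never alternates


def alternate_paths(ports, received_on):
    """Ports that count as alternate paths to the root after an inferior BPDU.

    ports: {port_name: role}, role in "root", "blocked", "designated", "self-looped"
    received_on: port on which the inferior BPDU arrived from its designated bridge
    """
    role = ports[received_on]
    if role == "blocked":
        # the root port plus every other blocked port
        return sorted(p for p, r in ports.items()
                      if p != received_on and r in ALTERNATE_ROLES)
    if role == "root":
        # every blocked port
        return sorted(p for p, r in ports.items() if r == "blocked")
    return []   # an inferior BPDU on a designated port does not trigger BackboneFast


def backbonefast(ports, received_on, rlq_reaches_root):
    """Action the switch takes on an inferior BPDU.

    rlq_reaches_root: {port_name: bool}, the answer to the Root Link Query
    sent on each alternate path.
    """
    if ports[received_on] not in ALTERNATE_ROLES:
        return "ignore"
    alternates = alternate_paths(ports, received_on)
    if not alternates:
        # root port with nothing blocked: expire max-age and become the root
        return "become-root"
    if any(rlq_reaches_root.get(p, False) for p in alternates):
        # root still reachable: expire max-age on the receiving port and move it
        # through listening and learning to forwarding as a designated port
        return "designated-forwarding"
    return "expire-max-age"


def convergence_seconds(with_backbonefast, max_age=20, forward_delay=15):
    """Seconds until the port forwards (IEEE defaults: max-age 20, forward
    delay 15). BackboneFast removes the max-age wait; listening and learning
    still take one forward delay each."""
    wait = 0 if with_backbonefast else max_age
    return wait + 2 * forward_delay


# Figure 26 as seen from Switch C: L2 is its root port, L3 (to Switch B) is blocked.
SWITCH_C = {"L2": "root", "L3": "blocked"}

if __name__ == "__main__":
    print(alternate_paths(SWITCH_C, "L3"), backbonefast(SWITCH_C, "L3", {"L2": True}))
    print(convergence_seconds(True), convergence_seconds(False))
```

With Switch C's view of Figure 26, the inferior BPDU from Switch B arrives on the blocked port L3, the only alternate path is the root port L2, and a successful RLQ over L2 lets L3 move to forwarding after two forward delays instead of max-age plus two forward delays.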
Figure 26 shows an example topology with no link failures. Switch A, the root switch, connects directly
to Switch B over link L1 and to Switch C over link L2. The interface on Switch C that connects directly
to Switch B is in the blocking state.
Figure 26 BackboneFast example before an indirect link failure: Switch A (root) connects to Switch B over L1 and to Switch C over L2; L3 connects Switch B and Switch C, and the Switch C port on L3 is blocked.
If link L1 fails, Switch C cannot detect this failure because it is not connected directly to link L1.
However, because Switch B is directly connected to the root switch over L1, it detects the failure, elects
itself the root, and begins sending BPDUs to Switch C, identifying itself as the root. When Switch C
receives the inferior BPDUs from Switch B, Switch C assumes that an indirect failure has occurred. At
that point, BackboneFast allows the blocked port on Switch C to move immediately to the listening state
without waiting for the maximum aging time for the port to expire. BackboneFast then changes the
interface on Switch C to the forwarding state, providing a path from Switch B to Switch A. This
switchover takes approximately 30 seconds, twice the Forward Delay time when the default Forward Delay
of 15 seconds is set. Without BackboneFast, the port would first have to wait for the maximum aging time
(20 seconds by default) to expire before it entered the listening state. Figure 27 shows how BackboneFast
reconfigures the topology to account for the failure of link L1.
Figure 27 BackboneFast example after link L1 fails: the blocked Switch C port on L3 moves through the listening and learning states to the forwarding state.
If a new switch is introduced into a shared-medium topology as shown in Figure 28, BackboneFast is not
activated because the inferior BPDUs did not come from the recognized designated bridge (Switch B).
The new switch begins sending inferior BPDUs that say it is the root switch. However, the other switches
ignore these inferior BPDUs, and the new switch learns that Switch B is the designated bridge to
Switch A, the root switch.
Figure 28 Adding a switch in a shared-medium topology: Switch A (root), Switch B (designated bridge), Switch C with its blocked port, and the added switch.
VLAN Trunks
A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking
device such as a router or a switch. Trunks carry the traffic of multiple VLANs over a single link and
allow you to extend VLANs across an entire network. The EtherSwitch network module supports only one
trunking encapsulation on all Ethernet interfaces, IEEE 802.1Q, which is an industry-standard trunking
encapsulation. You can configure a trunk on a single Ethernet interface or on an EtherChannel bundle.
When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch
combines the spanning tree instance of the VLAN trunk with the spanning tree instance of the other
802.1Q switch. However, Cisco switches that are separated by a cloud of non-Cisco 802.1Q switches still
maintain separate spanning tree information for each VLAN; the non-Cisco 802.1Q cloud between them is
treated as a single trunk link between the Cisco switches.
Make sure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. Frames on
the native VLAN are sent untagged, so if the native VLAN on one end of the trunk differs from the native
VLAN on the other end, each end places those frames into a different VLAN and spanning tree loops might
result. Inconsistencies detected by a Cisco switch mark the link as broken and block traffic for the
specific VLAN.
Disabling spanning tree on the VLAN of an 802.1Q trunk without disabling spanning tree on every
VLAN in the network can potentially cause spanning tree loops. Cisco recommends that you leave
spanning tree enabled on the VLAN of an 802.1Q trunk or that you disable spanning tree on every VLAN
in the network. Make sure that your network is loop-free before disabling spanning tree.
Port Security
You can use port security to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the
MAC address of the station attempting to access the port is different from any of the MAC addresses
specified for that port. Alternatively, you can use port security to filter traffic destined to or received from
a specific host based on the host MAC address.
802.1x Authentication
This section describes how to configure IEEE 802.1x port-based authentication to prevent unauthorized
devices (clients) from gaining access to the network. As LANs extend into hotels, airports, and corporate
lobbies, a live switch port is no longer evidence that the device plugged into it should be trusted.
Device Roles
With 802.1x port-based authentication, the devices in the network have specific roles as shown in
Figure 29.
Figure 29 802.1x device roles: workstation (client), EtherSwitch network module (switch), and authentication server (RADIUS).
• Client—the device (workstation) that requests access to the LAN and switch services and responds
to the requests from the switch. The workstation must be running 802.1x-compliant client software such
as that offered in the Microsoft Windows XP operating system. (The client is the supplicant in the IEEE
802.1x specification.)
Note To resolve Windows XP network connectivity and 802.1x authentication issues, read the
Microsoft Knowledge Base article at this URL:
http://support.microsoft.com/support/kb/articles/Q303/5/97.ASP
• Authentication server—performs the actual authentication of the client. The authentication server
validates the identity of the client and notifies the switch whether or not the client is authorized to
access the LAN and switch services. Because the switch acts as the proxy, the authentication service
is transparent to the client. In this release, the Remote Authentication Dial-In User Service (RADIUS)
security system with Extensible Authentication Protocol (EAP) extensions is the only supported
authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS
operates in a client/server model in which secure authentication information is exchanged between
the RADIUS server and one or more RADIUS clients.
• Switch (edge switch or wireless access point)—controls the physical access to the network based on
the authentication status of the client. The switch acts as an intermediary (proxy) between the client
and the authentication server, requesting identity information from the client, verifying that
information with the authentication server, and relaying a response to the client. The switch includes
the RADIUS client, which is responsible for encapsulating and decapsulating the Extensible
Authentication Protocol (EAP) frames and interacting with the authentication server.
When the switch receives EAPOL frames and relays them to the authentication server, the Ethernet
header is stripped and the remaining EAP frame is reencapsulated in the RADIUS format. The EAP
frames are not modified or examined during encapsulation, and the authentication server must
support EAP within the native frame format. When the switch receives frames from the
authentication server, the server’s frame header is removed, leaving the EAP frame, which is then
encapsulated for Ethernet and sent to the client.
The devices that can act as intermediaries include the Catalyst 3550 multilayer switch, Catalyst 2950
switch, or a wireless access point. These devices must be running software that supports the
RADIUS client and 802.1x.
Note If 802.1x is not enabled or supported on the network access device, any EAPOL frames from the
client are dropped. If the client does not receive an EAP-Request/Identity frame after three attempts
to start authentication, the client transmits frames as if the port were in the authorized state; that
is, the supplicant fails open rather than refusing to use the port, so the switch, not the client, is
what actually gates access. A port in the authorized state effectively means that the client has been
successfully authenticated.
When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames
between the client and the authentication server until authentication succeeds or fails. If the
authentication succeeds, the switch port becomes authorized.
The specific exchange of EAP frames depends on the authentication method being used. Figure 30 shows
a message exchange initiated by the client using the One-Time-Password (OTP) authentication method
with a RADIUS server.
Figure 30 Message exchange (client-initiated, OTP method, RADIUS server):
Client -> Switch: EAPOL-Start
Switch -> Client: EAP-Request/Identity
Client -> Switch: EAP-Response/Identity; Switch -> Server: RADIUS Access-Request
Server -> Switch: RADIUS Access-Challenge; Switch -> Client: EAP-Request/OTP
Client -> Switch: EAP-Response/OTP; Switch -> Server: RADIUS Access-Request
Server -> Switch: RADIUS Access-Accept; Switch -> Client: EAP-Success
Port Authorized
Client -> Switch: EAPOL-Logoff
Port Unauthorized
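The exchange in Figure 30 as runnable code, added here as an example and not part of the original guide or of Cisco software: a supplicant, an authenticator (the switch) and a RADIUS server. The switch strips the EAPOL framing, relays the EAP payload unchanged inside RADIUS and opens or closes the port on the RADIUS result, as the role descriptions above state. Frames and packets are simplified Python objects rather than wire formats, and the user name, OTP secret and challenge string are constructed. The three EAPOL-Start attempts and the fail-open behaviour from the Note above are modelled as well.

```python
# 802.1x supplicant / authenticator / RADIUS model. Added example, not Cisco
# code; frame layouts are simplified and the OTP table is constructed.
from dataclasses import dataclass, field

OTP_TABLE = {"alice": "kx9-bird-lamp"}        # constructed server-side OTP secrets


@dataclass
class Eap:
    code: str            # Request, Response, Success, Failure
    kind: str = ""       # Identity or OTP (empty for Success/Failure)
    data: str = ""


class RadiusServer:
    """Sees EAP only inside RADIUS Access-Request; never sees Ethernet."""

    def access_request(self, user_name, eap):
        if eap.kind == "Identity":
            if user_name not in OTP_TABLE:
                return "Access-Reject", Eap("Failure")
            return "Access-Challenge", Eap("Request", "OTP", "otp-md5 499 ke1234")
        if eap.kind == "OTP" and OTP_TABLE.get(user_name) == eap.data:
            return "Access-Accept", Eap("Success")
        return "Access-Reject", Eap("Failure")


@dataclass
class Switch:
    """Authenticator: strips the EAPOL header, relays EAP unchanged to RADIUS
    and back, and authorizes or de-authorizes the port on the RADIUS result."""
    radius: RadiusServer
    dot1x_enabled: bool = True
    authorized: bool = False
    user_name: str = ""
    radius_log: list = field(default_factory=list)

    def eapol(self, frame):
        """frame: "EAPOL-Start", "EAPOL-Logoff", or an Eap carried in EAPOL."""
        if not self.dot1x_enabled:
            return None                         # EAPOL is dropped (see the Note)
        if frame == "EAPOL-Start":
            return Eap("Request", "Identity")
        if frame == "EAPOL-Logoff":
            self.authorized = False
            return None
        if frame.kind == "Identity":
            self.user_name = frame.data         # becomes the RADIUS User-Name
        code, reply = self.radius.access_request(self.user_name, frame)
        self.radius_log.append(code)
        if code == "Access-Accept":
            self.authorized = True
        elif code == "Access-Reject":
            self.authorized = False
        return reply


def supplicant(switch, identity, otp, start_attempts=3):
    """Run the client side; return "authorized", "failed" or "no-dot1x"."""
    reply = None
    for _ in range(start_attempts):
        reply = switch.eapol("EAPOL-Start")
        if reply is not None:
            break
    if reply is None:
        # No EAP-Request/Identity after three tries: the client sends traffic
        # as if the port were authorized (fail-open on the client side).
        return "no-dot1x"
    while reply.code == "Request":
        if reply.kind == "Identity":
            reply = switch.eapol(Eap("Response", "Identity", identity))
        else:                                   # EAP-Request/OTP
            reply = switch.eapol(Eap("Response", "OTP", otp))
    return "authorized" if reply.code == "Success" else "failed"


if __name__ == "__main__":
    sw = Switch(RadiusServer())
    print(supplicant(sw, "alice", "kx9-bird-lamp"), sw.radius_log)
    sw.eapol("EAPOL-Logoff")
    print("authorized" if sw.authorized else "unauthorized")
```

Note what the switch never does: it does not look inside the EAP payload, and it never sees the OTP secret. Its only decisions are driven by the RADIUS code, which is why a RADIUS server that is unreachable or misconfigured leaves the port unauthorized, while a switch with 802.1x disabled lets the supplicant fall through to normal traffic.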
Supported Topologies
The 802.1x port-based authentication is supported in two topologies:
• Point-to-point
• Wireless LAN
In a point-to-point configuration (see Figure 29 on page 219), only one client can be connected to the
802.1x-enabled switch port. The switch detects the client when the port link state changes to the up state.
If a client leaves or is replaced with another client, the switch changes the port link state to down, and
the port returns to the unauthorized state.
Figure 31 shows 802.1x-port-based authentication in a wireless LAN. The 802.1x port is configured as
a multiple-host port that becomes authorized as soon as one client is authenticated. When the port is
authorized, all other hosts indirectly attached to the port are granted access to the network. If the port
becomes unauthorized (reauthentication fails or an EAPOL-logoff message is received), the switch
denies access to the network to all of the attached clients. In this topology, the wireless access point is
responsible for authenticating the clients attached to it, and the wireless access point acts as a client to
the switch.
Figure 31 802.1x authentication in a wireless LAN: wireless clients attach to the access point, which authenticates them and acts as the client toward the switch.
Storm Control
A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading network
performance. Errors in the protocol-stack implementation or in the network configuration can cause a
storm. Storm control can be implemented globally or on a per-port basis. Global storm control and
per-port storm control cannot be enabled at the same time.
Figure: storm control over time. The graph plots the total number of broadcast packets or bytes against time (T1 through T5); traffic above the threshold is blocked and traffic below it is forwarded.
When global storm control is enabled, the switch monitors packets passing from an interface to the
switching bus and determines if the packet is unicast, multicast, or broadcast. The switch monitors the
number of broadcast, multicast, or unicast packets received within the 1-second time interval, and when
a threshold for one type of traffic is reached, that type of traffic is dropped. This threshold is specified
as a percentage of total available bandwidth that can be used by broadcast (multicast or unicast) traffic.
The combination of broadcast suppression threshold numbers and the 1-second time interval control the
way the suppression algorithm works. A higher threshold allows more packets to pass through. A
threshold value of 100 percent means that no limit is placed on the traffic.
Note Because packets do not arrive at uniform intervals, the 1-second time interval during which traffic
activity is measured can affect the behavior of global storm control.
The switch continues to monitor traffic on the port, and when the utilization level is below the threshold
level, the type of traffic that was dropped is forwarded again.
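A window model of the suppression algorithm just described, added here as an example (not IOS code): one 1-second window at a time, a per-type byte budget derived from the threshold percentage and the link rate, and a reset at the next window so the dropped type is forwarded again once it is under the threshold. The traffic list and the 10-Mbps link rate are constructed; the timestamps are deliberately non-uniform so the burst in the Note above is visible.

```python
# Storm-control window model. Added illustration, not IOS code; the traffic
# and the link rate are constructed.
from collections import defaultdict


def storm_control(packets, threshold_pct, link_bps, window=1.0):
    """Return {kind: (forwarded, dropped)} packet counts.

    packets: iterable of (time_s, kind, size_bytes), kind being
    "broadcast", "multicast" or "unicast".
    threshold_pct: share of link bandwidth one traffic type may use within
    each window; 100 means no limit.
    """
    if threshold_pct >= 100:
        limit = float("inf")
    else:
        limit = threshold_pct / 100 * link_bps * window / 8   # bytes per window
    used = defaultdict(int)                  # (window index, kind) -> bytes accepted
    counts = defaultdict(lambda: [0, 0])     # kind -> [forwarded, dropped]
    for t, kind, size in packets:
        key = (int(t // window), kind)
        if used[key] + size <= limit:
            used[key] += size
            counts[kind][0] += 1
        else:
            counts[kind][1] += 1             # suppressed until the next window
    return {k: tuple(v) for k, v in counts.items()}


def constructed_traffic():
    """100 broadcast packets inside the first second (60 of them in a 60 ms
    burst), 20 unicast packets in the same second, then a quiet second with
    10 broadcast packets. 1000 bytes each."""
    pkts = [(0.001 * i, "broadcast", 1000) for i in range(60)]
    pkts += [(0.5 + 0.01 * i, "broadcast", 1000) for i in range(40)]
    pkts += [(0.02 * i, "unicast", 1000) for i in range(20)]
    pkts += [(1.1 + 0.05 * i, "broadcast", 1000) for i in range(10)]
    return sorted(pkts)


if __name__ == "__main__":
    # 5 % of 10 Mbps is 62,500 bytes per second: 62 broadcast packets pass in
    # the first window, 38 are dropped, and all 10 pass in the quiet second.
    print(storm_control(constructed_traffic(), 5, 10_000_000))
    print(storm_control(constructed_traffic(), 100, 10_000_000))
```

The unicast packets are untouched by the broadcast budget because each type is accounted separately, and the burst at the start of the window does not matter by itself: only the total within the window is compared against the threshold, which is the behaviour the Note describes.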
EtherChannel
EtherChannel bundles up to eight individual Ethernet links into a single logical link that provides
bandwidth of up to 1600 Mbps (Fast EtherChannel, full duplex) between the network module and another
switch or host.
An EtherSwitch network module system supports a maximum of six EtherChannels. All interfaces in
each EtherChannel must have the same speed and duplex mode.
Load Balancing
EtherChannel balances traffic load across the links in a channel by reducing part of the binary pattern
formed from the addresses in the frame to a numerical value that selects one of the links in the channel.
EtherChannel load balancing can use MAC addresses or IP addresses; either source or destination or
both source and destination. The selected mode applies to all EtherChannels configured on the switch.
Use the option that provides the greatest variety in your configuration. For example, if the traffic on a
channel is going only to a single MAC address, using the destination MAC address always chooses the
same link in the channel; using source addresses or IP addresses may result in better load balancing.
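An added example, not Cisco's implementation, of the point made in the previous paragraph: a toy link-selection function that XORs the low-order byte of the selected address fields and reduces the result modulo the link count, run over eight hosts that all talk to one server. The hash itself (low-order-byte XOR, modulo the number of links) and every address are assumptions; the hardware uses its own low-order-bit function, but the degenerate case is the same.

```python
# EtherChannel link selection, toy model. Added illustration; the hash and
# the addresses are assumptions, not Cisco's exact algorithm.
from collections import Counter

MODES = {
    "src-mac": ("src_mac",),
    "dst-mac": ("dst_mac",),
    "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip": ("src_ip",),
    "dst-ip": ("dst_ip",),
    "src-dst-ip": ("src_ip", "dst_ip"),
}


def low_byte(addr):
    """Low-order byte of a MAC ("00:11:22:33:44:55" or "0011.2233.4455")
    or of an IPv4 address ("10.1.1.5")."""
    if ":" in addr:
        return int(addr.split(":")[-1], 16)
    last = addr.split(".")[-1]
    return int(last[-2:], 16) if len(last) == 4 else int(last)


def select_link(frame, mode, n_links):
    """XOR the low-order byte of each selected field, then pick a link index."""
    h = 0
    for field in MODES[mode]:
        h ^= low_byte(frame[field])
    return h % n_links


def distribution(frames, mode, n_links):
    """How many frames land on each link index under the given mode."""
    return dict(Counter(select_link(fr, mode, n_links) for fr in frames))


def constructed_flows():
    """Eight hosts all sending to one server: the single-destination case."""
    return [{"src_mac": f"00:11:22:33:44:{i:02x}",
             "dst_mac": "00:aa:bb:cc:dd:10",
             "src_ip": f"10.0.0.{i + 1}",
             "dst_ip": "10.0.0.100"} for i in range(8)]


if __name__ == "__main__":
    flows = constructed_flows()
    for mode in ("dst-mac", "dst-ip", "src-mac", "src-dst-mac"):
        print(f"{mode:12s} over 4 links -> {distribution(flows, mode, 4)}")
```

Destination-based modes put every frame on one link because the only varying input is constant; source or source-destination modes spread the same traffic across all four links. The mode is global to the switch, so choose it for the traffic mix you actually carry, not for one channel.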
Intrachassis Stacking
Multiple switch modules may be installed simultaneously by connecting the Gigabit Ethernet (GE) ports
of the EtherSwitch network modules. This connection sustains line-rate traffic, similar to the switch
fabric found in Cisco Catalyst switches, and forms a single VLAN consisting of all ports in the multiple
EtherSwitch network modules. The stacking port must be configured for multiple switch modules to
operate correctly in the same chassis.
• MAC address entries learned via intrachassis stacking are not displayed.
• Link status of intrachassis stacked ports are filtered.
Destination Interface
A destination interface (also called a monitor interface) is a switched interface to which SPAN sends
packets for analysis. You can have one SPAN destination interface. Once an interface becomes an active
destination interface, incoming traffic is disabled. You cannot configure a SPAN destination interface to
receive ingress traffic. The interface does not forward any traffic except that required for the SPAN
session.
An interface configured as a destination interface cannot be configured as a source interface.
EtherChannel interfaces cannot be SPAN destination interfaces.
Specifying a trunk interface as a SPAN destination interface stops trunking on the interface.
Source Interface
A source interface is an interface monitored for network traffic analysis. One or more source interfaces
can be monitored in a single SPAN session with user-specified traffic types (ingress, egress, or both)
applicable for all the source interfaces.
You can configure source interfaces in any VLAN. You can configure EtherChannel as source interfaces,
which means that all interfaces in the specified VLANs are source interfaces for the SPAN session.
Trunk interfaces can be configured as source interfaces and mixed with nontrunk source interfaces;
however, the destination interface never encapsulates.
Traffic Types
Ingress SPAN (Rx) copies network traffic received by the source interfaces for analysis at the destination
interface. Egress SPAN (Tx) copies network traffic transmitted from the source interfaces. Specifying
the configuration option both copies network traffic received and transmitted by the source interfaces to
the destination interface.
SPAN Traffic
Network traffic, including multicast, can be monitored using SPAN. Multicast packet monitoring is
enabled by default. In some SPAN configurations, multiple copies of the same source packet are sent to
the SPAN destination interface. For example, a bidirectional (both ingress and egress) SPAN session is
configured for sources a1 and a2 to a destination interface d1. If a packet enters the switch through a1
and gets switched to a2, both incoming and outgoing packets are sent to destination interface d1; both
packets would be the same (unless a Layer-3 rewrite had occurred, in which case the packets would be
different).
Routed Ports
A routed port is a physical port that acts like a port on a router; it does not have to be connected to a
router. A routed port is not associated with a particular VLAN, as is an access port. A routed port behaves
like a regular router interface, except that it does not support subinterfaces. Routed ports can be
configured with a Layer 3 routing protocol.
Configure routed ports by putting the interface into Layer 3 mode with the no switchport interface
configuration command. Then assign an IP address to the port, enable routing, and assign routing
protocol characteristics by using the ip routing and router protocol global configuration commands.
Caution Entering a no switchport interface configuration command shuts the interface down and then
reenables it, which might generate messages on the device to which the interface is connected.
Furthermore, when you use this command to put the interface into Layer 3 mode, you are deleting
any Layer 2 characteristics configured on the interface. (Also, when you return the interface to
Layer 2 mode, you are deleting any Layer 3 characteristics configured on the interface.)
The number of routed ports and SVIs that you can configure is not limited by software; however, the
interrelationship between this number and the number of other features being configured might have an
impact on CPU utilization because of hardware limitations.
Routed ports support only Cisco Express Forwarding (CEF) switching (IP fast switching is not
supported).
IGMP Snooping
Internet Group Management Protocol (IGMP) snooping constrains the flooding of multicast traffic by
dynamically configuring the interfaces so that multicast traffic is forwarded only to those interfaces
associated with IP multicast devices. The LAN switch snoops on the IGMP traffic between the host and
the router and keeps track of multicast groups and member ports. When the switch receives an IGMP
join report from a host for a particular multicast group, the switch adds the host port number to the
associated multicast forwarding table entry. When it receives an IGMP Leave Group message from a
host, it removes the host port from the table entry. After it relays the IGMP queries from the multicast
router, it deletes entries periodically if it does not receive any IGMP membership reports from the
multicast clients.
When IGMP snooping is enabled, the multicast router sends out periodic IGMP general queries to all
VLANs. The switch responds to the router queries with only one join request per MAC multicast group,
and the switch creates one entry per VLAN in the Layer 2 forwarding table for each MAC group from
which it receives an IGMP join request. All hosts interested in this multicast traffic send join requests
and are added to the forwarding table entry.
Layer 2 multicast groups learned through IGMP snooping are dynamic. However, you can statically
configure MAC multicast groups by using the ip igmp snooping vlan static command. If you specify
group membership for a multicast group address statically, your setting supersedes any automatic
manipulation by IGMP snooping. Multicast group membership lists can consist of both user-defined and
IGMP snooping-learned settings.
EtherSwitch network modules support a maximum of 255 IP multicast groups and support both IGMP
version 1 and IGMP version 2.
If a port spanning-tree, a port group, or a VLAN ID change occurs, the IGMP snooping-learned multicast
groups from this port on the VLAN are deleted.
In the IP multicast-source-only environment, the switch learns the IP multicast group from the IP
multicast data stream and only forwards traffic to the multicast router ports.
Immediate-Leave Processing
IGMP snooping Immediate-Leave processing allows the switch to remove an interface that sends a leave
message from the forwarding table without first sending out MAC-based general queries to the interface.
The VLAN interface is pruned from the multicast tree for the multicast group specified in the original
leave message. Immediate-Leave processing ensures optimal bandwidth management for all hosts on a
switched network, even when multiple multicast groups are in use simultaneously.
Note You should use the Immediate-Leave processing feature only on VLANs where only one host is
connected to each port. If Immediate-Leave processing is enabled on VLANs where more than one
host is connected to a port, some hosts might be inadvertently dropped. Immediate-Leave processing
is supported only with IGMP version 2 hosts.
You can configure the switch to snoop on PIM/Distance Vector Multicast Routing Protocol
(PIM/DVMRP) packets. By default, the switch snoops on PIM/DVMRP packets on all VLANs. To learn
of multicast router ports through PIM-DVMRP packets, use the ip igmp snooping vlan vlan-id mrouter
learn pim-dvmrp interface configuration command.
Figure: IGMP snooping example. A host on port 1 sends an IGMP Report for 224.1.2.3; the report goes to the CPU port, which updates the multicast forwarding table; ports 2 through 5 are the other host and router ports.
Note that the switch architecture allows the CPU to distinguish IGMP information packets from other
packets for the multicast group. The switch recognizes the IGMP packets through its filter engine. This
prevents the CPU from becoming overloaded with multicast frames.
The entry in the multicast forwarding table tells the switching engine to send frames addressed to the
0100.5E01.0203 multicast MAC address that are not IGMP packets (!IGMP) to the router and to the host
that has joined the group.
If another host (for example, Host 4) sends an IGMP join message for the same group (Figure 34), the
CPU receives that message and adds the port number of Host 4 to the multicast forwarding table as
shown in Table 16.
Figure 34 After Host 4 joins: the CPU port updates the multicast forwarding table so that the entry covers ports 2 through 5 as required, including the port of Host 4.
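The forwarding-table behaviour in the two figures above, together with the Immediate-Leave caveat, as an added Python example that is not IOS code: the group address is mapped to its 0100.5E01.0203-style MAC, member ports are tracked per (VLAN, MAC) entry, IGMP packets go to the CPU, data frames go to the multicast router ports plus the joined ports, and a normal leave is contrasted with Immediate-Leave on a port shared by two hosts. Port names, VLAN and host identifiers are constructed.

```python
# IGMP snooping forwarding table, toy model. Added illustration, not IOS
# code; ports, hosts and VLAN numbers are constructed.
import ipaddress


def group_mac(group):
    """IPv4 multicast group -> Ethernet MAC: 01:00:5e plus the low 23 bits
    of the address, in Cisco dotted notation (0100.5E01.0203 for 224.1.2.3)."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    mac = 0x01005E000000 | (int(addr) & 0x7FFFFF)
    h = f"{mac:012X}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


class SnoopingTable:
    def __init__(self, mrouter_ports=(), immediate_leave=False):
        self.mrouter = set(mrouter_ports)        # learned or statically set
        self.immediate_leave = immediate_leave
        self.members = {}                        # (vlan, mac) -> {port: {hosts}}

    def report(self, vlan, port, host, group):
        """IGMP membership report: add the port to the (vlan, MAC) entry."""
        ports = self.members.setdefault((vlan, group_mac(group)), {})
        ports.setdefault(port, set()).add(host)

    def leave(self, vlan, port, host, group):
        """IGMPv2 Leave. Immediate-Leave prunes the port at once; otherwise
        the port survives if another host on it still reports."""
        key = (vlan, group_mac(group))
        ports = self.members.get(key, {})
        if port not in ports:
            return
        if self.immediate_leave:
            del ports[port]                      # any other host on the port is cut off
        else:
            ports[port].discard(host)            # the switch queries; others answer
            if not ports[port]:
                del ports[port]
        if not ports:
            del self.members[key]

    def host_ports(self, vlan, group):
        return set(self.members.get((vlan, group_mac(group)), {}))

    def egress_ports(self, vlan, dst_mac, is_igmp=False):
        """IGMP frames go to the CPU; data frames go to the router ports plus
        the member ports. A group nobody joined goes to router ports only."""
        if is_igmp:
            return {"CPU"}
        return self.mrouter | set(self.members.get((vlan, dst_mac.upper()), {}))


if __name__ == "__main__":
    t = SnoopingTable(mrouter_ports={"Gi1/0"})
    t.report(1, "Fa1", "host1", "224.1.2.3")
    t.report(1, "Fa4", "host4", "224.1.2.3")
    print(group_mac("224.1.2.3"), t.egress_ports(1, "0100.5e01.0203"))
```

Two things the table makes visible: 225.1.2.3 maps to the same MAC as 224.1.2.3, which is why the text speaks of one entry per MAC multicast group rather than per IP group, and Immediate-Leave on a port with two hosts removes both as soon as either one leaves, which is the reason for the Note above.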
Fallback Bridging
With fallback bridging, the switch bridges together two or more VLANs or routed ports, essentially
connecting multiple VLANs within one bridge domain. Fallback bridging forwards traffic that the
multilayer switch does not route and forwards traffic belonging to a nonroutable protocol such as
DECnet.
Fallback bridging does not allow the spanning trees from the VLANs being bridged to collapse; each
VLAN has its own Spanning Tree Protocol (STP) instance and a separate spanning tree, called the
VLAN-bridge spanning tree, which runs on top of the bridge group to prevent loops.
A VLAN bridge domain is represented using the switch virtual interface (SVI). A set of SVIs and routed
ports (which do not have any VLANs associated with them) can be configured to form a bridge group.
Recall that an SVI represents a VLAN of switch ports as one interface to the routing or bridging function
in the system. Only one SVI can be associated with a VLAN, and it is only necessary to configure an
SVI for a VLAN when you want to route between VLANs, to fallback-bridge nonroutable protocols
between VLANs, or to provide IP host connectivity to the switch. A routed port is a physical port that
acts like a port on a router, but it does not have to be connected to a router. A routed port is not
associated with a particular VLAN and does not support subinterfaces, but otherwise behaves like a
normal routed interface.
A bridge group is an internal organization of network interfaces on a switch. Bridge groups cannot be
used to identify traffic switched within the bridge group outside the switch on which they are defined.
Bridge groups on the same switch function as distinct bridges; that is, bridged traffic and bridge protocol
data units (BPDUs) cannot be exchanged between different bridge groups on a switch. An interface can
be a member of only one bridge group. Use a bridge group for each separately bridged (topologically
distinct) network connected to the switch.
The purpose of placing network interfaces into a bridge group is twofold:
• To bridge all nonrouted traffic among the network interfaces making up the bridge group. If the
packet destination address is in the bridge table, it is forwarded on a single interface in the bridge
group. If the packet destination address is not in the bridge table, it is flooded on all forwarding
interfaces in the bridge group. The bridge places source addresses in the bridge table as it learns
them during the bridging process.
• To participate in the spanning-tree algorithm by receiving, and in some cases sending, BPDUs on
the LANs to which they are attached. A separate spanning process runs for each configured bridge
group. Each bridge group participates in a separate spanning-tree instance. A bridge group
establishes a spanning-tree instance based on the BPDUs it receives on only its member interfaces.
Figure 35 shows a fallback bridging network example. The multilayer switch has two interfaces
configured as SVIs with different assigned IP addresses and attached to two different VLANs. Another
interface is configured as a routed port with its own IP address. If all three of these ports are assigned to
the same bridge group, non-IP protocol frames can be forwarded among the end stations connected to
the switch.
Figure 35 Fallback bridging example: Host A on VLAN 20 and Host B on VLAN 30, both attached to the multilayer switch.
Understanding ACLs
Packet filtering can limit network traffic and restrict network use by certain users or devices. ACLs can
filter traffic as it passes through a switch and permit or deny packets from crossing specified interfaces.
An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is
received on an interface, the switch compares the fields in the packet against any applied ACLs to verify
that the packet has the required permissions to be forwarded, based on the criteria specified in the access
lists. The switch tests the packet against the conditions in an access list one by one. The first match
determines whether the switch accepts or rejects the packet. Because the switch stops testing conditions
after the first match, the order of conditions in the list is critical. If no condition matches, the switch
rejects the packet: every access list ends with an implicit deny. If no access list is applied to the
interface, the switch forwards the packet.
You configure access lists on a Layer 2 switch to provide basic security for your network. If you do not
configure ACLs, all packets passing through the switch could be allowed onto all parts of the network.
You can use ACLs to control which hosts can access different parts of a network or to decide which types
of traffic are forwarded or blocked at switch interfaces. For example, you can allow e-mail traffic to be
forwarded but not Telnet traffic. Because the EtherSwitch network module applies ACLs only in the
inbound direction, ACLs block traffic as it enters a switch interface.
An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny
and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny
depends on the context in which the ACL is used.
The EtherSwitch network module supports IP ACLs to filter IP traffic, including TCP or User Datagram
Protocol (UDP) traffic (but not both traffic types in the same ACL).
ACLs
You can apply ACLs on physical Layer 2 interfaces. ACLs are applied on interfaces only on the inbound
direction.
• Standard IP access lists use source addresses for matching operations.
• Extended IP access lists use source and destination addresses and optional protocol type information
for matching operations.
The switch examines access lists associated with features configured on a given interface and a direction.
As packets enter the switch on an interface, ACLs associated with all inbound features configured on
that interface are examined.
ACLs permit or deny packet forwarding based on how the packet matches the entries in the ACL. For
example, you can use ACLs to allow one host to access a part of a network, but to prevent another host
from accessing the same part. In Figure 36, ACLs applied at the switch input allow Host A to access the
Human Resources network, but prevent Host B from accessing the same network.
Figure 36 ACLs applied at the switch input, denying traffic from Host B and permitting traffic from Host A to the Human Resources network.
Note In the first and second ACEs in the examples, the eq keyword after the destination address means to
test for the TCP-destination-port well-known numbers equaling Simple Mail Transfer Protocol
(SMTP) and Telnet, respectively.
• Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1 on the SMTP port.
If this packet is fragmented, the first fragment matches the first ACE (a permit), as if it were a
complete packet because all Layer 4 information is present. The remaining fragments also match the
first ACE, even though they do not contain the SMTP port information because the first ACE only
checks Layer 3 information when applied to fragments. (The information in this example is that the
packet is TCP and that the destination is 10.1.1.1.)
• Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet
is fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4
information is present. The remaining fragments in the packet do not match the second ACE because
they are missing Layer 4 information.
• Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet
B is effectively denied. However, the later fragments that are permitted will consume bandwidth on
the network and resources of host 10.1.1.2 as it tries to reassemble the packet.
• Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port FTP. If this
packet is fragmented, the first fragment matches the third ACE (a deny). All other fragments also
match the third ACE because that ACE does not check any Layer 4 information and because Layer 3
information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit
ACEs were checking different hosts.
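The first-match walk for packets A, B and C, as an added Python example (not IOS code). The guide does not show the ACL itself, so the four ACEs below are reconstructed from the description: the three ACEs the bullets refer to, plus an assumed catch-all permit so that the later fragments of packet B have an ACE that permits them, as the text says they are. The fragment rule is modelled as the bullets describe it: an ACE without Layer 4 information matches any fragment on Layer 3 alone; an ACE with Layer 4 information matches a non-initial fragment only if it is a permit, and is skipped if it is a deny. Host and port numbers are the ones in the text.

```python
# First-match ACL evaluation with fragment semantics. Added illustration; the
# ACL is reconstructed from the text and the catch-all permit is assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PORTS = {"smtp": 25, "telnet": 23, "ftp": 21, "www": 80}


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp" or "udp"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None    # Layer 4 information, if any

    def l3_match(self, pkt):
        proto_ok = self.proto == "ip" or self.proto == pkt.proto
        return (proto_ok
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))

    def has_l4(self):
        return self.dport is not None


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    initial: bool = True           # False for a non-initial fragment (no L4 header)


def evaluate(acl, pkt):
    """Return (action, 1-based ACE index or "implicit")."""
    for i, ace in enumerate(acl, 1):
        if not ace.l3_match(pkt):
            continue
        if not ace.has_l4():
            return ace.action, i                 # L3-only ACE: matches any fragment
        if pkt.initial:
            if pkt.dport == ace.dport:
                return ace.action, i
            continue
        # Non-initial fragment: Layer 4 cannot be checked. A permit ACE matches
        # on Layer 3 alone; a deny ACE is skipped and the fragment falls through.
        if ace.action == "permit":
            return "permit", i
    return "deny", "implicit"


ACL = [
    Ace("permit", "tcp", dst="10.1.1.1/32", dport=PORTS["smtp"]),
    Ace("deny",   "tcp", dst="10.1.1.2/32", dport=PORTS["telnet"]),
    Ace("deny",   "tcp", dst="10.1.1.3/32"),             # no Layer 4 information
    Ace("permit", "ip"),                                 # assumed catch-all
]


def fragments_of(pkt):
    """The initial fragment (full headers) and one non-initial fragment."""
    tail = Packet(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto, initial=False)
    return [pkt, tail]


if __name__ == "__main__":
    A = Packet("10.2.2.2", 65000, "10.1.1.1", PORTS["smtp"])
    B = Packet("10.2.2.2", 65001, "10.1.1.2", PORTS["telnet"])
    C = Packet("10.2.2.2", 65001, "10.1.1.3", PORTS["ftp"])
    for name, pkt in (("A", A), ("B", B), ("C", C)):
        print(name, [evaluate(ACL, f) for f in fragments_of(pkt)])
```

Packet B is the case to watch: its first fragment is denied by the second ACE, but every later fragment falls past that deny and is permitted by the catch-all, so the deny stops the connection yet still lets the fragments reach 10.1.1.2 and consume its reassembly buffers. A deny that carries no Layer 4 information, like the third ACE, stops every fragment.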
Note In an IP extended ACL (both named and numbered), a Layer 4 system-defined mask cannot
precede a Layer 3 user-defined mask. For example, a Layer 4 system-defined mask such as
permit tcp any any or deny udp any any cannot precede a Layer 3 user-defined mask such
as permit ip 10.1.1.1 any. If you configure this combination, the ACL is not configured. All
other combinations of system-defined and user-defined masks are allowed in security ACLs.
The EtherSwitch network module ACL configuration is consistent with Cisco Catalyst switches.
However, there are significant restrictions as well as differences for ACL configurations on the
EtherSwitch network module.
In this example, the first ACE permits all the TCP packets coming from the host 10.1.1.1 with a
destination TCP port number of 80. The second ACE permits all TCP packets coming from the host
10.2.1.1 with a destination TCP port number of 23. Both ACEs use the same mask; therefore, an
EtherSwitch network module supports this ACL.
• Only four user-defined masks can be defined for the entire system. These can be used for either
security or quality of service (QoS) but cannot be shared by QoS and security. You can configure as
many ACLs as you require. However, a system error message appears if ACLs with more than four
different masks are applied to interfaces.
Table 17 lists a summary of the ACL restrictions on EtherSwitch network modules.
Figure: encapsulated packet layout. A Layer 2 header is followed by the IP header, which carries the 1-byte field containing the DSCP value, and then the data.
Note Layer 3 IPv6 packets are dropped when received by the switch.
All switches and routers across the Internet rely on the class information to provide the same forwarding
treatment to packets with the same class information and different treatment to packets with different
class information. The class information in the packet can be assigned by end hosts or by switches or
routers along the way, based on a configured policy, detailed examination of the packet, or both. Detailed
examination of the packet is expected to happen closer to the edge of the network so that the core
switches and routers are not overloaded.
Switches and routers along the path can use the class information to limit the amount of resources
allocated per traffic class. The behavior of an individual device when handling traffic in the DiffServ
architecture is called per-hop behavior. If all devices along a path provide a consistent per-hop behavior,
you can construct an end-to-end QoS solution.
Implementing QoS in your network can be a simple or complex task and depends on the QoS features
offered by your internetworking devices, the traffic types and patterns in your network, and the
granularity of control you need over incoming and outgoing traffic.
The EtherSwitch network module can function as a Layer 2 switch connected to a Layer 3 router. When
a packet enters the Layer 2 engine directly from a switch port, it is placed into one of four queues in the
dynamic, 32-MB shared memory buffer. The queue assignment is based on the dot1p value in the packet.
Any voice bearer packets that come in from the Cisco IP phones on the voice VLAN are automatically
placed in the highest priority (Queue 3) based on the 802.1p value generated by the IP phone. The queues
are then serviced on a weighted round robin (WRR) basis. The control traffic, which uses a CoS or ToS
of 3, is placed in Queue 2.
Table 18 summarizes the queues, CoS values, and weights for Layer 2 QoS on the EtherSwitch network
module.
The weights specify the number of packets that are serviced in the queue before moving on to the next
queue. Voice Realtime Transport Protocol (RTP) bearer traffic marked with a CoS or ToS of 5 and Voice
Control plane traffic marked with a CoS/ToS of 3 are placed into the highest priority queues. If the queue
has no packets to be serviced, it is skipped. Weighted Random Early Detection (WRED) is not supported
on the Fast Ethernet ports.
You cannot configure port-based QoS on the Layer 2 switch ports.
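To make the queue assignment and weighted round robin servicing described above concrete, here is a small model of the four egress queues, added as an example and not taken from the Cisco documentation or product. The text fixes only CoS 5 in Queue 3 and CoS 3 in Queue 2; the remaining CoS-to-queue mapping, the weights and the top-down visiting order are assumptions of the model.

```python
from collections import deque

# Added illustration, not Cisco code. The text places voice bearer traffic
# (CoS 5) in Queue 3, the highest-priority queue, and control traffic (CoS 3)
# in Queue 2. The other CoS-to-queue assignments and the per-queue weights
# below are assumed for the example, since Table 18 is not reproduced here.
COS_TO_QUEUE = {0: 0, 1: 0, 2: 1, 3: 2, 4: 2, 5: 3, 6: 3, 7: 3}
ASSUMED_WEIGHTS = (1, 2, 4, 8)   # packets serviced per visit, queues 0..3

# Constructed sample: a burst of ten voice packets arrives while two data
# packets are waiting in the lowest queue.
SAMPLE_PACKETS = [(5, f"voice{i}") for i in range(1, 11)] + [(0, "data1"), (0, "data2")]


def assign_queues(packets, cos_to_queue=COS_TO_QUEUE):
    """Place (cos, packet_id) pairs into the four FIFO queues by CoS value."""
    queues = [deque() for _ in range(4)]
    for cos, packet_id in packets:
        queues[cos_to_queue[cos]].append(packet_id)
    return queues


def wrr_service_order(queues, weights=ASSUMED_WEIGHTS):
    """Return (egress order, number of WRR rounds) for the given queues.

    Each round visits the queues from highest (3) to lowest (0) and sends
    up to `weight` packets from each before moving on. An empty queue is
    skipped rather than holding its slot, as the text describes. The
    top-down visiting order is an assumption of this model.
    """
    work = [deque(q) for q in queues]          # leave the caller's queues intact
    order, rounds = [], 0
    while any(work):
        rounds += 1
        for idx in range(3, -1, -1):
            q = work[idx]
            if not q:
                continue
            for _ in range(weights[idx]):
                if not q:
                    break
                order.append(q.popleft())
    return order, rounds


def transmit_positions(packets, weights=ASSUMED_WEIGHTS):
    """Map each packet id to its 1-based position in the egress order."""
    order, _ = wrr_service_order(assign_queues(packets), weights)
    return {pid: pos for pos, pid in enumerate(order, start=1)}


if __name__ == "__main__":
    order, rounds = wrr_service_order(assign_queues(SAMPLE_PACKETS))
    print(f"{rounds} rounds: {' '.join(order)}")
```

Running it shows the property the weights create: the first data packet is not sent until eight voice packets have left Queue 3, so a queue with a small weight can be starved of a share of the link by a sustained burst in a heavier queue.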
• Policing determines whether a packet is in or out of profile according to the configured policer, and
the policer limits the bandwidth consumed by a flow of traffic. The result of this determination is
passed to the marker. For more information, see the “Policing and Marking” section on page 239.
• Marking evaluates the policer and configuration information for the action to be taken when a packet
is out of profile and decides what to do with the packet (pass through a packet without modification,
mark down the DSCP value in the packet, or drop the packet). For more information, see the
“Policing and Marking” section on page 239.
Actions at the egress interface include queueing and scheduling:
• Queuing evaluates the CoS value and determines which of the four egress queues in which to place
the packet.
• Scheduling services the four egress queues based on their configured WRR weights.
Classification: Classifies the packet based on the ACL.
Policing: Determines if the packet is in profile or out of profile based on the policer associated with the filter.
Mark (in profile or out of profile): Based on whether the packet is in or out of profile and the configured parameters, determines whether to pass through, mark down, or drop the packet. The DSCP and CoS are marked or changed accordingly.
Queuing and scheduling: Based on the CoS, determines into which of the egress queues to place the packet, then services the queues according to the configured weights.
Classification
Classification is the process of distinguishing one kind of traffic from another by examining the fields
in the packet.
Classification occurs only on a physical interface basis. No support exists for classifying packets at the
VLAN or the switched virtual interface level.
You specify which fields in the frame or packet that you want to use to classify incoming traffic.
• Configuration of a deny action is not supported in QoS ACLs on the 16- and 36-port EtherSwitch
network modules.
• System-defined masks are allowed in class maps with these restrictions:
– A combination of system-defined and user-defined masks cannot be used in the multiple class
maps that are a part of a policy map.
– System-defined masks that are a part of a policy map must all use the same type of system mask.
For example, a policy map cannot have a class map that uses the permit tcp any any ACE and
another that uses the permit ip any any ACE.
– A policy map can contain multiple class maps that all use the same user-defined mask or the
same system-defined mask.
Note For more information on the system-defined mask, see the “Understanding Access Control
Parameters” section on page 234.
• For more information on ACL restrictions, see the “Guidelines for Configuring ACLs on the
EtherSwitch network module” section on page 235.
After a traffic class has been defined with the ACL, you can attach a policy to it. A policy might contain
multiple classes with actions specified for each one of them. A policy might include commands to
rate-limit the class. This policy is then attached to a particular port on which it becomes effective.
You implement IP ACLs to classify IP traffic by using the access-list global configuration command.
Note No policers can be configured on the egress interface on EtherSwitch network modules.
Mapping Tables
The EtherSwitch network modules support these types of marking to apply to the switch:
• CoS value to the DSCP value
• DSCP value to CoS value
Note An interface can be configured to trust either CoS or DSCP, but not both at the same time.
Before the traffic reaches the scheduling stage, QoS uses the configurable DSCP-to-CoS map to derive
a CoS value from the internal DSCP value.
The CoS-to-DSCP and DSCP-to-CoS map have default values that might or might not be appropriate for
your network.
Configuring VLANs
Perform this task to configure the VLANs on an EtherSwitch network module.
SUMMARY STEPS
1. enable
2. vlan database
3. vlan vlan-id [are hops] [backupcrf mode] [bridge type | number] [media type] [mtu mtu-size]
[name vlan-name] [parent parent-vlan-id] [ring ring-number] [said sa-id-value] [state {suspend
| active}] [stp type type] [tb-vlan1 tb-vlan1-id] [tb-vlan2 tb-vlan2-id]
4. no vlan vlan-id
5. exit
6. show vlan-switch [brief | id vlan | name name]
DETAILED STEPS
Example:
Router# configure terminal
Example:
Router(vlan)# vlan 2 media ethernet name vlan1502

Step 4 no vlan vlan-id
(Optional) Deletes a specific VLAN.
• In this example, VLAN 2 is deleted.
Example:
Router(vlan)# no vlan 2

Step 5 exit
Exits VLAN configuration mode and returns the router to privileged EXEC mode.
Example:
Router(vlan)# exit

Step 6 show vlan-switch [brief | id vlan | name name]
(Optional) Displays VLAN information.
• The optional brief keyword displays only a single line for each VLAN, naming the VLAN, status, and ports.
• The optional id keyword displays information about a single VLAN identified by VLAN ID number; valid values are from 1 to 1005.
• The optional name keyword displays information about a single VLAN identified by VLAN name; valid values are an ASCII string from 1 to 32 characters.
Example:
Router# show vlan-switch name vlan0003
Examples
Sample Output for the show vlan-switch Command
In the following example, output information is displayed to verify the VLAN configuration:
Router# show vlan-switch name vlan0003
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 1002 1003
1002 fddi 101002 1500 - - - - - 1 1003
1003 tr 101003 1500 1005 0 - - srb 1 1002
In the following example, the brief keyword is used to verify that VLAN 2 has been deleted:
Router# show vlan-switch brief
SUMMARY STEPS
1. enable
2. vlan database
3. vtp server
4. vtp domain domain-name
5. vtp password password-value
6. vtp client
7. vtp transparent
8. vtp v2-mode
9. exit
10. show vtp {counters | status}
DETAILED STEPS
Example:
Router# vlan database

Step 3 vtp server
Configures the EtherSwitch network module as a VTP server.
Example:
Router(vlan)# vtp server

Step 4 vtp domain domain-name
Defines the VTP domain name.
• The domain-name argument consists of up to 32 characters.
Example:
Router(vlan)# vtp domain Lab_Network

Step 5 vtp password password-value
(Optional) Sets a password for the VTP domain.
• The password-value argument can consist of 8 to 64 characters.
Example:
Router(vlan)# vtp password labpassword

Step 6 vtp client
(Optional) Configures the EtherSwitch network module as a VTP client.
• The VLAN database is updated when you leave VLAN configuration mode.
Note You would configure the device as either a VTP server or a VTP client.
Example:
Router(vlan)# vtp client

Step 7 vtp transparent
(Optional) Disables VTP on the EtherSwitch network module.
Example:
Router(vlan)# vtp transparent

Step 8 vtp v2-mode
(Optional) Enables VTP version 2.
Example:
Router(vlan)# vtp v2-mode
Examples
Sample Output for the show vtp Command
In the following example, output information about the VTP management domain is displayed:
Router# show vtp status
VTP Version : 2
Configuration Revision : 247
Maximum VLANs supported locally : 1005
Number of existing VLANs : 33
VTP Operating Mode : Client
VTP Domain Name : Lab_Network
VTP Pruning Mode : Enabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80
Configuration last modified by 0.0.0.0 at 8-12-99 15:04:49
If any root switch for the specified VLANs has a bridge priority lower than 8192, the switch sets the
bridge priority for the specified VLANs to 1 less than the lowest bridge priority.
For example, if all switches in the network have the bridge priority for VLAN 100 set to the default value
of 32768, entering the spanning-tree vlan 100 root primary command on a switch will set the bridge
priority for VLAN 100 to 8192, causing the switch to become the root bridge for VLAN 100.
Note The root bridge for each instance of spanning tree should be a backbone or distribution switch device.
Do not configure an access switch device as the spanning tree primary root.
Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of
bridge hops between any two end stations in the Layer 2 network). When you specify the network
diameter, the switch automatically picks an optimal hello time, forward delay time, and maximum age
time for a network of that diameter, which can significantly reduce the spanning tree convergence time.
You can use the hello-time keyword to override the automatically calculated hello time.
Note You should avoid configuring the hello time, forward delay time, and maximum age time manually after
configuring the switch as the root bridge.
Caution Exercise care when using the spanning-tree vlan command with the priority keyword. For most
situations spanning-tree vlan with the root primary keywords and the spanning-tree vlan with the
root secondary keywords are the preferred commands to modify the bridge priority.
SUMMARY STEPS
1. enable
2. configure terminal
3. spanning-tree vlan vlan-id [forward-time seconds | hello-time seconds | max-age seconds |
priority priority | protocol protocol | [root {primary | secondary} [diameter net-diameter]
[hello-time seconds]]]]
4. spanning-tree vlan vlan-id [priority priority]
5. spanning-tree vlan vlan-id [root {primary | secondary} [diameter net-diameter] [hello-time
seconds]]
6. spanning-tree vlan vlan-id [hello-time seconds]
7. spanning-tree vlan vlan-id [forward-time seconds]
8. spanning-tree vlan vlan-id [max-age seconds]
9. spanning-tree backbonefast
10. interface {ethernet | fastethernet | gigabitethernet} slot/port
11. spanning-tree port-priority port-priority
12. spanning-tree cost cost
13. exit
DETAILED STEPS
Example:
Router# configure terminal

Step 3 spanning-tree vlan vlan-id [forward-time seconds | hello-time seconds | max-age seconds | priority priority | protocol protocol | [root {primary | secondary} [diameter net-diameter] [hello-time seconds]]]]
Configures spanning tree on a per-VLAN basis.
• In this example, spanning tree is enabled on VLAN 200.
• Use the no form of this command to disable spanning tree on the specified VLAN.
Example:
Router(config)# spanning-tree vlan 200

Step 4 spanning-tree vlan vlan-id [priority priority]
(Optional) Configures the bridge priority of a VLAN.
• The priority value can be from 1 to 65535.
• Review the “VLAN Bridge Priority” section before using this command.
• Use the no form of this command to restore the defaults.
Example:
Router(config)# spanning-tree vlan 200 priority 33792

Step 5 spanning-tree vlan vlan-id [root {primary | secondary} [diameter net-diameter] [hello-time seconds]]
(Optional) Configures the EtherSwitch network module as the root bridge.
• Review the “VLAN Root Bridge” concept before using this command.
Example:
Router(config)# spanning-tree vlan 200 root primary diameter 4

Step 6 spanning-tree vlan vlan-id [hello-time seconds]
(Optional) Configures the hello time of a VLAN.
• The seconds value can be from 1 to 10 seconds.
• In this example, the hello time is set to 7 seconds.
Example:
Router(config)# spanning-tree vlan 200 hello-time 7

Step 7 spanning-tree vlan vlan-id [forward-time seconds]
(Optional) Configures the spanning tree forward delay time of a VLAN.
• The seconds value can be from 4 to 30 seconds.
• In this example, the forward delay time is set to 21 seconds.
Example:
Router(config)# spanning-tree vlan 200 forward-time 21
SUMMARY STEPS
1. enable
2. show spanning-tree [bridge-group] [active | backbonefast | blockedports | bridge | brief |
inconsistentports | interface interface-type interface-number | pathcost method | root | summary
[totals] | uplinkfast | vlan vlan-id]
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted:
Router> enable
Use this command with the interface keyword to display spanning tree information about a specified
interface:
Router# show spanning-tree interface fastethernet 5/8
Use this command with the bridge, brief, and vlan keywords to display the bridge priority information:
Router# show spanning-tree bridge brief vlan 200
Caution Changing the interface speed and duplex mode configuration might shut down and reenable the interface
during the reconfiguration.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface range {vlan vlan-id - vlan-id} | {{ethernet | fastethernet | macro macro-name}
slot/interface - interface} [, {{ethernet | fastethernet | macro macro-name} slot/interface -
interface}]
4. define interface-range macro-name {vlan vlan-id - vlan-id} | {{ethernet | fastethernet}
slot/interface - interface} [, {{ethernet | fastethernet} slot/interface - interface}]
5. interface fastethernet slot/interface
6. speed [10 | 100 | auto]
7. duplex [auto | full | half]
8. description string
9. exit
10. show interfaces fastethernet slot/port
DETAILED STEPS
Example:
Router# configure terminal

Step 3 interface range {vlan vlan-id - vlan-id} | {{ethernet | fastethernet | macro macro-name} slot/interface - interface} [, {{ethernet | fastethernet | macro macro-name} slot/interface - interface}]
Selects the range of interfaces to be configured.
• The space before and after the dash is required. For example, the command interface range fastethernet 1 - 5 is valid; the command interface range fastethernet 1-5 is not valid.
• You can enter one macro or up to five comma-separated ranges.
• Comma-separated ranges can include both VLANs and physical interfaces.
• You are not required to enter spaces before or after the comma.
• The interface range command only supports VLAN interfaces that are configured with the interface vlan command.
Example:
Router(config)# interface range fastethernet 5/1 - 4

Step 4 define interface-range macro-name {vlan vlan-id - vlan-id} | {{ethernet | fastethernet} slot/interface - interface} [, {{ethernet | fastethernet} slot/interface - interface}]
Defines the interface range macro and saves it in NVRAM.
• In this example, the interface range macro is named sales and contains VLAN numbers from 2 to 5.
Example:
Router(config)# define interface-range sales vlan 2 - 5

Step 5 interface fastethernet slot/interface
Configures a specific Fast Ethernet interface.
Example:
Router(config)# interface fastethernet 1/4

Step 6 speed [10 | 100 | auto]
Sets the speed for a Fast Ethernet interface.
Note If you set the interface speed to auto on a 10/100-Mbps Ethernet interface, both speed and duplex are autonegotiated.
Example:
Router(config-if)# speed 100

Example:
Router(config-if)# description salesgroup1

Step 9 exit
Exits interface configuration mode and returns the router to global configuration mode.
• Repeat this step one more time to exit global configuration mode.
Example:
Router(config-if)# exit

Step 10 show interfaces fastethernet slot/port
(Optional) Displays information about Fast Ethernet interfaces.
Example:
Router# show interfaces fastethernet 1/4
Examples
Sample Output for the show interfaces fastethernet Command
In the following example, output information is displayed to verify the speed and duplex mode of a Fast
Ethernet interface:
Router# show interfaces fastethernet 1/4
Restrictions
Note Ports do not support Dynamic Trunk Protocol (DTP). Ensure that the neighboring switch is set to a mode
that will not send DTP traffic.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {ethernet | fastethernet | gigabitethernet} slot/port
4. shutdown
5. switchport mode {access | trunk}
6. switchport trunk {encapsulation dot1q | native vlan | allowed vlan vlan-list}
7. switchport trunk allowed vlan {add | except | none | remove} vlan1[,vlan[,vlan[,...]]
8. no shutdown
9. exit
10. show interfaces fastethernet slot/port {switchport | trunk}
DETAILED STEPS
Example:
Router# configure terminal

Step 3 interface {ethernet | fastethernet | gigabitethernet} slot/port
Selects the Ethernet interface to configure.
Example:
Router(config)# interface fastethernet 5/8

Step 4 shutdown
(Optional) Shuts down the interface to prevent traffic flow until configuration is complete.
Note Encapsulation is always dot1q.
Example:
Router(config-if)# shutdown

Example:
Router# show interfaces fastethernet 5/8 switchport
Examples
Sample Output for the show interfaces fastethernet Command
In the following two examples, output information is displayed to verify the configuration of Fast
Ethernet interface as a Layer 2 trunk:
Router# show interfaces fastethernet 5/8 switchport
Name: Fa5/8
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Disabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Protected: false
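The switchport output above is what a configuration review works from. The following parser and checker are an added example, not part of the Cisco documentation: it turns the "Key: value" lines into a dictionary and flags trunk settings a hardening review would normally tighten (native VLAN left at 1, all VLANs allowed, trunk negotiation enabled). The access-port output is the page's sample; the trunk-port output for Fa5/9 is constructed for the example.

```python
import re

# Added illustration, not Cisco code. The first sample is the page's own
# output for Fa5/8; the second is constructed to show the same port type
# after "switchport mode trunk" with the defaults left in place.
ACCESS_PORT_OUTPUT = """\
Name: Fa5/8
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Disabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Protected: false
"""

TRUNK_PORT_OUTPUT = """\
Name: Fa5/9
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Protected: false
"""

_FIELD = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_switchport(text):
    """Turn the 'Key: value' lines into a dict (values kept as strings)."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def vlan_number(value):
    """'1 (default)' -> 1; None when the field carries no number."""
    m = re.match(r"\d+", value)
    return int(m.group()) if m else None


def audit_switchport(fields):
    """Return a list of findings for one port; an empty list means nothing to flag."""
    findings = []
    if fields.get("Switchport") != "Enabled":
        return ["not a Layer 2 switchport"]
    if fields.get("Negotiation of Trunking") == "Enabled":
        findings.append("trunk negotiation enabled: set switchport mode access or trunk statically")
    if fields.get("Operational Mode") == "trunk":
        if vlan_number(fields.get("Trunking Native Mode VLAN", "")) == 1:
            findings.append("native VLAN is 1: move it with switchport trunk native vlan")
        if fields.get("Trunking VLANs Enabled", "").upper() == "ALL":
            findings.append("all VLANs allowed: prune with switchport trunk allowed vlan")
    return findings


def audit_report(outputs):
    """Audit several captured outputs and return {port name: findings}."""
    report = {}
    for text in outputs:
        fields = parse_switchport(text)
        report[fields.get("Name", "?")] = audit_switchport(fields)
    return report


if __name__ == "__main__":
    for port, findings in audit_report([ACCESS_PORT_OUTPUT, TRUNK_PORT_OUTPUT]).items():
        print(port, findings or "ok")
```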
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {ethernet | fastethernet | gigabitethernet} slot/port
4. shutdown
5. switchport mode {access | trunk}
6. switchport access vlan vlan-id
7. no shutdown
8. exit
DETAILED STEPS
Example:
Router# configure terminal

Example:
Router(config)# interface fastethernet 1/0

Step 4 shutdown
(Optional) Shuts down the interface to prevent traffic flow until configuration is complete.
Note Encapsulation is always dot1q.
Example:
Router(config-if)# shutdown

Step 5 switchport mode {access | trunk}
Configures the interface type.
• In this example, the interface type is set to be Layer 2 access.
Example:
Router(config-if)# switchport mode access

Step 6 switchport access vlan vlan-id
For access ports, specifies the access VLAN.
• In this example, the Layer 2 access VLAN 5 is set.
Example:
Router(config-if)# switchport access vlan 5

Step 7 no shutdown
Activates the interface. (Required only if you shut down the interface.)
Example:
Router(config-if)# no shutdown

Step 8 exit
Exits interface configuration mode and returns the router to global configuration mode.
• Repeat this step one more time to exit global configuration mode.
Example:
Router(config-if)# exit
Note Refer to the Cisco AVVID QoS Design Guide for more information on how to implement end-to-end QoS
as you deploy Cisco AVVID solutions.
Voice Traffic and Voice VLAN ID (VVID) Using the EtherSwitch Network Module
The EtherSwitch network module can automatically configure voice VLAN. This capability overcomes
the management complexity of overlaying a voice topology onto a data network while maintaining the
quality of voice traffic. With the automatically configured voice VLAN feature, network administrators
can segment phones into separate logical networks, even though the data and voice infrastructure is
physically the same. The voice VLAN feature places the phones into their own VLANs without the need
for end-user intervention. A user can plug the phone into the switch, and the switch provides the phone
with the necessary VLAN information.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {ethernet | fastethernet | gigabitethernet} slot/port
4. switchport mode {access | trunk}
5. switchport voice vlan {vlan-id | dot1p | none | untagged}
6. exit
DETAILED STEPS
Example:
Router# configure terminal

Step 3 interface {ethernet | fastethernet | gigabitethernet} slot/port
Selects the Ethernet interface to configure and enters interface configuration mode.
Example:
Router(config)# interface fastethernet 5/1

Step 4 switchport mode {access | trunk}
Configures the interface type.
• In this example, the interface type is set to trunk mode.
Example:
Router(config-if)# switchport mode trunk
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {ethernet | fastethernet | gigabitethernet} slot/port
4. switchport access vlan vlan-id
5. switchport voice vlan {vlan-id | dot1p | none | untagged}
6. exit
DETAILED STEPS
Example:
Router# configure terminal

Step 3 interface {ethernet | fastethernet | gigabitethernet} slot/port
Selects the Ethernet interface to configure and enters interface configuration mode.
Example:
Router(config)# interface fastethernet 5/2

Step 4 switchport access vlan vlan-id
Configures the port as an access port and assigns a VLAN.
• The value of vlan-id represents the ID of the VLAN that is sending and receiving untagged traffic on the port. Valid IDs are from 1 to 1001. Leading zeroes are not accepted.
Example:
Router(config-if)# switchport access vlan 40

Step 5 switchport voice vlan {vlan-id | dot1p | none | untagged}
Configures the Cisco IP phone to send voice traffic with higher priority (CoS=5 on 802.1Q tag) on the access VLAN. Data traffic (from an attached PC) is sent untagged for lower priority (port default=0).
Example:
Router(config-if)# switchport voice vlan dot1p

Step 6 exit
Exits interface configuration mode and returns the router to global configuration mode.
• Repeat this step one more time to exit global configuration mode.
Example:
Router(config-if)# exit
Trap Managers
A trap manager is a management station that receives and processes traps. When you configure a trap
manager, community strings for each member switch must be unique. If a member switch has an IP
address assigned to it, the management station accesses the switch by using its assigned IP address.
By default, no trap manager is defined, and no traps are issued.
IP Addressing
The recommended configuration for using multiple cables to connect IP phones to the Cisco AVVID
network is to use a separate IP subnet and separate VLANs for IP telephony.
If your network devices require connectivity with devices in networks for which you do not control name
assignment, you can assign device names that uniquely identify your devices within the entire
internetwork. The Internet’s global naming scheme, the DNS, accomplishes this task. This service is
enabled by default.
SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server host {hostname | ip-address} [traps | informs] [version {1 | 2c | 3 [auth | noauth |
priv]}] community-string [udp-port port] [notification-type] [vrf vrf-name]
4. interface {ethernet | fastethernet | gigabitethernet} slot/port
5. ip address ip-address
6. exit
7. ip default-gateway ip-address
8. exit
DETAILED STEPS
Example:
Router# configure terminal

Example:
Router(config)# snmp-server host 10.6.1.1 traps 1 snmp vlan-membership

Step 4 interface vlan vlan-id
Enters interface configuration mode, and specifies the VLAN to which the IP information is assigned.
• VLAN 1 is the management VLAN, but you can configure any VLAN from IDs 1 to 1001.
Example:
Router(config)# interface vlan 200

Step 5 ip address ip-address
Enters the IP address and subnet mask.
Example:
Router(config-if)# ip address 10.2.1.2

Step 6 exit
Exits interface configuration mode and returns the router to global configuration mode.
Example:
Router(config-if)# exit

Step 7 ip default-gateway ip-address
Enters the IP address of the default routing device.
Example:
Router(config)# ip default-gateway 10.5.1.5

Step 8 exit
Exits global configuration mode and returns the router to privileged EXEC mode.
Example:
Router(config)# exit
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {ethernet | fastethernet | gigabitethernet} slot/port
4. switchport voice vlan {vlan-id | dot1p | none | untagged}
5. power inline {auto | never}
6. exit
DETAILED STEPS
Example:
Router# configure terminal

Example:
Router(config)# interface fastethernet 1/0

Step 4 switchport voice vlan {vlan-id | dot1p | none | untagged}
Instructs the EtherSwitch network module to use 802.1p priority tagging for voice traffic and to use VLAN 0 (default native VLAN) to carry all traffic.
Example:
Router(config-if)# switchport voice vlan dot1p

Step 5 power inline {auto | never}
Determines how inline power is applied to the device on the specified port.
• In this example, inline power on the port is permanently disabled.
Example:
Router(config-if)# power inline never

Step 6 exit
Exits interface configuration mode and returns the router to global configuration mode.
• Repeat this step one more time to exit global configuration mode.
Example:
Router(config-if)# exit
SUMMARY STEPS
1. enable
2. show cdp
3. show cdp interface [interface-type interface-number]
4. show cdp neighbors [interface-type interface-number] [detail]
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode. Enter your password if prompted:
Router> enable
Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in
another until it is learned or statically associated with a port in the other VLAN. An address can be secure
in one VLAN and dynamic in another. Addresses that are statically entered in one VLAN must be static
addresses in all other VLANs.
Caution Cisco advises that you do not change the aging timer because the EtherSwitch network module could go
out of synchronization.
Secure Addresses
The secure address table contains secure MAC addresses and their associated ports and VLANs. A
secure address is a manually entered unicast address that is forwarded to only one port per VLAN. If you
enter an address that is already assigned to another port, the switch reassigns the secure address to the
new port.
You can enter a secure port address even when the port does not yet belong to a VLAN. When the port
is later assigned to a VLAN, packets destined for that address are forwarded to the port.
Static Addresses
A static address has the following characteristics:
• It is manually entered in the address table and must be manually removed.
• It can be a unicast or multicast address.
• It does not age and is retained when the switch restarts.
Because all ports are associated with at least one VLAN, the switch acquires the VLAN ID for the
address from the ports that you select on the forwarding map. A static address in one VLAN must be a
static address in other VLANs. A packet with a static address that arrives on a VLAN where it has not
been statically entered is flooded to all ports and not learned.
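The rules above for secure, static and dynamic addresses are easier to see in a small model of the per-VLAN address table. This is an added example, not code from the Cisco documentation or product; the port names and MAC addresses are the ones used in the configuration examples, and the rule that learning never overwrites a manual entry is an assumption of the model.

```python
# Added illustration, not Cisco code: a model of the per-VLAN address table
# described in the text, with secure, static and dynamic entries, to show how
# lookup, learning, reassignment and aging behave under the stated rules.

FLOOD = "flood"   # result when no entry exists for the address in that VLAN


class AddressTable:
    def __init__(self):
        # key (vlan, mac) -> {"port": ..., "kind": "secure" | "static" | "dynamic"}
        self.entries = {}

    def _kinds_of(self, mac):
        """Entry kinds recorded for this MAC across every VLAN."""
        return {e["kind"] for (_, m), e in self.entries.items() if m == mac}

    def add_secure(self, mac, port, vlan):
        """Manually entered unicast address forwarded to one port per VLAN.
        Entering it again for another port reassigns it to the new port."""
        self.entries[(vlan, mac)] = {"port": port, "kind": "secure"}

    def add_static(self, mac, port, vlan):
        """Manually entered unicast or multicast entry that never ages out."""
        self.entries[(vlan, mac)] = {"port": port, "kind": "static"}

    def learn(self, mac, port, vlan):
        """Dynamic learning from a received frame; returns True if learned."""
        existing = self.entries.get((vlan, mac))
        if existing and existing["kind"] != "dynamic":
            return False    # manual entries are not overwritten by learning (assumed)
        if "static" in self._kinds_of(mac):
            return False    # static in another VLAN: flooded here, not learned
        self.entries[(vlan, mac)] = {"port": port, "kind": "dynamic"}
        return True

    def lookup(self, mac, vlan):
        """Egress port for the address in this VLAN, or FLOOD if unknown there."""
        entry = self.entries.get((vlan, mac))
        return entry["port"] if entry else FLOOD

    def age_out(self):
        """Expire every dynamic entry; manually entered ones are retained."""
        self.entries = {k: e for k, e in self.entries.items() if e["kind"] != "dynamic"}


if __name__ == "__main__":
    table = AddressTable()
    table.add_secure("0003.0003.0003", "fa2/8", 2)
    table.add_static("0001.6443.6440", "fa2/8", 1)
    print(table.lookup("0003.0003.0003", 2), table.lookup("0003.0003.0003", 1))
    print(table.learn("0001.6443.6440", "fa2/3", 2))   # static elsewhere: not learned
```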
SUMMARY STEPS
1. enable
2. configure terminal
3. mac-address-table secure mac-address {fastethernet | gigabitethernet} slot/port vlan vlan-id
4. mac-address-table [dynamic | static ] mac-address {fastethernet | gigabitethernet} slot/port vlan
vlan-id
DETAILED STEPS
Example:
Router# configure terminal

Step 3 mac-address-table secure mac-address {fastethernet | gigabitethernet} slot/port vlan vlan-id
Secures the MAC address traffic on the port.
• Use the no form of this command to restore the defaults.
Example:
Router(config)# mac-address-table secure 0003.0003.0003 fastethernet 2/8 vlan 2

Step 4 mac-address-table [dynamic | static] mac-address {fastethernet | gigabitethernet} slot/port vlan vlan-id
Creates a static or dynamic entry in the MAC address table.
Note Only the port where the link is up will see the dynamic entry validated in the EtherSwitch network module.
Example:
Router(config)# mac-address-table static 0001.6443.6440 fastethernet 2/8 vlan 1

Step 5 mac-address-table aging-time seconds
Configures the MAC address aging-timer age in seconds.
• Default aging time is 300 seconds.
Example:
Router(config)# mac-address-table aging-time 23

Step 6 exit
Exits global configuration mode and returns the router to privileged EXEC mode.
Example:
Router(config)# exit

Step 7 show mac-address-table [aging-time | secure]
(Optional) Displays information about the MAC address table.
Example:
Router# show mac-address-table secure
Examples
Sample Output for the show mac-address-table Command
In the following example, output information is displayed to verify the configuration of the secure port:
Router# show mac-address-table secure
In the following example, information about static and dynamic addresses in the MAC address table is
displayed:
In the following example, information about the MAC address aging timer is displayed:
– EtherChannel port—Before enabling 802.1x on the port, you must first remove the port from the EtherChannel. If you try to enable 802.1x on an EtherChannel or on an active port in an EtherChannel, an error message appears, and 802.1x is not enabled. If you enable 802.1x on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.
– Switch Port Analyzer (SPAN) destination port—You can enable 802.1x on a port that is a SPAN destination port; however, 802.1x is disabled until the port is removed as a SPAN destination. You can enable 802.1x on a SPAN source port.
Table 19 shows the default 802.1x configuration.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication dot1x default group radius
5. interface type slot/port
6. dot1x port-control [auto | force-authorized | force-unauthorized]
7. exit
DETAILED STEPS
Command Description
Step 1 enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable

Step 2 configure terminal
Enters global configuration mode.
Example:
Router# configure terminal

Step 3 aaa new-model
Enables AAA.
Example:
Router(config)# aaa new-model

Step 4 aaa authentication dot1x default group radius
Creates an 802.1x authentication method list.
To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
Enter at least one of these keywords:
• group radius—Use the list of all RADIUS servers for authentication.
• none—Use no authentication. The client is automatically authenticated without the switch using the information supplied by the client.
Example:
Router(config)# aaa authentication dot1x default group radius

Step 5 interface type slot/port
Enters interface configuration mode and specifies the interface to be enabled for 802.1x port-based authentication.
Example:
Router(config)# interface fastethernet 5/1

Step 6 dot1x port-control [auto | force-authorized | force-unauthorized]
Enables 802.1x port-based authentication on the interface.
For feature interaction information with trunk, dynamic, dynamic-access, EtherChannel, secure, and SPAN ports, see the “802.1x Authentication Guidelines for the EtherSwitch network module” section on page 269.
Example:
Router(config-if)# dot1x port-control auto

Step 7 exit
Exits interface configuration mode and returns the router to global configuration mode.
• Repeat this command to exit global configuration mode and return to privileged EXEC mode.
Example:
Router(config)# exit
RADIUS security servers are identified by their host name or IP address, host name and specific UDP
port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP
port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP
ports on a server at the same IP address. If two different host entries on the same RADIUS server are
configured for the same service—for example, authentication—the second host entry configured acts as
the fail-over backup to the first one. The RADIUS host entries are tried in the order that they were
configured.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip radius source-interface interface-name
4. radius-server host {hostname | ip-address} auth-port port-number key string
5. radius-server key string
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3 ip radius source-interface interface-name
Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.
Example:
Router(config)# ip radius source-interface ethernet1
Step 4 radius-server host {hostname | ip-address} auth-port port-number key string
Configures the RADIUS server parameters on the switch.
• Use the hostname or ip-address argument to specify the host name or IP address of the remote RADIUS
server.
• Use the auth-port port-number keyword and argument to specify the UDP destination port for
authentication requests. The default is 1645.
• Use the key string keyword and argument to specify the authentication and encryption key used between
the switch and the RADIUS daemon running on the RADIUS server. The key is a text string that must
match the encryption key used on the RADIUS server.
Note Always configure the key as the last item in the radius-server host command syntax because leading
spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key,
do not enclose the key in quotation marks unless the quotation marks are part of the key. This key must
match the encryption used on the RADIUS daemon.
Example:
Router(config)# radius-server host 172.16.39.46 auth-port 1612 key rad123
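The key-matching rule in the Note above is easy to get wrong because a mismatch does not produce a parse error; it only shows up when the switch cannot validate the server's reply. The following is an added example (not Cisco code) that applies the Note's parsing rule to a radius-server host line and then verifies a RADIUS Response Authenticator (RFC 2865) with the resulting key, using a constructed Access-Accept; the packet bytes and the demo() helper are assumptions for illustration.

```python
import hashlib
import hmac
import struct

def parse_radius_host_key(config_line: str) -> bytes:
    """Extract the shared secret from a 'radius-server host ... key string' line.

    Mirrors the rule in the Note above: the key is everything after the 'key'
    keyword, leading spaces are ignored, spaces inside and at the end of the
    key are significant, and quotation marks are part of the key.
    """
    marker = " key "
    idx = config_line.find(marker)
    if idx < 0:
        raise ValueError("no 'key' keyword in: %r" % config_line)
    return config_line[idx + len(marker):].lstrip(" ").encode()

def response_authenticator(code: int, identifier: int, length: int,
                           request_auth: bytes, attributes: bytes, secret: bytes) -> bytes:
    # RFC 2865, section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def build_access_accept(identifier: int, request_auth: bytes,
                        attributes: bytes, secret: bytes) -> bytes:
    """What the RADIUS daemon sends back: Code 2 (Access-Accept) plus the authenticator."""
    length = 20 + len(attributes)
    auth = response_authenticator(2, identifier, length, request_auth, attributes, secret)
    return struct.pack("!BBH", 2, identifier, length) + auth + attributes

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The switch side: reject any reply whose authenticator was not built with our key."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, length, request_auth,
                                      packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

def demo() -> tuple:
    """Constructed exchange: the server is configured with 'rad123'; two switch
    configurations are checked against the same reply."""
    request_auth = bytes(range(16))            # constructed; a real NAS uses random bytes
    attrs = bytes([6, 6, 0, 0, 0, 2])          # Service-Type = Framed-User (constructed)
    reply = build_access_accept(7, request_auth, attrs, b"rad123")
    # Extra spaces before the key are ignored, so this switch config matches the server ...
    leading = parse_radius_host_key(
        "radius-server host 172.16.39.46 auth-port 1612 key    rad123")
    # ... but a trailing space is part of the key, so this one silently mismatches.
    trailing = parse_radius_host_key(
        "radius-server host 172.16.39.46 auth-port 1612 key rad123 ")
    return (verify_response(reply, request_auth, leading),
            verify_response(reply, request_auth, trailing))

if __name__ == "__main__":
    print(demo())   # (True, False)
```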
Note You should change the default values of these commands only to adjust for unusual circumstances
such as unreliable links or specific behavioral problems with certain clients and authentication
servers.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {ethernet | fastethernet | gigabitethernet} slot/port
DETAILED STEPS
Step 1 enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface {ethernet | fastethernet | gigabitethernet} slot/port
Specifies the interface to which multiple hosts are indirectly attached and enters interface configuration
mode.
Example:
Router(config)# interface fastethernet 5/6
Step 4 dot1x port-control [auto | force-authorized | force-unauthorized]
Enables 802.1x port-based authentication on the interface.
For feature interaction information with trunk, dynamic, dynamic-access, EtherChannel, secure, and SPAN
ports, see the “802.1x Authentication Guidelines for the EtherSwitch network module” section on page 269.
Example:
Router(config-if)# dot1x port-control auto
Step 5 dot1x multiple-hosts
Allows multiple hosts (clients) on an 802.1x-authorized port.
Note Make sure that the dot1x port-control interface configuration command is set to auto for the
specified interface.
Example:
Router(config-if)# dot1x multiple-hosts
Step 6 exit
Exits interface configuration mode and returns the router to global configuration mode.
Example:
Router(config-if)# exit
Step 7 dot1x max-req number-of-retries
Sets the number of times that the switch sends an EAP-request/identity frame to the client before
restarting the authentication process.
• The range is from 1 to 10; the default is 2.
Example:
Router(config)# dot1x max-req 3
Step 8 dot1x re-authentication
Enables periodic reauthentication of the client, which is disabled by default.
• The reauthentication period can be set using the dot1x timeout command.
Example:
Router(config)# dot1x re-authentication
Step 9 dot1x timeout re-authperiod value
Sets the number of seconds between reauthentication attempts.
• The range is from 1 to 4294967295; the default is 3600 seconds.
Note This command affects the behavior of the switch only if periodic reauthentication is enabled.
Example:
Router(config)# dot1x timeout re-authperiod 1800
Step 10 dot1x timeout tx-period value
Sets the number of seconds that the EtherSwitch network module waits for a response to an
EAP-request/identity frame from the client before retransmitting the request.
• The range is from 1 to 65535 seconds; the default is 30.
Example:
Router(config)# dot1x timeout tx-period 60
Step 11 dot1x timeout quiet-period value
Sets the number of seconds that the EtherSwitch network module remains in a quiet state following a
failed authentication exchange with the client.
• The range is from 1 to 65535 seconds; the default is 60.
Example:
Router(config)# dot1x timeout quiet-period 600
Step 12 dot1x default
Resets the configurable 802.1x parameters to the default values.
Example:
Router(config)# dot1x default
Step 13 exit
Exits global configuration mode and returns the router to privileged EXEC mode.
Example:
Router(config)# exit
Step 14 show dot1x [statistics] [interface interface-type interface-number]
(Optional) Displays 802.1x statistics, administrative status, and operational status for the EtherSwitch
network module or a specified interface.
Example:
Router# show dot1x statistics interface fastethernet 0/1
Examples
Sample Output for the show dot1x Command
In the following example, statistics appear for all the physical ports for the specified interface:
Router# show dot1x statistics interface fastethernet 0/1
FastEthernet0/1
Last EAPOLVer   Last EAPOLSrc
1               0002.4b29.2a03
In the following example, global 802.1x parameters and a summary are displayed:
Router# show dot1x
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {ethernet | fastethernet | gigabitethernet} slot/port
4. power inline {auto | never}
5. exit
6. show power inline
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface {ethernet | fastethernet | gigabitethernet} slot/port
Selects the Ethernet interface to configure and enters interface configuration mode.
Example:
Router(config)# interface fastethernet 5/6
Step 4 power inline {auto | never}
Configures the port to supply inline power automatically to a Cisco IP phone.
• Use the never keyword to permanently disable inline power on the port.
Example:
Router(config-if)# power inline auto
Step 5 exit
Exits interface configuration mode and returns the router to global configuration mode.
• Repeat this command to exit global configuration mode and return to privileged EXEC mode.
Example:
Router(config-if)# exit
Step 6 show power inline
(Optional) Displays information about the power configuration on the ports.
Example:
Router# show power inline
Examples
Sample Output for the show power inline Command
In the following example, output information is displayed to verify the power configuration on the ports:
Router# show power inline
SUMMARY STEPS
1. enable
2. configure terminal
3. storm-control {{{broadcast | multicast | unicast} level level [lower-level]} | action shutdown}
4. exit
5. show interface [interface-type interface-number] counters {broadcast | multicast | unicast}
DETAILED STEPS
Example:
Router# configure terminal
Step 3 storm-control {{{broadcast | multicast | unicast} level level [lower-level]} | action shutdown}
Specifies the global broadcast, multicast, or unicast storm control suppression level as a percentage of
total bandwidth.
• A threshold value of 100 percent means that no limit is placed on the specified type of traffic.
• Use the level keyword and argument to specify the threshold value.
• Use the no form of this command to restore the defaults.
Example:
Router(config)# storm-control broadcast level 75
Step 4 exit
Exits global configuration mode and returns the router to privileged EXEC mode.
Example:
Router(config)# exit
Step 5 show interface [interface-type interface-number] counters {broadcast | multicast | unicast}
(Optional) Displays the type of storm control suppression counter currently in use and displays the
number of discarded packets.
• Use the interface-type and interface-number arguments to display the type of storm control
suppression counter for a specified interface.
Example:
Router# show interface counters broadcast
Examples
Sample Output for the show interface counters Command
In the following example, output information is displayed to verify the number of packets discarded for
the specified storm control suppression:
Router# show interface counters broadcast
Port BcastSuppDiscards
Fa0/1 0
Fa0/2 0
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {ethernet | fastethernet | gigabitethernet} slot/port
4. storm-control {{{broadcast | multicast | unicast} level level [lower-level]} | action shutdown}
5. storm-control action shutdown
6. exit
7. show storm-control [interface-type interface-number] [broadcast | multicast | unicast | history]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface {ethernet | fastethernet | gigabitethernet} slot/port
Selects the Ethernet interface to configure and enters interface configuration mode.
Example:
Router(config)# interface fastethernet 5/6
Step 4 storm-control {{{broadcast | multicast | unicast} level level [lower-level]} | action shutdown}
Configures broadcast, multicast, or unicast per-port storm control.
• Use the level keyword and argument to specify the rising threshold level for either broadcast,
multicast, or unicast traffic. The storm control action occurs when traffic utilization reaches this
level.
• Use the optional lower-level argument to specify the falling threshold level. The normal transmission
restarts (if the action is filtering) when traffic drops below this level.
• A threshold value of 100 percent means that no limit is placed on the specified type of traffic.
• Use the no form of this command to restore the defaults.
Example:
Router(config-if)# storm-control multicast level 80
Examples
Sample Output for the show storm-control Command
In the following example, output information is displayed to verify the number of packets discarded for
the specified storm control suppression:
Router# show storm-control broadcast
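The rising and falling thresholds in Step 4 above form a hysteresis loop, and omitting lower-level makes the falling threshold equal to the rising one, so a port near the limit flaps between filtering and forwarding. The following is an added example (not Cisco code) that models that behaviour for one traffic type on one port; the utilization samples, the state names and the run() helper are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class StormControl:
    """Per-port storm control for one traffic type (broadcast, multicast or unicast)."""
    level: float                          # rising threshold, percent of bandwidth
    lower_level: Optional[float] = None   # falling threshold; same as level if omitted
    action: str = "filter"                # "filter" (drop that traffic type) or "shutdown"
    filtering: bool = field(default=False, init=False)
    shut_down: bool = field(default=False, init=False)

    def __post_init__(self) -> None:
        if self.lower_level is None:
            self.lower_level = self.level
        if not 0 <= self.lower_level <= self.level <= 100:
            raise ValueError("need 0 <= lower-level <= level <= 100")
        if self.action not in ("filter", "shutdown"):
            raise ValueError("action must be 'filter' or 'shutdown'")

    def observe(self, utilization: float) -> str:
        """Feed one measurement interval (percent of bandwidth) and return the port's
        state for that traffic type afterwards: 'forward', 'filter' or 'shutdown'."""
        if self.level == 100:             # 100 percent: no limit on this traffic type
            return "forward"
        if self.shut_down:                # a shut-down port stays down until an admin acts
            return "shutdown"
        if not self.filtering and utilization >= self.level:
            if self.action == "shutdown":
                self.shut_down = True
                return "shutdown"
            self.filtering = True         # rising threshold reached: start dropping
        elif self.filtering and utilization < self.lower_level:
            self.filtering = False        # fell below the falling threshold: resume
        return "filter" if self.filtering else "forward"

def run(control: StormControl, samples: List[float]) -> List[str]:
    """Apply a series of utilization samples and collect the resulting states."""
    return [control.observe(u) for u in samples]

if __name__ == "__main__":
    # Constructed samples: a multicast burst that decays slowly.
    burst = [10, 80, 75, 70, 65, 59, 30]
    print(run(StormControl(level=80, lower_level=60), burst))   # filters until it drops below 60
    print(run(StormControl(level=80), burst))                   # resumes as soon as it dips under 80
```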
Restrictions
• Cisco IOS software creates port-channel interfaces for Layer 2 EtherChannels when you configure
Layer 2 Ethernet interfaces with the channel-group command. You cannot put Layer 2 Ethernet
interfaces into a manually created port-channel interface.
• Layer 2 interfaces must be connected and functioning for Cisco IOS software to create port-channel
interfaces for Layer 2 EtherChannels.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {ethernet | fastethernet | gigabitethernet} slot/port
4. channel-group port-channel-number mode on
5. Repeat Steps 3 through 4 for each Ethernet interface to be added as a Layer 2 EtherChannel.
6. exit
7. port-channel load-balance {src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip}
8. no interface port-channel port-channel-number
9. exit
10. show interfaces fastethernet slot/port {etherchannel | switchport | trunk}
11. show etherchannel [channel-group] {port-channel | brief | detail | summary | port |
load-balance}
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface {ethernet | fastethernet | gigabitethernet} slot/port
Selects the Ethernet interface to configure.
Example:
Router(config)# interface fastethernet 5/6
Step 4 channel-group port-channel-number mode on
Configures the interface in a port-channel.
• In this example, EtherChannel group 2 is configured.
Example:
Router(config-if)# channel-group 2 mode on
Step 5 Repeat Steps 3 through 4 for each Ethernet interface to be added as a Layer 2 EtherChannel.
Step 6 exit
Exits interface configuration mode and returns the router to global configuration mode.
Example:
Router(config-if)# exit
Example:
Router# show etherchannel 2 port-channel
Examples
Sample Output for the show interfaces fastethernet Command
In the following example, output information is displayed to verify the configuration of Fast Ethernet
interface as a Layer 2 EtherChannel:
Router# show interfaces fastethernet 5/6 etherchannel
Partner’s information:
Port-channel: Po2
------------
SUMMARY STEPS
1. enable
2. set port flowcontrol {receive | send} [mod-number/port-number] {off | on | desired}
3. show port flowcontrol
DETAILED STEPS
Example:
Router# set port flowcontrol 5/1 receive on
Step 3 show port flowcontrol
(Optional) Displays information about the flow control for Gigabit Ethernet ports.
Example:
Router# show port flowcontrol
Examples
Sample Output for the show port flowcontrol Command
In the following example, output information is displayed to verify the flow control configuration on
Gigabit Ethernet ports:
Router# show port flowcontrol
SUMMARY STEPS
1. enable
2. configure terminal
3. interface gigabitethernet slot/port
4. switchport stacking-partner interface gigabit slot/port
5. exit
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface gigabitethernet slot/port
Selects the Gigabit Ethernet interface to configure.
Example:
Router(config)# interface gigabitethernet 2/0
Step 4 switchport stacking-partner interface gigabitethernet slot/port
Creates the intrachassis stacking between the current Gigabit Ethernet (GE) interface and the stacking
link partner GE interface.
• In this example, GE interface 2/0 is stacked on GE interface 3/0 to form an extended VLAN within one
chassis on the router.
Example:
Router(config-if)# switchport stacking-partner interface gigabitethernet 3/0
Step 5 exit
Exits interface configuration mode and returns the router to global configuration mode.
• Repeat this command to exit global configuration mode and return to privileged EXEC mode.
Example:
Router(config-if)# exit
SUMMARY STEPS
1. enable
2. configure terminal
3. monitor session session-number {source interface interface-type slot/port | vlan vlan-id} [, | - | rx
| tx | both]
4. monitor session session-number {destination interface interface-type slot/port [, | - ] | vlan
vlan-id}
5. exit
DETAILED STEPS
Example:
Router# configure terminal
Step 3 monitor session session-number {source interface interface-type slot/port | vlan vlan-id}
[, | - | rx | tx | both]
Specifies the SPAN session number, the source interface or VLAN, and the traffic direction to be
monitored.
Note Multiple SPAN sessions can be configured, but only one SPAN session is supported at a time.
Example:
Router(config)# monitor session 1 source interface fastethernet 5/1 both
Step 4 monitor session session-number {destination interface interface-type slot/port [, | -] | vlan
vlan-id}
Specifies the SPAN session number and the destination interface or VLAN.
Example:
Router(config)# monitor session 1 destination interface fastethernet 5/48
Step 5 exit
Exits global configuration mode and returns the router to privileged EXEC mode.
Example:
Router(config)# exit
Note A Layer 3 switch can have an IP address assigned to each routed port and SVI. The number of routed
ports and SVIs that you can configure is not limited by software; however, the interrelationship
between this number and the number of other features being configured might have an impact on
CPU utilization because of hardware limitations.
All Layer 3 interfaces require an IP address to route traffic (a routed port cannot obtain an IP address
from a DHCP server, but the router can act as a DHCP server and serve IP addresses through a routed
port).
Routed ports support only CEF switching (IP fast switching is not supported).
Note If the physical port is in Layer 2 mode (the default), you must enter the no switchport interface
configuration command to put the interface into Layer 3 mode. Entering a no switchport command
disables and then reenables the interface, which might generate messages on the device to which the
interface is connected. When you use this command to put the interface into Layer 3 mode, you are
also deleting any Layer 2 characteristics configured on the interface. (Also, when you return the
interface to Layer 2 mode, you are deleting any Layer 3 characteristics configured on the interface.)
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {ethernet | fastethernet | gigabitethernet} slot/port
4. no switchport
5. ip address ip-address mask
6. no shutdown
7. exit
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface {ethernet | fastethernet | gigabitethernet} slot/port
Selects the Ethernet interface to configure.
Example:
Router(config)# interface gigabitethernet 0/10
Example:
Router(config-if)# ip address 10.1.2.3 255.255.0.0
Step 6 no shutdown
Activates the interface. (Required only if you shut down the interface.)
Example:
Router(config-if)# no shutdown
Step 7 exit
Exits interface configuration mode and returns the router to global configuration mode.
• Repeat this command to exit global configuration mode and return to privileged EXEC mode.
Example:
Router(config-if)# exit
SUMMARY STEPS
1. enable
2. configure terminal
3. ip multicast-routing
4. interface vlan vlan-id
5. ip pim {dense-mode | sparse-mode | sparse-dense-mode}
6. exit
7. show ip pim [vrf vrf-name] interface [interface-type interface-number] [df | count] [rp-address]
[detail]
8. show ip mroute [vrf vrf-name] [group-address | group-name] [source-address | source-name]
[interface-type interface-number] [summary] [count] [active kbps]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip multicast-routing
Enables IP multicast routing globally.
Example:
Router(config)# ip multicast-routing
Step 4 interface vlan vlan-id
Selects the interface to configure.
Example:
Router(config)# interface vlan 10
Step 5 ip pim {dense-mode | sparse-mode | sparse-dense-mode}
Enables IP PIM on a Layer 3 interface.
Example:
Router(config-if)# ip pim sparse-mode
Step 6 exit
Exits interface configuration mode and returns the router to global configuration mode.
• Repeat this command to exit global configuration mode and return to privileged EXEC mode.
Example:
Router(config-if)# exit
Step 7 show ip pim [vrf vrf-name] interface [interface-type interface-number] [df | count] [rp-address]
[detail]
Verifies the IP multicast Layer 3 switching enable state on IP PIM interfaces.
• Use the count keyword to display the number of packets received and sent on the interface.
Example:
Router# show ip pim interface count
Step 8 show ip mroute [vrf vrf-name] [group-address | group-name] [source-address | source-name]
[interface-type interface-number] [summary] [count] [active kbps]
Displays the contents of the IP multicast routing (mroute) table.
Example:
Router# show ip mroute count
Examples
Sample Output for the show ip pim Command
In the following example, output information is displayed to verify the IP multicast Layer 3 switching
information for an IP PIM Layer 3 interface:
IP Multicast Statistics
56 routes using 28552 bytes of memory
13 groups, 3.30 average sources per group
Forwarding Counts:Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts:Total/RPF failed/Other drops(OIF-null, rate-limit etc)
Note The negative counter means that the outgoing interface list of the corresponding entry is NULL, and this
indicates that this flow is still active.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip igmp snooping
4. ip igmp snooping vlan vlan-id
5. ip igmp snooping vlan vlan-id immediate-leave
6. ip igmp snooping vlan vlan-id static mac-address interface interface-type slot/port
7. ip igmp snooping vlan vlan-id mrouter {interface interface-type slot/port | learn pim-dvmrp}
8. exit
9. show ip igmp snooping [vlan vlan-id]
10. show ip igmp snooping mrouter [vlan vlan-id]
11. show mac-address-table multicast [vlan vlan-id] [user | igmp-snooping] [count]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip igmp snooping
Globally enables IGMP snooping on all existing VLAN interfaces.
Example:
Router(config)# ip igmp snooping
Step 4 ip igmp snooping vlan vlan-id
Enables IGMP snooping on the specified VLAN interface.
Example:
Router(config)# ip igmp snooping vlan 10
Step 5 ip igmp snooping vlan vlan-id immediate-leave
Enables IGMP Immediate-Leave processing on the specified VLAN interface.
Example:
Router(config)# ip igmp snooping vlan 10 immediate-leave
To configure fallback bridging for a set of SVIs or routed ports, these interfaces must be assigned to
bridge groups. All interfaces in the same group belong to the same bridge domain. Each SVI or routed
port can be assigned to only one bridge group. A maximum of 31 bridge groups can be configured on
the switch.
Note The protected port feature is not compatible with fallback bridging. When fallback bridging is
enabled, it is possible for packets to be forwarded from one protected port on a switch to another
protected port on the same switch if the ports are in different VLANs.
By default, the switch forwards any frames for stations that it has dynamically learned. By disabling this
activity, the switch only forwards frames whose addresses have been statically configured into the
forwarding cache.
A switch forwards, floods, or drops packets based on the bridge table. The bridge table maintains both
static and dynamic entries. Static entries are entered by you or learned by the switch. Dynamic entries
are entered by the bridge learning process. A dynamic entry is automatically removed after a specified
length of time, known as aging time, from the time the entry was created or last updated.
If you are likely to move hosts on a switched network, decrease the aging-time to enable the switch to
quickly adapt to the change. If hosts on a switched network do not continuously send packets, increase
the aging time to keep the dynamic entries for a longer time and thus reduce the possibility of flooding
when the hosts send again.
SUMMARY STEPS
1. enable
2. configure terminal
3. bridge bridge-group protocol vlan-bridge
4. interface {ethernet | fastethernet | gigabitethernet} slot/port
5. bridge-group bridge-group
6. exit
7. bridge bridge-group address mac-address {forward | discard} [interface-type interface-number]
8. no bridge bridge-group acquire
9. bridge bridge-group aging-time seconds
10. exit
DETAILED STEPS
Example:
Router# configure terminal
Step 3 bridge bridge-group protocol vlan-bridge
Assigns a bridge group number, and specifies the VLAN-bridge spanning-tree protocol to run in the bridge
group.
• Use the bridge-group argument to specify the bridge group number. The range is 1 to 255. You can
create up to 31 bridge groups.
Note Frames are bridged only among interfaces in the same group.
Example:
Router(config)# bridge 10 protocol vlan-bridge
Note Only network administrators with a good understanding of how switches and STP function should
make adjustments to spanning-tree parameters. Poorly planned adjustments can have a negative
impact on performance. A good source on switching is the IEEE 802.1d specification; for more
information, refer to the “References and Recommended Reading” appendix in the Cisco IOS
Configuration Fundamentals and Network Management Command Reference, Release 12.3 T.
Switch Priority
You can globally configure the priority of an individual switch when two switches tie for position as the
root switch, or you can configure the likelihood that a switch will be selected as the root switch. This
priority is determined by default; however, you can change it.
Interface Priority
You can change the priority for an interface. When two switches tie for position as the root switch, you
configure an interface priority to break the tie. The switch with the lowest interface value is elected.
Each interface has a path cost associated with it. By convention, the path cost is 1000/data rate of the
attached LAN, in Mbps.
You can adjust three different BPDU intervals. The interval between hello BPDUs can be set. The
forward-delay interval is the amount of time spent listening for topology change information after an
interface has been activated for switching and before forwarding actually begins. The maximum-idle
interval specifies the amount of time the switch waits to hear BPDUs from the root switch. If a switch
does not hear BPDUs from the root switch within the specified interval, it recomputes the spanning-tree
topology.
Note Each switch in a spanning tree adopts the interval between hello BPDUs, the forward delay interval,
and the maximum idle interval parameters of the root switch, regardless of what its individual
configuration might be.
SUMMARY STEPS
1. enable
2. configure terminal
3. bridge bridge-group hello-time seconds
4. bridge bridge-group forward-time seconds
5. bridge bridge-group max-age seconds
6. exit
DETAILED STEPS
Example:
Router# configure terminal
Step 3 bridge bridge-group hello-time seconds
Specifies the interval between hello BPDUs.
• Use the bridge-group argument to specify the bridge group number. The range is from 1 to 255.
• Use the seconds argument to enter a number from 1 to 10. The default is 2 seconds.
Example:
Router(config)# bridge 10 hello-time 5
Step 4 bridge bridge-group forward-time seconds
Specifies the forward-delay interval.
• Use the bridge-group argument to specify the bridge group number. The range is from 1 to 255.
• Use the seconds argument to enter a number from 10 to 200. The default is 20 seconds.
Example:
Router(config)# bridge 10 forward-time 10
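The three timers above are not independent: IEEE 802.1D requires 2 * (forward-time - 1) >= max-age >= 2 * (hello-time + 1), and the CLI does not enforce this across separate commands. The following is an added example (not Cisco code) that checks a bridge-group timer set against the ranges given in this procedure and that relationship, and computes the resulting worst-case reconvergence time; the max-age range (6 to 200, default 20) is not stated on this page and is an assumption.

```python
from typing import Dict, List

# Ranges from this procedure (hello-time 1-10, default 2; forward-time 10-200, default 20).
# The max-age range is not given on this page; 6-200 with a default of 20 is assumed.
RANGES = {"hello-time": (1, 10), "forward-time": (10, 200), "max-age": (6, 200)}
DEFAULTS = {"hello-time": 2, "forward-time": 20, "max-age": 20}

def check_bridge_timers(hello: int = 2, forward: int = 20, max_age: int = 20) -> List[str]:
    """Return the problems with a bridge-group timer set (an empty list means it is consistent).

    Besides the per-command ranges, IEEE 802.1D requires
        2 * (forward-time - 1) >= max-age >= 2 * (hello-time + 1)
    so that root information is not aged out before the root can repeat a hello,
    and so that stale information has aged out before a port starts forwarding.
    """
    problems = []
    for name, value in (("hello-time", hello), ("forward-time", forward), ("max-age", max_age)):
        lo, hi = RANGES[name]
        if not lo <= value <= hi:
            problems.append(f"{name} {value} is outside {lo}-{hi} seconds")
    if max_age > 2 * (forward - 1):
        problems.append(f"max-age {max_age} > 2*(forward-time-1) = {2 * (forward - 1)}")
    if max_age < 2 * (hello + 1):
        problems.append(f"max-age {max_age} < 2*(hello-time+1) = {2 * (hello + 1)}")
    return problems

def worst_case_reconvergence(timers: Dict[str, int]) -> int:
    """Seconds before a port can forward again after an indirect link failure:
    max-age to expire the stale root information, then listening and learning,
    one forward-delay each (802.1D). Missing keys take the defaults."""
    t = {**DEFAULTS, **timers}
    return t["max-age"] + 2 * t["forward-time"]

if __name__ == "__main__":
    # The page's own example values (hello-time 5, forward-time 10) with the default max-age:
    print(check_bridge_timers(hello=5, forward=10))
    print(worst_case_reconvergence({}))   # defaults: 20 + 2*20 = 60 seconds
```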
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {ethernet | fastethernet | gigabitethernet} slot/port
4. bridge bridge-group spanning-disabled
5. exit
DETAILED STEPS
Example:
Router# configure terminal
Restrictions
The EtherSwitch network module does not support these Cisco IOS router ACL-related features:
• Non-IP protocol ACLs (see Table 21 on page 302).
• Bridge-group ACLs.
• IP accounting.
• ACL support on the outbound direction.
• Inbound and outbound rate limiting (except with QoS ACLs).
• IP packets with a header length of less than five are not to be access-controlled.
• Reflexive ACLs.
• Dynamic ACLs.
• ICMP-based filtering.
• IGMP-based filtering.
ACL Numbers
The number you use to denote your ACL shows the type of access list that you are creating. Table 21
lists the access list number and corresponding type and shows whether or not they are supported by the
switch. The EtherSwitch network module supports IP standard and IP extended access lists, numbers 1
to 199 and 1300 to 2699.
Note In addition to numbered standard and extended ACLs, you can also create standard and extended
named IP ACLs by using the supported numbers. That is, the name of a standard IP ACL can be 1 to
99; the name of an extended IP ACL can be 100 to 199. The advantage of using named ACLs instead
of numbered lists is that you can delete individual entries from a named list.
Note An attempt to apply an unsupported ACL feature to an EtherSwitch network module interface
produces an error message.
Note When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny
statement for all packets that it did not find a match for before reaching the end. With standard access
lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to
be the mask.
SUMMARY STEPS
1. enable
2. configure terminal
3. access-list access-list-number {deny | permit | remark} {source source-wildcard | host source |
any}
4. exit
5. show access-lists [number | name]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 access-list access-list-number {deny | permit | remark} {source source-wildcard | host source |
any}
Defines a standard IP ACL by using a source address and wildcard.
• The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
• Enter the deny or permit keywords to specify whether to deny or permit access if conditions are
matched.
• The source is the source address of the network or host from which the packet is being sent, and is a
32-bit number in dotted-decimal format.
• The source-wildcard applies wildcard bits to the source address.
• The keyword host is an abbreviation for source and source-wildcard of source 0.0.0.0.
• The keyword any is an abbreviation for source and source-wildcard of 0.0.0.0 255.255.255.255. You do
not need to enter a source-wildcard.
Example:
Router(config)# access-list 2 deny host 172.17.198.102
Step 4 exit
Exits global configuration mode and returns the router to privileged EXEC mode.
Example:
Router(config)# exit
Step 5 show access-lists [number | name]
Displays access list configuration information.
Example:
Router# show access-lists
Extended ACLs
Although standard ACLs use only source addresses for matching, an extended ACL can match on both source
and destination addresses and on optional protocol type information for finer granularity of control.
Some protocols also have specific parameters and keywords that apply to that protocol.
These IP protocols are supported (protocol keywords are in parentheses in bold): Internet Protocol (ip),
Transmission Control Protocol (tcp), or User Datagram Protocol (udp).
Supported parameters can be grouped into these categories:
• TCP
• UDP
Table 22 lists the possible filtering parameters for ACEs for each protocol type.
For more details on the specific keywords relative to each protocol, refer to the Cisco IP Command
Reference for Cisco IOS Release 12.3 T.
Note The EtherSwitch network module does not support dynamic or reflexive access lists. It also does not
support filtering based on the minimize-monetary-cost type of service (TOS) bit.
When creating ACEs in numbered extended access lists, remember that after you create the list, any
additions are placed at the end of the list. You cannot reorder the list or selectively add or remove ACEs
from a numbered list.
Use the no access-list access-list-number global configuration command to delete the entire access list.
You cannot delete individual ACEs from numbered access lists.
After an ACL is created, any additions (possibly entered from the terminal) are placed at the end of the
list. You can add ACEs to an ACL, but deleting any ACE deletes the entire ACL.
Note When creating an ACL, remember that, by default, the end of the access list contains an implicit deny
statement for all packets if it did not find a match before reaching the end.
SUMMARY STEPS
1. enable
2. configure terminal
3. access-list access-list-number {deny | permit | remark} protocol {source source-wildcard | host
source | any} [operator port] {destination destination-wildcard | host destination | any} [operator
port]
4. exit
5. show access-lists [number | name]
DETAILED STEPS
Example:
Router# configure terminal
Example:
Router# show access-lists
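To make the matching rules of the standard and extended ACL procedures above concrete (wildcard bits, the host and any abbreviations, the assumed 0.0.0.0 wildcard, port operators, first-match evaluation and the implicit deny at the end), the following is an added example (not Cisco code) that parses ACEs in the syntax shown in those steps and evaluates constructed packets against them. The packet dictionary format, the Ace and AccessList names and the operator set (eq, neq, gt, lt) are assumptions for illustration.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

AddrSpec = Tuple[str, str]                     # (address, wildcard)
PortTest = Optional[Callable[[int], bool]]     # None means "any port"

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _is_ip(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def _addr_spec(tokens: List[str]) -> AddrSpec:
    """Consume 'any' | 'host A' | 'A W' | 'A' from the front of the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255")
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    if tokens and _is_ip(tokens[0]):
        return (tok, tokens.pop(0))
    return (tok, "0.0.0.0")          # wildcard omitted: 0.0.0.0 is assumed (see the Note above)

_OPS = {"eq": lambda p, n: p == n, "neq": lambda p, n: p != n,
        "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}

def _port_op(tokens: List[str]) -> PortTest:
    """Consume an optional '<operator> <port>' pair; None means the port is not checked."""
    if tokens and tokens[0] in _OPS:
        op, port = tokens.pop(0), int(tokens.pop(0))
        test = _OPS[op]
        return lambda p: test(p, port)
    return None

class Ace:
    """One access control entry, parsed from the CLI syntax shown in the steps above."""
    def __init__(self, line: str, extended: bool) -> None:
        tokens = line.split()
        self.action = tokens.pop(0)
        if self.action not in ("permit", "deny"):
            raise ValueError("ACE must start with permit or deny: %r" % line)
        self.proto = tokens.pop(0) if extended else "ip"     # ip matches tcp and udp too
        self.src = _addr_spec(tokens)
        self.sport = _port_op(tokens) if extended else None
        self.dst = _addr_spec(tokens) if extended else ("0.0.0.0", "255.255.255.255")
        self.dport = _port_op(tokens) if extended else None

    def matches(self, pkt: Dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not wildcard_match(pkt["src"], *self.src) or not wildcard_match(pkt["dst"], *self.dst):
            return False
        if self.sport is not None and not self.sport(pkt.get("sport", 0)):
            return False
        if self.dport is not None and not self.dport(pkt.get("dport", 0)):
            return False
        return True

class AccessList:
    """Ordered ACEs evaluated first-match; the implicit deny at the end is built in."""
    def __init__(self, extended: bool, entries: List[str]) -> None:
        self.aces = [Ace(e, extended) for e in entries if not e.startswith("remark")]

    def evaluate(self, pkt: Dict) -> str:
        for ace in self.aces:
            if ace.matches(pkt):
                return ace.action
        return "deny"                 # implicit deny: nothing matched

if __name__ == "__main__":
    # Constructed extended ACL: SSH from one subnet to one host, no telnet at all, the rest allowed.
    acl = AccessList(True, ["remark mgmt", "permit tcp 10.2.0.0 0.0.255.255 host 10.1.2.3 eq 22",
                            "deny tcp any any eq 23", "permit ip any any"])
    pkt = {"proto": "tcp", "src": "10.2.9.9", "dst": "10.1.2.3", "sport": 40000, "dport": 22}
    print(acl.evaluate(pkt))
```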
What to Do Next
After creating an ACL, you must apply it to an interface, as described in the “Applying the ACL to an
Interface” section on page 311.
You can identify IP ACLs with an alphanumeric string (a name) rather than a number. You can use named
ACLs to configure more IP access lists on a switch than if you use numbered access lists. If you identify
your access list with a name rather than a number, the mode and command syntax are slightly different.
However, not all commands that use IP access lists accept a named ACL.
Note The name you give to a standard ACL or extended ACL can also be a number in the supported range
of access list numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended
IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you
can delete individual entries from a named list.
Note When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny
statement for all packets that it did not find a match for before reaching the end. With standard access
lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to
be the mask.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list standard {access-list-number | name}
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip access-list standard {access-list-number | name}
Defines a standard IP access list using a name and enters access-list configuration mode.
• The name argument can be a decimal number from 1 to 99.
Example:
Router(config)# ip access-list standard sales
Step 4 deny {source source-wildcard | host source | any}
or
permit {source source-wildcard | host source | any}
Specifies one or more conditions denied or permitted to determine if the packet is forwarded or dropped.
• host source represents a source and source wildcard of source 0.0.0.0.
• any represents a source and source wildcard of 0.0.0.0 255.255.255.255.
Example:
Router(config-acl)# deny 10.2.1.3 any
Example:
Router(config-acl)# permit 10.2.1.4 any
Step 5 exit
Exits access-list configuration mode and returns the router to global configuration mode.
• Repeat this command to exit global configuration mode and return to privileged EXEC mode.
Example:
Router(config-acl)# exit
Step 6 show access-lists [number | name]
Displays access list configuration information.
Example:
Router# show access-lists sales
Note The name you give to a standard ACL or extended ACL can also be a number in the supported range
of access list numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended
IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you
can delete individual entries from a named list.
Note When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny
statement for all packets for which no match was found before reaching the end. With standard access
lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to
be the mask.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list extended {access-list-number | name}
4. deny protocol {source source-wildcard | host source | any} [operator port] {destination
destination-wildcard | host destination | any} [operator port]
or
permit protocol {source source-wildcard | host source | any} [operator port] {destination
destination-wildcard | host destination | any} [operator port]
5. exit
6. show access-lists [number | name]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip access-list extended {access-list-number | name}
Defines an extended IP access list using a name and enters access-list configuration mode.
• The name argument can be a decimal number from 100 to 199.
Example:
Router(config)# ip access-list extended marketing
Step 4 deny protocol {source source-wildcard | host source | any} [operator port] {destination destination-wildcard | host destination | any} [operator port]
or
permit protocol {source source-wildcard | host source | any} [operator port] {destination destination-wildcard | host destination | any} [operator port]
Specifies one or more conditions denied or permitted to determine if the packet is forwarded or dropped.
See the “Configuring a Numbered Extended ACL” section on page 305 for definitions of protocols and other keywords.
• host source represents a source and source wildcard of source 0.0.0.0, and host destination represents a destination and destination wildcard of destination 0.0.0.0.
• any represents a source and source wildcard or destination and destination wildcard of 0.0.0.0 255.255.255.255.
Example:
Router(config-acl)# deny tcp any any
or
Router(config-acl)# permit tcp 10.2.1.4 0.0.0.255 any eq telnet
Step 5 exit
Exits access-list configuration mode and returns the router to global configuration mode.
• Repeat this command to exit global configuration mode and return to privileged EXEC mode.
Example:
Router(config-acl)# exit
Step 6 show access-lists [number | name]
Displays access list configuration information.
Example:
Router# show access-lists marketing
• When controlling access to a line, you must use a number. Numbered ACLs can be applied to lines.
• When controlling access to an interface, you can use a name or number.
Note The ip access-group interface configuration command is only valid when applied to a Layer 2
interface or a Layer 3 interface. If applied to a Layer 3 interface, the interface must have been
configured with an IP address. ACLs cannot be applied to interface port-channels.
For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL
permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch
discards the packet.
When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to
the interface and permits all packets. Remember this behavior if you use undefined ACLs for network
security.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {ethernet | fastethernet | gigabitethernet} slot/port
4. ip access-group {access-list-number | name} in
5. exit
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface {ethernet | fastethernet | gigabitethernet} slot/port
Specifies the Ethernet interface to which the ACL will be applied and enters interface configuration mode.
• The interface must be a Layer 2 interface or a routed port.
Example:
Router(config)# interface gigabitethernet 0/3
Step 4 ip access-group {access-list-number | name} in
Applies the ACL to inbound traffic on the interface.
Example:
Router(config-if)# ip access-group sales in
Step 5 exit
Exits interface configuration mode and returns the router to global configuration mode.
• Repeat this step one more time to exit global configuration mode.
Example:
Router(config-if)# exit
Prerequisites
Before configuring QoS, you must have a thorough understanding of the following items:
• The types of applications used and the traffic patterns on your network.
• Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reserve
bandwidth for voice and video streams?
• Bandwidth requirements and speed of the network.
• Location of congestion points in the network.
Restrictions
• If you have EtherChannel ports configured on your switch, you must configure QoS classification,
policing, mapping, and queueing on the individual physical ports that comprise the EtherChannel.
You must decide whether the QoS configuration should match on all ports in the EtherChannel.
• It is not possible to match IP fragments against configured IP extended ACLs to enforce QoS. IP
fragments are transmitted as best-effort. IP fragments are denoted by fields in the IP header.
• Control traffic (such as spanning-tree Bridge Protocol Data Units (BPDUs) and routing update
packets) received by the switch is subject to all ingress QoS processing.
• Only one ACL per class map and only one match command per class map are supported. The ACL
can have multiple access control entries, which are commands that match fields against the contents
of the packet.
• Policy maps with ACL classification in the egress direction are not supported and cannot be attached
to an interface by using the service-policy input policy-map-name interface configuration
command.
• In a policy map, the class named class-default is not supported. The switch does not filter traffic
based on the policy map defined by the class class-default policy-map configuration command.
For more information on guidelines for configuring ACLs, see the “Classification Based on QoS ACLs”
section on page 238.
Figure: Classification of traffic performed here (network diagram; image not reproduced)
Note The mls qos cos command replaced the switchport priority command in Cisco IOS Release
12.1(6)EA2.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {ethernet | fastethernet | gigabitethernet} slot/port
4. mls qos trust {cos | dscp}
5. mls qos cos {default-cos | override}
6. exit
7. show mls qos interface [interface-type slot/port] [policers]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface {ethernet | fastethernet | gigabitethernet} slot/port
Selects the Ethernet interface to be trusted and enters interface configuration mode.
• Valid interfaces include physical interfaces and SVIs.
Example:
Router(config)# interface fastethernet 0/1
Example:
Router# show mls qos interface fastethernet 0/1
Examples
The following is sample output from the show mls qos interface fastethernet 0/1 command:
Router# show mls qos interface fastethernet 0/1
FastEthernet0/1
trust state: trust cos
COS override: dis
default COS: 0
Note You can also create class maps during policy map creation by using the class policy-map
configuration command. For more information, see the “Classifying, Policing, and Marking Traffic
Using Policy Maps” section on page 319.
SUMMARY STEPS
1. enable
2. configure terminal
3. access-list access-list-number {deny | permit | remark} {source source-wildcard | host source |
any}
or
access-list access-list-number {deny | permit | remark} protocol {source source-wildcard | host
source | any} [operator-port] {destination destination-wildcard | host destination | any}
[operator-port]
4. class-map class-map-name
5. match access-group acl-index-or-name
6. exit
7. show class-map [class-map-name]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 access-list access-list-number {deny | permit | remark} {source source-wildcard | host source | any}
or
access-list access-list-number {deny | permit | remark} protocol {source source-wildcard | host source | any} [operator port] {destination destination-wildcard | host destination | any} [operator port]
Creates an IP standard or extended ACL for IP traffic.
• Repeat this command as many times as necessary.
• For more information, see the “Configuring a Numbered Standard ACL” section on page 303 and the “Configuring a Numbered Extended ACL” section on page 305.
• Deny statements are not supported for QoS ACLs. See the “Classification Based on QoS ACLs” section on page 238 for more details.
Example:
Router(config)# access-list 103 permit tcp any any eq 80
Example:
Router# show class-map class1
SUMMARY STEPS
1. enable
2. configure terminal
3. access-list access-list-number {deny | permit | remark} {source source-wildcard | host source |
any}
or
access-list access-list-number {deny | permit | remark} protocol {source source-wildcard | host
source | any} [operator-port] {destination destination-wildcard | host destination | any}
[operator-port]
4. policy-map policy-map-name
5. class class-map-name [access-group acl-index-or-name]
6. police {bps | cir bps} [burst-byte | bc burst-byte] conform-action transmit [exceed-action {drop
| dscp dscp-value}]
7. exit
DETAILED STEPS
Example:
Router# configure terminal
Step 3 access-list access-list-number {deny | permit | remark} {source source-wildcard | host source | any}
or
access-list access-list-number {deny | permit | remark} protocol {source source-wildcard | host source | any} [operator port] {destination destination-wildcard | host destination | any} [operator port]
Creates an IP standard or extended ACL for IP traffic.
• Repeat this command as many times as necessary.
• For more information, see the “Configuring a Numbered Standard ACL” section on page 303 and the “Configuring a Numbered Extended ACL” section on page 305.
Note Deny statements are not supported for QoS ACLs. See the “Classification Based on QoS ACLs” section on page 238 for more details.
Example:
Router(config)# access-list 1 permit 10.1.0.0 0.0.255.255
Step 4 policy-map policy-map-name
Creates a policy map by entering the policy map name, and enters policy-map configuration mode.
• By default, no policy maps are defined.
• The default behavior of a policy map is to set the DSCP to 0 if the packet is an IP packet and to set the CoS to 0 if the packet is tagged. No policing is performed.
Example:
Router(config)# policy-map flow1t
Example:
Router# show policy-map flow1t class class1
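The police command in step 6 takes a committed rate (cir, in bits per second), a burst size (bc, in bytes), a conform action and an exceed action. The model below is an added example, not code from the Cisco guide: it implements the textbook single-rate token bucket for those parameters. How the EtherSwitch hardware policer actually measures traffic is not documented on this page, so treating it as a single bucket refilled at cir is an assumption of this example.

```python
"""Added example, not from the Cisco guide: a single-rate token-bucket model of the police command in
step 6 (cir in bits per second, bc in bytes, conform-action transmit, exceed-action drop or dscp).
The EtherSwitch module's exact hardware algorithm is not documented on this page; the single-bucket
model used here is an assumption about its behaviour."""
from dataclasses import dataclass


@dataclass
class Policer:
    cir_bps: int                  # committed information rate, bits per second
    bc_bytes: int                 # burst size in bytes: the depth of the bucket
    exceed_action: str = "drop"   # "drop" or "dscp"
    exceed_dscp: int = 0          # DSCP written when exceed_action == "dscp"

    def __post_init__(self):
        self.tokens = float(self.bc_bytes)   # the bucket starts full
        self.last_t = 0.0                    # arrival time of the previous packet, seconds

    def offer(self, t, size, dscp):
        """Police one packet of `size` bytes arriving at time t (seconds).
        Returns ("transmit", dscp) when it conforms; ("drop", None) or
        ("transmit", exceed_dscp) when it exceeds the contract."""
        # Tokens accrue at cir/8 bytes per second and never exceed the bucket depth.
        self.tokens = min(self.bc_bytes, self.tokens + (t - self.last_t) * self.cir_bps / 8)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return "transmit", dscp
        if self.exceed_action == "drop":
            return "drop", None
        return "transmit", self.exceed_dscp


def police_stream(policer, packets):
    """packets: iterable of (time, size_bytes, dscp); returns the per-packet (action, dscp) results."""
    return [policer.offer(t, size, dscp) for t, size, dscp in packets]
```

With cir 8000 bps (1000 bytes per second) and bc 1500 bytes, a full-size 1500-byte packet conforms at time 0, a second packet in the same instant exceeds, and after one second of silence another 1000 bytes conform; with exceed-action dscp the exceeding packet is still transmitted but re-marked.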
CoS value    0   1   2   3   4   5   6   7
DSCP value   0   8  16  26  32  46  48  56
If these values are not appropriate for your network, you need to modify them. These CoS-to-DSCP
mapping numbers follow the numbers used in deploying Cisco AVVID and may be different from the
mapping numbers used by the EtherSwitch network module, Cisco Catalyst 2950, Cisco Catalyst 3550,
and other switches.
SUMMARY STEPS
1. enable
2. configure terminal
3. mls qos map cos-dscp dscp1...dscp8
4. exit
5. show mls qos maps cos-dscp
DETAILED STEPS
Example:
Router# configure terminal
Step 3 mls qos map cos-dscp dscp1...dscp8
Modifies the CoS-to-DSCP map.
• For dscp1...dscp8, enter eight DSCP values that correspond to CoS values 0 to 7. Separate each DSCP value with a space.
• The supported DSCP values are 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56.
Example:
Router(config)# mls qos map cos-dscp 8 8 8 8 24 32 56 56
Step 4 exit
Exits global configuration mode and returns the router to privileged EXEC mode.
Example:
Router(config)# exit
Step 5 show mls qos maps cos-dscp
(Optional) Displays the CoS-to-DSCP map.
Example:
Router# show mls qos maps cos-dscp
If these values are not appropriate for your network, you need to modify them. These DSCP-to-CoS
mapping numbers follow the numbers used in deploying Cisco AVVID and may be different from the
mapping numbers used by the EtherSwitch network module, Cisco Catalyst 2950, Cisco Catalyst 3550,
and other switches.
SUMMARY STEPS
1. enable
2. configure terminal
3. mls qos map dscp-cos dscp-list to cos
4. exit
5. show mls qos maps dscp-to-cos
DETAILED STEPS
Example:
Router# configure terminal
Step 3 mls qos map dscp-cos dscp-list to cos
Modifies the DSCP-to-CoS map.
• For dscp-list, enter up to 13 DSCP values separated by spaces. Then enter the to keyword.
• For cos, enter the CoS value to which the DSCP values correspond.
• The supported DSCP values are 0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, and 56. The CoS range is 0 to 7.
Example:
Router(config)# mls qos map dscp-cos 26 48 to 7
Step 4 exit
Exits global configuration mode and returns the router to privileged EXEC mode.
Example:
Router(config)# exit
Step 5 show mls qos maps dscp-to-cos
(Optional) Displays the DSCP-to-CoS map.
Example:
Router# show mls qos maps dscp-to-cos
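The port trust state (mls qos trust, mls qos cos) and the two maps configured in the procedures above decide which internal CoS and DSCP a frame gets at ingress. The following is an added example, not code from the Cisco guide: it models those settings and enforces the input rules the mls qos map commands state (eight values for cos-dscp, up to 13 DSCP values for dscp-cos, only the supported DSCP values, CoS 0 to 7). The default CoS-to-DSCP values come from the table above; the DSCP-to-CoS defaults are taken from the second Dscp-cos table printed under the QoS examples later in this section, which this example assumes is the unmodified map. The rule that mls qos cos override replaces the trust state, and that a DSCP outside the supported set maps to CoS 0, are assumptions of this example.

```python
"""Added example, not from the Cisco guide: a model of the port trust state (mls qos trust, mls qos cos)
and of the CoS-to-DSCP and DSCP-to-CoS maps, with the input checks the mls qos map commands impose."""

SUPPORTED_DSCP = (0, 8, 10, 16, 18, 24, 26, 32, 34, 40, 46, 48, 56)
DEFAULT_COS_DSCP = (0, 8, 16, 26, 32, 46, 48, 56)       # default CoS-to-DSCP map from the table above
# DSCP-to-CoS values as printed in the second Dscp-cos table under the QoS examples;
# this example assumes that table is the unmodified map.
DEFAULT_DSCP_COS = dict(zip(SUPPORTED_DSCP, (0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 7)))


def _check_dscp(values):
    bad = [d for d in values if d not in SUPPORTED_DSCP]
    if bad:
        raise ValueError(f"unsupported DSCP value(s) {bad}; supported: {SUPPORTED_DSCP}")


class QosMaps:
    def __init__(self):
        self.cos_dscp = list(DEFAULT_COS_DSCP)   # index = CoS 0..7, value = DSCP
        self.dscp_cos = dict(DEFAULT_DSCP_COS)   # key = DSCP, value = CoS

    def set_cos_dscp(self, dscps):
        """mls qos map cos-dscp dscp1...dscp8"""
        if len(dscps) != 8:
            raise ValueError("cos-dscp takes exactly eight DSCP values, one per CoS 0 to 7")
        _check_dscp(dscps)
        self.cos_dscp = list(dscps)

    def set_dscp_cos(self, dscps, cos):
        """mls qos map dscp-cos dscp-list to cos"""
        if not 1 <= len(dscps) <= 13:
            raise ValueError("dscp-list takes 1 to 13 DSCP values")
        if not 0 <= cos <= 7:
            raise ValueError("CoS must be 0 to 7")
        _check_dscp(dscps)
        for d in dscps:
            self.dscp_cos[d] = cos

    def show_cos_dscp(self):
        """Render the map in the layout of 'show mls qos maps cos-dscp'."""
        return ("Cos-dscp map:\n   cos:  " + " ".join(f"{c:2d}" for c in range(8))
                + "\n   dscp: " + " ".join(f"{d:2d}" for d in self.cos_dscp))


class Port:
    """Per-port settings from mls qos trust {cos | dscp} and mls qos cos {default-cos | override}."""

    def __init__(self, trust="cos", default_cos=0, override=False):
        self.trust, self.default_cos, self.override = trust, default_cos, override

    def classify(self, maps, frame_cos=None, dscp=None):
        """Return (internal CoS, internal DSCP) for one ingress frame.
        frame_cos is None for an untagged frame; dscp is None for a non-IP packet."""
        if self.override or frame_cos is None:    # override replaces every received CoS with the port
            frame_cos = self.default_cos           # default; untagged frames get the default as well
        if self.trust == "dscp" and dscp is not None and not self.override:
            # assumption: a DSCP outside the supported set maps to CoS 0
            return maps.dscp_cos.get(dscp, 0), dscp
        return frame_cos, maps.cos_dscp[frame_cos]


def rejects(fn, *args):
    """True if the modelled command refuses its arguments (used to show the input checks)."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```

Running the two commands from the procedures above (mls qos map cos-dscp 8 8 8 8 24 32 56 56, then mls qos map dscp-cos 26 48 to 7) reproduces the Cos-dscp and first Dscp-cos tables shown in the QoS examples, and a seven-value cos-dscp list or a DSCP such as 12 is refused before the map is touched.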
The following example shows how to verify the configuration of VLAN 200 on the interface when it is
configured as a trunk port:
Router# show spanning-tree vlan 200
The following example shows how to verify the configuration of the interface when it is configured as
an access port:
Router# show spanning-tree interface fastethernet 5/8
The following example shows spanning tree being enabled on VLAN 150:
Router# configure terminal
Router(config)# spanning-tree vlan 150
Router(config)# end
Router#
Note Because spanning tree is enabled by default, issuing a show running-config command to view the
resulting configuration will not display the command you entered to enable spanning tree.
The following example shows spanning tree being disabled on VLAN 200:
Router# configure terminal
Router(config)# no spanning-tree vlan 200
Router(config)# end
The following example shows the switch device being configured as the root bridge for VLAN 10, with
a network diameter of 4:
Router# configure terminal
Router(config)# spanning-tree vlan 10 root primary diameter 4
Router(config)# exit
Router#
The following example shows how to change to the interface-range configuration mode using the
interface-range macro enet_list:
Router(config)# interface range macro enet_list
Router(config-if-range)#
interface fastethernet5/1
description DOT1Q port to IP Phone
switchport native vlan 50
switchport mode trunk
switchport voice vlan 150
interface vlan 50
description data vlan
ip address 10.50.1.1 255.255.255.0
This configuration instructs the IP phone to generate a packet with an 802.1Q VLAN ID of 150 with an
802.1p value of 5 (default for voice bearer traffic).
Note In a centralized CallManager deployment model, the DHCP server might be located across the WAN
link. If so, an ip helper-address command pointing to the DHCP server should be included on the voice
VLAN interface for the IP phone. This is done to obtain its IP address as well as the address of the TFTP
server required for its configuration.
Cisco IOS supports a DHCP server function. If this function is used, the EtherSwitch network module
serves as a local DHCP server and a helper address would not be required.
interface vlan 60
description data vlan
ip address 10.60.1.1 255.255.255.0
interface serial1/0
ip address 172.16.1.2 255.255.255.0
Note Standard IGP routing protocols such as RIP, IGRP, EIGRP, and OSPF are supported on the EtherSwitch
network module. Multicast routing is also supported for PIM dense mode, sparse mode, and sparse-dense
mode.
The EtherSwitch network module instructs the IP phone to generate an 802.1Q frame with a null VLAN
ID value but with an 802.1p value (default is COS of 5 for bearer traffic). The voice and data VLANs
are both 40 in this example.
Note Using a separate VLAN, and possibly a separate IP address space, may not be an option for some small
branch offices due to the IP routing configuration. If the IP routing can handle an additional VLAN at
the remote branch, you can use Cisco Network Registrar and secondary addressing.
Name: Gi0/2
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Note Removing the port-channel also removes the channel-group command from the interfaces belonging to
it.
The following example sets the flow control receive administrative status of port 4/0 to on (the port
will require the far end to send flow control):
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface gigabitethernet4/0
Router(config-if)# flowcontrol receive on
Router(config-if)# end
The following example shows how to configure Gigabit Ethernet interface 0/10 as a routed port and to
assign it an IP address:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface gigabitethernet0/10
Router(config-if)# no switchport
Router(config-if)# ip address 10.1.2.3 255.255.0.0
Router(config-if)# no shutdown
Router(config-if)# end
The following is sample output from the show interfaces privileged EXEC command for Gigabit
Ethernet interface 0/2:
Router# show interfaces gigabitethernet0/2
GigabitEthernet0/2 is up, line protocol is up
Hardware is Gigabit Ethernet, address is 0002.4b29.4400 (bia 0002.4b29.4400)
Internet address is 192.168.135.21/24
MTU 1500 bytes, BW 100000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
input flow-control is off, output flow-control is off
The following is sample output from the show ip interface privileged EXEC command for Gigabit
Ethernet interface 0/2:
Router# show ip interface gigabitethernet0/2
GigabitEthernet0/2 is up, line protocol is up
Internet address is 192.168.135.21/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.5 224.0.0.6
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
The following is sample output from the show running-config privileged EXEC command for Gigabit
Ethernet interface 0/2:
Router# show running-config interface gigabitethernet0/2
Building configuration...
The following example shows interchassis stacking being verified between GE port 2/0 and GE port
3/0:
Router# show interface gigabit 2/0
The following example shows the output from configuring IGMP snooping:
Router# show mac-address-table multicast igmp-snooping
Slot # :3
--------------
MACADDR VLANID INTERFACES
0100.5e00.0001 1
0100.5e00.0002 1
0100.5e00.000d 1
0100.5e00.0016 1
0100.5e05.0505 1 Fa3/12
0100.5e06.0606 1 Fa3/13
0100.5e7f.ffff 1 Fa3/13
0100.5e00.0001 2
0100.5e00.0002 2
0100.5e00.000d 2
0100.5e00.0016 2
0100.5e00.0128 2
0100.5e05.0505 2 Fa3/10
0100.5e06.0606 2 Fa3/11
The following example shows output from the show running-config interface privileged EXEC
command for VLAN 1:
Router# show running-config interface vlan 1
Building configuration...
The following example shows output from the show running-config interface privileged EXEC
command for VLAN 2:
Router# show running-config interface vlan 2
Building configuration...
The following example shows output from the multicast routing table:
Router# show ip mroute
Router(config-if)# bridge-group 10
Router(config-if)# exit
Router(config)# no bridge 10 acquire
Router(config)# bridge 10 aging-time 200
Router(config)# bridge 1 address 0800.cb00.45e9 forward gigabitethernet0/1
Figure: Router A (192.168.65.1) and Router B (192.168.65.2), Cisco routers with Ethernet switch network modules (network diagram; image not reproduced)
Router A
no spanning-tree vlan 1
no spanning-tree vlan 100
!
bridge irb
!
Router B
no spanning-tree vlan 1
no spanning-tree vlan 100
!
bridge irb
!
dlsw local-peer peer-id 192.168.66.1
dlsw remote-peer 0 tcp 192.168.65.1
dlsw bridge-group 1
!
interface FastEthernet1/8
switchport access vlan 100
no ip address
interface Vlan1
ip address 192.168.65.2 255.255.255.0
!
interface Vlan100
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
bridge 1 protocol ieee
call rsvp-sync
The following example shows that the switch accepts addresses on network 10.0.0.0 subnets and denies
all packets coming from 10.10.0.0 subnets. The ACL is then applied to packets entering Gigabit Ethernet
interface 0/1:
Router(config)# access-list 2 permit 10.0.0.0 0.255.255.255
Router(config)# access-list 2 deny 10.10.0.0 0.255.255.255
Router(config)# interface gigabitethernet0/1
Router(config-if)# ip access-group 2 in
The following example shows how to create and display an extended access list to deny Telnet access
from any host in network 172.16.198.0 to any host in network 192.168.52.0 and permit any others (the
eq keyword after the destination address means to test for the TCP destination port number equaling
Telnet):
Router(config)# access-list 102 deny tcp 172.16.198.0 0.0.0.255 192.168.52.0 0.0.0.255 eq
telnet
Router(config)# access-list 102 permit tcp any any
Router(config)# end
Router# show access-lists
The following example shows an extended ACL with a network connected to the Internet and any host
on the network being able to form TCP Telnet and SMTP connections to any host on the Internet:
Router(config)# access-list 102 permit tcp any 172.18.0.0 0.0.255.255 eq 23
Router(config)# access-list 102 permit tcp any 172.18.0.0 0.0.255.255 eq 25
Router(config)# interface gigabitethernet0/1
Router(config-if)# ip access-group 102 in
SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The
same port numbers are used throughout the life of the connection. Mail packets coming in from the
Internet have a destination port of 25. Because the secure system behind the switch always accepts mail
connections on port 25, the incoming services are controlled.
The following example shows the marketing_group ACL allowing any TCP Telnet traffic to the
destination address and wildcard 172.19.0.0 0.0.255.255 and denying any other TCP traffic. It permits
any other IP traffic:
The ACL is applied to Gigabit Ethernet port 0/1, which is configured as a Layer 2 port, with
the marketing_group ACL applied to incoming traffic.
Router(config)# interface gigabitethernet0/1
Router(config-if)# ip access-group marketing_group in
The following example shows an entry in a named IP ACL using the remark access-list global
configuration command to include a comment about an access list. In this example, the Jones subnet is
not allowed to use outbound Telnet:
Router(config)# ip access-list extended telnetting
Router(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Router(config-ext-nacl)# deny tcp host 172.19.2.88 any eq telnet
In this example of a numbered ACL, the workstation belonging to Jones is allowed access, and the
workstation belonging to Smith is not allowed access:
Router(config)# access-list 1 remark Permit only Jones workstation through
Router(config)# access-list 1 permit 172.19.2.88
Router(config)# access-list 1 remark Do not allow Smith workstation through
Router(config)# access-list 1 deny 172.19.3.13
In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the
web:
Router(config)# access-list 100 remark Do not allow Winter to browse the web
Router(config)# access-list 100 deny host 172.19.3.85 any eq www
Router(config)# access-list 100 remark Do not allow Smith to browse the web
Router(config)# access-list 100 deny host 172.19.3.13 any eq www
The only way to ensure that you can view all configured access groups under all circumstances is to use
the show running-config privileged EXEC command. To display the ACL configuration of a single
interface, use the show running-config interface interface-id command.
The following example shows how to display the ACL configuration of Gigabit Ethernet interface 0/1:
Figure: Internet, Catalyst 2950 switches, workstation and end workstations (network diagram; image not reproduced)
The following example uses a standard ACL to allow access to a specific Internet host with the address
172.20.128.64:
Router(config)# access-list 6 permit 172.20.128.64 0.0.0.0
Router(config)# interface gigabitethernet0/1
Router(config-if)# ip access-group 6 in
The following example uses an extended ACL to deny TCP traffic to port 80 (HTTP). It permits all other
types of traffic:
Router(config)# access-list 106 deny tcp any any eq 80
Router(config)# access-list 106 permit ip any any
Router(config)# interface gigabitethernet0/2
Router(config-if)# ip access-group 106 in
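The procedures and examples above rely on four rules: a wildcard-mask bit of 1 means "do not care", entries are tested in order and the first match decides, a packet that matches nothing hits the implicit deny, and an ACL number that has not been defined permits everything when applied. The evaluator below is an added example, not code from the Cisco guide or a Cisco tool: it parses the numbered access-list syntax shown in this section (standard 1 to 99, extended 100 to 199, eq as the only port operator), evaluates sample packets against the ACLs quoted from the examples above, and flags entries that an earlier entry already covers. The packet values and the shadow check are this example's own additions; the ACL lines are the ones printed above.

```python
"""Added example, not from the Cisco guide: an evaluator for the numbered IP ACL syntax documented
above, showing wildcard matching, first-match evaluation, the implicit deny and shadowed entries."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"telnet": 23, "smtp": 25, "www": 80}   # port keywords used on this page
ANY = ("0.0.0.0", "255.255.255.255")                  # "any": address 0.0.0.0, wildcard 255.255.255.255
# protocol is "ip" for standard ACLs (source only); sport/dport are "eq" port numbers or None
Entry = namedtuple("Entry", "action protocol src dst sport dport")


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, spec):
    base, wild = spec                                 # a wildcard bit of 1 means "do not care"
    return ((_ip(addr) ^ _ip(base)) & ~_ip(wild) & 0xFFFFFFFF) == 0


def _parse_addr(t, i):
    """Consume {A.B.C.D [wildcard] | host A.B.C.D | any}; an omitted wildcard is 0.0.0.0."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and t[i + 1].replace(".", "").isdigit():   # a dotted wildcard follows
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1


def _parse_port(t, i):
    """Consume an optional 'eq port' clause (eq is the only operator used on this page)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_access_lists(lines):
    """Parse 'access-list <number> ...' lines into {number: [Entry, ...]} in configured order."""
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 3 or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        entries = acls.setdefault(number, [])
        if action == "remark":                        # a remark is a comment, not a match condition
            continue
        if number <= 99:                              # standard ACL (1-99): source address only
            src, _ = _parse_addr(t, 3)
            entries.append(Entry(action, "ip", src, ANY, None, None))
        else:                                         # extended ACL (100-199): protocol, addresses, ports
            src, i = _parse_addr(t, 4)
            sport, i = _parse_port(t, i)
            dst, i = _parse_addr(t, i)
            dport, _ = _parse_port(t, i)
            entries.append(Entry(action, t[3], src, dst, sport, dport))
    return acls


def evaluate(acls, number, proto, src, dst, sport=None, dport=None):
    """First matching entry decides; no match is the implicit deny at the end of the list.
    An ACL number with nothing configured behaves as if no ACL were applied: everything is permitted."""
    if number not in acls:
        return "permit"
    for e in acls[number]:
        if (e.protocol in ("ip", proto) and wildcard_match(src, e.src) and wildcard_match(dst, e.dst)
                and e.sport in (None, sport) and e.dport in (None, dport)):
            return e.action
    return "deny"


def _addr_covers(a, b):
    """True if every address matched by spec b is also matched by spec a."""
    ba, wa, bb, wb = _ip(a[0]), _ip(a[1]), _ip(b[0]), _ip(b[1])
    return (~wa & wb & 0xFFFFFFFF) == 0 and ((ba ^ bb) & ~wa & 0xFFFFFFFF) == 0


def shadowed_entries(acls, number):
    """Indices of entries that can never match because an earlier entry already covers them."""
    entries = acls.get(number, [])
    return [j for j, b in enumerate(entries)
            if any(a.protocol in ("ip", b.protocol) and _addr_covers(a.src, b.src) and _addr_covers(a.dst, b.dst)
                   and a.sport in (None, b.sport) and a.dport in (None, b.dport) for a in entries[:j])]


# Entries quoted from the ACL examples in this section (lists 2, 102, 106 and 1).
CONFIG = [
    "access-list 2 permit 10.0.0.0 0.255.255.255",
    "access-list 2 deny 10.10.0.0 0.255.255.255",
    "access-list 102 deny tcp 172.16.198.0 0.0.0.255 192.168.52.0 0.0.0.255 eq telnet",
    "access-list 102 permit tcp any any",
    "access-list 106 deny tcp any any eq 80",
    "access-list 106 permit ip any any",
    "access-list 1 remark Permit only Jones workstation through",
    "access-list 1 permit 172.19.2.88",
    "access-list 1 deny 172.19.3.13",
]
ACLS = parse_access_lists(CONFIG)
```

Evaluating access list 2 shows why order matters: the permit for 10.0.0.0 0.255.255.255 is tested first and already covers 10.10.0.0 0.255.255.255, so the deny that follows it never fires and a source such as 10.10.5.5 is permitted; shadowed_entries reports that second entry. In list 102 a UDP packet matches neither TCP entry and falls to the implicit deny, whereas in list 106 the closing permit ip any any lets non-HTTP traffic through, and an undefined list number permits everything.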
• Classifying, Policing, and Marking Traffic by Using Policy Maps: Example, page 347
• Configuring the CoS-to-DSCP Map: Example, page 347
• Configuring the DSCP-to-CoS Map: Example, page 348
• Displaying QoS Information: Example, page 348
Cos-dscp map:
cos: 0 1 2 3 4 5 6 7
--------------------------------
dscp: 8 8 8 8 24 32 56 56
Dscp-cos map:
dscp: 0 8 10 16 18 24 26 32 34 40 46 48 56
-----------------------------------------------
cos: 0 1 1 2 2 3 7 4 4 5 5 7 7
Dscp-cos map:
dscp: 0 8 10 16 18 24 26 32 34 40 46 48 56
-----------------------------------------------
cos: 0 1 1 2 2 3 3 4 4 5 5 6 7
Additional References
The following sections provide references related to the EtherSwitch network module.
Related Documents
Related Topic: Document Title
Quick Start Guide for the Cisco 2600 series: Cisco 2600 Series Modular Routers Quick Start Guide
Hardware installation for the Cisco 2600 series: Cisco 2600 Series Hardware Installation Guide
Quick Start Guide for the Cisco 3600 series: Quick start guides for Cisco 3600 series routers
Hardware installation for the Cisco 3600 series: Cisco 3600 Series Hardware Installation Guide
Quick Start Guide for the Cisco 3700 series: Quick start guides for Cisco 3700 series routers
Hardware installation for the Cisco 3700 series: Hardware installation documents for Cisco 3700 series routers
Information about configuring Voice over IP features: Cisco IOS Voice, Video, and Fax Configuration Guide
Voice over IP commands: Cisco IOS Voice, Video, and Fax Command Reference, Release 12.3 T
Information about Flow Control: Configuring Gigabit Ethernet Switching
Standards
Standard: Title
802.1d: Spanning Tree Protocol
802.1p: Supplement to MAC Bridges: Traffic Class Expediting and Dynamic Multicast Filtering
802.1q: Virtual LAN (VLAN) Bridges
802.1x: Port Based Network Access Control
MIBs
• IF MIB
• CISCO-CDP-MIB
• CISCO-IMAGE-MIB
• CISCO-FLASH-MIB
• OLD-CISCO-CHASSIS-MIB
• CISCO-VTP-MIB
• CISCO-HSRP-MIB
• OLD-CISCO-TS-MIB
• CISCO-ENTITY-ASSET-MIB
• CISCO-ENTITY-FRU-CONTROL-MIB
• CISCO-VLAN-MEMBERSHIP-MIB
• CISCO-VLAN-IFINDEX-RELATIONSHIP-MIB
• RMON1-MIB
• PIM-MIB
• CISCO-STP-EXTENSIONS-MIB
• IPMROUTE-MIB
• CISCO-MEMORY-POOL-MIB
• CISCO-RTTMON-MIB
• CISCO-PROCESS-MIB
• CISCO-COPS-CLIENT-MIB
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC: Title
RFC 1213: Management Information Base for Network Management of TCP/IP-Based Internets, MIB-II
RFC 1253: OSPF Version 2 Management Information Base
RFC 1493: Definitions of Managed Objects for Bridges
RFC 1643: Definitions of Managed Objects for the Ethernet-Like Interface Types
RFC 2037: Entity MIB using SMIv2
RFC 2284: PPP Extensible Authentication Protocol (EAP)
Technical Assistance
Technical Assistance Center (TAC) home page: http://www.cisco.com/public/support/tac/home.shtml
The TAC home page contains 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Command Reference
The following new and modified commands are pertinent to this feature. To see the command pages for
these commands and other commands used with this feature, go to the Cisco IOS Master Commands List,
Release 12.4, at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124mindx/124index.htm.
• aaa authentication dot1x
• class (EtherSwitch)
• debug dot1x (EtherSwitch)
• debug eswilp
• debug ip igmp snooping
• debug spanning-tree
• dot1x default
• dot1x max-req
• dot1x multiple-hosts
• dot1x port-control
• dot1x re-authenticate (EtherSwitch)
• dot1x re-authentication
• dot1x timeout (EtherSwitch)
• ip igmp snooping
• ip igmp snooping vlan
• ip igmp snooping vlan immediate-leave
• ip igmp snooping vlan mrouter
• ip igmp snooping vlan static
• mls qos cos
• mls qos map
• mls qos trust
• police (EtherSwitch)
• show dot1x (EtherSwitch)
• show ip igmp snooping
Glossary
802.1d—IEEE standard for MAC bridges.
802.1p—IEEE standard for queuing and multicast support.
802.1q—IEEE standard for VLAN frame tagging.
802.1x—IEEE standard for port-based network access control.
ACE—access control entry. Entry in an access control list.
ACL—access control list. Used for security or as a general means to classify traffic.
AgPort—aggregate port (another name for EtherChannel).
ATM—Asynchronous Transfer Mode. The international standard for cell relay in which multiple service
types (such as voice, video, or data) are conveyed in fixed-length (53-byte) cells. Fixed-length cells
allow cell processing to occur in hardware, thereby reducing transit delays. ATM is designed to take
advantage of high-speed transmission media such as E3, SONET, and T3.
authentication server—Entity that validates the credentials of a host trying to obtain access to the
network.
authenticator—Entity that enforces authentication rules for hosts connecting to a LAN via one of its
ports.
authorization state—The state of a controlled port. It can be authorized (access allowed) or
unauthorized (access denied).
AVVID—Architecture for voice, video, and integrated data.
BRI—Basic Rate Interface. ISDN interface comprising two B channels and one D channel for
circuit-switched communication of voice, video, and data.
CAC—connection admission control. Set of actions taken by each ATM switch during connection setup
to determine whether a connection’s requested QoS will violate the QoS guarantees for established
connections. CAC is also used when routing a connection request through an ATM network.
candidate—Switch that is not part of a cluster, but is eligible to join a cluster because it meets the
qualification criteria of the cluster.
CBWFQ—class-based weighted fair queuing. Extends the standard WFQ functionality to provide
support for user-defined traffic classes.
CCN—Cisco Communications Network (Cisco IP phones and IP PBX).
classification—Process of sorting incoming packets by examining fields of interest in the packet header.
Fields can be addresses, ports, DSCP value, and so on.
cluster—Group of switches that are managed as a single device. A cluster comprises one commander
and multiple members.
cluster commander—Switch that provides the primary management interface to a cluster.
cluster member—Member switch that is managed through the cluster commander.
CoS—class of service. An indication of how an upper-layer protocol requires a lower-layer protocol to
treat its messages. In SNA subarea routing, CoS definitions are used by subarea nodes to determine the
optimal route to establish a session. A CoS definition comprises a virtual route number and a
transmission priority field. In the EtherSwitch QoS commands in this guide (mls qos cos, mls qos map),
CoS is the IEEE 802.1p priority value carried in the 802.1Q tag; it is distinct from the IP type of
service (ToS) byte, although the two are commonly mapped to each other.
DSCP—differentiated services code point. In QoS, a modification of the type of service byte. Six bits
of this byte are being reallocated for use as the DSCP field, where each DSCP specifies a particular
per-hop behavior that is applied to a packet.
DSL—digital subscriber line. Public network technology that delivers high bandwidth over conventional
copper wiring at limited distances. There are four types of DSL: ADSL, HDSL, SDSL, and VDSL. All
are provisioned via modem pairs, with one modem at a central office and the other at the customer site.
Because most DSL technologies do not use the whole bandwidth of the twisted pair, there is room
remaining for a voice channel.
EAP—Extensible Authentication Protocol. A mechanism (originally designed for PPP in RFC 2284)
that provides authentication of hosts requesting access to a network.
EAPOL—EAP over LAN.
Frame Relay—Industry-standard, switched data-link-layer protocol that carries traffic for multiple
virtual circuits, each identified by a data-link connection identifier (DLCI), over a single physical link.
Frame Relay is more efficient than X.25, the protocol for which it is generally considered a replacement.
See also VoIPoFR.
FXO—Foreign Exchange Office. An FXO interface connects to the Public Switched Telephone Network
(PSTN) central office and is the interface offered on a standard telephone. Cisco’s FXO interface is an
RJ-11 connector that allows an analog connection to the PSTN’s central office or to a station interface
on a PBX.
FXS—Foreign Exchange Station. An FXS interface connects directly to a standard telephone and
supplies ring, voltage, and dial tone. Cisco’s FXS interface is an RJ-11 connector that allows connections
to basic telephone service equipment, keysets, and PBXs.
HSRP—Hot Standby Router Protocol. Provides high network availability and transparent network
topology changes. HSRP creates a hot standby router group with a lead router that services all packets
sent to the hot standby address. The lead router is monitored by other routers in the group, and if it fails,
one of these standby routers inherits the lead position and the hot standby group address.
IGMP—Internet Group Management Protocol. Used by IP hosts to report their multicast group
memberships to an adjacent multicast router.
ISL—InterSwitch Link, which is used to carry traffic for multiple VLANs. A method of encapsulating
tagged LAN frames and transporting them over a full-duplex, point-to-point Ethernet link. The
encapsulated frames can be Token Ring or Fast Ethernet and are carried unchanged from transmitter to
receiver.
MIB—Management Information Base. Database of network management information that is used and
maintained by a network management protocol, such as SNMP or Common Management Information
Protocol (CMIP). The value of a MIB object can be changed or retrieved using SNMP or CMIP
commands, usually through a graphical user interface (GUI) network management system. MIB objects
are organized in a tree structure that includes public (standard) and private (proprietary) branches.
policing—Process of ensuring whether a stream of classified incoming packets conforms to a particular
traffic profile. An action (drop or remark) is taken based on the rate of arrival of packets.
PRI—primary rate interface. ISDN interface to primary rate access. Primary rate access consists of one
64-kbps D channel and 23 (T1) or 30 (E1) B channels for voice or data. Compare with BRI.
PSTN—public switched telephone network. General term referring to the variety of telephone networks
and services in place worldwide. Also called POTS.
PVC—permanent virtual circuit. Virtual circuit that is permanently established. PVCs save bandwidth
associated with circuit establishment and tear down in situations where certain virtual circuits must exist
all the time. In ATM terminology, called a permanent virtual connection.
PVST—Per-VLAN spanning tree. Cisco implementation of STP that runs a separate spanning-tree instance
for each VLAN, so that each VLAN can have its own root bridge and loop-free topology; PVST+ carries
these per-VLAN instances across IEEE 802.1Q trunks.
QoS—quality of service. Measure of performance for a transmission system that reflects its transmission
quality and service availability.
RADIUS—Remote Authentication Dial-In User Service. A client/server protocol (RFC 2865) used to
authenticate and authorize clients. With 802.1x, the RADIUS server acts as the authentication server.
RMON—remote monitoring. MIB agent specification described in RFC 1271 that defines functions for
the remote monitoring of networked devices. The RMON specification provides numerous monitoring,
problem detection, and reporting capabilities.
RSVP—Resource Reservation Protocol. Protocol that supports the reservation of resources across an IP
network. Applications running on IP end systems can use RSVP to indicate to other nodes the nature
(bandwidth, jitter, maximum burst, and so on) of the packet streams they want to receive. RSVP runs
over both IPv4 and IPv6. Also known as Resource Reservation Setup Protocol.
SIP—Session Initiation Protocol. Protocol developed by the IETF MMUSIC Working Group as an
alternative to H.323. SIP features are compliant with IETF RFC 2543, which was published in March
1999. SIP equips platforms to signal the setup of voice and multimedia calls over IP networks.
SNMP—Simple Network Management Protocol. Network management protocol used almost
exclusively in TCP/IP networks. SNMP provides a means to monitor and control network devices and to
manage configurations, statistics collection, performance, and security.
stacking—Connecting two switches so they behave as one entity for management purposes. Regarding
an EtherSwitch network module, stacking means connecting two EtherSwitch network modules inside a
chassis so that they behave as one switch.
STP—Spanning Tree Protocol. Bridge protocol that uses the spanning-tree algorithm, which enables a
learning bridge to dynamically work around loops in a network topology by creating a spanning tree.
Bridges exchange Bridge Protocol Data Unit (BPDU) messages with other bridges to detect loops and
then remove the loops by shutting down selected bridge interfaces. Refers to both the IEEE 802.1
Spanning-Tree Protocol standard and the earlier Digital Equipment Corporation Spanning-Tree Protocol
upon which it is based. The IEEE version supports bridge domains and allows the bridge to construct a
loop-free topology across an extended LAN. The IEEE version generally is preferred over the Digital
version.
supplicant—Entity requesting access to the network via the authenticator.
SVI—Switch Virtual Interface. Represents a VLAN of switch ports as one interface to the routing or
bridging function in a system.
VBR—variable bit rate. QoS class defined by the ATM Forum for ATM networks. VBR is subdivided
into a real time (RT) class and non-real time (NRT) class. VBR (RT) is used for connections in which
there is a fixed timing relationship between samples. VBR (NRT) is used for connections in which there
is no fixed timing relationship between samples but that still need a guaranteed QoS.
VLAN—virtual LAN. Group of devices on one or more LANs that are configured (using management
software) so that they can communicate as if they were attached to the same wire, when in fact they are
on separate LAN segments. Because VLANs are based on logical instead of physical connections, they
are extremely flexible.
VoIP—Voice over IP. Ability to carry normal telephony-style voice over an IP-based internet with
POTS-like functionality, reliability, and voice quality. VoIP enables a router to carry voice traffic (such
as telephone calls and faxes) over an IP network. In VoIP, the digital signal processor (DSP) segments
the voice signal into frames, which then are coupled in groups of two and stored in voice packets. These
voice packets are transported using IP in compliance with ITU-T specification H.323.
VoIPoFR—Voice-over-IP over Frame-Relay.
VPN—virtual private network. Enables IP traffic to travel securely over a public TCP/IP network by
encapsulating, and normally encrypting and authenticating, all traffic from one network to another. A
VPN uses “tunneling” to carry the protected traffic at the IP level.
Note Refer to Internetworking Terms and Acronyms for terms not included in this glossary.
Note The information in this chapter is a brief summary of the information contained in the Catalyst 5000
Series Multilayer Switching User Guide. The commands and configurations described in this guide apply
only to the devices that provide routing services. Commands and configurations for Catalyst 5000 series
switches are documented in the Catalyst 5000 Series Multilayer Switching User Guide.
MLS provides high-performance Layer 3 switching for Cisco routers and switches. MLS switches IP
data packets between subnets using advanced application-specific integrated circuit (ASIC) switching
hardware. Standard routing protocols, such as Open Shortest Path First (OSPF), Enhanced Interior
Gateway Routing Protocol (Enhanced IGRP), Routing Information Protocol (RIP), and Intermediate
System-to-Intermediate System (IS-IS), are used for route determination.
MLS enables hardware-based Layer 3 switching to offload routers from forwarding unicast IP data
packets over shared media networking technologies such as Ethernet. The packet forwarding function is
moved onto Layer 3 Cisco series switches whenever a partial or complete switched path exists between
two hosts. Packets that do not have a partial or complete switched path to reach their destinations still
use routers for forwarding packets.
MLS also provides traffic statistics as part of its switching function. These statistics are used for
identifying traffic characteristics for administration, planning, and troubleshooting. MLS uses NetFlow
Data Export (NDE) to export the flow statistics.
Procedures for configuring MLS and NDE on routers are provided in the following chapters in this
publication:
• “Configuring IP Multilayer Switching” chapter
• “Configuring IP Multicast Multilayer Switching” chapter
• “Configuring IPX Multilayer Switching” chapter
This chapter describes MLS. It contains the following sections:
• Terminology
• Introduction to MLS
• Key MLS Features
• MLS Implementation
• Standard and Extended Access Lists
Terminology
The following terminology is used in the MLS chapters:
• Multilayer Switching-Switching Engine (MLS-SE)—A NetFlow Feature Card (NFFC)-equipped
Catalyst 5000 series switch.
• Multilayer Switching-Route Processor (MLS-RP)—A Cisco router with MLS enabled.
• Multilayer Switching Protocol (MLSP)—The protocol running between the MLS-SE and MLS-RP
to enable MLS.
Introduction to MLS
Layer 3 protocols, such as IP and Internetwork Packet Exchange (IPX), are connectionless—they deliver
each packet independently of each other. However, actual network traffic consists of many end-to-end
conversations, or flows, between users or applications.
A flow is a unidirectional sequence of packets between a particular source and destination that share the
same protocol and transport-layer information. Communication from a client to a server and from the
server to the client is in separate flows. For example, HTTP Web packets from a particular source to a
particular destination are in a separate flow from File Transfer Protocol (FTP) file transfer packets
between the same pair of hosts.
Flows can be based on only Layer 3 addresses. This feature allows IP traffic from multiple users or
applications to a particular destination to be carried on a single flow if only the destination IP address is
used to identify a flow.
The NFFC maintains a Layer 3 switching table (MLS cache) for the Layer 3-switched flows. The cache
also includes entries for traffic statistics that are updated in tandem with the switching of packets.
After the MLS cache is created, packets identified as belonging to an existing flow can be
Layer 3-switched based on the cached information. The MLS cache maintains flow information for all
active flows. When the Layer 3-switching entry for a flow ages out, the flow statistics can be exported
to a flow collector application.
For information on multicast MLS, see the “Introduction to IP Multicast MLS” section in this chapter.
Key MLS Features
Feature / Description
Ease of Use: MLS is autoconfigurable and autonomously sets up its Layer 3 flow cache. Its
“plug-and-play” design eliminates the need for you to learn new IP switching technologies.
Transparency: Requires no end-system changes and no renumbering of subnets. It works with DHCP1 and
requires no new routing protocols.
Standards Based: Uses IETF2 standard routing protocols such as OSPF and RIP for route determination.
You can deploy MLS in a multivendor network.
Investment Protection: Provides a simple feature-card upgrade on the Catalyst 5000 series switches. You
can use MLS with your existing chassis and modules. MLS also allows you to use either an integrated
RSM or an external router for route processing and Cisco IOS services.
Fast Convergence: Allows you to respond to route failures and routing topology changes by performing
hardware-assisted invalidation of flow entries.
Resilience: Provides the benefits of HSRP3 without additional configuration. This feature enables the
switches to transparently switch over to the Hot Standby backup router when the primary router goes
offline, eliminating a single point of failure in the network.
Access Lists: Allows you to set up access lists to filter, or to prevent, traffic between members of
different subnets. MLS enforces multiple security levels on every packet of the flow at wire speed. It
allows you to configure and enforce access control rules on the RSM. Because MLS parses the packet up
to the transport layer, it enables access lists to be validated. By providing multiple security levels, MLS
enables you to set up rules and control traffic based on IP addresses and transport-layer application
port numbers.
Accounting and Traffic Management: Allows you to see data flows as they are switched for
troubleshooting, traffic management, and accounting purposes. MLS uses NDE to export the flow
statistics. Data collection of flow statistics is maintained in hardware with no impact on switching
performance. The records for expired and purged flows are grouped and exported to applications such as
NetSys for network planning, RMON24 traffic management and monitoring, and accounting applications.
Network Design Simplification: Enables you to speed up your network while retaining the existing
subnet structure. It makes the number of Layer 3 hops irrelevant in campus design, enabling you to cope
with increases in any-to-any traffic.
Media Speed Access to Server Farms: You do not need to centralize servers in multiple VLANs to get
direct connections. By providing security on a per-flow basis, you can control access to the servers and
filter traffic based on subnet numbers and transport-layer application ports without compromising
Layer 3 switching performance.
Faster Interworkgroup Connectivity: Addresses the need for higher-performance interworkgroup
connectivity by intranet and multimedia applications. By deploying MLS, you gain the benefits of both
switching and routing on the same platform.
1. DHCP = Dynamic Host Configuration Protocol
2. IETF = Internet Engineering Task Force
3. HSRP = Hot Standby Router Protocol
4. RMON2 = Remote Monitoring 2
MLS Implementation
This section provides a step-by-step description of MLS implementation.
Note The MLS-RPs shown in the figures represent either a RSM or an externally attached Cisco router.
The MLSP informs the Catalyst 5000 series switch of the MLS-RP MAC addresses used on different
VLANs and the MLS-RP’s routing and access list changes. Through this protocol, the MLS-RP
multicasts its MAC and VLAN information to all MLS-SEs. When the MLS-SE hears the MLSP hello
message indicating an MLS initialization, the MLS-SE is programmed with the MLS-RP MAC address
and its associated VLAN number (see Figure 42).
[Figure 42: The MLSP hello from the MLS-RP programs the MLS-SE with the MLS-RP MAC address and its VLAN]
In Figure 43, Host A and Host B are located on different VLANs. Host A initiates a data transfer to
Host B. When Host A sends the first packet to the MLS-RP, the MLS-SE recognizes this packet as a
candidate packet for Layer 3 switching because the MLS-SE has learned the MLS-RP’s destination
MAC address and VLAN through MLSP. The MLS-SE learns the Layer 3 flow information (such as the
destination address, source address, and protocol port numbers), and forwards the first packet to the
MLS-RP. A partial MLS entry for this Layer 3 flow is created in the MLS cache.
The MLS-RP receives the packet, looks at its route table to determine how to forward the packet, and
applies services such as Access Control Lists (ACLs) and class of service (COS) policy.
The MLS-RP rewrites the MAC header adding a new destination MAC address (Host B’s) and its own
MAC address as the source.
[Figure 43: Candidate packet. Host A sends the first packet of the flow through the MLS-SE to the MLS-RP]
The MLS-RP routes the packet to Host B. When the packet appears back on the Catalyst 5000 series
switch backplane, the MLS-SE recognizes the source MAC address as that of the MLS-RP, and that the
packet’s flow information matches the flow for which it set up a candidate entry. The MLS-SE considers
this packet an enabler packet and completes the MLS entry (established by the candidate packet) in the
MLS cache (see Figure 44).
[Figure 44: Enabler packet. The MLS-RP routes the packet back through the MLS-SE toward Host B]
After the MLS entry has been completed, all Layer 3 packets with the same flow from Host A to Host B
are Layer 3 switched directly inside the switch from Host A to Host B, bypassing the router
(see Figure 45). After the Layer 3-switched path is established, the packet from Host A is rewritten by
the MLS-SE before it is forwarded to Host B. The rewritten information includes the MAC addresses,
encapsulations (when applicable), and some Layer 3 information.
The resultant packet format and protocol behavior is identical to that of a packet that is routed by the
RSM or external Cisco router.
Note MLS is unidirectional. For Host B to communicate with Host A, another Layer 3-switched path needs to
be created from Host B to Host A.
[Figure 45: Layer 3-switched packets from Host A to Host B, rewritten by the MLS-SE and bypassing the MLS-RP]
See the Catalyst 5000 Series Multilayer Switching User Guide for additional network implementation
examples that include network topologies that do not support MLS.
Standard and Extended Access Lists
MLS allows you to enforce access lists on every packet of the flow without compromising MLS
performance. When you enable MLS, standard and extended access lists are handled at wire speed by
the MLS-SE. Access lists configured on the MLS-RP take effect automatically on the MLS-SE.
Additionally, route topology changes and the addition of access lists are reflected in the switching path
of MLS.
Consider the case where an access list is configured on the MLS-RP to deny access from Station A to
Station B. When Station A wants to communicate with Station B, it sends the first packet to the MLS-RP.
The MLS-RP receives this packet and checks its access list to learn whether this flow is permitted.
Because the access list denies the flow, the packet is discarded. Because the first packet for this flow
does not return from the MLS-RP, the MLS-SE never completes an MLS cache entry, so no later packet of
the flow can be Layer 3 switched around the router.
In another case, access lists are introduced on the MLS-RP while the flow is already being Layer 3
switched within the MLS-SE. The MLS-SE immediately enforces security for the affected flow by
purging it.
Similarly, when the MLS-RP detects a routing topology change, the appropriate MLS cache entries are
deleted in the MLS-SE. The techniques for handling route and access list changes apply to both the RSM
and directly attached external routers.
General Guidelines
The following is a list of general guidelines to enabling MLS:
• When you enable MLS, the RSM or externally attached router continues to handle all non-IP
protocols while offloading the switching of IP packets to the MLS-SE.
• Do not confuse MLS with the NetFlow switching supported by Cisco routers. MLS uses both the
RSM or directly attached external router and the MLS-SE. With MLS, you are not required to use
NetFlow switching on the RSM or directly attached external router; any switching path on the RSM
or directly attached external router will work (process, fast, and so on).
The network in the upper diagram in Figure 46 does not have the IP multicast MLS feature enabled.
Note the arrows from the router to each multicast group in each VLAN. In this case, the router must
replicate the multicast data packets to the multiple VLANs. The router can be easily overwhelmed with
forwarding and replicated multicast traffic if the input rate or the number of outgoing interfaces
increases.
As shown in the lower diagram in Figure 46, this potential problem is prevented by having the switch
hardware forward the multicast data traffic. (Multicast control packets are still moving between the
router and switch.)
[Figure 46: Upper diagram: the router replicates multicast group G1 traffic over the trunk link carrying
VLANs 100, 200, and 300 to the G1 source and G1 members in those VLANs. Lower diagram: the same
topology with the switch acting as the MMLS-SE and forwarding the multicast data traffic in hardware.]
• Provides IP multicast scalability—If you need high throughput of multicast traffic, install a
Catalyst 5000 series switch and configure the IP multicast MLS feature. By reducing the load on
your router, the router can accommodate more multicast flows.
• Provides meaningful flow statistics—IP multicast MLS provides flow statistics that can be used to
administer, plan, and troubleshoot networks.
MLS Cache
The MLS-SE maintains a cache for IPX MLS flows and maintains statistics for each flow. An IPX MLS
cache entry is created for the initial packet of each flow. Upon receipt of a packet that does not match
any flow in the MLS cache, a new IPX MLS entry is created.
The state and identity of the flow are maintained while packet traffic is active; when traffic for a flow
ceases, the entry ages out. You can configure the aging time for IPX MLS entries kept in the MLS cache.
If an entry is not used for the specified period of time, the entry ages out and statistics for that flow can
be exported to a flow collector application.
The maximum MLS cache size is 128,000 entries. However, an MLS cache larger than 32,000 entries
increases the probability that a flow will not be switched by the MLS-SE and will get forwarded to the
router.
Note The number of active flows that can be switched using the MLS cache depends on the type of access lists
configured on MLS router interfaces (which determines the flow mask). See the “Flow Mask Modes”
section later in this document.
Note The flow mask mode determines the display of the show mls rp ipx EXEC command. Refer to the
Cisco IOS Switching Services Command Reference for details.
1. Transport Control counts the number of times this packet has been routed. If this number is greater than the maximum (the
default is 16), then the packet is dropped.
The MLS-SE rewrites the Layer 2 frame header, changing the destination MAC address to that of Host B
and the source MAC address to that of the MLS-RP (these MAC addresses are stored in the IPX MLS
cache entry for this flow). The Layer 3 IPX addresses remain the same. The MLS-SE rewrites the
switched Layer 3 packets so that they appear to have been routed by a router.
The MLS-SE forwards the rewritten packet to Host B’s VLAN (the destination VLAN is saved in the
IPX MLS cache entry) and Host B receives the packet.
After the MLS-SE performs the packet rewrite, the packet is formatted as shown in Table 29:
[Figure residue: RSM with MAC = Bb and MAC = Dd; host MAC = Aa on Net 01/Sales; host MAC = Cc on
Net 02/Engineering; Net 03/Marketing]
Table 29 (as extracted): Data | 01.Aa:02.Cc | Dd:Cc
Note Router interfaces with input access lists or outbound access lists unsupported by MLS cannot participate
in IPX MLS. However, you can translate any input access list to an output access list to provide the same
effect on the interface.
IPX MLS enforces access lists on every packet of the flow, without compromising IPX MLS
performance. The MLS-SE handles permit traffic supported by MLS at wire speed.
Note Access list deny traffic is always handled by the MLS-RP, not the MLS-SE.
The MLS switching path automatically reflects route topology changes and the addition or modification
of access lists on the MLS-SE. The techniques for handling route and access list changes apply to both
the RSM and directly attached external routers.
For example, for Stations A and B to communicate, Station A sends the first packet to the MLS-RP. If the
MLS-RP is configured with an access list to deny access from Station A to Station B, the MLS-RP
receives the packet, checks its access list permissions to learn if the packet flow is permitted, and then
discards the packet. Because the MLS-SE does not receive the returned first packet for this flow from
the MLS-RP, the MLS-SE does not create an MLS cache entry.
In contrast, if the MLS-SE is already Layer 3 switching a flow and the access list is created on the
MLS-RP, MLSP notifies the MLS-SE, and the MLS-SE immediately purges the affected flow from the
MLS cache. New flows are created based on the restrictions imposed by the access list.
Similarly, when the MLS-RP detects a routing topology change, the MLS-SE deletes the appropriate
MLS cache entries, and new flows are created based on the new topology.
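The following Python simulation is an added example, not Cisco code, of the cache behavior described in the MLS Implementation walk-through (Figures 42 to 45) and in the IP and IPX access-list sections above: the candidate packet goes to the MLS-RP, the routed copy is the enabler that completes the cache entry, later packets of the flow are rewritten by the MLS-SE, and adding an access list or changing a route purges cached flows. The packet fields, the ACL tuple format, the hypothetical addresses and MAC addresses, and the rule that picks the flow mask from the ACL type (destination only with no ACL, source-destination for address-only lists, full flow for lists that test ports) are assumptions of the example; only the candidate/enabler sequence and the purge behavior come from the text. The last function shows why the flow mask has to become at least as specific as the access list: if the cache stays keyed on destination address alone, a host that the list denies is switched on the entry that a permitted host created and never reaches the router's ACL.

```python
"""MLS-SE flow-cache simulation (added example, not Cisco code)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple
Rule = Tuple[str, str, str, Optional[int]]  # (action, src_ip or "any", dst_ip or "any", dst_port or None)

@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    vlan: int

def acl_verdict(acl: List[Rule], p: Packet) -> str:
    """First matching entry wins; a non-empty ACL ends in an implicit deny."""
    for action, src, dst, port in acl:
        if src in ("any", p.src_ip) and dst in ("any", p.dst_ip) and port in (None, p.dst_port):
            return action
    return "deny" if acl else "permit"

def required_flow_mask(acl: List[Rule]) -> str:  # assumed rule: key at least as specific as the ACL
    if not acl:
        return "destination-ip"
    return "ip-flow" if any(r[3] is not None for r in acl) else "source-destination-ip"

class RouteProcessor:
    """MLS-RP: routes candidate packets, applies the ACL, notifies the MLS-SE over MLSP."""
    def __init__(self, mac: str, routes: Dict[str, Tuple[int, str]]):
        self.mac, self.routes, self.acl, self.switch = mac, dict(routes), [], None

    def route(self, p: Packet) -> Optional[Packet]:
        if acl_verdict(self.acl, p) == "deny" or p.dst_ip not in self.routes:
            return None                          # discarded: no enabler packet comes back
        vlan, mac = self.routes[p.dst_ip]
        return replace(p, src_mac=self.mac, dst_mac=mac, vlan=vlan)

    def add_rule(self, rule: Rule) -> None:
        self.acl.append(rule)                    # MLSP: tighten the flow mask, purge affected flows
        self.switch.flow_mask = required_flow_mask(self.acl)
        self.switch.cache.clear()

    def route_change(self, dst_ip: str, vlan: int, mac: str) -> None:
        self.routes[dst_ip] = (vlan, mac)        # MLSP: purge cached flows toward the changed route
        self.switch.cache = {k: t for k, t in self.switch.cache.items() if t.dst_ip != dst_ip}

class SwitchEngine:
    """MLS-SE: learns the MLS-RP MAC from the MLSP hello and keeps the Layer 3 flow cache."""
    def __init__(self, rp: RouteProcessor):
        self.flow_mask, self.rp_macs, rp.switch = required_flow_mask(rp.acl), {rp.mac}, self
        self.cache: Dict[tuple, Packet] = {}     # flow key -> rewrite template (MACs and VLAN)

    def key(self, p: Packet) -> tuple:
        return {"destination-ip": (p.dst_ip,), "source-destination-ip": (p.src_ip, p.dst_ip),
                "ip-flow": (p.src_ip, p.dst_ip, p.dst_port)}[self.flow_mask]

    def ingress(self, p: Packet, rp: RouteProcessor) -> str:
        k = self.key(p)
        if k in self.cache:                      # established flow: rewritten here, router bypassed
            return "switched"
        if p.dst_mac not in self.rp_macs:        # not addressed to the router: ordinary bridging
            return "bridged"
        routed = rp.route(p)                     # candidate packet goes to the MLS-RP
        if routed is None:
            return "dropped"                     # denied there: the partial entry never completes
        if routed.src_mac in self.rp_macs and self.key(routed) == k:
            self.cache[k] = routed               # enabler packet completes the entry
        return "routed"

RP_MAC = "0006.7c71.8600"  # constructed sample topology (hypothetical addresses): A and C on VLAN 2, B on VLAN 3
A = Packet("0000.0c00.0a0a", RP_MAC, "172.16.2.10", "172.16.3.10", 80, 2)
C = Packet("0000.0c00.0c0c", RP_MAC, "172.16.2.20", "172.16.3.10", 80, 2)
DENY_C = ("deny", "172.16.2.20", "172.16.3.10", None)
PERMIT_ANY = ("permit", "any", "any", None)

def build() -> Tuple[SwitchEngine, RouteProcessor]:
    rp = RouteProcessor(RP_MAC, {"172.16.3.10": (3, "0000.0c12.3456")})
    return SwitchEngine(rp), rp

def walkthrough() -> dict:
    """Candidate/enabler, ACL deny, purge on ACL change, purge on route change."""
    se, rp = build()
    r = {"first": se.ingress(A, rp), "second": se.ingress(A, rp)}
    rp.add_rule(DENY_C)
    rp.add_rule(PERMIT_ANY)
    r["purged_by_acl"] = not se.cache and se.flow_mask == "source-destination-ip"
    r["c_denied"] = se.ingress(C, rp)            # dropped on the MLS-RP, so no cache entry
    r["a_again"] = (se.ingress(A, rp), se.ingress(A, rp))
    rp.route_change("172.16.3.10", 3, "0000.0c99.9999")
    r["purged_by_route"] = not se.cache
    return r

def coarse_mask_bypass() -> str:
    """Why the mask must tighten: keyed on destination only, Host C rides Host A's entry past the ACL."""
    se, rp = build()
    rp.acl += [DENY_C, PERMIT_ANY]               # ACL added without the MLSP mask update
    se.ingress(A, rp)                            # A's first packet completes the (dst_ip,) entry
    return se.ingress(C, rp)                     # "switched": C's packets never reach the ACL
```

walkthrough() returns the verdict for each step (routed, switched, dropped) together with whether the cache was emptied by the ACL and route changes; coarse_mask_bypass() returns "switched" for the denied host, which is the failure the flow-mask update exists to prevent. On a real router the corresponding check is the flow mask that show mls rp reports after access lists are applied.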
Access Lists
The following sections describe how access lists affect MLS.
Note Any input access list can be translated to an output access list to provide the same effect on the interface.
IP Accounting
Enabling IP accounting on an MLS-enabled interface disables the IP accounting functions on that
interface.
Note To collect statistics for the Layer 3-switched traffic, enable NDE.
Data Encryption
MLS is disabled on an interface when the data encryption feature is configured on the interface.
TCP Intercept
With MLS interfaces enabled, the TCP intercept feature (enabled in global configuration mode) might
not work properly. When you enable the TCP intercept feature, the following message is displayed:
Command accepted, interfaces with mls might cause inconsistent behavior.
If you attempt to enable MLS on an interface that has an MTU value other than the default value, the
following message is displayed:
mls only supports interfaces with default mtu size
This chapter describes how to configure your network to perform IP Multilayer Switching (MLS). This
chapter contains these sections:
• Configuring and Monitoring MLS
• Configuring NetFlow Data Export
• Multilayer Switching Configuration Examples
For a complete description of the commands in this chapter, refer to the Cisco IOS Switching Services
Command Reference. To locate documentation of other commands that appear in this chapter, use the
command reference master index or search online.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Finding Additional Feature
Support Information” section on page xxxix in the chapter “Using Cisco IOS Software for Release 12.4”.
Note The information in this chapter is a brief summary of the information contained in the Catalyst 5000
Series Multilayer Switching User Guide. The commands and configurations described in this guide apply
only to the devices that provide routing services. Commands and configurations for Catalyst 5000 series
switches are documented in the Catalyst 5000 Series Multilayer Switching User Guide. For
configuration information for the Catalyst 6000 series switch, see Configuring and Troubleshooting IP
MLS on Catalyst 6000 with an MSFC or the “Configuring IP Multilayer Switching” chapter in the
Catalyst 6500 Series MSFC (12.x) & PFC Configuration Guide.
Configuring and Monitoring MLS
To configure MLS on the router, use the following commands, beginning in global configuration mode:
Step 1  Router(config)# mls rp ip
        Globally enables MLSP. MLSP is the protocol that runs between the MLS-SE and the MLS-RP.
Step 2  Router(config)# interface type number
        Selects a router interface.
Step 3  Router(config-if)# mls rp vtp-domain [domain-name]
        Selects the router interface to be Layer 3 switched and then adds that interface to the same
        VLAN Trunking Protocol (VTP) domain as the switch. This interface is referred to as the MLS
        interface. This command is required only if the Catalyst switch is in a VTP domain.
Step 4  Router(config-if)# mls rp vlan-id [vlan-id-num]
        Assigns a VLAN ID to the MLS interface. MLS requires that each interface has a VLAN ID. This
        step is not required for RSM VLAN interfaces or ISL-encapsulated interfaces.
Step 5  Router(config-if)# mls rp ip
        Enables each MLS interface.
Step 6  Router(config-if)# mls rp management-interface
        Selects one MLS interface as a management interface. MLSP packets are sent and received
        through this interface. This can be any MLS interface connected to the switch.
Repeat Steps 2 through 5 for each interface that will support MLS.
Note The interface-specific commands in this section apply only to Ethernet, Fast Ethernet, VLAN, and Fast
Etherchannel interfaces on the Catalyst RSM/Versatile Interface Processor 2 (VIP2) or directly attached
external router.
To globally disable MLS on the router, use the following command in global configuration mode:
Command Purpose
Router(config)# no mls rp ip Disables MLS on the router.
Monitoring MLS
To display MLS details, including specifics for MLSP, use the following commands in EXEC mode, as
needed. The output shows:
• MLS status (enabled or disabled) for switch interfaces and subinterfaces
• Flow mask used by this MLS-enabled switch when creating Layer 3-switching entries for the router
• Current settings of the keepalive timer, retry timer, and retry count
• MLSP-ID used in MLSP messages
• List of interfaces in all VTP domains that are enabled for MLS
Command / Purpose
Router# show mls rp
        Displays MLS details for all interfaces.
Router# show mls rp [interface]
        Displays MLS details for a specific interface.
Router# show mls rp vtp-domain [domain-name]
        Displays MLS interfaces for a specific VTP domain.
Partial example output (as extracted), showing the MLS-RP MAC address and the VLANs it serves:
mac 00e0.fefc.6000
vlan id(s)
1 10 91 92 93 95 100
Perform the task in this section to configure your Cisco router for NetFlow Data Export (NDE). To ensure a successful NDE configuration, you must also configure the Catalyst switch. For a full description, see the Catalyst 5000 Series Multilayer Switching User Guide.
Command Purpose
Router(config)# mls rp nde-address ip-address Specifies an NDE IP address for the router doing the Layer 3 switching. The router and the Catalyst 5000 series switch use the NDE IP address when sending MLS statistics to a data collection application.
Building configuration...
Current configuration:
.
.
.
mls rp ip
interface Vlan1
ip address 172.20.26.56 255.255.255.0
mls rp vtp-domain Engineering
mls rp management-interface
mls rp ip
interface Vlan2
ip address 172.16.2.73 255.255.255.0
interface Vlan3
ip address 172.16.3.73 255.255.255.0
mls rp vtp-domain Engineering
mls rp ip
.
.
end
router#
router# show mls rp
vlan 1 on Vlan1
mac 0006.7c71.8600
vlan id(s)
1 3
This chapter describes how to configure your network to perform IP multicast Multilayer Switching
(MLS). This chapter contains these sections:
• Prerequisites
• Restrictions
• Configuring and Monitoring IP Multicast MLS
• IP Multicast MLS Configuration Examples
For a complete description of the commands in this chapter, refer to the Cisco IOS Switching Services Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.
To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Finding Additional Feature Support Information” section on page xxxix in the chapter “Using Cisco IOS Software for Release 12.4”.
Note The information in this chapter is a brief summary of the information contained in the Catalyst 5000
Series Multilayer Switching User Guide. The commands and configurations described in this guide apply
only to the devices that provide routing services. Commands and configurations for Catalyst 5000 series
switches are documented in the Catalyst 5000 Series Multilayer Switching User Guide.
Prerequisites
The following prerequisites are necessary before MLS can function:
• A VLAN interface must be configured on both the switch and the router. For information on
configuring inter-VLAN routing on the RSM or an external router, refer to the Catalyst 5000
Software Configuration Guide.
• IP multicast MLS must be configured on the switch. For procedures on this task, refer to the
“Configuring IP Multicast Routing” chapter in the Cisco IOS IP Routing Configuration Guide.
• IP multicast routing and PIM must be enabled on the router. The minimal steps to configure them
are described in the “Configuring and Monitoring IP Multicast MLS” section later in this document.
For detailed information on configuring IP multicast routing and PIM, refer to the Cisco IOS IP
Routing Configuration Guide.
Restrictions
You must also configure the Catalyst 5000 series switch in order for IP multicast MLS to function on the
router.
The restrictions in the following sections apply to IP multicast MLS on the router:
• Router Configuration Restrictions
• External Router Guidelines
• Access List Restrictions and Guidelines
Note Groups in the 224.0.0.* range are reserved for routing control packets and must be flooded to all
forwarding ports of the VLAN. These addresses map to the multicast MAC address range
01-00-5E-00-00-xx, where xx is in the range from 0 to 0xFF.
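The mapping behind this note is worth seeing in code, because it is lossy: only the low 23 bits of a group address reach the Ethernet destination MAC, so 32 IPv4 groups share every 01-00-5E MAC, and a group such as 225.0.0.1 is indistinguishable at Layer 2 from the control group 224.0.0.1 that the switch floods to every forwarding port of the VLAN. The following is an added example, not code from the Cisco guide; it implements the standard IPv4-to-MAC mapping from RFC 1112 and the address values it is exercised with are constructed.

```python
"""Map IPv4 multicast groups to their Ethernet MAC addresses.

Added example (not from the Cisco guide). Implements the RFC 1112 mapping:
the low 23 bits of the group address are placed in the low 23 bits of
01:00:5e:00:00:00. Bits 23..27 of the group are discarded, so 32 groups
share each MAC, and the reserved 224.0.0.0/24 control range (flooded to
every forwarding port of the VLAN) shares Layer 2 addresses with groups
such as 225.0.0.x and 224.128.0.x.
"""
import ipaddress

MCAST_MAC_PREFIX = 0x01005E000000      # 01:00:5e:00:00:00 as a 48-bit integer
LOW23_MASK = 0x7FFFFF                  # the only group bits that reach the MAC


def multicast_ip_to_mac(group: str) -> str:
    """Return the 01:00:5e:xx:xx:xx MAC for an IPv4 multicast group."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    mac = MCAST_MAC_PREFIX | (int(addr) & LOW23_MASK)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(group: str) -> list[str]:
    """List all 32 IPv4 multicast groups that map to the same MAC as `group`."""
    low23 = int(ipaddress.IPv4Address(group)) & LOW23_MASK
    # Enumerate the five discarded bits (23..27) under the fixed 1110 prefix.
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23))
            for hi in range(32)]


def collides_with_control_range(group: str) -> bool:
    """True if `group` shares a MAC with a 224.0.0.0/24 control group and is
    therefore flooded like one by a switch that forwards on the MAC alone."""
    control = ipaddress.IPv4Network("224.0.0.0/24")
    return any(ipaddress.IPv4Address(g) in control for g in groups_sharing_mac(group))


if __name__ == "__main__":
    # Constructed sample groups: a control group, a colliding group, and SSDP.
    for g in ("224.0.0.1", "225.0.0.1", "239.255.255.250"):
        print(f"{g:<16} -> {multicast_ip_to_mac(g)}  "
              f"collides with 224.0.0.0/24: {collides_with_control_range(g)}")
```

A practical consequence for anyone relying on IGMP snooping or MLS to constrain multicast: a receiver that joins 225.0.0.1 will also see every 224.0.0.1 frame on the VLAN, and vice versa, because the switch cannot tell them apart at Layer 2.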
IP multicast MLS is not performed on the following flows; the router routes them itself:
• For PIM auto-RP multicast groups (IP multicast group addresses 224.0.1.39 and 224.0.1.40).
• For flows that are forwarded on the multicast shared tree (that is, {*, G, *} forwarding) when the
interface or group is running PIM sparse mode.
• If the shortest path tree (SPT) bit for the flow is cleared when running PIM sparse mode for the
interface or group.
• When an input rate limit is applied on an RPF interface.
• For any RPF interface with access lists applied (for detailed information, see the “Access List
Restrictions and Guidelines” section later in this document).
• For any RPF interface with multicast boundary configured.
• For packets that require fragmentation and packets with IP options. However, packets in the flow
that are not fragmented or that do not specify IP options are multilayer switched.
• On external routers, for source traffic received at the router on non-ISL or non-802.1Q interfaces.
• For source traffic received on tunnel interfaces (such as MBONE traffic).
• For any RPF interface with multicast tag switching enabled.
If the following input access list is applied to the RPF interface for a group of flows, all flows except the {s1, g1} flow are multilayer switched, because the protocol specified in the entry that matches {s1, g1} is not ip (s1 and g1 stand for the source and group addresses of that flow):
Router(config)# access-list 101 permit udp s1 g1
Router(config)# access-list 101 permit ip any any
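The rule above is easy to misapply on a longer list, because it depends on first-match semantics: the entry that decides a flow's fate is the first one that matches it, not the presence of a permit ip any any somewhere later. The following added example (not code from the Cisco guide) parses an extended IP access list as written in a configuration and classifies (source, group) flows under that rule. Its treatment of deny entries and of the implicit deny at the end of the list as dropping the flow is a generalization of the guide's example, which only shows permit entries; the access list and flow addresses are constructed, with s1 = 10.1.10.5 and g1 = 239.1.1.1.

```python
"""Decide which multicast flows an extended IP ACL on the RPF interface
leaves eligible for IP multicast MLS.

Added example (not from the Cisco guide). Rule implemented: a flow is
multilayer switched only if the first ACL entry that matches it permits
protocol ip. An entry for a specific protocol (udp, tcp, igmp, ...) forces
that flow to be routed by the router; a deny, or the implicit deny at the
end of every Cisco ACL, drops it. Only contiguous wildcard masks are
handled, and port qualifiers on an entry are ignored.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip", "udp", "tcp", "igmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, source: str, group: str) -> bool:
        return (ipaddress.IPv4Address(source) in self.src
                and ipaddress.IPv4Address(group) in self.dst)


def _parse_addr(tokens: list[str]) -> tuple[ipaddress.IPv4Network, list[str]]:
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    # A Cisco wildcard mask is an inverted netmask; ipaddress accepts it as a hostmask.
    return ipaddress.IPv4Network((tokens[0], tokens[1]), strict=False), tokens[2:]


def parse_acl(config_lines: list[str], number: int) -> list[AclEntry]:
    """Parse `access-list <number> permit|deny <proto> <src> <dst>` lines, in order."""
    entries = []
    for line in config_lines:
        tokens = line.strip().split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[1] != str(number):
            continue
        action, protocol = tokens[2], tokens[3]
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        entries.append(AclEntry(action, protocol, src, dst))
    return entries


def classify_flow(acl: list[AclEntry], source: str, group: str) -> str:
    """Return "mls" (shortcut by the switch), "routed" (handled by the router)
    or "dropped" for the (source, group) flow under first-match semantics."""
    for entry in acl:
        if entry.matches(source, group):
            if entry.action != "permit":
                return "dropped"
            return "mls" if entry.protocol == "ip" else "routed"
    return "dropped"          # implicit deny at the end of every Cisco ACL


# Constructed sample: the guide's access-list 101 with s1 = 10.1.10.5 and g1 = 239.1.1.1,
# plus a deny entry for one source subnet.
SAMPLE_CONFIG = [
    "access-list 101 permit udp host 10.1.10.5 host 239.1.1.1",
    "access-list 101 deny   ip 10.1.20.0 0.0.0.255 any",
    "access-list 101 permit ip any any",
]
SAMPLE_FLOWS = [("10.1.10.5", "239.1.1.1"),   # {s1, g1}: matched by the udp entry
                ("10.1.10.6", "239.1.1.1"),   # falls through to permit ip any any
                ("10.1.20.7", "239.2.2.2")]   # hits the deny


def classify_all(config_lines=SAMPLE_CONFIG, flows=SAMPLE_FLOWS, number=101) -> dict:
    acl = parse_acl(config_lines, number)
    return {f"{s},{g}": classify_flow(acl, s, g) for s, g in flows}


if __name__ == "__main__":
    for flow, verdict in classify_all().items():
        print(f"{flow:<24} {verdict}")
```

Run against a real configuration, the useful output is the set of flows that come back as "routed": each one is a flow the MLS-SE will punt to the router because of a protocol-specific entry, which is where a permit udp line written for policy reasons quietly turns into a CPU load on the MLS-RP.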
For examples of IP multicast MLS configurations, see the “IP Multicast MLS Configuration Examples”
section later in this document.
Command Purpose
Router(config)# ip multicast-routing Enables IP multicast routing globally.
Note This section describes only how to enable IP multicast routing on the router. For detailed IP multicast
configuration information, refer to the “Configuring IP Multicast Routing” chapter in the Cisco IOS IP
Routing Configuration Guide.
Enabling IP PIM
You must enable PIM on the router interfaces connected to the switch before IP multicast MLS will
function on those router interfaces. To do so, use the following commands beginning in interface
configuration mode:
Command Purpose
Step 1 Router(config)# interface type number Configures an interface.
Step 2 Router(config-if)# ip pim {dense-mode | sparse-mode | sparse-dense-mode} Enables PIM on the interface.
Note This section describes only how to enable PIM on router interfaces. For detailed PIM configuration
information, refer to the “Configuring IP Multicast Routing” chapter in the Cisco IOS IP Routing
Configuration Guide.
Command Purpose
Router(config-if)# mls rp ip multicast Enables IP multicast MLS on an interface.
Command Purpose
Router(config-if)# mls rp ip multicast management-interface Configures an interface as the IP multicast MLS
management interface.
Command Purpose
Router# show ip mroute [group-name | group-address [source]] Displays hardware switching state for outgoing interfaces.
Router# show ip pim interface [type number] [count] Displays PIM interface information.
Router# show mls rp ip multicast [locate] [group [source] [vlan-id]] | [statistics] | [summary] Displays Layer 3 switching information.
[Figure: IP multicast MLS example network. A router (MMLS-RP) connects to a Catalyst switch (MMLS-SE) over a trunk link carrying VLANs 10, 20, and 30 (10.1.10.0/24, 10.1.20.0/24, and 10.1.30.0/24). The group G1 source and the G1 receivers A, B, C, and D are attached to these VLANs.]
Note On the MMLS-RP, the IP multicast MLS management interface is user-configured to the VLAN 30
subinterface. If this interface goes down, the system will revert to the default management interface (in
this case, the VLAN 10 subinterface).
Router Configuration
The following is an example configuration of IP multicast MLS on the router:
ip multicast-routing
interface fastethernet2/0.10
encapsulation isl 10
ip address 10.1.10.1 255.255.255.0
ip pim dense-mode
interface fastethernet2/0.20
encapsulation isl 20
ip address 10.1.20.1 255.255.255.0
ip pim dense-mode
interface fastethernet2/0.30
encapsulation isl 30
ip address 10.1.30.1 255.255.255.0
ip pim dense-mode
mls rp ip multicast management-interface
You will receive the following message informing you that you changed the management interface:
Warning: MLS Multicast management interface is now Fa2/0.30
Switch Configuration
The following example shows how to configure the switch (MMLS-SE):
Console> (enable) set trunk 1/2 on isl
Port(s) 1/2 trunk mode set to on.
Port(s) 1/2 trunk type set to isl.
Console> (enable) set igmp enable
IGMP feature for IP multicast enabled
Console> (enable) set mls multicast enable
Multilayer Switching for Multicast is enabled for this device.
Console> (enable) set mls multicast include 10.1.10.1
Multilayer switching for multicast is enabled for router 10.1.10.1.
[Figure: IP multicast MLS example network with two MMLS-RPs. Router A and Router B connect to Switch A (MMLS-SE). VLAN 10 is 172.20.10.0/24, VLAN 20 is 172.20.20.0/24, and VLAN 30 is 172.20.30.0/24; the group G1 source and the G1 receivers A through F are attached to these VLANs.]
• The default IP multicast MLS management interface is used on both MMLS-RPs (VLAN 1).
• Port 1/3 on the MMLS-SE is connected to Switch B through an ISL trunk link carrying all VLANs.
• Port 1/4 on the MMLS-SE is connected to Switch C through an ISL trunk link carrying all VLANs.
• Switch B and Switch C perform Layer 2 switching functions only.
Switch B Configuration
The following example shows how to configure Switch B assuming VLAN Trunking Protocol (VTP) is
used for VLAN management:
Console> (enable) set igmp enable
IGMP feature for IP multicast enabled
Console> (enable)
Switch C Configuration
The following example shows how to configure Switch C assuming VTP is used for VLAN management:
Console> (enable) set igmp enable
IGMP feature for IP multicast enabled
Console> (enable)
This chapter describes how to configure your network to perform IPX Multilayer Switching (MLS). This
chapter contains these sections:
• Prerequisites
• Restrictions
• IPX MLS Configuration Task List
• Troubleshooting Tips
• Monitoring and Maintaining IPX MLS on the Router
• IPX MLS Configuration Examples
For a complete description of the commands in this chapter, refer to the Cisco IOS Switching Services Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.
To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the “Finding Additional Feature Support Information” section on page xxxix in the chapter “Using Cisco IOS Software for Release 12.4”.
Note The information in this chapter is a brief summary of the information contained in the Catalyst 5000
Series Multilayer Switching User Guide. The commands and configurations described in this guide apply
only to the devices that provide routing services. Commands and configurations for Catalyst 5000 series
switches are documented in the Catalyst 5000 Series Multilayer Switching User Guide.
Prerequisites
The following prerequisites must be met before IPX MLS can function:
• A VLAN interface must be configured on both the switch and the router. For information on
configuring inter-VLAN routing on the RSM or external router, refer to the Catalyst 5000 Software
Configuration Guide, Release 5.1.
• IPX MLS must be configured on the switch. For more information refer to the Catalyst 5000
Software Configuration Guide, Release 5.1 and the Catalyst 5000 Command Reference, Release 5.1.
• IPX MLS must be enabled on the router. The minimal configuration steps are described in the section “IPX MLS Configuration Task List.” For more details on configuring IPX routing, refer to the Cisco IOS AppleTalk and Novell IPX Configuration Guide.
Restrictions
This section describes restrictions that apply to configuring IPX MLS on the router.
Note You can translate input access lists to output access lists to provide the same effect on the
interface.
• Output access lists—When an output access list is applied to an interface, the IPX MLS cache
entries for that interface are purged. Entries associated with other interfaces are not affected; they
follow their normal aging or purging procedures.
Applying access lists that filter according to packet type, source node, source socket, or destination
socket prevents the interface from participating in IPX MLS.
Applying access lists that use the log option prevents the interface from participating in IPX MLS.
• Access list impact on flow masks—Access lists impact the flow mask mode advertised to the
MLS-SE by an MLS-RP. If no access list has been applied on any MLS-RP interface, the flow mask
mode is destination-ipx (the least specific) by default. If an access list that filters according to the
source IPX network has been applied, the mode is source-destination-ipx by default.
Caution Perform this configuration task only if the switch connected to your router interfaces is in a VTP domain.
Perform the task before you enter any other IPX MLS interface command—specifically the mls rp ipx
or mls rp management-interface command. If you enter these commands before adding the interface
to a VTP domain, the interface will be automatically placed in a null domain. To place the IPX MLS
interface into a domain other than the null domain, clear the IPX MLS interface configuration before you
add the interface to another VTP domain. Refer to the section “Troubleshooting Tips” later in this chapter and the Catalyst 5000 Software Configuration Guide, Release 5.1.
Determine which router interfaces you will use as IPX MLS interfaces and add them to the same VTP
domain as the switches.
To view the VTP configuration and its domain name on the switch, enter the show vtp domain command at the switch Console> prompt. (The show mls rp vtp-domain command is a router EXEC command; it lists the MLS interfaces the router has placed in a given domain.)
To assign an MLS interface to a specific VTP domain on the MLS-RP, use the following command in
interface configuration mode:
Command Purpose
Router(config-if)# mls rp vtp-domain domain-name Adds an IPX MLS interface to a VTP domain.
Command Purpose
Router(config)# mls rp ipx Globally enables MLSP on the router. MLSP is the
protocol that runs between the MLS-SE and
MLS-RP.
Note This task is not required for RSM VLAN interfaces (virtual interfaces), ISL-encapsulated interfaces, or
IEEE 802.1Q-encapsulated interfaces.
To assign a VLAN ID to an IPX MLS interface, use the following command in interface configuration
mode:
Command Purpose
Router(config-if)# mls rp vlan-id vlan-id-number Assigns a VLAN ID to an IPX MLS interface.
The assigned IPX MLS interface must be either an
Ethernet or Fast Ethernet interface with no
subinterfaces.
Command Purpose
Router(config-if)# mls rp ipx Enables a router interface for IPX MLS.
Command Purpose
Router(config-if)# mls rp management-interface Specifies an interface as the management interface.
MLSP packets are sent and received through the
management interface. Select only one IPX MLS
interface connected to the switch.
Troubleshooting Tips
If you entered either the mls rp ipx interface command or the mls rp management-interface interface
command on the interface before assigning it to a VTP domain, the interface will be in the null domain,
instead of the VTP domain.
To remove the interface from the null domain and add it to a new VTP domain, use the following
commands in interface configuration mode:
Command Purpose
Step 1 Router(config-if)# no mls rp ipx
Router(config-if)# no mls rp management-interface
Router(config-if)# no mls rp vtp-domain domain-name
Removes the interface from the null domain.
Step 2 Router(config-if)# mls rp vtp-domain domain-name Adds the interface to a new VTP domain.
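The null-domain pitfall described here and in the Caution above, and the equivalent ordering requirement in the IP MLS interface steps earlier in this guide (mls rp vtp-domain before mls rp ip or mls rp management-interface), are easy to catch before a configuration script is pasted into the router. The following added example (not code from the Cisco guide) checks a script for the rules the guide states for both IP and IPX MLS: the VTP domain command must precede the enabling commands on each interface, the domain must match the switch's VTP domain when one is supplied, exactly one management interface must exist, mls rp vlan-id is required on interfaces that are neither Vlan interfaces nor ISL or 802.1Q subinterfaces, and a protocol enabled on an interface must also be enabled globally. It assumes, as the guide's Cisco 7505 example relies on, that a subinterface inherits a domain configured earlier on its parent interface, and it decides which lines are global with a small list of global-only commands rather than by indentation, since the guide's own examples are unindented. The two sample scripts are constructed.

```python
"""Pre-flight check of an IOS MLS configuration script before it is pasted
into the MLS-RP.

Added example (not from the Cisco guide). Rules checked, taken from the
guide's IP MLS steps and IPX MLS Caution/Troubleshooting Tips:
  * `mls rp vtp-domain` must precede `mls rp ip`, `mls rp ipx` and
    `mls rp management-interface` on an interface (else: null domain);
  * the domain must match the switch's VTP domain, if one is given;
  * exactly one management interface;
  * `mls rp vlan-id` on interfaces that are not Vlan interfaces or
    ISL/802.1Q subinterfaces;
  * a protocol enabled on an interface must also be enabled globally.
Assumption: a subinterface inherits a domain set earlier on its parent.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Commands that can only be global; they end an interface block in an unindented script.
GLOBAL_ONLY = ("ip multicast-routing", "ipx routing", "access-list", "hostname", "version", "end")


@dataclass
class Iface:
    name: str
    lines: list[str] = field(default_factory=list)


def parse_interfaces(script: str) -> tuple[list[str], list[Iface]]:
    """Split a script into global lines and per-interface line lists."""
    globals_, ifaces, current = [], [], None
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface\s+(.+)", line, re.IGNORECASE)
        if m:
            current = Iface(re.sub(r"\s+", "", m.group(1)).lower())   # "fastethernet 2/0" -> "fastethernet2/0"
            ifaces.append(current)
        elif current is not None and not line.lower().startswith(GLOBAL_ONLY):
            current.lines.append(line)
        else:
            current = None
            globals_.append(line)
    return globals_, ifaces


def check_mls_script(script: str, switch_vtp_domain: Optional[str] = None) -> list[str]:
    """Return a list of findings; an empty list means the script passes."""
    globals_, ifaces = parse_interfaces(script)
    globals_lower = [g.lower() for g in globals_]
    findings, mgmt = [], []
    domain_of: dict[str, str] = {}                  # interface name -> VTP domain configured on it
    for iface in ifaces:
        parent = iface.name.split(".")[0]
        domain = domain_of.get(parent) if "." in iface.name else None   # inherited from parent, if any
        is_vlan_iface = iface.name.startswith("vlan")
        has_encap = has_vlan_id = False
        enabled: set[str] = set()
        for line in iface.lines:
            low = line.lower()
            if low.startswith("mls rp vtp-domain"):
                domain = line.split()[-1]
                domain_of[iface.name] = domain
                if enabled:                          # the ordering pitfall from the Caution
                    findings.append(f"{iface.name}: mls rp vtp-domain {domain} entered after "
                                    f"{', '.join(sorted(enabled))}; interface will sit in the null domain "
                                    f"until the MLS config is cleared and re-entered")
            elif low.startswith(("encapsulation isl", "encapsulation dot1q")):
                has_encap = True
            elif low.startswith("mls rp vlan-id"):
                has_vlan_id = True
            elif low.startswith("mls rp management-interface"):
                enabled.add("mls rp management-interface")
                mgmt.append(iface.name)
            elif low in ("mls rp ip", "mls rp ipx"):
                enabled.add(low)
        if not enabled:
            continue                                 # not an MLS interface; nothing to check
        if domain is None:
            findings.append(f"{iface.name}: no mls rp vtp-domain; interface will be in the null domain")
        elif switch_vtp_domain and domain != switch_vtp_domain:
            findings.append(f"{iface.name}: VTP domain {domain} does not match switch domain {switch_vtp_domain}")
        if not (is_vlan_iface or has_encap or has_vlan_id):
            findings.append(f"{iface.name}: mls rp vlan-id required (not a Vlan interface or ISL/802.1Q subinterface)")
        for proto in ("mls rp ip", "mls rp ipx"):
            if proto in enabled and proto not in globals_lower:
                findings.append(f"{iface.name}: {proto} enabled on the interface but not globally")
    if len(mgmt) != 1:
        findings.append(f"expected exactly one mls rp management-interface, found {len(mgmt)}: {mgmt or 'none'}")
    return findings


# Constructed sample scripts: one correct, one with the ordering and null-domain mistakes.
GOOD_SCRIPT = """
mls rp ipx
ipx routing
interface fastethernet 2/0
 full-duplex
 mls rp vtp-domain Corporate
interface fastethernet2/0.1
 encapsulation isl 1
 ipx network 1
 mls rp ipx
 mls rp management-interface
interface fastethernet2/0.10
 encapsulation isl 10
 ipx network 10
 mls rp ipx
"""
BAD_SCRIPT = """
mls rp ip
interface Vlan1
 ip address 172.20.26.56 255.255.255.0
 mls rp ip
 mls rp management-interface
 mls rp vtp-domain Engineering
interface Ethernet1/0
 ip address 172.16.2.73 255.255.255.0
 mls rp ip
"""

if __name__ == "__main__":
    for label, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        print(label, check_mls_script(script, switch_vtp_domain="Corporate") or "OK")
```

The switch-side domain name to pass in is whatever show vtp domain reports on the Catalyst; a mismatch there is the single most common reason the MLS-RP and MLS-SE never exchange MLSP and no shortcuts are ever installed.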
Command Purpose
Router# mls rp locate ipx Displays information about all switches currently shortcutting for the specified IPX flow(s).
Router# show mls rp interface type number Displays MLS details for a specific interface.
Router# show mls rp ipx Displays details for all IPX MLS interfaces on the router: MLS status (enabled or disabled) for switch interfaces and subinterfaces; the flow mask required when creating Layer 3 switching entries for the router; current settings for the keepalive timer, retry timer, and retry count; the MLSP-ID used in MLSP messages; and the list of interfaces in all VTP domains enabled for MLS.
Router# show mls rp vtp-domain domain-name Displays details about IPX MLS interfaces for a specific VTP domain.
Figure 50 Example Network: IPX MLS with Cisco 7505 over ISL
[Figure: A Cisco 7505 (MLS-RP) connects from fa2/0 over an ISL trunk link to port 1/1 of a Catalyst 5505 with NFFC (Switch A, MLS-SE). The router subinterfaces are fa2/0.1 (IPX network 1), fa2/0.10 (IPX network 10), fa2/0.20 (IPX network 20), and fa2/0.30 (IPX network 30). Switch A ports 1/2 and 1/3 are ISL trunk links to a Catalyst 5509 (Switch B) and a Catalyst 5505 (Switch C), each attached through their port 1/1. Novell clients NC1 and NC2 and Novell servers NS1 and NS2 hang off Switch B and Switch C on VLAN 10 (IPX network 10), VLAN 20 (IPX network 20), and VLAN 30 (IPX network 30).]
Switch A Configuration
This example shows how to configure Switch A (MLS-SE):
SwitchA> (enable) set vtp domain Corporate mode server
VTP domain Corporate modified
SwitchA> (enable) set vlan 10
Vlan 10 configuration successful
SwitchA> (enable) set vlan 20
Vlan 20 configuration successful
SwitchA> (enable) set vlan 30
Vlan 30 configuration successful
SwitchA> (enable) set port name 1/1 Router Link
Port 1/1 name set.
SwitchA> (enable) set trunk 1/1 on isl
Port(s) 1/1 trunk mode set to on.
Port(s) 1/1 trunk type set to isl.
SwitchA> (enable) set port name 1/2 SwitchB Link
Port 1/2 name set.
SwitchA> (enable) set trunk 1/2 desirable isl
Port(s) 1/2 trunk mode set to desirable.
Port(s) 1/2 trunk type set to isl.
SwitchA> (enable) set port name 1/3 SwitchC Link
Port 1/3 name set.
SwitchA> (enable) set trunk 1/3 desirable isl
Port(s) 1/3 trunk mode set to desirable.
Port(s) 1/3 trunk type set to isl.
SwitchA> (enable)
Switch B Configuration
This example shows how to configure Switch B:
SwitchB> (enable) set port name 1/1 SwitchA Link
Port 1/1 name set.
SwitchB> (enable) set port name 3/1 Source S1
Port 3/1 name set.
SwitchB> (enable) set vlan 10 3/1
VLAN 10 modified.
VLAN 1 modified.
VLAN Mod/Ports
---- -----------------------
10 3/1
SwitchB> (enable)
Switch C Configuration
This example shows how to configure Switch C:
SwitchC> (enable) set port name 1/1 SwitchA Link
Port 1/1 name set.
SwitchC> (enable) set port name 3/1 Destination D1
Port 3/1 name set.
SwitchC> (enable) set vlan 30 3/1
VLAN 30 modified.
VLAN 1 modified.
VLAN Mod/Ports
---- -----------------------
30 3/1
SwitchC> (enable)
MLS-RP Configuration
This example shows how to configure the MLS-RP:
mls rp ipx
! IPX routing must be enabled globally before ipx network is accepted on an interface.
ipx routing
interface fastethernet 2/0
full-duplex
! The router interfaces must be in the same VTP domain as Switch A, which is
! configured above with "set vtp domain Corporate".
mls rp vtp-domain Corporate
interface fastethernet2/0.1
encapsulation isl 1
! fa2/0.1 is IPX network 1 in Figure 50; ipx network (not ipx address) assigns it.
ipx network 1
mls rp ipx
mls rp management-interface
interface fastethernet2/0.10
encapsulation isl 10
ipx network 10
mls rp ipx
interface fastethernet2/0.20
encapsulation isl 20
ipx network 20
mls rp ipx
interface fastethernet2/0.30
encapsulation isl 30
ipx network 30
mls rp ipx
Current configuration:
!
version 12.0
.
.
.
ipx routing 0010.0738.2917
mls rp ip
mls rp ipx
.
.
.
interface Vlan21
ip address 10.5.5.155 255.255.255.0
ipx network 2121
mls rp vtp-domain Engineering
mls rp management-interface
mls rp ip
mls rp ipx
!
interface Vlan22
ip address 10.2.2.155 255.255.255.0
ipx network 2222
mls rp vtp-domain Engineering
mls rp ip
mls rp ipx
!
.
.
.
end