Catalyst 3560 Switch Software Configuration Guide, Cisco IOS

OL-26641-03

I N D E X

Numerics

10-Gigabit Ethernet interfaces

configuration guidelines 14-33

defined 14-7

802.1AE 11-2

802.1AE Tagging 11-9, 13-2

802.1x-REV 11-2

A

AAA down policy, NAC Layer 2 IP validation 1-15

abbreviating commands 2-3

ABRs 41-26

AC (command switch) 6-11

access-class command 37-21

access control entries

See ACEs

access control entry (ACE) 43-3

access-denied response, VMPS 15-28

access groups

applying IPv4 ACLs to interfaces 37-22

Layer 2 37-22

Layer 3 37-23

access groups, applying IPv4 ACLs to interfaces 37-22

accessing

clusters, switch 6-14

command switches 6-12

member switches 6-14

switch clusters 6-14

accessing stack members 5-27

access lists

See ACLs

access ports

and Layer 2 protocol tunneling 19-11

defined 14-3

in switch clusters 6-10

access ports, defined 14-3

access template 8-2

accounting

with 802.1x 10-55

with IEEE 802.1x 10-17

with RADIUS 9-35

with TACACS+ 9-12, 9-17

ACEs

and QoS 38-8

defined 37-2

Ethernet 37-2

IP 37-2

ACLs

ACEs 37-2

any keyword 37-14

applying

on bridged packets 37-44

on multicast packets 37-45

on routed packets 37-45

on switched packets 37-43

time ranges to 37-18

to an interface 37-21, 43-7

to IPv6 interfaces 43-7

to QoS 38-8

classifying traffic for QoS 38-51

comments in 37-20

compiling 37-26

defined 37-2, 37-8

examples of 37-26, 38-51

IN-1Catalyst 3560 Switch Software Configuration Guide

Index

extended IP, configuring for QoS classification 38-53

extended IPv4

creating 37-12

matching criteria 37-8

hardware and software handling 37-23

host keyword 37-14

IP

creating 37-8

fragments and QoS guidelines 38-42

implicit deny 37-11, 37-16, 37-18

implicit masks 37-11


undefined 37-23

IPv4

applying to interfaces 37-21

creating 37-8


named 37-16

numbers 37-9

terminal lines, setting on 37-21

unsupported features 37-8

IPv6

and stacking 43-3


configuring 43-4, 43-5

displaying 43-8

interactions with other features 43-4

limitations 43-3


named 43-3

precedence of 43-2

supported 43-2


Layer 4 information in 37-43

logging messages 37-10

MAC extended 37-31, 38-54

matching 37-8, 37-23, 43-3

monitoring 37-47, 43-8

named, IPv4 37-16


named, IPv6 43-3

names 43-4

number per QoS class map 38-42

port 37-2, 43-1

precedence of 37-3

QoS 38-8, 38-51

resequencing entries 37-16

router 37-2, 43-1

router ACLs and VLAN map configuration guidelines 37-42

standard IP, configuring for QoS classification 38-52

standard IPv4

creating 37-11


support for 1-13

support in hardware 37-23

time ranges 37-18

types supported 37-2

unsupported features, IPv4 37-8

unsupported features, IPv6 43-3

using router ACLs with VLAN maps 37-42

VLAN maps


configuring 37-33

active link 24-4, 24-5, 24-6

active links 24-2

active router 45-2

active traffic monitoring, IP SLAs 46-1

address aliasing 27-2

addresses

displaying the MAC address table 7-26

dynamic

accelerated aging 20-10

changing the aging time 7-16

default aging 20-10

defined 7-14

learning 7-15

removing 7-17

IPv6 42-2

OL-26641-03

Index

MAC, discovering 7-26

multicast

group address range 49-3

STP address management 20-10

multicast, STP address management 20-10

static

adding and removing 7-22

defined 7-14

address resolution 7-26, 41-9

Address Resolution Protocol

See ARP

adjacency tables, with CEF 41-92

administrative distances

defined 41-105

OSPF 41-34

routing protocol defaults 41-94

administrative VLAN

REP, configuring 23-8

administrative VLAN, REP 23-8

advertisements

CDP 29-1

LLDP 30-2

RIP 41-21

VTP 15-19, 16-3, 16-5

age timer, REP 23-8

aggregatable global unicast addresses 42-3

aggregate addresses, BGP 41-62

aggregated ports

See EtherChannel

aggregate policers 38-69

aggregate policing 1-17

aggregator template 5-12, 8-3

aging, accelerating 20-10

aging time

accelerated

for MSTP 21-25

for STP 20-10, 20-25

MAC address table 7-16

maximum

OL-26641-03

for MSTP 21-26

for STP 20-25, 20-26

alarms, RMON 33-4

allowed-VLAN list 15-21

application engines, redirecting traffic to 48-1

area border routers

See ABRs

area routing

IS-IS 41-67

ISO IGRP 41-67

ARP

configuring 41-11

defined 1-7, 7-26, 41-9

encapsulation 41-12

static cache configuration 41-11

table

address resolution 7-26

managing 7-26

ASBRs 41-26

AS-path filters, BGP 41-56

asymmetrical links, and IEEE 802.1Q tunneling 19-4

attributes, RADIUS

vendor-proprietary 9-38

vendor-specific 9-36

attribute-value pairs 10-14, 10-17, 10-22, 10-23

authentication

EIGRP 41-43

HSRP 45-12

local mode with AAA 9-44

open1x 10-32

RADIUS

key 9-28

login 9-30

TACACS+

defined 9-11

key 9-13

login 9-14

See also port-based authentication


Index

authentication compatibility with Catalyst 6000 switches 10-9

authentication failed VLAN

See restricted VLAN

authentication keys, and routing protocols 41-105

authentication manager

CLI commands 10-10

compatibility with older 802.1x CLI commands 10-10 to ??

overview 10-8

authoritative time source, described 7-3

authorization

with RADIUS 9-34

with TACACS+ 9-12, 9-16

authorized ports with IEEE 802.1x 10-11

autoconfiguration 3-3

auto enablement 10-34

automatic advise (auto-advise) in switch stacks 5-14

automatic copy (auto-copy) in switch stacks 5-13

automatic discovery

considerations

beyond a noncandidate device 6-9

brand new switches 6-10

connectivity 6-6

different VLANs 6-8

management VLANs 6-8

non-CDP-capable devices 6-7

noncluster-capable devices 6-7

routed ports 6-9

in switch clusters 6-6

See also CDP

automatic extraction (auto-extract) in switch stacks 5-13

automatic QoS

See QoS

automatic recovery, clusters 6-11

See also HSRP

automatic upgrades (auto-upgrade) in switch stacks 5-13

auto-MDIX

configuring 14-39

described 14-39


autonegotiation

duplex mode 1-4

interface configuration guidelines 14-36

mismatches 52-13

autonomous system boundary routers

See ASBRs

autonomous systems, in BGP 41-50

Auto-QoS video devices 1-18

Auto-RP, described 49-6

autosensing, port speed 1-4

autostate exclude 14-6

auxiliary VLAN

See voice VLAN

availability, features 1-9

B

BackboneFast

described 22-8

disabling 22-18

enabling 22-17

support for 1-10

backup interfaces

See Flex Links

backup links 24-2

backup static routing, configuring 47-12

banners

configuring

login 7-14

message-of-the-day login 7-13

default configuration 7-12

when displayed 7-12

Berkeley r-tools replacement 9-56

BGP

aggregate addresses 41-62

aggregate routes, configuring 41-62

CIDR 41-62

clear commands 41-65

community filtering 41-59

OL-26641-03

Index

configuring neighbors 41-60


described 41-46

enabling 41-50

monitoring 41-65

multipath support 41-54

neighbors, types of 41-50

path selection 41-54

peers, configuring 41-60

prefix filtering 41-58

resetting sessions 41-53

route dampening 41-64

route maps 41-56

route reflectors 41-63

routing domain confederation 41-63

routing session with multi-VRF CE 41-86

show commands 41-65

supernets 41-62

support for 1-19

Version 4 41-47

binding cluster group and HSRP group 45-13

binding database

address, DHCP server

See DHCP, Cisco IOS server database

DHCP snooping

See DHCP snooping binding database

bindings

address, Cisco IOS DHCP server 25-6

DHCP snooping database 25-6

IP source guard 25-16

binding table, DHCP snooping


blocking packets 28-7

Boolean expressions in tracked lists 47-4

booting

boot loader, function of 3-2

boot process 3-2

manually 3-20

specific image 3-21

OL-26641-03

boot loader

accessing 3-22

described 3-2

environment variables 3-22

prompt 3-22

trap-door mechanism 3-2

Boot Loader Upgrade and Image Verification for the FIPS Mode of Operation 3-25

bootstrap router (BSR), described 49-7

Border Gateway Protocol

See BGP

BPDU

error-disabled state 22-2

filtering 22-3

RSTP format 21-13

BPDU filtering

described 22-3

disabling 22-16

enabling 22-15

support for 1-10

BPDU guard

described 22-2

disabling 22-15

enabling 22-14

support for 1-10

bridged packets, ACLs on 37-44

bridge groups

See fallback bridging

bridge protocol data unit

See BPDU

broadcast flooding 41-18

broadcast packets

directed 41-15

flooded 41-15

broadcast storm-control command 28-4

broadcast storms 28-1, 41-15


Index

C

cables, monitoring for unidirectional links 31-1

candidate switch

automatic discovery 6-6

defined 6-5

requirements 6-5

See also command switch, cluster standby group, and member switch

Catalyst 6000 switches

authentication compatibility 10-9

CA trustpoint

configuring 9-53

defined 9-51

CDP

and trusted boundary 38-48

automatic discovery in switch clusters 6-6

configuring 29-2


defined with LLDP 30-1

described 29-1

disabling for routing device 29-4

enabling and disabling

on an interface 29-4

on a switch 29-4

Layer 2 protocol tunneling 19-7

monitoring 29-5

overview 29-1

power negotiation extensions 14-8

support for 1-7

switch stack considerations 29-2

transmission timer and holdtime, setting 29-3

updates 29-3

CEF

defined 41-92

distributed 41-92

enabling 41-92

IPv6 42-31

CGMP


as IGMP snooping learning method 27-9

clearing cached group entries 49-64

enabling server support 49-45

joining multicast group 27-3

overview 49-9

server support only 49-9

switch support of 1-5

CIDR 41-62

CipherSuites 9-52

Cisco 7960 IP Phone 17-1

Cisco Discovery Protocol

See CDP

Cisco Express Forwarding

See CEF

Cisco Group Management Protocol

See CGMP

Cisco intelligent power management 14-8

Cisco IOS DHCP server

See DHCP, Cisco IOS DHCP server

Cisco IOS File System

See IFS

Cisco IOS IP SLAs 46-2

Cisco Redundant Power System 2300

configuring 14-53

managing 14-53

Cisco Secure ACS

attribute-value pairs for downloadable ACLs 10-23

attribute-value pairs for redirect URL 10-22

Cisco Secure ACS configuration guide 10-73

CiscoWorks 2000 1-7, 35-5

CISP 10-34

CIST regional root

See MSTP

CIST root

See MSTP

civic location 30-3

classless interdomain routing

See CIDR

classless routing 41-8

OL-26641-03

Index

class maps for QoS

configuring 38-55

described 38-8

displaying 38-89

class of service

See CoS

clearing interfaces 14-56

CLI

abbreviating commands 2-3

command modes 2-1

configuration logging 2-5

described 1-6

editing features

enabling and disabling 2-6

keystroke editing 2-7

wrapped lines 2-8

error messages 2-4

filtering command output 2-9

getting help 2-3

history

changing the buffer size 2-5

described 2-5

disabling 2-6

recalling commands 2-6

managing clusters 6-17

no and default forms of commands 2-4

Client Information Signalling Protocol

See CISP

client mode, VTP 16-3

client processes, tracking 47-1

CLNS

See ISO CLNS

clock

See system clock

clusters, switch

accessing 6-14


automatic recovery 6-11

benefits 1-2

OL-26641-03

compatibility 6-5

described 6-1

LRE profile considerations 6-17

managing

through CLI 6-17

through SNMP 6-18

planning 6-5

planning considerations



CLI 6-17

host names 6-14

IP addresses 6-14

LRE profiles 6-17

passwords 6-15

RADIUS 6-17

SNMP 6-15, 6-18

switch stacks 6-15

TACACS+ 6-17

See also candidate switch, command switch, cluster standby group, member switch, and standby command switch

cluster standby group

and HSRP group 45-13


considerations 6-12

defined 6-2

requirements 6-3

virtual IP address 6-12

See also HSRP

CNS 1-7

Configuration Engine

configID, deviceID, hostname 4-3

configuration service 4-2

described 4-1

event service 4-3

embedded agents

described 4-5

enabling automated configuration 4-6


Index

enabling configuration agent 4-9

enabling event agent 4-8

management functions 1-7

CoA Request Commands 9-23

Coarse Wave Division Multiplexer

See CWDM SFPs

command-line interface

See CLI

command modes 2-1

commands

abbreviating 2-3

no and default 2-4

commands, setting privilege levels 9-8

command switch

accessing 6-12

active (AC) 6-11

configuration conflicts 52-12

defined 6-2

passive (PC) 6-11

password privilege levels 6-18

priority 6-11

recovery

from command-switch failure 6-11, 52-9

from lost member connectivity 52-12

redundant 6-11

replacing

with another switch 52-11

with cluster member 52-9

requirements 6-3

standby (SC) 6-11

See also candidate switch, cluster standby group, member switch, and standby command switch

community list, BGP 41-59

community ports 18-2

community strings


for cluster switches 35-4

in clusters 6-15

overview 35-4


SNMP 6-15

community VLANs 18-2, 18-3

compatibility, feature 28-12

compatibility, software

See stacks, switch

config.text 3-19

configurable leave timer, IGMP 27-6

configuration, initial

defaults 1-23

Express Setup 1-2

configuration changes, logging 34-11

configuration conflicts, recovering from lost member connectivity 52-12

configuration examples, network 1-26

configuration files

archiving 54-21

clearing the startup configuration 54-20

creating using a text editor 54-11

default name 3-19

deleting a stored configuration 54-20

described 54-8

downloading

automatically 3-19

preparing 54-11, 54-14, 54-17

reasons for 54-8

using FTP 54-14

using RCP 54-18

using TFTP 54-12

guidelines for creating and using 54-10

guidelines for replacing and rolling back 54-22

invalid combinations when copying 54-5

limiting TFTP server access 35-18

obtaining with DHCP 3-9

password recovery disable considerations 9-5

replacing a running configuration 54-21

rolling back a running configuration 54-21, 54-22

specifying the filename 3-19

system contact and location information 35-17

types and location 54-10

OL-26641-03

Index

uploading

preparing 54-11, 54-14, 54-17

reasons for 54-9

using FTP 54-16

using RCP 54-19

using TFTP 54-13

configuration guidelines

REP 23-7

configuration guidelines, multi-VRF CE 41-79

configuration logger 34-11

configuration logging 2-5

configuration replacement 54-21

configuration rollback 54-21

configuration settings, saving 3-16

configure terminal command 14-24

configuring 802.1x user distribution 10-68

Configuring First Hop Security in IPv6 41-45, 42-19

Configuring IPv6 Source Guard 42-22

configuring port-based authentication violation modes 10-45

configuring small-frame arrival rate 28-5

Configuring VACL Logging 37-41

conflicts, configuration 52-12

connections, secure remote 9-46

connectivity problems 52-15, 52-16, 52-18

consistency checks in VTP Version 2 16-6

console port, connecting to 2-10

content-routing technology

See WCCP

control protocol, IP SLAs 46-4

convergence

REP 23-4

corrupted software, recovery steps with Xmodem 52-2

CoS

in Layer 2 frames 38-2

override priority 17-6

trust priority 17-6

CoS input queue threshold map for QoS 38-17

CoS output queue threshold map for QoS 38-21

OL-26641-03

CoS-to-DSCP map for QoS 38-71

counters, clearing interface 14-56

CPU utilization, troubleshooting 52-29

crashinfo file 52-25

critical authentication, IEEE 802.1x 10-65

critical VLAN 10-26

critical voice VLAN

configuring 10-65

cross-stack EtherChannel


configuring

on Layer 2 interfaces 39-14

on Layer 3 physical interfaces 39-18

described 39-3

illustration 39-4

support for 1-9

cross-stack UplinkFast, STP

described 22-5

disabling 22-17

enabling 22-17

fast-convergence events 22-8

Fast Uplink Transition Protocol 22-7

normal-convergence events 22-8

support for 1-10

cryptographic software image

Kerberos 9-40

SSH 9-45

SSL 9-50


customer edge devices 41-77

customjzeable web pages, web-based authentication 12-6

CWDM SFPs 1-39

D

DACL

See downloadable ACL

daylight saving time 7-8

dCEF, in the switch stack 41-92


Index

debugging

enabling all system diagnostics 52-21

enabling for a specific feature 52-21

redirecting error message output 52-22

using commands 52-20

default commands 2-4

default configuration

802.1x 10-39

auto-QoS 38-24

banners 7-12

BGP 41-47

CDP 29-2

DHCP 25-8

DHCP option 82 25-8

DHCP snooping 25-8

DHCP snooping binding database 25-9

DNS 7-11

dynamic ARP inspection 26-6

EIGRP 41-38

EtherChannel 39-12

Ethernet interfaces 14-32

fallback bridging 51-3

Flex Links 24-9

HSRP 45-6

IEEE 802.1Q tunneling 19-4

IGMP 49-40

IGMP filtering 27-25

IGMP snooping 27-7, 44-6

IGMP throttling 27-25

initial switch information 3-3

IP addressing, IP routing 41-6

IP multicast routing 49-11

IP SLAs 46-6

IP source guard 25-17

IPv6 42-17

IS-IS 41-68

Layer 2 interfaces 14-32


LLDP 30-5


MAC address table 7-16

MAC address-table move update 24-9

MSDP 50-4

MSTP 21-15

multi-VRF CE 41-79

MVR 27-20

optional spanning-tree configuration 22-12

OSPF 41-27

password and privilege level 9-3

PIM 49-11

private VLANs 18-7

RADIUS 9-27

REP 23-7

RIP 41-21

RMON 33-3

RSPAN 32-11

SDM template 8-8

SNMP 35-7

SPAN 32-11

SSL 9-52

standard QoS 38-39

STP 20-14

switch stacks 5-22

system message logging 34-4

system name and prompt 7-10

TACACS+ 9-13

UDLD 31-4

VLAN, Layer 2 Ethernet interfaces 15-19

VLANs 15-9

VMPS 15-29

voice VLAN 17-3

VTP 16-10

WCCP 48-5

default gateway 3-16, 41-13

default networks 41-95

default router preference

See DRP

default routes 41-95

default routing 41-3

OL-26641-03

Index

default web-based authentication configuration

802.1X 12-9

deleting VLANs 15-10

denial-of-service attack 28-1

description command 14-47

designing your network, examples 1-26

desktop template 5-12, 8-3

destination addresses

in IPv4 ACLs 37-13

in IPv6 ACLs 43-5

destination-IP address-based forwarding, EtherChannel 39-10

destination-MAC address forwarding, EtherChannel 39-10

detecting indirect link failures, STP 22-8

device 54-25

device discovery protocol 29-1, 30-1

device manager

benefits 1-2

described 1-2, 1-6

in-band management 1-8

upgrading a switch 54-25

device sensor

configuring 10-56

restrictions 10-56

DHCP

Cisco IOS server database

configuring 25-14


described 25-6

DHCP for IPv6

See DHCPv6

enabling

relay agent 25-10

DHCP-based autoconfiguration

client request message exchange 3-4

configuring

client side 3-4

DNS 3-8

OL-26641-03

relay device 3-8

server side 3-6

TFTP server 3-7

example 3-10

lease options

for IP address information 3-6

for receiving the configuration file 3-7

overview 3-3

relationship to BOOTP 3-4

relay support 1-7, 1-19

support for 1-7

DHCP-based autoconfiguration and image update

configuring 3-11 to 3-15

understanding 3-5 to 3-6

DHCP binding database


DHCP binding table


DHCP object tracking, configuring primary interface 47-10

DHCP option 82

circuit ID suboption 25-5



displaying 25-15

forwarding address, specifying 25-10

helper address 25-10

overview 25-3

packet format, suboption

circuit ID 25-5

remote ID 25-5

remote ID suboption 25-5

DHCP server port-based address allocation



described 25-26

displaying 25-30

enabling 25-27

reserved addresses 25-28


Index

DHCP server port-based address assignment

support for 1-7

DHCP snooping

accepting untrusted packets form edge switch 25-3, 25-12

and private VLANs 25-13

binding database




displaying binding tables 25-15

message exchange process 25-4

option 82 data insertion 25-3

trusted interface 25-2

untrusted interface 25-2

untrusted messages 25-2

DHCP snooping binding database

adding bindings 25-14

binding entries, displaying 25-15

binding file

format 25-7

location 25-6

bindings 25-6

clearing agent statistics 25-15


configuring 25-14

default configuration 25-8, 25-9

deleting

binding file 25-15

bindings 25-15

database agent 25-15

described 25-6

displaying 25-15

binding entries 25-15

status and statistics 25-15

displaying status and statistics 25-15

enabling 25-14

entry 25-6

renewing database 25-15


resetting

delay value 25-15

timeout value 25-15

DHCP snooping binding table


DHCPv6



described 42-10

enabling client function 42-30

enabling DHCPv6 server function 42-28

support for 1-19

Differentiated Services architecture, QoS 38-2

Differentiated Services Code Point 38-2

Diffusing Update Algorithm (DUAL) 41-36

directed unicast requests 1-7

directories

changing 54-4

creating and removing 54-4

displaying the working 54-4

discovery, clusters

See automatic discovery

Distance Vector Multicast Routing Protocol

See DVMRP

distance-vector protocols 41-3

distribute-list command 41-104

DNS

and DHCP-based autoconfiguration 3-8


displaying the configuration 7-12

in IPv6 42-4

overview 7-10

setting up 7-11

support for 1-7

DNS-based SSM mapping 49-19, 49-21

domain names

DNS 7-10

VTP 16-11

Domain Name System

OL-26641-03

Index

See DNS

domains, ISO IGRP routing 41-67

dot1q-tunnel switchport mode 15-18

double-tagged packets



downloadable ACL 10-21, 10-23, 10-73

downloading

configuration files

preparing 54-11, 54-14, 54-17

reasons for 54-8

using FTP 54-14

using RCP 54-18

using TFTP 54-12

image files

deleting old image 54-29

preparing 54-27, 54-31, 54-35

reasons for 54-25

using CMS 1-3

using FTP 54-32

using HTTP 1-3, 54-25

using RCP 54-36

using TFTP 54-28

using the device manager or Network Assistant 54-25

drop threshold for Layer 2 protocol packets 19-12

DRP

configuring 42-24

described 42-9

IPv6 42-9

support for 1-19

DSCP 1-17, 38-2

DSCP input queue threshold map for QoS 38-17

DSCP output queue threshold map for QoS 38-21

DSCP-to-CoS map for QoS 38-74

DSCP-to-DSCP-mutation map for QoS 38-75

DSCP transparency 38-49

DTP 1-11, 15-17

dual-action detection 39-7

OL-26641-03

DUAL finite state machine, EIGRP 41-37

dual IPv4 and IPv6 templates 8-5, 42-10

dual protocol stacks

IPv4 and IPv6 42-10

SDM templates supporting 42-10

dual-purpose uplinks

defined 14-7

LEDs 14-7

link selection 14-7, 14-34

setting the type 14-34

DVMRP

autosummarization

configuring a summary address 49-59

disabling 49-61

connecting PIM domain to DVMRP router 49-52

enabling unicast routing 49-55

interoperability

with Cisco devices 49-50

with Cisco IOS software 49-9

mrinfo requests, responding to 49-54

neighbors

advertising the default route to 49-54

discovery with Probe messages 49-50

displaying information 49-54

prevent peering with nonpruning 49-57

rejecting nonpruning 49-56

overview 49-9

routes

adding a metric offset 49-62

advertising all 49-61

advertising the default route to neighbors 49-54

caching DVMRP routes learned in report messages 49-55

changing the threshold for syslog messages 49-58

deleting 49-64

displaying 49-64

favoring one over another 49-62

limiting the number injected into MBONE 49-58

limiting unicast route advertisements 49-50


Index

routing table 49-9

source distribution tree, building 49-9

support for 1-19

tunnels

configuring 49-52

displaying neighbor information 49-54

dynamic access ports

characteristics 15-4

configuring 15-30

defined 14-3

dynamic addresses

See addresses

dynamic ARP inspection

ARP cache poisoning 26-1

ARP requests, described 26-1

ARP spoofing attack 26-1

clearing

log buffer 26-17

statistics 26-17


configuring

ACLs for non-DHCP environments 26-10

in DHCP environments 26-8

log buffer 26-15

rate limit for incoming ARP packets 26-4, 26-12


denial-of-service attacks, preventing 26-12

described 26-1

DHCP snooping binding database 26-2

displaying

ARP ACLs 26-16

configuration and operating state 26-16

log buffer 26-17

statistics 26-17

trust state and rate limit 26-16

error-disabled state for exceeding rate limit 26-4

function of 26-2

interface trust states 26-3

log buffer


clearing 26-17

configuring 26-15

displaying 26-17

logging of dropped packets, described 26-5

man-in-the middle attack, described 26-2

network security issues and interface trust states 26-3

priority of ARP ACLs and DHCP snooping entries 26-4

rate limiting of ARP packets

configuring 26-12

described 26-4

error-disabled state 26-4

statistics

clearing 26-17

displaying 26-17

validation checks, performing 26-14

dynamic auto trunking mode 15-18

dynamic desirable trunking mode 15-18

Dynamic Host Configuration Protocol

See DHCP-based autoconfiguration

dynamic port VLAN membership

described 15-28

reconfirming 15-31

troubleshooting 15-33

types of connections 15-30

dynamic routing 41-3

ISO CLNS 41-66

Dynamic Trunking Protocol

See DTP

E

EAC 13-2

EBGP 41-45

editing features

enabling and disabling 2-6

keystrokes used 2-7

wrapped lines 2-8

EEM 3.2 36-5

OL-26641-03

Index

EIGRP

authentication 41-43

components 41-37

configuring 41-40


definition 41-36

interface parameters, configuring 41-41

monitoring 41-45

stub routing 41-44

elections

See stack master

ELIN location 30-3

embedded event manager

3.2 36-5

actions 36-4


displaying information 36-8

environmental variables 36-5

event detectors 36-3

policies 36-4

registering and defining an applet 36-6

registering and defining a TCL script 36-7

understanding 36-1

enable password 9-4

enable secret password 9-4

Enable the FIPS mode 3-25

encryption, CipherSuite 9-52

encryption for passwords 9-4

encryption keying 11-2

encryption keys, MKA 11-2

Endpoint Admission Control (EAC) 13-2

Enhanced IGRP

See EIGRP

enhanced object tracking

backup static routing 47-12

commands 47-1

defined 47-1

DHCP primary interface 47-10

HSRP 47-7

OL-26641-03

IP routing state 47-2

IP SLAs 47-9

line-protocol state 47-2

network monitoring with IP SLAs 47-11

routing policy, configuring 47-12

static route primary interface 47-10

tracked lists 47-3

enhanced object tracking static routing 47-10

environmental variables, embedded event manager 36-5

environment variables, function of 3-23

equal-cost routing 1-19, 41-93

error-disabled state, BPDU 22-2

error messages during command entry 2-4

EtherChannel

automatic creation of 39-6, 39-8

channel groups

binding physical and logical interfaces 39-5, 39-6

numbering of 39-6


configuring


Layer 3 physical interfaces 39-18

Layer 3 port-channel logical interfaces 39-17

configuring Layer 2 interfaces 39-14


described 39-2

displaying status 39-25

forwarding methods 39-10, 39-20

IEEE 802.3ad, described 39-8

interaction

with STP 39-13

with VLANs 39-14

LACP

described 39-8


hot-standby ports 39-22

interaction with other features 39-9

modes 39-9

port priority 39-24


Index

system priority 39-23

Layer 3 interface 41-5

load balancing 39-10, 39-20

logical interfaces, described 39-5

PAgP

aggregate-port learners 39-21

compatibility with Catalyst 1900 39-21

described 39-6


interaction with other features 39-8

interaction with virtual switches 39-7

learn method and priority configuration 39-21

modes 39-7

support for 1-5

with dual-action detection 39-7

port-channel interfaces

described 39-5

numbering of 39-6

port groups 14-6

stack changes, effects of 39-11

support for 1-5

EtherChannel guard

described 22-10

disabling 22-18

enabling 22-18

Ethernet management port

active link 14-29

and routing 14-29

and TFTP 14-31

configuring 14-31

default setting 14-29

described 14-29

for network management 14-29

specifying 14-31

supported features 14-30


Ethernet management port, internal

and routing 14-29



Ethernet VLANs

adding 15-9

defaults and ranges 15-9

modifying 15-9

EUI 42-4

event detectors, embedded event manager 36-3

events, RMON 33-4

examples

network configuration 1-26

expedite queue for QoS 38-88

Express Setup 1-2

See also getting started guide

extended crashinfo file 52-25

extended-range VLANs


configuring 15-12

creating 15-13

creating with an internal VLAN ID 15-15

defined 15-1

extended system ID

MSTP 21-19

STP 20-5, 20-18

extended universal identifier

See EUI

Extensible Authentication Protocol over LAN 10-2

external BGP

See EBGP

external neighbors, BGP 41-50

F

fa0 interface 1-8

Fa0 port

See Ethernet management port

failover support 1-9

fallback bridging

and protected ports 51-4

bridge groups

creating 51-4

OL-26641-03

Index

described 51-2

displaying 51-10

function of 51-2

number supported 51-4

removing 51-5

bridge table

clearing 51-10

displaying 51-10


connecting interfaces with 14-17


described 51-1

frame forwarding

flooding packets 51-2

forwarding packets 51-2

overview 51-1

protocol, unsupported 51-4


STP

disabling on an interface 51-9

forward-delay interval 51-8

hello BPDU interval 51-8

interface priority 51-6

maximum-idle interval 51-9

path cost 51-7

VLAN-bridge spanning-tree priority 51-6

VLAN-bridge STP 51-2

support for 1-19

SVIs and routed ports 51-1

unsupported protocols 51-4

VLAN-bridge STP 20-13

Fast Convergence 24-3

fastethernet0 port

See Ethernet management port

Fast Uplink Transition Protocol 22-7

features, incompatible 28-12

FIB 41-92

fiber-optic, detecting unidirectional links 31-1

files

OL-26641-03

basic crashinfo

description 52-25

location 52-25

copying 54-5

crashinfo, description 52-25

deleting 54-5

displaying the contents of 54-8

extended crashinfo

description 52-25

location 52-25

tar

creating 54-6

displaying the contents of 54-7

extracting 54-7

image file format 54-26

file system

displaying available file systems 54-2

displaying file information 54-3

local file system names 54-1

network file system names 54-5

setting the default 54-3

filtering

in a VLAN 37-33

IPv6 traffic 43-4, 43-7

non-IP traffic 37-31

show and more command output 2-9

filtering show and more command output 2-9

filters, IP

See ACLs, IP

fips authorization-key authorization-key 3-25

flash device, number of 54-1

flexible authentication ordering

configuring 10-76

overview 10-32

Flex Link Multicast Fast Convergence 24-3

Flex Links


configuring 24-10

configuring preferred VLAN 24-13


Index

configuring VLAN load balancing 24-12


description 24-2

link load balancing 24-2

monitoring 24-16

VLANs 24-2

flooded traffic, blocking 28-8

flow-based packet classification 1-17

flowcharts

QoS classification 38-7

QoS egress queueing and scheduling 38-19

QoS ingress queueing and scheduling 38-16

QoS policing and marking 38-11

flowcontrol

configuring 14-38

described 14-38

forward-delay time

MSTP 21-25

STP 20-25

Forwarding Information Base

See FIB

forwarding nonroutable protocols 51-1

FTP

configuration files

downloading 54-14

overview 54-13

preparing the server 54-14

uploading 54-16

image files

deleting old image 54-33

downloading 54-32

preparing the server 54-31

uploading 54-33

G

general query 24-5

Generating IGMP Reports 24-4

get-bulk-request operation 35-4


get-next-request operation 35-3, 35-5

get-request operation 35-3, 35-4, 35-5

get-response operation 35-4

Gigabit modules

See SFPs

global configuration mode 2-2

global leave, IGMP 27-13

guest VLAN and 802.1x 10-24

guide mode 1-2

GUIs

See device manager and Network Assistant

H

hardware limitations and Layer 3 interfaces 14-49

hello time

MSTP 21-25

STP 20-24

help, for the command line 2-3

HFTM space 52-28

hierarchical policy maps 38-9


configuring 38-62

described 38-12

history

changing the buffer size 2-5

described 2-5

disabling 2-6

recalling commands 2-6

history table, level and number of syslog messages 34-10

host modes, MACsec 11-3

host names, in clusters 6-14

host ports

configuring 18-12

kinds of 18-2

hosts, limit on dynamic ports 15-33

Hot Standby Router Protocol

See HSRP

HP OpenView 1-7

OL-26641-03

Index

HQATM space 52-28

HSRP

authentication string 45-12

automatic cluster recovery 6-13

binding to cluster group 45-13

cluster standby group considerations 6-12

command-switch redundancy 1-1, 1-9

configuring 45-6


definition 45-1

guidelines 45-7

monitoring 45-14

object tracking 47-7

overview 45-1

priority 45-9

routing redundancy 1-18

support for ICMP redirect messages 45-13


timers 45-12

tracking 45-9

See also clusters, cluster standby group, and standby command switch

HSRP for IPv6

configuring 42-38

guidelines 42-37

HTTP over SSL

see HTTPS

HTTPS 9-50

configuring 9-54

self-signed certificate 9-51

HTTP secure server 9-50

Hulc Forwarding TCAM Manager

See HFTM space

Hulc QoS/ACL TCAM Manager

See HQATM space

I

IBPG 41-45

OL-26641-03

ICMP

IPv6 42-4

redirect messages 41-13

support for 1-19

time-exceeded messages 52-18

traceroute and 52-18

unreachable messages 37-22

unreachable messages and IPv6 43-4

unreachables and ACLs 37-23

ICMP Echo operation

configuring 46-12

IP SLAs 46-12

ICMP ping

executing 52-15

overview 52-15

ICMP Router Discovery Protocol

See IRDP

ICMPv6 42-4

IDS appliances

and ingress RSPAN 32-22

and ingress SPAN 32-15

IEEE 802.1D

See STP

IEEE 802.1p 17-1

IEEE 802.1Q

and trunk ports 14-4

configuration limitations 15-19

encapsulation 15-16

native VLAN for untagged traffic 15-23

tunneling

compatibility with other features 19-5

defaults 19-4

described 19-1

tunnel ports with other features 19-6

IEEE 802.1s

See MSTP

IEEE 802.1w

See RSTP

IEEE 802.1x


Index

See port-based authentication

IEEE 802.3ad

See EtherChannel

IEEE 802.3ad, PoE+ 1-20, 14-9

IEEE 802.3af

See PoE

IEEE 802.3x flow control 14-38

ifIndex values, SNMP 35-6

IFS 1-7

IGMP

configurable leave timer

described 27-6

enabling 27-11

configuring the switch

as a member of a group 49-40

statically connected member 49-44

controlling access to groups 49-41


deleting cache entries 49-64

displaying groups 49-64

fast switching 49-45

flooded multicast traffic

controlling the length of time 27-12

disabling on an interface 27-13

global leave 27-13

query solicitation 27-13

recovering from flood mode 27-13

host-query interval, modifying 49-42

joining multicast group 27-3

join messages 27-3

leave processing, enabling 27-11, 44-9

leaving multicast group 27-5

multicast reachability 49-40

overview 49-3

queries 27-4

report suppression

described 27-6

disabling 27-16, 44-11

supported versions 27-3


support for 1-5

Version 1

changing to Version 2 49-42

described 49-3

Version 2

changing to Version 1 49-42

described 49-3

maximum query response time value 49-44

pruning groups 49-44

query timeout value 49-43

IGMP filtering

configuring 27-26


described 27-24

monitoring 27-29

support for 1-6

IGMP groups

configuring filtering 27-28

setting the maximum number 27-27

IGMP helper 1-5, 49-6

IGMP Immediate Leave


described 27-5

enabling 27-11

IGMP profile

applying 27-27

configuration mode 27-26

configuring 27-26

IGMP snooping

and address aliasing 27-2

and stack changes 27-6

configuring 27-7


definition 27-2

enabling and disabling 27-7, 44-7

global configuration 27-7

Immediate Leave 27-5

in the switch stack 27-6

method 27-8

OL-26641-03

Index

monitoring 27-17, 44-12

querier


configuring 27-14

supported versions 27-3

support for 1-5

VLAN configuration 27-8

IGMP throttling

configuring 27-28


described 27-25

displaying action 27-29

IGP 41-26

Immediate Leave, IGMP 27-5

enabling 44-9

inaccessible authentication bypass 10-26

support for multiauth ports 10-26

initial configuration

defaults 1-23

Express Setup 1-2

interface

number 14-23

range macros 14-27

interface command 14-23 to ??, 14-23 to ??, 14-23 to 14-24

interface configuration

REP 23-9

interface configuration mode 2-2

interfaces

auto-MDIX, configuring 14-39


10-Gigabit Ethernet 14-33

duplex and speed 14-35

configuring

procedure 14-24

counters, clearing 14-56


described 14-47

descriptive name, adding 14-47

displaying information about 14-55

OL-26641-03

flow control 14-38

management 1-6

monitoring 14-55

naming 14-47

physical, identifying 14-23

range of 14-25

restarting 14-56, 14-57

shutting down 14-56

speed and duplex, configuring 14-36

status 14-55

supported 14-23

types of 14-1

interfaces range macro command 14-27

interface types 14-23

Interior Gateway Protocol

See IGP

internal BGP

See IBGP

internal neighbors, BGP 41-50

Internet Control Message Protocol

See ICMP

Internet Group Management Protocol

See IGMP

Internet Protocol version 6

See IPv6

Inter-Switch Link

See ISL

inter-VLAN routing 1-19, 41-2

Intrusion Detection System

See IDS appliances

inventory management TLV 30-3, 30-7

IP ACLs

for QoS classification 38-8

implicit deny 37-11, 37-16

implicit masks 37-11

named 37-16

undefined 37-23

IP addresses

128-bit 42-2


Index

candidate or member 6-5, 6-14

classes of 41-7

cluster access 6-2

command switch 6-3, 6-12, 6-14


discovering 7-26

for IP routing 41-5

IPv6 42-2

MAC address association 41-9

monitoring 41-19

redundant clusters 6-12

standby command switch 6-12, 6-14

See also IP information

IP base image 1-1

IP broadcast address 41-17

ip cef distributed command 41-92

IP directed broadcasts 41-15

ip igmp profile command 27-26

IP information

assigned

manually 3-15

through DHCP-based autoconfiguration 3-3


IP multicast routing

addresses

all-hosts 49-3

all-multicast-routers 49-3

host group address range 49-3

administratively-scoped boundaries, described 49-48

and IGMP snooping 27-2

Auto-RP

adding to an existing sparse-mode cloud 49-27

benefits of 49-27

clearing the cache 49-64


filtering incoming RP announcement messages 49-30

overview 49-6

preventing candidate RP spoofing 49-30


preventing join messages to false RPs 49-29

setting up in a new internetwork 49-27

using with BSR 49-35

bootstrap router


configuring candidate BSRs 49-33

configuring candidate RPs 49-34

defining the IP multicast boundary 49-32

defining the PIM domain border 49-31

overview 49-7

using with Auto-RP 49-35

Cisco implementation 49-2

configuring

basic multicast routing 49-13

IP multicast boundary 49-48


enabling

multicast forwarding 49-13

PIM mode 49-14

group-to-RP mappings

Auto-RP 49-6

BSR 49-7

MBONE

deleting sdr cache entries 49-64

described 49-46

displaying sdr cache 49-65

enabling sdr listener support 49-47

limiting DVMRP routes advertised 49-58

limiting sdr cache entry lifetime 49-47

SAP packets for conference session announcement 49-47

Session Directory (sdr) tool, described 49-46

monitoring

packet rate loss 49-65

peering devices 49-65

tracing a path 49-65

multicast forwarding, described 49-8

PIMv1 and PIMv2 interoperability 49-12

protocol interaction 49-2

OL-26641-03

Index

reverse path check (RPF) 49-8

routing table

deleting 49-64

displaying 49-64

RP

assigning manually 49-25

configuring Auto-RP 49-27

configuring PIMv2 BSR 49-31

monitoring mapping information 49-35

using Auto-RP and BSR 49-35

stacking

stack master functions 49-10

stack member functions 49-10

statistics, displaying system and network 49-64

See also CGMP

See also DVMRP

See also IGMP

See also PIM

IP phones

and QoS 17-1

automatic classification and queueing 38-23

configuring 17-4

ensuring port security with QoS 38-47

trusted boundary for QoS 38-47

IP Port Security for Static Hosts

on a Layer 2 access port 25-20

on a PVLAN host port 25-24

IP precedence 38-2

IP-precedence-to-DSCP map for QoS 38-72

IP protocols

in ACLs 37-13

routing 1-18

IP protocols in ACLs 37-13

IP routes, monitoring 41-107

IP routing

connecting interfaces with 14-17

disabling 41-20

enabling 41-20

IP Service Level Agreements

OL-26641-03

See IP SLAs

IP service levels, analyzing 46-1

IP services image 1-1

IP SLAs

benefits 46-2


configuring object tracking 47-9

Control Protocol 46-4


definition 46-1

ICMP echo operation 46-12

measuring network performance 46-3

monitoring 46-14

multioperations scheduling 46-5


operation 46-3

reachability tracking 47-9

responder

described 46-4

enabling 46-8

response time 46-4

scheduling 46-5

SNMP support 46-2

supported metrics 46-2

threshold monitoring 46-6

track object monitoring agent, configuring 47-11

track state 47-9

UDP jitter operation 46-9

IP source guard

and 802.1x 25-18

and DHCP snooping 25-15

and port security 25-18


and routed ports 25-18

and TCAM entries 25-18

and trunk interfaces 25-18

and VRF 25-18

binding configuration

automatic 25-16


Index

manual 25-16

binding table 25-16



described 25-15

disabling 25-19

displaying

active IP or MAC bindings 25-26

bindings 25-26

configuration 25-26

enabling 25-19, 25-20

filtering

source IP address 25-16

source IP and MAC address 25-16

on provisioned switches 25-18

source IP address filtering 25-16

source IP and MAC address filtering 25-16

static bindings

adding 25-19, 25-20

deleting 25-19

static hosts 25-20

IP traceroute

executing 52-19

overview 52-18

IP unicast routing

address resolution 41-9

administrative distances 41-94, 41-105

ARP 41-9

assigning IP addresses to Layer 3 interfaces 41-7

authentication keys 41-105

broadcast

address 41-17

flooding 41-18

packets 41-15

storms 41-15

classless routing 41-8

configuring static routes 41-94

default

addressing configuration 41-6


gateways 41-13

networks 41-95

routes 41-95

routing 41-3

directed broadcasts 41-15

disabling 41-20

dynamic routing 41-3

enabling 41-20

EtherChannel Layer 3 interface 41-5

IGP 41-26

inter-VLAN 41-2

IP addressing

classes 41-7

configuring 41-5

IPv6 42-3

IRDP 41-14


MAC address and IP address 41-9

passive interfaces 41-103

protocols

distance-vector 41-3

dynamic 41-3

link-state 41-3

proxy ARP 41-9

redistribution 41-96

reverse address resolution 41-9

routed ports 41-5

static routing 41-3

steps to configure 41-5

subnet mask 41-7

subnet zero 41-7

supernet 41-8

UDP 41-17

with SVIs 41-5

See also BGP

See also EIGRP

See also OSPF

See also RIP

IPv4 ACLs

OL-26641-03

Index


extended, creating 37-12

named 37-16

standard, creating 37-11

IPv4 and IPv6

dual protocol stacks 42-10

IPv6

ACLs

displaying 43-8

limitations 43-3


port 43-1

precedence 43-2

router 43-1

supported 43-2

addresses 42-2

address formats 42-2

and switch stacks 42-15, 42-16

applications 42-9

assigning address 42-17

autoconfiguration 42-9

CEFv6 42-31

configuring static routes 42-32


default router preference (DRP) 42-9

defined 42-1

Enhanced Interior Gateway Routing Protocol (EIGRP) IPv6 42-12

EIGRP IPv6 Commands 42-13

Router ID 42-12

feature limitations 42-14

features not supported 42-14

forwarding 42-17

ICMP 42-4

monitoring 42-40

neighbor discovery 42-4

OSPF 42-11

path MTU discovery 42-4

SDM templates 8-5, 43-1, 44-1

OL-26641-03

stack master functions 42-15, 42-16

Stateless Autoconfiguration 42-9

supported features 42-3

switch limitations 42-14

understanding static routes 42-11

IPv6 traffic, filtering 43-4

IRDP

configuring 41-14

definition 41-14

support for 1-19

IS-IS

addresses 41-67

area routing 41-67


monitoring 41-76

show commands 41-76

system routing 41-67

ISL

and IPv6 42-3

and trunk ports 14-4

encapsulation 1-11, 15-16

trunking with IEEE 802.1 tunneling 19-4

ISO CLNS

clear commands 41-76

dynamic routing protocols 41-66

monitoring 41-76

NETs 41-66

NSAPs 41-66

OSI standard 41-66

ISO IGRP

area routing 41-67

system routing 41-67

isolated port 18-2

isolated VLANs 18-2, 18-3

J

join messages, IGMP 27-3


Index

K

KDC

described 9-41

See also Kerberos

Kerberos

authenticating to

boundary switch 9-43

KDC 9-43

network services 9-43

configuration examples 9-40

configuring 9-44

credentials 9-41

cryptographic software image 9-40

described 9-41

KDC 9-41

operation 9-43

realm 9-42

server 9-42

support for 1-15

switch as trusted third party 9-41

terms 9-41

TGT 9-42

tickets 9-41

key distribution center

See KDC

L

l2protocol-tunnel command 19-13

LACP


See EtherChannel

Layer 2 frames, classification with CoS 38-2

Layer 2 interfaces, default configuration 14-32

Layer 2 protocol tunneling

configuring 19-11

configuring for EtherChannels 19-15



defined 19-8

guidelines 19-12

Layer 2 traceroute

and ARP 52-17

and CDP 52-17

broadcast traffic 52-16

described 52-16

IP addresses and subnets 52-17

MAC addresses and VLANs 52-17

multicast traffic 52-17

multiple devices on a port 52-17

unicast traffic 52-16

usage guidelines 52-17

Layer 3 features 1-18

Layer 3 interfaces

assigning IP addresses to 41-7

assigning IPv4 and IPv6 addresses to 42-26

assigning IPv6 addresses to 42-18

changing from Layer 2 mode 41-7, 41-84

types of 41-5

Layer 3 packets, classification methods 38-2

LDAP 4-2

Leaking IGMP Reports 24-4

LEDs, switch

See hardware installation guide

lightweight directory access protocol

See LDAP

line configuration mode 2-2

Link Aggregation Control Protocol

See EtherChannel

link failure, detecting unidirectional 21-8

link integrity, verifying with REP 23-3

Link Layer Discovery Protocol

See CDP

link local unicast addresses 42-4

link redundancy

See Flex Links

links, unidirectional 31-1

link state advertisements (LSAs) 41-32

OL-26641-03

Index

link-state protocols 41-3

link-state tracking

configuring 39-27

described 39-25

LLDP

configuring 30-5



enabling 30-6

monitoring and maintaining 30-11

overview 30-1

supported TLVs 30-2


transmission timer and holdtime, setting 30-6

LLDP-MED

configuring

procedures 30-5

TLVs 30-7

monitoring and maintaining 30-11

overview 30-1, 30-2

supported TLVs 30-2

LLDP Media Endpoint Discovery

See LLDP-MED

load balancing 45-4

local SPAN 32-2

location TLV 30-3, 30-7

logging messages, ACL 37-10

login authentication

with RADIUS 9-30

with TACACS+ 9-14

login banners 7-12

log messages

See system message logging

Long-Reach Ethernet (LRE) technology 1-27, 1-37

loop guard

described 22-12

enabling 22-19

support for 1-10

LRE profiles, considerations in switch clusters 6-17

OL-26641-03

M

MAB

See MAC authentication bypass

MAB aging timer 1-12

MAB inactivity timer

default setting 10-39

range 10-42

MAC/PHY configuration status TLV 30-2

MAC addresses

aging time 7-16

and VLAN association 7-15

building the address table 7-15


disabling learning on a VLAN 7-25

discovering 7-26

displaying 7-26

displaying in the IP source binding table 25-26

dynamic

learning 7-15

removing 7-17

in ACLs 37-31

IP address association 41-9

static

adding 7-23

allowing 7-24, 7-26

characteristics of 7-22

dropping 7-24

removing 7-23

MAC address learning 1-7

MAC address learning, disabling on a VLAN 7-25

MAC address notification, support for 1-21

MAC address-table move update


configuring 24-13


description 24-7

monitoring 24-16

MAC address-to-VLAN mapping 15-28


Index

MAC authentication bypass 10-41

configuring 10-68

overview 10-18

See MAB

MAC extended access lists

applying to Layer 2 interfaces 37-32

configuring for QoS 38-54

creating 37-31

defined 37-31

for QoS classification 38-5

MACSec 11-9, 13-2

MACsec 11-2

configuring on an interface 11-7

defined 11-1, 11-2

MACsec Key Agreement Protocol

See MKA

magic packet 10-29

manageability features 1-7

management access

in-band

browser session 1-8

CLI session 1-8

device manager 1-8

SNMP 1-8

out-of-band console port connection 1-8

management address TLV 30-2

management options

CLI 2-1

clustering 1-3

CNS 4-1

Network Assistant 1-2

overview 1-6

management VLAN

considerations in switch clusters 6-8

discovery through different management VLANs 6-8

manual preemption, REP, configuring 23-13

mapping tables for QoS

configuring

CoS-to-DSCP 38-71


DSCP 38-71

DSCP-to-CoS 38-74

DSCP-to-DSCP-mutation 38-75

IP-precedence-to-DSCP 38-72

policed-DSCP 38-73

described 38-13

marking

action with aggregate policers 38-69

described 38-4, 38-9

matching

IPv6 ACLs 43-3

matching, IPv4 ACLs 37-8

maximum aging time

MSTP 21-26

STP 20-25

maximum hop count, MSTP 21-26

maximum number of allowed devices, port-based authentication 10-42

maximum-paths command 41-54, 41-93

MDA



exceptions with authentication process 10-6

Media Access Control Security

See MACsec

membership mode, VLAN port 15-4

member switch


defined 6-2

managing 6-17

passwords 6-14

recovering from lost connectivity 52-12

requirements 6-5

See also candidate switch, cluster standby group, and standby command switch

memory consistency check errors

example 52-28

memory consistency check routines 1-6, 52-28

memory consistency integrity 1-6, 52-28

OL-26641-03

Index

messages, to users through banners 7-12

metrics, in BGP 41-54

metric translations, between routing protocols 41-99

metro tags 19-2

MHSRP 45-4

MIBs

overview 35-1

SNMP interaction with 35-5

mini-point-of-presence

See POP

mirroring traffic for analysis 32-1

mismatches, autonegotiation 52-13

MKA

configuring policies 11-6

defined 11-2

policies 11-3

replay protection 11-3

statistics 11-4

virtual ports 11-3

module number 14-23

monitoring

access groups 37-47

BGP 41-65

cables for unidirectional links 31-1

CDP 29-5

CEF 41-92

EIGRP 41-45

fallback bridging 51-10

features 1-21

Flex Links 24-16

HSRP 45-14


IGMP

filters 27-29

snooping 27-17, 44-12

interfaces 14-55

IP

address tables 41-19

multicast routing 49-63

OL-26641-03

routes 41-107

IP SLAs operations 46-14

IPv4 ACL configuration 37-47

IPv6 42-40

IPv6 ACL configuration 43-8

IS-IS 41-76

ISO CLNS 41-76


MAC address-table move update 24-16

MSDP peers 50-18

multicast router interfaces 27-17, 44-12

multi-VRF CE 41-91

MVR 27-24

network traffic for analysis with probe 32-2


OSPF 41-36

port

blocking 28-21

protection 28-21

private VLANs 18-15

REP 23-14

RP mapping information 49-35

SFP status 14-56, 52-14

source-active messages 50-18

speed and duplex mode 14-37

SSM mapping 49-23

traffic flowing among switches 33-1

traffic suppression 28-21

tunneling 19-18

VLAN

filters 37-47

maps 37-47

VLANs 15-16

VMPS 15-32

VTP 16-19

mrouter Port 24-3

mrouter port 24-5

MSDP

benefits of 50-3


Index

clearing MSDP connections and statistics 50-18

controlling source information

forwarded by switch 50-11

originated by switch 50-9

received by switch 50-13


dense-mode regions

sending SA messages to 50-16

specifying the originating address 50-17

filtering

incoming SA messages 50-14

SA messages to a peer 50-12

SA requests from a peer 50-10

join latency, defined 50-6

meshed groups

configuring 50-15

defined 50-15

originating address, changing 50-17

overview 50-1

peer-RPF flooding 50-2

peers

configuring a default 50-4

monitoring 50-18

peering relationship, overview 50-1

requesting source information from 50-8

shutting down 50-16

source-active messages

caching 50-6

clearing cache entries 50-18

defined 50-2

filtering from a peer 50-10

filtering incoming 50-14

filtering to a peer 50-12

limiting data with TTL 50-13

monitoring 50-18

restricting advertised sources 50-9

support for 1-19

MSTP

boundary ports



described 21-7

BPDU filtering

described 22-3

enabling 22-15

BPDU guard

described 22-2

enabling 22-14

CIST, described 21-3

CIST regional root 21-3

CIST root 21-6

configuration guidelines 21-16, 22-13

configuring

forward-delay time 21-25

hello time 21-25

link type for rapid convergence 21-27

maximum aging time 21-26

maximum hop count 21-26

MST region 21-17

neighbor type 21-27

path cost 21-23

port priority 21-21

root switch 21-19

secondary root switch 21-20

switch priority 21-24

CST

defined 21-3

operations between regions 21-5


default optional feature configuration 22-12


enabling the mode 21-17

EtherChannel guard

described 22-10

enabling 22-18

extended system ID

effects on root switch 21-19

effects on secondary root switch 21-20

unexpected behavior 21-19

OL-26641-03

Index

IEEE 802.1s

implementation 21-7

port role naming change 21-7

terminology 21-6

instances supported 20-11

interface state, blocking to forwarding 22-2

interoperability and compatibility among modes 20-12

interoperability with IEEE 802.1D

described 21-9

restarting migration process 21-28

IST

defined 21-3

master 21-3

operations within a region 21-3

loop guard

described 22-12

enabling 22-19

mapping VLANs to MST instance 21-17

MST region

CIST 21-3

configuring 21-17

described 21-2

hop-count mechanism 21-6

IST 21-3

supported spanning-tree instances 21-2

optional features supported 1-10

overview 21-2

Port Fast

described 22-2

enabling 22-13

preventing root switch selection 22-11

root guard

described 22-11

enabling 22-18

root switch

configuring 21-19

effects of extended system ID 21-19

unexpected behavior 21-19

OL-26641-03

shutdown Port Fast-enabled port 22-2


status, displaying 21-28

multiauth

support for inaccessible authentication bypass 10-26

multiauth mode

See multiple-authentication mode

multicast groups

Immediate Leave 27-5

joining 27-3

leaving 27-5

static joins 27-10, 44-8

multicast packets

ACLs on 37-45

blocking 28-8

multicast router interfaces, monitoring 27-17, 44-12

multicast router ports, adding 27-9, 44-8

Multicast Source Discovery Protocol

See MSDP

multicast storm 28-1

multicast storm-control command 28-4

multicast television application 27-19

multicast VLAN 27-18

Multicast VLAN Registration

See MVR

multidomain authentication

See MDA

multioperations scheduling, IP SLAs 46-5

multiple authentication 10-15

multiple authentication mode

configuring 10-48

Multiple HSRP

See MHSRP

multiple VPN routing/forwarding in customer edge devices

See multi-VRF CE

multi-VRF CE

configuration example 41-87



Index

configuring 41-79


defined 41-77

displaying 41-91

monitoring 41-91

network components 41-79

packet-forwarding process 41-79

support for 1-19

MVR

and address aliasing 27-21

and IGMPv3 27-21


configuring interfaces 27-22


described 27-18

example application 27-19

in the switch stack 27-20

modes 27-22

monitoring 27-24

multicast television application 27-19

setting global parameters 27-21

support for 1-6

N

NAC

AAA down policy 1-15

critical authentication 10-26, 10-65

IEEE 802.1x authentication using a RADIUS server 10-70

IEEE 802.1x validation using RADIUS server 10-70

inaccessible authentication bypass 1-15, 10-65

Layer 2 IEEE 802.1x validation 1-14, 1-15, 10-32, 10-70

Layer 2 IP validation 1-15

named IPv4 ACLs 37-16

NameSpace Mapper

See NSM

native VLAN

and IEEE 802.1Q tunneling 19-4


configuring 15-23

default 15-23

NDAC 11-9, 13-2

NEAT

configuring 10-71

overview 10-33

neighbor discovery, IPv6 42-4

neighbor discovery/recovery, EIGRP 41-37

neighbor offset numbers, REP 23-4

neighbors, BGP 41-60

Network Admission Control

NAC

See NAC

Network Assistant

benefits 1-2

described 1-6

downloading image files 1-3

guide mode 1-2

management options 1-2

managing switch stacks 5-2, 5-18

upgrading a switch 54-25

wizards 1-3

network configuration examples

cost-effective wiring closet 1-28

high-performance wiring closet 1-29

increasing network performance 1-26

large network 1-35

long-distance, high-bandwidth transport 1-39

multidwelling network 1-37

providing network services 1-26

redundant Gigabit backbone 1-30

server aggregation and Linux server cluster 1-31

small to medium-sized network 1-33

network design

performance 1-26

services 1-26

Network Device Admission Control (NDAC) 11-9, 13-2

Network Edge Access Topology

See NEAT

OL-26641-03

Index

network management

CDP 29-1

RMON 33-1

SNMP 35-1

network performance, measuring with IP SLAs 46-3

network policy TLV 30-2, 30-7

Network Time Protocol

See NTP

no commands 2-4

nonhierarchical policy maps


described 38-10

non-IP traffic filtering 37-31

nontrunking mode 15-18

normal-range VLANs 15-5


configuring 15-5

defined 15-1

no switchport command 14-5

not-so-stubby areas

See NSSA

NSAPs, as ISO IGRP addresses 41-67

NSF Awareness

IS-IS 41-69

NSM 4-3

NSSA, OSPF 41-32

NTP

associations

defined 7-3

overview 7-3

stratum 7-3

support for 1-7

time

services 7-3

synchronizing 7-3

O

OBFL

OL-26641-03

configuring 52-27

described 52-26

displaying 52-27

object tracking

HSRP 47-7

IP SLAs 47-9

IP SLAs, configuring 47-9

monitoring 47-13

offline configuration for switch stacks 5-8

off mode, VTP 16-4

on-board failure logging

See OBFL

online diagnostics

overview 53-1

running tests 53-3

understanding 53-1

open1x

configuring 10-76

open1x authentication

overview 10-32

Open Shortest Path First

See OSPF

optimizing system resources 8-1

options, management 1-6

OSPF

area parameters, configuring 41-32

configuring 41-30

default configuration

metrics 41-33

route 41-33

settings 41-27

described 41-26

for IPv6 42-11

interface parameters, configuring 41-31

LSA group pacing 41-35

monitoring 41-36

router IDs 41-35

route summarization 41-33

support for 1-18


Index

virtual links 41-33

out-of-profile markdown 1-17

P

packet modification, with QoS 38-22

PAgP


See EtherChannel

parallel paths, in routing tables 41-93

passive interfaces

configuring 41-103

OSPF 41-34

passwords


disabling recovery of 9-5

encrypting 9-4

for security 1-12

in clusters 6-15

overview 9-1

recovery of 52-4

setting

enable 9-3

enable secret 9-4

Telnet 9-6

with usernames 9-7

VTP domain 16-11

path cost

MSTP 21-23

STP 20-22

path MTU discovery 42-4

PBR

defined 41-99

enabling 41-101

fast-switched policy-based routing 41-102

local policy-based routing 41-102

PC (passive command switch) 6-11

peers, BGP 41-60

percentage thresholds in tracked lists 47-6


performance, network design 1-26

performance features 1-4

persistent self-signed certificate 9-51

per-user ACLs and Filter-Ids 10-9

per-VLAN spanning-tree plus

See PVST+

PE to CE routing, configuring 41-86

physical ports 14-2

PIM


dense mode

overview 49-4

rendezvous point (RP), described 49-5

RPF lookups 49-8

displaying neighbors 49-65

enabling a mode 49-14

overview 49-4

router-query message interval, modifying 49-39

shared tree and source tree, overview 49-36

shortest path tree, delaying the use of 49-37

sparse mode

join messages and shared tree 49-5

overview 49-5

prune messages 49-5

RPF lookups 49-9

stub routing


displaying 49-64

enabling 49-24

overview 49-5

support for 1-19

versions

interoperability 49-12

troubleshooting interoperability problems 49-36

v2 improvements 49-4

PIM-DVMRP, as snooping method 27-8

ping

character output description 52-16

executing 52-15

OL-26641-03

Index

overview 52-15

PoE

auto mode 14-10

CDP with power consumption, described 14-8

CDP with power negotiation, described 14-8

Cisco intelligent power management 14-8

configuring 14-40

cutoff power

determining 14-12

cutoff-power

support for 14-11

devices supported 14-8

high-power devices operating in low-power mode 14-8

IEEE power classification levels 14-9

monitoring 14-11

monitoring power 14-43

policing power consumption 14-43

policing power usage 14-11

power budgeting 14-41

power consumption 14-12, 14-41

powered-device detection and initial power allocation 14-9

power management modes 14-10

power monitoring 14-11

power negotiation extensions to CDP 14-8

power sensing 14-11

standards supported 14-8

static mode 14-10

total available power 14-13

troubleshooting 52-13

PoE+ 1-20, 14-8, 14-9, 14-40

policed-DSCP map for QoS 38-73

policers

configuring

for each matched traffic class 38-57

for more than one traffic class 38-69

described 38-4

displaying 38-89

OL-26641-03

number of 38-43

types of 38-10

policing

described 38-4

hierarchical

See hierarchical policy maps

token-bucket algorithm 38-10

policy-based routing

See PBR

policy maps for QoS


described 38-8

displaying 38-90

hierarchical 38-9

hierarchical on SVIs


configuring 38-62

described 38-12

nonhierarchical on physical ports


described 38-10

POP 1-37

port ACLs

defined 37-2

types of 37-4

Port Aggregation Protocol

See EtherChannel

port-based authentication

accounting 10-17

authentication server

defined 10-3, 12-2

RADIUS server 10-3

client, defined 10-3, 12-2


configuring

802.1x authentication 10-46

guest VLAN 10-62

host mode 10-48

inaccessible authentication bypass 10-65


Index

manual re-authentication of a client 10-51

periodic re-authentication 10-50

quiet period 10-51

RADIUS server 10-48, 12-13

RADIUS server parameters on the switch 10-47, 12-11

restricted VLAN 10-63

switch-to-client frame-retransmission number 10-52, 10-53

switch-to-client retransmission time 10-51

violation modes 10-45


described 10-1

device roles 10-3, 12-2

displaying statistics 10-78, 12-17

downloadable ACLs and redirect URLs

configuring 10-73 to 10-75, ?? to 10-75

overview 10-21 to 10-23

EAPOL-start frame 10-6

EAP-request/identity frame 10-6

EAP-response/identity frame 10-6

enabling

802.1X authentication 12-11

encapsulation 10-4

flexible authentication ordering

configuring 10-76

overview 10-32

guest VLAN


described 10-24

host mode 10-13

inaccessible authentication bypass

configuring 10-65

described 10-26

guidelines 10-41

initiation and message exchange 10-6

magic packet 10-29

maximum number of allowed devices per port 10-42

method lists 10-46

multiple authentication 10-15


per-user ACLs

AAA authorization 10-46

configuration tasks 10-21

described 10-20

RADIUS server attributes 10-20

ports

authorization state and dot1x port-control command 10-11

authorized and unauthorized 10-11

voice VLAN 10-28

port security

described 10-29

readiness check

configuring 10-42


resetting to default values 10-78


statistics, displaying 10-78

switch

as proxy 10-3, 12-2

RADIUS client 10-4

switch supplicant

configuring 10-71

overview 10-33

upgrading from a previous release 38-36

user distribution

guidelines 10-31

overview 10-31

VLAN assignment

AAA authorization 10-46



described 10-18

voice aware 802.1x security

configuring 10-43


voice VLAN

described 10-28

PVID 10-28

OL-26641-03

Index

VVID 10-28

wake-on-LAN, described 10-29

with ACLs and RADIUS Filter-Id attribute 10-35

port-based authentication methods, supported 10-8

port blocking 1-5, 28-7

port-channel

See EtherChannel

port description TLV 30-2

Port Fast

described 22-2

enabling 22-13

mode, spanning tree 15-29

support for 1-10

port membership modes, VLAN 15-4

port priority

MSTP 21-21

STP 20-20

ports

10-Gigabit Ethernet module 14-7

access 14-3

blocking 28-7

dual-purpose uplink 14-7

dynamic access 15-4

IEEE 802.1Q tunnel 15-5

protected 28-6

REP 23-6

routed 14-4

secure 28-9

static-access 15-4, 15-11

switch 14-2

trunks 15-4, 15-16

VLAN assignments 15-11

port security

aging 28-17


and QoS trusted boundary 38-47

and stacking 28-18

configuring 28-13


OL-26641-03

described 28-8

displaying 28-21

enabling 28-18

on trunk ports 28-14

sticky learning 28-9

violations 28-10

with other features 28-11

port-shutdown response, VMPS 15-28

port VLAN ID TLV 30-2

power inline consumption command 14-15

power management TLV 30-3, 30-7

Power over Ethernet

See PoE

preempt delay time, REP 23-5

preemption, default configuration 24-9

preemption delay, default configuration 24-9

preferential treatment of traffic

See QoS

prefix lists, BGP 41-58

preventing unauthorized access 9-1

primary edge port, REP 23-4

primary interface for object tracking, DHCP, configuring 47-10

primary interface for static routing, configuring 47-10

primary links 24-2

primary VLANs 18-1, 18-3

priority

HSRP 45-9

overriding CoS 17-6

trusting CoS 17-6

private VLAN edge ports

See protected ports

private VLANs

across multiple switches 18-4

and SDM template 18-4

and SVIs 18-5

and switch stacks 18-6

benefits of 18-1

community ports 18-2


Index

community VLANs 18-2, 18-3

configuration guidelines 18-7, 18-8, 18-9


configuring 18-10


end station access to 18-3

IP addressing 18-3

isolated port 18-2

isolated VLANs 18-2, 18-3

mapping 18-14

monitoring 18-15

ports

community 18-2


configuring host ports 18-12

configuring promiscuous ports 18-13

described 15-5

isolated 18-2

promiscuous 18-2

primary VLANs 18-1, 18-3

promiscuous ports 18-2

secondary VLANs 18-2

subdomains 18-1

traffic in 18-5

privileged EXEC mode 2-2

privilege levels

changing the default for lines 9-9

command switch 6-18

exiting 9-10

logging into 9-10

mapping on member switches 6-18

overview 9-2, 9-8

setting a command with 9-8

promiscuous ports

configuring 18-13

defined 18-2

protected ports 1-12, 28-6

protocol-dependent modules, EIGRP 41-37

Protocol-Independent Multicast Protocol


See PIM

protocol storm protection 28-19

provider edge devices 41-77

provisioned switches and IP source guard 25-18

provisioning new members for a switch stack 5-8

proxy ARP

configuring 41-12

definition 41-9

with IP routing disabled 41-13

proxy reports 24-4

pruning, VTP

disabling

in VTP domain 16-17

on a port 15-23

enabling

in VTP domain 16-17

on a port 15-22

examples 16-7

overview 16-7

pruning-eligible list

changing 15-22

for VTP pruning 16-7

VLANs 16-18

PVST+

described 20-11

IEEE 802.1Q trunking interoperability 20-12

instances supported 20-11

Q

QoS

and MQC commands 38-1

auto-QoS

categorizing traffic 38-24

configuration and defaults display 38-38


described 38-23

disabling 38-38

displaying generated commands 38-38

OL-26641-03

Index

displaying the initial configuration 38-38

effects on running configuration 38-35

list of generated commands 38-26, 38-30

basic model 38-4

classification

class maps, described 38-8

defined 38-4

DSCP transparency, described 38-49

flowchart 38-7

forwarding treatment 38-3

in frames and packets 38-3

IP ACLs, described 38-8

MAC ACLs, described 38-5, 38-8

options for IP traffic 38-6

options for non-IP traffic 38-5

policy maps, described 38-8

trust DSCP, described 38-5

trusted CoS, described 38-5

trust IP precedence, described 38-5

class maps

configuring 38-55

displaying 38-89


auto-QoS 38-35

standard QoS 38-42

configuring

aggregate policers 38-69

auto-QoS 38-23

default port CoS value 38-47

DSCP maps 38-71


DSCP trust states bordering another domain 38-49

egress queue characteristics 38-81

ingress queue characteristics 38-77

IP extended ACLs 38-53

IP standard ACLs 38-51

MAC ACLs 38-54

policy maps, hierarchical 38-62

OL-26641-03

port trust states within the domain 38-45

trusted boundary 38-47

default auto configuration 38-24

default standard configuration 38-39

displaying statistics 38-89


egress queues

allocating buffer space 38-82

buffer allocation scheme, described 38-20

configuring shaped weights for SRR 38-86

configuring shared weights for SRR 38-87

described 38-4

displaying the threshold map 38-85

flowchart 38-19

mapping DSCP or CoS values 38-84

scheduling, described 38-4

setting WTD thresholds 38-82

WTD, described 38-21

enabling globally 38-44

flowcharts

classification 38-7

egress queueing and scheduling 38-19

ingress queueing and scheduling 38-16

policing and marking 38-11

implicit deny 38-8

ingress queues

allocating bandwidth 38-79

allocating buffer space 38-79

buffer and bandwidth allocation, described 38-18

configuring shared weights for SRR 38-79

configuring the priority queue 38-80

described 38-4

displaying the threshold map 38-78

flowchart 38-16

mapping DSCP or CoS values 38-77

priority queue, described 38-18

scheduling, described 38-4

setting WTD thresholds 38-77



Index

IP phones

automatic classification and queueing 38-23

detection and trusted settings 38-23, 38-47

limiting bandwidth on egress interface 38-88

mapping tables

CoS-to-DSCP 38-71

displaying 38-90

DSCP-to-CoS 38-74

DSCP-to-DSCP-mutation 38-75

IP-precedence-to-DSCP 38-72

policed-DSCP 38-73

types of 38-13

marked-down actions 38-60, 38-65

marking, described 38-4, 38-9

overview 38-2

packet modification 38-22

policers

configuring 38-60, 38-65, 38-69

described 38-9

displaying 38-89

number of 38-43

types of 38-10

policies, attaching to an interface 38-10

policing


token bucket algorithm 38-10

policy maps


displaying 38-90

hierarchical 38-9

hierarchical on SVIs 38-62

nonhierarchical on physical ports 38-57

QoS label, defined 38-4

queues

configuring egress characteristics 38-81

configuring ingress characteristics 38-77

high priority (expedite) 38-22, 38-88

location of 38-14

SRR, described 38-15



rewrites 38-22

support for 1-16

trust states

bordering another domain 38-49

described 38-5

trusted device 38-47

within the domain 38-45

quality of service

See QoS

queries, IGMP 27-4

query solicitation, IGMP 27-13

R

RADIUS

attributes

vendor-proprietary 9-38

vendor-specific 9-36

configuring

accounting 9-35

authenticati

Documents

Catalyst 3560 Switch Software Configuration Guide, Cisco IOS